- Why Encrypt?
- What to Encrypt?
- Encryption over the Wire
  - Encryption Methods
- Encryption At Rest
  - Encryption Methods
  - IBM DEE
- Using DEE with Informix
  - Cooked Devices
  - Raw Devices
Administrating and Developing with Informix
MarkJamison. Tags: security, informix, query, database, encryption, expert, vormetric
So as it has been painfully obvious, I haven't been blogging particularly frequently over the past few months. Now on the one hand, you could just say that the "honeymoon period" for me on the blog is over, but the truth is I've been buried in regulatory compliance stuff and other security related issues. Of late, I've been working especially hard with a customer on implementing IBM Database Encryption Expert and Informix. It's been challenging learning a product that is focused at being integrated into the OS layer, but fun too. Of late though, I've wondered how much that might apply to application developers. Sure the intent is to be as transparent as possible, but if your data has to be encrypted and decrypted, do you want to know about it? And if so, how much?
So anyway, I'm asking for feedback as to whether you would like to hear a bit more about encrypting databases, the methodologies, and what I firmly believe is the best choice for Informix, well ok all, databases.
Two useful IDS security resources have recently been published.
1. developerWorks Article:
Protect your data with Secure Sockets Layer support in Informix Dynamic Server, Part 1: Setting up SSL support in IDS by IDS security engineers Manoj Mohan and Lynette D. Adayilamuriyil.
This article takes you through the basics of setting up encrypted database communication using Secure Sockets Layer (SSL), which begins with requesting a Digital Certificate. The digital certificate is used to exchange keys at the beginning of an SSL connection, after which a random symmetric key is generated. The article also has a section on troubleshooting SSL in IDS.
Update: The article is here.
2. Audio replay and slides available for IDS Security Best Practices chat with lab.
IDS Security Architect Jonathan Leffler presented this topic at the Chat with Lab series on December 16th. The audio replay and slides are now available here: http://www.ibm.com/informix/labchats
Informix security architect Jonathan Leffler is giving a webcast on Tuesday March 4th 2008 at 12PM Eastern (5PM UTC) entitled Securing Your Data: Choosing the Right Platform.
The flyer for this webcast and registration details can be found here.
Draft Redbook: Security and Compliance Solutions for IDS
The draft of new IBM Redbooks publication Security and Compliance Solutions for IBM Informix Dynamic Server is now available at the IBM Redbooks web site: http://www.redbooks.ibm.com/redpieces/abstracts/sg247556.html. This Redbook provides an overview of security features in IDS and has the following contents:
Chapter 1. Technology overview
Chapter 2. Role separation
Chapter 3. Auditing
Chapter 4. Securing data with SQL
Chapter 5. Client-server communication
Chapter 6. Server-server communication
Chapter 7. Security issues with Backup and Restore
Appendix A. Audit event mnemonics
Appendix B. PAM API and macros
So take a look if you'd like to preview this book prior to final publication and perhaps provide feedback.
IDS Security engineers Manoj Mohan & Lynette D. Adayilamuriyil have written a new developerWorks article Column-level encryption in IDS - Protect your sensitive data by using the column-level encryption (CLE) feature of IBM Informix® Dynamic Server (IDS) 10 and later. It's an accessible introductory article which includes using Column Level Encryption from Dbaccess, via a simple ESQL/C program, examples of using password hints, and how to calculate storage requirements for encrypted data.
Keeping to the topic of security, Fernando Nunes recently wrote a detailed article on how to set up an IDS instance to use an Active Directory or OpenLDAP server as its authentication infrastructure on his Informix-Technology blog. It includes screen-shots of setting up a Windows Server 2003 as an Active Directory Server. Well worth checking out: Informix user authentication: PAM for the rescue (part 1)
Based on support calls there is a fairly high demand for Informix integration with Pluggable Authentication Modules (PAM). When it comes to worked examples there is somewhat of a dearth. It is therefore refreshing to see this new developerWorks article by Manoj Mohan, Ramesh Gopal Srinivasan, Thamizhchelvan A. Anbalagan: Enhance Informix Dynamic Server security using the Pluggable Authentication Module framework and JDBC - Increased authentication flexibility for IDS.
The article includes a working example PAM module written in C with Solaris 32-bit compilation instructions and configuration file. Next is an example Java callback module using JDBC. The Informix JDBC driver has supported PAM since 2.21.JC5. (Incidentally the JDBC version coming out with Cheetah will be 3.10.)
At one point the article states:
Note that IDS also supports LDAP on Windows which is set up and configured just like PAM - look in %INFORMIXDIR%\demo\authentication for an example. The IDS documentation for LDAP on Windows is here: http://publib.boulder.ibm.com/infocenter/idshelp/v10/index.jsp?topic=/com.ibm.admin.doc/admin219.htm.
Suppose you have some server code which needs to check whether a user has read or write access to a file...
A UNIX programmer might say: "Use stat() to get the file permissions and check them against the user and group id. I'm going to lunch. Don't wait up".
A Windows programmer on the other hand had better skip lunch and start coding.
Here are four possible ways to check whether a user has the requested access to a file on Windows. The first three use GetFileSecurity() to get a file security descriptor and varying methods to obtain the user's security credentials.
1. Use LogonUser to get a Token handle, and validate with AccessCheck()
If you have a Token representing a logged on user you can call the AccessCheck() function to validate the user access rights against a file security descriptor. If your server code has the user's password and other credentials (not defined in the example code), you could get the Token using LogonUser() (error checking removed for brevity). Assuming the desired access is encoded in the flags variable:
    // desired access flags can be set to whatever you define
    int flags = O_WRONLY;
    DWORD sdLen, dwAccessDesired = 0, dwPrivSetSize, dwAccessGranted;
    PSECURITY_DESCRIPTOR fileSD;
    GENERIC_MAPPING GenericMapping;
    PRIVILEGE_SET PrivilegeSet;
    BOOL fAccessGranted = FALSE;
    HANDLE hToken;
I have found this to be the most reliable method of checking a user's file access rights, with the disadvantage that your server needs to have the user logon details.
2. Use OpenProcessToken() to get a Token handle and validate with AccessCheck()
If you have the process ID, pid, of the user's front-end process you can avoid logging on by getting a handle to the token using OpenProcessToken() as follows (the rest of the code would be the same):
    HANDLE hProcess, hMyToken;
    LUID luid;
One problem I've experienced with this method is that OpenProcessToken() can fail with Access Denied on some machines and not others. I have yet to identify the root cause.
3. Use GetEffectiveRightsFromAcl() with a user SID
One way to verify a user's access rights without a token is to get hold of the user SID using LookupAccountName() and call GetEffectiveRightsFromAcl(). Once the file security descriptor has been obtained as above, the rest of the code would do this:
    BOOL daclThere = FALSE, daclDefault = FALSE;
    PACL fileDacl;
    DWORD sidSize, domainSize = 128;
    BYTE pSid[sizeof(SID) + (SID_MAX_SUB_AUTHORITIES * sizeof(DWORD))];
    SID_NAME_USE sidType;
    char domain[128];   // buffer for LookupAccountName(), sized to match domainSize
    TRUSTEE trustee;
    ACCESS_MASK mask;
A potential problem with this is that LookupAccountName() can take a long time to execute if you have a remote user from a trusted domain in a network infrastructure with many domains.
Another problem I've seen with this is GetEffectiveRightsFromAcl() failing with return code 5. I have an open support call with Microsoft concerning this problem.
Update 2/13/07: Thanks to some help from a Microsoft Escalation Engineer, the specific problem has been identified. GetEffectiveRightsFromAcl() returns "Access Denied" when all of the following hold: any local user (i.e. not a domain user) calls the function and passes it the ACL of an unprivileged local user; the file ACLs include those for groups which contain domain groups; and, at domain level, the Network access: Allow anonymous SID/Name translation setting is disabled (the default setting). For this reason, using GetEffectiveRightsFromAcl() is not the recommended method to determine whether a user has access rights to a file.
4. Launch a process as the user and test access
If you don't want to mess with all the access functions, you could simply create a process as the user using LogonUser() and CreateProcessAsUser() and try opening a file with the required permissions. This isn't a very efficient method, and executing a command leaves your code open to malicious command injection, but it works.
The file access rights implementation on Windows, and its programming interface, is in my opinion a pile of pants. It probably seemed like a good idea at the time to create an access model with so much flexibility, but a flexible security system is often a misconfigured security system. Suggestions with simpler alternatives to the above are welcome.
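For comparison with the four Windows methods, the stat()-based check the UNIX programmer reaches for is shown here as an added example; it is not code from the original post, and the names unix_has_access, check_mode and the demo main are my own. It evaluates the classic owner/group/other bits against an explicit uid and group list, which is what server code has to do when the user is not the process's own identity (so access(2) cannot be used), and it shows the detail that naive checks get wrong: when the uid matches the owner, only the owner class counts, even if the group or other bits would grant more.

```c
/* Added example for this page: the stat()-based permission check the post's
 * UNIX programmer describes, applied to a user identity supplied by the server
 * (uid plus group list) rather than to the calling process. Not from the
 * original post; function names are my own. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 1 if a user (uid, member of the ngroups gids in groups, which must
 * include the primary gid) holds every right in want (R_OK, W_OK, X_OK) on
 * the file described by st, 0 otherwise. As the kernel does, exactly one
 * permission class is consulted: owner if the uid matches, else group if any
 * gid matches the file's gid, else other. Root, POSIX ACLs, immutable flags
 * and read-only mounts are deliberately out of scope here. */
int unix_has_access(const struct stat *st, uid_t uid,
                    const gid_t *groups, int ngroups, int want)
{
    unsigned bits, need = 0;
    int i;

    if (uid == st->st_uid) {
        bits = (st->st_mode & S_IRWXU) >> 6;
    } else {
        int in_group = 0;
        for (i = 0; i < ngroups; i++) {
            if (groups[i] == st->st_gid) {
                in_group = 1;
                break;
            }
        }
        bits = in_group ? (st->st_mode & S_IRWXG) >> 3
                        : (st->st_mode & S_IRWXO);
    }
    /* Map the request onto the r/w/x bit layout of a permission class. */
    if (want & R_OK) need |= 4;
    if (want & W_OK) need |= 2;
    if (want & X_OK) need |= 1;
    return (bits & need) == need;
}

/* Convenience wrapper for exercising the logic without touching the
 * filesystem: builds a stat record from a mode and ownership, and checks it
 * for a user with a single group. */
int check_mode(mode_t mode, uid_t file_uid, gid_t file_gid,
               uid_t uid, gid_t gid, int want)
{
    struct stat st;
    memset(&st, 0, sizeof st);
    st.st_mode = mode;
    st.st_uid = file_uid;
    st.st_gid = file_gid;
    return unix_has_access(&st, uid, &gid, 1, want);
}

/* Stand-alone use: report the calling user's rights on a path. */
int main(int argc, char **argv)
{
    struct stat st;
    gid_t groups[257];
    int n;

    if (argc != 2) {
        fprintf(stderr, "usage: %s path\n", argv[0]);
        return 2;
    }
    if (stat(argv[1], &st) != 0) {
        perror("stat");
        return 2;
    }
    n = getgroups(256, groups);
    if (n < 0) {
        perror("getgroups");
        return 2;
    }
    groups[n++] = getegid(); /* getgroups() need not include the effective gid */
    printf("%s: read=%d write=%d exec=%d\n", argv[1],
           unix_has_access(&st, geteuid(), groups, n, R_OK),
           unix_has_access(&st, geteuid(), groups, n, W_OK),
           unix_has_access(&st, geteuid(), groups, n, X_OK));
    return 0;
}
```

Even on UNIX the answer is advisory: the file's mode or the user's group membership can change between the check and the use, so the open() performed on the user's behalf remains the authoritative check, and the result above is only useful for deciding what to offer.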
Check User's Permissions On A File or Folder - ASP article by Softomatix.
How To Program a Secure Server on Microsoft Windows NT - Microsoft KB article
IBM announced a security vulnerability involving insecure use of the /tmp directory by the IDS and CSDK UNIX install scripts recently. The text of the announcement is here: Possible security vulnerabilities with Informix Dynamic Server, CSDK, and I-Connect product installers.
Reports of this vulnerability have been around since the beginning of October when someone called Larry Cashdollar sent an announcement directly to Bugtraq. As far as I can tell, in contrast to other security advisories we receive, IBM were not given any advance notice of this so had to start working on a response from that point. Since the announcement the usual security sites have picked it up, generally giving it a rating of less critical:
FrSIRT Security Advisories: IBM Informix Insecure Permissions and Temporary File Creation Vulnerabilities
Secunia Advisory #1: IBM Informix Dynamic Server Insecure Temporary File Creation
Secunia Advisory #2: IBM Informix Products Insecure Permissions and Temporary File Creation
Security Tracker: Informix Dynamic Server Uses Unsafe Installation Scripts and Directory Permissions That May Let Local Users Gain Elevated Privileges
I've been waiting for the dust to settle before writing about this given the less than critical impact, the straightforward workaround, the difficulty of exploiting and the IIUG coverage, but now the official IBM announcement is out it's worth at least highlighting the workaround:
Use the -log option when performing your product installation to redirect the temporary files created to a secure directory.
The following example from Jonathan Leffler illustrates using the -log workaround:
    umask 077
    mkdir /tmp/informix
    ./installserver -log /tmp/informix
This creates a directory with no public (or group) access, and then directs the install logs to that directory.
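The workaround depends on the log directory being private and freshly created by you, not something another local user left in /tmp beforehand. As an added example (not part of the advisory, of Jonathan Leffler's note, or of the installer itself), here is how installer-style code in C can create such a directory and verify it before using it; the names make_private_dir and demo_private_dir and the /tmp/privdir-demo-XXXXXX template are my own.

```c
/* Added example for this page: create a private directory of the kind the
 * -log workaround points the installer at, and verify it before use.
 * Constructed for this page; not from the advisory or the installer. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Creates dir with mode 0700 and returns an open descriptor for it, or -1.
 * mkdir() fails with EEXIST if anything, including a symlink planted by
 * another local user, already sits at that path, which is exactly the
 * scenario the installer advisory is about. O_NOFOLLOW plus the fstat()
 * checks confirm that what we opened is a directory we own and that no
 * group or world bits survived the umask. */
int make_private_dir(const char *dir)
{
    struct stat st;
    int fd;

    if (mkdir(dir, 0700) != 0)
        return -1;
    fd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISDIR(st.st_mode)
        || st.st_uid != geteuid()
        || (st.st_mode & (S_IRWXG | S_IRWXO)) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Self-check: creates a private "informix" directory under a fresh scratch
 * directory, confirms a second creation attempt at the same path is refused
 * instead of silently reused, cleans up, and returns 1 on success. */
int demo_private_dir(void)
{
    char base[] = "/tmp/privdir-demo-XXXXXX";
    char path[sizeof base + 16];
    int fd, ok = 0;

    if (mkdtemp(base) == NULL)
        return 0;
    snprintf(path, sizeof path, "%s/informix", base);
    fd = make_private_dir(path);
    if (fd >= 0) {
        ok = (make_private_dir(path) == -1 && errno == EEXIST);
        close(fd);
    }
    rmdir(path);
    rmdir(base);
    return ok;
}

/* Stand-alone use: create and verify the directory named on the command line. */
int main(int argc, char **argv)
{
    int fd;

    if (argc != 2) {
        fprintf(stderr, "usage: %s directory\n", argv[0]);
        return 2;
    }
    fd = make_private_dir(argv[1]);
    if (fd < 0) {
        fprintf(stderr, "%s: %s\n", argv[1], strerror(errno));
        return 1;
    }
    printf("%s created with mode 0700 and verified\n", argv[1]);
    close(fd);
    return 0;
}
```

The verification is done on the descriptor rather than on the path name, so a later rename of the directory cannot swap in a different one; the code that writes the logs should work relative to that descriptor (openat) or, failing that, only through the path just verified.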
It is also worth mentioning that Informix products running on Windows do not have this vulnerability.
The recent Cheetah announcement covering the next major version of Informix Dynamic Server had a reference to a new feature called "record-level locking". This resulted in some speculation since "row-level locking" has been part of IDS for many years.
This was meant to be Label-Based Access Control. LBAC supports access to database objects based on labels, leading to highly configurable security policies, providing significantly increased control over who can access data. As mentioned in the press release, LBAC is already supported in DB2.
Princeton Softech and the IIUG are hosting a joint webinar entitled Data Privacy... Protecting Your Informix Database on Wednesday September 27, 2006 at 3-4pm EDT. After reading the press release I had some questions about the agenda and requested more details. Eric Offenberg, product marketing manager at Princeton Softech, advises attendees can expect the following:
The registration page can be found here.