Ingres Net Security

We are considering using Ingres/Net to allow us to run OpenRoad for 
windows and connect it to our Sun unix server running Ingres 6.4/05. 
However we have the following worries about security.

1. It seems that once Ingres/Net is set up on our server then anyone from 
around the world, running Ingres/Net on their PC, could attempt to make a 
connection. Of course they would still need a valid password but there 
would be no further check. We currently connect to our server through 
Telnet. As well as a password check a user's IP address is checked 
against a valid list preventing logins from unauthorised sites. There 
doesn't seem to be any way of carrying out a similar check using 
Ingres/Net.

2. Users with a valid password could access the database not only through 
OpenRoad applications but through isql etc. This could potentially give 
them much greater power over the data. Currently our users can't access 
utilities such as isql as their unix login takes them directly into a 4GL 
application.

Has anyone discovered ways around these problems ?

Does OpenIngres tackle these issues ?

Thanks for your help,

Ewan Kilgour.

====================================================================
Ewan Kilgour                       | Ewan.Kilgour@admin.ox.ac.uk
Analyst/Programmer                 |
University Offices                 |
University of Oxford               |
Wellington Square                  | Tel: +44 (0)1865 270071
Oxford    OX1 2JD                  | Fax: +44 (0)1865 270708
====================================================================




From: tsmith@ingres.co.uk (Tony Smith)
Subject: Re: Ingres/Net Security Worries
Date: 19 Jul 1996 11:04:36 GMT

Hi Alan and Ewan,

Alan Crosswell (alan@curta.cc.columbia.edu) wrote:
: In article <31ECF449.8AE@admin.ox.ac.uk>,
: Ewan Kilgour wrote:

[snip]

: >However we have the following worries about security.
: >
: >1. It seems that once Ingres/Net is set up on our server then anyone from 
: >around the world, running Ingres/Net on their PC, could attempt to make a 
: >connection. Of course they would still need a valid password but there 
: >would be no further check. We currently connect to our server through 
: >Telnet. As well as a password check a user's IP address is checked 
: >against a valid list preventing logins from unauthorised sites. There 
: >doesn't seem to be any way of carrying out a similar check using 
: >Ingres/Net.

This could be implemented on the UNIX ports by using some cunning 
trickery with II_SHADOW_PWD. This environment variable points to an 
executable used to validate passwords on Net connections. Traditionally 
it uses the standard system calls to read from /etc/shadow or equivalent 
in systems running with C2 security but it can be customised to perform
additional validation if required. Obviously your customisations are
not supported but it works.

: It is worse than that.  You can trivially bypass Ingres/Net on Unix by
: setting II_DBMS_SERVER=hostname:portnumber.  You don't need to be
: running Net at all and can avoid "all that hassle" of passwords:-)
: Try it on a second Sun on your network.  It works here.

You can only do that if the DBMS server is directly accessible across 
a TCP/IP network. This can be disabled by converting it to use
UNIX domain sockets as its IPC protocol. You do this by setting the EV
II_GC_PROT to either UNIX or SOCK_UNIX (port dependent - do a strings on
the dbms to check which is in use and take your pick). The GCC process
still remains visible on the network, but it is the only Ingres process 
that is. Consequently, all incoming connections can be validated as per
normal or via II_SHADOW_PWD as discussed earlier. 

: The only network security in Ingres is obscurity.

Hmm. Factually incorrect and not very helpful. 

: >2. Users with a valid password could access the database not only through 
: >OpenRoad applications but through isql etc. This could potentially give 
: >them much greater power over the data. Currently our users can't access 
: >utilities such as isql as their unix login takes them directly into a 4GL 
: >application.

: You can always set appropriate permissions with the GRANT statement,
: assuming you are not worried about the identity of the user being faked
: in the first place.

With secure password validation plus any other validation you want to
implement this comes down to password security on the UNIX box.

: And, you should consider doing something with a firewall router or
: mucking with routing tables on the machine to prevent unsolicited Unix
: "guests" using II_DBMS_SERVER....  

Absolutely.

: I think it would take a bit more
: work to bypass Ingres/Net on the PC, only because of the way it's
: packaged. 

Concentrate on securing the server where your data is held and worry less
about the PC clients. II_DBMS_SERVER doesn't work across Net on PC's
because of the way it's packaged, but that's not important if it's
disabled properly anyway !

: /a


I hope this is of some help to you Ewan, if you need further advice, by 
all means drop me a line and I'll see what I can do.

Tony.

***********************************************************************
Tony Smith
CA (UK) Technical Support
tsmith@ingres.com

All opinions my very own - I must be rich to have so many !
***********************************************************************
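
A check to run after the II_GC_PROT change described in the reply above, added here as an example (it is not part of the original thread and is not Ingres tooling): it reads a listing in the format of `lsof -nP -iTCP -sTCP:LISTEN` and reports any Ingres process other than the GCC that still accepts TCP connections from other hosts. It assumes Ingres processes have names beginning with `ii` and that the GCC appears as `iigcc`; the sample listing, PIDs and ports are constructed.

```shell
#!/bin/sh
# Constructed sample in the format of `lsof -nP -iTCP -sTCP:LISTEN`.
# PIDs, device numbers and ports are made up for the example.
sample_listing() {
cat <<'EOF'
COMMAND   PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
iigcn    1201 ingres    4u  IPv4  30101      0t0  TCP 127.0.0.1:40010 (LISTEN)
iigcc    1234 ingres    5u  IPv4  30144      0t0  TCP *:21064 (LISTEN)
iidbms   1240 ingres    7u  IPv4  30150      0t0  TCP *:40123 (LISTEN)
sshd      611   root    3u  IPv4  20011      0t0  TCP *:22 (LISTEN)
EOF
}

# Reads an lsof-style listing on stdin.
# Prints one "EXPOSED <command> pid=<pid> <address>" line for every Ingres
# process (assumed: name starts with "ii") other than iigcc that listens on
# a TCP address reachable from other hosts.
# Exit status: 0 if only iigcc is network-visible, 1 otherwise.
audit_ingres_listeners() {
  awk '
    NR == 1 && $1 == "COMMAND" { next }   # skip the lsof header line
    $1 !~ /^ii/                { next }   # not an Ingres process
    $NF != "(LISTEN)"          { next }   # only listening sockets matter
    {
      addr = $(NF - 1)
      # Loopback-bound sockets are not reachable from other hosts.
      if (addr ~ /^127\./ || addr ~ /^\[::1\]/) next
      # The GCC is the one Ingres listener expected on the network.
      if ($1 == "iigcc") next
      printf "EXPOSED %s pid=%s %s\n", $1, $2, addr
      bad = 1
    }
    END { exit bad + 0 }
  '
}

# Demonstration on the constructed sample; on a live host, pipe real
# lsof output into audit_ingres_listeners instead.
sample_listing | audit_ingres_listeners \
  || echo "an Ingres process other than iigcc is reachable over TCP"
```

On the sample, the DBMS server is flagged because it still listens on a wildcard TCP address, which is the condition that lets a client bypass Net by pointing II_DBMS_SERVER at it.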

© William Yuan 2000