SlideShare a Scribd company logo

Secure PostgreSQL deployment

Command Prompt., Inc
Command Prompt., Inc

Magnus Hagander PostgreSQL supports several options for securing communications when deployed outside the typical webserver/database combination. This talk will go into some details about the features that make this possible, with some extra focus on the changes in 8.4. The main areas discussed are: * Securing the channel between client and server using SSL, including an overview of the threats and how to secure against them * Securing the login process, using LDAP, Kerberos or SSL certificates, including the use of smartcards to log into the database The talk will not focus on security and access control inside the database once the user is connected and authenticated.

1 of 42
Downloaded 75 times
1
Secure PostgreSQL Deployments JDCon-East 2010 Philadelphia, PA Magnus Hagander Redpill Linpro AB
2
There's much to security ● Identify the threats ● Apply the correct measures – Don't do things just because you can
3
Not in this talk ● Application security ● Data Access Control ● Data Encryption ● etc ● etc
4
Definitely not in this talk ● Unix vs Windows ● Linux vs BSD ● SELinux/SEPostgreSQL ● Any other religion
5
In this talk! ● Authentication methods ● Connection security
6
Authentication methods ● How do we determine who the user is ● When do we determine who the user is
7
pg_hba.conf ● Lets you use different auth methods from different clients ● Not just limited to username/password ● For convenience or security ● Internal or external
8
pg_hba.conf local all all trust host all all 127.0.0.1/32 trust host webdb webuser 10.0.0.0/24 md5 host all @dba 192.168.0.0/24 gss
9
Trust Authentication ● Any user can be anyone he/she claims to be!
10
Trust Authentication ● Any user can be anyone he/she claims to be! ● Anyone think this is a bad idea?
11
Username/password ● Normally, use md5 method – crypt has been removed, avoid plaintext ● What everybody does ● What everybody expects
12
LDAP authentication ● To the client, username/password ● Backend verification is off-loaded to directory server ● Common in enterprise deployments ● Password policies, expiry, etc
13
LDAP authentication ● Single password not single signon PostgreSQL ct Server onne 1. C sw o rd pa s qu est ord 2. Re assw e nd p 3. S Client LDAP Server
14
LDAP news in 9.0 ● search/bind combination ● Can use non-cn fields in login – Anything that's LDAP searchable – Common choice: uid
15
RADIUS (new in 9.0) ● Remote Authentication Dial In User Service ● Simple single-packet UDP service ● Original use-case: ISP dialup ● Common for one-time passwords, etc ● Good policy frameworks
16
Kerberos/GSSAPI/SSPI ● Single signon ● Same benefits as LDAP (mostly) ● Most common: Active Directory ● («krb5» is deprecated)
17
Kerberos/GSSAPI/SSPI ● Single password not single signon PostgreSQL t Server nt ticke 3. Prese 1. Req u est tic ket Client 2. Ret urn tic KDC ket
18
PAM ● Provided by OS ● Can do password, LDAP, etc ● Can also do Kerberos & friends ● One-time passwords – RSA SecurID, Vasco, etc – RADIUS (no need in 9.0)
19
SSL
20
SSL secured connections ● Encryption ● Man-in-the-middle protection ● Authentication
21
SSL secured connections ● Enabled on the server (ssl=yes) – Platform quirks! ● Optionally required through pg_hba ● Optionally required in libpq
22
SSL secured connections ● Need to protect data in both directions ● For example username/password ● Must know before connection is started – Unknown equals unprotected
23
SSL encryption ● SSL always requires a server certificate ● Can be self-signed ● Does not need to be known by client
24
Certificate chains Issuer Root certificate Issuer Intermediate certificate Issuer Server certificate
25
Certificate chains Self-signed certificate Issuer Root certificate Issuer Intermediate certificate Issuer Server certificate
26
SSL secured connections Client Server
27
Threats handled by SSL: Eavesdropping SELECT * FROM secret_stuff Client Server
28
Eavesdropping ● Prevented by encrypting all data ● Key negotiation is automatic – On initial connection – After 512Mb traffic ● Server certificate used but not verified
29
Key renegotiation ● Broken in the SSL protocol – OOPS! ● Fixed SSL libraries are available ● Broken fixes were pushed by vendors ● ssl_renegotiation_limit = 512MB
30
Threats handled by SSL: Man in the middle Valid SSL session Valid SSL session Fake server Client Server
31
SSL server verification ● On top of encryption ● Validate that the server is who it claims to be ● CA issues certificate, can be self- signed ● CA certificate known by client
32
Threats handled by SSL: Man in the middle Valid SSL session Fake server Client Server
33
SSL client authentication ● On top of encryption ● Normally on top of server verificateion, but not necessary ● CA issued certificate on client ● Match CN on certificate to user id ● Protect client certificate!
34
SSL client authentication PostgreSQL te Server ertifica esent c 1. Pr Client
35
SSL client certificates ● Can also be used together with other authentication ● Require client certificate ● Also require e.g. username/password
36
SSL in libpq ● Controlled by sslmode parameter ● Or environment PGSSLMODE ● For security, must be set on client – Remember, unknown = unsecure
37
Summary of libpq SSL modes Compatible with server set Protect against Performance to... Client Eavesdrop MITM SSL required SSL disabled overhead Mode disable no no FAIL works no allow no no works works If necessary prefer no no works works If possible require yes no works FAIL yes verify-ca yes yes works FAIL yes verify-full yes yes works FAIL yes
38
Summary of libpq SSL modes Compatible with server set Protect against Performance to... Client Eavesdrop MITM SSL required SSL disabled overhead Mode disable no no FAIL works no allow no no works works If necessary prefer no no works works If possible require yes no works FAIL yes verify-ca yes yes works FAIL yes verify-full yes yes works FAIL yes
39
Summary of libpq SSL modes Compatible with server set Protect against Performance to... Client Eavesdrop MITM SSL required SSL disabled overhead Mode disable no no FAIL works no allow no no works works If necessary prefer no no works works If possible require yes no works FAIL yes verify-ca yes yes works FAIL yes verify-full yes yes works FAIL yes
40
Summary of libpq SSL modes Compatible with server set Protect against Performance to... Client Eavesdrop MITM SSL required SSL disabled overhead Mode disable no no FAIL works no allow no no works works If necessary prefer no no works works If possible require yes no works FAIL yes verify-ca yes yes works FAIL yes verify-full yes yes works FAIL yes
41
Not a bad idea: ipsec ● If already deployed ● Application transparent ● Global policies ● Integrated management ● Somebody Elses Problem?
42
Secure PostgreSQL Deployments Questions? magnus@hagander.net Twitter: @magnushagander http://blog.hagander.net
Secure PostgreSQL Deployments JDCon-East 2010 Philadelphia, PA Magnus Hagander Redpill Linpro AB
There's much to security ● Identify the threats ● Apply the correct measures – Don't do things just because you can
Not in this talk ● Application security ● Data Access Control ● Data Encryption ● etc ● etc
Definitely not in this talk ● Unix vs Windows ● Linux vs BSD ● SELinux/SEPostgreSQL ● Any other religion
In this talk! ● Authentication methods ● Connection security
Authentication methods ● How do we determine who the user is ● When do we determine who the user is
pg_hba.conf ● Lets you use different auth methods from different clients ● Not just limited to username/password ● For convenience or security ● Internal or external
pg_hba.conf local all all trust host all all 127.0.0.1/32 trust host webdb webuser 10.0.0.0/24 md5 host all @dba 192.168.0.0/24 gss
Trust Authentication ● Any user can be anyone he/she claims to be!
Trust Authentication ● Any user can be anyone he/she claims to be! ● Anyone think this is a bad idea?
Username/password ● Normally, use md5 method – crypt has been removed, avoid plaintext ● What everybody does ● What everybody expects
LDAP authentication ● To the client, username/password ● Backend verification is off-loaded to directory server ● Common in enterprise deployments ● Password policies, expiry, etc
LDAP authentication ● Single password not single signon PostgreSQL ct Server onne 1. C sw o rd pa s qu est ord 2. Re assw e nd p 3. S Client LDAP Server
LDAP news in 9.0 ● search/bind combination ● Can use non-cn fields in login – Anything that's LDAP searchable – Common choice: uid
RADIUS (new in 9.0) ● Remote Authentication Dial In User Service ● Simple single-packet UDP service ● Original use-case: ISP dialup ● Common for one-time passwords, etc ● Good policy frameworks
Kerberos/GSSAPI/SSPI ● Single signon ● Same benefits as LDAP (mostly) ● Most common: Active Directory ● («krb5» is deprecated)
Kerberos/GSSAPI/SSPI ● Single password not single signon PostgreSQL t Server nt ticke 3. Prese 1. Req u est tic ket Client 2. Ret urn tic KDC ket
PAM ● Provided by OS ● Can do password, LDAP, etc ● Can also do Kerberos & friends ● One-time passwords – RSA SecurID, Vasco, etc – RADIUS (no need in 9.0)
SSL
SSL secured connections ● Encryption ● Man-in-the-middle protection ● Authentication
SSL secured connections ● Enabled on the server (ssl=yes) – Platform quirks! ● Optionally required through pg_hba ● Optionally required in libpq
SSL secured connections ● Need to protect data in both directions ● For example username/password ● Must know before connection is started – Unknown equals unprotected
SSL encryption ● SSL always requires a server certificate ● Can be self-signed ● Does not need to be known by client
Certificate chains Issuer Root certificate Issuer Intermediate certificate Issuer Server certificate
Certificate chains Self-signed certificate Issuer Root certificate Issuer Intermediate certificate Issuer Server certificate
SSL secured connections Client Server
Threats handled by SSL: Eavesdropping SELECT * FROM secret_stuff Client Server
Eavesdropping ● Prevented by encrypting all data ● Key negotiation is automatic – On initial connection – After 512Mb traffic ● Server certificate used but not verified
Key renegotiation ● Broken in the SSL protocol – OOPS! ● Fixed SSL libraries are available ● Broken fixes were pushed by vendors ● ssl_renegotiation_limit = 512MB
Threats handled by SSL: Man in the middle Valid SSL session Valid SSL session Fake server Client Server
SSL server verification ● On top of encryption ● Validate that the server is who it claims to be ● CA issues certificate, can be self- signed ● CA certificate known by client
Threats handled by SSL: Man in the middle Valid SSL session Fake server Client Server
SSL client authentication ● On top of encryption ● Normally on top of server verificateion, but not necessary ● CA issued certificate on client ● Match CN on certificate to user id ● Protect client certificate!
SSL client authentication PostgreSQL te Server ertifica esent c 1. Pr Client
SSL client certificates ● Can also be used together with other authentication ● Require client certificate ● Also require e.g. username/password
SSL in libpq ● Controlled by sslmode parameter ● Or environment PGSSLMODE ● For security, must be set on client – Remember, unknown = unsecure
Summary of libpq SSL modes Compatible with server set Protect against Performance to... Client Eavesdrop MITM SSL required SSL disabled overhead Mode disable no no FAIL works no allow no no works works If necessary prefer no no works works If possible require yes no works FAIL yes verify-ca yes yes works FAIL yes verify-full yes yes works FAIL yes
Summary of libpq SSL modes Compatible with server set Protect against Performance to... Client Eavesdrop MITM SSL required SSL disabled overhead Mode disable no no FAIL works no allow no no works works If necessary prefer no no works works If possible require yes no works FAIL yes verify-ca yes yes works FAIL yes verify-full yes yes works FAIL yes
Summary of libpq SSL modes Compatible with server set Protect against Performance to... Client Eavesdrop MITM SSL required SSL disabled overhead Mode disable no no FAIL works no allow no no works works If necessary prefer no no works works If possible require yes no works FAIL yes verify-ca yes yes works FAIL yes verify-full yes yes works FAIL yes
Summary of libpq SSL modes Compatible with server set Protect against Performance to... Client Eavesdrop MITM SSL required SSL disabled overhead Mode disable no no FAIL works no allow no no works works If necessary prefer no no works works If possible require yes no works FAIL yes verify-ca yes yes works FAIL yes verify-full yes yes works FAIL yes
Not a bad idea: ipsec ● If already deployed ● Application transparent ● Global policies ● Integrated management ● Somebody Elses Problem?
Secure PostgreSQL Deployments Questions? magnus@hagander.net Twitter: @magnushagander http://blog.hagander.net
Ad

Recommended

PGEncryption_Tutorial
PGEncryption_TutorialPGEncryption_Tutorial
PGEncryption_Tutorial
Vibhor Kumar
 
PostgreSQL: Welcome To Total Security
PostgreSQL: Welcome To Total SecurityPostgreSQL: Welcome To Total Security
PostgreSQL: Welcome To Total Security
Robert Bernier
 
PostgresOpen 2013 A Comparison of PostgreSQL Encryption Options
PostgresOpen 2013 A Comparison of PostgreSQL Encryption OptionsPostgresOpen 2013 A Comparison of PostgreSQL Encryption Options
PostgresOpen 2013 A Comparison of PostgreSQL Encryption Options
Faisal Akber
 
Security Best Practices for your Postgres Deployment
Security Best Practices for your Postgres DeploymentSecurity Best Practices for your Postgres Deployment
Security Best Practices for your Postgres Deployment
PGConf APAC
 
Nginx - Tips and Tricks.
Nginx - Tips and Tricks.Nginx - Tips and Tricks.
Nginx - Tips and Tricks.
Harish S
 
Load Balancing with Nginx
Load Balancing with NginxLoad Balancing with Nginx
Load Balancing with Nginx
Marian Marinov
 
Nginx dhruba mandal
Nginx dhruba mandalNginx dhruba mandal
Nginx dhruba mandal
Dhrubaji Mandal ♛
 
How to monitor NGINX
How to monitor NGINXHow to monitor NGINX
How to monitor NGINX
Server Density
 
NGINX: High Performance Load Balancing
NGINX: High Performance Load BalancingNGINX: High Performance Load Balancing
NGINX: High Performance Load Balancing
NGINX, Inc.
 
Ceph Day Melbourne - Troubleshooting Ceph
Ceph Day Melbourne - Troubleshooting Ceph Ceph Day Melbourne - Troubleshooting Ceph
Ceph Day Melbourne - Troubleshooting Ceph
Ceph Community
 
NGINX High-performance Caching
NGINX High-performance CachingNGINX High-performance Caching
NGINX High-performance Caching
NGINX, Inc.
 
A Performance Characterization of Postgres on Different Storage Systems
A Performance Characterization of Postgres on Different Storage SystemsA Performance Characterization of Postgres on Different Storage Systems
A Performance Characterization of Postgres on Different Storage Systems
Dong Ye
 
Shootout at the AWS Corral
Shootout at the AWS CorralShootout at the AWS Corral
Shootout at the AWS Corral
PostgreSQL Experts, Inc.
 
The Accidental DBA
The Accidental DBAThe Accidental DBA
The Accidental DBA
PostgreSQL Experts, Inc.
 
Extending functionality in nginx, with modules!
Extending functionality in nginx, with modules!Extending functionality in nginx, with modules!
Extending functionality in nginx, with modules!
Trygve Vea
 
제3회난공불락 오픈소스 인프라세미나 - MySQL
제3회난공불락 오픈소스 인프라세미나 - MySQL제3회난공불락 오픈소스 인프라세미나 - MySQL
제3회난공불락 오픈소스 인프라세미나 - MySQL
Tommy Lee
 
Deploying postgre sql on amazon ec2
Deploying postgre sql on amazon ec2 Deploying postgre sql on amazon ec2
Deploying postgre sql on amazon ec2
Denish Patel
 
Usenix LISA 2012 - Choosing a Proxy
Usenix LISA 2012 - Choosing a ProxyUsenix LISA 2012 - Choosing a Proxy
Usenix LISA 2012 - Choosing a Proxy
Leif Hedstrom
 
High Availability Content Caching with NGINX
High Availability Content Caching with NGINXHigh Availability Content Caching with NGINX
High Availability Content Caching with NGINX
Kevin Jones
 
How To Set Up SQL Load Balancing with HAProxy - Slides
How To Set Up SQL Load Balancing with HAProxy - SlidesHow To Set Up SQL Load Balancing with HAProxy - Slides
How To Set Up SQL Load Balancing with HAProxy - Slides
Severalnines
 
Varnish SSL / TLS
Varnish SSL / TLSVarnish SSL / TLS
Varnish SSL / TLS
Varnish Software
 
Using NGINX as an Effective and Highly Available Content Cache
Using NGINX as an Effective and Highly Available Content CacheUsing NGINX as an Effective and Highly Available Content Cache
Using NGINX as an Effective and Highly Available Content Cache
Kevin Jones
 
Load Balancing MySQL with HAProxy - Slides
Load Balancing MySQL with HAProxy - SlidesLoad Balancing MySQL with HAProxy - Slides
Load Balancing MySQL with HAProxy - Slides
Severalnines
 
Proxysql ha plam_2016_2_keynote
Proxysql ha plam_2016_2_keynoteProxysql ha plam_2016_2_keynote
Proxysql ha plam_2016_2_keynote
Marco Tusa
 
Introduction to NGINX web server
Introduction to NGINX web serverIntroduction to NGINX web server
Introduction to NGINX web server
Md Waresul Islam
 
ReplacingSquidWithATS
ReplacingSquidWithATSReplacingSquidWithATS
ReplacingSquidWithATS
Chiranjeevi Jaladi
 
Building your own CDN using Amazon EC2
Building your own CDN using Amazon EC2Building your own CDN using Amazon EC2
Building your own CDN using Amazon EC2
SergeyChernyshev
 
Rate Limiting with NGINX and NGINX Plus
Rate Limiting with NGINX and NGINX PlusRate Limiting with NGINX and NGINX Plus
Rate Limiting with NGINX and NGINX Plus
NGINX, Inc.
 
pg_hba.conf 이야기
pg_hba.conf 이야기pg_hba.conf 이야기
pg_hba.conf 이야기
PgDay.Seoul
 
Postgres in Production - Best Practices 2014
Postgres in Production - Best Practices 2014Postgres in Production - Best Practices 2014
Postgres in Production - Best Practices 2014
EDB
 

More Related Content

What's hot (20)

NGINX: High Performance Load Balancing
NGINX: High Performance Load BalancingNGINX: High Performance Load Balancing
NGINX: High Performance Load Balancing
NGINX, Inc.
 
Ceph Day Melbourne - Troubleshooting Ceph
Ceph Day Melbourne - Troubleshooting Ceph Ceph Day Melbourne - Troubleshooting Ceph
Ceph Day Melbourne - Troubleshooting Ceph
Ceph Community
 
NGINX High-performance Caching
NGINX High-performance CachingNGINX High-performance Caching
NGINX High-performance Caching
NGINX, Inc.
 
A Performance Characterization of Postgres on Different Storage Systems
A Performance Characterization of Postgres on Different Storage SystemsA Performance Characterization of Postgres on Different Storage Systems
A Performance Characterization of Postgres on Different Storage Systems
Dong Ye
 
Shootout at the AWS Corral
Shootout at the AWS CorralShootout at the AWS Corral
Shootout at the AWS Corral
PostgreSQL Experts, Inc.
 
The Accidental DBA
The Accidental DBAThe Accidental DBA
The Accidental DBA
PostgreSQL Experts, Inc.
 
Extending functionality in nginx, with modules!
Extending functionality in nginx, with modules!Extending functionality in nginx, with modules!
Extending functionality in nginx, with modules!
Trygve Vea
 
제3회난공불락 오픈소스 인프라세미나 - MySQL
제3회난공불락 오픈소스 인프라세미나 - MySQL제3회난공불락 오픈소스 인프라세미나 - MySQL
제3회난공불락 오픈소스 인프라세미나 - MySQL
Tommy Lee
 
Deploying postgre sql on amazon ec2
Deploying postgre sql on amazon ec2 Deploying postgre sql on amazon ec2
Deploying postgre sql on amazon ec2
Denish Patel
 
Usenix LISA 2012 - Choosing a Proxy
Usenix LISA 2012 - Choosing a ProxyUsenix LISA 2012 - Choosing a Proxy
Usenix LISA 2012 - Choosing a Proxy
Leif Hedstrom
 
High Availability Content Caching with NGINX
High Availability Content Caching with NGINXHigh Availability Content Caching with NGINX
High Availability Content Caching with NGINX
Kevin Jones
 
How To Set Up SQL Load Balancing with HAProxy - Slides
How To Set Up SQL Load Balancing with HAProxy - SlidesHow To Set Up SQL Load Balancing with HAProxy - Slides
How To Set Up SQL Load Balancing with HAProxy - Slides
Severalnines
 
Varnish SSL / TLS
Varnish SSL / TLSVarnish SSL / TLS
Varnish SSL / TLS
Varnish Software
 
Using NGINX as an Effective and Highly Available Content Cache
Using NGINX as an Effective and Highly Available Content CacheUsing NGINX as an Effective and Highly Available Content Cache
Using NGINX as an Effective and Highly Available Content Cache
Kevin Jones
 
Load Balancing MySQL with HAProxy - Slides
Load Balancing MySQL with HAProxy - SlidesLoad Balancing MySQL with HAProxy - Slides
Load Balancing MySQL with HAProxy - Slides
Severalnines
 
Proxysql ha plam_2016_2_keynote
Proxysql ha plam_2016_2_keynoteProxysql ha plam_2016_2_keynote
Proxysql ha plam_2016_2_keynote
Marco Tusa
 
Introduction to NGINX web server
Introduction to NGINX web serverIntroduction to NGINX web server
Introduction to NGINX web server
Md Waresul Islam
 
ReplacingSquidWithATS
ReplacingSquidWithATSReplacingSquidWithATS
ReplacingSquidWithATS
Chiranjeevi Jaladi
 
Building your own CDN using Amazon EC2
Building your own CDN using Amazon EC2Building your own CDN using Amazon EC2
Building your own CDN using Amazon EC2
SergeyChernyshev
 
Rate Limiting with NGINX and NGINX Plus
Rate Limiting with NGINX and NGINX PlusRate Limiting with NGINX and NGINX Plus
Rate Limiting with NGINX and NGINX Plus
NGINX, Inc.
 
NGINX: High Performance Load Balancing
NGINX: High Performance Load BalancingNGINX: High Performance Load Balancing
NGINX: High Performance Load Balancing
NGINX, Inc.
 
Ceph Day Melbourne - Troubleshooting Ceph
Ceph Day Melbourne - Troubleshooting Ceph Ceph Day Melbourne - Troubleshooting Ceph
Ceph Day Melbourne - Troubleshooting Ceph
Ceph Community
 
NGINX High-performance Caching
NGINX High-performance CachingNGINX High-performance Caching
NGINX High-performance Caching
NGINX, Inc.
 
A Performance Characterization of Postgres on Different Storage Systems
A Performance Characterization of Postgres on Different Storage SystemsA Performance Characterization of Postgres on Different Storage Systems
A Performance Characterization of Postgres on Different Storage Systems
Dong Ye
 
Shootout at the AWS Corral
Shootout at the AWS CorralShootout at the AWS Corral
Shootout at the AWS Corral
PostgreSQL Experts, Inc.
 
The Accidental DBA
The Accidental DBAThe Accidental DBA
The Accidental DBA
PostgreSQL Experts, Inc.
 
Extending functionality in nginx, with modules!
Extending functionality in nginx, with modules!Extending functionality in nginx, with modules!
Extending functionality in nginx, with modules!
Trygve Vea
 
제3회난공불락 오픈소스 인프라세미나 - MySQL
제3회난공불락 오픈소스 인프라세미나 - MySQL제3회난공불락 오픈소스 인프라세미나 - MySQL
제3회난공불락 오픈소스 인프라세미나 - MySQL
Tommy Lee
 
Deploying postgre sql on amazon ec2
Deploying postgre sql on amazon ec2 Deploying postgre sql on amazon ec2
Deploying postgre sql on amazon ec2
Denish Patel
 
Usenix LISA 2012 - Choosing a Proxy
Usenix LISA 2012 - Choosing a ProxyUsenix LISA 2012 - Choosing a Proxy
Usenix LISA 2012 - Choosing a Proxy
Leif Hedstrom
 
High Availability Content Caching with NGINX
High Availability Content Caching with NGINXHigh Availability Content Caching with NGINX
High Availability Content Caching with NGINX
Kevin Jones
 
How To Set Up SQL Load Balancing with HAProxy - Slides
How To Set Up SQL Load Balancing with HAProxy - SlidesHow To Set Up SQL Load Balancing with HAProxy - Slides
How To Set Up SQL Load Balancing with HAProxy - Slides
Severalnines
 
Varnish SSL / TLS
Varnish SSL / TLSVarnish SSL / TLS
Varnish SSL / TLS
Varnish Software
 
Using NGINX as an Effective and Highly Available Content Cache
Using NGINX as an Effective and Highly Available Content CacheUsing NGINX as an Effective and Highly Available Content Cache
Using NGINX as an Effective and Highly Available Content Cache
Kevin Jones
 
Load Balancing MySQL with HAProxy - Slides
Load Balancing MySQL with HAProxy - SlidesLoad Balancing MySQL with HAProxy - Slides
Load Balancing MySQL with HAProxy - Slides
Severalnines
 
Proxysql ha plam_2016_2_keynote
Proxysql ha plam_2016_2_keynoteProxysql ha plam_2016_2_keynote
Proxysql ha plam_2016_2_keynote
Marco Tusa
 
Introduction to NGINX web server
Introduction to NGINX web serverIntroduction to NGINX web server
Introduction to NGINX web server
Md Waresul Islam
 
ReplacingSquidWithATS
ReplacingSquidWithATSReplacingSquidWithATS
ReplacingSquidWithATS
Chiranjeevi Jaladi
 
Building your own CDN using Amazon EC2
Building your own CDN using Amazon EC2Building your own CDN using Amazon EC2
Building your own CDN using Amazon EC2
SergeyChernyshev
 
Rate Limiting with NGINX and NGINX Plus
Rate Limiting with NGINX and NGINX PlusRate Limiting with NGINX and NGINX Plus
Rate Limiting with NGINX and NGINX Plus
NGINX, Inc.
 

Viewers also liked (20)

pg_hba.conf 이야기
pg_hba.conf 이야기pg_hba.conf 이야기
pg_hba.conf 이야기
PgDay.Seoul
 
Postgres in Production - Best Practices 2014
Postgres in Production - Best Practices 2014Postgres in Production - Best Practices 2014
Postgres in Production - Best Practices 2014
EDB
 
Introduction to Vacuum Freezing and XID
Introduction to Vacuum Freezing and XIDIntroduction to Vacuum Freezing and XID
Introduction to Vacuum Freezing and XID
PGConf APAC
 
Java Generics Past, Present and Future - Richard Warburton, Raoul-Gabriel Urma
Java Generics Past, Present and Future - Richard Warburton, Raoul-Gabriel UrmaJava Generics Past, Present and Future - Richard Warburton, Raoul-Gabriel Urma
Java Generics Past, Present and Future - Richard Warburton, Raoul-Gabriel Urma
JAXLondon_Conference
 
PostgreSQL Portland Performance Practice Project - Database Test 2 Filesystem...
PostgreSQL Portland Performance Practice Project - Database Test 2 Filesystem...PostgreSQL Portland Performance Practice Project - Database Test 2 Filesystem...
PostgreSQL Portland Performance Practice Project - Database Test 2 Filesystem...
Mark Wong
 
24/7 Monitoring and Alerting of PostgreSQL
24/7 Monitoring and Alerting of PostgreSQL24/7 Monitoring and Alerting of PostgreSQL
24/7 Monitoring and Alerting of PostgreSQL
InMobi Technology
 
Achieving Pci Compliace
Achieving Pci CompliaceAchieving Pci Compliace
Achieving Pci Compliace
Denish Patel
 
Microservices Past, Present, Future
Microservices Past, Present, FutureMicroservices Past, Present, Future
Microservices Past, Present, Future
David Dawson
 
PostgreSQL: Past present Future
PostgreSQL: Past present FuturePostgreSQL: Past present Future
PostgreSQL: Past present Future
PGConf APAC
 
5 Steps to PostgreSQL Performance
5 Steps to PostgreSQL Performance5 Steps to PostgreSQL Performance
5 Steps to PostgreSQL Performance
Command Prompt., Inc
 
PostgreSQL Enterprise Class Features and Capabilities
PostgreSQL Enterprise Class Features and CapabilitiesPostgreSQL Enterprise Class Features and Capabilities
PostgreSQL Enterprise Class Features and Capabilities
PGConf APAC
 
Managing replication of PostgreSQL, Simon Riggs
Managing replication of PostgreSQL, Simon RiggsManaging replication of PostgreSQL, Simon Riggs
Managing replication of PostgreSQL, Simon Riggs
Fuenteovejuna
 
On The Building Of A PostgreSQL Cluster
On The Building Of A PostgreSQL ClusterOn The Building Of A PostgreSQL Cluster
On The Building Of A PostgreSQL Cluster
Srihari Sriraman
 
Lightening Talk - PostgreSQL Worst Practices
Lightening Talk - PostgreSQL Worst PracticesLightening Talk - PostgreSQL Worst Practices
Lightening Talk - PostgreSQL Worst Practices
PGConf APAC
 
Lessons PostgreSQL learned from commercial databases, and didn’t
Lessons PostgreSQL learned from commercial databases, and didn’tLessons PostgreSQL learned from commercial databases, and didn’t
Lessons PostgreSQL learned from commercial databases, and didn’t
PGConf APAC
 
PostgreSQL WAL for DBAs
PostgreSQL WAL for DBAs PostgreSQL WAL for DBAs
PostgreSQL WAL for DBAs
PGConf APAC
 
How to teach an elephant to rock'n'roll
How to teach an elephant to rock'n'rollHow to teach an elephant to rock'n'roll
How to teach an elephant to rock'n'roll
PGConf APAC
 
PostgreSQL on Amazon RDS
PostgreSQL on Amazon RDSPostgreSQL on Amazon RDS
PostgreSQL on Amazon RDS
PGConf APAC
 
Past, Present, and Future Analysis of the Architectural & Engineering Design ...
Past, Present, and Future Analysis of the Architectural & Engineering Design ...Past, Present, and Future Analysis of the Architectural & Engineering Design ...
Past, Present, and Future Analysis of the Architectural & Engineering Design ...
Lisa Dehner
 
PgDay Asia 2016 - Security Best Practices for your Postgres Deployment
PgDay Asia 2016 - Security Best Practices for your Postgres DeploymentPgDay Asia 2016 - Security Best Practices for your Postgres Deployment
PgDay Asia 2016 - Security Best Practices for your Postgres Deployment
Ashnikbiz
 
pg_hba.conf 이야기
pg_hba.conf 이야기pg_hba.conf 이야기
pg_hba.conf 이야기
PgDay.Seoul
 
Postgres in Production - Best Practices 2014
Postgres in Production - Best Practices 2014Postgres in Production - Best Practices 2014
Postgres in Production - Best Practices 2014
EDB
 
Introduction to Vacuum Freezing and XID
Introduction to Vacuum Freezing and XIDIntroduction to Vacuum Freezing and XID
Introduction to Vacuum Freezing and XID
PGConf APAC
 
Java Generics Past, Present and Future - Richard Warburton, Raoul-Gabriel Urma
Java Generics Past, Present and Future - Richard Warburton, Raoul-Gabriel UrmaJava Generics Past, Present and Future - Richard Warburton, Raoul-Gabriel Urma
Java Generics Past, Present and Future - Richard Warburton, Raoul-Gabriel Urma
JAXLondon_Conference
 
PostgreSQL Portland Performance Practice Project - Database Test 2 Filesystem...
PostgreSQL Portland Performance Practice Project - Database Test 2 Filesystem...PostgreSQL Portland Performance Practice Project - Database Test 2 Filesystem...
PostgreSQL Portland Performance Practice Project - Database Test 2 Filesystem...
Mark Wong
 
24/7 Monitoring and Alerting of PostgreSQL
24/7 Monitoring and Alerting of PostgreSQL24/7 Monitoring and Alerting of PostgreSQL
24/7 Monitoring and Alerting of PostgreSQL
InMobi Technology
 
Achieving Pci Compliace
Achieving Pci CompliaceAchieving Pci Compliace
Achieving Pci Compliace
Denish Patel
 
Microservices Past, Present, Future
Microservices Past, Present, FutureMicroservices Past, Present, Future
Microservices Past, Present, Future
David Dawson
 
PostgreSQL: Past present Future
PostgreSQL: Past present FuturePostgreSQL: Past present Future
PostgreSQL: Past present Future
PGConf APAC
 
5 Steps to PostgreSQL Performance
5 Steps to PostgreSQL Performance5 Steps to PostgreSQL Performance
5 Steps to PostgreSQL Performance
Command Prompt., Inc
 
PostgreSQL Enterprise Class Features and Capabilities
PostgreSQL Enterprise Class Features and CapabilitiesPostgreSQL Enterprise Class Features and Capabilities
PostgreSQL Enterprise Class Features and Capabilities
PGConf APAC
 
Managing replication of PostgreSQL, Simon Riggs
Managing replication of PostgreSQL, Simon RiggsManaging replication of PostgreSQL, Simon Riggs
Managing replication of PostgreSQL, Simon Riggs
Fuenteovejuna
 
On The Building Of A PostgreSQL Cluster
On The Building Of A PostgreSQL ClusterOn The Building Of A PostgreSQL Cluster
On The Building Of A PostgreSQL Cluster
Srihari Sriraman
 
Lightening Talk - PostgreSQL Worst Practices
Lightening Talk - PostgreSQL Worst PracticesLightening Talk - PostgreSQL Worst Practices
Lightening Talk - PostgreSQL Worst Practices
PGConf APAC
 
Lessons PostgreSQL learned from commercial databases, and didn’t
Lessons PostgreSQL learned from commercial databases, and didn’tLessons PostgreSQL learned from commercial databases, and didn’t
Lessons PostgreSQL learned from commercial databases, and didn’t
PGConf APAC
 
PostgreSQL WAL for DBAs
PostgreSQL WAL for DBAs PostgreSQL WAL for DBAs
PostgreSQL WAL for DBAs
PGConf APAC
 
How to teach an elephant to rock'n'roll
How to teach an elephant to rock'n'rollHow to teach an elephant to rock'n'roll
How to teach an elephant to rock'n'roll
PGConf APAC
 
PostgreSQL on Amazon RDS
PostgreSQL on Amazon RDSPostgreSQL on Amazon RDS
PostgreSQL on Amazon RDS
PGConf APAC
 
Past, Present, and Future Analysis of the Architectural & Engineering Design ...
Past, Present, and Future Analysis of the Architectural & Engineering Design ...Past, Present, and Future Analysis of the Architectural & Engineering Design ...
Past, Present, and Future Analysis of the Architectural & Engineering Design ...
Lisa Dehner
 
PgDay Asia 2016 - Security Best Practices for your Postgres Deployment
PgDay Asia 2016 - Security Best Practices for your Postgres DeploymentPgDay Asia 2016 - Security Best Practices for your Postgres Deployment
PgDay Asia 2016 - Security Best Practices for your Postgres Deployment
Ashnikbiz
 
Ad

Similar to Secure PostgreSQL deployment (20)

PG Day'14 Russia, Secure PostgreSQL Deployment, Magnus Hagander
PG Day'14 Russia, Secure PostgreSQL Deployment, Magnus HaganderPG Day'14 Russia, Secure PostgreSQL Deployment, Magnus Hagander
PG Day'14 Russia, Secure PostgreSQL Deployment, Magnus Hagander
pgdayrussia
 
TLS Optimization
TLS OptimizationTLS Optimization
TLS Optimization
Nate Lawson
 
Tlsoptimizationprint 120224194603-phpapp02
Tlsoptimizationprint 120224194603-phpapp02Tlsoptimizationprint 120224194603-phpapp02
Tlsoptimizationprint 120224194603-phpapp02
fangjiafu
 
Vital Aspects of SSL Support in MySQL
Vital Aspects of SSL Support in MySQLVital Aspects of SSL Support in MySQL
Vital Aspects of SSL Support in MySQL
Lesa Cote
 
Ssl tls-beginners-guide
Ssl tls-beginners-guideSsl tls-beginners-guide
Ssl tls-beginners-guide
JosephLamineDIALLO
 
BAIT1103 Chapter 4
BAIT1103 Chapter 4BAIT1103 Chapter 4
BAIT1103 Chapter 4
limsh
 
Shmat ccs12
Shmat ccs12Shmat ccs12
Shmat ccs12
Rahul Sule
 
TLS/SSL Protocol Design 201006
TLS/SSL Protocol Design 201006TLS/SSL Protocol Design 201006
TLS/SSL Protocol Design 201006
Nate Lawson
 
Secure socket layer
Secure socket layerSecure socket layer
Secure socket layer
BU
 
Certificate Management on pfSense 2.4 - pfSense Hangout September 2017
Certificate Management on pfSense 2.4 - pfSense Hangout September 2017Certificate Management on pfSense 2.4 - pfSense Hangout September 2017
Certificate Management on pfSense 2.4 - pfSense Hangout September 2017
Netgate
 
Unsafe SSL webinar
Unsafe SSL webinarUnsafe SSL webinar
Unsafe SSL webinar
Wolfgang Kandek
 
SSL certificates in the Oracle Database without surprises
SSL certificates in the Oracle Database without surprisesSSL certificates in the Oracle Database without surprises
SSL certificates in the Oracle Database without surprises
Nelson Calero
 
Protecting MySQL Network traffic
Protecting MySQL Network trafficProtecting MySQL Network traffic
Protecting MySQL Network traffic
Daniël van Eeden
 
Ssl Https Server
Ssl Https ServerSsl Https Server
Ssl Https Server
Ram Srivastava
 
Secure Gate / Reverse Proxy - WAF 1ere génération / Datelec
Secure Gate / Reverse Proxy - WAF 1ere génération / DatelecSecure Gate / Reverse Proxy - WAF 1ere génération / Datelec
Secure Gate / Reverse Proxy - WAF 1ere génération / Datelec
Sylvain Maret
 
Oralce SSL walelt -TCPS_Troubleshooting_PB.pptx
Oralce SSL walelt -TCPS_Troubleshooting_PB.pptxOralce SSL walelt -TCPS_Troubleshooting_PB.pptx
Oralce SSL walelt -TCPS_Troubleshooting_PB.pptx
ssuser865ecd
 
Certificates and Web of Trust
Certificates and Web of TrustCertificates and Web of Trust
Certificates and Web of Trust
Yousof Alsatom
 
FreeBSD and Hardening Web Server
FreeBSD and Hardening Web ServerFreeBSD and Hardening Web Server
FreeBSD and Hardening Web Server
Muhammad Moinur Rahman
 
SSL, X.509, HTTPS - How to configure your HTTPS server
SSL, X.509, HTTPS - How to configure your HTTPS serverSSL, X.509, HTTPS - How to configure your HTTPS server
SSL, X.509, HTTPS - How to configure your HTTPS server
hannob
 
Introduction to Secure Sockets Layer
Introduction to Secure Sockets LayerIntroduction to Secure Sockets Layer
Introduction to Secure Sockets Layer
Nascenia IT
 
PG Day'14 Russia, Secure PostgreSQL Deployment, Magnus Hagander
PG Day'14 Russia, Secure PostgreSQL Deployment, Magnus HaganderPG Day'14 Russia, Secure PostgreSQL Deployment, Magnus Hagander
PG Day'14 Russia, Secure PostgreSQL Deployment, Magnus Hagander
pgdayrussia
 
TLS Optimization
TLS OptimizationTLS Optimization
TLS Optimization
Nate Lawson
 
Tlsoptimizationprint 120224194603-phpapp02
Tlsoptimizationprint 120224194603-phpapp02Tlsoptimizationprint 120224194603-phpapp02
Tlsoptimizationprint 120224194603-phpapp02
fangjiafu
 
Vital Aspects of SSL Support in MySQL
Vital Aspects of SSL Support in MySQLVital Aspects of SSL Support in MySQL
Vital Aspects of SSL Support in MySQL
Lesa Cote
 
Ssl tls-beginners-guide
Ssl tls-beginners-guideSsl tls-beginners-guide
Ssl tls-beginners-guide
JosephLamineDIALLO
 
BAIT1103 Chapter 4
BAIT1103 Chapter 4BAIT1103 Chapter 4
BAIT1103 Chapter 4
limsh
 
Shmat ccs12
Shmat ccs12Shmat ccs12
Shmat ccs12
Rahul Sule
 
TLS/SSL Protocol Design 201006
TLS/SSL Protocol Design 201006TLS/SSL Protocol Design 201006
TLS/SSL Protocol Design 201006
Nate Lawson
 
Secure socket layer
Secure socket layerSecure socket layer
Secure socket layer
BU
 
Certificate Management on pfSense 2.4 - pfSense Hangout September 2017
Certificate Management on pfSense 2.4 - pfSense Hangout September 2017Certificate Management on pfSense 2.4 - pfSense Hangout September 2017
Certificate Management on pfSense 2.4 - pfSense Hangout September 2017
Netgate
 
Unsafe SSL webinar
Unsafe SSL webinarUnsafe SSL webinar
Unsafe SSL webinar
Wolfgang Kandek
 
SSL certificates in the Oracle Database without surprises
SSL certificates in the Oracle Database without surprisesSSL certificates in the Oracle Database without surprises
SSL certificates in the Oracle Database without surprises
Nelson Calero
 
Protecting MySQL Network traffic
Protecting MySQL Network trafficProtecting MySQL Network traffic
Protecting MySQL Network traffic
Daniël van Eeden
 
Ssl Https Server
Ssl Https ServerSsl Https Server
Ssl Https Server
Ram Srivastava
 
Secure Gate / Reverse Proxy - WAF 1ere génération / Datelec
Secure Gate / Reverse Proxy - WAF 1ere génération / DatelecSecure Gate / Reverse Proxy - WAF 1ere génération / Datelec
Secure Gate / Reverse Proxy - WAF 1ere génération / Datelec
Sylvain Maret
 
Oralce SSL walelt -TCPS_Troubleshooting_PB.pptx
Oralce SSL walelt -TCPS_Troubleshooting_PB.pptxOralce SSL walelt -TCPS_Troubleshooting_PB.pptx
Oralce SSL walelt -TCPS_Troubleshooting_PB.pptx
ssuser865ecd
 
Certificates and Web of Trust
Certificates and Web of TrustCertificates and Web of Trust
Certificates and Web of Trust
Yousof Alsatom
 
FreeBSD and Hardening Web Server
FreeBSD and Hardening Web ServerFreeBSD and Hardening Web Server
FreeBSD and Hardening Web Server
Muhammad Moinur Rahman
 
SSL, X.509, HTTPS - How to configure your HTTPS server
SSL, X.509, HTTPS - How to configure your HTTPS serverSSL, X.509, HTTPS - How to configure your HTTPS server
SSL, X.509, HTTPS - How to configure your HTTPS server
hannob
 
Introduction to Secure Sockets Layer
Introduction to Secure Sockets LayerIntroduction to Secure Sockets Layer
Introduction to Secure Sockets Layer
Nascenia IT
 
Ad

More from Command Prompt., Inc (20)

Howdah - An Application using Pylons, PostgreSQL, Simpycity and Exceptable
Howdah - An Application using Pylons, PostgreSQL, Simpycity and ExceptableHowdah - An Application using Pylons, PostgreSQL, Simpycity and Exceptable
Howdah - An Application using Pylons, PostgreSQL, Simpycity and Exceptable
Command Prompt., Inc
 
Backup and-recovery2
Backup and-recovery2Backup and-recovery2
Backup and-recovery2
Command Prompt., Inc
 
Mastering PostgreSQL Administration
Mastering PostgreSQL AdministrationMastering PostgreSQL Administration
Mastering PostgreSQL Administration
Command Prompt., Inc
 
Temporal Data
Temporal DataTemporal Data
Temporal Data
Command Prompt., Inc
 
Replication using PostgreSQL Replicator
Replication using PostgreSQL ReplicatorReplication using PostgreSQL Replicator
Replication using PostgreSQL Replicator
Command Prompt., Inc
 
Go replicator
Go replicatorGo replicator
Go replicator
Command Prompt., Inc
 
Pg migrator
Pg migratorPg migrator
Pg migrator
Command Prompt., Inc
 
Python utilities for data presentation
Python utilities for data presentationPython utilities for data presentation
Python utilities for data presentation
Command Prompt., Inc
 
PostgreSQL, Extensible to the Nth Degree: Functions, Languages, Types, Rules,...
PostgreSQL, Extensible to the Nth Degree: Functions, Languages, Types, Rules,...PostgreSQL, Extensible to the Nth Degree: Functions, Languages, Types, Rules,...
PostgreSQL, Extensible to the Nth Degree: Functions, Languages, Types, Rules,...
Command Prompt., Inc
 
pg_proctab: Accessing System Stats in PostgreSQL
pg_proctab: Accessing System Stats in PostgreSQLpg_proctab: Accessing System Stats in PostgreSQL
pg_proctab: Accessing System Stats in PostgreSQL
Command Prompt., Inc
 
Not Just UNIQUE: Generalized Index Constraints
Not Just UNIQUE: Generalized Index ConstraintsNot Just UNIQUE: Generalized Index Constraints
Not Just UNIQUE: Generalized Index Constraints
Command Prompt., Inc
 
Implementing the Future of PostgreSQL Clustering with Tungsten
Implementing the Future of PostgreSQL Clustering with TungstenImplementing the Future of PostgreSQL Clustering with Tungsten
Implementing the Future of PostgreSQL Clustering with Tungsten
Command Prompt., Inc
 
Elephant Roads: a tour of Postgres forks
Elephant Roads: a tour of Postgres forksElephant Roads: a tour of Postgres forks
Elephant Roads: a tour of Postgres forks
Command Prompt., Inc
 
configuring a warm standby, the easy way
configuring a warm standby, the easy wayconfiguring a warm standby, the easy way
configuring a warm standby, the easy way
Command Prompt., Inc
 
Bucardo
BucardoBucardo
Bucardo
Command Prompt., Inc
 
Basic Query Tuning Primer
Basic Query Tuning PrimerBasic Query Tuning Primer
Basic Query Tuning Primer
Command Prompt., Inc
 
A Practical Multi-Tenant Cluster
A Practical Multi-Tenant ClusterA Practical Multi-Tenant Cluster
A Practical Multi-Tenant Cluster
Command Prompt., Inc
 
Normalization: A Workshop for Everybody Pt. 2
Normalization: A Workshop for Everybody Pt. 2Normalization: A Workshop for Everybody Pt. 2
Normalization: A Workshop for Everybody Pt. 2
Command Prompt., Inc
 
Normalization: A Workshop for Everybody Pt. 1
Normalization: A Workshop for Everybody Pt. 1Normalization: A Workshop for Everybody Pt. 1
Normalization: A Workshop for Everybody Pt. 1
Command Prompt., Inc
 
Integrating PostGIS in Web Applications
Integrating PostGIS in Web ApplicationsIntegrating PostGIS in Web Applications
Integrating PostGIS in Web Applications
Command Prompt., Inc
 
Howdah - An Application using Pylons, PostgreSQL, Simpycity and Exceptable
Howdah - An Application using Pylons, PostgreSQL, Simpycity and ExceptableHowdah - An Application using Pylons, PostgreSQL, Simpycity and Exceptable
Howdah - An Application using Pylons, PostgreSQL, Simpycity and Exceptable
Command Prompt., Inc
 
Backup and-recovery2
Backup and-recovery2Backup and-recovery2
Backup and-recovery2
Command Prompt., Inc
 
Mastering PostgreSQL Administration
Mastering PostgreSQL AdministrationMastering PostgreSQL Administration
Mastering PostgreSQL Administration
Command Prompt., Inc
 
Temporal Data
Temporal DataTemporal Data
Temporal Data
Command Prompt., Inc
 
Replication using PostgreSQL Replicator
Replication using PostgreSQL ReplicatorReplication using PostgreSQL Replicator
Replication using PostgreSQL Replicator
Command Prompt., Inc
 
Go replicator
Go replicatorGo replicator
Go replicator
Command Prompt., Inc
 
Pg migrator
Pg migratorPg migrator
Pg migrator
Command Prompt., Inc
 
Python utilities for data presentation
Python utilities for data presentationPython utilities for data presentation
Python utilities for data presentation
Command Prompt., Inc
 
PostgreSQL, Extensible to the Nth Degree: Functions, Languages, Types, Rules,...
PostgreSQL, Extensible to the Nth Degree: Functions, Languages, Types, Rules,...PostgreSQL, Extensible to the Nth Degree: Functions, Languages, Types, Rules,...
PostgreSQL, Extensible to the Nth Degree: Functions, Languages, Types, Rules,...
Command Prompt., Inc
 
pg_proctab: Accessing System Stats in PostgreSQL
pg_proctab: Accessing System Stats in PostgreSQLpg_proctab: Accessing System Stats in PostgreSQL
pg_proctab: Accessing System Stats in PostgreSQL
Command Prompt., Inc
 
Not Just UNIQUE: Generalized Index Constraints
Not Just UNIQUE: Generalized Index ConstraintsNot Just UNIQUE: Generalized Index Constraints
Not Just UNIQUE: Generalized Index Constraints
Command Prompt., Inc
 
Implementing the Future of PostgreSQL Clustering with Tungsten
Implementing the Future of PostgreSQL Clustering with TungstenImplementing the Future of PostgreSQL Clustering with Tungsten
Implementing the Future of PostgreSQL Clustering with Tungsten
Command Prompt., Inc
 
Elephant Roads: a tour of Postgres forks
Elephant Roads: a tour of Postgres forksElephant Roads: a tour of Postgres forks
Elephant Roads: a tour of Postgres forks
Command Prompt., Inc
 
configuring a warm standby, the easy way
configuring a warm standby, the easy wayconfiguring a warm standby, the easy way
configuring a warm standby, the easy way
Command Prompt., Inc
 
Bucardo
BucardoBucardo
Bucardo
Command Prompt., Inc
 
Basic Query Tuning Primer
Basic Query Tuning PrimerBasic Query Tuning Primer
Basic Query Tuning Primer
Command Prompt., Inc
 
A Practical Multi-Tenant Cluster
A Practical Multi-Tenant ClusterA Practical Multi-Tenant Cluster
A Practical Multi-Tenant Cluster
Command Prompt., Inc
 
Normalization: A Workshop for Everybody Pt. 2
Normalization: A Workshop for Everybody Pt. 2Normalization: A Workshop for Everybody Pt. 2
Normalization: A Workshop for Everybody Pt. 2
Command Prompt., Inc
 
Normalization: A Workshop for Everybody Pt. 1
Normalization: A Workshop for Everybody Pt. 1Normalization: A Workshop for Everybody Pt. 1
Normalization: A Workshop for Everybody Pt. 1
Command Prompt., Inc
 
Integrating PostGIS in Web Applications
Integrating PostGIS in Web ApplicationsIntegrating PostGIS in Web Applications
Integrating PostGIS in Web Applications
Command Prompt., Inc
 

Secure PostgreSQL deployment

  • 1. Secure PostgreSQL Deployments JDCon-East 2010 Philadelphia, PA Magnus Hagander Redpill Linpro AB
  • 2. There's much to security ● Identify the threats ● Apply the correct measures – Don't do things just because you can
  • 3. Not in this talk ● Application security ● Data Access Control ● Data Encryption ● etc ● etc
  • 4. Definitely not in this talk ● Unix vs Windows ● Linux vs BSD ● SELinux/SEPostgreSQL ● Any other religion
  • 5. In this talk! ● Authentication methods ● Connection security
  • 6. Authentication methods ● How do we determine who the user is ● When do we determine who the user is
  • 7. pg_hba.conf ● Lets you use different auth methods from different clients ● Not just limited to username/password ● For convenience or security ● Internal or external
  • 8. pg_hba.conf local all all trust host all all 127.0.0.1/32 trust host webdb webuser 10.0.0.0/24 md5 host all @dba 192.168.0.0/24 gss
  • 9. Trust Authentication ● Any user can be anyone he/she claims to be!
  • 10. Trust Authentication ● Any user can be anyone he/she claims to be! ● Anyone think this is a bad idea?
  • 11. Username/password ● Normally, use md5 method – crypt has been removed, avoid plaintext ● What everybody does ● What everybody expects
  • 12. LDAP authentication ● To the client, username/password ● Backend verification is off-loaded to directory server ● Common in enterprise deployments ● Password policies, expiry, etc
  • 13. LDAP authentication ● Single password not single signon PostgreSQL ct Server onne 1. C sw o rd pa s qu est ord 2. Re assw e nd p 3. S Client LDAP Server
  • 14. LDAP news in 9.0 ● search/bind combination ● Can use non-cn fields in login – Anything that's LDAP searchable – Common choice: uid
  • 15. RADIUS (new in 9.0) ● Remote Authentication Dial In User Service ● Simple single-packet UDP service ● Original use-case: ISP dialup ● Common for one-time passwords, etc ● Good policy frameworks
  • 16. Kerberos/GSSAPI/SSPI ● Single signon ● Same benefits as LDAP (mostly) ● Most common: Active Directory ● («krb5» is deprecated)
  • 17. Kerberos/GSSAPI/SSPI ● Single password not single signon PostgreSQL t Server nt ticke 3. Prese 1. Req u est tic ket Client 2. Ret urn tic KDC ket
  • 18. PAM ● Provided by OS ● Can do password, LDAP, etc ● Can also do Kerberos & friends ● One-time passwords – RSA SecurID, Vasco, etc – RADIUS (no need in 9.0)
  • 19. SSL
  • 20. SSL secured connections ● Encryption ● Man-in-the-middle protection ● Authentication
  • 21. SSL secured connections ● Enabled on the server (ssl=yes) – Platform quirks! ● Optionally required through pg_hba ● Optionally required in libpq
  • 22. SSL secured connections ● Need to protect data in both directions ● For example username/password ● Must know before connection is started – Unknown equals unprotected
  • 23. SSL encryption ● SSL always requires a server certificate ● Can be self-signed ● Does not need to be known by client
  • 24. Certificate chains Issuer Root certificate Issuer Intermediate certificate Issuer Server certificate
  • 25. Certificate chains Self-signed certificate Issuer Root certificate Issuer Intermediate certificate Issuer Server certificate
  • 27. Threats handled by SSL: Eavesdropping SELECT * FROM secret_stuff Client Server
  • 28. Eavesdropping ● Prevented by encrypting all data ● Key negotiation is automatic – On initial connection – After 512Mb traffic ● Server certificate used but not verified
  • 29. Key renegotiation ● Broken in the SSL protocol – OOPS! ● Fixed SSL libraries are available ● Broken fixes were pushed by vendors ● ssl_renegotiation_limit = 512MB
  • 30. Threats handled by SSL: Man in the middle Valid SSL session Valid SSL session Fake server Client Server
  • 31. SSL server verification ● On top of encryption ● Validate that the server is who it claims to be ● CA issues certificate, can be self- signed ● CA certificate known by client
  • 32. Threats handled by SSL: Man in the middle Valid SSL session Fake server Client Server
  • 33. SSL client authentication ● On top of encryption ● Normally on top of server verificateion, but not necessary ● CA issued certificate on client ● Match CN on certificate to user id ● Protect client certificate!
  • 34. SSL client authentication PostgreSQL te Server ertifica esent c 1. Pr Client
  • 35. SSL client certificates ● Can also be used together with other authentication ● Require client certificate ● Also require e.g. username/password
  • 36. SSL in libpq ● Controlled by sslmode parameter ● Or environment PGSSLMODE ● For security, must be set on client – Remember, unknown = unsecure
  • 37. Summary of libpq SSL modes Compatible with server set Protect against Performance to... Client Eavesdrop MITM SSL required SSL disabled overhead Mode disable no no FAIL works no allow no no works works If necessary prefer no no works works If possible require yes no works FAIL yes verify-ca yes yes works FAIL yes verify-full yes yes works FAIL yes
  • 38. Summary of libpq SSL modes Compatible with server set Protect against Performance to... Client Eavesdrop MITM SSL required SSL disabled overhead Mode disable no no FAIL works no allow no no works works If necessary prefer no no works works If possible require yes no works FAIL yes verify-ca yes yes works FAIL yes verify-full yes yes works FAIL yes
  • 39. Summary of libpq SSL modes Compatible with server set Protect against Performance to... Client Eavesdrop MITM SSL required SSL disabled overhead Mode disable no no FAIL works no allow no no works works If necessary prefer no no works works If possible require yes no works FAIL yes verify-ca yes yes works FAIL yes verify-full yes yes works FAIL yes
  • 40. Summary of libpq SSL modes Compatible with server set Protect against Performance to... Client Eavesdrop MITM SSL required SSL disabled overhead Mode disable no no FAIL works no allow no no works works If necessary prefer no no works works If possible require yes no works FAIL yes verify-ca yes yes works FAIL yes verify-full yes yes works FAIL yes
  • 41. Not a bad idea: ipsec ● If already deployed ● Application transparent ● Global policies ● Integrated management ● Somebody Elses Problem?
  • 42. Secure PostgreSQL Deployments Questions? [email protected] Twitter: @magnushagander http://blog.hagander.net