One of the first things that I did at my former job was to turn off all external-facing network adapters to our DB machines. If you're fortunate enough that your DB resides on it's own box and not the webserver itself, then there's really no reason that you *need* to have it externally facing. There are PLENTY of solutions that you can put in place in order to still have remote access to those machines without them having an externally routable IP.
While it is possible for a hacker to compromise one machine and then access the DB machine over your internal WAN at the hosting location, the more roadblocks you put between a potential hacker and your sensitive data, the better. -M -----Original Message----- From: Curley, Thomas [mailto:[EMAIL PROTECTED] Sent: Wednesday, November 26, 2003 8:22 AM To: [EMAIL PROTECTED] Subject: RE: Security Question Importance: High thanks for reply - the requirement comes from a security audit - so try to think in terms of a hacker Obviously and (I had assumed) 1. - the files would have tight unix security file permissions applied 2. - indeed the key would be stored on an internal tightly managed box (or device) Another Assumption ------------------ Encrypting / decrypting all data on the fly would be too expensive and grind the app to a halt So the question again :- Any ideas on how to avoid having data files stored with absolutely no protection against copying ???? If there is no solution to this then MySql should not be used on internet accessible boxes for dynamic web sites Thomas -----Original Message----- From: Fagyal, Csongor [mailto:[EMAIL PROTECTED] Sent: 26 November 2003 12:51 To: Curley, Thomas Cc: [EMAIL PROTECTED] Subject: Re: Security Question Thomas, >I am trying to find a solution to the following security issue with >MySql DB on linux > >- Someone copies the DB files to another box, starts a mysql instance, >loads the DB and presto - views the 'private' data !!! > > Well, "someone" should not have access rights to the DB files on the first hand. >Ideally I would like to know if there is any option in MySql to store >the DB files in a secure format and one that needs a key or similiar to open the DB > > If someone was able to access your DB files, he would probably also be able to access that key (that you must store _somewhere_), wouldn't he? - Csongor **************************************************************************** ***************** This email and any attachments are confidential and intended for the sole use of the intended recipient(s).If you receive this email in error please notify [EMAIL PROTECTED] and delete it from your system. Any unauthorized dissemination, retransmission, or copying of this email and any attachments is prohibited. Euroconex does not accept any responsibility for any breach of confidence, which may arise from the use of email. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the Company. This message has been scanned for known computer viruses. **************************************************************************** ***************** -- MySQL General Mailing List For list archives: http://lists.mysql.com/mysql To unsubscribe: http://lists.mysql.com/[EMAIL PROTECTED] -- MySQL General Mailing List For list archives: http://lists.mysql.com/mysql To unsubscribe: http://lists.mysql.com/[EMAIL PROTECTED]
