View Full Version : How serious a threat is IP spoofing?
TXsys 10-14-2003, 05:52 PM Since one layer of security on a couple of the ports of my server is a set of firewall rules restricting access to certain IPs, I wonder how strong a barrier this is.
I know IPs can be spoofed, but each of the attack methods I am aware of (not counting DOS attacks) requires some form of man-in-the-middle to hijack a legitimate session after it was authenticated in the beginning.
This possibility seems to me to be rather remote, but I wonder if I am wrong. Specifically, I am concerned about TCP port 3306, which is used for updating MySQL databases.
Any opinions?
genlee 10-15-2003, 11:52 AM If you need to send sensitive data over the internet, I suggest you use a vpn to prevent "man in the middle" type attacks. If you are running mysql and do not require any connections to it from outside hosts, just disable the networking part of it so it only accepts connections to the unix socket.
TXsys 10-15-2003, 12:34 PM Originally posted by genlee
If you need to send sensitive data over the internet, I suggest you use a vpn to prevent "man in the middle" type attacks.
Thanks.
I know I could get better security with a VPN, but I'm wondering how vulnerable I am without one. I use a MySQL connection to update the back-end database for our web site, which of course does require a connection to an outside host.
The security measures in place are:
Firewall rules and MySQL host login definition limiting the host to trusted IPs
Strong password on the remote MySQL account.
Limited privileges to the remote MySQL account
A low limit on MySQL's max_connect_errors, which shuts off access to a host after several unsuccessful logins.
My data is not "sensitive" in the sense of national security or monetary value, but it is mine and I don't want it messed with.
So I'm trying to weigh the risk of not having a VPN.
Slidey 10-15-2003, 01:41 PM http://www.securityfocus.com/infocus/1674
http://www.securityfocus.com/archive/105/271718
These articles will explain it better than I will.
genlee 10-15-2003, 01:46 PM MySQL has native support for SSL connections. Just need to create some server/client certs, tell mysqld to use the server certs and copy the client ones over to the other machine to use. There is a howto on the mysql site. You can require the user to have a cert signed by the generated CA on the mysqld which would make it impossible for anyone to connect unless they can steal the cert from your client.
TXsys 10-15-2003, 02:09 PM Originally posted by genlee
MySQL has native support for SSL connections. ...
I am exploring that, thanks. My immediate problem is that this is a Windows box, and the MySQL binary distribution for Windows apparently does not support SSL. Perhaps this will be remedied in the future.
The problem, BTW, appears to be a licensing issue:
http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=bbvdsu%241il%241%40FreeBSD.csie.NCTU.edu.tw
One can compile and build one's own Windows version from source to include SSL, but I'm too lazy and C-challenged to do this.
hiryuu 10-15-2003, 03:37 PM Hmm... do any of the Windows SSH packages have port forwarding? You could tunnel SQL connections through SSH (that's what we do, since we set this up prior to embedded SSL).
As for risk level unencrypted, you are certainly vulnerable to man-in-the-middle and on-subnet attacks. I wouldn't trust this on a dedicated server or broadband hookup, since you don't know quite what's on your subnet. Blind sequence prediction is expensive unless you know you will get something of value from a successful hijack.
So... you will probably be okay, but I wouldn't trust it for anything you can't afford to leak.
TXsys 10-15-2003, 03:55 PM Originally posted by hiryuu
Hmm... do any of the Windows SSH packages have port forwarding? You could tunnel SQL connections through SSH (that's what we do, since we set this up prior to embedded SSL).
As for risk level unencrypted, you are certainly vulnerable to man-in-the-middle and on-subnet attacks. I wouldn't trust this on a dedicated server or broadband hookup, since you don't know quite what's on your subnet. Blind sequence prediction is expensive unless you know you will get something of value from a successful hijack.
So... you will probably be okay, but I wouldn't trust it for anything you can't afford to leak.
I don't know about SSH.
When you mention risks on a dedicated-server subnet, do you mean upstream in the hosting provider's network? I had not thought of that.
I'm not that concerned about the data being passively intercepted; ultimately it is all being published anyway. But I would not want anyone to be able to write or alter data on its way to the server.
hiryuu 10-15-2003, 09:48 PM In the dedicated server case, I meant you usually have a dozen or more servers all hooked into a switch, and that switch is hooked into the router. The router only knows that a certain IP range (subnet) goes to a given switch. Any server on that switch can pass itself off as the owner of any IP in that subnet (IP spoofing).
So a less than scrupulous fellow customer reroutes your IP for a moment, notices mysql traffic coming in, and lets it slide back. They put up a quick mysql server and snag the IP again. Now they can save the mysql traffic as it comes in and pull the login and password out of it.
TXsys 10-15-2003, 10:22 PM I see. You're talking about another server spoofing my server's IP. I was worried about someone spoofing the remote, trusted IP of a MySQL client, and I don't see how that can happen there.
Also, in the scenario you pose, doesn't this generate a bunch of network errors at the switch or router, with two servers claiming the same static IP? So the local NOC admins would be alerted?
hiryuu 10-15-2003, 11:49 PM Not errors, per se, but the router may log ARP changes.
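The ARP-change logging hiryuu mentions, worked into a small detector as an added example (not code from the thread or from any router vendor). It assumes a constructed log line format and constructed sample entries; a real router's ARP log syntax will differ, so only the parser would need adapting. It flags both the plain IP-to-MAC change and the brief grab-and-release pattern described above, and names which neighbouring IP the claiming MAC already answers for.

```python
import re
from datetime import datetime, timedelta

# Constructed log format (an assumption, not any real router's syntax):
#   "<ISO-8601 time> arp: <ip> is-at <mac>"
ARP_RE = re.compile(
    r"^(?P<ts>\S+) arp: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})$", re.IGNORECASE)

def parse_arp_line(line):
    """Return (timestamp, ip, mac) for a matching line, else None."""
    m = ARP_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["ip"], m["mac"].lower()

def detect_arp_changes(lines, flap_window=timedelta(minutes=10)):
    """Alert on every IP whose MAC changes: kind 'change' for a MAC not seen
    before, 'flap' when the IP returns to a MAC it had within flap_window
    (grab-and-release); also_claims names other IPs the new MAC answers for."""
    current, history, alerts = {}, {}, []
    for line in lines:
        rec = parse_arp_line(line)
        if rec is None:
            continue  # unrelated log line
        ts, ip, mac = rec
        history.setdefault(ip, []).append((mac, ts))
        old_mac = current.get(ip)
        current[ip] = mac
        if old_mac is None or old_mac == mac:
            continue
        kind = "change"
        for seen_mac, seen_ts in history[ip][:-1]:
            if seen_mac == mac and ts - seen_ts <= flap_window:
                kind = "flap"
        alerts.append({"kind": kind, "ip": ip, "old_mac": old_mac,
                       "new_mac": mac, "time": ts.isoformat(),
                       "also_claims": sorted(i for i, mc in current.items()
                                             if mc == mac and i != ip)})
    return alerts

# Constructed sample: the MySQL server 203.0.113.10 is briefly claimed by
# the MAC of its neighbour 203.0.113.11, then returns to its own MAC.
SAMPLE_LOG = [
    "2003-10-15T23:40:00 arp: 203.0.113.10 is-at 02:00:00:00:00:0a",
    "2003-10-15T23:40:05 arp: 203.0.113.11 is-at 02:00:00:00:00:0b",
    "2003-10-15T23:47:30 arp: 203.0.113.10 is-at 02:00:00:00:00:0b",
    "not an arp line",
    "2003-10-15T23:49:10 arp: 203.0.113.10 is-at 02:00:00:00:00:0a",
]
```

Running `detect_arp_changes(SAMPLE_LOG)` yields two alerts: a 'change' naming 203.0.113.11 as the IP the new MAC already claims, then a 'flap' when the server's real MAC comes back nine minutes later.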