CN103425940A - Database safety reinforcing method and device - Google Patents

Publication number: CN103425940A
Authority: CN (China)
Prior art keywords: source address, database, database server, port, data access
Legal status: Pending
Application number: CN2013103597698A
Other languages: Chinese (zh)
Inventors: 周祥峰, 苏立, 李宾, 丁锋, 简玮侠, 魏嘉玮
Current assignee: Zhongshan Power Supply Bureau of Guangdong Power Grid Co Ltd
Original assignee: Zhongshan Power Supply Bureau of Guangdong Power Grid Co Ltd
Priority date: 2013-08-16
Filing date: 2013-08-16
Publication date: 2013-12-04

Landscapes

  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a database security hardening method comprising the following steps: an IPsec policy is established and activated on the database server; the port of the database server and the range of source addresses permitted to access the database server are obtained; and the access rights of the database server are set according to the activated IPsec policy, so that clients outside the source address range are forbidden from accessing the port of the database server. The invention also discloses a database security hardening device. The database does not need to be stopped during hardening, so the business system is not affected; the operating steps are simple; if an anomaly occurs after implementation it is easy to troubleshoot; and rollback is very simple, requiring only that the IPsec policy be disabled. Implementation is therefore simple, saves a great deal of labor and time, and carries low risk.

Description

Database security hardening method and device
Technical field
The present invention relates to the field of database security technology, and in particular to a database security hardening method and a database security hardening device.
Background
At present most enterprises, public institutions and government departments have deployed database management systems (DBMS) that provide data storage and query services to their application systems, so the security of these systems is very important. However, many of these DBMS installations were deployed long ago and run old versions, and therefore carry a considerable number of known security vulnerabilities. The traditional remedy is to upgrade the DBMS, or to install patches that fix the vulnerabilities. This requires stopping the database service while the DBMS is upgraded or patched, so the application systems cannot access the database during the work. Upgrading a DBMS is also a complex procedure: after the upgrade the business system may behave abnormally because of compatibility problems, such problems are hard to troubleshoot, and rollback is even more cumbersome and time-consuming. In summary, the traditional approach is complex to implement and carries considerable risk, and database administrators are often reluctant to carry it out.
Summary of the invention
To address the complexity and risk of the traditional database hardening approach, the present invention provides a database security hardening method and a database security hardening device.
A database security hardening method comprises the following steps:
establishing and activating an IPsec policy on the database server;
obtaining the port of the database server and the range of source addresses permitted to access the database server;
setting the access rights of the database server according to the activated IPsec policy, so that clients outside the source address range are forbidden from accessing the port of the database server.
Compared with conventional techniques, the database security hardening method of the present invention makes no change to the programs or associated files of the DBMS; it only filters the service port and source address of the database service at the host level, so that only specific hosts (such as the application servers) can access the database service. The database need not be stopped during hardening, so the business system is not affected; the operating steps are simple; if an anomaly occurs after implementation it can be diagnosed relatively easily; and rollback is also very simple, requiring only that the IPsec policy be disabled. Implementation is therefore simple, saves a great deal of labor and time, and carries little risk. Hardening a database in this way both ensures that legitimate clients can still access the database normally and ensures that all other hosts cannot detect the database service, thereby avoiding the risk posed by database vulnerabilities.
A database security hardening device comprises an activation module, an acquisition module and a setting module;
the activation module is configured to establish and activate an IPsec policy on the database server;
the acquisition module is configured to obtain the port of the database server and the range of source addresses permitted to access the database server;
the setting module is configured to set the access rights of the database server according to the activated IPsec policy, forbidding clients outside the source address range from accessing the port of the database server.
The device has the same advantages over conventional techniques as the method described above: no change to the DBMS, no database downtime, simple operation, easy troubleshooting, and rollback by simply disabling the IPsec policy.
Brief description of the drawings
Fig. 1 is a flow diagram of the database security hardening method of the present invention;
Fig. 2 is a flow diagram of the port and source address matching performed by the database security hardening method of the present invention;
Fig. 3 is a structural diagram of the database security hardening device of the present invention.
Detailed description of the embodiments
To further explain the technical means adopted by the present invention and the effect achieved, the technical solution of the present invention is described clearly and completely below with reference to the drawings and preferred embodiments.
Referring to Fig. 1, which is the flow diagram of the database security hardening method of the present invention, the method comprises the following steps:
S101: establish and activate an IPsec policy on the database server;
S102: obtain the port of the database server and the range of source addresses permitted to access the database server;
S103: set the access rights of the database server according to the activated IPsec policy, forbidding clients outside the source address range from accessing the port of the database server.
In step S101, establishing and activating an IPsec policy on the database server is relatively easy. IPsec is a low-level operating system component, and the mainstream server operating systems, including Windows Server 2003, Windows Server 2008, IBM AIX, HP-UX and Linux, include it by default. The present invention uses the IPsec component supplied with the operating system to harden the database server.
On a database server that supports IPsec, an IPsec policy is created that filters, by source address, the packets addressed to the local database service port (for example 1521 for Oracle or 1433 for MS-SQL): only specific source addresses (such as the IP address of the application server) may access the database service port, and all other addresses are forbidden from accessing the local database service.
Taking the AIX system as an example, running smitty ips4_start activates the IPsec service.
In step S102, the port of the database server is obtained, for example 1521 for Oracle or 1433 for MS-SQL. The following description uses as its example allowing 192.168.0.100 to access port 1521.
In one embodiment, the source address range is an IP address range.
IP addresses identify devices on the network, are universally used, and offer good compatibility.
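Step S102 is where the rollout actually goes wrong in practice: a client that was not on the list is cut off the moment the deny rule is applied. A check a practitioner would want before applying the policy is to compare the hosts currently connected to the database port against the planned allow-list. The script below is an added example, not code from the patent. It assumes the BSD-style layout of netstat -an output used on AIX, in which address and port are joined by a dot (192.168.0.100.49152); the netstat lines and addresses are constructed sample data.

```python
"""Pre-change check for step S102: before a deny rule is added for the
database port, confirm that every client currently connected to that port
falls inside the planned source-address allow-list.

Added example, not code from the patent. The netstat text is a constructed
sample; parsing the 'local.port  foreign.port  STATE' layout is an assumption
about the netstat -an output format of the database server's OS."""
import ipaddress
import re

# Constructed sample of 'netstat -an' output on a database server whose
# own address is 192.168.0.10 and whose listener is on 1521.
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.1521                 *.*                    LISTEN
tcp4       0      0  192.168.0.10.1521      192.168.0.100.49152    ESTABLISHED
tcp4       0      0  192.168.0.10.1521      192.168.0.101.50211    ESTABLISHED
tcp4       0      0  192.168.0.10.1521      10.20.30.40.33000      ESTABLISHED
tcp4       0      0  192.168.0.10.22        172.16.5.9.41022       ESTABLISHED
"""

# 'a.b.c.d.port' -> (address, port); the four-octet address is fixed-width
# so the trailing '.port' is unambiguous.
_ADDR_PORT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\.(\d+)$")


def established_peers(netstat_text, db_port):
    """Return the set of peer IPs with an ESTABLISHED TCP session to db_port."""
    peers = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        # Header and LISTEN lines never end in ESTABLISHED, so they are skipped.
        if len(fields) < 6 or fields[-1] != "ESTABLISHED":
            continue
        m_local = _ADDR_PORT.match(fields[3])
        m_foreign = _ADDR_PORT.match(fields[4])
        if not (m_local and m_foreign):
            continue
        if int(m_local.group(2)) == db_port:
            peers.add(m_foreign.group(1))
    return peers


def check_allow_list(peers, allowed_ranges):
    """Split current peers into those covered by the allow-list (CIDR or
    single host) and those the catch-all deny rule would cut off."""
    nets = [ipaddress.ip_network(r, strict=False) for r in allowed_ranges]
    covered, would_block = set(), set()
    for peer in peers:
        ip = ipaddress.ip_address(peer)
        (covered if any(ip in n for n in nets) else would_block).add(peer)
    return covered, would_block


if __name__ == "__main__":
    peers = established_peers(SAMPLE_NETSTAT, 1521)
    ok, blocked = check_allow_list(peers, ["192.168.0.100/32"])
    print("covered by allow-list:", sorted(ok))
    print("would be cut off by the deny rule:", sorted(blocked))
```

A snapshot only shows the clients connected at that moment; batch jobs and monitoring hosts that connect intermittently will not appear, so the check should be repeated across a business cycle (or the listener's own connection log consulted) before the deny rule is added.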
In step S103, the access rights of the database server are set according to the activated IPsec policy, forbidding clients outside the source address range from accessing the port of the database server.
In one embodiment, after the step of setting the access rights of the database server according to the activated IPsec policy, the following steps are performed:
after the port of the database server receives a data access request, detect whether the source address of the data access request lies within the source address range;
if the source address of the data access request lies within the source address range, allow the request.
A source address within the range identifies a host that is permitted to access the database, so the request is allowed. This guarantees that legitimate clients can access the database and that business operations complete normally.
In one embodiment, after the step of setting the access rights of the database server according to the activated IPsec policy, the following steps are performed:
after the port of the database server receives a data access request, detect whether the source address of the data access request lies within the source address range;
if the source address of the data access request lies outside the source address range, refuse the request.
A source address outside the range identifies a host that is not permitted to access the database, so the request is refused. This ensures that no other host can detect the database service, avoiding the risk posed by database vulnerabilities.
A preferred embodiment, taking the AIX system as an example, illustrates how the present invention hardens a database:
Run smitty ips4_start to activate the IPsec service;
Run smitty ips4_conf_filter and add the following two filter rules (taking as the example allowing 192.168.0.100 to access port 1521; the fields are, in order: rule number, action, source address, source mask, destination address, destination mask, source routing, protocol, source port operation and port, destination port operation and port, scope, direction, logging, fragment control, tunnel ID, interface, expiration time, description):
N permit 192.168.0.100 255.255.255.255 0.0.0.0 0.0.0.0 yes all any 0 eq 1521 both both no all packets 0 all 0 none
M deny 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 yes all any 0 eq 1521 both both no all packets 0 all 0 none
Rule N allows 192.168.0.100 to access local port 1521, and rule M forbids every IP address from accessing local port 1521. Because IPsec filter rules are matched from top to bottom and the first matching rule wins, the rules must be added in this order, with rule number M greater than N: if the deny rule came first it would match the application server's packets too and the permit rule would never be reached.
Once the above IPsec policy has been applied, whenever the database server receives an access request from a client, IPsec matches the port and source address of the connection; the processing flow is shown in Fig. 2.
Referring to Fig. 2, the flow diagram of the port and source address matching performed by the method: when the database server receives a connection request from another host, the IPsec component matches the received packet. If the destination port is the database service port, it checks whether the source address is within the allowed range; if so, the connection is allowed to be established, and if the source address is not in the allowed range, the request is refused.
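The matching flow of Fig. 2, and the rule-ordering point made for rules N and M, can be exercised without an AIX host. The script below is an added example, not code from the patent and not an AIX utility: it reads the one-line rule layout shown above, evaluates constructed connection attempts in rule-number order with first-match semantics, and also generalises the single-host example to CIDR source ranges (the "IP address range" embodiment). The rule numbers 1 and 2 and the database server address 192.168.0.10 are illustrative, and "permit when no rule matches" is this example's assumption about the rest of the filter table.

```python
"""Simulation of the top-down, first-match filter evaluation described for
Fig. 2, applied to the two AIX filter rules from the text.

Added example, not code from the patent and not an AIX tool. Field order is
the one printed in the text: number, action, source address, source mask,
destination address, destination mask, source routing, protocol, source-port
op and port, destination-port op and port, then scope, direction, logging,
fragment control, tunnel ID, interface, expiry and description. Rule numbers
and the 'permit if nothing matches' default are assumptions of this example."""
import ipaddress

# The two rules from the text, with illustrative rule numbers (assumption).
RULES_TEXT = """\
1 permit 192.168.0.100 255.255.255.255 0.0.0.0 0.0.0.0 yes all any 0 eq 1521 both both no all packets 0 all 0 none
2 deny 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 yes all any 0 eq 1521 both both no all packets 0 all 0 none
"""


def parse_rule(line):
    """Parse one rule line into the fields needed for matching."""
    f = line.split()
    return {
        "num": int(f[0]),
        "action": f[1],
        # address + dotted mask -> network object (0.0.0.0/0.0.0.0 means any)
        "src": ipaddress.ip_network(f"{f[2]}/{f[3]}", strict=False),
        "dst": ipaddress.ip_network(f"{f[4]}/{f[5]}", strict=False),
        "proto": f[7],
        "dport_op": f[10],
        "dport": int(f[11]),
    }


def parse_rules(text):
    """Rules are evaluated in ascending rule-number order (M > N in the text)."""
    rules = [parse_rule(l) for l in text.splitlines() if l.strip()]
    return sorted(rules, key=lambda r: r["num"])


# Port comparison operators of the destination-port field.
_PORT_OPS = {
    "any": lambda have, want: True,
    "eq": lambda have, want: have == want,
    "neq": lambda have, want: have != want,
    "lt": lambda have, want: have < want,
    "gt": lambda have, want: have > want,
    "le": lambda have, want: have <= want,
    "ge": lambda have, want: have >= want,
}


def decide(rules, src_ip, dst_ip, dst_port, proto="tcp"):
    """Return (action, rule_number) of the first rule matching the packet,
    or ("permit", None) when no rule matches (assumed default)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if r["proto"] not in ("all", proto):
            continue
        if src not in r["src"] or dst not in r["dst"]:
            continue
        if not _PORT_OPS[r["dport_op"]](dst_port, r["dport"]):
            continue
        return r["action"], r["num"]
    return "permit", None


def build_policy(allowed_ranges, port, first_rule_number=1):
    """Generalisation of the text's single-host example to CIDR ranges: one
    permit line per allowed range, then the catch-all deny, in the order in
    which they must be added (every permit before the deny)."""
    tail = (f"0.0.0.0 0.0.0.0 yes all any 0 eq {port} both both no "
            f"all packets 0 all 0 none")
    lines, n = [], first_rule_number
    for cidr in allowed_ranges:
        net = ipaddress.ip_network(cidr, strict=False)
        lines.append(f"{n} permit {net.network_address} {net.netmask} {tail}")
        n += 1
    lines.append(f"{n} deny 0.0.0.0 0.0.0.0 {tail}")
    return lines


if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    db = "192.168.0.10"  # constructed address of the database server
    print(decide(rules, "192.168.0.100", db, 1521))  # application server: permit
    print(decide(rules, "10.20.30.40", db, 1521))    # any other host: deny
    print(decide(rules, "10.20.30.40", db, 22))      # other ports are untouched
    # The misordering the text warns about: deny evaluated before permit.
    print(decide(list(reversed(rules)), "192.168.0.100", db, 1521))
    for line in build_policy(["192.168.0.0/24", "10.1.2.3/32"], 1433):
        print(line)
```

The reversed-order call is the failure mode to test for before touching production: with the deny rule first, the application server itself is refused, which is exactly the outage the "M greater than N" instruction prevents. Note also that the filter decides on the source address alone; it confines exposure of the database port to the allowed hosts but does not authenticate them.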
Whereas the traditional approach requires a different upgrade for each database type and version, the present invention applies to all database types and versions: only the port of the database service needs to be known. The method does, however, rely on the IPsec component of the operating system, so the operating system of the database server must support IPsec.
Hardening a database with this method therefore both ensures that the application servers can access the database normally and ensures that no other host can detect the database service, so the database vulnerability cannot be exploited by an attacker from those hosts. The vulnerability itself remains in place; the control limits who can reach it, so the hosts in the allowed range must themselves be trusted and protected.
Referring to Fig. 3, the structural diagram of the database security hardening device of the present invention:
the database security hardening device of the present invention comprises an activation module 301, an acquisition module 302 and a setting module 303;
the activation module 301 is configured to establish and activate an IPsec policy on the database server;
the acquisition module 302 is configured to obtain the port of the database server and the range of source addresses permitted to access the database server;
the setting module 303 is configured to set the access rights of the database server according to the activated IPsec policy, forbidding clients outside the source address range from accessing the port of the database server.
In one embodiment, the present invention further comprises a detection module and a control module;
the detection module is configured, after the port of the database server receives a data access request, to detect whether the source address of the data access request lies within the source address range;
the control module is configured to allow the request when the source address of the data access request lies within the source address range.
In one embodiment, the present invention further comprises a detection module and a control module;
the detection module is configured, after the port of the database server receives a data access request, to detect whether the source address of the data access request lies within the source address range;
the control module is configured to refuse the request when the source address of the data access request lies outside the source address range.
In one embodiment, the source address range is an IP address range.
The embodiments above express only several embodiments of the present invention and are described in considerable detail, but they should not be construed as limiting the scope of the patent claims. It should be noted that a person of ordinary skill in the art can make various modifications and improvements without departing from the inventive concept, and all of these fall within the scope of protection of the present invention. The scope of protection of the patent shall therefore be defined by the appended claims.

Claims (8)

1. A database security hardening method, characterized in that it comprises the following steps:
establishing and activating an IPsec policy on the database server;
obtaining the port of the database server and the range of source addresses permitted to access the database server;
setting the access rights of the database server according to the activated IPsec policy, forbidding clients outside the source address range from accessing the port of the database server.
2. The database security hardening method according to claim 1, characterized in that, after the step of setting the access rights of the database server according to the activated IPsec policy, it comprises the following steps:
after the port of the database server receives a data access request, detecting whether the source address of the data access request lies within the source address range;
if the source address of the data access request lies within the source address range, allowing the request.
3. The database security hardening method according to claim 1, characterized in that, after the step of setting the access rights of the database server according to the activated IPsec policy, it comprises the following steps:
after the port of the database server receives a data access request, detecting whether the source address of the data access request lies within the source address range;
if the source address of the data access request lies outside the source address range, refusing the request.
4. The database security hardening method according to claim 1, characterized in that the source address range is an IP address range.
5. A database security hardening device, characterized in that it comprises an activation module, an acquisition module and a setting module;
the activation module is configured to establish and activate an IPsec policy on the database server;
the acquisition module is configured to obtain the port of the database server and the range of source addresses permitted to access the database server;
the setting module is configured to set the access rights of the database server according to the activated IPsec policy, forbidding clients outside the source address range from accessing the port of the database server.
6. The database security hardening device according to claim 5, characterized in that it further comprises a detection module and a control module;
the detection module is configured, after the port of the database server receives a data access request, to detect whether the source address of the data access request lies within the source address range;
the control module is configured to allow the request when the source address of the data access request lies within the source address range.
7. The database security hardening device according to claim 5, characterized in that it further comprises a detection module and a control module;
the detection module is configured, after the port of the database server receives a data access request, to detect whether the source address of the data access request lies within the source address range;
the control module is configured to refuse the request when the source address of the data access request lies outside the source address range.
8. The database security hardening device according to claim 5, characterized in that the source address range is an IP address range.

Priority Applications (1)

Application Number   Priority Date   Filing Date   Title
CN2013103597698A     2013-08-16      2013-08-16    Database safety reinforcing method and device

Publications (1)

Publication Number   Publication Date
CN103425940A         2013-12-04

Family ID: 49650660

Family Applications (1)

Application Number   Status    Priority Date   Filing Date   Title
CN2013103597698A     Pending   2013-08-16      2013-08-16    Database safety reinforcing method and device

Country Status (1)

Country   Link
CN        CN103425940A

Patent Citations (4)

(all cited by examiner)
Publication number   Priority date   Publication date   Assignee   Title
CN101350796A   2008-08-25   2009-01-21   深圳市同方多媒体科技有限公司   Method and system for providing and obtaining internet customization service
CN102474499A   2009-07-10   2012-05-23   瑞典爱立信有限公司   Method for selecting an IPsec policy
CN102045379A   2009-10-15   2011-05-04   杭州华三通信技术有限公司   Method and system for IP storage and storage equipment
CN102724189A   2012-06-06   2012-10-10   杭州华三通信技术有限公司   Method and device for controlling user URL (uniform resource locator) access

Cited By (3)

(all cited by examiner)
Publication number   Priority date   Publication date   Assignee   Title
CN104732149A   2013-12-18   2015-06-24   国家电网公司   Method and device for reinforcing operating system
CN104732149B   2013-12-18   2018-04-06   国家电网公司   Method and device for reinforcing operating system
CN113065161A   2021-04-21   2021-07-02   湖南快乐阳光互动娱乐传媒有限公司   Security control method and device for Redis database


Legal Events

Code   Title
C06    Publication
PB01   Publication
C10    Entry into substantive examination
SE01   Entry into force of request for substantive examination
RJ01   Rejection of invention patent application after publication

Application publication date: 2013-12-04