Security Assistance

ZibingsCoder

This is a post for advice. I am faced with the task of creating a network of affiliate sites that utilize a single database for user information (very basic explanation, it's a bit more complicated, but, this works for now). This is very similar to the network that Yahoo, etc, have created, where you create one login and it is your login across many different websites.

My problem is this. All of these sites will be hosted on the same server/cluster, but not all on the same domain. I am a bit worried about security for accessing the database information (it is a MySQL database). So far, I have come up with using a sort of 'remote procedure call' system that will only allow a third party site to do certain things with the database, thus keeping the access keys for the main database secure (I think.). Security is not one of my best subjects, so I thought I'd see if any of you have some advice/ideas/suggestions for me in this case. I'll be happy to explain the system in more detail if required, but, for now I'll hold off with this.

Thanks in advance. 🙂

twilson

What is your main concern someone will get at or try to do?

Do you have full control over the mySQL server? You can create new logins for mySQL, etc?

Peace,
Tom 🙂

ZibingsCoder

For one thing, we have to make sure that the information included in the main database isn't available to anyone, considering it will be personal information (most notably email addresses, street addresses, phone numbers, and of course...passwords (encrypted though)).

I do have full control over the database system, and let me outline what I've come up with so far.

Different affiliates are created in a table that called entityData. Inside this table is information for each entity, but most importantly a few keys and hostmasks to help in validating data from the entity to the main system.

There is another table called tokenData, which stores access tokens for the RPC's on the main server. Every 15 minutes, the main server will create new tokens, and send data to RPCs placed on the entity servers (which is data stored in the entityData table of course).

The entity RPCs will verify where the information is coming from as best as possible using hostmask and IP information, as well as a few assigned keys which will be changed on occassion by hand.

If the information seems to be coming from the main server, it will decode the encrypted information, and setup a new access token for itself. Once it has completed doing so, it will send a command to yet another RPC on the main server with its identification keys.

The main server's second RPC will verify as best as possible that the data is coming from a valid entity. If so, it will delete the old access tokens (this is in order to make sure that packet loss and other types of lag won't cause hiccups in the service) from being valid. (On a side note, access tokens will only ever remain for 2 full cycles. If an entity fails to update its token with the server, the old token will work for only another 15 minutes before it is removed)

With all of this, the access tokens allow the entity servers to query other RPCs on the main server, which will handle database queries without allowing the entities to actually interact with the database.

I'm very open to ideas here, I need to make sure this is as secure as possible without giving up too much in the way of speed/efficiency. 🙂

drawmack

set the database server up so it will only accept connections from servers within a list of specified IP addresses with a specified, internal, domain name (this domain name must differ significantly from the internet domain name). That should protect the database from unauthorized connections.

ZibingsCoder

I don't want them to have complete access (even if it is only read-access) to the database. I just want them to be able to get this or that which they need.

drawmack

Have you tried looking through these things: http://dev.mysql.com/doc/mysql/search.php?q=access+permissions&lang=en&charset=iso-8859-1

ZibingsCoder

Maybe I'm missing something, but that doesn't seem to allow me to restrict the actual queries I want them to be able to make. Also, it's a bit of a hack for me to be able to create new users for the database the way things are setup.

drawmack

That was just a return on search for access control, here is a more specific link: http://dev.mysql.com/doc/mysql/en/Privilege_system.html

You basically have two choices:

1) Control who can access the server the database resides on, thereby also restricting who can access the database.

2) Control access to the database with the dbms's priviledge system.

For what you actually want to do option 1 is ruled out, though it should still be implemented because it adds another layer to your security on the system, which is always a good thing.

This leaves you with the second option. Basically you're going to have to create different accounts for each user level, not necesarily for each user. As far as I know you can't control the queries they run except by controling the fields and tables they can see/update.

For example if all acounts are made through a central point then only this server needs write access to the entire user table. However if you tracking people through the site then all the domains will need write access to this information.

ZibingsCoder

Yes, but I just told you that I can't easily do that the way the server cluster is setup...

drawmack

Originally posted by ZibingsCoder
Yes, but I just told you that I can't easily do that the way the server cluster is setup...

I don't understand why the cluster setup affects the database access priviledges????

ZibingsCoder

Well, no offense or anything, you don't really need to understand why, just that it does. I'm really just looking for an analysis of the system I have planned to see what possible holes there would be in it. That way, if its too much of a pain to make secure, I'll look into alternative routes for the system.