Two-tier versus three- and multi-tier architectures
A two-tier DBMS architecture is one in which the client connects directly to the database management system. In a three-tier system the client (Client-I) connects to another computer that acts as a server to this client and in turn logs in to the database management system as a client (Client-II). The latter usually runs on a third computer. A two-tier system has the following characteristics:
- Every user must be registered as a DBMS user inside the DBMS and logs in over an interactive connection. For this, the open TCP port of the database server must be reachable from the client. That connection can be used not only by the 'official client program' but also by any other tool available on the operating system, such as ODBC from within Excel, a VBScript, an ADO connection, or the mail-merge function of a word processor. If a DBMS bug is discovered that lets an interactive user escalate their own rights, such an exploit can be used over this connection.
- If the client implements its own checks before saving a record, and these checks depend on conditions the client cannot access directly, then either the rights of the connection must be upgraded or a second, stronger connection is opened. The password needed for this must be available on the client: either it is stored (encrypted) on the client, or the client application was handed it by its own server. In both cases the password exists on the client. If this gap is exploited, everything the stronger connection is permitted to do can be done against the database. If that account holds maximum rights on the database, the database can be manipulated at will.
- If the client writes an additional log entry after changing a record, a hacked client can simply skip this safeguard or, given strong rights, delete the entry afterwards. Logging, or any safeguard, that depends on a cooperative client is worthless. Logging (or a safeguard) is only useful if it cannot be skipped even by a malicious client, and if the user name under whose account the action runs is logged as well.
A three-tier system allows the different access levels to be separated and should have the following characteristics:
- Users work on Client-I and enter a user name and password there. The program used for this passes these data to Client-II, which verifies them over its own dedicated connection to the DBMS by comparing them with rows in application-defined tables. The password for this connection is known only to Client-II, which is separated from Client-I by a firewall, so that attempts to reach other TCP ports on Client-II are not possible. Users are not registered as users inside the DBMS. DBMS bugs that allow rights escalation but require a valid login therefore no longer pose much of a risk, because users are never in a position where they could try such a bug.
- The software on Client-I can be very diverse: a browser, for instance, talks to an internet server acting as Client-II over port 80, and that server makes the data available as HTML pages or as web services. It is crucial that Client-I itself performs no security checks at all, but forwards all information through the firewall to Client-II and is responsible only for the visual presentation of the results.
- The entire business logic of the application (the business rules), which for example distributes the data entered in one form across several tables and stores it, must not run on Client-I. It is true that individual read-only fields may be shown as inactive on Client-I, but this is merely a visual aid. The business logic on Client-II and the stored procedures on the database server must ensure that any values passed for read-only fields are ignored.
- According to the principle of least privilege, the connection from Client-II to the DBMS must have minimal rights. This concerns the question of which rights the DBMS account with which Client-II logs in is equipped with. Within a DBMS there are different levels of rights:
  1. Actions as system administrator with access to all databases, including creating new databases and users.
  2. Actions as database owner: the user may create, modify and delete tables and objects within their database and manage users, but cannot create new databases or other system users.
  3. Actions as DDL admin (Data Definition Language admin): this user may run all SQL commands that create and modify objects (tables, views, stored procedures) in the current database and is thus the owner of these objects. However, they cannot delete the database and do not hold most of the security administration rights.
  4. Actions as Data Reader / Data Writer within a database: such a user cannot create or delete objects and tables, but has read and write access to all tables.
  5. Actions with Select / Insert / Update / Delete rights on individual tables. This limits read or write access to the selected tables. It still allows a user to change all records in a table with a single command, for example so that every person is called 'Horst Maier' or every salary is set to € 12.00. The database is not physically destroyed, but its content has become useless.
  6. Exclusive execution of stored procedures with clearly defined actions. A stored procedure is a piece of code created by the DDL admin; it may comprise several actions, including its own security checks before data is changed, and Client-II receives only the execute permission on it. If the DDL admin owns the tables needed for the additional checks, Client-II can execute the procedure in full even though it has no right of access to the individual tables.
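As an added example (not part of the original text), the following T-SQL shows the difference between the two lowest levels as actual grants for the account Client-II uses: per-table Select/Insert/Update/Delete rights on one side, execute-only rights on stored procedures on the other. The login client2_login, the user client2_user, the table dbo.Artikel and the procedure dbo._insert_Artikel are assumed names; the login is assumed to exist already.

```sql
-- Added example, not from the original text. Names (client2_login,
-- client2_user, dbo.Artikel, dbo._insert_Artikel) are assumptions.

-- Weak setting: per-table DML rights for Client-II's account.
-- With these, a hacked Client-II can rewrite every row of the table
-- with one statement, and nothing on the server records who did it.
Create User client2_user For Login client2_login
Go
Grant Select, Insert, Update, Delete On dbo.Artikel To client2_user
Go

-- Corrected setting: no table rights at all, only EXECUTE on the
-- procedures the application really needs.
Revoke Select, Insert, Update, Delete On dbo.Artikel From client2_user
Go
Grant Execute On Object::dbo._insert_Artikel To client2_user
Go

-- dbo (the DDL admin of the text) owns both the procedure and the table
-- it writes, so SQL Server's ownership chain lets the procedure insert
-- into dbo.Artikel while client2_user itself cannot touch the table.
-- Check the effective rights from Client-II's point of view:
Execute As User = 'client2_user'
Select Has_Perms_By_Name('dbo.Artikel', 'OBJECT', 'INSERT')          As can_insert_table
Select Has_Perms_By_Name('dbo._insert_Artikel', 'OBJECT', 'EXECUTE') As can_exec_proc
Revert
```

Run this as a member of db_owner; the first query reports 0 (no direct table access) and the second 1. Ownership chaining only works while procedure and tables have the same owner and does not extend to dynamic SQL executed inside the procedure, so a procedure that builds statements with sp_executesql would again need table rights for client2_user.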
A small example of the structure of such a procedure:
Code:
    Create Procedure _insert_Artikel
        @str_ArtikelName nvarchar(50),
        @m_ArtikelPreis  money,
        -- takes the place of a proper user name / password:
        -- a random string with which the user identifies
        -- himself for all of the following actions
        @str_lToken      nvarchar(50),
        -- output parameters are returned to the caller
        @i_errDetail     int output,
        @i_Result        int output
    As
    Declare @i_tranc int
    Declare @dt_Now  datetime
    Set @i_tranc = 0
    -- Security:
    -- does @str_lToken carry the right to insert article data?
    -- if not, the check returns -1
    -- (a real implementation uses numeric codes for table / right)
    Set @i_Result = dbo.check_ExecuteRight('Artikel', 'Insert', @str_lToken)
    If (@i_Result = -1)
    -- abort
    Begin
        -- records that the right was denied; the error text
        -- is generated from this code later on
        Set @i_errDetail = 833
        Return
    End
    -- start a transaction if none is running yet
    If (@@TRANCOUNT = 0)
    Begin
        Set @i_tranc = 1
        Begin Transaction
    End
    -- run the actual command sequence
    Insert Into Artikel (ArtikelName, ArtikelPreis)
        Values (@str_ArtikelName, @m_ArtikelPreis)
    If (@@ERROR <> 0)
    Begin
        -- the insert failed: undo our own transaction and report failure
        If (@i_tranc = 1)
            Rollback Transaction
        Set @i_Result = -1
        Return -1
    End
    -- get the new ID
    Set @i_Result = Scope_Identity()
    If (@i_Result > 0)
    Begin
        -- the insert succeeded, so it is logged:
        -- table, row, user and date (EXEC parameters must be
        -- variables, so the timestamp is taken into one first)
        Set @dt_Now = GetDate()
        Execute Write_protocol_Row 'Artikel', @i_Result, @str_lToken, @dt_Now
    End
    If (@i_tranc = 1)
        Commit Transaction
    Return @i_Result
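The procedure above calls two helpers the text does not show, check_ExecuteRight and Write_protocol_Row. The following T-SQL is an added example of how they can be built together with the login step described earlier, where Client-II verifies a user's password against its own tables and then issues the random token that stands in for the credentials. This is not the author's code; the tables dbo.Users, dbo.Sessions, dbo.Rights and dbo.Protokoll, their columns, and the procedure dbo.login_User are assumptions.

```sql
-- Added example, not the author's code. All table and column names
-- (dbo.Users, dbo.Sessions, dbo.Rights, dbo.Protokoll) are assumptions.
-- Everything here is owned by dbo, the DDL admin of the text, so the
-- procedures reach these tables through ownership chaining while
-- Client-II's account holds EXECUTE rights only.

-- Application users: NOT DBMS logins, just rows in a table.
Create Table dbo.Users (
    str_User nvarchar(50)  Not Null Primary Key,
    vb_Salt  varbinary(16) Not Null,
    vb_Hash  varbinary(32) Not Null    -- SHA-256 over salt + password
)
Go
-- Tokens issued after a successful login; they stand in for the password.
Create Table dbo.Sessions (
    str_Token  nvarchar(50) Not Null Primary Key,
    str_User   nvarchar(50) Not Null References dbo.Users(str_User),
    dt_Expires datetime     Not Null
)
Go
-- Which user may perform which action on which table.
Create Table dbo.Rights (
    str_User   nvarchar(50) Not Null References dbo.Users(str_User),
    str_Table  nvarchar(50) Not Null,
    str_Action nvarchar(10) Not Null,  -- 'Select', 'Insert', 'Update', 'Delete'
    Primary Key (str_User, str_Table, str_Action)
)
Go
-- Change log, written only by procedures, never by a client.
Create Table dbo.Protokoll (
    i_Id      int identity(1,1) Primary Key,
    str_Table nvarchar(50) Not Null,
    i_Row     int          Not Null,
    str_User  nvarchar(50) Not Null,
    dt_When   datetime     Not Null
)
Go

-- Login step performed by Client-II on the user's behalf: compare the
-- password with the stored salted hash and hand back a random token.
-- (A deliberately slow password hash computed on Client-II would be
-- stronger; salted SHA-256 keeps the example self-contained.)
Create Procedure dbo.login_User
    @str_User     nvarchar(50),
    @str_Password nvarchar(100),
    @str_lToken   nvarchar(50) output
As
    Set @str_lToken = Null
    If Exists (Select 1 From dbo.Users
               Where str_User = @str_User
                 And vb_Hash = HashBytes('SHA2_256',
                         vb_Salt + Cast(@str_Password As varbinary(200))))
    Begin
        -- 16 random bytes, rendered as 32 hex characters
        Set @str_lToken = Convert(nvarchar(50), Crypt_Gen_Random(16), 2)
        Insert Into dbo.Sessions (str_Token, str_User, dt_Expires)
            Values (@str_lToken, @str_User, DateAdd(minute, 30, GetDate()))
    End
Go

-- Right check used at the start of every data-changing procedure:
-- 0 if the token is valid, unexpired and its user holds the right,
-- -1 otherwise. A missing or forged token fails here as well.
Create Function dbo.check_ExecuteRight
    (@str_Table nvarchar(50), @str_Action nvarchar(10), @str_lToken nvarchar(50))
Returns int
As
Begin
    If Exists (Select 1
               From dbo.Sessions s
               Join dbo.Rights r On r.str_User = s.str_User
               Where s.str_Token  = @str_lToken
                 And s.dt_Expires > GetDate()
                 And r.str_Table  = @str_Table
                 And r.str_Action = @str_Action)
        Return 0
    Return -1
End
Go

-- Log writer: resolves the token to the user name so the log carries
-- the account on whose behalf the action ran, not Client-II's account.
Create Procedure dbo.Write_protocol_Row
    @str_Table nvarchar(50), @i_Row int, @str_lToken nvarchar(50), @dt_When datetime
As
    Insert Into dbo.Protokoll (str_Table, i_Row, str_User, dt_When)
    Select @str_Table, @i_Row, s.str_User, @dt_When
    From dbo.Sessions s
    Where s.str_Token = @str_lToken
Go
```

Client-II's DBMS account is granted EXECUTE on dbo.login_User and on the data-changing procedures only; it never needs rights on dbo.Sessions, dbo.Rights or dbo.Protokoll, which is what makes the log entry impossible to skip or delete from a hacked Client-II. Expired rows in dbo.Sessions should be cleared periodically by a job running under dbo, and a stolen token is only useful until dt_Expires.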
From the point of view of system security, systems are acceptable in which Client-II has access only via stored procedures. If Client-II is hacked so that the attacker has an open connection to the DBMS, they can still only execute these procedures. Since a procedure is normally started by different users over the same connection, it checks at its very beginning whether the user executing it is entitled to this action. If the attacker calls the stored procedure without a valid @str_lToken, it fails already at this check of its own. If, however, the attacker is an internal employee who holds a valid @str_lToken, they can perform no actions other than those already available to them on the interactive screens; they do not succeed in escalating their own rights. On top of that, they would first have to find out the names of all the stored procedures that cause data changes. If the stored procedure logs all changes, this log entry is created even when the procedure is executed under such an attack; a client cannot skip it.
Systems such as MySQL that do not support stored procedures require that all SQL code be generated on Client-II and each request be sent to the DBMS. This needs a connection with Select/Insert/Update/Delete rights on the tables, so that the actions described under (5) above (Select/Insert/Update/Delete on individual tables) become feasible for a hacked Client-II. Logging can only be done by Client-II and can therefore be bypassed as well. Because of the missing stored procedures, these systems are unsuitable for sensible architectures. If the risk of a hacked Client-II appears negligible and the code is secured against SQL injection, their use is justifiable.