The best place for a server is usually with other servers in a dedicated server room.
Preferably it should be a room that is secure and where access is controlled with
well-defined security policies and procedures. These could range from a locked
closet (that only a few chosen people can access and which has the server sitting on
a shelf) to a locked server cage at a large data center (that has raised-floor cooling,
24x7 on-site security, and everything in surplus). There is no one particular location
that is right for every situation, but we need to evaluate ours and make sure our
server is physically protected.
Internal network security
The security of the internal network is related to building security. If our MariaDB
server is located in a locked server closet, then we will likely be accessing it remotely
from our desk. If so, then we need to at least be aware of the security of our internal
network. Some key questions to ask our local network administrator include:
• Is there a firewall in place to prevent outside access to our network?
° If there is, great! If not, suggest that one be added.
• Is there a Wi-Fi network that is directly connected to our internal network, or
is the Wi-Fi sectioned off into its own network?
° If the Wi-Fi network is connected directly to the internal network, see
if that can be changed.
• What type of access, if any, do telecommuting employees have—VPN, SSH,
something else?
° If telecommuting employees are forced into using VPN or SSH to
connect, that is good, as both of those access methods are encrypted.
If the answer is something else, we need to find out if it is secure and
encrypted (if it isn't, we need to complain).
° Are our database users defined with % for the network part or
are they all restricted to localhost or known valid locations and
networks? The % character is the wildcard character and its presence
in the network part of a username means that the user named can
connect from anywhere, which may be convenient, but is not good
from a security standpoint.
• If we are in a large company, do different departments have their own
segregated networks, and if so do they have access to the network the
server is on?
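The question about % in the network part of database users can be answered directly on the server. The following is an added example, not taken from the original text: it lists accounts whose host part contains the wildcard, shows where clients are currently connecting from, and then narrows one account. The account name report_user and the subnet 192.168.1.% are constructed placeholders.

```sql
-- Added example: audit the host part of MariaDB accounts.
-- Run as an administrative user that can read the mysql database.

-- 1. List every account whose host part contains the % wildcard,
--    with accounts open to any host listed first.
SELECT User,
       Host,
       CASE
         WHEN Host = '%' THEN 'any host'
         ELSE 'host pattern'
       END AS host_scope
FROM mysql.user
WHERE LOCATE('%', Host) > 0
ORDER BY (Host = '%') DESC, User, Host;

-- 2. Before narrowing an account, see where its clients connect from
--    right now. PROCESSLIST reports HOST as 'host:port', so the port
--    is stripped to group connections by source host.
SELECT USER,
       SUBSTRING_INDEX(HOST, ':', 1) AS source_host,
       COUNT(*)                      AS connections
FROM information_schema.PROCESSLIST
GROUP BY USER, source_host
ORDER BY USER, source_host;

-- 3. Weak definition: the account can connect from anywhere.
--      'report_user'@'%'            (hypothetical account)
--    Corrected definition: restricted to a known internal network.
--    RENAME USER keeps the account's existing privileges.
RENAME USER 'report_user'@'%' TO 'report_user'@'192.168.1.%';

-- 4. Confirm the privileges now attached to the narrowed account.
SHOW GRANTS FOR 'report_user'@'192.168.1.%';
```

The process list only shows connections open at the moment the query runs, so repeat step 2 over a representative period before deciding which hosts or networks an account really needs.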
 