Introduction to Oracle Security

1
Introduction to Oracle Security

• ?????????
• ? ? ?

2
Know your threats

• Erasing your data
• Changing your data in an undetectable manner
• Reading your data to compromise your
  organizations position
• Destroying your data

3
Internal and External threats

• Internal threats
• Behind your firewall
• Can access your network
• External threats
• Hacker (white hat)
• Cracker (black hat)
• Gray hat

4
Top security myths

• Myth Hackers cause most security breaches.
• In fact, 80 of data loss is to caused by
  insiders.
• Myth Encryption makes your data secure.
• In fact, encryption is only one approach to
  securing data. Security also requires access
  control, data integrity, system availability, and
  auditing.
• Myth Firewalls make your data secure.
• In fact, 40 of Internet break-ins occur in spite
  of a firewall being in place.

5
Who can do what

• Authentication
• The process used to determine that a user is who
  he or she claims to be
• Authorization
• Authorization is based on matching an identity
  with a list of rights, priviliges, or areas of
  access

6
Typical E-Commerce Architecture
7
Dimensions of Data Security
8
Fundamental Data Security Requirements

• Confidentiality
• Integrity
• Availability

9
Confidentiality

• Privacy of Communications
• Secure Storage of Sensitive Data
• Authenticated Users
• Granular Access Control

10
Integrity

• System and object privileges control access to
  application tables and system commands, so that
  only authorized users can change data.
• Referential integrity is the ability to maintain
  valid relationships between values in the
  database, according to rules that have been
  defined.
• A database must be protected against viruses
  designed to corrupt the data.
• The network traffic must be protected from
  deletion, corruption, and eavesdropping.

11
Availability
12
Security Requirements in the Internet Environment

• Promises and Problems of the Internet
• Increased Data Access
• Much More Valuable Data
• Larger User Communities
• Hosted Systems and Exchanges

13
Data Security Risks

• Data Tampering
• Eavesdropping and Data Theft
• Falsifying User Identities
• Password-Related Threats
• Unauthorized Access to Tables and Columns
• Unauthorized Access to Data Rows
• Lack of Accountability
• Complex User Management Requirements

14
A Matrix of Security Risks and Solutions
15
A Matrix of Security Risks and Solutions (Cont)
16
A Matrix of Security Risks and Solutions (Cont)
17
The System Security Team
18
Security Oracle on UNIX

• How the Oracle database runs
• PMON, SMON, DBWR, DBW0, LGWR, RECO, CKPT, ARCH
• Installing Oracle on UNIX
• Create a group named oinstall for installation
• Create an account called oracle to install/own
  the software

19
Oracles recommended groups

• ORA_ALL all users allowed to access the
  ORACLE_HOME directory
• ORADBA users to map to the OSDBA role.
• ORAOPER users to map to OSOPER role.
• ORASTARTUP users who will need to start up an
  instance.
• ORAOWNER users who will have full access to the
  operating system file.

20
Oracles group hierarchy

• ORA_ALL
• ORASTARTUP
• ORAOPER ORAOWNER
• ORADBA

21
Set file permissions

• Change the group of the ORACLE_HOME directory to
  ORA_ALL and set the permission to 750 to
  restricts anyone who has not explicitly been
  added to the ORA_ALL group.
• Change the group of all files and directories
  under ORACLE_HOME to ORAOWNER and set permission
  to 775.
• For the ORACLE_HOME/rdbms/log and audit
  directories, set the permission to 750.
• For the oracle executable file change the group
  to ORASTARTUP and set the permissions to 6710.

22
Advantages gained from the architecture

• Denies access to all users, yet allows you to
  grant limited access to SQLPLUS users
• Provides the ability to name OSDBA and OSOPER
  users who do not have free reign over the file
  system.
• Provides the ability to grant control of files in
  ORACLE_HOME to individual Unix users.
• Prevents users with full control of the
  ORACLE_HOME from deleting audit logs and
  manipulating or viewing the data files.

23
Security of raw device

• A raw device is a partition on the hard drive
  that is not mounted or controlled via the UNIX
  file system.
• Use ls on /dev/rdsk directory to locate your raw
  devices.
• Change permissions on raw devices
• chown oracle /dev/rdsk/dks2d2s3
• chgrp oinstall /dev/rdsk/dks2d2s3
• chmod 700 /dev/rdsk/dks2d2s3
• Use the raw device
• create database TESTDB
• logfile /oracle/dbs/logfile1.f size 100k
• /oracle/dbs/logfile2.f size 100k
• datafile /dev/rdsk/dks2d2s3 size 10000k reuse

24
Firewalls and Oracle

• A firewall is a single point of control on a
  network, used to prevent unauthorized clients
  from reaching the server.
• It acts as a filter, screening out unauthorized
  network users from using the intranet.
• Firewalls are rule-based. They have a list of
  rules that define which clients can connect, and
  which cannot.

25
Firewall Approaches Approach I
26
Approach I Pros and Cons

• Pros
• The setup is simple
• Your internet computers are totally isolated from
  the external computers
• You only require the user of a single firewall
• Cons
• Both web server and database are open to any
  attach
• How to make this model work
• Updating patches and service packs
• Disabling unnecessary services
• Implementing strong passwords

27
Firewall Approaches Approach II
28
Approach II Pros and Cons

• Pros
• The setup is simple
• Low cost of the configuration
• Compare to approach I, the security is much
  tighter
• Cons
• Allowing packets through the firewall into the
  internal network weakens the security

29
Firewall Approaches Approach III
30
Approach III Pros and Cons

• Pros
• Compare to approach II, the security is much
  tighter
• Cons
• Web server remains exposed to attach
• How to make this model work
• Must harden the OS that the web server runs on
• Many security holes are discovered every day

31
Firewall Approaches Approach IV
32
Approach IV

• Pros
• Compare to approach III, the model is more robust
• It limits the ability to spoof and separated
  external machines from internal machines
• Even if the machines in the DMZ (demilitarized
  zone, area between firewalls) are compromised,
  the setup continues to protect the internal
  network from servers in the DMZ.

33
What a firewall does not prevent

• Firewalls cannot protect you from internal
  attacks
• Firewalls cannot stop a hacker who can get around
  your firewall. For instance, by calling into a
  modem on a computer that is connected to your
  internal network
• Firewalls cannot stop a hacker attacking your
  laptop when it is connected to a cable modem at
  employees home
• Firewalls cannot stop virus like Trojan horse
  inside an email.

34
Using Oracle through a firewall

• Firewalls can be implemented in two ways
• Firewalls using Oracle Connection Manager in an
  intranet environment
• Firewalls using Oracle Net Firewall Proxy in an
  internet environment

35
Oracle Connection Manager in an intranet
environment

• It can be configured to grant or deny client
  access to a particular database service or a
  computer, based on the following criteria
• Source host names or IP addresses for clients
• Destination host names or IP addresses for
  servers
• Destination database service names
• Client use of Oracle Advanced Security

36
Intranet Network Access Control with Oracle
Connection Manager
For this configuration to work, clients require
the JDBC Thin driver.
37
Oracle Net Firewall Proxy in an internet
environment

• Oracle Connection Manager functionality is
  offered by some firewall vendors through a
  software component called Oracle Net Firewall
  Proxy.
• A host computer, called an application gateway,
  runs the Oracle Connection Manager software.

38
Internet Network Access Control with an
Application Gateway
39
Ensuring Security in Three-Tier Systems

• Proxy Authentication to Ensure Three-Tier
  Security
• An important security feature for three-tier
  systems is the ability to proxy authenticated
  user identity from a middle tier to the database.
• Java Database Connectivity (JDBC)
• JDBC allows Java programs to send SQL statements
  to an object-relational database such as Oracle.
  JDBC enables a middle tier server to access a
  database on behalf of a client user by
  establishing a lightweight session for the user.
• Java applets can thus transmit data over secure
  channels.
• You can have secure connections from middle tier
  servers with Java Server Pages (JSPs) to the
  database.

40
Overview of Oracle HTTP Server Security

• Oracle HTTP Server
• It comes standard on the Oracle8i and Oracle9i
  database CDs.
• It is a valuable tool for developing CGI or Java
  applications.
• Most of the configuration options required for
  the Oracle HTTP Server are built during the
  Oracle install.
• Oracle HTTP server user Apache as its engine

41
Oracle HTTP server components

• Oracle HTTP Server 1.3.12.0.3a
• Oracle HTTP Server Extensions 9.0.1.0.0
• Oracle Mod PL/SQL Gateway 3.0.9.0.7
• Apache Module for Oracle Servlet Engine 9.0.1.0.0
  
• BC4J Runtime 5.0.0.417.1
• Apache Configuration for Oracle XML Developer's
  Kit
• Oracle eBusiness Management Extensions 9.0.1.0.0
• Oracle HTTP Server Extensions 9.0.1.0.0

42
Steps for Handling URL Requests in Oracle HTTP
Server
43
Oracle web server security

• Ensure the data stream cannot be viewed or
  tampered with by a third party
• You can use SSL protocol to encrypt
• Consider and address authentication and
  authorization to ensure valid users access and
  manipulate the data within the stream
• Host-based access control
• User authentication

44
Oracle HTTP server SSL configuration

• ssl.conf includes the SSL definitions and virtual
  host container.
• It is located at
• UNIX ORACLE_HOME/Apache/Apache/conf
• Windows ORACLE_HOME\Apache\Apache\conf

45
Understanding Host-Based Access Control

• You use the deny, allow, and order directives to
  set this type of access control.
• ltDirectory /internalonly/gt
• order deny, allow
• deny from all
• allow from 192.168.1 us.oracle.com
• lt/Directorygt
• requests originating from any IP address in the
  192.168.1. range or with the host name
  us.oracle.com are allowed access to files in the
  directory /internalonly/

46
Access Control for Virtual Hosts

• IP-based, Name-based
• place the AccessConfig directive inside a virtual
  host container in the server configuration file,
  httpd.conf
• ...
• ltVirtualHost ip.address.of.host.some_domain.comgt
• ... virtual host directives ...
• AccessConfig conf/access.conf
• lt/VirtualHostgt

47
Overview of Host-Based Access Control Schemes

• Controlling Access by IP Address
• Controlling Access by Domain Name
• Controlling Access by Network or Netmask
• Controlling Access with Environment Variables

48
Controlling Access by IP Address

• To configure IP address-based access control, use
  the syntax shown in the following example
• ltDirectory /secure_only/gt
• order deny,allow
• deny from all allow from 207.175.42.154
  192.220.208.9
• lt/Directorygt
• In this example, requests originating from all IP
  addresses except 207.175.42.154 and 192.220.208.9
  are denied access to the /secure_only/ directory.

49
Controlling Access by Domain Name

• To combine domain name-based with IP
  address-based access control, use the syntax
  shown in the following example
• ltDirectory /co_backgr/gt
• order allow,deny
• allow from all
• 141.217.24.179 is the IP for
  malicious.cracker.com
• deny from malicious.cracker.com 141.217.24.179
• lt/Directorygt
• In this example all requests for directory
  /co_backgr/ are accepted except those that
  originate from the domain name malicious.cracker.c
  om or the IP address 141.217.24.179.

50
Controlling Access by Network or Netmask

• You can control access based on subsets of
  networks, specified by IP address.
• ltDirectory /payroll/gt
• order deny,allow
• deny from all allow from 10.1.0.0/255.255.0.0
• lt/Directorygt
• In this example, access is allowed from a
  network/netmask pair.

51
Controlling Access with Environment Variables

• You can use arbitrary environment variables for
  access control
• BrowserMatch Mozilla netscape_browser
• ltDirectory /mozilla-area/gt
• order deny,allow
• deny from all allow from envnetscape_browser
• lt/Directorygt
• In this example, allow access only to requests
  that come from Netscape browsers

52
Overview of User Authentication

• Basic authentication that is based on user name
  and password pairs.
• For Internet communications, SSL, (X.509) is
  usually used for transmitting sensitive
  information such as passwords and authenticating
  users to Web applications and databases.
• Oracle HTTP Server also supports single sign-on,
  which allows users to log in to multiple Web
  applications using a single user name and
  password.

53
Basic Authentication and Authorization with
mod_auth

• Authentication Configuration Directives

54
Using Secure Sockets Layer (SSL) to Authenticate
Users

• mod_ossl is the Oracle Secure Sockets Layer (SSL)
  implementation in use with the Oracle database
• mod_ossl replaces mod_ssl in the Oracle HTTP
  Server distribution.
• A tool is provided to enable you to migrate from
  mod_ssl to mod_ossl, and convert your text
  certificates to Oracle wallets.

55
Differences between mod_ossl and mod_ssl
56
The mod_ssl directives

• SSLRandomSeed
• SSLCertificateFile
• SSLCertificateKeyFile
• SSLCertificateChainFile
• SSLCACertificateFile
• SSLCACertificatePath
• SSLVerifyDepth

57
SSL Secures Internet and Oracle Communications
58
PKI Implementation in Oracle Advanced Security

• Public Key Infrastructure (PKI) approach is an
  emerging means of achieving security and single
  sign-on, adding extra value to the Oracle
  Advanced Security option.
• Components of Oracle Public Key
  Infrastructure-Based Authentication
• PKI Integration and Interoperability

59
Components of Oracle Public Key
Infrastructure-Based Authentication

• Secure Sockets Layer
• Oracle Call Interface
• Trusted Certificates
• X.509 Version 3 Certificates
• Oracle Wallets
• Oracle Wallet Manager
• Oracle Enterprise Login Assistant
• Oracle Internet Directory
• Oracle Enterprise Security Manager

60
Oracle Wallets

• An Oracle wallet is a container in which
  certificates and trusted certificates are stored
  and managed
• There is no need for real time checking with the
  certificate authority.
• These data structures securely store a user
  private key, a user certificate, and a set of
  trusted certificates.

61
Proxy Authentication in a Multi-tier Environment
62
PKI Integration and Interoperability

• PKCS 12 Support
• Wallets Stored in Oracle Internet Ditrcotry
• Multiple Certificate Support
• Strong Wallet Encryption

63
Oracle PKI Implementation Summary

• PKI provides an important security infrastructure
  to a network.
• SSL secures not only Oracle Net, but also other
  protocols such as IIOP (Internet Inter-ORB
  Protocol), giving Oracle the ability to work with
  thin clients and Enterprise JavaBeans (EJB).
• Certificates not only authenticate clients to
  servers, but they also authenticate servers to
  other servers.

64
Public-Key Encryption

• Also called asymmetric encryption
• involves a pair of keys
• a public key
• a private key
• Each public key is published, and the
  corresponding private key is kept secret.
• Based on modular arithmetic

65
How PKI works

• Knapsack problem

66
How PKI works (Cont)

• Create a new Knapsack values(642, 2311, 18)
• X 1 4 6 12 25 51 105 210 421 850
• Yi (Xi 642) 2311
• Y 642 257 1541 771 2184 388 391 782 2206 304
  public key
• Encode and encrypt message with the public key
• An encrypted value 4895 can be derived very
  quickly
• ( 4895 18 ) 2311 gt 292
• 292 1 4 6 12 25 51 105
  210 421 850
• 4895 642 257 1541 771 2184 388 391 782
  2206 304
• 0 0 1 0 1
  1 0 1 0 0

67
Certificate Authorities

• A certificate authority (CA) is a trusted third
  party which certifies that other entities--users,
  databases, administrators, clients, servers--are
  who they say they are.
• A certificate authority might be an external
  company that offers certificate services, or an
  internal organization

68
Certificates

• A certificate is like an electronic passport
  which proves the identity of a user or device
  that seeks to access the network.
• The certificate ensures that the entity's
  information is correct and that the public key
  actually belongs to that entity.
• A certificate is created when an entity's public
  key is signed by a trusted identity (a
  certificate authority).

69
Information kept in a certificate

• the certificate users name
• an expiration date
• a unique serial number assigned to the
  certificate by the CA
• the users public key
• information about the rights and uses associated
  with the certificate
• the name of the certificate authority that issued
  the certificate
• the CAs signature
• an algorithm identifier that identifies which
  algorithm was used to sign the certificate