Security Options in Oracle, the matrix of what's


Security Options in Oracle
The Matrix of What’s Available
Rich Niemiec, TUSC ([email protected])
www.tusc.com
(Thanks to Kevin Loney, Kim Floss, Mary Ann Davidson)
Copyright ©2001 TUSC All Rights Reserved
Presentation
Goals/Non-Goals
• Goals
– Target key security areas
– Target key scripts
– Target the tips that are most useful
• Non-Goals
– Learn ALL aspects of Security
• Will take weeks to months
• Need experience as well
• What you’ll need depends on your system
Overview
• What are you Guarding Against?
• Getting into databases
• Password Protection
• Outside the Application
• Effective Auditing
• Laying the Groundwork for Success
• Biometrics
• Oracle9i Changes
• Summary
• Helpful Scripts (FYI)
What are you guarding against?
• External malice
– Denial of service attacks
– Theft of data
• Internal disclosure
– Source of most attempts
– Particular issue in a poor economy
• A transient workforce adds to the threat level
• Who:
– Disgruntled employees
– Criminals
– Bored college students
– Vendors
– Competitors
– Terrorists
– Curious individuals
Security Breaches on the Rise!
• Company Security Breaches*:
Year   Security Breaches
1999   62%
2000   70%
2001   85%
2002   90%
[Bar chart: Security Breaches by year, 1999–2002, with the values in the table above]
*CSI/FBI Surveys over the past 4 years
CERT Trends
Computer Emergency Response Team (CERT)
• Automation and speed of attack are increasing.
• Attack tools are more sophisticated.
• Attackers are discovering vulnerabilities quicker.
• Firewalls are more permeable.
• Threats from infrastructure attacks are on the rise (such as denial of service and worms).
*CSI/FBI Surveys over the past 4 years
Oracle9i Security Checklist
1. Install only the products you’re using
2. Lock and expire default user accounts
3. Change default passwords & enforce password management
4. Enable dictionary protection
5. Practice the principle of least privilege
6. Enforce access controls effectively
7. Restrict network access
   a. Use a firewall
   b. Don’t poke any holes through the firewall
   c. Prevent listener access (set ADMIN_RESTRICTIONS_listenername=ON)
   d. Allow/deny access based on network IP (tcp.validnode_checking=YES, tcp.excluded_nodes={list the IP’s}, tcp.invited_nodes={list the IP’s})
   e. Encrypt network traffic (Oracle Advanced Security)
   f. Make the O/S more restrictive
8. Apply all Oracle Security Patches – http://metalink.oracle.com and http://otn.oracle.com/deploy/security/alerts.htm
9. Report security issues or vulnerabilities to Oracle: [email protected]
http://otn.oracle.com/deploy/security/oracle9i/pdf/9i_checklist.pdf
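Items 7c and 7d are plain settings in listener.ora and sqlnet.ora, so whether they are actually in place can be verified straight from the files. The script below is an added example, not code from the presentation or from Oracle: it parses a constructed "weak" and a constructed "hardened" pair of files and reports every item 7c/7d setting that is missing. The listener name, hostnames and IP addresses in the samples are made up; only the parameter names come from the checklist.

```python
"""Check Oracle Net configuration for the listener and node-validation
settings in checklist items 7c and 7d.

Added example, not part of the original presentation or Oracle's tooling.
The four sample files are constructed for this demonstration; only the
parameter names come from the checklist."""

import re
from typing import Dict, List

# Constructed sample: remote listener administration still allowed, and a
# sqlnet.ora with no node validation configured at all.
WEAK_LISTENER_ORA = """
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example.invalid)(PORT = 1521))
    )
  )
"""
WEAK_SQLNET_ORA = """
NAMES.DIRECTORY_PATH = (TNSNAMES, HOSTNAME)
"""

# Constructed sample: the same files after applying items 7c and 7d.
HARDENED_LISTENER_ORA = WEAK_LISTENER_ORA + "ADMIN_RESTRICTIONS_LISTENER = ON\n"
HARDENED_SQLNET_ORA = WEAK_SQLNET_ORA + """
tcp.validnode_checking = YES
tcp.invited_nodes = (10.0.0.5, 10.0.0.6, appserver.example.invalid)
tcp.excluded_nodes = (10.0.9.9)
"""

# Flat "KEY = VALUE" lines; nested (DESCRIPTION ...) trees are skipped because
# every parameter checked here is flat.
_PARAM_RE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=\s*(\S.*?)\s*$")
# A bare "NAME =" line opens a listener definition (SID_LIST_* blocks excluded).
_LISTENER_RE = re.compile(r"^\s*(?!SID_LIST_)([A-Za-z0-9_]+)\s*=\s*$", re.MULTILINE)


def parse_params(text: str) -> Dict[str, str]:
    """Return top-level settings with upper-cased keys; '#' starts a comment."""
    params: Dict[str, str] = {}
    for line in text.splitlines():
        m = _PARAM_RE.match(line.split("#", 1)[0])
        if m:
            params[m.group(1).upper()] = m.group(2)
    return params


def parse_node_list(value: str) -> List[str]:
    """Turn '(a, b, c)' or 'a,b' into ['a', 'b', 'c']; '' gives []."""
    return [n.strip() for n in value.strip("() ").split(",") if n.strip()]


def listener_names(listener_ora: str) -> List[str]:
    """Names of the listeners defined in a listener.ora."""
    return _LISTENER_RE.findall(listener_ora)


def check_listener(listener_ora: str) -> List[str]:
    """Item 7c: every listener needs ADMIN_RESTRICTIONS_<name> = ON."""
    params = parse_params(listener_ora)
    findings = []
    for name in listener_names(listener_ora):
        key = f"ADMIN_RESTRICTIONS_{name}"
        if params.get(key, "OFF").upper() != "ON":
            findings.append(f"{key} is not ON: runtime listener changes are not blocked")
    return findings


def check_sqlnet(sqlnet_ora: str) -> List[str]:
    """Item 7d: node validation must be switched on and have a node list."""
    params = parse_params(sqlnet_ora)
    findings = []
    if params.get("TCP.VALIDNODE_CHECKING", "NO").upper() != "YES":
        findings.append("tcp.validnode_checking is not YES: node lists are ignored")
    invited = parse_node_list(params.get("TCP.INVITED_NODES", ""))
    excluded = parse_node_list(params.get("TCP.EXCLUDED_NODES", ""))
    if not invited and not excluded:
        findings.append("no tcp.invited_nodes or tcp.excluded_nodes configured")
    overlap = sorted(set(invited) & set(excluded))
    if overlap:
        findings.append("nodes both invited and excluded: " + ", ".join(overlap))
    return findings


def audit(listener_ora: str, sqlnet_ora: str) -> List[str]:
    """All item 7c/7d findings for one Oracle Net configuration."""
    return check_listener(listener_ora) + check_sqlnet(sqlnet_ora)


if __name__ == "__main__":
    for label, lsnr, sqlnet in (("weak", WEAK_LISTENER_ORA, WEAK_SQLNET_ORA),
                                ("hardened", HARDENED_LISTENER_ORA, HARDENED_SQLNET_ORA)):
        print(label, "->", audit(lsnr, sqlnet) or ["no findings"])
```

Point the two functions at the real files under $ORACLE_HOME/network/admin to run this against a live configuration. The script covers only 7c and 7d; items 7a, 7b, 7e and 7f (firewall, network encryption, O/S hardening) are not visible in these two files and need their own checks.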
Oracle Security Alerts
Username/Password
http://otn.oracle.com/deploy/security/pdf/webdb_bugpost.pdf: “If customers grant public access to PL/SQL procedures, in particular … OWA, SYS & DBMS … it may be possible to invoke through a URL and cause SQL statements to be executed on back-end Oracle database."
http://www.sans.org/top20/#index
Preventing attacks
• Protect every copy of the data!
• Restrict access to backups
– Establish procedures and access logs
• Restrict copying sensitive data to Development
and Test databases
• Restrict database links into Production
• Restrict physical access to the hardware
• Restrict physical access to the network
• Protect and dispose of hardware appropriately
Common open doors
• SYS/change_on_install
• SYSTEM/manager
• WEBDB/webdb
– Full DBA access, factory settings
• Demo developer accounts
– SCOTT/tiger, ADAMS/wood, JONES/steel, BLAKE/paper, CLARK/cloth
• CTXSYS/ctxsys - used by interMedia Text servers
• TRACESVR/trace - supports Oracle Trace
• Others: ORDSYS, OUTLN, MDSYS, MTSSYS
• Third Party Application Providers!
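Checklist items 2 and 3 are about exactly these accounts. The script below is an added example, not code from the presentation or from Oracle: it reads a constructed extract of DBA_USERS, reports which of the slide's default accounts are still open, and writes the ALTER USER statements a DBA would run to lock and expire them. For SYS and SYSTEM, which cannot be locked without breaking administration, it emits a password change with a clearly marked placeholder instead of a lock. The account list is the slide's; the usernames APP_OWNER and REPORTS in the sample are made up.

```python
"""Find default Oracle accounts that are still open and generate the
lock-and-expire statements the checklist asks for (items 2 and 3).

Added example, not part of the original presentation or Oracle's tooling.
The account names are the ones on the "Common open doors" slide; the
DBA_USERS extract is a constructed sample, not output from a real database."""

import csv
import io
from typing import Dict, List

# Accounts the slide lists as shipped with well-known passwords.
DEFAULT_ACCOUNTS = frozenset({
    "SYS", "SYSTEM", "WEBDB",
    "SCOTT", "ADAMS", "JONES", "BLAKE", "CLARK",
    "CTXSYS", "TRACESVR", "ORDSYS", "OUTLN", "MDSYS", "MTSSYS",
})

# Locking SYS or SYSTEM would break administration, so for them the
# remediation is a password change (item 3) rather than a lock (item 2).
ADMIN_ACCOUNTS = frozenset({"SYS", "SYSTEM"})

# Constructed sample resembling:  SELECT username, account_status FROM dba_users;
SAMPLE_DBA_USERS = """\
USERNAME,ACCOUNT_STATUS
SYS,OPEN
SYSTEM,OPEN
SCOTT,OPEN
OUTLN,OPEN
CTXSYS,EXPIRED & LOCKED
MDSYS,LOCKED
APP_OWNER,OPEN
REPORTS,OPEN
"""


def parse_dba_users(export: str) -> Dict[str, str]:
    """Map USERNAME -> ACCOUNT_STATUS from a CSV export of DBA_USERS."""
    reader = csv.DictReader(io.StringIO(export))
    return {row["USERNAME"].strip().upper(): row["ACCOUNT_STATUS"].strip().upper()
            for row in reader}


def is_locked(status: str) -> bool:
    """Statuses containing LOCKED (LOCKED, EXPIRED & LOCKED, LOCKED(TIMED)) are
    closed doors; OPEN, EXPIRED and EXPIRED(GRACE) can still be logged into."""
    return "LOCKED" in status.upper()


def find_open_defaults(users: Dict[str, str]) -> List[str]:
    """Default accounts present in this database and not locked, sorted."""
    return sorted(u for u, status in users.items()
                  if u in DEFAULT_ACCOUNTS and not is_locked(status))


def remediation_sql(users: Dict[str, str]) -> List[str]:
    """One ALTER USER statement per open default account.

    The password in the SYS/SYSTEM statements is a placeholder for the DBA
    to replace; this script never chooses or stores a real password."""
    statements = []
    for user in find_open_defaults(users):
        if user in ADMIN_ACCOUNTS:
            statements.append(
                f'ALTER USER {user} IDENTIFIED BY "<REPLACE_WITH_NEW_PASSWORD>";')
        else:
            statements.append(f"ALTER USER {user} ACCOUNT LOCK PASSWORD EXPIRE;")
    return statements


if __name__ == "__main__":
    users = parse_dba_users(SAMPLE_DBA_USERS)
    print("Open default accounts:", find_open_defaults(users))
    print("\n".join(remediation_sql(users)))
```

Feed it the output of the SELECT shown in the comment, saved as CSV. Note that APP_OWNER and REPORTS pass untouched: the script only knows the accounts on the slide, so the third-party application accounts the last bullet warns about need a site-specific list added to DEFAULT_ACCOUNTS.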
Main Options
• Basic login/password protection with locking
• Roles – a group of privileges for use with groups
• Data encryption for storage in the database
• Auditing at the statement, user or record level
• Encryption of data sent over the wire between client and server
• Oracle utilizes SSL from browser to application server
• Oracle performs checksumming to ensure that the data sent was not tampered with on the way
• Virtual Private Databases to give a customer or B2B partner access only to their own data
• Oracle Label Security allows record-level security, with each label carrying the privileges required to access it
Advanced options
• RADIUS (Remote Access Dial-In User Service)
– Secures remote access to the network.
– Industry standard.
– ORACLE RADIUS is an Oracle implementation of RADIUS that allows the Oracle database to provide authentication and authorization (serving as the proxy to the RADIUS server).
– This is often used with smart cards and biometrics.
Advanced options
1. A user logs in by entering a connect string, passcode, or other value. The client system passes this data to the Oracle database server.
2. The Oracle database server, acting as the RADIUS client, passes the data from the Oracle client to the RADIUS server.
3. The RADIUS server passes the data to the appropriate authentication server, such as Smart Card or SecurID ACE, for validation.
4. The authentication server sends either an Access Accept or an Access Reject message back to the RADIUS server.
5. The RADIUS server passes this response to the Oracle database server / RADIUS client.
6. The Oracle database server / RADIUS client passes the response back to the Oracle client.
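The six steps above can be walked through in code. What follows is an added example, not Oracle's or any vendor's implementation: an Oracle client login is relayed by the database (as RADIUS client) to a RADIUS server, which consults a stand-in for the Smart Card/SecurID ACE server and returns Access-Accept or Access-Reject along the same path. It goes one step beyond the slide by hiding the passcode in step 2 with the RFC 2865 User-Password scheme (MD5 over the shared secret and a fresh request authenticator, XORed block by block), which is what keeps the RADIUS client from sending the passcode in clear. The shared secret, user table and passcodes are constructed.

```python
"""Walk through the six-step RADIUS exchange on the slide: Oracle client ->
Oracle database server (RADIUS client) -> RADIUS server -> authentication
server -> Access-Accept/Access-Reject back along the same path.

Added example, not Oracle's or any vendor's code. Shared secret, user table
and passcodes are constructed. The passcode is hidden with the RFC 2865
User-Password scheme so step 2 never carries it in clear."""

import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict

SHARED_SECRET = b"constructed-radius-secret"   # known to RADIUS client and server only


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded with the authenticator."""
    if len(authenticator) != 16:
        raise ValueError("request authenticator must be 16 bytes")
    if len(password) > 128:
        raise ValueError("RFC 2865 limits User-Password to 128 bytes")
    padded = password + b"\x00" * ((-len(password) % 16) or (16 if not password else 0))
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden, prev = hidden + block, block
    return hidden


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server performs it. Trailing
    NUL padding is stripped, so passwords ending in NUL bytes are not supported."""
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return plain.rstrip(b"\x00")


@dataclass
class AccessRequest:
    """Step 2 message from the RADIUS client to the RADIUS server."""
    username: str
    authenticator: bytes      # 16 random bytes, fresh for every request
    hidden_password: bytes


class AuthenticationServer:
    """Steps 3/4: stands in for the Smart Card or SecurID ACE server; a
    constructed passcode table replaces a real token-verification back end."""
    def __init__(self, passcodes: Dict[str, bytes]):
        self._passcodes = passcodes

    def validate(self, username: str, passcode: bytes) -> bool:
        expected = self._passcodes.get(username)
        return expected is not None and hmac.compare_digest(expected, passcode)


class RadiusServer:
    """Steps 3-5: recovers the passcode, asks the authentication server and
    returns Access-Accept or Access-Reject to the RADIUS client."""
    def __init__(self, secret: bytes, backend: AuthenticationServer):
        self._secret, self._backend = secret, backend

    def handle(self, request: AccessRequest) -> str:
        passcode = reveal_password(request.hidden_password, self._secret, request.authenticator)
        ok = self._backend.validate(request.username, passcode)
        return "Access-Accept" if ok else "Access-Reject"


class OracleDatabaseServer:
    """Steps 1, 2 and 6: the database acts as RADIUS client for the Oracle
    client's login attempt and relays the verdict back to it."""
    def __init__(self, secret: bytes, radius: RadiusServer):
        self._secret, self._radius = secret, radius

    def login(self, username: str, passcode: bytes) -> bool:
        authenticator = os.urandom(16)
        request = AccessRequest(username, authenticator,
                                hide_password(passcode, self._secret, authenticator))
        return self._radius.handle(request) == "Access-Accept"


def build_demo() -> OracleDatabaseServer:
    """Wire the three parties together with a constructed user table."""
    auth = AuthenticationServer({"rich": b"1234-567890"})   # constructed test user
    return OracleDatabaseServer(SHARED_SECRET, RadiusServer(SHARED_SECRET, auth))


if __name__ == "__main__":
    db = build_demo()
    print("correct passcode ->", db.login("rich", b"1234-567890"))
    print("wrong passcode   ->", db.login("rich", b"wrong"))
```

The point of the relay is visible in the code: the Oracle database never sees a verdict other than Accept or Reject and never holds the user table, and the RADIUS server never sees the passcode in clear on the wire. A fresh authenticator per request is what makes identical passcodes produce different hidden values across logins.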
Security Requirements
• Privacy & integrity of communications – Encryption (RC4, DES, MD5, etc.)
• Strong user authentication – X.509v3 certificates, smart cards, biometrics
• Access control – Fine-grained access control policies
• User account management – LDAP directory integration
• Flexibility & cost avoidance – Security standards (FIPS 140, Common Criteria)
• Accountability – Comprehensive, granular auditing
Biometrics
www.biometrics.org
Fingerprint Scanning
www.identix.com
• One of the fastest scans available.
• Currently in use as a method to log into the system without remembering a password.
• Disallows multiple logins.
• Saves money on forgotten-password help desk time.
• Best to have a two-part authorization which includes both the password and the finger scan.
• www.finger-scan.com
Hand Scanning
• www.peninsulatime.com
• An excellent use for this is time clocks.
• Ensures that the employee is physically present.
• Many time clocks allow for easy integration with the database.
• www.hand-scan.com
Face Scanning
• www.identix.com
• This was used at the Super Bowl (Viisage).
• Much more complex than finger/hand scans.
• Based on MIT “eigenfaces” technology.
• It’s non-intrusive, but faces can have multiple expressions due to coughing, breathing, blinking, talking and other gestures. Yet, currently, this can be accomplished in seconds.
• www.facial-scan.com
• The main providers are:
– Visionics (www.visionics.com) - merged with Identix
– Viisage (www.viisage.com)
Retinal Scanning
• This was the type of (fictitious) scan in the
movie Minority Report.
• This type of scan is available currently.
• The blood vessels in the back of the eye are
scanned.
• www.retina-scan.com
Iris Scanning
• This is less intrusive than retinal scans.
• It scans the iris (colored part) of the eye.
• www.iris-scan.com
• www.accessexcellence.org
Other Types of Biometrics
• Voice Scanning
• Signature Scanning
• Smart Card
• Gesture Recognition
Put a Basic Plan Together
(CERT has detailed plans)
1. Vulnerability Analysis – Identify systems that might be a target of an infrastructure attack: create a vulnerability analysis (with periodic updates). Determine the minimal infrastructure.
2. Remedial Plan – Based on the vulnerability analysis, create a remedial plan with timelines for implementing it as well as responsibilities and funding.
3. Warning – Immediately establish a department to warn of significant attacks and enhance the system for detecting and analyzing attacks.
4. Response – Have a team identified to respond by isolating the problem, minimizing the damage and ensuring survivability.
From Security to Survivability
Computer Emergency Response Team (CERT)
• Resistance to repel attacks.
• Recognition of attacks and the extent of damage.
• Recovery of essential services during attacks and full services after an attack.
• Survivability should involve solutions that can transcend the system itself.
Summary
• What are you Guarding Against?
• Getting into databases
• Password Protection
• Outside the Application
• Effective Auditing
• Laying the Groundwork for Success
• Helpful Scripts
• Oracle9i Changes
• Summary
References
www.tusc.com
www.cert.org
www.finger-scan.org
www.retina-scan.org
www.face-scan.org
www.oracle.com
www.biometrics.org
www.hand-scan.org
www.iris-scan.org
www.sans.org
Practical ways to secure your corporate information, Donald Shepard, Oracle Corp., www.poug.org
Secure configuration guide for Oracle9iR2; Oracle, June 2002
Oracle gurus: Mary Ann Davidson, Kristy Browder and Sudhayer
Neither TUSC, Oracle, IOUG nor the author guarantee this document to be
error-free. Please provide comments and/or questions to [email protected].
Contact Information
Rich Niemiec: [email protected]
This presentation will be available on the
TUSC Web Site
www.tusc.com
(800) 755-TUSC