Introduction to Oracle Security

中原大學應用數學系劉 立 民

Know your threats

Erasing your data Changing your data in an

undetectable manner Reading your data to compromise

your organization’s position Destroying your data

Internal and External threats

Internal threats Behind your firewall Can access your network

External threats Hacker (white hat) Cracker (black hat) Gray hat

Top security myths Myth: Hackers cause most security

breaches. In fact, 80% of data loss is to caused by insiders.

Myth: Encryption makes your data secure. In fact, encryption is only one approach to

securing data. Security also requires access control, data integrity, system availability, and auditing.

Myth: Firewalls make your data secure. In fact, 40% of Internet break-ins occur in spite

of a firewall being in place.

Who can do what

Authentication The process used to determine that a

user is who he or she claims to be Authorization

Authorization is based on matching an identity with a list of rights, priviliges, or areas of access

Typical E-Commerce Architecture

Dimensions of Data Security

Fundamental Data Security Requirements

Confidentiality

Integrity

Availability

Confidentiality

Privacy of Communications Secure Storage of Sensitive Data Authenticated Users Granular Access Control

Integrity System and object privileges control access

to application tables and system commands, so that only authorized users can change data.

Referential integrity is the ability to maintain valid relationships between values in the database, according to rules that have been defined.

A database must be protected against viruses designed to corrupt the data.

The network traffic must be protected from deletion, corruption, and eavesdropping.

Availability

Security Requirements in the Internet Environment

Promises and Problems of the Internet

Increased Data Access Much More Valuable Data Larger User Communities Hosted Systems and Exchanges

Data Security Risks Data Tampering Eavesdropping and Data Theft Falsifying User Identities Password-Related Threats Unauthorized Access to Tables and

Columns Unauthorized Access to Data Rows Lack of Accountability Complex User Management Requirements

A Matrix of Security Risks and Solutions

A Matrix of Security Risks and Solutions (Con’t)

A Matrix of Security Risks and Solutions (Con’t)

The System Security Team

Security Oracle on UNIX

How the Oracle database runs PMON, SMON, DBWR, DBW0, LGWR,

RECO, CKPT, ARCH Installing Oracle on UNIX

Create a group named oinstall for installation

Create an account called oracle to install/own the software

Oracle’s recommended groups ORA_ALL: all users allowed to access the

ORACLE_HOME directory ORADBA: users to map to the OSDBA role. ORAOPER: users to map to OSOPER role. ORASTARTUP: users who will need to start

up an instance. ORAOWNER: users who will have full

access to the operating system file.

Oracle’s group hierarchy

ORA_ALL

ORASTARTUP

ORAOPER ORAOWNER

ORADBA

Set file permissions Change the group of the ORACLE_HOME

directory to ORA_ALL and set the permission to 750 to restricts anyone who has not explicitly been added to the ORA_ALL group.

Change the group of all files and directories under ORACLE_HOME to ORAOWNER and set permission to 775.

For the ORACLE_HOME/rdbms/log and audit directories, set the permission to 750.

For the oracle executable file change the group to ORASTARTUP and set the permissions to 6710.

Advantages gained from the architecture Denies access to all users, yet allows you

to grant limited access to SQL*PLUS users Provides the ability to name OSDBA and

OSOPER users who do not have free reign over the file system.

Provides the ability to grant control of files in ORACLE_HOME to individual Unix users.

Prevents users with full control of the ORACLE_HOME from deleting audit logs and manipulating or viewing the data files.

Security of raw device A raw device is a partition on the hard drive that

is not mounted or controlled via the UNIX file system.

Use ls on /dev/rdsk directory to locate your raw devices.

Change permissions on raw devices#chown oracle /dev/rdsk/dks2d2s3#chgrp oinstall /dev/rdsk/dks2d2s3#chmod 700 /dev/rdsk/dks2d2s3

Use the raw devicecreate database TESTDBlogfile ‘/oracle/dbs/logfile1.f’ size 100k

‘/oracle/dbs/logfile2.f’ size 100kdatafile ‘/dev/rdsk/dks2d2s3’ size 10000k reuse;

Firewalls and Oracle A firewall is a single point of control on a

network, used to prevent unauthorized clients from reaching the server.

It acts as a filter, screening out unauthorized network users from using the intranet.

Firewalls are rule-based. They have a list of rules that define which clients can connect, and which cannot.

Firewall Approaches – Approach I

Approach I – Pros and Cons Pros

The setup is simple Your internet computers are totally isolated from the

external computers You only require the user of a single firewall

Cons Both web server and database are open to any

attach How to make this model work

Updating patches and service packs Disabling unnecessary services Implementing strong passwords

Firewall Approaches – Approach II

Approach II – Pros and Cons

Pros The setup is simple Low cost of the configuration Compare to approach I, the security is

much tighter Cons

Allowing packets through the firewall into the internal network weakens the security

Firewall Approaches – Approach III

Approach III – Pros and Cons Pros

Compare to approach II, the security is much tighter

Cons Web server remains exposed to attach

How to make this model work Must harden the OS that the web server runs

on Many security holes are discovered every day

Firewall Approaches – Approach IV

Approach IV Pros

Compare to approach III, the model is more robust

It limits the ability to spoof and separated external machines from internal machines

Even if the machines in the DMZ (demilitarized zone, area between firewalls) are compromised, the setup continues to protect the internal network from servers in the DMZ.

What a firewall does not prevent Firewalls cannot protect you from internal

attacks Firewalls cannot stop a hacker who can

get around your firewall. For instance, by calling into a modem on a computer that is connected to your internal network

Firewalls cannot stop a hacker attacking your laptop when it is connected to a cable modem at employee’s home

Firewalls cannot stop virus like Trojan horse inside an email.

Using Oracle through a firewall

Firewalls can be implemented in two ways Firewalls using Oracle Connection

Manager in an intranet environment Firewalls using Oracle Net Firewall

Proxy in an internet environment

Oracle Connection Manager in an intranet environment It can be configured to grant or deny

client access to a particular database service or a computer, based on the following criteria: Source host names or IP addresses for clients Destination host names or IP addresses for

servers Destination database service names Client use of Oracle Advanced Security

Intranet Network Access Control with Oracle Connection Manager

For this configuration to work, clients require the JDBC Thin driver.

Oracle Net Firewall Proxy in an internet environment

Oracle Connection Manager functionality is offered by some firewall vendors through a software component called Oracle Net Firewall Proxy.

A host computer, called an application gateway, runs the Oracle Connection Manager software.

Internet Network Access Control with an Application Gateway

Ensuring Security in Three-Tier Systems Proxy Authentication to Ensure Three-Tier

Security An important security feature for three-tier systems is

the ability to proxy authenticated user identity from a middle tier to the database.

Java Database Connectivity (JDBC) JDBC allows Java programs to send SQL statements to

an object-relational database such as Oracle. JDBC enables a middle tier server to access a database on behalf of a client user by establishing a lightweight session for the user.

Java applets can thus transmit data over secure channels.

You can have secure connections from middle tier servers with Java Server Pages (JSPs) to the database.

Overview of Oracle HTTP Server Security Oracle HTTP Server

It comes standard on the Oracle8i and Oracle9i database CDs.

It is a valuable tool for developing CGI or Java applications.

Most of the configuration options required for the Oracle HTTP Server are built during the Oracle install.

Oracle HTTP server user Apache as its engine

Oracle HTTP server components

Oracle HTTP Server 1.3.12.0.3a Oracle HTTP Server Extensions 9.0.1.0.0 Oracle Mod PL/SQL Gateway 3.0.9.0.7 Apache Module for Oracle Servlet Engine 9.0.1.0.0 BC4J Runtime 5.0.0.417.1 Apache Configuration for Oracle XML Developer's Kit Oracle eBusiness Management Extensions 9.0.1.0.0 Oracle HTTP Server Extensions 9.0.1.0.0

Steps for Handling URL Requests in Oracle HTTP Server

Oracle web server security Ensure the data stream cannot be viewed

or tampered with by a third party You can use SSL protocol to encrypt

Consider and address authentication and authorization to ensure valid users access and manipulate the data within the stream Host-based access control

User authentication

Oracle HTTP server SSL configuration

ssl.conf includes the SSL definitions and virtual host container.

It is located at: UNIX: ORACLE_HOME/Apache/Apache/conf Windows: ORACLE_HOME\Apache\Apache\

conf

Understanding Host-Based Access Control You use the deny, allow, and order

directives to set this type of access control.

<Directory /internalonly/> order deny, allow deny from all allow from 192.168.1 us.oracle.com</Directory>

requests originating from any IP address in the 192.168.1.* range or with the host name us.oracle.com are allowed access to files in the directory /internalonly/

Access Control for Virtual Hosts

IP-based, Name-based place the AccessConfig directive

inside a virtual host container in the server configuration file, httpd.conf ... <VirtualHost ip.address.of.host.some_domain.com> ... virtual host directives ... AccessConfig conf/access.conf </VirtualHost>

Overview of Host-Based Access Control Schemes

Controlling Access by IP Address Controlling Access by Domain

Name Controlling Access by Network or

Netmask Controlling Access with

Environment Variables

Controlling Access by IP Address

To configure IP address-based access control, use the syntax shown in the following example: <Directory /secure_only/> order deny,allow deny from all allow from 207.175.42.154 192.220.208.9 </Directory>

In this example, requests originating from all IP addresses except 207.175.42.154 and 192.220.208.9 are denied access to the /secure_only/ directory.

Controlling Access by Domain Name

To combine domain name-based with IP address-based access control, use the syntax shown in the following example: <Directory /co_backgr/> order allow,deny allow from all # 141.217.24.179 is the IP for malicious.cracker.com deny from malicious.cracker.com 141.217.24.179 </Directory>

In this example all requests for directory /co_backgr/ are accepted except those that originate from the domain name malicious.cracker.com or the IP address 141.217.24.179.

Controlling Access by Network or Netmask

You can control access based on subsets of networks, specified by IP address. <Directory /payroll/> order deny,allow deny from all allow from 10.1.0.0/255.255.0.0 </Directory>

In this example, access is allowed from a network/netmask pair.

Controlling Access with Environment Variables

You can use arbitrary environment variables for access control BrowserMatch ^Mozilla netscape_browser<Directory /mozilla-area/>

order deny,allow deny from all allow from env=netscape_browser

</Directory>

In this example, allow access only to requests that come from Netscape browsers

Overview of User Authentication Basic authentication that is based on

user name and password pairs. For Internet communications, SSL,

(X.509) is usually used for transmitting sensitive information such as passwords and authenticating users to Web applications and databases.

Oracle HTTP Server also supports single sign-on, which allows users to log in to multiple Web applications using a single user name and password.

Basic Authentication and Authorization with mod_auth Authentication Configuration Directives

Using Secure Sockets Layer (SSL) to Authenticate Users

mod_ossl is the Oracle Secure Sockets Layer (SSL) implementation in use with the Oracle database

mod_ossl replaces mod_ssl in the Oracle HTTP Server distribution.

A tool is provided to enable you to migrate from mod_ssl to mod_ossl, and convert your text certificates to Oracle wallets.

Differences between mod_ossl and mod_ssl

The mod_ssl directives

SSLRandomSeed SSLCertificateFile SSLCertificateKeyFile SSLCertificateChainFile SSLCACertificateFile SSLCACertificatePath SSLVerifyDepth

SSL Secures Internet and Oracle Communications

PKI Implementation in Oracle Advanced Security

Public Key Infrastructure (PKI) approach is an emerging means of achieving security and single sign-on, adding extra value to the Oracle Advanced Security option. Components of Oracle Public Key

Infrastructure-Based Authentication PKI Integration and Interoperability

Components of Oracle Public Key Infrastructure-Based Authentication

Secure Sockets Layer Oracle Call Interface Trusted Certificates X.509 Version 3 Certificates Oracle Wallets Oracle Wallet Manager Oracle Enterprise Login Assistant Oracle Internet Directory Oracle Enterprise Security Manager

Oracle Wallets An Oracle wallet is a container in which

certificates and trusted certificates are stored and managed

There is no need for real time checking with the certificate authority.

These data structures securely store a user private key, a user certificate, and a set of trusted certificates.

Proxy Authentication in a Multi-tier Environment

PKI Integration and Interoperability

PKCS #12 Support

Wallets Stored in Oracle Internet

Ditrcotry

Multiple Certificate Support

Strong Wallet Encryption

Oracle PKI Implementation Summary PKI provides an important security

infrastructure to a network. SSL secures not only Oracle Net, but

also other protocols such as IIOP (Internet Inter-ORB Protocol), giving Oracle the ability to work with thin clients and Enterprise JavaBeans (EJB).

Certificates not only authenticate clients to servers, but they also authenticate servers to other servers.

Public-Key Encryption Also called asymmetric encryption involves a pair of keys

a public key a private key

Each public key is published, and the corresponding private key is kept secret.

Based on modular arithmetic

How PKI works

Knapsack problem

How PKI works (Con’t) Create a new Knapsack values （ 642, 2311, 18 ）

X: 1 4 6 12 25 51 105 210 421 850 Yi = (Xi * 642) % 2311 Y: 642 257 1541 771 2184 388 391 782 2206 304

[public key] Encode and encrypt message with the public

key An encrypted value 4895 can be derived very quickly

( 4895 * 18 ) % 2311 => 292292 = 1 4 6 12 25 51 105 210 421 8504895 = 642 257 1541 771 2184 388 391 782 2206 304

0 0 1 0 1 1 0 1 0 0

Certificate Authorities

A certificate authority (CA) is a trusted third party which certifies that other entities--users, databases, administrators, clients, servers--are who they say they are.

A certificate authority might be an external company that offers certificate services, or an internal organization

Certificates A certificate is like an electronic passport

which proves the identity of a user or device that seeks to access the network.

The certificate ensures that the entity's information is correct and that the public key actually belongs to that entity.

A certificate is created when an entity's public key is signed by a trusted identity (a certificate authority).

Information kept in a certificate the certificate user’s name an expiration date a unique serial number assigned to the

certificate by the CA the user’s public key information about the rights and uses

associated with the certificate the name of the certificate authority that

issued the certificate the CA’s signature an algorithm identifier that identifies which

algorithm was used to sign the certificate