
Oracle Database Security …from the application perspective Martin Nystrom September 2003.


1 Oracle Database Security …from the application perspective Martin Nystrom September 2003

2 Purpose
 In scope: application security of Oracle databases
 Out of scope: system security of Oracle databases

3 Agenda
 Oracle architecture
   System architecture
   Network architecture
 Common Oracle objects
 Schema/object security
 Java security
 Application integration techniques
 Current challenges at Cisco

4 Grossly oversimplified Oracle network architecture (Oracle architecture)
Diagram: Oracle client software on a client host first sends an ONS query (port 1526) to the Oracle Names service (ONS server) to resolve the database name, then connects over SQL*Net (Net8) to the TNS Listener on port 1521 of the database server, which hands the session to the database. The resolved address has the form:
(ADDRESS=(PROTOCOL=TCP)(HOST=db.company.com)(PORT=1521))

5 Oracle networking example (Oracle architecture)
Diagram: the client host fields-sj-1 asks the Oracle Names service ons-sj (ONS query, port 1526) to resolve the name cmrs, receives
(ADDRESS=(PROTOCOL=TCP)(HOST=cmrsdb.cisco.com)(PORT=1521))
and connects to the TNS Listener on port 1521 of cmrsdb.

6 Simplified Oracle network architecture w/OCM (Oracle architecture)
Diagram: Host #1, Host #2 and Host #3 each run Oracle client software. An OCM (Oracle Connection Manager) server with its own TNS Listener on port 1521 sits between the clients and the database server’s TNS Listener (port 1521): Host #1 is allowed through, Host #2 is rejected, and Host #3’s connection is also shown as rejected.

7 SQL*Net (Oracle architecture)
 Introduced in Oracle V5
 Renamed “Net8” in Oracle8
 Supports multiple protocols (TCP/IP, DECnet, SPX/IPX, etc.)

8 Authentication & credentials (Oracle architecture)
 Can be…
   OS authentication
   Userid/password
   X.509 certificates
   Smart card
   Etc.
 Stored in Oracle
   As MD5 hash
   …not so for dblinks or FND_USERS

9 Authentication & credentials (cont.)
 Transport encryption
   DES encryption of db-selected random number w/user’s password hash
   OS-integrated authentication available too
   Password changes travel unencrypted
 Password management features available
   Aging & expiration
   History (e.g., can prohibit reuse of last 3 passwords)
   Composition & complexity (e.g., require letters + numbers)
   Account lockout
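The password-management features listed on this slide map onto an Oracle profile. The following is an added example, not from the presentation; the profile name app_user_profile, the verify function app_verify_password and the user asok are assumed, and it must be run as SYS because a PASSWORD_VERIFY_FUNCTION has to be owned by SYS.

```sql
-- Added example (not from the presentation): password composition check
-- plus a profile that enforces aging, history and lockout. Names assumed.
CREATE OR REPLACE FUNCTION app_verify_password (
    username      VARCHAR2,
    password      VARCHAR2,
    old_password  VARCHAR2)
RETURN BOOLEAN IS
BEGIN
    IF LENGTH(password) < 8 THEN
        raise_application_error(-20001, 'Password must be at least 8 characters');
    END IF;
    -- Composition & complexity: letters AND digits must both be present.
    -- TRANSLATE strips one character class; if the length is unchanged,
    -- that class was absent (NVL covers the all-stripped NULL case).
    IF NVL(LENGTH(TRANSLATE(password, 'x0123456789', 'x')), 0) = LENGTH(password) THEN
        raise_application_error(-20002, 'Password must contain at least one digit');
    END IF;
    IF NVL(LENGTH(TRANSLATE(UPPER(password), 'xABCDEFGHIJKLMNOPQRSTUVWXYZ', 'x')), 0)
       = LENGTH(password) THEN
        raise_application_error(-20003, 'Password must contain at least one letter');
    END IF;
    -- The account name is never an acceptable password.
    IF UPPER(password) = UPPER(username) THEN
        raise_application_error(-20004, 'Password must differ from user name');
    END IF;
    RETURN TRUE;
END;
/

CREATE PROFILE app_user_profile LIMIT
    FAILED_LOGIN_ATTEMPTS    5       -- account lockout after 5 failed logins
    PASSWORD_LOCK_TIME       1/24    -- stays locked for one hour (fraction of a day)
    PASSWORD_LIFE_TIME       90      -- aging: password expires after 90 days
    PASSWORD_GRACE_TIME      7       -- 7 days of warnings before expiry locks the account
    PASSWORD_REUSE_MAX       3       -- history: the last 3 passwords cannot be reused
    PASSWORD_REUSE_TIME      1       -- reuse also needs at least 1 day to have passed
    PASSWORD_VERIFY_FUNCTION app_verify_password;

-- Assign the profile; the verify function fires at the next password change.
ALTER USER asok PROFILE app_user_profile;
```

Without a profile, Oracle’s DEFAULT profile leaves every one of these limits at UNLIMITED, which is how the “passwords never changed” state on slide 26 arises.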

10 Common Oracle objects
Diagram: a database instance containing user schemas and a public area. Object types shown: table, view, trigger, index, stored procedure, function, synonym.

11 Oracle object security
Diagram: alice’s schema holds the tables employees and candidates; asok’s schema holds orders and customers; public objects include all_users. Alice gives Asok read access to one of her tables with:
grant select on EMPLOYEES to ASOK;

12 Oracle role-based security
Diagram: the hrdata schema holds employees and candidates; the DBA grants privileges on them to the role hr_steward and then grants the role to users:
grant all privileges on EMPLOYEES to HR_STEWARD;
grant HR_STEWARD to CATBERT;
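The role on this slide, followed by the check a DBA would run to see who can actually reach the table, as an added example that is not part of the presentation. The schema HRDATA, the users CATBERT and ASOK and the explicit privilege list are assumed; the query reads the DBA_* views, so it needs a DBA account.

```sql
-- Added example (not from the presentation): HR_STEWARD role and a
-- privilege audit for HRDATA.EMPLOYEES. Names assumed for illustration.
CREATE ROLE hr_steward;
-- Explicit privileges rather than ALL PRIVILEGES, which would also hand out
-- ALTER, INDEX and REFERENCES on the table.
GRANT SELECT, INSERT, UPDATE, DELETE ON hrdata.employees  TO hr_steward;
GRANT SELECT, INSERT, UPDATE, DELETE ON hrdata.candidates TO hr_steward;
GRANT hr_steward TO catbert;

-- A direct grant made outside the role (assumed), the kind of one-off that
-- accumulates into "privileges too broad" over time.
GRANT SELECT ON hrdata.employees TO asok;

-- Who can touch EMPLOYEES, and by which route? Direct grants first, then
-- grants to a role expanded to the users holding that role. Nested roles
-- (a role granted to a role) and grants to PUBLIC are not followed here.
SELECT tp.grantee                  AS holder,
       tp.privilege,
       'direct'                    AS via
  FROM dba_tab_privs tp
 WHERE tp.owner = 'HRDATA'
   AND tp.table_name = 'EMPLOYEES'
   AND tp.grantee IN (SELECT username FROM dba_users)
UNION ALL
SELECT rp.grantee                  AS holder,
       tp.privilege,
       'role ' || rp.granted_role  AS via
  FROM dba_tab_privs tp
  JOIN dba_role_privs rp ON rp.granted_role = tp.grantee
 WHERE tp.owner = 'HRDATA'
   AND tp.table_name = 'EMPLOYEES'
 ORDER BY holder, privilege;
```

With the grants above the result lists ASOK once (SELECT, direct) and CATBERT four times (via role HR_STEWARD); rerunning the query periodically is a cheap way to spot direct grants that bypass the steward role.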

13 Database links
Diagram: dogbert’s schema in ECOMMERCE_DB (table orders) reaches dogbert’s schema in HR_DB (table employees) through the database link EMPLINK:
create database link EMPLINK connect to DOGBERT identified by CISCO123 using 'HR_DB';

14 Java security in Oracle
Diagram: the sessions of dilbert and wally share the Java server classes (common, read-only): java.*, oracle.aurora.*, oracle.jdbc.*. Application classes such as com.cisco.ipc.* and com.cisco.myapp.calc are loaded per schema. System classes are loaded by default and are accessible to and shared by all sessions.

15 Java security in Oracle
 System classes loaded in shared area
 Users can load classes
   Into their own schema/session
   Can grant execution rights to other users
 Permissions
   Stored in Oracle objects, not files
   Stored in PolicyTable table
   Granted by DBA or JAVA_ADMIN roles
   call dbms_java.grant_permission('MNYSTROM', 'SYS:java.net.SocketPermission', 'localhost:1024-', 'connect');
 2 privilege models
   Invoker’s rights
   Definer’s rights (setuid)

16 Invoker’s rights
Diagram: code in alice’s schema (com.cisco.ipc.*, com.cisco.myapp.calc) reaching the salary table in dogbert’s schema; under invoker’s rights the code runs with the privileges of the user who calls it.

17 Definer’s rights
Diagram: the same code in alice’s schema (com.cisco.ipc.*, com.cisco.myapp.calc) reaching the salary table in dogbert’s schema; under definer’s rights the code runs with the privileges of the schema that owns it, the setuid model from the previous slide.

18 Access beyond the database
Diagram: the database server hosting the database and the local file system (/oracle/apps/).
 Languages: PL/SQL or Java
 Techniques: Stored procs or functions
 Examples
   Execute, read, write local files
   Make and receive network calls (HTTP, MMX, etc.)
   Access data in remote databases
   Send mail

19 Auditing
 Obviously impacts database performance
 Writes high-level info to a common table
   Database user
   Object (table, role, etc.)
   Action (select, insert, etc.)
   Date/time
 Currently enabled on-request to DBA team
 Difficult to trace actions to a live human
   Can correlate with IP address

20 Common integration techniques
 Shared database schemas
 Separate schemas/dbs
   Grant direct access to each other’s schemas
   Grant only stored proc access

21 Typical modern application
Diagram: one application connecting to its own application schema, which holds the tables orders and customers.

22 Shared schemas
Diagram: Application #1 and Application #2 both connect to Application #2’s schema (orders, customers); the privileges in play are select, insert, update and delete, and Application #1 is let in with a grant select.

23 Shared objects
Diagram: each application keeps its own schema (Application #1: orders; Application #2: customers) and uses select, insert, update and delete on its own tables; Application #2 gives Application #1 direct read access to customers with a grant select.

24 Shared, protected objects
Diagram: as on slide 23, but Application #2 exposes customers only through a stored procedure and gives Application #1 a grant execute on that procedure, not a grant on the table.
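The “grant execute” pattern on this slide depends on the definer’s-rights model from slides 16 and 17. The following added example (not from the presentation) shows both at once; the schema names APP1 and APP2, the column names of customers and the customer id 42 are assumed.

```sql
-- Added example (not from the presentation). Run as APP2, the owner of
-- CUSTOMERS. Schema and column names are assumed for illustration.
CREATE OR REPLACE PROCEDURE customer_contact (
    p_customer_id IN  customers.customer_id%TYPE,
    p_name        OUT customers.name%TYPE,
    p_email       OUT customers.email%TYPE)
AUTHID DEFINER AS   -- definer's rights: body runs with APP2's privileges
BEGIN
    -- Only two columns of one row ever leave the schema. The caller cannot
    -- issue its own SQL against CUSTOMERS, so other columns stay private.
    SELECT name, email
      INTO p_name, p_email
      FROM customers
     WHERE customer_id = p_customer_id;
END;
/

-- The only privilege Application #1 receives: no SELECT on the table.
GRANT EXECUTE ON customer_contact TO app1;

-- Run as APP1. This succeeds although APP1 holds no privilege on
-- APP2.CUSTOMERS, because the procedure lends its owner's rights.
DECLARE
    v_name  VARCHAR2(100);
    v_email VARCHAR2(255);
BEGIN
    app2.customer_contact(42, v_name, v_email);
END;
/

-- Still as APP1: the check that the table itself stays protected.
-- This fails with ORA-00942 (table or view does not exist).
SELECT name FROM app2.customers WHERE customer_id = 42;

-- Contrast (invoker's rights): if the procedure were declared
--   AUTHID CURRENT_USER
-- name resolution and privilege checks would happen as the caller, so the
-- same call from APP1 would fail with ORA-00942 unless APP1 were granted
-- SELECT on the table directly, which is exactly what slide 24 avoids.
```

The audit views from slide 19 then record the execute of APP2.CUSTOMER_CONTACT by APP1 rather than a raw select on the table, which makes the cross-application access easier to attribute.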

25 Application-level integration
Diagram: as on slide 23, but with no cross-schema database grant at all; the applications integrate above the database through shared libraries, MMX, web services or IIOP.

26 Current problems in industry
 Account management
   Passwords never changed
   Accounts/passwords widely known
     All developers
     cgi-bin trees
     CVS source repositories
 Privileges too broad
 No data stewardship
 No segregation/special protection for sensitive data

