Oracle Database Security …from the application perspective Martin Nystrom September 2003.

Slides:



Advertisements
Similar presentations
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 8 Application Data Auditing.
Advertisements

Tux2 Database The Architecture of Our System © Juhani Välimäki 2005.
Database Vault Welcome, today I’d like to present an overview of the latest security product from Oracle – Database Vault. We announced this new product.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 13: Administering Web Resources.
Securing Oracle Databases CSS-DSG JTrumbo. Audit Recommendations -Make sure databases are current with patches. -Ensure all current default accounts &
Building and Deploying Safe and Secure Android Apps for Enterprise Presented by Technology Consulting Group at Endeavour Software Technologies.
1 June 1, 2015 Secure access to project budget information for OAR Principal Investigators Eugene F Burger Sylvia Scott Tracey Nakamura John L Forbes PMEL.
Chapter 7 HARDENING SERVERS.
SSH : The Secure Shell By Rachana Maheswari CS265 Spring 2003.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.
Administering User Security
Presented By: Matthew Garrison. Basics of Role Based Access Control  Roles are determined based on job functions within a given organization  Users.
Telnet/SSH: Connecting to Hosts Internet Technology1.
Membership in ASP.Net...if only Presented by: Patrick Hynds President, CriticalSites Microsoft Regional Director.
Jim McLeod MyDBA  SQL Server Performance Tuning Consultant with MyDBA  Microsoft Certified Trainer with SQLskills Australia 
Oracle for Software Developers. What is a relational database? Data is represented as a set of two- dimensional tables. (rows and columns) One or more.
Introduction to SQL Server 2000 Security Dave Watts CTO, Fig Leaf Software
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Services Working at a Small-to-Medium Business or ISP – Chapter 7.
Chapter Oracle Server An Oracle Server consists of an Oracle database (stored data, control and log files.) The Server will support SQL to define.
Csci5233 Computer Security1 Bishop: Chapter 27 System Security.
By Lecturer / Aisha Dawood 1.  Administering Users  Create and manage database user accounts.  Create and manage roles.  Grant and revoke privileges.
9 Copyright © 2005, Oracle. All rights reserved. Administering User Security.
Auditing Authentication & Authorization in Banner
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.
Chapter 6 : Designing SQL Server Service-Level Security MCITP Administrator: Microsoft SQL Server 2005 Database Server Infrastructure Design Study Guide.
SEC835 Practical aspects of security implementation Part 1.
Security David Frommer Principal Architect Business Intelligence Microsoft Partner of the Year 2005 & 2007.
MICROSOFT SQL SERVER 2005 SECURITY  Special Purpose Logins and Users  SQL Server 2005 Authentication Modes  Permissions  Roles  Managing Server Logins.
I NTRODUCTION OF W EEK 7  Assignment Discussion  Graded: (Creation of Database) (All submitted!)  Naming standard, Logical to physical design.
7 Copyright © 2004, Oracle. All rights reserved. Administering Users.
Oracle 10g Database Administrator: Implementation and Administration Chapter 2 Tools and Architecture.
Permissions Lesson 13. Skills Matrix Security Modes Maintaining data integrity involves creating users, controlling their access and limiting their ability.
Database Security. Multi-user database systems like Oracle include security to control how the database is accessed and used for example security Mechanisms:
Database Security David Nguyen. Dangers of Internet  Web based applications open up new threats to a corporation security  Protection of information.
Database Security Cmpe 226 Fall 2015 By Akanksha Jain Jerry Mengyuan Zheng.
Oracle Database Security …from the application perspective.
Transactions, Roles & Privileges Oracle and ANSI Standard SQL Lecture 11.
IST 318 Database Administration Lecture 9 Database Security.
Protocols Monil Adhikari. Agenda Introduction Port Numbers Non Secure Protocols FTP HTTP Telnet POP3, SMTP Secure Protocols HTTPS.
SQL Server 2005 Implementation and Maintenance Chapter 6: Security and SQL Server 2005.
Oracle 11g: SQL Chapter 7 User Creation and Management.
13 Copyright © Oracle Corporation, All rights reserved. Controlling User Access.
Active Directory. Computers in organizations Computers are linked together for communication and sharing of resources There is always a need to administer.
Oracle9i Performance Tuning Chapter 11 Advanced Tuning Topics.
7 Copyright © 2007, Oracle. All rights reserved. Administering User Security.
1 Chapters 21, 22, 23, 37  Ch. 21: SQL*Loader  Ch. 22: Database Links, Oracle Net  Ch. 23: Materialized Views (aka Snapshots)  Ch. 37: Data Dictionary.
Intro To Oracle :part 1 1.Save your Memory Usage & Performance. 2.Oracle Login ways. 3.Adding Database to DB Trees. 4.How to Create your own user(schema).
1 Copyright © 2009, Oracle. All rights reserved. Controlling User Access.
Secure Data Access with SQL Server 2005 Doug Rees Associate Technologist, CM Group
SSH. 2 SSH – Secure Shell SSH is a cryptographic protocol – Implemented in software originally for remote login applications – One most popular software.
19 Copyright © 2008, Oracle. All rights reserved. Security.
6 Copyright © 2005, Oracle. All rights reserved. Administering User Security.
Controlling User Access
Installing TMG & Choosing a Client Type
CS320 Web and Internet Programming SQL and MySQL
Securing Data with SQL Server 2016
Configuring and Troubleshooting Routing and Remote Access
Introduction To Database Systems
Server Concepts Dr. Charles W. Kann.
Introduction to SQL Server 2000 Security
Working at a Small-to-Medium Business or ISP – Chapter 7
Chapter 3: Windows7 Part 4.
Working at a Small-to-Medium Business or ISP – Chapter 7
Telnet/SSH Connecting to Hosts Internet Technology.
File Transfer Protocol
Working at a Small-to-Medium Business or ISP – Chapter 7
CS3220 Web and Internet Programming SQL and MySQL
(Authentication / Authorization)
CS3220 Web and Internet Programming SQL and MySQL
Designing IIS Security (IIS – Internet Information Service)
Presentation transcript:

Oracle Database Security …from the application perspective Martin Nystrom September 2003

Purpose  In scope: application security of Oracle databases  Out of scope: system security of Oracle databases

Agenda  Oracle architecture System architecture System architecture Network architecture Network architecture  Common Oracle objects  Schema/object security  Java security  Application integration techniques  Current challenges at Cisco

Database server Grossly oversimplified Oracle network architecture Database Client host 1521 TNS Listener SQL*Net (Net8) Oracle client software Oracle architecture ONS server Oracle Names service ONS query 1526 (ADDRESS=(PROTOCOL=TCP) (HOST=db.company.com) (PORT=1521))

(ADDRESS=(PROTOCOL=TCP) (HOST=cmrsdb.cisco.com) (PORT=1521)) cmrsdb Oracle networking example cmrs fields-sj TNS Listener Oracle client software Oracle architecture ons-sj Oracle Names service ONS query 1526

Database server Simplified Oracle Network Architecture w/OCM Database 1521 TNS Listener Host #1 Oracle client software OCM Server Host #2 Oracle client software Host #3 Oracle client software 1521 TNS Listener rejected Allowed Host #1 Host #2 rejected Oracle architecture

SQL*Net  Introduced in Oracle V5  Renamed “Net8” in Oracle8  Supports multiple protocols (TCP/IP, DECnet, SPX/IPX, etc.) Oracle architecture

Authentication & credentials  Can be… OS authentication OS authentication Userid/password Userid/password X.509 certificates X.509 certificates Smart card Smart card Etc. Etc.  Stored in Oracle As MD5 hash As MD5 hash …not so for dblinks or FND_USERS …not so for dblinks or FND_USERS Oracle architecture

Authentication & credentials (cont.)  Transport encryption DES encryption of db-selected random number w/user’s password hash DES encryption of db-selected random number w/user’s password hash OS-integrated authentication available too OS-integrated authentication available too Password changes travel unencrypted Password changes travel unencrypted  Password management features available Aging & expiration Aging & expiration History (e.g., can prohibit reuse of last 3 passwords) History (e.g., can prohibit reuse of last 3 passwords) Composition & complexity (e.g., require letters + numbers) Composition & complexity (e.g., require letters + numbers) Account lockout Account lockout

Common Oracle objects Database instance schema Public area schema tableview trigger index stored procedure function table synonym

Oracle object security grant select on EMPLOYEES to ASOK; alice’s schema employees candidates asok’s schema orderscustomers Public objects all_users

Oracle role-based security hrdata schema employees candidates hr_steward grant all privileges on EMPLOYEES to role HR_STEWARD; grant HR_STEWARD to CATBERT; DBA

Database links dogbert’s schema orders EMPLINK dogbert’s schema employees HR_DBECOMMERCE_DB Create database link EMPLINK connect to DOGBERT identified by CISCO123 using HR_DB;

Java security in Oracle dilbert sessionwally session Java server classes (common, read-only) java.* oracle.aurora.*oracle.jdbc.* com.cisco.ipc.* com.cisco.myapp.calc System classes loaded by default, accessible & shared by all sessions

Java security in Oracle  System classes loaded in shared area  Users can load classes Into their own schema/session Into their own schema/session Can grant execution rights to other users Can grant execution rights to other users  Permissions Stored in Oracle objects, not files Stored in Oracle objects, not files Stored in PolicyTable table Stored in PolicyTable table Granted by DBA or JAVA_ADMIN roles Granted by DBA or JAVA_ADMIN roles “call dbms_java.grant_permission(“call dbms_java.grant_permission(“mnystrom”,“java.util.SocketPermission”,“localhost:1024-”,“connect”)  2 privilege models Invoker’s rights Invoker’s rights Definer’s rights (setuid) Definer’s rights (setuid)

Invoker’s rights alice’s schemadogbert’s schema com.cisco.ipc.* com.cisco.myapp.calc salary

Definer’s rights alice’s schemadogbert’s schema com.cisco.ipc.* com.cisco.myapp.calc salary

Access beyond the database Database server Database /oracle/apps/  Languages: PL/SQL or Java  Techniques: Stored procs or functions  Examples Execute, read, write local files Execute, read, write local files Make and receive network calls (HTTP, MMX, etc.) Make and receive network calls (HTTP, MMX, etc.) Access data in remote databases Access data in remote databases Send mail Send mail

Auditing  Obviously impacts database performance  Writes high-level info to a common table Database user Database user Object (table, role, etc.) Object (table, role, etc.) Action (select, insert, etc.) Action (select, insert, etc.) Date/time Date/time  Currently enabled on-request to DBA team  Difficult to trace actions to a live human Can correlate with IP address Can correlate with IP address

Common integration techniques  Shared database schemas  Separate schemas/dbs Grant direct access to each other’s schemas Grant direct access to each other’s schemas Grant only stored proc access Grant only stored proc access

Typical modern application application schema orderscustomers application

Shared schemas application #2’s schema orderscustomers Application #1 Application #2 select insert update insert update delete select grant select

Shared objects Application #1’s schema orders Application #1 Application #2 select insert update Application #2’s schema customers insert update delete select grant select

Shared, protected objects Application #1’s schema orders Application #1 Application #2 select insert update Application #2’s schema customers insert update delete select grant execute stored procedure

Application-level integration Application #1’s schema orders Application #1 Application #2 select insert update Application #2’s schema customers insert update delete select grant Shared libraries MMX Web services IIOP

Current problems in industry  Account management Passwords never changed Passwords never changed Accounts/passwords widely known Accounts/passwords widely known All developersAll developers cgi-bin treescgi-bin trees CVS source repositoriesCVS source repositories  Privileges too broad  No data stewardship  No segregation/special protection for sensitive data

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.