Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright ©2001 TUSC All Rights Reserved Security Options in Oracle The Matrix of What’s Available Rich Niemiec, TUSC (Thanks.

Published by Modified over 10 years ago

Similar presentations

Presentation on theme: "Copyright ©2001 TUSC All Rights Reserved Security Options in Oracle The Matrix of What’s Available Rich Niemiec, TUSC (Thanks."— Presentation transcript:

1 Copyright ©2001 TUSC All Rights Reserved Security Options in Oracle The Matrix of What’s Available Rich Niemiec, TUSC (rich@tusc.com) www.tusc.com (Thanks to Kevin Loney, Kim Floss, Mary Ann Davidson)

2 Copyright ©2002 TUSC All Rights Reserved Presentation Goals/Non-Goals Goals –Target Key Areas Security –Target Key scripts –Target tips that are most useful Non-Goals –Learn ALL aspects of Security Will take weeks to months Need experience as well What you’ll need depends on your system

3 3 Overview What are you Guarding Against? Getting into databases Password Protection Outside the Application Effective Auditing Laying the Groundwork for Success Biometrics Oracle9i Changes Summary Helpful Scripts (FYI)

4 4 What are you guarding against? External malice –Denial of service attacks –Theft of data Internal disclosure –Source of most attempts –Particular issue in poor economy transient workforce adds to threat level Who: Disgruntled employeesCompetitors CriminalsTerrorists Bored college studentsCurious individuals Vendors

5 5 Security Breaches on the Rise! Company Security Breaches*: 1999 62% 200070% 200185% 200290% *CSI/FBI Surveys over the past 4 years

6 6 CERT Trends Automation and Speed of Attack are increasing. Attack tools are more sophisticated. Attackers are discovering vulnerabilities quicker. Firewalls are more permeable. Threats from infrastructure attacks are on the rise (such as denial of service and worms). *CSI/FBI Surveys over the past 4 years Computer Emergency Response Team (CERT)

7 7 Oracle9i Security Checklist 1. Install only the products you’re using 2. Lock and expire default user accounts 3. Change default passwords & enforce password management 4. Enable dictionary protection 5. Practice principle of least privilege 6. Enforce access controls effectively 7. Restrict network access a. Use a firewall b. Don’t poke any holes through the firewall c. Prevent listener access (set ADMIN_RESTRICTIONS_listenername=ON)

8 8 Oracle9i Security Checklist d. Allow/Deny access based on network IP (tcp.validnode_checking=YES, tcp.excluded_nodes={list the IP’s}, tcp.invited_nodes={list the IP’s}) e. Encrypt network traffic (Oracle Advanced Security) f. Make the O/S more restrictive 8.Apply all Oracle Security Patches – http://metalink.oracle.com and http://otn.oracle.com/deploy/security/alerts.htm 9. Report security issues or vulnerabilities to Oracle: secalert_us@oracle.com http://otn.oracle.com/deploy/security/oracle9i/pdf/9i_checklist.pdf

9 9 Oracle Security Alerts

10 10 Oracle Security Alerts http://otn.oracle.com/deploy/security/pdf/webdb_bugpost.pdf “If customers grant public access to PL/SQL procedures, in particular … OWA, SYS & DBMS …it may be possible to invoke through a URL and cause SQL statements to be executed on back-end Oracle database." Username/Password

11 11 Oracle Security Alerts http://www.sans.org/top20/#index

12 12 Preventing attacks Protect every copy of the data! Restrict access to backups –Establish procedures and access logs Restrict copying sensitive data to Development and Test databases Restrict database links into Production Restrict physical access to the hardware Restrict physical access to the network Protect/Dispose hardware appropriately

13 13 Common open doors SYS/change_on_install SYSTEM/manager WEBDB/webdb –full DBA access, factory settings Demo developer accounts –SCOTT/tiger, ADAMS/wood, JONES/steel, BLAKE/paper, CLARK/cloth CTXSYS/ctxsys - Used by interMedia Text servers TRACESVR/trace - supports Oracle Trace others: ORDSYS, OUTLN, MDSYS, MTSSYS Third Party Application Providers!

14 14 Main Options Basic login/password protection with locking Roles – A group of privileges for use with groups Data Encryption for storage in the database Auditing at the statement, user or record level Encrypts data sent over wire client/server Oracle utilizes SSL from browser to App. server Oracle performs checksumming to ensure that the data sent was not tampered with on the way. Virtual Private Databases to give a customer or B2B partner only access to their own data. Oracle Label Security allows record level security with label with privileges required to access it.

15 15 Advanced options RADIUS (Remote Access Dial-In User Service) –Secures remote access to network. –Industry Standard –ORACLE RADIUS is an Oracle implementation of RADIUS that allows the Oracle database to provide authentication and authorization (serving as the proxy to the RADIUS server). –This is often used with smartcards and biometrics.

16 16 Advanced options 1.A user logs in by entering a connect string, passcode, or other value. The client system passes this data to the Oracle database server. 2.The Oracle database server, acting as the RADIUS client, passes the data from the Oracle client to the RADIUS server. 3.The RADIUS server passes the data to the appropriate authentication server, such as Smart Card or SecurID ACE for validation. 4.The authentication server sends either an Access Accept or an Access Reject message back to the RADIUS server. 5.The RADIUS server passes this response to the Oracle database server / RADIUS client. 6.The Oracle database server / RADIUS client passes the response back to the Oracle client.

17 17 Advanced options

18 Copyright ©2002 TUSC All Rights Reserved Security Requirements Privacy & Integrity of communications Strong user authentication Access control User Account Management Flexibility & Cost Avoidance Accountability Encryption (RC4, DES, MD5, etc.) X.509v3 Certificates, smart cards, biometric Fine-grained Access Control Policies LDAP Directory Integration Security Standards (FIPS 140, Common Criteria) Comprehensive, granular auditing

19 19 Biometrics www.biometrics.org

20 20 Fingerprint Scanning www.identix.com

21 21 Fingerprint Scanning One of the fastest scanning available. Currently in use a method to log into the system without remembering a password. Disallows multiple logins Saves money on forgotten password help desk time. Best to have a two-part authorization which includes both the password and finger scan. www.finger-scan.com

22 22 Hand Scanning www.peninsulatime.com

23 23 Hand Scanning An excellent use for this is time clocks. Ensures that the employee is physically present. Many time clocks allow for the easy integration with the database. www.hand-scan.com

24 24 Face Scanning www.identix.com

25 25 Face Scanning This was used at the Super Bowl (Viisage). Much more complex than finger/hand scans. Based on MIT “eigenfaces” technology. It’s non-intrusive, but faces can have multiple expressions due to coughing, breathing, blinking, talking and other gestures. Yet, currently, this can be accomplished in seconds. www.facial-scan.com The main providers are: –Visionics (www.visionics.com) - Merged with Identix –Viisage (www.viisage.com)

26 26 Retinal Scanning This was the type of (fictitious) scan in the movie Minority Report. This type of scan is available currently. The blood vessels in the back of the eye are scanned. www.retina-scan.com

27 27 Iris Scanning This is less intrusive than retinal scans. It Scans the iris (colored part) of the eye. www.iris-scan.com www.accessexcellence.org

28 28 Other Types of Biometrics Voice Scanning Signature Scanning Smart Card Gesture Recognition

29 29 Put a Basic Plan Together 1.Vulnerability Analysis – Identify systems that might be a target of an infrastructure attack: Create a vulnerability analysis (with periodic updates). Determine minimal infrastructure. 2.Remedial Plan – Based on the vulnerability, create a remedial plan with timelines for implementing as well as responsibilities and funding. 3.Warning – Immediately establish a department to warn of significant attacks and enhance the system for detecting and analyzing attacks. 4.Response – Have a team identified to respond by isolating the problem, minimizing the damage and ensuring survivability. (CERT has detailed plans)

30 30 From Security to Survivability

31 31 From Security to Survivability Resistance to Repel Attacks Recognition of Attacks and extent of damage. Recovery of essential services during attacks and full services after an attack. Survivability should involve solutions that can transcend the system itself. Computer Emergency Response Team (CERT)

32 32 Summary What are you Guarding Against? Getting into databases Password Protection Outside the Application Effective Auditing Laying the Groundwork for Success Helpful Scripts Oracle9i Changes Summary

33 Copyright ©2002 TUSC All Rights Reserved www.tusc.com www.oracle.com www.cert.org www.biometrics.org www.finger-scan.org www.hand-scan.org www.retina-scan.org www.iris-scan.org www.face-scan.org www.sans.org Practical ways to secure your corporate information, Donald Shepard, Oracle Corp., www.poug.orgwww.poug.org Secure configuration guide for Oracle9iR2; Oracle, June 2002 Oracle gurus: Mary Ann Davidson, Kristy Browder and Sudhayer Neither TUSC, Oracle, IOUG nor the author guarantee this document to be error-free. Please provide comments and/or questions to rich@tusc.com. References

34 Copyright ©2001 TUSC All Rights Reserved Contact Information Rich Niemiec: rich@tusc.com This presentation will be available on the TUSC Web Site www.tusc.com (800) 755-TUSC

Download ppt "Copyright ©2001 TUSC All Rights Reserved Security Options in Oracle The Matrix of What’s Available Rich Niemiec, TUSC (Thanks."

Similar presentations

An investigation into the security features of Oracle 10g R2 Enterprise Edition Supervisor: Mr J Ebden.

An investigation into the security features of Oracle 10g R2 Enterprise Edition Supervisor: Mr J Ebden.
Introducing WatchGuard Dimension. Oceans of Log Data The 3 Dimensions of Big Data Volume –“Log Everything - Storage is Cheap” –Becomes too much data –

Introducing WatchGuard Dimension. Oceans of Log Data The 3 Dimensions of Big Data Volume –“Log Everything - Storage is Cheap” –Becomes too much data –
The twenty-four/seven database Oracle Database Security David Yahalom Senior database consultant

The twenty-four/seven database Oracle Database Security David Yahalom Senior database consultant
1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.

1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.
Www.tectia.com COPYRIGHT © 2010 TECTIA CORPORATION. ALL RIGHTS RESERVED. Proactive Measures to Prevent Data Theft Securing, Auditing and Controlling remote.

COPYRIGHT © 2010 TECTIA CORPORATION. ALL RIGHTS RESERVED. Proactive Measures to Prevent Data Theft Securing, Auditing and Controlling remote.
Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.

Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Security+ Guide to Network Security Fundamentals

Security+ Guide to Network Security Fundamentals
System and Network Security Practices COEN 351 E-Commerce Security.

System and Network Security Practices COEN 351 E-Commerce Security.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.

ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.

Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.
Lesson 10 – SECURING YOUR NETWORK Security devices Internal security External security Viruses and other malicious software OVERVIEW.

Lesson 10 – SECURING YOUR NETWORK Security devices Internal security External security Viruses and other malicious software OVERVIEW.
Network Security. Trust Relationships (Trust Zones) High trust (internal) = f c (once you gain access); g p Low trust ( ) = more controls; fewer privileges.

Network Security. Trust Relationships (Trust Zones) High trust (internal) = f c (once you gain access); g p Low trust ( ) = more controls; fewer privileges.
Network security policy: best practices

Network security policy: best practices
Intrusion Prevention, Detection & Response. IDS vs IPS IDS = Intrusion detection system IPS = intrusion prevention system.

Intrusion Prevention, Detection & Response. IDS vs IPS IDS = Intrusion detection system IPS = intrusion prevention system.
Presented by Manager, MIS.  GRIDCo’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to GRIDCo’s.

Presented by Manager, MIS.  GRIDCo’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to GRIDCo’s.
Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec

Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec
Course 201 – Administration, Content Inspection and SSL VPN

Course 201 – Administration, Content Inspection and SSL VPN

Similar presentations

Ads by Google