Oracle Database Security Features in the Banking Environment. Dr. Matthias Mann, DOAG

Transcription

1 Oracle Database Security Features in the Banking Environment Dr. Matthias Mann, DOAG University of Applied Sciences, Cologne Campus Gummersbach

2 AGENDA Database User Authentication and Authorization Authentication Authorization Multi Tier Application Architectures Virtual Private Database Database Vault Advanced Security Option Transparent Data Encryption (Data at Rest) Encryption of Network Traffic (Data in Transit) Auditing 2

3 Some German Legal Requirements and Security Categories Regulation Access Control & Data Accees Separation of Duties Risk Mgmt. & Process Mgmt. 4. Finanzmarktunterstützungsgesetz Aktiengesetz Bundesdatenschutzgesetz 3

4 Database User Authentication and Authorization authentication methods: locally in the database on the client (host based) client / server (multi tier) directory based 4

5 Database User Authentication and Authorization Local Authentication SQL> create user scott profile pf_01 identified by tiger; SQL> select resource_name, limit from dba_profiles where resource_type='password' and profile ='PF_01'; RESOURCE_NAME LIMIT FAILED_LOGIN_ATTEMPTS 3 PASSWORD_LIFE_TIME 71 PASSWORD_REUSE_TIME 1 PASSWORD_REUSE_MAX 5 PASSWORD_VERIFY_FUNCTION F_IS_PW_OK PASSWORD_LOCK_TIME DEFAULT PASSWORD_GRACE_TIME 14 5

6 Database User Authentication and Authorization Local Authentication in large organisations: several hundred databases several end users central usermanagement managing all kind of users local account management is a "nightmare" inconsistencies in database profiles no match of installed database users with actual end users reporting / inventory nearly impossible different security policies in different environments 6

7 Database User Authentication and Authorization Client Based Authentication SQL> create user scott profile pf_01 identified externally; $ whoami $ scott $ sqlplus / SQL>show user SQL>User is "scott" client host OS acts as trusted authority requires identical user scott on OS level possible local to the DB and remote (remote_os_authent) 7

8 Database User Authentication and Authorization Client Based Authentication local authentication: used in the past for "passwordless" batch operations not compatible with multi tier architectures remote authentication uncalculable security risk => should not be used alternative: wallet based authentication (client / server based) 8

9 Database User Authentication and Authorization Client / Server Based Authentication in the database have a locally identified user on the client create a wallet (password store): $ mkstore -wrl <path> -create -rw oracle oinstall 3589 Nov 13 13:19 cwallet.sso -rw oracle oinstall 3512 Nov 13 13:19 ewallet.p12 configure sqlnet.ora: sqlnet.wallet_override=true wallet_location=<path> configure naming resolution (place TNS alias in tnsnames.ora) place database user credentials in the wallet referencing the corresponding tnsnames.ora entry useful for batch accounts login using the following syntax: $ sqlplus /@<TNS Alias> 9

10 Database User Authentication and Authorization Directory based Authentication Enterprise User Security (EUS) centralized user administration capability for Oracle databases user authentication and authorization data are stored in a LDAP compliant directory password, Kerberos, X.509 certificates backward compatible => no change to application necessary 10

11 11 Database User Authentication and Authorization Directory based Authentication

12 Database User Authentication and Authorization Directory based Authentication Enterprise Directory Database Database Account(s) Enterprise Account(s) Global schema Local schema Enterprise Roles(s) Enterprise Role Global Role Local Role Database Role(s) 12

13 Database User Authentication and Authorization Directory based Authentication Step Description Who / Tool Where Comment (1) define directory access for DB Instance (2) let database access directory DBA / sqlplus DBA / sqlplus database server (ldap.ora) spfile once once (1) $TNS_ADMIN/ldap.ora # ldap.ora Network Configuration File: /opt/oracle/admin/bip6td/network/pfile/ldap.ora # Generated by Oracle configuration tools. DIRECTORY_SERVERS= (sybasetst1.sys.hypovereinsbank.de:10389:10636) DEFAULT_ADMIN_CONTEXT = "dc=hvb,dc=de" DIRECTORY_SERVER_TYPE = OID (2) set the directory lookup indicator alter system set ldap_directory_access=<password,ssl,none> scope=spfile; 13

14 Database User Authentication and Authorization Directory based Authentication Step Description Who / Tool Where Comment (3) register database in directory (3) display database instance in directory: DBA / dbca directory / wallet on database server wallet for database directory credentials > ldapsearch -h sybasetst1 -p D cn=admin -w ovd_1 "cn=bip6td" cn=bip6td,cn=oraclecontext,dc=hvb,dc=de orcloraclehome=/opt/oracle/product/ orclservicetype=db orcldbglobalname=bip6td userpassword={ssha}3ycckn62gpafzch4dqzxzdke8yyvo2l6b0p5bq== orclcommonrpwdattribute={sasl-md5}kmmejqpwit46aiis/h542q== orclsystemname=orainfra1 orclnetdescstring=(description=(address=(protocol=tcp)(host=bip6td)(port=1561))(connect_data=(se RVICE_NAME=BIP6TD))) orclsid=bip6td orclnetdescname=000:cn=description_0 cn=bip6td orclversion= objectclass=top objectclass=orclservice objectclass=orcldbserver objectclass=orclapplicationentity objectclass=orcldbserver_92 14

15 Database User Authentication and Authorization Directory based Authentication Step Description Who / Tool Where Comment (4) create enterprise user directory admin directory once > ldapsearch -h sybasetst1 -p D cn=admin -w ovd_1 "uid=p863061" uid=p863061,ou=people,dc=hvb,dc=de uid=p objectclass=inetorgperson objectclass=organizationalperson objectclass=person objectclass=top objectclass=orcluser objectclass=orcluserv2 givenname=matthias sn=mann cn=matthias Mann authpassword;orclcommonpwd={ssha}f5dxazpwlyxm3en48id9rl8blx9+y7oi1fp/fa== 15

16 Database User Authentication and Authorization Directory based Authentication Step Description Who / Tool Where Comment (5) create shared schema DBA / sqlplus database (5) Shared Schema SQL>create user db_entry identified globally as ''; SQL>grant create session to db_entry; SQL> select username, password from dba_users where username = 'DB_ENTRY'; USERNAME PASSWORD DB_ENTRY GLOBAL 16

17 Database User Authentication and Authorization Directory based Authentication Step Description Who / Tool Where Comment (6) create directory entry for schema (7) assign schema to database user management / ESM user management / ESM directory directory once once (8) assign directory user to schema user management / ESM directory once (9) Authentication end user workplace need to know her amd password 17

18 Database User Authentication and Authorization Directory based Authentication (9) Authentication (login into database) sqlplus p SQL*Plus: Release Production on Sat Jul 4 14:07: Copyright (c) 1982, 2005, Oracle. All Rights Reserved. Enter password: Connected to: Oracle Database 10g Enterprise Edition Release bit Production SQL> select sys_context ('userenv','external_name') "Directory User", user schema, sys_context ('userenv','db_name') database from dual; Directory User SCHEMA DATABASE uid=p863061,ou=people,dc=hvb,dc=de DB_ENTRY BIP6TD 18

19 Database User Authentication and Authorization Directory based Authentication Step Description Who / Tool Where Comment (10) create global database role (11) grant privileges to global role DBA / sqlplus DBA / sqlplus database database once once (10,11) Global database Role and Privileges SQL> connect / as sysdba Connected. SQL> create role r_read_global identified globally; SQL> grant r_catalog to r_read_global; 19

20 Database User Authentication and Authorization Directory based Authentication Step Description Who / Tool Where Comment (12) create Enterprise Role (13) map global role to enterprise role user management / ESM user management / ESM Directory Directory once (12,13) Role Mapping > ldapsearch -h sybasetst1 -p D cn=admin -w ovd_1 "cn=r_eus01" cn=r_eus01,cn=oracledefaultdomain,cn=oracledbsecurity,cn=products,cn=oraclecontext,dc=hvb,dc=de orcldbserverrole=cn=bip6td,cn=oraclecontext,dc=hvb,dc=de,globalrole=r_read_global uniquemember=uid=p863061,ou=people,dc=hvb,dc=de cn=r_eus01 objectclass=top objectclass=orcldbenterpriserole objectclass=orclprivilegegroup objectclass=groupofuniquenames objectclass=orcldbenterpriserole_82 objectclass=orcldbenterpriserole_10i 20

21 Database User Authentication and Authorization Directory based Authentication Step Description Who / Tool Where Comment (14) Authorization end user workplace 21 (14) Authorization sqlplus p SQL> desc dba_tablespaces; Name Null? Type TABLESPACE_NAME NOT NULL VARCHAR2(30) BLOCK_SIZE NOT NULL NUMBER INITIAL_EXTENT NUMBER NEXT_EXTENT NUMBER MIN_EXTENTS NOT NULL NUMBER MAX_EXTENTS NUMBER PCT_INCREASE NUMBER MIN_EXTLEN NUMBER STATUS VARCHAR2(9) CONTENTS VARCHAR2(9) LOGGING VARCHAR2(9) FORCE_LOGGING VARCHAR2(3) EXTENT_MANAGEMENT VARCHAR2(10) ALLOCATION_TYPE VARCHAR2(9) PLUGGED_IN VARCHAR2(3) SEGMENT_SPACE_MANAGEMENT VARCHAR2(6) DEF_TAB_COMPRESSION VARCHAR2(8) RETENTION VARCHAR2(11) BIGFILE VARCHAR2(3)

22 Database User Authentication and Authorization Proxy Authentication Basic Principle: SQL>create user proxy identified by proxypw; SQL>grant connect to proxy; SQL>alter user client grant connect to proxy; SQL>connect proxy[client]/proxypw SQL> select sys_context('userenv','current_schema') CURRENT_SCHEMA, sys_context('userenv','session_user') SESSION_USER, sys_context('userenv','proxy_user') PROXY_USER from dual; CURRENT_SCHEMA SESSION_USER PROXY_USER client client proxy 22

23 Database User Authentication and Authorization Proxy Authentication Flexibility Authorization Granularity SQL>alter user A grant connect through B with all roles except < >; SQL>alter user A grant connect through B with no roles; SQL>alter user A grant connect through B with role C; Authentication SQL>alter user A grant connect through B authentication required; for use with EUS SQL>alter user A grant connect through B authenticated using Distinguished Name; SQL>alter user A grant connect through Enterprise Users; 23

24 Database User Authentication and Authorization Authorization Oracle authorization is based on a privilege model through which you can allow or deny access to data, actions or processing. Object Privileges select, insert, update, delete, execute can be granted, revoked with grant option Granularity: on column level Procedures BE CAREFUL!!! can be executed with definer (default!!) or invoker rights (Example 1) depending how they are defined never allow SQL injection as string into a procedure 24

25 Database User Authentication and Authorization Authorization System Privileges right to perform an action without a qualification on what the action is applied to ~ 200 different system privs create table, create user, drop profile, create tablespace admin option ~ 100 ANY privileges (BE CAREFUL!!!) drop any table Best Practice separate DDL and DML privileges into different users 25

26 Database User Authentication and Authorization Authorization Database Roles named groups of privileges easy and transparent administration avoid complex hierarchies (Risk!) default roles (alter user default role ) Default: ALL (all roles granted subsequently are default roles) max_enabled_roles password protected roles are possible PUBLIC: not a role and not a user, but: any user is automatically assigned all privileges granted to PUBLIC 26

27 Database User Authentication and Authorization Authorization Secure Application Roles (see Code Example 2) allow you to dynamically control privileges through application logic can only be set by a procedure can be enabled by logon trigger or dynamically within the current session 27

28 Database User Authentication and Authorization Authorization ACLs and Network Services revoke execute privilege for sensitive packeages from PUBLIC UTL_TCP: open TCP/IP connection in PL/SQL UTL_SMTP: send mail from PL/SQL UTL_HTTP: HTTP request over TCP/IP from PL/SQL starting with Oracle 11 ACL have tp be defined to grant access to network services to a database user (dbms_network_acl_admin) 28

29 Database User Authentication and Authorization Security Challenges with Multi-Tier Application Architectures Multi Tier Architecture 29

30 Database User Authentication and Authorization Security Challenges with Multi-Tier Application Architectures end user is captured by middle tier middle tier instead of database is authenticating the end user middle tier needs to invoke roles and privileges in the database on behalf of the end user challenges with regard to data access control: identify the "real" end user authenticate the end user => access limitation to objects and actions in the database audit user activities in the database 30

31 Database User Authentication and Authorization Security Challenges with Multi-Tier Application Architectures Architecture Approaches 1. Pass through (Client / Server) 1:1 relationship end user : db user user authentication in the database unsuitable for Web Applications 2. middle tier is responsible for user security in DB application user account has all privs for all end users in the system (contradicts the "least privilege" principle) difficult to audit 31

32 Database User Authentication and Authorization Security Challenges with Multi-Tier Application Architectures 3. Re Authentication of the end user in the DB application forwards login information to the DB for authentication 4. end user to session mapping via token passing true end user not known to the DB token can be used for auditing connection pooling (dbms_session.set_client_identifier) 5. Proxy Authentication makes use of enterprise directory as trusted authority 32

33 Database User Authentication and Authorization Security Challenges with Multi-Tier Application Architectures Advantages separate application logic from data storage enable appserver to access DB convenient browser client interface (thin client) 33

34 Virtual Private Database implementation of Fine Grained Access Control for tables, views, synonyms application independent, enforced by the DB policies on row- or column level uses query rewriting technique Code Example 3a: Use an application context to define a namespace Code Example 3b: Use Row Level Security Policy 34

35 Virtual Private Database Query db user application context (namespace) Rewrite RLS Policy Predicate Object 35

36 Virtual Private Database Default Userenv Context Oracle provides a default application context for each database session: USERENV with the following information: session_user current_user current_schema external_name client_identifier client_info proxy_user audited_cursorid entryid sessionid isdba ip_address db_name host network_protocol authentication_type policy_invoker current_sql 36

37 Virtual Private Database Default Userenv Context SQL>select sys_context('userenv','session_user') from dual; 37

38 Database Vault on top of built in database security mechanisms control of access to application data based on business requirements prevention of unauthorized access of highly privileged database accounts following legal / business requirements (ANY privs) 38

39 39 Database Vault

40 Database Vault Components DB Vault Component Realms Command Rules Factors Rule Sets Secure application roles Description Boundaries within the Oracle database that act like a firewall to prevent privileged users from using their special privileges to access application data Security rules that control the execution of database commands Environmental parameters (IP address, Authentication method) that can be used with Database Vault command rules and realms to create trusted paths to data, defining who, when, where and how applications, data and databases are accessed Collection of one or more rules that you can associate with other components (a realm authorization, command rule, factor assignment): it evaluates to true or false based on the evaluation of each rule it contains and the evaluation type. Oracle Database role that can be enabled based on the evaluation of an Oracle Database Vault rule set. 40

41 Database Vault Separation of Duties Function Security Administrator Account Administrator DBA Application Administrator Responsibility Realms, Rule Sets, Command Rules, Factors Database Accounts and Profiles Backup / Recovery Tuning Startup/Shutdown Patching/Upgrade Schema Management Privilege Management within application schema / users scope before introducing DBV think about processes!!! 41

42 42 Database Vault Realms

43 Database Vault Realms realm checking is done before the use of ANY privs and for grant and revoke of roles within the realm normal object or system privileges are not affected use realms when you protect groups of objects from DBA or other privileged users 43

44 44 Database Vault Realms

45 Database Vault Rule Sets Rule Sets rule sets are used from within command rules are composed of rules (PL/SQL expressions => true/false) OR and AND rulesets Examples: Enabled Disabled Allow Sessions 45

46 46 Database Vault Rule Sets

47 47 Database Vault Rule Sets

48 Database Vault Command Rules global rules that are checked for every access and for all users can be used to secure any statement Example: begin dvsys.dbms_macadm.create_command_rule( command => 'DROP TABLE', rule_set_name => 'Disabled', object_owner => 'SCOTT', object_name => 'EMP', enabled => 'Y'); end; / 48

49 49 Database Vault Command Rules

50 Database Vault Factors, Secure Application Roles Factors variables used within rules custom factors may be built (e.g. source_program) Built In Factors: client IP database domain enterprise identity proxy user Secure Application Roles like "normal" secure application roles (are set using pl/sql procedures) DBV secure application roles are are enabled using DV rule sets 50

51 Advanced Security Option Transparent Data Encryption (Data at Rest) Oracle TDE provide two types of encryption: Column Encryption: individual application table columns such as credit card and social security numbers. This requires a deep knowledge of the columns that must be encrypted Tablespace Encryption: tablespace encryption eliminates the complexities of identifying and encrypting individual columns since ALL the data stored on the tablespace is automatically encrypted 51

52 Advanced Security Option Transparent Data Encryption (Data at Rest) Tablespace Encryption: automatically encrypts data written to storage by the Oracle database, If database files or storage disks are stolen from original servers, data cannot be decrypted and read on different server No storage overhead Supports all data types, foreign keys, indexes 52

53 Advanced Security Option Transparent Data Encryption (Data at Rest) Encryption keys are the secrets used in combination with an encryption algorithm to encrypt data Transparent Data Encryption uses a 2-tier key architecture for flexible and non-intrusive key rotation and least operational and performance impact Each application table with at least one encrypted column has its own table key, which is applied to all encrypted columns in that table. each encrypted tablespace has its own tablespace key. Are managed automatically no human interaction Each of these keys is encrypted with the TDE master encryption key, which is stored outside of the database in an external security module: Oracle Wallet. Transparent Data Encryption supports standard encryption algorithms including AES256, AES192, AES128 and 3DES168 53

54 Advanced Security Option Transparent Data Encryption (Data at Rest) Wallet Types Standard Requires manual password entry to open the wallet and make the master key available. Not possible to read data without the password Auto-Login Created from the standard wallet, no password entry required, enables unattended DB startup. Local Auto-Login Similar to Auto-Login Wallet, but only works on the database machine where it was created. Password required if data is read on different server/machines. All types of Wallets guarantee the following: Protected by password entry and strong encryption periodic password rotation Enables separation of duties between the Security Administrator and the Database Administrator OS permissions and file system features can lock-down the wallet and establish separation of duties 54

55 Advanced Security Option Transparent Data Encryption (Data at Rest) Integration with other Database features Feature Compression Backup / Restore Export / Import High Availability (Dataguard) Replication (Streams, Golden Gate) Comment compression bevor encryption double encryption for backups avoided optional export encryption transparent, DR site encryption optional transparent 55

56 Advanced Security Option Transparent Data Encryption (Data at Rest) Wallet and Password Management Wallet Backup: Backup the wallet in a separate location from the encrypted data. Wallet can be backed up with standard Oracle and third party products/architectures Strong Wallet Password: Password can be split with different custodians Person A enters the first part of the password before Person B enters the 2nd half of the password, without Person B being able to see what Person A typed into the password field possible to have remote management for wallet and passwords 56

57 57 Advanced Security Option Transparent Data Encryption (Data at Rest)

58 Advanced Security Option Network Traffic Encryption (Data in Transit) client and server negotiate encryption parameters Parameter sqlnet.encryption_server/client sqlnet.encryption_types_server/client sqlnet.crypto_checksum_server/client sqlnet.crypto_checksum_types_server/client Comment rejected accepted requested required encryption algorithm rejected accepted requested required checksum types 58

59 59 Auditing Why?

60 60 Auditing What?

61 Auditing Standard Out of the Box Standard Auditing audit_trail : { none os db [, extended] xml [, extended] } AUD$ or OS Files XML Files or name-value delimited text files Audit Command Qualifiers: when successful when unsuccessful both (default) by session by access Statement Auditing Object Auditing Privilege Auditing 61

62 Auditing Standard Out of the Box mandatory auditing: DB Startup / Shutdown sysdba logon changes to audit_trail administrator auditing audit_sys_operations: true => OS Files syslog auditing: audit_syslog_level=<valid syslog facility> prevents possibility for altering audit records by DBA log aggregation on remote collection servers 62

63 Auditing Fine Grained Auditing standard auditing: "all or nothing" possibility to specify granular conditions for creating audit records configuration via policies begin end; / dbms_fga.add_policy( object_schema=>'scott', object_name=>'emp', policy_name=>'emp_access', audit_columns=>'sal', audit_conditions=>'sal>9999', statement_types=>'select', audit_column_options=>'dbms_fga.any_columns', audit_trail=>'dbms_fga.xml + DBMS_FGA.EXTENDED' handler_schema='secadm' handler_module=>'rt_alert'); 63

64 Auditing Admin Views DBA_COMMON_AUDIT_TRAIL DBA_AUDIT_TRAIL (standard Auditing) V$XML_AUDIT_TRAIL (standard Auditing) DBA_FGA_AUDIT_TRAIL (fine grained Auditing) SYS.AUD$ (table) <audit_file_dest>/*.xml (OS files) SYS.FGA_LOG$ (table) 64

65 65 Auditing Audit Vault