Oracle Database Security and Audit




Oracle Database Security and Audit: Beyond Checklists
Copyright 2014

Learning objectives
- Understand Oracle architecture
- Database listener
- Oracle connection handshake
- Client/server architecture
- Authentication methods
- Password protection

Oracle architecture
- Architecture of an Oracle database instance
- Oracle Real Application Cluster (RAC)
- Oracle networking architecture
- Oracle Automatic Storage Management (ASM)
- Oracle Enterprise Manager (OEM) 12c Cloud Control

Oracle RDBMS Architecture
An Oracle database is not just a data store. It is a complex system, like an operating system:
- Networking services (FIFO pipes, etc.) and support for many protocols (TCP, etc.)
- File subsystem (space allocation, deletion, reuse, recovery, corruption detection, etc.)
- Job schedulers
- Kernel interrupts and instrumentation
- XML storage and processing
- Shared memory and memory pools
- Interprocess communication (IPC) and threading
- Large object storage and processing
- Encryption support at the data storage and network layers (strong algorithms, SSL support)
- Multiple authentication methods (database, Kerberos, LDAP, etc.)

What is an Oracle instance?
- Composed of many subsystems
- This is the same whether you are speaking of a single-instance database, a RAC database, or an ASM database
- Based on UNIX architecture
- Software (executables, shared libraries, JAR files, etc.)
- Disk files (database files, log files, control files)
- Shared memory

RAC Architecture
- High availability solution
- Multiple computers open and access one database instance
- Transparent application failover (network layer)

ASM Architecture
- Disk volume manager for Oracle database configurations
- Commonly used in Real Application Cluster (RAC), but it can be used in a stand-alone single instance
- Implemented with a small Oracle companion database
- The ASM database instance is not used to store client data - ever!

OEM 12c
- Infrastructure to manage, monitor, provision, and baseline enterprise computing platforms
- Oracle database repository (OMR)
- Web and application servers (OMS)
- Management agent (OMA)
- Console (OMC)
- Operating system configuration
- Database - single instance, RAC, and ASM services
- Non-Oracle databases via plugins
- Sensitive data discovery and mapping (Real Application Testing - RAT)
- Really, anything you want to monitor and/or manage and/or test

(Diagram: management agents deployed to target servers - web servers, database)

Oracle networking
http://docs.oracle.com/cd/e11882_01/server.112/e16508/dist_pro.htm#cncpt006
- Database and database application are separated into a client/server architecture
- Client runs the database application: SQL*Plus, desktop programs, web applications, etc.
- Server runs the Oracle database software
- Functions for concurrent, shared data access

(Diagram: client/server architecture)

Oracle listener
- Server-side process
- Traffic manager for incoming client connection requests
- Establishes a pathway to the database instance

Connection handshake pre-11g (O5LOGON)
Essentially the same process regardless of database version.

1) Client software such as SQL*Plus starts a connection with SQL> connect system/manager
2) The server receives the request, gets the hash and generates the session key: it retrieves the hash from sys.user$, generates a random number, and encrypts the random number with the
3) The server sends the session key to the client. At this point it is possible to enumerate users in the database.
4) The client evaluates the Oracle password algorithm and generates the password hash; the password hash is used to decrypt the session key.
5) The client encrypts the clear-text password using the session key as the new key and sends the encrypted password (AUTH_PASSWORD). At this point, if we know the hash and have access to SQL*Net trace files, we can decrypt the password.
6) The server gets the password, creates the hash and checks whether login can proceed: it decrypts the session key, evaluates the password algorithm, and compares the hash with sys.user$.password or sys.user$.spare4.
7) If the hashes match, the session is started and can begin to send and receive data from the database.
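An audit check that follows from the handshake above, added here as an example and not part of the original deck: it lists the accounts that still hold the legacy 10G verifier in sys.user$.password, the hash the pre-11g exchange depends on, next to the newer verifier in sys.user$.spare4. It assumes a session with SELECT on dba_users and sys.user$ (SYS, or a DBA granted that access) on Oracle 11g or later, where dba_users.password_versions is available.

```sql
-- Added audit check (not from the deck): which accounts still hold the legacy
-- 10G password verifier that the pre-11g O5LOGON handshake relies on?
-- Assumes SELECT on dba_users and sys.user$ (Oracle 11g or later).

-- 1) Data-dictionary view: PASSWORD_VERSIONS lists the verifiers stored per account,
--    e.g. '10G 11G 12C'. Any account matching '%10G%' can still authenticate
--    through the legacy exchange described above.
SELECT username, account_status, password_versions
  FROM dba_users
 WHERE password_versions LIKE '%10G%'
 ORDER BY username;

-- 2) Base-table cross-check: the 10G verifier lives in sys.user$.password and
--    the 11g-and-later verifiers in sys.user$.spare4; type# = 1 selects users
--    rather than roles. An account with no 10G verifier has no legacy hash for
--    the pre-11g exchange to use.
SELECT name,
       CASE WHEN password IS NOT NULL THEN 'yes' ELSE 'no' END AS has_10g_verifier,
       CASE WHEN spare4   IS NOT NULL THEN 'yes' ELSE 'no' END AS has_11g_plus_verifier
  FROM sys.user$
 WHERE type# = 1
 ORDER BY name;
```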

Client/server architectures
- Dedicated server architecture: a server process is created on behalf of each client process
- Shared server architecture: a dispatcher directs incoming requests to a pool of shared server processes
- Database resident connection pooling: a connection pool of dedicated servers for typical web application scenarios

(Diagrams: dedicated server process; shared server process; database resident connection pooling)

Oracle networking
- Establishes and maintains the connection between client and database
- Based on the OSI architecture
- Stack-based architecture
- 3 basic types of connections: client/server connections, Java connections, web client connections
http://docs.oracle.com/cd/b28359_01/network.111/b28316/architecture.htm#i1048731
http://en.wikipedia.org/wiki/osi_model

Q&A