Scribd Logo
Upload

Welcome to Scribd!

  • Oracle Security

    Uploaded by

    Utkarsh Sethi
    101 views26 pages
    Oracle database security.from the application perspective. By martin nystrom. Oracle network architecture authentication and credentials can be. OS authentication Userid / password x.509 certificates Smart card Etc.

    Original Description:

    Copyright

    © Attribution Non-Commercial (BY-NC)

    Available Formats

    PPT, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    Oracle database security.from the application perspective. By martin nystrom. Oracle network architecture authentication and credentials can be. OS authentication Userid / password x.509 certificates Smart card Etc.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PPT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    101 views26 pages

    Oracle Security

    Uploaded by

    Utkarsh Sethi
    Oracle database security.from the application perspective. By martin nystrom. Oracle network architecture authentication and credentials can be. OS authentication Userid / password x.509 certificates Smart card Etc.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PPT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 26

    Oracle Database

    Security
    …from the application perspective

    Martin Nystrom
    September 2003
    Purpose
     In scope: application security of Oracle
    databases

     Out of scope: system security of Oracle


    databases
    Agenda
     Oracle architecture
     System architecture
     Network architecture
     Common Oracle objects
     Schema/object security
     Java security
     Application integration techniques
     Current challenges at Cisco
    Grossly oversimplified Oracle
    network architecture
    Client host ONS server
    Oracle ONS query Oracle
    client 1526 Names
    software service

    SQL*Net (Net8)

    1521
    Database server TNS
    (ADDRESS=(PROTOCOL=TCP) Listener
    (HOST=db.company.com)
    (PORT=1521))

    Database

    Oracle architecture
    Oracle networking example

    fields-sj-1 ons-sj
    Oracle ONS query Oracle
    client 1526 Names
    software service

    1521
    cmrsdb TNS
    (ADDRESS=(PROTOCOL=TCP) Listener
    (HOST=cmrsdb.cisco.com)
    (PORT=1521))

    cmrs

    Oracle architecture
    Simplified Oracle
    Network Architecture w/OCM
    Host #1
    Oracle
    client OCM Server
    Allowed
    software 1521
    TNS
    Listener Host #1
    Host #2

    Host #2 rejected
    Oracle
    client rejected 1521
    software Database server TNS
    Listener

    Host #3
    Database
    Oracle
    client
    software
    Oracle architecture
    SQL*Net
     Introduced in Oracle V5
     Renamed “Net8” in Oracle8
     Supports multiple protocols (TCP/IP,
    DECnet, SPX/IPX, etc.)

    Oracle architecture
    Authentication & credentials
     Can be…
     OS authentication
     Userid/password
     X.509 certificates
     Smart card
     Etc.
     Stored in Oracle
     As MD5 hash
     …not so for dblinks or FND_USERS

    Oracle architecture
    Authentication & credentials (cont.)
     Transport encryption
     DES encryption of db-selected random number
    w/user’s password hash
     OS-integrated authentication available too
     Password changes travel unencrypted
     Password management features available
     Aging & expiration
     History (e.g., can prohibit reuse of last 3 passwords)
     Composition & complexity (e.g., require letters +
    numbers)
     Account lockout
    Common Oracle objects
    Database instance

    schema stored
    schema
    procedure
    view

    function
    table
    table
    trigger

    index

    Public area
    synonym
    Oracle object security
    grant select on
    EMPLOYEES to ASOK;

    orders candidates
    customers
    employees

    asok’s schema alice’s schema

    all_users

    Public objects
    Oracle role-based security
    hr_steward grant all privileges
    on EMPLOYEES to role
    HR_STEWARD;

    grant HR_STEWARD to
    CATBERT;
    DBA

    candidates

    employees

    hrdata schema
    Database links
    Create database link EMPLINK
    connect to DOGBERT identified
    by CISCO123 using HR_DB;

    ECOMMERCE_DB HR_DB

    orders
    employees

    EMPLINK

    dogbert’s schema dogbert’s schema


    Java security in Oracle
    • System classes loaded by default, accessible & shared by all sessions

    com.cisco.ipc.* com.cisco.myapp.calc

    wally session dilbert session

    java.* oracle.aurora.* oracle.jdbc.*

    Java server classes (common, read-only)


    Java security in Oracle
     System classes loaded in shared area
     Users can load classes
     Into their own schema/session
     Can grant execution rights to other users
     Permissions
     Stored in Oracle objects, not files
     Stored in PolicyTable table
     Granted by DBA or JAVA_ADMIN roles
    • “call dbms_java.grant_permission(
    “mnystrom”,
    “java.util.SocketPermission”,
    “localhost:1024-”,
    “connect”)
     2 privilege models
     Invoker’s rights
     Definer’s rights (setuid)
    Invoker’s rights

    com.cisco.myapp.calc
    com.cisco.ipc.*

    salary salary

    dogbert’s schema alice’s schema


    Definer’s rights

    com.cisco.myapp.calc
    com.cisco.ipc.*

    salary salary

    dogbert’s schema alice’s schema


    Access beyond the database
     Languages: PL/SQL or Java
     Techniques: Stored procs or functions
     Examples
     Execute, read, write local files
     Make and receive network calls (HTTP, MMX, etc.)
     Access data in remote databases
     Send mail

    Database server

    Database

    /oracle/apps/
    Auditing
     Obviously impacts database performance
     Writes high-level info to a common table
     Database user
     Object (table, role, etc.)
     Action (select, insert, etc.)
     Date/time
     Currently enabled on-request to DBA team
     Difficult to trace actions to a live human
     Can correlate with IP address
    Common integration techniques
     Shared database schemas
     Separate schemas/dbs
     Grant direct access to each other’s schemas
     Grant only stored proc access
    Typical modern application

    application

    orders customers

    application schema
    Shared schemas

    Application Application
    #1 #2

    insert
    update
    select
    select delete
    insert
    select
    update
    grant
    orders
    customers

    application #2’s schema


    Shared objects

    Application Application
    #1 #2

    insert
    update
    select delete
    select
    insert select
    update grant

    orders
    customers

    Application #1’s schema Application #2’s schema


    Shared, protected objects

    Application Application
    #1 #2

    insert
    update
    select delete
    execute
    insert select
    update grant

    orders
    stored customers
    procedure

    Application #1’s schema Application #2’s schema


    Application-level integration
    •Shared libraries
    Application •MMX Application
    #1 •Web services #2
    •IIOP

    insert
    update
    select delete
    insert select
    update grant

    orders
    customers

    Application #1’s schema Application #2’s schema


    Current problems in industry
     Account management
     Passwords never changed
     Accounts/passwords widely known
    • All developers
    • cgi-bin trees
    • CVS source repositories
     Privileges too broad
     No data stewardship
     No segregation/special protection for sensitive
    data

    You might also like