Oracle Security Presentation

Some tips and ideas to secure your Oracle Database


  1. ORACLE SECURITY
     Francisco Munoz Alvarez, Oracle ACE Director
     President CLOUG, LAOUC & NZOUG; IOUC LA Spokesperson
     8/9/10g/11g OCP, RAC OCE, AS OCA, E-Business OCP, SQL/PLSQL OCA, Oracle 7 OCM
     Oracle 7, 11gR2 & OVM 3.1 Beta Tester; ITIL Certified
     2010 Oracle ACE Director of the Year by Oracle Magazine
     Blog: http://oraclenz.wordpress.com - Email: mbatec@hotmail.com - Twitter: fcomunoz
     Oracle Professional Services Manager, Revera, www.revera.co.nz
  2. ORACLE SECURITY TIPS, APAC OTN Tour 2012. By: Francisco Munoz Alvarez
  3. (Map slide: Born here / Grew up here / Got married here / Matured here / Now living here. DBIS - Copyright 2010)
  4. The Rule: “The most important rule with respect to data is to never put yourself into an unrecoverable situation.” The importance of this guideline cannot be stressed enough, but it does not mean that you can never use time-saving or performance-enhancing options.
  5. Always Try it Before! When it comes to theory, “NEVER” believe anything you hear or read until you have tried it yourself.
  7. Backup, Backup & Backup. Why? Because bad stuff happens…
  8. Information Security Has Changed
  9. Hacking Steps
  10. OFFICIAL STATISTICS from Secret Service Germany
  11. SOME SHORT FACTS
  12. HIGH SCORE LIST
  13. 2007/2008 SHOPPING LIST
  14. CRISIS SHOPPING LIST 2009
  15. CONCLUSION
  16. Oracle Security Solutions
  17. Oracle Security Solutions (cont.)
  18. Oracle Security Components
  19. DB ENVIRONMENT
  20. Securing Data at Rest / Access Control
  21. WHAT IS ASO?
  22. What Security Problems does ASO solve?
  23. ASO BENEFITS
  24. TDE – Transparent Data Encryption
  25. TDE – Transparent Data Encryption (cont.)
  26. TDE – Transparent Data Encryption (cont.)
  27. SECURING DATA IN MOTION
  28. NETWORK ENCRYPTION
  29. SECURING BACKUP
  30. SECURING BACKUP Examples
  31. DATA MASKING
  32. WHAT IS DATA MASKING?
  33. PREVENT MODIFICATIONS BY UNAUTHORIZED USERS
  34. WHAT IS DATABASE VAULT?
  35. DATABASE VAULT HELPS TO SOLVE:
  36. DATABASE VAULT vs VPD and OLS
  37. DATABASE VAULT Realms and Rules
  38. DATABASE VAULT REPORTS
  39. DATABASE VAULT EXAMPLES
  40. HIGHLY SECURED ENVIRONMENTS: AUDIT VAULT
  41. AUDIT VAULT EXAMPLES
  42. AUDIT VAULT REPORTS: Who, What, When, Where
  43. AUDIT VAULT DASHBOARD
  44. AUDIT VAULT SUMMARY
  45. 27 Security Tips
  46. Some Oracle Security Tips 1) Grant privileges only to a user or application that requires the privilege to accomplish necessary work. Granting unnecessary privileges compromises security.
  47. Some Oracle Security Tips 2) No administrative functions are to be performed by an application, for example create user, drop user, grant role, grant object privileges.
  48. Some Oracle Security Tips 3) Privileges on schema or database owner objects should be granted via a role and not explicitly. Do not use the “ALL” option when granting object privileges; specify the exact privilege needed, such as SELECT, UPDATE, INSERT or DELETE.
  49. Some Oracle Security Tips 4) Password-protected roles may be implemented to allow an application to control access to its data: the application enables the role with SET ROLE ... IDENTIFIED BY, so end users cannot reach the application’s data from outside the application.
  50. Some Oracle Security Tips 5) Access to administrative or system user accounts (SYS, SYSTEM and the like) should be restricted to authorized DBAs.
  51. Some Oracle Security Tips 6) Do not grant system-supplied database roles (CONNECT, RESOURCE, DBA, ...) to application users. These roles may carry administrative privileges, and the privileges they contain change between database releases.
  52. Some Oracle Security Tips 7) Database catalog access should be restricted. Example: use “USER_VIEWS” (or the ALL_* views) instead of “DBA_VIEWS” on an Oracle database.
  53. Some Oracle Security Tips 8) Privileges granted to PUBLIC are accessible to every user and should be granted only when necessary.
  54. Some Oracle Security Tips 9) Any password stored by an application in the database must never be kept in clear text: store a salted hash where the application only needs to verify the password, and use reversible encryption only for credentials the application has to present to another system.
  55. Some Oracle Security Tips 10) Applications should not “DROP”, “CREATE” or “ALTER” objects at run time.
  56. Some Oracle Security Tips 11) Utilize the shared database infrastructure to share cost whenever possible.
  57. Some Oracle Security Tips 12) Applications should not access the database with the same security as the owner of the database objects. For example, on SQL Server do not grant the “db_owner” role, and on Oracle do not use the schema userid to connect to the database. Set up another userid with only the privileges needed to run the application.
  58. Some Oracle Security Tips 13) Database integrity should be enforced in the database using foreign keys, not in the application code. This helps prevent code outside the application from creating orphan records and/or invalid data.
  59. Some Oracle Security Tips 14) Do not hard-code usernames and passwords in the application source code.
      - Start SQL*Plus without credentials on the command line (where ps and shell history would expose them):
          sqlplus /nolog @myscript
      - Create a password file (.password), one “user password” pair per line, readable only by its owner (chmod 600):
          fmunoz evelyn
          scott tiger
      - Create a shell script getpwd.sh that looks the password up:
          fgrep $1 $HOME/tools/.password | cut -d “ “ -f2
      - Use the script and the password file; SQL*Plus reads the password from standard input:
          getpwd.sh fmunoz | sqlplus -s fmunoz @script
      - RMAN: connect to the target with OS authentication and give the catalog credentials inside the session rather than on the command line:
          rman target /
          RMAN> connect catalog user/pwd@catdb
      The password file is only as safe as its permissions and the account that owns it. On 10gR2 and later the Secure External Password Store (an Oracle wallet holding the credentials, used with sqlplus /@tns_alias) removes the clear-text file entirely.
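The lookup script in tip 14 works, but fgrep matches substrings and nothing stops the file from being world-readable. The following is an added example, not code from the presentation: a hardened getpwd that refuses a password file that is not a mode-600/400 regular file owned by the caller, matches the user name as a whole field, and fails loudly when the user is absent instead of piping an empty line to sqlplus. The path $HOME/tools/.password is the slide's; the sample users and passwords are constructed.

```shell
#!/bin/sh
# Added example (not from the presentation): a hardened version of the getpwd.sh idea from tip 14.
# Differences from the slide's one-liner: the password file must be a regular file owned by the
# caller with mode 600 or 400, the user name is matched as a whole field (fgrep would also match
# "fmunoz" inside "fmunoz2"), and the lookup fails with a message instead of printing nothing.
# $HOME/tools/.password is the path used on the slide; users and passwords below are constructed.

# getpwd PWFILE USER: print USER's password from PWFILE ("user password" per line), or fail.
getpwd() {
    pwfile="$1"; user="$2"
    if [ ! -f "$pwfile" ]; then
        echo "getpwd: $pwfile is missing or not a regular file" >&2; return 1
    fi
    if [ ! -O "$pwfile" ]; then
        echo "getpwd: $pwfile is not owned by $(id -un)" >&2; return 1
    fi
    # GNU stat first, BSD/macOS stat as the fallback; both print the octal permission bits.
    mode=$(stat -c '%a' "$pwfile" 2>/dev/null || stat -f '%Lp' "$pwfile")
    case "$mode" in
        600|400) ;;
        *) echo "getpwd: $pwfile has mode $mode; chmod 600 it first" >&2; return 1 ;;
    esac
    # Whole-field match on column 1, first hit wins.
    pw=$(awk -v u="$user" '$1 == u { print $2; exit }' "$pwfile")
    if [ -z "$pw" ]; then
        echo "getpwd: no entry for $user in $pwfile" >&2; return 1
    fi
    printf '%s\n' "$pw"
}

# Usage, as on the slide but with the checks in front of the pipe:
#   getpwd "$HOME/tools/.password" fmunoz | sqlplus -s fmunoz @script
```

Because the function returns non-zero on any problem, a calling script that runs under set -e stops before sqlplus is even started, rather than hanging at a password prompt.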
  60. Some Oracle Security Tips 15) Protect your Listener. A listener with no password and no admin restrictions accepts these commands from any remote lsnrctl session that points at it:
          LSNRCTL> SET CURRENT_LISTENER <ip_address>
          LSNRCTL> SET RAWMODE ON
          LSNRCTL> SERVICES
          LSNRCTL> STOP
          LSNRCTL> SET STARTUP_WAITTIME 20
          LSNRCTL> SET LOG_FILE redo01a
          LSNRCTL> SET LOG_DIRECTORY ‘/u01/app/oracle/redo’
      SERVICES enumerates the registered instances, STOP is a denial of service, and redirecting the log file into the redo area makes the listener write into files owned by the oracle OS user.
  61. Some Oracle Security Tips 15) Protect your Listener (cont.):
      - Disable online modifications. This is a listener.ora parameter, not an lsnrctl command:
          ADMIN_RESTRICTIONS_<listener_name> = ON
      - Set a password (needed on 9i and earlier; from 10g on, the listener is protected by local OS authentication by default):
          LSNRCTL> CHANGE_PASSWORD
          LSNRCTL> SAVE_CONFIG
      - Disable OS authentication, in listener.ora:
          LOCAL_OS_AUTHENTICATION_<listener_name> = OFF
        Caveat: OFF makes the listener fall back to password authentication, so set it only together with a password. On 10g and later, leaving the default of ON (only the OS user that owns the listener can administer it) is the stronger setting.
  62. Some Oracle Security Tips 16) Ensure external users have the least privilege possible.
  63. Some Oracle Security Tips 17) Have a clear and well-documented backup and recovery strategy.
  64. Some Oracle Security Tips 18) Implement a strong password policy through a user profile (failed-login limit, password lifetime, a password verification function) and force all users to change their passwords regularly.
  65. Some Oracle Security Tips 19) All important passwords need to be kept in a password safe and updated there whenever they are changed.
  66. Some Oracle Security Tips 20) Install only what is really required.
  67. Some Oracle Security Tips 21) Implement auditing; sooner or later you will be asked who changed that. Implement a purge strategy as well, so the audit trail does not grow unbounded.
  68. Some Oracle Security Tips 22) Create promotion procedures (DEV -> TEST -> PROD), and lock down your production and test environments. Do not forget to implement and document a change register.
  69. Some Oracle Security Tips 23) Implement an indirect login policy:
      - Each user has their own login account.
      - Allow connections to the oracle OS account only through sudo.
      - This leaves an audit trail of who became oracle and when:
          $ sudo -u oracle sqlplus / as sysdba
      By default sudo logs only the command, not what the session does afterwards; for the SQL itself rely on database auditing (tip 21).
  70. Some Oracle Security Tips 24) Prevent OS-authenticated SYSDBA connections (sqlplus / as sysdba) by setting, in sqlnet.ora:
          SQLNET.AUTHENTICATION_SERVICES = (NONE)
      This removes only OS authentication: SYSDBA connections that present the password-file password (connect sys/... as sysdba) still work, and local scripts, cron jobs and RMAN sessions that relied on “/ as sysdba” will fail, so test it before rolling it out.
  71. Some Oracle Security Tips 25) Avoid risky connections (external procedures). In listener.ora:
          (ADDRESS_LIST = (ADDRESS = (PROTOCOL = IPC) (KEY = EXTPROC))
      Remove these lines, or move them to a separate listener that runs as a less privileged OS user. An external procedure lets a database user who can create a library run native code as the OS user the listener runs as.
  72. Some Oracle Security Tips 26) Enable data dictionary protection. Oracle recommends that customers implement data dictionary protection to prevent users who hold “ANY” system privileges (SELECT ANY TABLE, DROP ANY TABLE, ...) from reading, modifying or harming the Oracle data dictionary. Set the O7_DICTIONARY_ACCESSIBILITY parameter (letter O, not zero) to FALSE. FALSE has been the default since Oracle9i, so the check is that nobody has set it back to TRUE.
  73. Some Oracle Security Tips 27) Create your own metadata repository. Use Data Pump for this:
          $ expdp user/password content=metadata_only full=y directory=datapump dumpfile=metadata_24112010.dmp
          $ impdp user/password directory=datapump dumpfile=metadata_24112010.dmp sqlfile=metadata_24112010.sql
      The second command writes the DDL to a SQL file without importing anything. As in tip 14, do not put user/password on the command line where ps and shell history expose it; put the credentials in a parfile readable only by the oracle user, or use an Oracle wallet.
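Tips 15 and 25 both come down to what is in listener.ora, and on a host with several Oracle homes it is easy to harden one listener and miss another. The following is an added example, not from the presentation: a POSIX shell function that parses a listener.ora, finds every listener definition in it, and reports those without ADMIN_RESTRICTIONS_<name> = ON, those with LOCAL_OS_AUTHENTICATION_<name> = OFF but no PASSWORDS_<name> entry, and those that still expose an EXTPROC endpoint over IPC. The listener names, host names and the two sample files are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the presentation): audit a listener.ora for the settings tip 15 asks for
# (ADMIN_RESTRICTIONS_<name> = ON; LOCAL_OS_AUTHENTICATION_<name> = OFF only together with a
# password) and for the EXTPROC endpoint tip 25 says to remove. Listener names, hosts and the
# sample files below are constructed for the example.

# audit_listener_ora FILE: one finding per line on stdout; exit 0 when clean, 1 when findings exist.
audit_listener_ora() {
    awk '
        { u = toupper($0) }
        # A key at column 0 opens a top-level parameter; single-line values (ON/OFF, hashes) are kept.
        u ~ /^[A-Z_][A-Z0-9_.]*[ \t]*=/ {
            eq  = index(u, "=")
            cur = substr(u, 1, eq - 1); gsub(/[ \t]/, "", cur)
            v   = substr(u, eq + 1);    gsub(/[ \t]/, "", v)
            param[cur] = v
        }
        # An ADDRESS inside the current block marks that parameter as a listener definition.
        u ~ /\(PROTOCOL[ \t]*=[ \t]*(TCP|TCPS|IPC)\)/ && cur != "" { listener[cur] = 1 }
        # Tip 25: IPC endpoint keyed EXTPROC* (the stock layout keeps PROTOCOL and KEY on one line).
        u ~ /\(PROTOCOL[ \t]*=[ \t]*IPC\)/ && u ~ /KEY[ \t]*=[ \t]*EXTPROC/ && cur != "" { extproc[cur] = 1 }
        END {
            rc = 0
            for (l in listener) {
                if (param["ADMIN_RESTRICTIONS_" l] != "ON") {
                    print l ": ADMIN_RESTRICTIONS_" l " is not ON (runtime SET commands accepted)"; rc = 1 }
                if (param["LOCAL_OS_AUTHENTICATION_" l] == "OFF" && !(("PASSWORDS_" l) in param)) {
                    print l ": LOCAL_OS_AUTHENTICATION_" l " is OFF but no PASSWORDS_" l " is set"; rc = 1 }
                if (l in extproc) {
                    print l ": serves EXTPROC over IPC (remove it or move it to a separate listener)"; rc = 1 }
            }
            exit rc
        }' "$1"
}

# write_sample_listener_ora FILE default|hardened: constructed sample files (not from any real host).
# "default" is the stock layout with an EXTPROC endpoint and no restrictions; "hardened" applies
# tips 15 and 25 to it.
write_sample_listener_ora() {
    if [ "$2" = hardened ]; then
        extproc=''
        restr='ADMIN_RESTRICTIONS_LISTENER = ON'
        osauth='# LOCAL_OS_AUTHENTICATION_LISTENER_ADMIN left at its default of ON'
    else
        extproc='      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))'
        restr='# (no ADMIN_RESTRICTIONS_LISTENER)'
        osauth='LOCAL_OS_AUTHENTICATION_LISTENER_ADMIN = OFF'
    fi
    cat > "$1" <<EOF
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = db01.example.internal)(PORT = 1521))
$extproc
    )
  )
$restr

SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (SID_NAME = PLSExtProc)
      (ORACLE_HOME = /u01/app/oracle/product/11.2.0/dbhome_1)
      (PROGRAM = extproc)
    )
  )

LISTENER_ADMIN =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = 127.0.0.1)(PORT = 1526))
  )
ADMIN_RESTRICTIONS_LISTENER_ADMIN = ON
$osauth
EOF
}

# Usage: audit_listener_ora "$ORACLE_HOME/network/admin/listener.ora"   (repeat for every home)
```

A non-zero exit means findings, so the function drops straight into a cron job or a configuration check. It recognises the stock layout in which PROTOCOL and KEY share a line; a hand-edited file that splits them will not be flagged for EXTPROC, and the SID_LIST entry that backs the extproc service is deliberately not counted as a listener.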
  74. PROGRAM. The Oracle ACE Program is designed to recognize and reward members of the Oracle Technology and Applications communities for their contributions to those communities. These individuals are technically proficient (when applicable) and willingly share their knowledge and experiences. The program comprises two levels: Oracle ACE and Oracle ACE Director. The former designation is Oracle's way of saying "thank you" to community contributors for their efforts; we (and the community) appreciate their enthusiasm. The latter designation is for community enthusiasts who not only share their knowledge (usually in extraordinary ways), but also want to increase their community advocacy and work more proactively with Oracle to find opportunities for the same. In this sense, Oracle ACE is "backward looking" and Oracle ACE Director is "forward looking."
  78. Questions?
  79. Thank you!
