Databse & Technology 2 _ Francisco Munoz Alvarez _ Oracle Security Tips - Some easyways to make your DB more secure.pdf

Presentation Transcript

    • ORACLE SECURITY. Francisco Munoz Alvarez. Oracle ACE Director; President CLOUG, LAOUC & NZOUG; 8/9/10g/11g OCP, RAC OCE, AS OCA, E-Business OCP, SQL/PLSQL OCA, Oracle 7 OCM; Oracle 7 & 11GR2 Beta Tester; ITIL Certified; 2010 Oracle Ace Director of the year by Oracle Magazine. Blog: www.oraclenz.com - Email: mbatec@hotmail.com - Twitter: fcomunoz. Blog: www.oracleenespanol.com - Comunidad Oracle: www.oraclemania.ning.com. Oracle Professional Services Manager, Revera, www.revera.co.nz
    • ORACLE SECURITY TIPS. Insync 2011, Sydney, Australia. By: Francisco Munoz Alvarez
    • [Map slide: Born here / Grew up here / Got married here / Now living here] DBIS - Copyright 2010
    • The Rule: "The most important rule with respect to data is to never put yourself into an unrecoverable situation." The importance of this guideline cannot be stressed enough, but it does not mean that you can never use time saving or performance enhancing options.
    • Always Try it Before! When it comes to theory, "NEVER" believe anything you hear or read until you have tried it yourself.
    • Backup, Backup & Backup. Why? Because bad stuff happens…
    • Information Security Has Changed
    • Hacking Steps
    • OFFICIAL STATISTICS from Secret Service Germany
    • SOME SHORT FACTS
    • HIGH SCORE LIST
    • 2007/2008 SHOPPING LIST
    • CRISIS SHOPPING LIST 2009
    • CONCLUSION
    • Oracle Security Solutions
    • Oracle Security Solutions
    • Oracle Security Components
    • DB ENVIRONMENT
    • Security Data at Rest / Access Control
    • WHAT IS ASO?
    • What Security Problems does ASO solve?
    • ASO BENEFITS
    • TDE - Transparent Data Encryption
    • TDE - Transparent Data Encryption
    • TDE - Transparent Data Encryption
    • SECURING DATA IN MOTION
    • NETWORK ENCRYPTION
    • SECURING BACKUP
    • SECURING BACKUP Examples
    • DATAMASKING
    • WHAT IS DATAMASKING?
    • PREVENT MODIFICATIONS BY UNAUTHORIZED USERS
    • WHAT IS DATA VAULT?
    • DATA VAULT HELPS TO SOLVE:
    • DATA VAULT vs VPD and OLS
    • DATABASE VAULT Realms and Rules
    • DATA VAULT REPORTS
    • DATA VAULT EXAMPLES
    • HIGHLY SECURED ENVIRONMENTS: AUDIT VAULT
    • AUDIT VAULT EXAMPLES
    • AUDIT VAULT REPORTS: Who, What, When, Where
    • AUDIT VAULT DASHBOARD
    • AUDIT VAULT SUMMARY
    • 26 Security Tips
    • Some Oracle Security Tips 1) Grant privileges only to a user or application which requires the privilege to accomplish necessary work. Excessive granting of unnecessary privileges can compromise security.
    • Some Oracle Security Tips 2) No administrative functions are to be performed by an application. For example: create user, delete user, grant role, grant object privileges, etc.
    • Some Oracle Security Tips 3) Privileges for schema or database owner objects should be granted via a role and not explicitly. Do not use the "ALL" option when granting object privileges; instead specify the exact privilege needed, such as select, update, insert, delete.
    • Some Oracle Security Tips 4) Password protected roles may be implemented to allow an application to control access to its data. Thereby, end users may not access the application's data from outside the application.
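Tip 4 in practice, as an added example that is not part of the presentation: a password-protected role in Oracle SQL. The role name hr_app_role, the account app_user, the table hr.employees and the role password are placeholders chosen for this example.

```sql
-- Added example (not from the slides): a password-protected application role.
-- hr_app_role, app_user, hr.employees and the password are placeholders.

-- 1. Create the role with a password and give it only the privileges the
--    application needs (tip 3: name the exact privileges, never ALL).
CREATE ROLE hr_app_role IDENTIFIED BY "ChangeMe_AppRolePwd1";
GRANT SELECT, INSERT, UPDATE ON hr.employees TO hr_app_role;

-- 2. Grant the role to the application account, but make sure it is NOT a
--    default role: it must be switched on explicitly with the password.
GRANT hr_app_role TO app_user;
ALTER USER app_user DEFAULT ROLE ALL EXCEPT hr_app_role;

-- 3. The application enables the role right after connecting. Someone who
--    connects as app_user from SQL*Plus without knowing the role password
--    has a session with no access to hr.employees.
SET ROLE hr_app_role IDENTIFIED BY "ChangeMe_AppRolePwd1";

-- Check which roles are enabled in the current session:
SELECT role FROM session_roles;

-- Check that the role is not enabled automatically at logon for app_user:
SELECT granted_role, default_role
  FROM dba_role_privs
 WHERE grantee = 'APP_USER';
```

The role password lives only in the application's configuration (see tip 14 on not hard-coding credentials), so a user who extracts the app_user database password from a client machine still cannot reach the data with a generic tool.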
    • Some Oracle Security Tips 5) Access to Administrative or System user accounts should be restricted to authorized DBAs.
    • Some Oracle Security Tips 6) Do not grant system supplied database roles. These roles may have administrative privileges and the role privileges may change with new releases of the database.
    • Some Oracle Security Tips 7) Database catalog access should be restricted. Example: Use "USER_VIEWS" instead of "DBA_VIEWS" for an Oracle database.
    • Some Oracle Security Tips 8) Privileges granted to PUBLIC are accessible to every user and should be granted only when necessary.
    • Some Oracle Security Tips 9) Any password stored by applications in the database should be encrypted.
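For tip 9, an added example that is not part of the presentation: application-managed passwords should not be recoverable at all, so instead of reversible encryption the example stores a per-user random salt and a one-way hash, and compares hashes at login. The table and routine names are placeholders; it assumes DBMS_CRYPTO.HASH_SH256 (Oracle 12c or later) and EXECUTE on DBMS_CRYPTO.

```sql
-- Added example (not from the slides): salted one-way hashing of passwords
-- that an application keeps in its own tables. app_credentials,
-- hash_password, add_app_user and check_app_password are placeholder names.
-- Assumes DBMS_CRYPTO.HASH_SH256 (12c+); 11g only offers HASH_SH1.

CREATE TABLE app_credentials (
  username   VARCHAR2(30) PRIMARY KEY,
  salt       RAW(16)      NOT NULL,
  pwd_hash   RAW(32)      NOT NULL    -- SHA-256 digest of salt || password
);

-- Digest of salt || password; the salt makes identical passwords hash
-- differently for different users and defeats precomputed tables.
CREATE OR REPLACE FUNCTION hash_password(p_salt RAW, p_password VARCHAR2)
  RETURN RAW
IS
BEGIN
  RETURN DBMS_CRYPTO.HASH(
           UTL_RAW.CONCAT(p_salt, UTL_RAW.CAST_TO_RAW(p_password)),
           DBMS_CRYPTO.HASH_SH256);
END;
/

-- Register an application user with a fresh 128-bit random salt.
CREATE OR REPLACE PROCEDURE add_app_user(p_username VARCHAR2, p_password VARCHAR2)
IS
  v_salt RAW(16) := DBMS_CRYPTO.RANDOMBYTES(16);
BEGIN
  INSERT INTO app_credentials (username, salt, pwd_hash)
  VALUES (p_username, v_salt, hash_password(v_salt, p_password));
END;
/

-- Verify a login attempt: 1 on match, 0 otherwise. An unknown user and a
-- wrong password both return 0, so the caller cannot enumerate accounts.
CREATE OR REPLACE FUNCTION check_app_password(p_username VARCHAR2, p_password VARCHAR2)
  RETURN NUMBER
IS
  v_salt RAW(16);
  v_hash RAW(32);
BEGIN
  SELECT salt, pwd_hash INTO v_salt, v_hash
    FROM app_credentials
   WHERE username = p_username;
  -- UTL_RAW.COMPARE returns 0 when the two RAW values are identical.
  RETURN CASE
           WHEN UTL_RAW.COMPARE(v_hash, hash_password(v_salt, p_password)) = 0
           THEN 1 ELSE 0
         END;
EXCEPTION
  WHEN NO_DATA_FOUND THEN
    RETURN 0;
END;
/
```

A salted single SHA-256 is the floor, not the ceiling: where the client can do the work, a deliberately slow scheme such as PBKDF2 or bcrypt is preferable, because it makes offline guessing against a leaked app_credentials table far more expensive. Whatever the scheme, grant EXECUTE on check_app_password to the application account and keep direct SELECT on the table away from it.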
    • Some Oracle Security Tips 10) Applications should not "DROP", "CREATE" or "ALTER" objects within the application.
    • Some Oracle Security Tips 11) Utilize the shared database infrastructure to share cost whenever possible.
    • Some Oracle Security Tips 12) Applications should not access the database with the same security as the owner of the database objects. For example, on SQL Server do not grant the "dbowner" role and on Oracle do not use the Schema userid to connect to the database. Set up another userid with the necessary privileges to run the application.
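Tips 1, 3, 8 and 12 together, as an added example that is not part of the presentation: a dedicated application account that is not the schema owner, object privileges named one by one and granted through a role, and two review queries that surface grants to PUBLIC and direct "ANY" privileges. The schema hr, the role hr_app_dml_role, the account app_user and the objects named are placeholders.

```sql
-- Added example (not from the slides): least-privilege setup for an
-- application, plus queries to review existing grants. hr, hr_app_dml_role,
-- app_user and the hr.* objects are placeholder names.

-- Tip 12: the application never connects as the schema owner HR. It gets
-- its own account with no quota (it owns nothing) and one system privilege.
CREATE USER app_user IDENTIFIED BY "ChangeMe_AppUserPwd1"
  DEFAULT TABLESPACE users QUOTA 0 ON users;
GRANT CREATE SESSION TO app_user;

-- Tips 1 and 3: object privileges go to a role, spelled out individually.
-- Never:  GRANT ALL ON hr.employees TO app_user;
CREATE ROLE hr_app_dml_role;
GRANT SELECT, INSERT, UPDATE ON hr.employees   TO hr_app_dml_role;
GRANT SELECT                 ON hr.departments TO hr_app_dml_role;  -- lookup only
GRANT EXECUTE                ON hr.pay_employee TO hr_app_dml_role; -- one procedure
GRANT hr_app_dml_role TO app_user;

-- Tip 8: what has been granted to PUBLIC? Every account can use these.
-- Oracle-supplied grants from SYS/SYSTEM are expected; anything else needs
-- a justification.
SELECT owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND owner NOT IN ('SYS', 'SYSTEM')
 ORDER BY owner, table_name, privilege;

-- Tip 1: which accounts (not roles) hold "ANY" or account-management
-- system privileges directly? Each row is a candidate for revocation or
-- for moving behind a role held only by the DBAs.
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE (privilege LIKE '%ANY%'
        OR privilege IN ('CREATE USER', 'ALTER USER', 'DROP USER'))
   AND grantee NOT IN (SELECT role FROM dba_roles)
   AND grantee NOT IN ('SYS', 'SYSTEM')
 ORDER BY grantee, privilege;
```

Run the two review queries on a schedule and diff the output against the last accepted baseline; a new row is either an approved change or a finding.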
    • Some Oracle Security Tips 13) Database integrity should be enforced on the database using foreign keys, not in the application code. This helps prevent code outside the application from creating orphan records and/or invalid data.
    • Some Oracle Security Tips 14) Do not hard code usernames and passwords in the application source code.
      • sqlplus /nolog @myscript
        – Create a password file (.password), readable only by its owner, with one "user password" pair per line:
            fmunoz evelyn
            scott tiger
        – Create a shell script getpwd.sh that prints the password for the user given as its argument:
            #!/bin/sh
            grep "^$1 " "$HOME/tools/.password" | cut -d " " -f2
        – Use the script and the password file; the password reaches SQL*Plus on standard input and never appears on the command line or in the process list:
            getpwd.sh fmunoz | sqlplus -s fmunoz @script
      • RMAN: connect to the target first, then give the catalog credentials at the RMAN prompt rather than on the command line:
            rman target /
            connect catalog user/pwd@catdb
    • Some Oracle Security Tips 15) Protect your Listener:
      – Disable online modifications
        • listener.ora: ADMIN_RESTRICTIONS_<listener_name>=ON
        • LSNRCTL> change_password
        • LSNRCTL> save_config
    • Some Oracle Security Tips 15) Protect your Listener (Cont.): examples of what a listener that is not protected as above will accept from any client that can reach it:
      – LSNRCTL> set current_listener <ip_address>
      – LSNRCTL> set rawmode on
      – LSNRCTL> services
      – LSNRCTL> stop
      – LSNRCTL> set startup_waittime 20
      – LSNRCTL> set logfile redo01a
      – LSNRCTL> set log_directory '/u01/app/oracle/redo'
    • Some Oracle Security Tips 16) Ensure external users have the least privilege possible.
    • Some Oracle Security Tips 17) Have a clear and well documented Backup and Recovery Strategy.
    • Some Oracle Security Tips 18) Implement a strong password policy (user profile) and force all users to change their passwords regularly.
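Tip 18 as an added example that is not part of the presentation: a password policy enforced through an Oracle profile. The profile name, the account and the numeric limits are placeholders to adapt to your own policy; the verify function VERIFY_FUNCTION_11G is the one created by running $ORACLE_HOME/rdbms/admin/utlpwdmg.sql as SYS on 11g, and it is an assumption here that the script has been run.

```sql
-- Added example (not from the slides): password policy via a profile.
-- app_users_profile, app_user and the limits are placeholders. Assumes
-- verify_function_11g exists (created by utlpwdmg.sql on 11g).
CREATE PROFILE app_users_profile LIMIT
  FAILED_LOGIN_ATTEMPTS     5                   -- lock after 5 consecutive failures
  PASSWORD_LOCK_TIME        1/24                -- stay locked for one hour (days)
  PASSWORD_LIFE_TIME        90                  -- force a change every 90 days
  PASSWORD_GRACE_TIME       7                   -- warn for 7 days before expiry
  PASSWORD_REUSE_TIME       365                 -- no reuse within a year, and
  PASSWORD_REUSE_MAX        10                  -- not before 10 other passwords
  PASSWORD_VERIFY_FUNCTION  verify_function_11g; -- length/complexity checks

-- Assign the profile and expire the current password so the new rules
-- apply at the user's next login.
ALTER USER app_user PROFILE app_users_profile;
ALTER USER app_user PASSWORD EXPIRE;

-- Review: open accounts still on the DEFAULT profile (which ships with
-- unlimited password settings in many releases) are policy gaps.
SELECT username, profile, account_status, expiry_date
  FROM dba_users
 WHERE profile = 'DEFAULT'
   AND account_status = 'OPEN'
 ORDER BY username;

-- Confirm the password limits actually in force for the new profile.
SELECT resource_name, limit
  FROM dba_profiles
 WHERE profile = 'APP_USERS_PROFILE'
   AND resource_type = 'PASSWORD'
 ORDER BY resource_name;
```

Both PASSWORD_REUSE_TIME and PASSWORD_REUSE_MAX must be set to a value for reuse prevention to take effect; leaving either UNLIMITED disables the check.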
    • Some Oracle Security Tips 19) All important passwords need to be saved in a safe and replaced when changed.
    • Some Oracle Security Tips 20) Install only what's really required.
    • Some Oracle Security Tips 21) Implement Audit; sooner or later you will be asked to tell who changed that. Please, implement a purge strategy.
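Tip 21 as an added example that is not part of the presentation: turn on traditional (pre-Unified) auditing for the events you will later be asked about, a query that answers "who changed that?", and a purge strategy built on DBMS_AUDIT_MGMT. It assumes Oracle 11gR2 with AUDIT_TRAIL=DB,EXTENDED; the 90-day retention, the job name and hr.employees are placeholders.

```sql
-- Added example (not from the slides): auditing plus a purge strategy.
-- Assumes 11gR2 traditional auditing and DBMS_AUDIT_MGMT. The retention
-- (90 days), the job name and hr.employees are placeholders.

-- 1. Keep audit records in the database, with SQL text and bind values.
--    Takes effect at the next instance restart.
ALTER SYSTEM SET audit_trail = DB, EXTENDED SCOPE = SPFILE;

-- 2. Audit what matters: logons, account and privilege changes, instance
--    changes, and changes to a sensitive table.
AUDIT SESSION;
AUDIT CREATE USER, ALTER USER, DROP USER;
AUDIT GRANT ANY PRIVILEGE, GRANT ANY ROLE, GRANT ANY OBJECT PRIVILEGE;
AUDIT ROLE;
AUDIT ALTER SYSTEM;
AUDIT ALTER, DELETE, INSERT, UPDATE ON hr.employees BY ACCESS;

-- 3. "Who changed that?" after the fact: one row per audited action.
SELECT username, os_username, userhost, action_name, obj_name,
       extended_timestamp, returncode
  FROM dba_audit_trail
 WHERE owner = 'HR'
   AND obj_name = 'EMPLOYEES'
 ORDER BY extended_timestamp DESC;

-- 4. Purge strategy: initialise cleanup once (this also moves AUD$ out of
--    the SYSTEM tablespace), mark everything older than 90 days as archived,
--    and let a daily job delete only what is marked.
BEGIN
  DBMS_AUDIT_MGMT.INIT_CLEANUP(
    audit_trail_type         => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
    default_cleanup_interval => 24);                        -- hours

  DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(
    audit_trail_type  => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
    last_archive_time => SYSTIMESTAMP - INTERVAL '90' DAY);

  DBMS_AUDIT_MGMT.CREATE_PURGE_JOB(
    audit_trail_type           => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
    audit_trail_purge_interval => 24,                       -- hours
    audit_trail_purge_name     => 'AUD_STD_DAILY_PURGE',
    use_last_arch_timestamp    => TRUE);                    -- purge archived rows only
END;
/
```

The archive timestamp does not advance by itself: schedule a job that copies records older than the retention window to your log store and then calls SET_LAST_ARCHIVE_TIMESTAMP again, otherwise the purge job has nothing new to delete and the trail keeps growing.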
    • Some Oracle Security Tips 22) Create promotion procedures (DEV->TEST->PROD), lock your production environment and test environment. Don't forget to implement and document a change register.
    • Some Oracle Security Tips 23) Implement an Indirect Login Policy
      – Each user has their own login account
      – Allow connections to the oracle account (OS) only through sudo
      – This leaves an audit trail of actions
    • Some Oracle Security Tips 24) Prevent SYSDBA connection
      – sqlplus / as sysdba (OS-authenticated, no password asked)
        • Change SQLNET.ORA: SQLNET.AUTHENTICATION_SERVICES=(NONE)
    • Some Oracle Security Tips 25) Avoid Risk Connections (Ext. Procedures)
      – listener.ora:
            (ADDRESS_LIST =
              (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC))
            )
        Remove these lines, or move them to a different listener.
    • Some Oracle Security Tips 26) Enable Data Dictionary Protection. Oracle recommends that customers implement data dictionary protection to prevent users who have the "ANY" system privileges from modifying or harming the Oracle data dictionary. Set the O7_DICTIONARY_ACCESSIBILITY parameter to FALSE.
    • PROGRAM: The Oracle ACE Program is designed to recognize and reward members of the Oracle Technology and Applications communities for their contributions to those communities. These individuals are technically proficient (when applicable) and willingly share their knowledge and experiences. The program comprises two levels: Oracle ACE and Oracle ACE Director. The former designation is Oracle's way of saying "thank you" to community contributors for their efforts; we (and the community) appreciate their enthusiasm. The latter designation is for community enthusiasts who not only share their knowledge (usually in extraordinary ways), but also want to increase their community advocacy and work more proactively with Oracle to find opportunities for the same. In this sense, Oracle ACE is "backward looking" and Oracle ACE Director is "forward looking."
    • Questions?
    • Thank you!