Database & Technology 2 - Francisco Munoz Alvarez - Oracle Security Tips: Some easy ways to make your DB more secure
1. ORACLE SECURITY. Francisco Munoz Alvarez, Oracle ACE Director; President CLOUG, LAOUC & NZOUG; 8/9/10g/11g OCP, RAC OCE, AS OCA, E-Business OCP, SQL/PLSQL OCA, Oracle 7 OCM; Oracle 7 & 11gR2 Beta Tester; ITIL Certified; 2010 Oracle ACE Director of the Year by Oracle Magazine. Blog: www.oraclenz.com - Email: mbatec@hotmail.com - Twitter: fcomunoz. Blog: www.oracleenespanol.com - Comunidad Oracle: www.oraclemania.ning.com. Oracle Professional Services Manager, Revera, www.revera.co.nz
2. ORACLE SECURITY TIPS. Insync 2011, Sydney, Australia. By: Francisco Munoz Alvarez
3. Mature: born here, grew up here, got married here, now living here (map). DBIS - Copyright 2010
4. The Rule: "The most important rule with respect to data is to never put yourself into an unrecoverable situation." The importance of this guideline cannot be stressed enough, but it does not mean that you can never use time-saving or performance-enhancing options.
5. Always Try It Before! When it comes to theory, NEVER believe anything you hear or read until you have tried it yourself.
6. (image-only slide)
7. Backup, Backup & Backup. Why? Because bad stuff happens...
8. Information Security Has Changed
9. Hacking Steps
10. OFFICIAL STATISTICS from Secret Service Germany
11. SOME SHORT FACTS
12. HIGH SCORE LIST
13. 2007/2008 SHOPPING LIST
14. CRISIS SHOPPING LIST 2009
15. CONCLUSION
16. Oracle Security Solutions
17. Oracle Security Solutions
18. Oracle Security Components
19. DB ENVIRONMENT
20. Securing Data at Rest / Access Control
21. WHAT IS ASO?
22. What Security Problems does ASO solve?
23. ASO BENEFITS
24. TDE - Transparent Data Encryption
25. TDE - Transparent Data Encryption
26. TDE - Transparent Data Encryption
27. SECURING DATA IN MOTION
28. NETWORK ENCRYPTION
29. SECURING BACKUP
30. SECURING BACKUP: Examples
31. DATA MASKING
32. WHAT IS DATA MASKING?
33. PREVENT MODIFICATIONS BY UNAUTHORIZED USERS
34. WHAT IS DATABASE VAULT?
35. DATABASE VAULT HELPS TO SOLVE:
36. DATABASE VAULT vs VPD and OLS
37. DATABASE VAULT Realms and Rules
38. DATABASE VAULT REPORTS
39. DATABASE VAULT EXAMPLES
40. HIGHLY SECURED ENVIRONMENTS: AUDIT VAULT
41. AUDIT VAULT EXAMPLES
42. AUDIT VAULT REPORTS: Who, What, When, Where
43. AUDIT VAULT DASHBOARD
44. AUDIT VAULT SUMMARY
45. 26 Security Tips
46. Some Oracle Security Tips. 1) Grant privileges only to a user or application that requires them to accomplish necessary work. Excessive granting of unnecessary privileges compromises security.
47. Some Oracle Security Tips. 2) No administrative functions are to be performed by an application, for example CREATE USER, DROP USER, GRANT role, GRANT object privileges, etc.
48. Some Oracle Security Tips. 3) Privileges on schema or database owner objects should be granted via a role, not explicitly to each user. Do not use the ALL option when granting object privileges; instead specify the exact privileges needed, such as SELECT, UPDATE, INSERT, DELETE.
49. Some Oracle Security Tips. 4) Password-protected roles may be implemented to let an application control access to its data: the role is not a default role, and the application enables it with SET ROLE ... IDENTIFIED BY after connecting, so end users who connect with ad-hoc tools cannot reach the application's data from outside the application. Caveat: the role password lives in the application, so it is only as secret as the application's configuration.
50. Some Oracle Security Tips. 5) Access to administrative or system user accounts (SYS, SYSTEM and the like) should be restricted to authorized DBAs.
51. Some Oracle Security Tips. 6) Do not grant system-supplied database roles (CONNECT, RESOURCE, DBA, EXP_FULL_DATABASE, ...). These roles may carry administrative privileges, and their contents change between releases (CONNECT, for instance, was cut back to CREATE SESSION only in 10gR2).
52. Some Oracle Security Tips. 7) Database catalog access should be restricted. Example: have applications read USER_VIEWS (or ALL_VIEWS) instead of DBA_VIEWS, and do not grant SELECT ANY DICTIONARY or SELECT_CATALOG_ROLE to application accounts.
53. Some Oracle Security Tips. 8) Privileges granted to PUBLIC are accessible to every user and should be granted only when necessary; review what PUBLIC holds on application objects in DBA_TAB_PRIVS.
54. Some Oracle Security Tips. 9) Any password stored by applications in the database must not be kept in clear text. Passwords the application only has to check should be stored as salted, iterated hashes rather than reversibly encrypted, so a dump of the table yields nothing usable; only credentials the application must present to another system need encryption, with the key kept outside the table.
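As an added example for tip 9 (not from the deck): a PL/SQL package that stores an application password as a random 16-byte salt followed by an iterated SHA-256 digest, and verifies a candidate against the stored value. It assumes Oracle 12c or later for DBMS_CRYPTO.HASH_SH256 (the 11g DBMS_CRYPTO only hashes with MD5 and SHA-1, which are too weak for this) and EXECUTE ON DBMS_CRYPTO granted by SYS. The package, table and column names and the iteration count are assumptions.

```sql
-- Added example (not from the deck): salted, iterated password hashing in PL/SQL.
-- Assumes 12c+ (DBMS_CRYPTO.HASH_SH256) and GRANT EXECUTE ON DBMS_CRYPTO from SYS.
-- PWD_STORE, APP_OWNER.APP_USERS and the iteration count are hypothetical.
CREATE OR REPLACE PACKAGE pwd_store AS
  -- Returns 48 bytes: 16-byte random salt || 32-byte digest.
  FUNCTION make_hash(p_password IN VARCHAR2) RETURN RAW;
  -- Returns 1 when the candidate matches the stored value, else 0
  -- (a NUMBER rather than BOOLEAN so it can be called from SQL).
  FUNCTION verify(p_password IN VARCHAR2, p_stored IN RAW) RETURN NUMBER;
END pwd_store;
/
CREATE OR REPLACE PACKAGE BODY pwd_store AS
  c_salt_len CONSTANT PLS_INTEGER := 16;
  c_rounds   CONSTANT PLS_INTEGER := 50000;  -- assumption: tune so one call costs ~100 ms

  -- H(salt || H(salt || ... H(salt || password))): the iterations make offline
  -- guessing expensive; the per-password salt defeats precomputed tables.
  FUNCTION digest(p_salt IN RAW, p_password IN VARCHAR2) RETURN RAW IS
    l_h RAW(2000) := UTL_I18N.STRING_TO_RAW(p_password, 'AL32UTF8');
  BEGIN
    FOR i IN 1 .. c_rounds LOOP
      l_h := DBMS_CRYPTO.HASH(UTL_RAW.CONCAT(p_salt, l_h), DBMS_CRYPTO.HASH_SH256);
    END LOOP;
    RETURN l_h;
  END digest;

  FUNCTION make_hash(p_password IN VARCHAR2) RETURN RAW IS
    l_salt RAW(16) := DBMS_CRYPTO.RANDOMBYTES(c_salt_len);  -- fresh salt every time
  BEGIN
    RETURN UTL_RAW.CONCAT(l_salt, digest(l_salt, p_password));
  END make_hash;

  FUNCTION verify(p_password IN VARCHAR2, p_stored IN RAW) RETURN NUMBER IS
    l_salt   RAW(16) := UTL_RAW.SUBSTR(p_stored, 1, c_salt_len);
    l_expect RAW(32) := UTL_RAW.SUBSTR(p_stored, c_salt_len + 1);
  BEGIN
    -- Recompute with the stored salt and compare; COMPARE returns 0 on equality.
    RETURN CASE WHEN UTL_RAW.COMPARE(digest(l_salt, p_password), l_expect) = 0
                THEN 1 ELSE 0 END;
  END verify;
END pwd_store;
/
-- Hypothetical table: the column holds the RAW(48), never the password itself.
CREATE TABLE app_owner.app_users (
  login    VARCHAR2(64) PRIMARY KEY,
  pwd_hash RAW(48)      NOT NULL
);
INSERT INTO app_owner.app_users (login, pwd_hash)
VALUES ('alice', pwd_store.make_hash('correct horse battery'));
COMMIT;

-- Login check: a row comes back only when the candidate matches.
SELECT login
  FROM app_owner.app_users
 WHERE login = 'alice'
   AND pwd_store.verify('correct horse battery', pwd_hash) = 1;
```

Two rows for the same password get different salts and therefore different stored values, which is the property that makes a leaked table useless for cross-account or rainbow-table attacks.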
55. Some Oracle Security Tips. 10) Applications should not DROP, CREATE or ALTER objects at run time; DDL belongs to controlled deployments performed as the schema owner (see tips 12 and 22).
56. Some Oracle Security Tips. 11) Utilize the shared database infrastructure to share cost whenever possible.
57. Some Oracle Security Tips. 12) Applications should not access the database with the same security as the owner of the database objects. For example, on SQL Server do not grant the db_owner role, and on Oracle do not use the schema user ID to connect to the database. Set up another user ID with only the privileges necessary to run the application.
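As an added example that ties tips 1, 3, 4, 6, 8, 10 and 12 together (not code from the deck): a locked schema owner that holds the objects, a separate runtime account with no quota and no DDL, a role carrying the exact object privileges, a password-protected role for the sensitive operation, and the catalog queries that check nothing excessive slipped in. APP_OWNER, APP_RUN, APP_ROLE, APP_SECURE_ROLE, the ORDERS table and all passwords are hypothetical.

```sql
-- Added example (not from the deck). All names and passwords are hypothetical.

-- Schema owner: owns the objects, used only in deployment windows (tips 10, 12, 22).
CREATE USER app_owner IDENTIFIED BY "ChangeMe_Owner1"
  DEFAULT TABLESPACE users QUOTA UNLIMITED ON users
  ACCOUNT LOCK;                                  -- unlock only for releases
GRANT CREATE SESSION, CREATE TABLE, CREATE SEQUENCE, CREATE PROCEDURE TO app_owner;

-- Runtime account: what the application connects as. No quota, so it cannot
-- own data; no DDL privileges; nothing granted directly to it (tips 1, 3, 12).
CREATE USER app_run IDENTIFIED BY "ChangeMe_Run1" DEFAULT TABLESPACE users;
GRANT CREATE SESSION TO app_run;

-- Hypothetical application table, created by the DBA in the owner's schema.
CREATE TABLE app_owner.orders (
  id          NUMBER        PRIMARY KEY,
  customer_id NUMBER        NOT NULL,
  amount      NUMBER(12,2)  NOT NULL
);

-- Exact privileges through a role: never "GRANT ALL", never a direct user grant (tip 3).
CREATE ROLE app_role;
GRANT SELECT, INSERT, UPDATE ON app_owner.orders TO app_role;
GRANT app_role TO app_run;

-- Password-protected role for the destructive operation (tip 4). It is excluded
-- from the default roles, so a plain SQL*Plus logon as APP_RUN cannot DELETE;
-- the application enables it after connecting with
--   SET ROLE app_role, app_secure_role IDENTIFIED BY "R0le#Secret";
CREATE ROLE app_secure_role IDENTIFIED BY "R0le#Secret";
GRANT DELETE ON app_owner.orders TO app_secure_role;
GRANT app_secure_role TO app_run;
ALTER USER app_run DEFAULT ROLE ALL EXCEPT app_secure_role;

-- Checks. Expected: no rows (everything reaches APP_RUN through roles).
SELECT owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'APP_RUN';

-- Expected: APP_ROLE (default YES) and APP_SECURE_ROLE (default NO), nothing else.
SELECT granted_role, default_role
  FROM dba_role_privs
 WHERE grantee = 'APP_RUN';

-- Tip 6: system-supplied roles handed to anything other than SYS/SYSTEM.
SELECT grantee, granted_role
  FROM dba_role_privs
 WHERE granted_role IN ('DBA', 'CONNECT', 'RESOURCE', 'EXP_FULL_DATABASE',
                        'IMP_FULL_DATABASE', 'SELECT_CATALOG_ROLE')
   AND grantee NOT IN ('SYS', 'SYSTEM')
 ORDER BY grantee, granted_role;

-- Tip 8: PUBLIC grants on objects that are not Oracle-supplied.
SELECT owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND owner NOT IN ('SYS', 'SYSTEM', 'XDB', 'MDSYS', 'CTXSYS', 'ORDSYS', 'WMSYS')
 ORDER BY owner, table_name;

-- Tips 1 and 26: "ANY" privileges held by the application accounts. Expected: no rows.
SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE grantee IN ('APP_OWNER', 'APP_RUN', 'APP_ROLE', 'APP_SECURE_ROLE')
   AND privilege LIKE '%ANY%';
```

Run the four check queries from a change-control script after every release; the first and last should always return no rows, and anything new in the tip 6 or tip 8 lists needs an owner and a reason.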
58. Some Oracle Security Tips. 13) Database integrity should be enforced in the database with foreign keys, not in the application code. This helps prevent code outside the application from creating orphan records and/or invalid data.
59. Some Oracle Security Tips. 14) Do not hard-code usernames and passwords in the application source code, or in scripts and command lines (anything passed as user/password on a command line is visible to every OS user through ps).
   • sqlplus /nolog @myscript
   – Create a password file (~/tools/.password, mode 0600, owned by the user that runs the scripts), one "user password" pair per line:
       fmunoz evelyn
       scott tiger
   – Create a shell script getpwd.sh that returns the password for the user named in its first argument (anchored on the user name so "scott" does not also match "scott2"):
       grep "^$1 " "$HOME/tools/.password" | cut -d ' ' -f2
   – Use the script and the password file; SQL*Plus reads the password from standard input, so it never appears in the process list:
       getpwd.sh fmunoz | sqlplus -s fmunoz @script
   • RMAN: rman target / (OS authentication for the target), then at the RMAN prompt: connect catalog user/pwd@catdb, so the catalog credentials are typed at the prompt rather than on the command line.
   Caveat: a file-based store still holds the password in clear text on disk and relies entirely on file permissions. The Secure External Password Store (an Oracle wallet created with mkstore, referenced from sqlnet.ora through WALLET_LOCATION and SQLNET.WALLET_OVERRIDE = TRUE, and used as sqlplus /@tns_alias) gives the same convenience without a readable password file.
60. Some Oracle Security Tips. 15) Protect your Listener (Cont.): with no listener password and no admin restrictions, any host that can reach the listener port can run these commands from its own lsnrctl. The first three enumerate the services; stop takes the database off the network; the last two redirect the listener log into the redo log directory so that the listener writes over the files there:
   – LSNRCTL> set current_listener <ip_address>
   – LSNRCTL> set rawmode on
   – LSNRCTL> services
   – LSNRCTL> stop
   – LSNRCTL> set startup_waittime 20
   – LSNRCTL> set log_file redo01a
   – LSNRCTL> set log_directory '/u01/app/oracle/redo'
61. Some Oracle Security Tips. 15) Protect your Listener:
   – Disable online modifications: in listener.ora set ADMIN_RESTRICTIONS_<listener_name> = ON (a listener.ora parameter, not an lsnrctl command). The listener then refuses every SET command, so a change requires editing the file and lsnrctl reload.
   – LSNRCTL> change_password
   – LSNRCTL> save_config
   Note: listeners from 10g onward default to LOCAL_OS_AUTHENTICATION_<listener_name> = ON, which already rejects administration from anything but the local OS user that started the listener; the password and admin restrictions matter on older releases and as defence in depth.
62. Some Oracle Security Tips. 16) Ensure external users have the least privilege possible.
63. Some Oracle Security Tips. 17) Have a clear and well-documented backup and recovery strategy.
64. Some Oracle Security Tips. 18) Implement a strong password policy (user profile) and force all users to change their passwords on a schedule.
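As an added example for tip 18 (not from the deck): two profiles, one for people and one for the application's runtime account, plus the query that shows which accounts still run on DEFAULT. The profile, user and tablespace names are hypothetical, and FMUNOZ and APP_RUN are assumed to exist already. The verify function comes from Oracle's own script $ORACLE_HOME/rdbms/admin/utlpwdmg.sql, which creates VERIFY_FUNCTION_11G on 11g (ORA12C_VERIFY_FUNCTION on 12c) and must be run as SYS first.

```sql
-- Added example (not from the deck). Profile and account names are hypothetical;
-- run utlpwdmg.sql as SYS beforehand so VERIFY_FUNCTION_11G exists.

-- Profile for individual (human) accounts.
CREATE PROFILE human_users LIMIT
  FAILED_LOGIN_ATTEMPTS    5            -- lock after five bad passwords ...
  PASSWORD_LOCK_TIME       1/24         -- ... for one hour (the unit is days)
  PASSWORD_LIFE_TIME       90           -- forced change every 90 days
  PASSWORD_GRACE_TIME      7            -- a week of warnings before expiry
  PASSWORD_REUSE_TIME      365          -- no reuse within a year ...
  PASSWORD_REUSE_MAX       10           -- ... nor among the last ten passwords
  PASSWORD_VERIFY_FUNCTION verify_function_11g  -- length/complexity/difference checks
  IDLE_TIME                30;          -- minutes; needs RESOURCE_LIMIT = TRUE

-- Profile for the application's runtime account. A low lockout threshold here is a
-- denial of service anyone who can reach the listener can trigger, so the threshold is
-- high and the lock short: it still rate-limits guessing without taking the app down.
CREATE PROFILE app_service LIMIT
  FAILED_LOGIN_ATTEMPTS    50
  PASSWORD_LOCK_TIME       1/1440       -- one minute
  PASSWORD_LIFE_TIME       180          -- rotated by the deployment process, not by people
  PASSWORD_GRACE_TIME      10
  PASSWORD_VERIFY_FUNCTION verify_function_11g;

ALTER USER fmunoz  PROFILE human_users;   -- personal DBA account (tip 23)
ALTER USER app_run PROFILE app_service;   -- runtime account (tip 12)
ALTER USER fmunoz  PASSWORD EXPIRE;       -- next logon must set a policy-checked password

-- Review: which open accounts sit on which profile, and what each password limit
-- resolves to. Anything still on DEFAULT with limit UNLIMITED is the finding.
SELECT u.username, u.profile, u.account_status, p.resource_name, p.limit
  FROM dba_users    u
  JOIN dba_profiles p ON p.profile = u.profile
 WHERE p.resource_type = 'PASSWORD'
   AND u.account_status NOT LIKE '%LOCKED%'
 ORDER BY u.username, p.resource_name;
```

PASSWORD_LIFE_TIME is what turns "change passwords constantly" into something the database enforces; the verify function is what stops the forced change from being "Password1" followed by "Password2".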
65. Some Oracle Security Tips. 19) All important passwords need to be kept in a safe (a password vault), and the stored copy replaced whenever the password changes.
66. Some Oracle Security Tips. 20) Install only what is really required.
67. Some Oracle Security Tips. 21) Implement auditing; sooner or later you will be asked who changed that. And implement a purge strategy, or the audit trail grows in SYS.AUD$ until it fills the SYSTEM tablespace.
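As an added example for tip 21 (not from the deck): traditional 11gR2 auditing that records logons, use of the dangerous system privileges and changes to an application table, the query that answers "who changed that", and a DBMS_AUDIT_MGMT purge that keeps 90 days online. The table, tablespace and job names are hypothetical. Standard auditing records who, what and when (and with AUDIT_TRAIL = DB, EXTENDED, the statement text), not the old and new column values; those need triggers or a history table. On 12c the same purge package handles Unified Auditing through AUDIT_TRAIL_UNIFIED.

```sql
-- Added example (not from the deck). APP_OWNER.ORDERS, the AUDIT_TBS tablespace
-- and the job names are hypothetical. Run as SYSDBA on 11gR2.

-- 1. Audit trail in the database, with SQL text and binds captured. Needs a restart.
ALTER SYSTEM SET audit_trail = DB, EXTENDED SCOPE = SPFILE;

-- 2. What to audit: every logon, the privileges that change users and grants,
--    and modifications to the application's data (one record per statement).
AUDIT SESSION;
AUDIT CREATE USER, ALTER USER, DROP USER,
      GRANT ANY PRIVILEGE, GRANT ANY ROLE,
      ALTER ANY TABLE, DROP ANY TABLE;
AUDIT ALTER, GRANT, UPDATE, DELETE ON app_owner.orders BY ACCESS;
AUDIT SELECT ON app_owner.orders BY ACCESS WHENEVER NOT SUCCESSFUL;  -- probing

-- 3. "Who changed that?" Newest first; OS user and host come along for free.
SELECT a.timestamp, a.username, a.os_username, a.userhost,
       a.action_name, a.owner || '.' || a.obj_name AS object_name,
       a.returncode, a.sql_text
  FROM dba_audit_trail a
 WHERE a.owner = 'APP_OWNER'
   AND a.obj_name = 'ORDERS'
   AND a.action_name IN ('UPDATE', 'DELETE', 'ALTER TABLE', 'GRANT OBJECT')
 ORDER BY a.timestamp DESC;

-- 4. Purge strategy: move AUD$ out of SYSTEM, then a daily job that deletes
--    records older than the archive timestamp.
BEGIN
  DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_LOCATION(
    audit_trail_type           => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
    audit_trail_location_value => 'AUDIT_TBS');          -- hypothetical tablespace

  IF NOT DBMS_AUDIT_MGMT.IS_CLEANUP_INITIALIZED(DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD) THEN
    DBMS_AUDIT_MGMT.INIT_CLEANUP(
      audit_trail_type         => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
      default_cleanup_interval => 24);                    -- hours
  END IF;

  -- Only records older than this timestamp are ever purged.
  DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(
    audit_trail_type  => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
    last_archive_time => SYSTIMESTAMP - INTERVAL '90' DAY);

  DBMS_AUDIT_MGMT.CREATE_PURGE_JOB(
    audit_trail_type           => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
    audit_trail_purge_interval => 24,                     -- hours
    audit_trail_purge_name     => 'PURGE_AUD_STD_90D',
    use_last_arch_timestamp    => TRUE);
END;
/

-- 5. The gotcha: the archive timestamp does not move by itself. Without this job the
--    purge keeps running but stops deleting once everything before the fixed date is gone.
BEGIN
  DBMS_SCHEDULER.CREATE_JOB(
    job_name        => 'ADVANCE_AUDIT_ARCHIVE_TS',
    job_type        => 'PLSQL_BLOCK',
    job_action      => 'BEGIN DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(' ||
                       'DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD, ' ||
                       'SYSTIMESTAMP - INTERVAL ''90'' DAY); END;',
    start_date      => SYSTIMESTAMP,
    repeat_interval => 'FREQ=DAILY;BYHOUR=1',
    enabled         => TRUE);
END;
/
```

If records must be retained longer than they stay in AUD$, export them (to Audit Vault or a warehouse) before the archive timestamp passes them; the purge job deletes, it does not archive.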
68. Some Oracle Security Tips. 22) Create promotion procedures (DEV -> TEST -> PROD), and lock down your production and test environments. Don't forget to implement and document a change register.
69. Some Oracle Security Tips. 23) Implement an indirect login policy
   – Each user has their own OS login account
   – Connections to the oracle software owner account (OS) only through sudo (for example sudo -u oracle -i), with no direct password or SSH key logon for oracle
   – This leaves an audit trail of who did what in the sudo/auth logs, instead of anonymous "oracle" sessions
70. Some Oracle Security Tips. 24) Prevent password-less SYSDBA connections
   – sqlplus / as sysdba works for any OS user in the dba group because OS authentication is enabled
   • In the server's sqlnet.ora set SQLNET.AUTHENTICATION_SERVICES = (NONE); OS authentication is then refused and a SYSDBA connection needs the password file (sqlplus sys as sysdba, with REMOTE_LOGIN_PASSWORDFILE = EXCLUSIVE)
   Caveat: anyone who owns the oracle OS account can edit sqlnet.ora back, so this blocks casual and scripted use of SYSDBA, not a compromised software owner. Pair it with tip 23 and with AUDIT_SYS_OPERATIONS = TRUE so that whatever SYS does is written to the OS audit trail.
71. Some Oracle Security Tips. 25) Avoid risky connections (external procedures)
   – listener.ora:
     (ADDRESS_LIST = (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC)))
   Remove these lines, or move them to a different listener. The EXTPROC endpoint lets the listener spawn the extproc agent, which loads whatever shared library a user with CREATE LIBRARY points it at, running with the oracle OS account's privileges. If external procedures are really needed, serve them from a dedicated listener under a low-privilege OS account and restrict the loadable libraries with ENVS = "EXTPROC_DLLS=ONLY:<path>".
72. Some Oracle Security Tips. 26) Enable Data Dictionary Protection. Oracle recommends that customers implement data dictionary protection to prevent users who hold the "ANY" system privileges (SELECT ANY TABLE, UPDATE ANY TABLE, ...) from reading or modifying the Oracle data dictionary: set the O7_DICTIONARY_ACCESSIBILITY initialization parameter (letter O, not zero) to FALSE, which has been the default since 9i, and confirm the value in V$PARAMETER. With it FALSE, SYS-owned objects are reachable only through SYSDBA or explicit grants.
73. PROGRAM. The Oracle ACE Program is designed to recognize and reward members of the Oracle Technology and Applications communities for their contributions to those communities. These individuals are technically proficient (when applicable) and willingly share their knowledge and experiences. The program comprises two levels: Oracle ACE and Oracle ACE Director. The former designation is Oracle's way of saying "thank you" to community contributors for their efforts; we (and the community) appreciate their enthusiasm. The latter designation is for community enthusiasts who not only share their knowledge (usually in extraordinary ways), but also want to increase their community advocacy and work more proactively with Oracle to find opportunities for the same. In this sense, Oracle ACE is "backward looking" and Oracle ACE Director is "forward looking."
74. PROGRAM (image-only slide)
75. PROGRAM (image-only slide)
76. PROGRAM (image-only slide)
77. Questions?
78. Thank you!