High Performance Security and Virtualization for Oracle Database and Cloud-Enabled Applications

  1. REMINDER: Check in on the COLLABORATE mobile app.
     High Performance Security and Virtualization for Oracle Database and Cloud-Enabled Applications
     Prepared by: Glenn Brunette, Ramesh Nagappan, Oracle Corporation

  2. Program Agenda
     ■  SPARC SuperCluster Security Overview
     ■  Secure Database Consolidation Strategies
     ■  Secure Multi-Tier Deployment Architectures
     ■  Summary and Q&A

  3. Engineered Systems Security Strategy
     (Diagram: security at each layer, security between layers, and security between systems.)

  4. SuperCluster Security Focus Areas
     Compute, Storage, Network, Database

  5. SuperCluster Security Focus Areas
     Secure Isolation, Access Control, Data Protection, and Monitoring and Auditing, applied across Compute, Storage, Network and Database.

  6. SuperCluster Security Capabilities (table: rows are the four focus areas, columns are Compute / Storage / Network / Database)
     Secure Isolation
       Compute: Physical; Hypervisor-Mediated; Kernel-Mediated
       Storage: Physical; ASM Instances; ZFS Data Sets
       Network: Physical (Ethernet); Ethernet VLANs; InfiniBand Partitions
       Database: Pluggable DBs; Instances, Schema; Labels
     Access Control
       Compute: RBAC; LDOM Administration; Zone Administration
       Storage: ZFS Administration; ASM Security; NFS Security
       Network: IP Filter, Switch ACLs; Audit Vault and Database Firewall
       Database: Roles and Privileges; Database Vault; Mandatory Realms
     Data Protection
       Compute: Immutable Zones; Read-Only Mounts; Extended Policies
       Storage: ZFS Encryption; LOFI Encryption; TDE
       Network: SSH; SSL / TLS; IPsec / IKE
       Database: Virtual Private DB; Data Redaction; Data Masking
     Monitoring and Auditing
       Compute: Solaris Auditing; Reliable Syslog; BART
       Storage: ZFS Storage Appliance Auditing; Exadata Storage Auditing
       Network: IP Filter (Logging); Switch Logs
       Database: Database Auditing; Audit Vault and Database Firewall

  7. Compute Perspective (diagram of isolation options)
     ■  Physical Isolation: Database Domain 1 on SPARC T5-8 Server 1 and a separate Database Domain 1 on SPARC T5-8 Server 2
     ■  Zones Isolation: Domain 1 on one SPARC T5-8 server with Zones A, B, C and D, each holding its own database
     ■  POSIX Isolation: several databases sharing Domain 1 on one SPARC T5-8 server
     ■  Hypervisor Isolation: Domain 1 and Domain 2, each with its own database, separated by the hypervisor on one SPARC T5-8 server
     ■  Electrical Isolation: Domain 1 and Domain 2, each with its own database, on a SPARC M6-32 server
     Focus areas: Secure Isolation, Access Control, Data Protection, Monitoring and Auditing.

  8. Oracle Solaris 11 Layered Capabilities
     ■  Pluggable Authentication
     ■  Role-based Access Control
     ■  Fine-Grained Privileges
     ■  Extended File Access Controls
     ■  Application Sandboxing
     ■  Hardware-Assisted Cryptography
     ■  Network Security Controls
     ■  Dynamic Resource Controls
     ■  Auditing and Monitoring
     Focus areas: Secure Isolation, Access Control, Data Protection, Monitoring and Auditing.

  9. Database Perspective (diagram of isolation options, each in Domain 1 on a SPARC T5-8 server)
     ■  Instance Isolation: several database instances in one domain
     ■  Schema Isolation: one database holding several schemas
     ■  Label Isolation: one database and schema, with data separated by labels
     ■  Container Isolation: a Container Database hosting several Pluggable Databases
     Focus areas: Secure Isolation, Access Control, Data Protection, Monitoring and Auditing.

  10. Network Perspective (diagram)
     ■  Layer 2 VNIC and VLAN Isolation: on a SPARC T5-8 server, Zone A (Database A-1) uses IPMP group A-1 over VLANs A-1-0 and A-1-1 on VLAN A; Zone B (Database B-1) uses IPMP group B-1 over VNICs B-1-0 and B-1-1 on net0 and net1 (Network B); Client A-1 and Client B-1 reach them over the Client Access Network
     ■  Adding Cryptographic Isolation: Zone C (Database C-1) on VLAN C, with IPsec / SSL between Client C-1 and the database

  11. Storage Perspective (diagram)
     ■  ASM Disk Groups A-1 and A-2 on Oracle Exadata Storage Servers, reached over InfiniBand partition 0xFFFF using RDSv3
     ■  ZFS Data Sets C-1 and D-1 on the Sun ZFS Storage Appliance, reached over InfiniBand partition 0x8503 using NFS / IPoIB
     ■  Oracle VM Server for SPARC: Database Domain with Oracle Solaris 11 Zone A running Oracle Database 11g Release 2 instances A-1 and A-2; Application Domain with Zone C (instance C-1) and Zone D (instance D-1)

  12. Cryptographic Perspective (diagram)
     ■  Database Domain, Zone A, Oracle Database A-1, using SPARC T5 hardware-assisted cryptography through the Oracle Solaris Cryptographic Framework
     ■  Oracle PKCS#11 Wallet (Oracle Solaris PKCS#11 Softtoken) holding SSL Certificate A-1 and TDE Master Key A-1
     ■  Client A-1 connects over the Client Access Network with SSL
     ■  ASM Disk Group A-1 on Oracle Exadata Storage Servers (Intel AES-NI hardware-assisted cryptography) holding encrypted tablespaces, reached over an InfiniBand network partition using RDSv3
     ■  ZFS Data Sets A-1 on the Sun ZFS Storage Appliance holding encrypted backups and export files, reached over NFSv4

  13. Database Consolidation Example (diagram)
     ■  SPARC T5-8 Server: Database Domain with Zone A (Databases A-1 and A-2); Application Domain with Zone C (Database C-1) and Zone D (Database D-1); each database owns its tablespaces
     ■  Database Domain to Oracle Exadata Storage Servers (ASM Disk Groups) over an InfiniBand network partition using RDSv3
     ■  Application Domain to the Sun ZFS Storage Appliance (ZFS Data Sets) over a separate InfiniBand network partition using NFS
     ■  Client Access Network and Management Network

  14. Multi-Tier Application Security (matrix)
     Secure Isolation, Access Control, Data Protection, and Monitoring and Auditing applied to the Presentation, Service Logic and Data tiers across Compute, Storage and Network.

  15. Multi-Tier Network Isolation – InfiniBand Partitioning Strategy (diagram)
     ■  SPARC T5-8 Server: Application Domain with Zone A (Web Server) and Zone B (Application Server); Database Domain with Zone C (Database Server)
     ■  Client A reaches the web server over the Client Access Network (VLAN A, HTTPS)
     ■  Separate InfiniBand partitions for Web to App, App to DB, ZFS Storage (Web), ZFS Storage (App) and Exadata Storage; partition keys shown: 0x0503, 0x8503, 0x0513, 0x8513, 0x0751, 0x8751, 0x8761, and 0xFFFF for Exadata Storage (RDSv3)
     ■  Oracle Exadata Storage Servers and Sun ZFS Storage Appliance

  16. Multi-Tier Network Isolation – End to End Deployment Scenario (diagram)
     ■  Clients A and B reach the Application Domain over the Client Access Network (VLAN A and VLAN B, HTTPS) through Zone C (Load Balancing Proxy) to Zone A (Application A) and Zone B (Application B)
     ■  InfiniBand Network Partitions between the application tier and the Database Domain (Zone A Database A, Zone B Database B): IPoIB/TCP (0x0751, 0x8751) and SDP (0x0752, 0x8752)
     ■  IPoIB for NFSv4, iSCSI: Application B Share (0x8503), Application A Share (0x8513), Database A Share (0x8523), Database B Share (0x8533)
     ■  RDSv3: Database A ASM DG (0xFFFF), Database B ASM DG (0xFFFF)
  17. Encrypted and Immutable Zones
     ■  Read-Only Non-Global Zone
       ▪  Protects the system binaries from malicious or accidental tampering
       ▪  MWAC Policy (Strict or Fixed)
       ▪  Can be augmented with additional read-only ZFS data sets to protect specific applications, data sets, etc.
     ■  Encrypted Non-Global Zone Root
       ▪  ZFS encryption implemented on iSCSI LUNs from ZFS Storage Appliance
       ▪  Leverages FIPS 140-2 validated cryptography
       ▪  Secure key storage using Solaris Softtoken Keystore or Oracle Key Manager
     Table "Solaris 11 Immutable Zone Options": columns None, Flexible, Fixed and Strict; rows "/, /usr", "/lib, …", "/etc", "/var" and "other", each marked Read Only or Writeable (an asterisk marks limited writeability). Strict leaves every path read-only, None leaves every path writeable, and Flexible and Fixed allow limited writes to configuration and /var paths.
  18. Multi-tier Deployment Scenario – Immutable and Encrypted Zones and InfiniBand Partitions (diagram)
     ■  SPARC T5-8 Server, Application Domain: a Zone Cluster of two Oracle Traffic Director instances on encrypted per-zone ZFS data sets, reached from the Client Access Network (VLAN A, HTTPS)
     ■  SPARC T4-4 Server, Solaris 11 Domain: Immutable Solaris Zones app01 and app02 hosting the WebLogic Server Cluster (app-cluster) with WLS 12c instances as-app01-01 (TCP/8001), as-app01-02 (TCP/8002), as-app02-01 (TCP/8001) and as-app02-02 (TCP/8002)
     ■  Encrypted ZFS Data Set mounted in each zone read-only as /apps; Encrypted Per-Zone ZFS Data Sets mounted read-write as /data and as the zone root; ZFS keys stored in a PKCS#11 token
     ■  InfiniBand partitions: Database Access Network (RDSv3, 0xFFFF), WebLogic Access Network (IPoIB), Coherence Access Network (IPoIB); port memberships marked Limited or Full; zone interfaces net0, net0:1, net0:2, net1, net1:1, net1:2
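Slides 15, 16 and 18 rely on InfiniBand partition keys that come in pairs such as 0x0751 / 0x8751 and on ports being Limited or Full members. The following added example (not code from the presentation or from Oracle) checks which ports can reach each other under the P_Key rules: the low 15 bits of a 16-bit P_Key are the partition number, bit 15 marks full (1) or limited (0) membership, and two ports talk only if they share a partition number and at least one is a full member. The port table and its names are constructed for illustration, modelled on the web / app / db / storage tiers in the slides.

```python
"""InfiniBand P_Key membership and reachability check (added example)."""
from itertools import combinations
from typing import Dict, Iterable, List, Tuple

FULL_MEMBER_BIT = 0x8000  # bit 15 of the P_Key: 1 = full member, 0 = limited member
BASE_MASK = 0x7FFF        # low 15 bits: the partition number


def parse_pkey(pkey: int) -> Tuple[int, bool]:
    """Split a 16-bit P_Key into (partition number, is_full_member)."""
    if not 0 <= pkey <= 0xFFFF:
        raise ValueError(f"P_Key out of 16-bit range: {pkey:#x}")
    base = pkey & BASE_MASK
    if base == 0:
        # 0x0000 and 0x8000 carry no partition number and are invalid P_Keys
        raise ValueError(f"invalid P_Key (partition number 0): {pkey:#x}")
    return base, bool(pkey & FULL_MEMBER_BIT)


def shared_partitions(pkeys_a: Iterable[int], pkeys_b: Iterable[int]) -> List[int]:
    """Partition numbers over which two ports can exchange packets.

    Rule: same partition number, and not both sides limited members.
    """
    result = set()
    for a in pkeys_a:
        base_a, full_a = parse_pkey(a)
        for b in pkeys_b:
            base_b, full_b = parse_pkey(b)
            if base_a == base_b and (full_a or full_b):
                result.add(base_a)
    return sorted(result)


# Constructed port table (hypothetical values, modelled on the slides' tiers):
# both web servers are limited members of the web-to-app partition, the app
# server is its full member and a limited member of the app-to-db partition,
# and the database is the full member there plus a member of the default
# partition 0xFFFF shared with storage.
PORTS: Dict[str, List[int]] = {
    "web-a":   [0x0751],
    "web-b":   [0x0751],
    "app":     [0x8751, 0x0503],
    "db":      [0x8503, 0xFFFF],
    "storage": [0xFFFF],
}


def reachability(ports: Dict[str, List[int]] = PORTS) -> Dict[Tuple[str, str], List[int]]:
    """Unordered pairs of ports that can communicate, with the partitions they share."""
    reach: Dict[Tuple[str, str], List[int]] = {}
    for (name_a, keys_a), (name_b, keys_b) in combinations(ports.items(), 2):
        shared = shared_partitions(keys_a, keys_b)
        if shared:
            reach[(name_a, name_b)] = shared
    return reach


if __name__ == "__main__":
    for (a, b), parts in reachability().items():
        print(f"{a:8} <-> {b:8} via " + ", ".join(f"{p:#06x}" for p in parts))
```

Running it shows the intended isolation: each web server reaches the app server, the app server reaches the database, and the database reaches storage, while the two web servers (both limited members of the same partition) cannot reach each other and no web server can reach the database or storage at all.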
  19. Cryptographic Isolation: Multi-Tier Scenario (diagram)
     ■  Application Domain: Zone A (Oracle Traffic Director, TLS from the Client Access Network) and Zone B (Oracle WebLogic), both using the Oracle Solaris Cryptographic Framework with SPARC T5 hardware-assisted cryptography; TLS between the tiers
     ■  Database Domain: Zone C Oracle Database (SSL and TDE) with an Oracle PKCS#11 Wallet (Oracle Solaris PKCS#11 Softtoken) holding the SSL Certificate and the TDE Master Key
     ■  InfiniBand Network Partition #1 between the application and database tiers; Partition #2 (RDSv3) to ASM Disk Groups on Oracle Exadata Storage Servers (Intel AES-NI hardware-assisted cryptography) holding ENCRYPTED tablespaces; Partition #3 (iSCSI, NFS) to ENCRYPTED ZFS volumes / data sets on the Sun ZFS Storage Appliance holding binaries, configurations and backups

  20. Security Performance on SuperCluster T5-8 – Multi-Tier Application Security: SSL/TLS, TDE and Encrypted ZFS
     Configuration:
     •  RSA-2048 (Key Alg)
     •  AES-256 (Bulk Alg)
     •  SHA256withRSA (Signature Alg)
     •  TLS_RSA_WITH_AES_256_CBC_SHA (SSL Cipher Suite)
     •  Immutable Zones on Encrypted ZFS Data Sets (AES 128)
     •  Oracle Fusion Middleware
     •  WebLogic 12cR1
     •  300 Users
     •  Two-way SSL
     •  JDK 7u17
     •  Oracle 11gR2 TDE
     •  Solaris 11.1 (SuperCluster T5-8)
     Results (operations/sec on SPARC T5-8):
     •  No SSL: 9195
     •  3rd Party JCE (Software SSL) and TDE: 4296
     •  Oracle Ucrypto SSL and TDE (SPARC T5): 8478
     •  SPARC T5 – SSL, TDE, Encrypted ZFS on Solaris Zone: 8404

  21. SuperCluster Security Summary
     Complete
     •  Layered, Defense in Depth From Applications to Disk
     •  Lifecycle Data Protection - In Use, In Transit and At Rest
     Integrated
     •  Hardware-Assisted Security for Encryption and Isolation
     •  Comprehensive Activity Monitoring and Key Management
     Flexible
     •  Enables Single and Multiple Tier and Tenant Architectures
     •  Satisfies Various Quality of Service and Security Levels
     Trusted
     •  Protecting Mission Critical Environments Around the Globe
     •  Designed, Pre-Integrated, and Tested to Work Best Together

  22. Additional Resources
     ■  Oracle SuperCluster T5-8 Platform Security Principles and Capabilities
       ▪  http://www.oracle.com/technetwork/server-storage/sun-sparc-enterprise/documentation/o13-052-osc-t5-8-security-1989641.pdf
     ■  Secure Database Consolidation using the Oracle SuperCluster T5-8 Platform
       ▪  http://www.oracle.com/technetwork/server-storage/sun-sparc-enterprise/documentation/o13-053-securedb-osc-t5-8-1990064.pdf
     ■  High Performance Security for Oracle WebLogic and Fusion Middleware Applications
       ▪  http://www.oracle.com/technetwork/articles/systems-hardware-architecture/security-weblogic-t-series-168447.pdf

  23. Questions?