Uploaded byxKinAnx
208 views

Presentation deploying oracle database 11g securely on oracle solaris

The document discusses the secure deployment of Oracle Database 11g on Oracle Solaris, focusing on the importance of operating systems in enhancing security. Key features include reduced attack surface, separation of duty, least privilege, strong isolation, and comprehensive monitoring. Various methods and examples are provided to illustrate how Oracle Solaris provides a robust framework for cybersecurity through architectural principles and practices.

Embed presentation

1Copyright © 2010 Oracle Corporation
<Insert Picture Here> Deploying Oracle Database 11g Securely on Oracle Solaris Glenn Brunette Senior Director, Enterprise Security Solutions
3Copyright © 2010 Oracle Corporation The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
4Copyright © 2010 Oracle Corporation Agenda • Introduction – Why Focus on Operating Systems? – How Can Oracle Solaris Help? • Deploying On A Strong Foundation – Reduced Attack Surface – Separation of Duty and Least Privilege – Strong Isolation and Resource Control – Comprehensive Monitoring • Embracing a Defense in Depth Architecture – Hardware, Operating System and Database Security
5Copyright © 2010 Oracle Corporation Why Focus on the Operating System? • Burglars Don’t Always Use the Front Door – Similar goals can be achieved using different methods
6Copyright © 2010 Oracle Corporation Why Focus on the Operating System? • Burglars Don’t Always Use the Front Door – Similar goals can be achieved using different methods • Attacks Don’t Always Originate in the Database – Operating system access provides unique opportunities
7Copyright © 2010 Oracle Corporation Why Focus on the Operating System? • Burglars Don’t Always Use the Front Door – Similar goals can be achieved using different methods • Attacks Don’t Always Originate in the Database – Operating system access provides unique opportunities • Security Must Be Systemically Applied – A chain is only as strong as its weakest link
8Copyright © 2010 Oracle Corporation How Can Oracle Solaris Help? • Reduced Attack Surface – Package Minimization – (Network) Secure by Default • Separation of Duty and Least Privilege – User Rights Management – Process Rights Management • Strong Isolation and Resource Control – Logical Domains – Containers • Comprehensive Monitoring – Auditing
9Copyright © 2010 Oracle Corporation Reduced Attack Surface Oracle Solaris Package Minimization • Selectively install only what is needed – Reduce the operating system file foot print – 3.6 GB vs. 550M (disk consumed by Entire+OEM vs. Reduced Networking) • Uninstalled software… – can not be executed or exploited – does not need updates or patching – does not need configuration or maintenance • Foundation for specialized deployments and appliances
10Copyright © 2010 Oracle Corporation Reduced Attack Surface Oracle Solaris Secure by Default • Expose only required services to the network – Reduce the operating system network foot print – Most services are disabled; a few are set to “local only” – Secure Shell is the only exposed service by default • Integrated with Service Management Facility – Common administrative model for all service operations – Fully customizable based upon unique site requirements • Foundation for Additional Network Protections – Host-based packet filtering (Solaris IP Filter) – Secure authentication (Solaris Kerberos) – Secure network communications (Solaris IPsec / IKE)
11Copyright © 2010 Oracle Corporation Method for composing collections of administrative rights Rights are specified using hierarchical profiles and authorizations Rights can be assigned to individual users and roles Separation of Duty Oracle Solaris User Rights Management Auditing always tracks the 'real' user – no anonymous admin! Roles can only be assumed by authorized users
12 Separation of Duty Example Oracle Solaris User Rights Management Rights User Rights Management User Roles Internal Auditor System Admin. Oracle DBA System Maintenance, Troubleshooting System Security Review, Audit Trail Review Database Administration
13 Separation of Duty Example Oracle Solaris User Rights Management
14Copyright © 2010 Oracle Corporation Eliminates need for many services to start as ‘root’ Decomposes administrative capabilities into discrete privileges Reduces potential exposure to a variety of security attacks Least Privilege Oracle Solaris Process Rights Management Always enabled and enforced by the Solaris kernel Completely compatible with traditional super-user privilege model
15 Least Privilege Example Oracle Solaris Process Rights Management Privileges Process Rights Management Processes Privilege Collection #1 Privilege Collection #2 Privilege Collection #3
16 Least Privilege Example Oracle Solaris Process Rights Management $ pfexec ppriv -S `pgrep rpcbind` 933: /usr/sbin/rpcbind flags = PRIV_AWARE E: net_bindmlp,net_privaddr,proc_fork,sys_nfs I: none P: net_bindmlp,net_privaddr,proc_fork,sys_nfs L: none $ pfexec ppriv -S `pgrep statd` 5139: /usr/lib/nfs/statd flags = PRIV_AWARE E: net_bindmlp,proc_fork I: none P: net_bindmlp,proc_fork L: none Every process has a unique set of privileges.
17Copyright © 2010 Oracle Corporation Hard Partitions Hypervisor Mediation Kernel Separation Strong Isolation and Resource Control Single OSMultiple OSes SPARC T-Series SPARC M-Series x86/x64 SPARC T-Series x86/x64 SPARC M-Series Oracle Dynamic Domains Oracle VM Server for SPARC Oracle VM Server for x86 Oracle VM VirtualBox Oracle Solaris Containers (Zones + SRM) Oracle Solaris Trusted Extensions Oracle Solaris 8 and 9 Containers
18 Strong Isolation and Resource Control Oracle Solaris Containers (Virtual) Server Operating System ServiceDB Server DB Server DB Server • Multiple, independent services • File, network, user, process, and resource isolation • Security protections • Single operating system instance • Centralized management and monitoring
19 Strong Isolation and Resource Control Oracle Solaris Containers Example (Virtual) Server Operating System ServiceDB Server DB Server DB Server $ pfexec zonecfg –z ozone info zonename: ozone zonepath: /export/zones/ozone […] [max-lwps: 300] [cpu-shares: 100] fs: dir: /etc/security/audit_control type: lofs options: [ro, nosuid, nodevices] […] inherit-pkg-dir: dir: /lib inherit-pkg-dir: dir: /platform inherit-pkg-dir: dir: /sbin inherit-pkg-dir: dir: /usr […] Each Container can have its own defined set of resources, file systems, network interfaces, etc.
20Copyright © 2010 Oracle Corporation Integration with the Solaris kernel enables fine-grained introspection Configurable audit policy at both the system and user level Captured events include administrative actions, commands, syscalls Comprehensive Monitoring Oracle Solaris Auditing Audit logs can be exported as binary, text, or XML files Containers can be audited from within the global zone
21Copyright © 2010 Oracle Corporation Comprehensive Monitoring Oracle Solaris Auditing Example Event: profile command time: 2010-09-08 11:56:11.511 -04:00 vers: 2 mod: host: quasar SUBJECT audit-uid: gbrunett uid: root gid: joe ruid: joe pid: 5015 sid: 685 tid: 0 0 quasar PATH: /usr/sbin/reboot CMD PROCESS: audit-uid: gbrunett uid: root gid: joe ruid: root rgid: joe pid: 5015 sid: 685 tid: 0 0 quasar RETURN errval: success retval: 0 ZONE name: ozone […] Event: reboot(1m) time: 2010-09-08 11:56:11.522 -04:00 vers: 2 mod: host: quasar SUBJECT: audit-uid: gbrunett uid: root gid: joe ruid: root rgid: joe pid: 5015 sid:685 tid: 0 0 quasar RETURN errval: success retval: 0 ZONE name: ozone Activity is captured retaining the ID of the original actor
22Copyright © 2010 Oracle Corporation Assembling the Pieces OracleVMforSPARC HYPERVISOR CONTROL DOMAIN GUEST DOMAIN / GLOBAL ZONE
23Copyright © 2010 Oracle Corporation Assembling the Pieces OracleVMforSPARC HYPERVISOR CONTROL DOMAIN GUEST DOMAIN / GLOBAL ZONE Package Minimization
24Copyright © 2010 Oracle Corporation Assembling the Pieces OracleVMforSPARC HYPERVISOR CONTROL DOMAIN GUEST DOMAIN / GLOBAL ZONE Package Minimization Secure by Default / Network Hardening
25Copyright © 2010 Oracle Corporation Assembling the Pieces OracleVMforSPARC HYPERVISOR CONTROL DOMAIN GUEST DOMAIN / GLOBAL ZONE Package Minimization Secure by Default / Network Hardening Resource Control
26Copyright © 2010 Oracle Corporation Assembling the Pieces OracleVMforSPARC HYPERVISOR CONTROL DOMAIN GUEST DOMAIN / GLOBAL ZONE Package Minimization Secure by Default / Network Hardening Resource Control Auditing
27Copyright © 2010 Oracle Corporation Assembling the Pieces OracleVMforSPARC HYPERVISOR CONTROL DOMAIN GUEST DOMAIN / GLOBAL ZONE Package Minimization Secure by Default / Network Hardening Resource Control Auditing CONTAINER
28Copyright © 2010 Oracle Corporation Assembling the Pieces OracleVMforSPARC HYPERVISOR CONTROL DOMAIN GUEST DOMAIN / GLOBAL ZONE Package Minimization Secure by Default / Network Hardening Resource Control Auditing CONTAINER
29Copyright © 2010 Oracle Corporation Assembling the Pieces OracleVMforSPARC HYPERVISOR CONTROL DOMAIN GUEST DOMAIN / GLOBAL ZONE Package Minimization Secure by Default / Network Hardening Resource Control Auditing CONTAINER Process Rights Management
30Copyright © 2010 Oracle Corporation Assembling the Pieces OracleVMforSPARC HYPERVISOR CONTROL DOMAIN GUEST DOMAIN / GLOBAL ZONE Package Minimization Secure by Default / Network Hardening Resource Control Auditing CONTAINER User Rights Management Process Rights Management
31Copyright © 2010 Oracle Corporation Just the Tip of the Iceberg • ZFS Data Security and Integrity – Ensures end-to-end data integrity by design – Delivers delegated administration, fine-grained access control, and hierarchical enforcement • Unified Cryptographic Framework – Enables hardware acceleration of algorithms – Integrates with PKCS#11, JCE, OpenSSL, etc. • Service Management Facility – Provides unified way to describe, manage and execute services • Trusted Extensions – Enforces multi-level security access control policies
32 Oracle Database Security Defense-in-Depth Access Control • Oracle Database Vault • Oracle Label Security • Oracle Advanced Security • Oracle Secure Backup • Oracle Data Masking Encryption and Masking Auditing and Tracking • Oracle Audit Vault • Oracle Configuration Management • Oracle Total Recall • Oracle Database Firewall Blocking and Monitoring
33Copyright © 2010 Oracle Corporation Transparency, Governance, and Compliance Comprehensive Information Protection and Monitoring Security-Enhanced Service Delivery Platforms Secure Service Oriented Architectures End-to-End Identity and Access Management Flexible and Strong Workload Isolation Integrated High-Performance Cryptography Tamper Resistant Key Storage Transparency, Governance, and Compliance Complete Set of Secure and Proven Solutions
34Copyright © 2010 Oracle Corporation For More Information…
35 Oracle Database Security Hands-on-Labs • Thursday Advanced Security 12:00PM | Marriott Marquis, Salon 10 / 11 Check Availability Audit Vault 1:30PM | Marriott Marquis, Salon 10 / 11 Check Availability
36 The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
37Copyright © 2010 Oracle Corporation
38Copyright © 2010 Oracle Corporation

More Related Content

PDF
Oracle Solaris 11 platform for ECI Telecom private cloud infrastructure
byOrgad Kimchi
 
PDF
Dr3150012012202 1.getting started
byNamgu Jeong
 
PPTX
Best Practices with IPS on Oracle Solaris 11
byglynnfoster
 
PDF
Oracle Solaris 11.1 New Features
byOrgad Kimchi
 
PPTX
Oracle Solaris 11 - Best for Enterprise Applications
byglynnfoster
 
DOCX
Discoverer 11.1.1.7 web logic (10.3.6) & ebs r12 12.1.3) implementation guide...
byginniapps
 
PDF
Oracle Fusion Middleware Infrastructure Best Practices
byRevelation Technologies
 
PPTX
IOUG Collaborate 2014 Auditing/Security in EM12c
byKellyn Pot'Vin-Gorman
 
Oracle Solaris 11 platform for ECI Telecom private cloud infrastructure
byOrgad Kimchi
 
Dr3150012012202 1.getting started
byNamgu Jeong
 
Best Practices with IPS on Oracle Solaris 11
byglynnfoster
 
Oracle Solaris 11.1 New Features
byOrgad Kimchi
 
Oracle Solaris 11 - Best for Enterprise Applications
byglynnfoster
 
Discoverer 11.1.1.7 web logic (10.3.6) & ebs r12 12.1.3) implementation guide...
byginniapps
 
Oracle Fusion Middleware Infrastructure Best Practices
byRevelation Technologies
 
IOUG Collaborate 2014 Auditing/Security in EM12c
byKellyn Pot'Vin-Gorman
 

What's hot

PPTX
Database as a Service, Collaborate 2016
byKellyn Pot'Vin-Gorman
 
PPTX
Em13c New Features- One of Two
byKellyn Pot'Vin-Gorman
 
PPTX
Fusion Applications Bare Metal Provisioning - Lessons Learned
byAndrejs Karpovs
 
PPT
EM12C High Availability without SLB and RAC
bySecure-24
 
PPTX
Oracle cloud storage and file system
byAndrejs Karpovs
 
PPTX
Em13c New Features- Two of Two
byKellyn Pot'Vin-Gorman
 
PPTX
Oracle EM12c Release 4 New Features!
byKellyn Pot'Vin-Gorman
 
PPTX
F5 Networks Application Ready Solution for Oracle Database Technologies
byF5 Networks
 
DOC
Configuring Oracle Enterprise Manager Cloud Control 12c for HA White Paper
byLeighton Nelson
 
PDF
Enterprise manager 13c
byMarketingArrowECS_CZ
 
PPTX
Managing Oracle Enterprise Manager Cloud Control 12c with Oracle Clusterware
byLeighton Nelson
 
PPTX
System hardening - OS and Application
byedavid2685
 
DOC
Oracle Audit vault
byuzzal basak
 
PPTX
Upgrading Em13c Collaborate 2016
byKellyn Pot'Vin-Gorman
 
DOC
Oracle EBS R12.1.3_Installation_linux(64bit)_Pan_Tian
byPan Tian
 
PPTX
Before OTD EDU - Introduction
byBeom Lee
 
PPTX
Oracle Database Firewall - Pierre Leon
byOracleVolutionSeries
 
PDF
New Not Your Father's Enterprise Manager
byKellyn Pot'Vin-Gorman
 
PPSX
Ppt dbsec-oow2013-avdf
byMelody Liu
 
PDF
EBS in an hour: Build a Vision instance - FAST - in Oracle Virtualbox
byjpiwowar
 
Database as a Service, Collaborate 2016
byKellyn Pot'Vin-Gorman
 
Em13c New Features- One of Two
byKellyn Pot'Vin-Gorman
 
Fusion Applications Bare Metal Provisioning - Lessons Learned
byAndrejs Karpovs
 
EM12C High Availability without SLB and RAC
bySecure-24
 
Oracle cloud storage and file system
byAndrejs Karpovs
 
Em13c New Features- Two of Two
byKellyn Pot'Vin-Gorman
 
Oracle EM12c Release 4 New Features!
byKellyn Pot'Vin-Gorman
 
F5 Networks Application Ready Solution for Oracle Database Technologies
byF5 Networks
 
Configuring Oracle Enterprise Manager Cloud Control 12c for HA White Paper
byLeighton Nelson
 
Enterprise manager 13c
byMarketingArrowECS_CZ
 
Managing Oracle Enterprise Manager Cloud Control 12c with Oracle Clusterware
byLeighton Nelson
 
System hardening - OS and Application
byedavid2685
 
Oracle Audit vault
byuzzal basak
 
Upgrading Em13c Collaborate 2016
byKellyn Pot'Vin-Gorman
 
Oracle EBS R12.1.3_Installation_linux(64bit)_Pan_Tian
byPan Tian
 
Before OTD EDU - Introduction
byBeom Lee
 
Oracle Database Firewall - Pierre Leon
byOracleVolutionSeries
 
New Not Your Father's Enterprise Manager
byKellyn Pot'Vin-Gorman
 
Ppt dbsec-oow2013-avdf
byMelody Liu
 
EBS in an hour: Build a Vision instance - FAST - in Oracle Virtualbox
byjpiwowar
 

Similar to Presentation deploying oracle database 11g securely on oracle solaris

PDF
Solaris 11.4 launch
byScott Lynn
 
PDF
Solaris 10 Security Essentials Press Sun Microsystemscreator
bypousselotlot
 
PDF
Oracle Solaris 11 lab agenda
byPavel Anni
 
PDF
oracle-analytics-server is to change password in OBIA application
byzakeer70071
 
PDF
Step by Step to Install oracle grid 11.2.0.3 on solaris 11.1
byOsama Mustafa
 
PDF
real-application-clusters-installation-guide-linux-and-unix.pdf
byMitJiu
 
PPT
Solaris11 Desayunos Tecnicos Oracle (Solaris)
byFran Navarro
 
PDF
Oracle solaris-11-ds-186774
byMuhammad Abdullah
 
DOCX
Sso & rman
byvishaalkumar11
 
PPTX
Oracle_DB_sobre_Oracle
byFran Navarro
 
PDF
Oracle-Security_Executive-Presentation
bystefanjung
 
PPT
Unix SVR4/OpenSolaris and allumos Access Control
bySalem Elbargathy
 
PDF
Oracle database 12c client installation guide 6
bybupbechanhgmail
 
PDF
Revisiting Silent: Installs Are they still useful?
byRevelation Technologies
 
PDF
Oracle tech fmw-04-sun-virtualization.and.solaris-neum-16.04.2010
byOracle BH
 
PPTX
ODW 2021 - Automated patching and compliance to improve database security.pptx
byPaul Breniuc
 
PPT
Auditing security of Oracle DB (Karel Miko)
byDCIT, a.s.
 
PDF
Netherlands Tech Tour - 04 Linux & OVM
byMark Swarbrick
 
PPTX
Oracle Security Overview from Cloud World 2022
byKen Stewart
 
PDF
OC|Webcast "Die neue Welt der Virtualisierung"
byOPITZ CONSULTING Deutschland
 
Solaris 11.4 launch
byScott Lynn
 
Solaris 10 Security Essentials Press Sun Microsystemscreator
bypousselotlot
 
Oracle Solaris 11 lab agenda
byPavel Anni
 
oracle-analytics-server is to change password in OBIA application
byzakeer70071
 
Step by Step to Install oracle grid 11.2.0.3 on solaris 11.1
byOsama Mustafa
 
real-application-clusters-installation-guide-linux-and-unix.pdf
byMitJiu
 
Solaris11 Desayunos Tecnicos Oracle (Solaris)
byFran Navarro
 
Oracle solaris-11-ds-186774
byMuhammad Abdullah
 
Sso & rman
byvishaalkumar11
 
Oracle_DB_sobre_Oracle
byFran Navarro
 
Oracle-Security_Executive-Presentation
bystefanjung
 
Unix SVR4/OpenSolaris and allumos Access Control
bySalem Elbargathy
 
Oracle database 12c client installation guide 6
bybupbechanhgmail
 
Revisiting Silent: Installs Are they still useful?
byRevelation Technologies
 
Oracle tech fmw-04-sun-virtualization.and.solaris-neum-16.04.2010
byOracle BH
 
ODW 2021 - Automated patching and compliance to improve database security.pptx
byPaul Breniuc
 
Auditing security of Oracle DB (Karel Miko)
byDCIT, a.s.
 
Netherlands Tech Tour - 04 Linux & OVM
byMark Swarbrick
 
Oracle Security Overview from Cloud World 2022
byKen Stewart
 
OC|Webcast "Die neue Welt der Virtualisierung"
byOPITZ CONSULTING Deutschland
 

More from xKinAnx

PPTX
Engage for success ibm spectrum accelerate 2
byxKinAnx
 
PPTX
Accelerate with ibm storage ibm spectrum virtualize hyper swap deep dive
byxKinAnx
 
PDF
Software defined storage provisioning using ibm smart cloud
byxKinAnx
 
PDF
Ibm spectrum virtualize 101
byxKinAnx
 
PDF
Accelerate with ibm storage ibm spectrum virtualize hyper swap deep dive dee...
byxKinAnx
 
PDF
04 empalis -ibm_spectrum_protect_-_strategy_and_directions
byxKinAnx
 
PPTX
Ibm spectrum scale fundamentals workshop for americas part 1 components archi...
byxKinAnx
 
PPTX
Ibm spectrum scale fundamentals workshop for americas part 2 IBM Spectrum Sca...
byxKinAnx
 
PPTX
Ibm spectrum scale fundamentals workshop for americas part 3 Information Life...
byxKinAnx
 
PPTX
Ibm spectrum scale fundamentals workshop for americas part 4 Replication, Str...
byxKinAnx
 
PPTX
Ibm spectrum scale fundamentals workshop for americas part 4 spectrum scale_r...
byxKinAnx
 
PPTX
Ibm spectrum scale fundamentals workshop for americas part 5 spectrum scale_c...
byxKinAnx
 
PPTX
Ibm spectrum scale fundamentals workshop for americas part 6 spectrumscale el...
byxKinAnx
 
PPTX
Ibm spectrum scale fundamentals workshop for americas part 7 spectrumscale el...
byxKinAnx
 
PPT
Ibm spectrum scale fundamentals workshop for americas part 8 spectrumscale ba...
byxKinAnx
 
PPTX
Ibm spectrum scale fundamentals workshop for americas part 5 ess gnr-usecases...
byxKinAnx
 
PDF
Presentation disaster recovery in virtualization and cloud
byxKinAnx
 
PDF
Presentation disaster recovery for oracle fusion middleware with the zfs st...
byxKinAnx
 
PDF
Presentation differentiated virtualization for enterprise clouds, large and...
byxKinAnx
 
PDF
Presentation desktops for the cloud the view rollout
byxKinAnx
 
Engage for success ibm spectrum accelerate 2
byxKinAnx
 
Accelerate with ibm storage ibm spectrum virtualize hyper swap deep dive
byxKinAnx
 
Software defined storage provisioning using ibm smart cloud
byxKinAnx
 
Ibm spectrum virtualize 101
byxKinAnx
 
Accelerate with ibm storage ibm spectrum virtualize hyper swap deep dive dee...
byxKinAnx
 
04 empalis -ibm_spectrum_protect_-_strategy_and_directions
byxKinAnx
 
Ibm spectrum scale fundamentals workshop for americas part 1 components archi...
byxKinAnx
 
Ibm spectrum scale fundamentals workshop for americas part 2 IBM Spectrum Sca...
byxKinAnx
 
Ibm spectrum scale fundamentals workshop for americas part 3 Information Life...
byxKinAnx
 
Ibm spectrum scale fundamentals workshop for americas part 4 Replication, Str...
byxKinAnx
 
Ibm spectrum scale fundamentals workshop for americas part 4 spectrum scale_r...
byxKinAnx
 
Ibm spectrum scale fundamentals workshop for americas part 5 spectrum scale_c...
byxKinAnx
 
Ibm spectrum scale fundamentals workshop for americas part 6 spectrumscale el...
byxKinAnx
 
Ibm spectrum scale fundamentals workshop for americas part 7 spectrumscale el...
byxKinAnx
 
Ibm spectrum scale fundamentals workshop for americas part 8 spectrumscale ba...
byxKinAnx
 
Ibm spectrum scale fundamentals workshop for americas part 5 ess gnr-usecases...
byxKinAnx
 
Presentation disaster recovery in virtualization and cloud
byxKinAnx
 
Presentation disaster recovery for oracle fusion middleware with the zfs st...
byxKinAnx
 
Presentation differentiated virtualization for enterprise clouds, large and...
byxKinAnx
 
Presentation desktops for the cloud the view rollout
byxKinAnx
 

Recently uploaded

PDF
How to Connect HP LaserJet MFP M234dwe to WiFi
byPrinter Tales
 
PDF
What is Voice User Interface (VUI) Definition & Examples.pdf
byDesign Studio UI UX
 
PDF
A Brief Introduction About Christopher Elwell Woburn
byChristopher Elwell Woburn
 
PDF
Techbrains Baku 2025 by GoUP - all speaker session
byHusseinMalikMammadli
 
PDF
MAD (1).pdf Mobile application develipment
byprathiT1
 
PPTX
Introduction to Computer Network Concepts.pptx
byAnacrissa Soriano
 
PPTX
Compare and contrast types of attacks.pptx
bysyednaqihassan14
 
PPTX
Pizza Chain Market Data Scraping for Better Insights Report.pptx
byWeb Data Crawler
 
PPTX
Cybersecurity Basics: Understanding Threats, Protection Methods, and Safe Dig...
byDhruvManiar3
 
PPTX
UNIT III TYPOLOGY OF CRIME AND CRIMINAL BEHAVIOUR (1).pptx
bybloodyhumanoid
 
PPTX
Large Language Model. LLM Audit Artificial Intelligence
byMANASCHOUDHARY22
 
PDF
250 Prompts - ChatGPT acting as your Assistant
byMihir Nagarkar
 
PPTX
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
PDF
Digital Marketing Trends in 2026: AI, Data, Content & Future Growth
byConacent Consulting
 
PDF
Xemelgo - RFID Industry Predictions for 2026
byRich Rogers
 
PDF
Artificial Intelligence(AI) full Book.pdf
bydeyanimesh299
 
PDF
Benefits of Using the IAC 500 Sensor for Ambient Conditions
byCS Instruments
 
PPTX
AI Bot Traffic Surge: Retail Fraud Threat for Age-Restricted Websites
byFTx Identity
 
PDF
Strengthening cybern resilience for a leading indian Financial Services group
bypandeydevika621
 
PDF
Beyond BBB: Practical Alternatives to Posterior Approximation in Bayesian Neu...
byTomasz Kusmierczyk
 
How to Connect HP LaserJet MFP M234dwe to WiFi
byPrinter Tales
 
What is Voice User Interface (VUI) Definition & Examples.pdf
byDesign Studio UI UX
 
A Brief Introduction About Christopher Elwell Woburn
byChristopher Elwell Woburn
 
Techbrains Baku 2025 by GoUP - all speaker session
byHusseinMalikMammadli
 
MAD (1).pdf Mobile application develipment
byprathiT1
 
Introduction to Computer Network Concepts.pptx
byAnacrissa Soriano
 
Compare and contrast types of attacks.pptx
bysyednaqihassan14
 
Pizza Chain Market Data Scraping for Better Insights Report.pptx
byWeb Data Crawler
 
Cybersecurity Basics: Understanding Threats, Protection Methods, and Safe Dig...
byDhruvManiar3
 
UNIT III TYPOLOGY OF CRIME AND CRIMINAL BEHAVIOUR (1).pptx
bybloodyhumanoid
 
Large Language Model. LLM Audit Artificial Intelligence
byMANASCHOUDHARY22
 
250 Prompts - ChatGPT acting as your Assistant
byMihir Nagarkar
 
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
Digital Marketing Trends in 2026: AI, Data, Content & Future Growth
byConacent Consulting
 
Xemelgo - RFID Industry Predictions for 2026
byRich Rogers
 
Artificial Intelligence(AI) full Book.pdf
bydeyanimesh299
 
Benefits of Using the IAC 500 Sensor for Ambient Conditions
byCS Instruments
 
AI Bot Traffic Surge: Retail Fraud Threat for Age-Restricted Websites
byFTx Identity
 
Strengthening cybern resilience for a leading indian Financial Services group
bypandeydevika621
 
Beyond BBB: Practical Alternatives to Posterior Approximation in Bayesian Neu...
byTomasz Kusmierczyk
 

Presentation deploying oracle database 11g securely on oracle solaris

  • 1.
    1Copyright © 2010Oracle Corporation
  • 2.
    <Insert Picture Here> DeployingOracle Database 11g Securely on Oracle Solaris Glenn Brunette Senior Director, Enterprise Security Solutions
  • 3.
    3Copyright © 2010Oracle Corporation The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
  • 4.
    4Copyright © 2010Oracle Corporation Agenda • Introduction – Why Focus on Operating Systems? – How Can Oracle Solaris Help? • Deploying On A Strong Foundation – Reduced Attack Surface – Separation of Duty and Least Privilege – Strong Isolation and Resource Control – Comprehensive Monitoring • Embracing a Defense in Depth Architecture – Hardware, Operating System and Database Security
  • 5.
    5Copyright © 2010Oracle Corporation Why Focus on the Operating System? • Burglars Don’t Always Use the Front Door – Similar goals can be achieved using different methods
  • 6.
    6Copyright © 2010Oracle Corporation Why Focus on the Operating System? • Burglars Don’t Always Use the Front Door – Similar goals can be achieved using different methods • Attacks Don’t Always Originate in the Database – Operating system access provides unique opportunities
  • 7.
    7Copyright © 2010Oracle Corporation Why Focus on the Operating System? • Burglars Don’t Always Use the Front Door – Similar goals can be achieved using different methods • Attacks Don’t Always Originate in the Database – Operating system access provides unique opportunities • Security Must Be Systemically Applied – A chain is only as strong as its weakest link
  • 8.
    8Copyright © 2010Oracle Corporation How Can Oracle Solaris Help? • Reduced Attack Surface – Package Minimization – (Network) Secure by Default • Separation of Duty and Least Privilege – User Rights Management – Process Rights Management • Strong Isolation and Resource Control – Logical Domains – Containers • Comprehensive Monitoring – Auditing
  • 9.
    9Copyright © 2010Oracle Corporation Reduced Attack Surface Oracle Solaris Package Minimization • Selectively install only what is needed – Reduce the operating system file foot print – 3.6 GB vs. 550M (disk consumed by Entire+OEM vs. Reduced Networking) • Uninstalled software… – can not be executed or exploited – does not need updates or patching – does not need configuration or maintenance • Foundation for specialized deployments and appliances
  • 10.
    10Copyright © 2010Oracle Corporation Reduced Attack Surface Oracle Solaris Secure by Default • Expose only required services to the network – Reduce the operating system network foot print – Most services are disabled; a few are set to “local only” – Secure Shell is the only exposed service by default • Integrated with Service Management Facility – Common administrative model for all service operations – Fully customizable based upon unique site requirements • Foundation for Additional Network Protections – Host-based packet filtering (Solaris IP Filter) – Secure authentication (Solaris Kerberos) – Secure network communications (Solaris IPsec / IKE)
  • 11.
    11Copyright © 2010Oracle Corporation Method for composing collections of administrative rights Rights are specified using hierarchical profiles and authorizations Rights can be assigned to individual users and roles Separation of Duty Oracle Solaris User Rights Management Auditing always tracks the 'real' user – no anonymous admin! Roles can only be assumed by authorized users
  • 12.
    12 Separation of DutyExample Oracle Solaris User Rights Management Rights User Rights Management User Roles Internal Auditor System Admin. Oracle DBA System Maintenance, Troubleshooting System Security Review, Audit Trail Review Database Administration
  • 13.
    13 Separation of DutyExample Oracle Solaris User Rights Management
  • 14.
    14Copyright © 2010Oracle Corporation Eliminates need for many services to start as ‘root’ Decomposes administrative capabilities into discrete privileges Reduces potential exposure to a variety of security attacks Least Privilege Oracle Solaris Process Rights Management Always enabled and enforced by the Solaris kernel Completely compatible with traditional super-user privilege model
  • 15.
    15 Least Privilege Example OracleSolaris Process Rights Management Privileges Process Rights Management Processes Privilege Collection #1 Privilege Collection #2 Privilege Collection #3
  • 16.
    16 Least Privilege Example OracleSolaris Process Rights Management $ pfexec ppriv -S `pgrep rpcbind` 933: /usr/sbin/rpcbind flags = PRIV_AWARE E: net_bindmlp,net_privaddr,proc_fork,sys_nfs I: none P: net_bindmlp,net_privaddr,proc_fork,sys_nfs L: none $ pfexec ppriv -S `pgrep statd` 5139: /usr/lib/nfs/statd flags = PRIV_AWARE E: net_bindmlp,proc_fork I: none P: net_bindmlp,proc_fork L: none Every process has a unique set of privileges.
  • 17.
    17Copyright © 2010Oracle Corporation Hard Partitions Hypervisor Mediation Kernel Separation Strong Isolation and Resource Control Single OSMultiple OSes SPARC T-Series SPARC M-Series x86/x64 SPARC T-Series x86/x64 SPARC M-Series Oracle Dynamic Domains Oracle VM Server for SPARC Oracle VM Server for x86 Oracle VM VirtualBox Oracle Solaris Containers (Zones + SRM) Oracle Solaris Trusted Extensions Oracle Solaris 8 and 9 Containers
  • 18.
    18 Strong Isolation andResource Control Oracle Solaris Containers (Virtual) Server Operating System ServiceDB Server DB Server DB Server • Multiple, independent services • File, network, user, process, and resource isolation • Security protections • Single operating system instance • Centralized management and monitoring
  • 19.
    19 Strong Isolation andResource Control Oracle Solaris Containers Example (Virtual) Server Operating System ServiceDB Server DB Server DB Server $ pfexec zonecfg –z ozone info zonename: ozone zonepath: /export/zones/ozone […] [max-lwps: 300] [cpu-shares: 100] fs: dir: /etc/security/audit_control type: lofs options: [ro, nosuid, nodevices] […] inherit-pkg-dir: dir: /lib inherit-pkg-dir: dir: /platform inherit-pkg-dir: dir: /sbin inherit-pkg-dir: dir: /usr […] Each Container can have its own defined set of resources, file systems, network interfaces, etc.
  • 20.
    20Copyright © 2010Oracle Corporation Integration with the Solaris kernel enables fine-grained introspection Configurable audit policy at both the system and user level Captured events include administrative actions, commands, syscalls Comprehensive Monitoring Oracle Solaris Auditing Audit logs can be exported as binary, text, or XML files Containers can be audited from within the global zone
  • 21.
    21Copyright © 2010Oracle Corporation Comprehensive Monitoring Oracle Solaris Auditing Example Event: profile command time: 2010-09-08 11:56:11.511 -04:00 vers: 2 mod: host: quasar SUBJECT audit-uid: gbrunett uid: root gid: joe ruid: joe pid: 5015 sid: 685 tid: 0 0 quasar PATH: /usr/sbin/reboot CMD PROCESS: audit-uid: gbrunett uid: root gid: joe ruid: root rgid: joe pid: 5015 sid: 685 tid: 0 0 quasar RETURN errval: success retval: 0 ZONE name: ozone […] Event: reboot(1m) time: 2010-09-08 11:56:11.522 -04:00 vers: 2 mod: host: quasar SUBJECT: audit-uid: gbrunett uid: root gid: joe ruid: root rgid: joe pid: 5015 sid:685 tid: 0 0 quasar RETURN errval: success retval: 0 ZONE name: ozone Activity is captured retaining the ID of the original actor
  • 22.
    22Copyright © 2010Oracle Corporation Assembling the Pieces OracleVMforSPARC HYPERVISOR CONTROL DOMAIN GUEST DOMAIN / GLOBAL ZONE
  • 23.
    23Copyright © 2010Oracle Corporation Assembling the Pieces OracleVMforSPARC HYPERVISOR CONTROL DOMAIN GUEST DOMAIN / GLOBAL ZONE Package Minimization
  • 24.
    24Copyright © 2010Oracle Corporation Assembling the Pieces OracleVMforSPARC HYPERVISOR CONTROL DOMAIN GUEST DOMAIN / GLOBAL ZONE Package Minimization Secure by Default / Network Hardening
  • 25.
    25Copyright © 2010Oracle Corporation Assembling the Pieces OracleVMforSPARC HYPERVISOR CONTROL DOMAIN GUEST DOMAIN / GLOBAL ZONE Package Minimization Secure by Default / Network Hardening Resource Control
  • 26.
    26Copyright © 2010Oracle Corporation Assembling the Pieces OracleVMforSPARC HYPERVISOR CONTROL DOMAIN GUEST DOMAIN / GLOBAL ZONE Package Minimization Secure by Default / Network Hardening Resource Control Auditing
  • 27.
    27Copyright © 2010Oracle Corporation Assembling the Pieces OracleVMforSPARC HYPERVISOR CONTROL DOMAIN GUEST DOMAIN / GLOBAL ZONE Package Minimization Secure by Default / Network Hardening Resource Control Auditing CONTAINER
  • 28.
    28Copyright © 2010Oracle Corporation Assembling the Pieces OracleVMforSPARC HYPERVISOR CONTROL DOMAIN GUEST DOMAIN / GLOBAL ZONE Package Minimization Secure by Default / Network Hardening Resource Control Auditing CONTAINER
  • 29.
    29Copyright © 2010Oracle Corporation Assembling the Pieces OracleVMforSPARC HYPERVISOR CONTROL DOMAIN GUEST DOMAIN / GLOBAL ZONE Package Minimization Secure by Default / Network Hardening Resource Control Auditing CONTAINER Process Rights Management
  • 30.
    30Copyright © 2010Oracle Corporation Assembling the Pieces OracleVMforSPARC HYPERVISOR CONTROL DOMAIN GUEST DOMAIN / GLOBAL ZONE Package Minimization Secure by Default / Network Hardening Resource Control Auditing CONTAINER User Rights Management Process Rights Management
  • 31.
    31Copyright © 2010Oracle Corporation Just the Tip of the Iceberg • ZFS Data Security and Integrity – Ensures end-to-end data integrity by design – Delivers delegated administration, fine-grained access control, and hierarchical enforcement • Unified Cryptographic Framework – Enables hardware acceleration of algorithms – Integrates with PKCS#11, JCE, OpenSSL, etc. • Service Management Facility – Provides unified way to describe, manage and execute services • Trusted Extensions – Enforces multi-level security access control policies
  • 32.
    32 Oracle Database Security Defense-in-Depth AccessControl • Oracle Database Vault • Oracle Label Security • Oracle Advanced Security • Oracle Secure Backup • Oracle Data Masking Encryption and Masking Auditing and Tracking • Oracle Audit Vault • Oracle Configuration Management • Oracle Total Recall • Oracle Database Firewall Blocking and Monitoring
  • 33.
    33Copyright © 2010Oracle Corporation Transparency, Governance, and Compliance Comprehensive Information Protection and Monitoring Security-Enhanced Service Delivery Platforms Secure Service Oriented Architectures End-to-End Identity and Access Management Flexible and Strong Workload Isolation Integrated High-Performance Cryptography Tamper Resistant Key Storage Transparency, Governance, and Compliance Complete Set of Secure and Proven Solutions
  • 34.
    34Copyright © 2010Oracle Corporation For More Information…
  • 35.
    35 Oracle Database SecurityHands-on-Labs • Thursday Advanced Security 12:00PM | Marriott Marquis, Salon 10 / 11 Check Availability Audit Vault 1:30PM | Marriott Marquis, Salon 10 / 11 Check Availability
  • 36.
    36 The preceding isintended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
  • 37.
    37Copyright © 2010Oracle Corporation
  • 38.
    38Copyright © 2010Oracle Corporation