Security Options in Oracle: The Matrix of What's Available

Rich Niemiec, TUSC (rich@tusc.com), www.tusc.com

(Thanks to Kevin Loney, Kim Floss, Mary Ann Davidson)
Posted: 19-Dec-2015

Page 1

Copyright ©2001 TUSC All Rights Reserved

Security Options in Oracle

The Matrix of What's Available

Rich Niemiec, TUSC (rich@tusc.com)

www.tusc.com

(Thanks to Kevin Loney, Kim Floss, Mary Ann Davidson)

Page 2

Presentation Goals/Non-Goals

• Goals
  – Target key areas of security
  – Target key scripts
  – Target the tips that are most useful

• Non-Goals
  – Learn ALL aspects of security
    • Will take weeks to months
    • Need experience as well
    • What you'll need depends on your system

Page 3

Overview

• What are you guarding against?
• Getting into databases
• Password protection
• Outside the application
• Effective auditing
• Laying the groundwork for success
• Biometrics
• Oracle9i changes
• Summary
• Helpful scripts (FYI)

Page 4

What are you guarding against?

• External malice
  – Denial of service attacks
  – Theft of data

• Internal disclosure
  – Source of most attempts
  – Particular issue in a poor economy
  – A transient workforce adds to the threat level

• Who:
  – Disgruntled employees, competitors
  – Criminals, terrorists
  – Bored college students, curious individuals
  – Vendors

Page 5

Security Breaches on the Rise!

• Company security breaches*:
  – 1999: 62%
  – 2000: 70%
  – 2001: 85%
  – 2002: 90%

*CSI/FBI surveys over the past 4 years

[Chart: Security Breaches by year, 1999–2002, y-axis 0–90%]

Page 6

CERT Trends

• Automation and speed of attack are increasing.
• Attack tools are more sophisticated.
• Attackers are discovering vulnerabilities quicker.
• Firewalls are more permeable.
• Threats from infrastructure attacks are on the rise (such as denial of service and worms).

Computer Emergency Response Team (CERT)

Page 7

Oracle9i Security Checklist

1. Install only the products you're using
2. Lock and expire default user accounts
3. Change default passwords & enforce password management
4. Enable dictionary protection
5. Practice the principle of least privilege
6. Enforce access controls effectively
7. Restrict network access
   a. Use a firewall
   b. Don't poke any holes through the firewall
   c. Prevent listener access (set ADMIN_RESTRICTIONS_listenername=ON)

Page 8

Oracle9i Security Checklist

   d. Allow/deny access based on network IP (tcp.validnode_checking=YES, tcp.excluded_nodes={list the IPs}, tcp.invited_nodes={list the IPs})
   e. Encrypt network traffic (Oracle Advanced Security)
   f. Make the O/S more restrictive
8. Apply all Oracle security patches – http://metalink.oracle.com and http://otn.oracle.com/deploy/security/alerts.htm
9. Report security issues or vulnerabilities to Oracle: [email protected]

http://otn.oracle.com/deploy/security/oracle9i/pdf/9i_checklist.pdf
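Checklist items 3 to 6 are the ones a DBA implements inside the database rather than in the listener or firewall. The following is an added example, not a script from the TUSC deck or from Oracle's checklist: it assumes Oracle's supplied password-complexity function has been installed from $ORACLE_HOME/rdbms/admin/utlpwdmg.sql (which creates SYS.VERIFY_FUNCTION), and APP_USER, APP_READER and APP_OWNER.ORDERS are placeholder names. The numeric limits are illustrative policy choices, not Oracle defaults.

```sql
-- Added example, not from the TUSC slides: checklist items 3 to 6 as SQL*Plus
-- statements run by a DBA. Assumes SYS.VERIFY_FUNCTION exists (created by
-- utlpwdmg.sql). APP_USER, APP_READER and APP_OWNER.ORDERS are placeholders.

-- 3. Password management: limit guessing, force rotation, require complexity.
CREATE PROFILE secure_users LIMIT
  FAILED_LOGIN_ATTEMPTS    5          -- lock after five consecutive failures
  PASSWORD_LOCK_TIME       1/24       -- stay locked for one hour (unit is days)
  PASSWORD_LIFE_TIME       90         -- password expires after 90 days
  PASSWORD_GRACE_TIME      7          -- warnings for 7 days before expiry
  PASSWORD_REUSE_MAX       10         -- the last 10 passwords cannot be reused
  PASSWORD_REUSE_TIME      365        -- nor any password used within a year
  PASSWORD_VERIFY_FUNCTION verify_function;

-- Application accounts are created with the profile, never left on the
-- DEFAULT profile, whose limits are all UNLIMITED in Oracle9i.
CREATE USER app_user IDENTIFIED BY "<initial password, placeholder>"
  PROFILE secure_users PASSWORD EXPIRE;   -- must be changed at first logon

-- 4. Dictionary protection: stops SELECT ANY TABLE and the other ANY
--    privileges from reaching SYS-owned dictionary tables. Static parameter,
--    so it is written to the spfile and takes effect at the next restart.
ALTER SYSTEM SET O7_DICTIONARY_ACCESSIBILITY = FALSE SCOPE = SPFILE;

-- 5 and 6. Least privilege through a role that carries only what the
--    application needs; CONNECT, RESOURCE and DBA are not granted wholesale.
CREATE ROLE app_reader;
GRANT CREATE SESSION TO app_reader;
GRANT SELECT ON app_owner.orders TO app_reader;
GRANT app_reader TO app_user;

-- Check: accounts whose profile still allows unlimited login attempts.
SELECT u.username, u.profile
  FROM dba_users u
  JOIN dba_profiles p
    ON p.profile = u.profile
   AND p.resource_name = 'FAILED_LOGIN_ATTEMPTS'
 WHERE p.limit = 'UNLIMITED'
 ORDER BY u.username;
```

Items 7c and 7d are set in listener.ora and sqlnet.ora with the parameters the slide names, not with SQL. The final query is the check to keep running after the change: any account it still returns is not covered by the password-management policy.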

Page 9

Oracle Security Alerts

Page 10

Oracle Security Alerts

http://otn.oracle.com/deploy/security/pdf/webdb_bugpost.pdf   “If customers grant public access to PL/SQL procedures, in particular … OWA, SYS & DBMS …it may be possible to invoke through a URL and cause SQL statements to be executed on back-end Oracle database."

Username/Password

Page 11

Oracle Security Alerts

http://www.sans.org/top20/#index

Page 12

Preventing attacks

• Protect every copy of the data!
• Restrict access to backups
  – Establish procedures and access logs
• Restrict copying sensitive data to Development and Test databases
• Restrict database links into Production
• Restrict physical access to the hardware
• Restrict physical access to the network
• Protect/dispose of hardware appropriately

Page 13

Common open doors

• SYS/change_on_install
• SYSTEM/manager
• WEBDB/webdb
  – Full DBA access, factory settings
• Demo developer accounts
  – SCOTT/tiger, ADAMS/wood, JONES/steel, BLAKE/paper, CLARK/cloth
• CTXSYS/ctxsys – used by interMedia Text servers
• TRACESVR/trace – supports Oracle Trace
• Others: ORDSYS, OUTLN, MDSYS, MTSSYS
• Third-party application providers!
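The accounts on this slide are the ones to check first, because every Oracle installation of this era shipped with them. The following is an added example, not a script from the TUSC deck: run as a DBA, it reports which of the listed accounts are still OPEN, then locks and expires them (checklist item 2). SYS and SYSTEM are kept out of the lock loop because the instance still needs them; their factory passwords are changed instead, and the password values shown are placeholders.

```sql
-- Added example, not from the TUSC slides. Run as SYS or another DBA.
-- 1. Report: which well-known default accounts from the slide are still open?
SELECT username, account_status, created
  FROM dba_users
 WHERE username IN ('SCOTT', 'ADAMS', 'JONES', 'BLAKE', 'CLARK', 'WEBDB',
                    'CTXSYS', 'TRACESVR', 'ORDSYS', 'OUTLN', 'MDSYS', 'MTSSYS')
   AND account_status = 'OPEN'
 ORDER BY username;

-- 2. Remediate: lock and expire each such account that exists and is open.
--    Before running this, confirm the feature an account supports is not in
--    use (interMedia Text for CTXSYS, Oracle Trace for TRACESVR, stored
--    outlines for OUTLN); locking a schema the application relies on breaks it.
--    ALTER USER takes no bind variables, so the name is spliced in from the
--    dictionary, which is the only place it can come from here.
SET SERVEROUTPUT ON
BEGIN
  FOR r IN (SELECT username
              FROM dba_users
             WHERE username IN ('SCOTT', 'ADAMS', 'JONES', 'BLAKE', 'CLARK', 'WEBDB',
                                'CTXSYS', 'TRACESVR', 'ORDSYS', 'OUTLN', 'MDSYS', 'MTSSYS')
               AND account_status = 'OPEN')
  LOOP
    EXECUTE IMMEDIATE 'ALTER USER "' || r.username || '" ACCOUNT LOCK PASSWORD EXPIRE';
    DBMS_OUTPUT.PUT_LINE('Locked and expired: ' || r.username);
  END LOOP;
END;
/

-- 3. The administrative accounts cannot simply be locked away: replace the
--    factory passwords (change_on_install / manager) with strong ones.
ALTER USER sys    IDENTIFIED BY "<new strong password, placeholder>";
ALTER USER system IDENTIFIED BY "<new strong password, placeholder>";

-- 4. Re-check: rerunning the report should now return no rows.
SELECT username, account_status
  FROM dba_users
 WHERE username IN ('SCOTT', 'ADAMS', 'JONES', 'BLAKE', 'CLARK', 'WEBDB',
                    'CTXSYS', 'TRACESVR', 'ORDSYS', 'OUTLN', 'MDSYS', 'MTSSYS')
   AND account_status = 'OPEN';
```

The slide's last bullet, third-party application providers, is the part this script cannot cover: their schema names are not in the fixed list, so extend the IN list with whatever the vendor documentation says it created, and ask the vendor whether the account is still needed at all.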

Page 14

Main Options

• Basic login/password protection with locking
• Roles – a group of privileges for use with groups
• Data encryption for storage in the database
• Auditing at the statement, user or record level
• Encryption of data sent over the wire, client/server
• Oracle utilizes SSL from browser to application server
• Oracle performs checksumming to ensure that the data sent was not tampered with on the way
• Virtual Private Databases give a customer or B2B partner access only to their own data
• Oracle Label Security allows record-level security, with each label carrying the privileges required to access it
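Two of these options, Virtual Private Database and auditing, are configured entirely from SQL, so they lend themselves to a concrete illustration. The following is an added example, not code from the TUSC deck: it assumes a placeholder schema APP_OWNER with a constructed ORDERS table carrying a CUSTOMER_ID column, and that each B2B partner connects as its own database user whose name is mapped to a customer in a constructed APP_OWNER.PARTNERS table. The auditing statements assume AUDIT_TRAIL=DB in the initialization parameters.

```sql
-- Added example, not from the TUSC slides: VPD row-level access plus auditing.
-- Constructed sample schema, present only so the example is self-contained.
CREATE TABLE app_owner.partners (
  partner_user VARCHAR2(30) PRIMARY KEY,   -- database user name of the partner
  customer_id  NUMBER NOT NULL
);
CREATE TABLE app_owner.orders (
  order_id    NUMBER PRIMARY KEY,
  customer_id NUMBER NOT NULL,
  amount      NUMBER
);

-- Policy function: returns the predicate Oracle appends to every statement on
-- the protected table. SESSION_USER is set by the server at logon, so a client
-- cannot forge it the way it could an application-supplied value. A partner
-- with no PARTNERS row gets "customer_id = NULL", i.e. no rows: fail closed.
CREATE OR REPLACE FUNCTION app_owner.orders_policy (
  p_schema IN VARCHAR2, p_object IN VARCHAR2) RETURN VARCHAR2
IS
BEGIN
  IF SYS_CONTEXT('USERENV', 'SESSION_USER') = 'APP_OWNER' THEN
    RETURN NULL;   -- the owning schema is not restricted
  END IF;
  RETURN 'customer_id = (SELECT p.customer_id FROM app_owner.partners p ' ||
         'WHERE p.partner_user = SYS_CONTEXT(''USERENV'', ''SESSION_USER''))';
END orders_policy;
/

-- Attach the policy to reads and writes alike; UPDATE_CHECK makes Oracle
-- reject an INSERT or UPDATE that would produce a row outside the predicate,
-- so a partner cannot write data under another customer's id.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'APP_OWNER',
    object_name     => 'ORDERS',
    policy_name     => 'ORDERS_OWN_ROWS',
    function_schema => 'APP_OWNER',
    policy_function => 'ORDERS_POLICY',
    statement_types => 'SELECT, INSERT, UPDATE, DELETE',
    update_check    => TRUE);
END;
/

-- Auditing at the statement, user and object level (needs AUDIT_TRAIL=DB).
AUDIT SESSION;                                                      -- every logon and logoff
AUDIT SELECT, INSERT, UPDATE, DELETE ON app_owner.orders BY ACCESS;  -- one record per statement
AUDIT USER;                                                         -- CREATE/ALTER/DROP USER
AUDIT GRANT ANY PRIVILEGE;                                          -- use of the grant-any privilege

-- Review: who touched ORDERS, and which statements (including logons) failed.
SELECT username, obj_name, action_name, returncode, timestamp
  FROM dba_audit_trail
 WHERE obj_name = 'ORDERS' OR returncode <> 0
 ORDER BY timestamp DESC;
```

The design choice worth noting is where the row filter lives: because the predicate is attached to the table, it applies to every tool that reads it, including SQL*Plus and ad hoc reporting, not just the application's own screens. The audit review query is the routine check to pair with it; non-zero RETURNCODE values on ORDERS are the cases where the policy or a privilege grant rejected an access.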

Page 15

Advanced options

RADIUS (Remote Access Dial-In User Service)
– Secures remote access to the network.
– Industry standard.
– ORACLE RADIUS is an Oracle implementation of RADIUS that allows the Oracle database to provide authentication and authorization (serving as the proxy to the RADIUS server).
– This is often used with smart cards and biometrics.

Page 16

Advanced options

1. A user logs in by entering a connect string, passcode, or other value. The client system passes this data to the Oracle database server.

2. The Oracle database server, acting as the RADIUS client, passes the data from the Oracle client to the RADIUS server.

3. The RADIUS server passes the data to the appropriate authentication server, such as Smart Card or SecurID ACE for validation.

4. The authentication server sends either an Access Accept or an Access Reject message back to the RADIUS server.

5. The RADIUS server passes this response to the Oracle database server / RADIUS client.

6. The Oracle database server / RADIUS client passes the response back to the Oracle client.

Page 17

Advanced options

Page 18

Security Requirements

• Privacy & integrity of communications – Encryption (RC4, DES, MD5, etc.)
• Strong user authentication – X.509v3 certificates, smart cards, biometrics
• Access control – Fine-grained access control policies
• User account management – LDAP directory integration
• Flexibility & cost avoidance – Security standards (FIPS 140, Common Criteria)
• Accountability – Comprehensive, granular auditing

Page 19

Biometrics

www.biometrics.org

Page 20

Fingerprint Scanning

www.identix.com

Page 21

Fingerprint Scanning

• One of the fastest scanning methods available.
• Currently in use as a method to log into the system without remembering a password.
• Disallows multiple logins.
• Saves money on forgotten-password help desk time.
• Best to have a two-part authorization that includes both the password and the finger scan.
• www.finger-scan.com

Page 22

Hand Scanning

• www.peninsulatime.com

Page 23

Hand Scanning

• An excellent use for this is time clocks.

• Ensures that the employee is physically present.

• Many time clocks allow for the easy integration with the database.

• www.hand-scan.com

Page 24

Face Scanning

• www.identix.com

Page 25

Face Scanning

• This was used at the Super Bowl (Viisage).
• Much more complex than finger/hand scans.
• Based on MIT "eigenfaces" technology.
• It's non-intrusive, but faces can have multiple expressions due to coughing, breathing, blinking, talking and other gestures. Yet, currently, this can be accomplished in seconds.
• www.facial-scan.com
• The main providers are:
  – Visionics (www.visionics.com) – merged with Identix
  – Viisage (www.viisage.com)

Page 26

Retinal Scanning

• This was the type of (fictitious) scan in the movie Minority Report.

• This type of scan is available currently.

• The blood vessels in the back of the eye are scanned.

• www.retina-scan.com

Page 27

Iris Scanning

• This is less intrusive than retinal scans.

• It Scans the iris (colored part) of the eye.

• www.iris-scan.com
• www.accessexcellence.org

Page 28

Other Types of Biometrics

• Voice scanning
• Signature scanning
• Smart card
• Gesture recognition

Page 29

Put a Basic Plan Together

1. Vulnerability Analysis – Identify systems that might be a target of an infrastructure attack: Create a vulnerability analysis (with periodic updates). Determine minimal infrastructure.

2. Remedial Plan – Based on the vulnerability, create a remedial plan with timelines for implementing as well as responsibilities and funding.

3. Warning – Immediately establish a department to warn of significant attacks and enhance the system for detecting and analyzing attacks.

4. Response – Have a team identified to respond by isolating the problem, minimizing the damage and ensuring survivability.

(CERT has detailed plans)

Page 30

From Security to Survivability

Page 31

From Security to Survivability

• Resistance to repel attacks.
• Recognition of attacks and the extent of damage.
• Recovery of essential services during attacks and full services after an attack.
• Survivability should involve solutions that can transcend the system itself.

Computer Emergency Response Team (CERT)

Page 32

Summary

• What are you guarding against?
• Getting into databases
• Password protection
• Outside the application
• Effective auditing
• Laying the groundwork for success
• Helpful scripts
• Oracle9i changes
• Summary

Page 33

References

www.tusc.com, www.oracle.com, www.cert.org, www.biometrics.org, www.finger-scan.org, www.hand-scan.org, www.retina-scan.org, www.iris-scan.org, www.face-scan.org, www.sans.org

Practical ways to secure your corporate information, Donald Shepard, Oracle Corp., www.poug.org

Secure configuration guide for Oracle9iR2; Oracle, June 2002

Oracle gurus: Mary Ann Davidson, Kristy Browder and Sudhayer

Neither TUSC, Oracle, IOUG nor the author guarantee this document to be error-free. Please provide comments and/or questions to [email protected].

Page 34

Contact Information

Rich Niemiec: [email protected]

This presentation will be available on the TUSC Web Site: www.tusc.com, (800) 755-TUSC