Securing Your Enterprise with Enterprise Manager 10g
Amir Najmi
Principal Member of Technical Staff
System Management Products
Oracle Corporation
Session id: 40034
“Through 2005, 90 percent of cyber-attacks will continue to exploit known security flaws for which a
patch is available or a preventive measure is known.”
-Gartner report, May 2002
Common security best practices are not quite so common
Gartner report
Slammer virus exploited known security flaw
  – Patch was available 6 months before attack
  – Many of Microsoft’s own servers were affected
Conclusion: Administrators often do not take common security measures
Why is security difficult for administrators?
Lack of knowledge
  – No knowledge of the vulnerability
  – No understanding of impact, justification for fix
Lack of logistical support
  – No easy way to identify vulnerable installations
  – No convenient way to administer the fix
  – No easy way to ensure the fix remains in place
Grid security requires infrastructure support
Grid has greater security requirements due to
  – Sheer scale
  – Heterogeneity
  – Connectivity (weakest link in the chain)
  – Dynamic configuration
Security must be reduced to routine procedure
Management tools must facilitate this practice at low overhead
Aspects of enterprise security
Develop secure applications
Deploy secure installations, patches
Employ secure configurations
Provision users with appropriate access
Detect and contain intruders
Timescale: Design and development time, Install time, Operations and Management, Real time, Post-install update
EM helps enforce common security best practices
within the Oracle ecosystem
EM Security is built on the Policy Framework
Policy Framework
  – Database Configuration Policy
  – Security Policy
  – Storage Configuration Policy
Policy Framework: concepts
Rule
  – Specific to target type
  – Severity: Critical, Warning, Informational
Violation
  – Can be overridden by administrator
Policy
  – Collected rules of a single category
Provides common paradigm, user interface
Policy is essential to the Grid
EM security management
Software security
  – Addressing vulnerabilities in Oracle software
Instance hardening
  – Configuring Oracle for security
Database security
  – Guarding against excessive privilege
Patch management with EM
[Diagram: Hosts, Grid Control, Oracle Metalink, Patch Cache]
Software security with EM
Fetch latest security alert metadata (Metalink)
Automatically add to software security rule
If targets found vulnerable, list patches which address the problem
Help stage (and in some cases, apply) patch
Going forward, test for vulnerability as part of software security rule
Instance hardening with EM
Identify products deployed in common insecure configurations
Check for weak authentication practices
Examples
  – Identify insecure services
  – Track down demo features enabled in production
Database security with EM
Check for excessive user privilege
Identify weak privilege model
  – Roles should be granular
Examples
  – Find default passwords
  – Identify excessive privileges to PUBLIC role
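
An added example (not from the original slides, and not Enterprise Manager's own rule definition) of the kind of check the "excessive privileges to PUBLIC" item describes, written against the standard Oracle data dictionary views DBA_SYS_PRIVS, DBA_ROLE_PRIVS and DBA_TAB_PRIVS. The severity labels reuse the Policy Framework's three levels; their assignment here and the package list are assumptions made for illustration.

```sql
-- Audit of what every database user inherits through PUBLIC.
-- Each row is reported as a rule violation with a severity.
-- Severity assignment is illustrative (assumption), not EM's.

-- 1. System privileges granted to PUBLIC: every account gets them.
SELECT 'Critical'                            AS severity,
       'System privilege granted to PUBLIC'  AS rule_name,
       sp.privilege                          AS detail
FROM   dba_sys_privs sp
WHERE  sp.grantee = 'PUBLIC'

UNION ALL

-- 2. Roles granted to PUBLIC: defeats a granular role model.
SELECT 'Critical',
       'Role granted to PUBLIC',
       rp.granted_role
FROM   dba_role_privs rp
WHERE  rp.grantee = 'PUBLIC'

UNION ALL

-- 3. EXECUTE on SYS packages that reach the file system or network.
--    The package list is a constructed sample; extend it to match
--    the hardening baseline in use.
SELECT 'Warning',
       'EXECUTE on file/network package granted to PUBLIC',
       tp.owner || '.' || tp.table_name
FROM   dba_tab_privs tp
WHERE  tp.grantee    = 'PUBLIC'
AND    tp.privilege  = 'EXECUTE'
AND    tp.owner      = 'SYS'
AND    tp.table_name IN ('UTL_FILE', 'UTL_TCP', 'UTL_SMTP', 'UTL_HTTP')

ORDER  BY 1, 2, 3;
```

An empty result means none of the three checks found a violation; any row is a candidate for a revoke or for an administrator override with a recorded justification.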
EM helps enforce security best practices
Deploy secure installations, patches
  – Provide rapid notification of security patches on Oracle products
  – Facilitate application of security patches
Employ secure configurations
  – Alert customer if an Oracle product is deployed in a common insecure configuration
Provision users with appropriate access
  – Check systems for accounts with excessive privileges
  – Provide in-context links to EM user management
Security administrator usage
Predefined test library (by target type)
  – Software
  – Instance hardening
  – Privileges
Tests are conducted automatically, periodically
Administrator views results
  – Roll-up reporting
  – Which tests revealed security flaws
  – Impact of the security flaw
  – Known workarounds and remedies
Overrides inappropriate violations
Takes corrective action
The future of EM Security
More elaborate security roles
Security compliance history
Extensions to EM Policy Framework
  – E.g. policy groups, exemptions, timed exemptions
Greater automation for addressing problems
Editable remedies
Downloadable test definitions
User-defined tests
Q & A
Questions and Answers
Reminder – please complete the OracleWorld online session survey
Thank you.