Copyright © 2014 Oracle and/or its affiliates. All rights reserved. |
Securing The Extended Enterprise:
Enterprise User Security
Abdul Asfour | Sr. Security Consultant, NAS Security Specialized Sales Consulting
April 2016
ORACLE DATABASE SECURITY STRATEGY
• DEFENSE IN DEPTH: Layered overlapping controls: Encryption, audit, monitoring, access control, masking, redaction, …
• SECURITY INSIDE OUT: Security close to the data. Maximize performance with application transparency.
• SECURE DEPLOYMENTS: Across multiple systems: operating systems, heterogeneous databases, applications, …
• CONTINUOUS INNOVATIONS: Virtual Private Databases, Transparent Data Encryption, DBA Control, Data Redaction, Privilege Analysis, Database Firewall, Real Application Security, ….
ORACLE SECURITY INSIDE OUT: LAYERS OF THE STACK
(slide graphic; the text recovered from it follows)
Controls shown at each layer of the stack, top to bottom:
• Governance Risk & Compliance: Access & Certification Review, Anomaly Detection, User Provisioning, Entitlements Management
• Mobile Security, Privileged Users, Directory Services, Identity Governance, Entitlements Management, Access Management
• Encryption, Masking, Redaction, Key Management, Privileged User Control, Big Data Security, Secure Config
• Solaris Trusted Extensions, LDAP Host Access Control
• Secure Live Migration
• Cryptographic Acceleration, Application Data Integrity
• Secure backup, Disk Encryption, ILM Security
Enterprise Manager spans all layers.
Statistics quoted on the slide:
• 76%: NETWORK INTRUSIONS – LOST, STOLEN & WEAK CREDENTIALS
• 80%: IMPLICATE WEB OR APPLICATION SERVERS
• 94%: BREACHED RECORDS FROM SERVERS
• 50%: PROPAGATION ENABLED BY MISCONFIGURATION
SECURING ACCESS TO APPS & DATA
DATABASE PROTECTION
• Key Management
• Encryption
• Redaction
• Privileged User Control
• Activity Monitoring
• Secure Auditing
• Database Firewall
IDENTITY & ACCESS
• Identity Governance
• Access Management
• Directory Services
• Mobile Security
Understanding the Problem
Each database is basically an island. Users are managed separately in each database.
Standard Database Users (“LOCAL”)
• Admins manage Database Users and Roles in each database
• A user potentially has multiple database login names and passwords to remember
Authentication Options in Oracle Database 12c
Authentication Type             | Description
Password Authentication         | Users are authenticated using standard passwords as defined by the Password Policy.
Operating System Authentication | Some operating systems permit Oracle Database to use information they maintain to authenticate users.
Kerberos Authentication         | Kerberos is a trusted third-party authentication system that relies on shared secrets.
Radius Authentication           | Remote Authentication Dial-In User Service (RADIUS), a standard lightweight protocol used for user authentication, authorization, and accounting.
Public Key Infrastructure       | Authentication systems based on public key infrastructure (PKI) issue digital certificates to user clients.
Enterprise User Security        | Using a central directory can make authentication and its administration efficient.
Secure External Password Store  | The secure external password store is a client-side wallet that is used to store password credentials.
Enterprise User Security
• EUS stores user credentials and authorizations in a central location.
• It eases administration through centralization.
• It enables single-point authentication.
• Each person has one username/password for ALL databases.
• Directory identities are mapped to database schemas. Directory groups are mapped to database roles.
Enterprise User Security: Impact of Using EUS vs Named Accounts on each Database
DB Work Item                                                | Current | EUS
Password Changes: 200 Databases x 200 Users x 4 (quarterly) | 160,000 | 0
Create New Users: 200 Databases x 20 (10% yearly turnover)  | 4,000   | 0
Delete Old Users: 200 Databases x 20 (10% yearly turnover)  | 4,000   | 0
Assign Privileges: 200 Databases x 20 (10% yearly turnover) | 4,000   | 40
Total                                                       | 176,000 | 400
*Based on 200 Named Users for 200 Databases, 8 Normal/Forgotten Password Changes
DBAs must perform these tasks on every database:
• Set password policies
• Create users and passwords
• Reset passwords
• Manage roles and privileges
• Assign roles and privileges to users
Enterprise User Security: Cost Savings/Operational Efficiency and Risk
Cost Savings and Operational Efficiency
• Users benefit from SSO or single password authentication.
• Fewer password resets
• Fewer accounts to create
• Centrally manage access
• Easily manage roles and privileges through AD/LDAP groups
Reduce Risk
• Fewer passwords to remember
• User access can be easily removed during employment transfer or termination.
• Leverage the secure password policy and storage of the corporate directory
Enterprise User Security: Managing Database Information
History Lesson: Thick client connect strings
• sqlplus 'user/pass@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(Host=hostname.network)(Port=1521))(CONNECT_DATA=(SID=remote_SID)))'
or
• sqlplus username/password@connect_identifier
– With a tnsnames.ora file containing the connect_identifier:
  local_SID =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL= TCP)(Host= hostname.network)(Port= 1521))
      (CONNECT_DATA = (SID = remote_SID))
    )
– It becomes: sqlplus user/password@local_SID
– With the ORACLE_SID environment variable set it becomes: sqlplus user/pass
What is Oracle Net Services: Client interaction
• Every time a new database becomes available for use, your end users need to:
– Know the connect string
– Get an updated tnsnames.ora, or
– Leverage Net Services
• i.e. the IP name/address resolution analogy:
– %SYSTEMROOT%\system32\drivers\etc\hosts ~= $ORACLE_HOME/network/admin/tnsnames.ora
– nslookup ~= $ORACLE_HOME/network/admin/ldap.ora
(slide graphic: Database Information)
Example: Net Services in OUD (DBCA-registered DB11g)
(screenshot slide)
Managing Enterprise User Privileges: Enterprise User Security
(slide diagram)
Database: Roles, System Privileges, Object Privileges
Global Roles <-> Enterprise Roles <-> LDAP Groups
Connect to Enterprise User Security: Authentication and Authorization Flow
(slide diagram)
Connect : username@database_service_name
Enter password:
• LDAP Search: the database looks up user and group info in the directory (OUD, DSEE or AD)
• Assign Privileges and Roles
Example Dedicated Schema Mapping in OUD
Create New User Schema Mapping
Create Enterprise Role Mapping
Enterprise Roles: DBA Perspective
• Global Roles within the database
  create role ldapdba identified globally;
  grant dba to ldapdba;
• Map to Enterprise Roles within the Directory
• Add users to the LDAP Role
How to identify a dedicated schema “globally”: DBA Perspective
• Dedicated Schema
  create user ldapauser identified globally as 'CN=Andy User,ou=ad,cn=users,dc=oracle,dc=vm';
  -or-
  alter user ldapauser identified globally as 'CN=Andy User,ou=ad,cn=users,dc=oracle,dc=vm';
• Mappings maintained within the database
  select username, password, external_name from dba_users where password='GLOBAL';
  USERNAME      PASSWORD     EXTERNAL_NAME
  ------------- ------------ -------------------------------------------
  LDAPAUSER     GLOBAL       CN=Andy User,ou=ad,cn=users,dc=oracle,dc=vm
  Password = GLOBAL means the password is external to the DB
How to identify a shared schema “globally”: DBA Perspective
• Shared Schema
– Create Global Schema
  create user ldapuser identified globally as '';
• An entry-level mapping is used for a dedicated schema; for a shared schema, subtree mappings are maintained within the directory.
EUS Supported Deployments
Directory                                             | Oracle DB 9i | Oracle DB 10g            | Oracle DB 11g            | Oracle DB 12c
Oracle Internet Directory 11g                         |              |                          |                          |
Oracle Virtual Directory                              |              |                          |                          |
Microsoft Active Directory                            | Requires OID | Requires OID, OVD or OUD | Requires OID, OVD or OUD | Requires OID, OVD or OUD
Novell eDirectory                                     | Requires OID | Requires OID, OVD or OUD | Requires OID, OVD or OUD | Requires OID, OVD or OUD
Oracle Directory Server Enterprise Edition / Sun DSEE | Requires OID | Requires OID, OVD or OUD | Requires OID, OVD or OUD | Requires OID, OVD or OUD
Oracle Unified Directory 11g                          | Requires Min. 11.2 DB
EUS with Oracle Unified Directory
• OUD works seamlessly with EUS. Database user information, passwords and privileges information for a database or for a database domain can be stored in OUD
• Supported on 11.2+ Databases
EUS with Oracle Unified Directory and Active Directory
• The database establishes a connection to OUD. OUD retrieves user data (users and groups) from Active Directory. User passwords are retrieved from the hashed password stored by the OUD Password Change Notification plug-in. EUS metadata are stored and retrieved from OUD.
• Active Directory Schema extension is required to store the hashed passwords.
EUS with Active Directory/Kerberos
• The database establishes a connection to OUD. OUD retrieves user data (users and groups) from Active Directory. EUS metadata are stored and retrieved from OUD.
• Access to the hashed user password is not required, so no schema extensions and no Password Change Notification dll have to be deployed on Active Directory.
EUS with ODSEE
• The database establishes a connection to OUD. OUD retrieves user data (users and groups) from Oracle Directory Server Enterprise Edition (ODSEE). EUS metadata are stored and retrieved from OUD.
• This integration does not require any changes in the database nor for database clients that use password authentication.
Authentication Process Flow
(slide diagram; the steps, in order, as recovered from it)
• User provides credentials to client application
• Client application sends credentials to database
• Database looks for username in local table
• Database looks for username in directory (the directory responds to searches from the database)
• Database looks for username-to-schema explicit mapping
• Database looks for username-to-schema implicit mapping (OU level)
• Database retrieves hashed password from directory and compares it with the provided password that has been hashed
• Database checks local system and role privileges assigned to schema
• Database checks directory for roles assigned to user
• Session is established
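As an added example (not from the deck), the schema-resolution steps of the flow above, and the dedicated versus shared schema distinction from the “identify schema globally” slides, modelled in Python: an entry-level mapping is tried first (explicit mapping), then subtree mappings (implicit, OU-level mapping). The mapping list is constructed from the DNs and schema names on the slides; the LDAPGUEST fallback subtree and the most-specific-subtree tie-break are assumptions of the example, not documented EUS behaviour.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

def normalize_dn(dn: str) -> Tuple[Tuple[str, str], ...]:
    """Split a DN into (attribute, value) RDNs, lowercased and trimmed, so 'CN=Andy User,OU=ad,...'
    and 'cn=andy user,ou=ad,...' compare equal. Simplification: escaped commas in values are not handled."""
    rdns = []
    for part in dn.split(","):
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return tuple(rdns)

def is_under(dn, base) -> bool:
    """True when dn lies strictly below base in the tree (DNs are written leaf-first, root last)."""
    return len(dn) > len(base) and dn[-len(base):] == base

@dataclass(frozen=True)
class Mapping:
    dn: str        # the entry DN (entry-level mapping) or the base DN (subtree mapping)
    schema: str    # database schema the mapping points at
    subtree: bool  # False = entry-level (dedicated schema), True = subtree / OU-level (shared schema)

# Constructed mappings built from the DNs and schema names used on the slides; the LDAPGUEST
# fallback subtree is an addition of this example.
MAPPINGS = [
    Mapping("cn=Andy User,ou=ad,cn=users,dc=oracle,dc=vm", "LDAPAUSER", subtree=False),
    Mapping("ou=ad,cn=users,dc=oracle,dc=vm", "LDAPUSER", subtree=True),
    Mapping("dc=oracle,dc=vm", "LDAPGUEST", subtree=True),
]

def resolve_schema(user_dn: str, mappings: List[Mapping]) -> Optional[Tuple[str, bool]]:
    """Return (schema, is_shared) for a directory user, or None when no mapping applies.
    Entry-level mappings are tried first (the flow's 'explicit mapping' step), subtree mappings
    second ('implicit mapping (OU level)'). When several subtree mappings apply this example picks
    the most specific base; treat that tie-break as an assumption, not documented behaviour."""
    dn = normalize_dn(user_dn)
    for m in mappings:
        if not m.subtree and normalize_dn(m.dn) == dn:
            return m.schema, False            # dedicated schema: one person, one schema
    best = None
    for m in mappings:
        base = normalize_dn(m.dn)
        if m.subtree and is_under(dn, base) and (best is None or len(base) > len(normalize_dn(best.dn))):
            best = m
    if best is None:
        return None                           # no mapping: the database refuses the logon
    return best.schema, True                  # shared schema: the directory DN identifies the person
```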
Auditing
Auditing Type: Standard / DB_EXTENDED. View: DBA_AUDIT_TRAIL
Column Name  | Value
USERNAME     | GLOBAL_USER
ACTION_NAME  | LOGON
COMMENT_TEXT | Authenticated by: DIRECTORY PASSWORD;EXTERNAL NAME: cn=Ted Turner,cn=Users,dc=example,dc=com; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.56.2)(PORT=59912))
PRIV_USED    | CREATE SESSION
Auditing
Auditing Type: Unified Auditing (12c). View: UNIFIED_AUDIT_TRAIL
Column Name         | Value
DBUSERNAME          | GLOBAL_USER
EXTERNAL_USERID     | cn=Ted Turner,cn=Users,dc=example,dc=com
GLOBAL_USERID       | 11dfef187d1045ab8ed9f04991e539d1
AUTHENTICATION_TYPE | (TYPE=(DIRECTORY PASSWORD))
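Added example, not part of the deck: a small Python parser for the two LOGON records shown on the auditing slides. It normalises a DBA_AUDIT_TRAIL row (identity packed into COMMENT_TEXT) and a UNIFIED_AUDIT_TRAIL row (identity in its own columns) into one shape, then uses that to attribute shared-schema sessions to the directory DN and to flag logons to a globally identified schema that carry no directory identity. The rows are constructed from the slide values plus one constructed anomaly; the "suspicious" heuristic is the example's own.

```python
import re

# Constructed sample rows modelled on the two LOGON records on the auditing slides: row 1 is a
# DBA_AUDIT_TRAIL record, row 3 a UNIFIED_AUDIT_TRAIL record, row 2 a constructed anomaly.
AUDIT_ROWS = [
    {"USERNAME": "GLOBAL_USER", "ACTION_NAME": "LOGON",
     "COMMENT_TEXT": "Authenticated by: DIRECTORY PASSWORD;EXTERNAL NAME: cn=Ted Turner,cn=Users,"
                     "dc=example,dc=com; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.56.2)(PORT=59912))"},
    {"USERNAME": "GLOBAL_USER", "ACTION_NAME": "LOGON",
     "COMMENT_TEXT": "Authenticated by: DATABASE; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.7)(PORT=40001))"},
    {"DBUSERNAME": "GLOBAL_USER", "ACTION_NAME": "LOGON",
     "EXTERNAL_USERID": "cn=Ted Turner,cn=Users,dc=example,dc=com",
     "AUTHENTICATION_TYPE": "(TYPE=(DIRECTORY PASSWORD))"},
]
_AUTH = re.compile(r"Authenticated by:\s*([^;]+)")   # "DIRECTORY PASSWORD", "DATABASE", ...
_EXT = re.compile(r"EXTERNAL NAME:\s*([^;]+)")       # directory DN of the person
_HOST = re.compile(r"\(HOST=([^)]+)\)")               # client host inside the Net address
_UTYPE = re.compile(r"\(TYPE=\(([^)]+)\)\)")          # unified AUTHENTICATION_TYPE wrapper

def _grab(rx, text):
    m = rx.search(text or "")
    return m.group(1).strip() if m else None

def identity_of(row):
    """Normalise a standard (COMMENT_TEXT) or unified audit row into one shape."""
    t = row.get("COMMENT_TEXT")
    if t is not None:  # standard auditing packs method, DN and client address into COMMENT_TEXT
        return {"schema": row["USERNAME"], "auth_method": _grab(_AUTH, t),
                "external_name": _grab(_EXT, t), "client_host": _grab(_HOST, t)}
    return {"schema": row["DBUSERNAME"], "auth_method": _grab(_UTYPE, row.get("AUTHENTICATION_TYPE")),
            "external_name": row.get("EXTERNAL_USERID") or None, "client_host": None}

def find_suspicious_logons(rows, global_schemas):
    """Flag LOGONs to a globally identified schema that were authenticated by the database itself
    or carry no directory DN (the example's own heuristic: such a session bypassed the directory)."""
    findings = []
    for row in rows:
        ident = identity_of(row)
        if row.get("ACTION_NAME") == "LOGON" and ident["schema"] in global_schemas and (
                ident["auth_method"] == "DATABASE" or not ident["external_name"]):
            findings.append((ident["schema"], ident["auth_method"], ident["client_host"]))
    return findings

def sessions_by_identity(rows, shared_schema):
    """Count shared-schema LOGONs per directory DN: the DN, not the schema name, identifies the person."""
    counts = {}
    for row in rows:
        ident = identity_of(row)
        if row.get("ACTION_NAME") == "LOGON" and ident["schema"] == shared_schema:
            key = ident["external_name"] or "<no directory identity>"
            counts[key] = counts.get(key, 0) + 1
    return counts
```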
Using EUS Attributes with Fine Grained Auditing
Using EUS Attributes with Database Vault
Using EUS Attributes with Database Redaction
Using EUS Attributes with Virtual Private Database
select * from EMPLOYEESEARCH.demo_hr_employees
Questions