
An investigation into the security features of Oracle 10g R2 Enterprise Edition. Supervisor: Mr J Ebden

Date post: 14-Dec-2015
Upload: giselle-wiseman
Transcript
Page 1: An investigation into the security features of Oracle 10g R2 Enterprise Edition Supervisor: Mr J Ebden.

An investigation into the security features of Oracle 10g R2 Enterprise Edition

Supervisor: Mr J Ebden

Page 2: Database security

Aaron Newman views database security as composed of multiple layers of protection that reduce the risk of intrusion, just like the walls of a medieval castle.

Each layer poses a further challenge for the intruder, which gives the DBA time to take appropriate action against the malicious user before the innermost layer is reached.

Each layer is designed to give the strongest defence against intrusion that can be achieved at that point.

Page 3: Background of project

The trigger for my project was the white paper released by David Litchfield in which he precisely describes cursor snarfing, a security flaw he had recently discovered in Oracle databases: a cursor opened by a privileged PL/SQL routine through DBMS_SQL and left open on exit can be picked up and fetched from by a less privileged user.

He published another white paper, "Which database is more secure? Oracle vs. Microsoft SQL Server", in which he reveals alarming security flaws in Oracle.

Oracle, meanwhile, claims that this flaw is trivial and rare, since it requires some impractical special cases in order to occur.

Page 4: Background cont…

Firewalls can no longer protect databases from all intrusion, because modern database threats sit higher on the OSI model than firewalls do: a network firewall filters at the network and transport layers, while attacks such as SQL injection travel inside legitimate application-layer traffic that the firewall is configured to allow.

Attackers have also found a way past firewalls by using specific search strings in search engines ("Google hacking") that lead them straight to database front ends, error pages and configuration files that are already exposed through the firewall; the firewall sees nothing but ordinary web traffic.

Page 5: The OSI model

[Figure: the seven layers of the OSI model]

Page 6: The approach by Oracle

Oracle uses four major methods for database security: authentication, roles and privileges, auditing and finally data integrity.

These form the desired layered security structure: first a user is authenticated, then he is authorised to perform some actions, and those actions are then monitored by auditing.

Finally, the data itself is protected, and made accessible only to the authorised, by the data integrity layer (encryption of the stored data).

Page 7: Authentication

Verifying that users are who they claim to be; these may be a person using a computer, a computer itself or a program on a computer.

Oracle combats authentication breaches through password profiles. In the configuration studied, an account is locked after 4 failed login attempts (FAILED_LOGIN_ATTEMPTS) and a password may be used for only three months (PASSWORD_LIFE_TIME of 90 days). Note that it is the individual account, not the database, that is locked.

Once the limit of failed attempts is exceeded, the account remains locked for the configured PASSWORD_LOCK_TIME (30 days in one example, one day in another) or until the DBA unlocks it explicitly.

Oracle claims to have safe password management and also enables users to set very strong passwords through a password verification function. In addition, Oracle does not allow a user to reuse the same password consecutively (PASSWORD_REUSE_MAX and PASSWORD_REUSE_TIME).
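The limits quoted on this slide are not fixed behaviour but values set in a password profile. The following is an added example, written for this transcript and not taken from the presentation or from Oracle's documentation, showing such a profile on Oracle 10g R2 together with the dictionary queries used to check it; the profile name app_users and the user app_reader are assumed names.

```sql
-- Added example: a password profile implementing the limits quoted on the
-- Authentication slide (Oracle 10g R2). Profile name app_users and user
-- app_reader are hypothetical.

-- 1. Create a profile with the lockout and password-ageing limits.
CREATE PROFILE app_users LIMIT
    FAILED_LOGIN_ATTEMPTS    4          -- lock the account after 4 failures
    PASSWORD_LOCK_TIME       30         -- keep it locked for 30 days
    PASSWORD_LIFE_TIME       90         -- password expires after 90 days
    PASSWORD_GRACE_TIME      7          -- warn for 7 days before expiry is enforced
    PASSWORD_REUSE_MAX       10         -- forbid reusing any of the last 10 passwords
    PASSWORD_REUSE_TIME      365        -- ... for at least a year (set both, or reuse is not limited)
    PASSWORD_VERIFY_FUNCTION verify_function;  -- complexity check installed by utlpwdmg.sql

-- 2. Assign the profile to an account (use ALTER USER ... PROFILE for existing accounts).
CREATE USER app_reader IDENTIFIED BY "Str0ng-Pa55phrase!" PROFILE app_users;
GRANT CREATE SESSION TO app_reader;

-- 3. Check: which accounts are on the profile, and who is locked or expired.
SELECT username, profile, account_status, lock_date, expiry_date
  FROM dba_users
 WHERE profile = 'APP_USERS';

-- 4. Check the effective limits. UNLIMITED means the limit is not enforced,
--    DEFAULT means the value is inherited from the DEFAULT profile.
SELECT resource_name, limit
  FROM dba_profiles
 WHERE profile = 'APP_USERS'
   AND resource_type = 'PASSWORD';

-- 5. Manual unlock by the DBA before PASSWORD_LOCK_TIME elapses.
ALTER USER app_reader ACCOUNT UNLOCK;
```

Two checks are worth running after this. Accounts that are never assigned a profile stay on the DEFAULT profile, so its password limits must be reviewed as well, since a freshly installed database may leave several of them at UNLIMITED. Profiles also govern only password-authenticated database accounts; operating-system and password-file authenticated SYSDBA connections are authenticated differently and are not locked by FAILED_LOGIN_ATTEMPTS, which is one of the gaps the critics on the next slide point at.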

Page 8: Critics of Oracle

Paul Wright published a white paper that describes how an attacker can still perform a brute-force attack on the login of an Oracle database despite Oracle's claim of a login block.

Mark Burnett argues that login blocking has side effects of its own and is a poor substitute for properly combating brute-force attacks.

An intruder can cause a denial of service, harvest usernames from the site (a lockout message confirms that the account exists), create a diversion by flooding the help desk with support calls, and disable an account by continually locking it.

Account lockout is ineffective against slow attacks, attacks that try one password against a large list of usernames, first-time correct guesses, and DBA accounts that cannot be allowed to lock.

Page 9: Roles and privileges

Oracle offers different privileges to different users. These are rights to execute particular SQL statements, e.g. creating tables or executing stored procedures.

To provide easy privilege management and control, privileges can be bundled together into a role (a group of privileges assigned to a group of users or to a single user).

Roles make it easy to monitor and alter the privileges granted to a group of users for security reasons.

Roles can also be password protected. Such a role is not enabled at login; its privileges become active only when the application enables it with the password, which limits what a stolen session can do and narrows the search in case of a breach.

Roles can be granted to other roles and then finally to users.
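The following is an added example, written for this transcript rather than taken from the presentation, that puts the whole slide into SQL on Oracle 10g R2: ordinary roles, a password-protected role that is not enabled at login, a role granted to a role and then to a user, and the dictionary views a DBA checks afterwards. The HR schema objects, the role names and the user app_reader are assumed names.

```sql
-- Added example: role-based privilege management on Oracle 10g R2.
-- Schema, role and user names are hypothetical.

-- 1. A role bundling read-only object privileges.
CREATE ROLE hr_reader;
GRANT SELECT ON hr.employees   TO hr_reader;
GRANT SELECT ON hr.departments TO hr_reader;

-- 2. A password-protected role for the sensitive operation. It is NOT
--    enabled automatically at login; the application must SET ROLE it.
CREATE ROLE hr_payroll IDENTIFIED BY "Payr0ll-R0le-Secret";
GRANT UPDATE (salary) ON hr.employees TO hr_payroll;   -- column-level grant
GRANT EXECUTE ON hr.run_payroll TO hr_payroll;

-- 3. A role granted to a role, then the top-level roles to the user.
CREATE ROLE hr_clerk;
GRANT hr_reader TO hr_clerk;
GRANT CREATE SESSION TO hr_clerk;                      -- system privilege via the role
GRANT hr_clerk, hr_payroll TO app_reader;

-- 4. Only the non-password role is a default role (enabled at login).
ALTER USER app_reader DEFAULT ROLE ALL EXCEPT hr_payroll;

-- 5. In the application session: enable the sensitive role only when needed,
--    then drop back to least privilege.
SET ROLE hr_clerk, hr_payroll IDENTIFIED BY "Payr0ll-R0le-Secret";
-- ... payroll work ...
SET ROLE hr_clerk;

-- 6. DBA checks: who holds which role, how roles nest, what is active now,
--    and which privileges were granted directly, bypassing the roles.
SELECT grantee, granted_role, default_role
  FROM dba_role_privs WHERE grantee = 'APP_READER';
SELECT role, granted_role
  FROM role_role_privs WHERE role = 'HR_CLERK';
SELECT role FROM session_roles;
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs WHERE grantee = 'APP_READER';
```

One caveat a practitioner runs into at once: roles are disabled inside definer's-rights stored procedures, so a procedure owned by app_reader that selects from hr.employees compiles only if SELECT was granted to app_reader directly, not through hr_reader. Keep such direct grants to the minimum and review them with the last query above.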

Page 10: Auditing

This is the monitoring and recording of database user actions.

Audits can be triggered when specified elements in an Oracle database are accessed or altered.

Auditing keeps a record of both failed and successful attempts on the server.

One disadvantage of auditing is that, when the audit trail is stored inside the database, there is no mechanism to prevent a DBA, or an attacker who has gained SYS privileges, from tampering with the audit output.
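The following is an added example, written for this transcript and not part of the presentation, that covers two slides at once: it enables standard auditing on Oracle 10g R2, runs the queries that would surface the slow and one-password-against-many-accounts brute-force patterns described on the "Critics of Oracle" slide, and sets the parameters that move the audit trail out of reach of a compromised SYS account, which is the disadvantage noted above. The HR table and the audit directory path are assumed names.

```sql
-- Added example: standard auditing on Oracle 10g R2, brute-force detection
-- from the audit trail, and taking the trail out of reach of SYS.
-- Object names and the directory path are hypothetical.

-- 1. Trail destination. AUDIT_TRAIL = DB stores records in SYS.AUD$, which
--    anyone with SYS privileges can edit or delete with SQL. OS (or XML) writes
--    them to files outside the database, AUDIT_SYS_OPERATIONS records what
--    SYSDBA sessions do, and on Unix AUDIT_SYSLOG_LEVEL hands the records to
--    syslog, which can forward them to a remote host the DBA cannot touch.
--    These take effect at the next restart.
ALTER SYSTEM SET audit_trail          = 'OS'             SCOPE = SPFILE;
ALTER SYSTEM SET audit_sys_operations = TRUE             SCOPE = SPFILE;
ALTER SYSTEM SET audit_file_dest      = '/var/log/oracle/audit' SCOPE = SPFILE;  -- hypothetical path
ALTER SYSTEM SET audit_syslog_level   = 'LOCAL1.WARNING' SCOPE = SPFILE;

-- 2. What to audit: every logon attempt, account and privilege management,
--    and access to a sensitive table (failed attempts included).
AUDIT SESSION;
AUDIT ALTER USER, CREATE USER, DROP USER, GRANT ANY PRIVILEGE, GRANT ANY ROLE;
AUDIT SELECT, INSERT, UPDATE, DELETE ON hr.employees BY ACCESS;
AUDIT ALL ON hr.employees BY ACCESS WHENEVER NOT SUCCESSFUL;

-- 3. Detection queries (populated when AUDIT_TRAIL = DB; with OS or XML the
--    same records are read from the files instead).
--    Failed logons per account in the last 24 hours: return code 1017 is a
--    wrong password (ORA-01017), 28000 an attempt against a locked account.
SELECT username, os_username, userhost, returncode, COUNT(*) AS attempts
  FROM dba_audit_session
 WHERE returncode IN (1017, 28000)
   AND timestamp > SYSDATE - 1
 GROUP BY username, os_username, userhost, returncode
 ORDER BY attempts DESC;

--    Password spraying: one host trying a few passwords against many accounts
--    never trips a per-account lockout, but stands out by distinct usernames.
SELECT userhost, COUNT(DISTINCT username) AS accounts_tried, COUNT(*) AS attempts
  FROM dba_audit_session
 WHERE returncode = 1017
   AND timestamp > SYSDATE - 1
 GROUP BY userhost
HAVING COUNT(DISTINCT username) > 5;

-- 4. Verify the audit options are actually in force.
SELECT audit_option, success, failure FROM dba_stmt_audit_opts;
SELECT owner, object_name, sel, ins, upd, del
  FROM dba_obj_audit_opts WHERE owner = 'HR';
```

Writing the trail to the operating system does not stop someone who owns the oracle OS account from deleting the files; it stops someone who has only SYS inside the database. Forwarding through syslog to a separate log host is what closes the remaining gap, and the slow-attack query above only works if the logon records survive long enough to be counted.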

Page 11: Data integrity

This is the act of ensuring that data is complete and identically maintained during an operation such as transfer, storage or retrieval.

Oracle encrypts stored data by a process called Transparent Data Encryption (TDE), available in 10g R2 for individual columns. It restricts data retrieval by anyone who bypasses the database and reads the datafiles, backups or exports directly, since the column values reach the files only in encrypted form.

The encryption and decryption of data is handled by the database instead of by users and applications. The master key is kept in an external wallet rather than in the database, so an operating-system administrator who can copy the files but cannot open the wallet has no access to the data. Note, however, that a DBA, or any user who holds SELECT on the table, still sees the cleartext: TDE protects data at rest, not against authorised database users.

This is the peak of Oracle's layered security after firewalls, authentication and authorisation.

It can be implemented using simple SQL commands.
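The following is an added example, written for this transcript and not taken from the presentation, of the SQL commands that set up column-level TDE on Oracle 10g R2 and the checks that go with them. The HR tables, the card_no and salary columns, the wallet directory and the passphrase are assumed values.

```sql
-- Added example: Transparent Data Encryption of columns on Oracle 10g R2.
-- Schema and column names, the wallet path and the passphrase are hypothetical.

-- 0. Prerequisite outside SQL: point sqlnet.ora at a wallet directory, e.g.
--      ENCRYPTION_WALLET_LOCATION = (SOURCE = (METHOD = FILE)
--        (METHOD_DATA = (DIRECTORY = /etc/oracle/wallet)))
--    Keep that directory out of the backups that hold the datafiles; a backup
--    containing both the wallet and the files protects nothing.

-- 1. Create the master key (first time only); this also creates the wallet.
ALTER SYSTEM SET ENCRYPTION KEY AUTHENTICATED BY "W4llet-Passphrase!";
-- After every instance restart the wallet must be reopened, otherwise any
-- read of an encrypted column fails with ORA-28365 (wallet is not open).
-- 10g R2 syntax; 11g and later accept IDENTIFIED BY in place of AUTHENTICATED BY.
ALTER SYSTEM SET ENCRYPTION WALLET OPEN AUTHENTICATED BY "W4llet-Passphrase!";

-- 2. Encrypt a column at creation, or add encryption to an existing column.
--    Values are stored with a random salt and an integrity check by default;
--    a column that must be indexed has to be declared NO SALT.
CREATE TABLE hr.payment_cards (
    card_id  NUMBER       PRIMARY KEY,
    emp_id   NUMBER       NOT NULL,
    card_no  VARCHAR2(19) ENCRYPT USING 'AES256',
    expiry   VARCHAR2(5)  ENCRYPT USING 'AES256' NO SALT
);
ALTER TABLE hr.employees MODIFY (salary ENCRYPT USING 'AES256');

-- 3. Users with SELECT on the table still see cleartext; nothing changes for
--    applications. Encryption shows only in the dictionary and the datafiles.
SELECT owner, table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns;

-- 4. Rotate the table key; the column data is re-encrypted in place.
ALTER TABLE hr.payment_cards REKEY USING 'AES256';
```

The design point this makes concrete is where the trust boundary sits: the wallet password and the datafiles must be held by different people, or at least on different media, because whoever has both has everything. Encryption of whole tablespaces is not part of 10g R2; in this release the DBA chooses the sensitive columns one by one.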

Page 12: Oracle's Software Security Assurance

A strong guard against security flaws must be maintained, since a single flaw can let intruders bypass even the toughest security measures.

A secure system does not only offer security features but also prevents security flaws.

Oracle claims to have a security assurance programme that prevents security flaws.

Contrary to Oracle's claims, David Litchfield in his white paper claims that Oracle does not keep a record of the problems encountered and does not understand them.

Litchfield's claim is strengthened by the number of patches that Oracle has advised DBAs to install; this has the effect of adding complexity to the system.

Page 13: Cont…

[Chart: number of flaws by year]

Page 14: Summary

Database security is crucial to the safety of a user's personal data, which includes card numbers, bank details and medical details.

Firewalls on their own cannot combat all database security concerns.

Databases are only safe from network attack if they remain isolated from any network, which is rarely practical.

Oracle offers a layered security structure like that of a medieval castle. The outermost layer uses network firewalls, followed by authentication and authorisation (roles and privileges), auditing and finally data encryption.

Page 15: Questions and answers

