Copyright © 2017, Oracle and/or its affiliates. All rights reserved.
OpenWorld 2017 – Exadata Security Best Practices: Strategy, Tactics, and Real-World Experience
Jeffrey T. Wright, Oracle Sr. Principal Product Manager; Dan Norris, Oracle Consulting Member Technical Staff; Daniel Munteanu, IT Technical Architect
Oct 4, 2017
Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
How Did This Happen?
• Nearly half of the adults in the US were likely affected
• [Cyber] war is upon us
• Our enemy is evolving
Program Agenda
1. Security terminology
2. Threat agents and attack techniques
3. Strategy
4. Tactics – Architecture and implementation with Exadata
5. Real-world experience from BRD
Security Terminology
• Attack surface – Code within a computer system that can be reached and run by unauthorized users
• Port – Network term referring to a virtual endpoint
• Service – Operating system term for a background process or daemon
• Critical Patch Update (CPU) – Quarterly released security patches for Oracle products
• Authentication – Are you who you say you are?
• Authorization – Are you allowed to do what you have asked to do?
Threat Agents
• Unstructured hacker
• Structured hacker
• Organized crime, industrial espionage
• Insider
• Unfunded terrorist group or hacktivist
• Funded terrorist group
• Nation state
Source: https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-parker.pdf
Attack Techniques
• Penetration – infrastructure, platform, database, application
• Insider placement
• Insider recruitment
• Diversion
• Denial of service
• Distributed denial of service
• Interception / sniffing
• Spoofing / masquerading
• Substitution / modification
• Direct malicious code
• Indirect malicious code
Source: https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-parker.pdf
Strategy
• Fix vulnerabilities under our control
  – Don’t orient on threats that are out of our control
• Minimize attack surface
  – Code available to execute, ports and services, visible data
• Separate roles and require coordination of disinterested parties
  – Disinterested action and auditing keep parties honest
• Authentication, authorization, and auditing
  – Make sure people are who they say they are
  – Make sure the person is allowed to take the specific action
  – Make sure we are aware of everything that person is doing
Tactics – System Block Diagram
(Figure; only its labels survive extraction.) Layers: People and Apps, Data, Platform, Infrastructure, Ecosystem. Data controls: Encrypt, Redact, Mask, Subset, Protect. Components: Exadata (compute VMs, IB network, storage cells), DB Firewall, Key Vault, Audit Vault, Database Vault, ZFSSA, ZDLRA, Standby DB, Object Store. Environments: Dev, Test, Prod. Administrative roles: NetAdm, SysAdm, StgAdm, DBAdm. Networks: Admin Network, VLAN, and Firewall; Client Network, VLAN, and Firewall.
Exadata Infrastructure Security Features
• Signed firmware
  – Ensures pristine code is running on the chips
  – Reduces the hardware attack surface
• Smart storage – Exadata Storage Cell
  – Designed and built by Oracle for database security
  – Integrated with database security, including TDE
• InfiniBand storage network
  – Physical security through a dedicated network
  – InfiniBand partitioning
Exadata Cell Lockdown
• Cells can have remote access disabled – no direct SSH access to the cell OS
• Access must be re-enabled temporarily for maintenance (upgrades)
• New cell attributes: remoteAccessPerm, remoteAccessTemp
• Access can be enabled temporarily, with automatic lock-up again at a specified time
• The console is still reachable via ILOM
• Use exacli / exadcli from the DB nodes for cell commands
Centralized Cell Syslog
• Cells have had the syslogconf cell attribute for quite a while
• DB nodes have /etc/rsyslog.conf
  – On 12.1.2.1.0 and later they also have the syslogconf dbserver attribute
Forward the authpriv and security facilities to remote log servers, then send a test message to validate that the forwarding works:
cellcli> alter cell syslogconf=('authpriv.* @syslgsrv', 'security.* @seclogserver');
cellcli> alter cell validate syslogconf 'authpriv.error';
dbmcli> alter dbserver syslogconf=('authpriv.* @syslgsrv', 'security.* @seclogserver');
dbmcli> alter dbserver validate syslogconf 'authpriv.error';
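The rules above end up as rsyslog-style forwarding lines (/etc/rsyslog.conf on the DB nodes). The following check is an added example written for this page; it is not part of the deck or of the Exadata tooling. It parses such a file, confirms that the facilities you care about actually leave the box, and flags the single-@ form, which in rsyslog means plain UDP (lossy and unauthenticated; @@ selects TCP). The sample configuration is constructed and the function names are mine.

```python
# Added example, not from the Oracle deck: audit rsyslog-style forwarding rules.
# Assumptions (mine): input is /etc/rsyslog.conf text from a database node;
# the sample below is constructed, not a real Exadata file.
import re

# rsyslog remote targets: "@host[:port]" is plain UDP, "@@host[:port]" is TCP.
_FORWARD_RULE = re.compile(
    r"^\s*([^\s#]+)\s+(@@?)\[?([^\s:\]]+)\]?(?::(\d+))?\s*$"
)


def parse_forwarding(config_text):
    """Return (selector, transport, host, port) for every remote-forwarding line."""
    rules = []
    for line in config_text.splitlines():
        m = _FORWARD_RULE.match(line)
        if not m:
            continue  # local file target, comment, or unrelated directive
        selector, at_sign, host, port = m.groups()
        transport = "tcp" if at_sign == "@@" else "udp"
        rules.append((selector, transport, host, int(port) if port else 514))
    return rules


def selector_covers(selector, facility):
    """Does a selector such as 'authpriv.*' or '*.info;authpriv.none' send `facility`?"""
    covered = False
    for part in selector.split(";"):
        facilities, _, priority = part.rpartition(".")
        if not facilities:
            continue
        hit = facilities == "*" or facility in facilities.split(",")
        if hit and priority == "none":
            return False  # explicit exclusion, e.g. 'authpriv.none', wins
        covered = covered or hit
    return covered


def audit_forwarding(config_text, required=("authpriv",)):
    """Findings for facilities that are not forwarded, or forwarded over lossy UDP."""
    rules = parse_forwarding(config_text)
    findings = []
    for facility in required:
        matching = [r for r in rules if selector_covers(r[0], facility)]
        if not matching:
            findings.append("%s is not forwarded to any remote host" % facility)
        for selector, transport, host, port in matching:
            if transport == "udp":
                findings.append("%s -> %s:%d uses UDP; use @@host for TCP"
                                % (selector, host, port))
    return findings


# Constructed sample in the shape the slide's syslogconf attribute produces.
SAMPLE_RSYSLOG_CONF = """\
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
authpriv.*                                  /var/log/secure
authpriv.*                                  @syslgsrv
security.*                                  @@seclogserver:6514
"""

if __name__ == "__main__":
    for finding in audit_forwarding(SAMPLE_RSYSLOG_CONF, required=("authpriv", "kern")):
        print("FINDING:", finding)
```

Run against the sample, the UDP forward of authpriv is reported and kern is reported as not forwarded at all. Note that rsyslog treats the `security` facility as a deprecated alias of `auth`, so the second rule on the slide covers auth messages, not some separate security stream.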
ASM-Scoped Security Mode
(Figure: a DEV ASM cluster and its DEV grid disks.) ASM-scoped security restricts a set of grid disks on the storage servers to one named ASM cluster, so a database running in a different cluster cannot open them.
Exadata Cloud Service Network Security Features
• The firewall is built into the network
  – Software and hardware firewalls in Oracle Cloud Infrastructure
  – User self-service and the Oracle SR process
  – Default is to deny all traffic; any communication must be explicitly opened
• Port 22 is open by default for SSH; customers may restrict port 22 access as appropriate
• VPN to connect to on-premises networks
• VCN and private network implementations available
• Comprehensive security rules, lists, and policies
  – Ensure only appropriate ports and addresses have access to your services
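The two points to verify on such a rule set are that nothing is reachable without an explicit rule (default deny) and that no rule leaves an administrative or listener port open to the whole Internet, as the default port 22 rule does. The check below is an added example for this page, not code from the deck or from Oracle Cloud Infrastructure; the rule shape is my own simplification rather than the OCI security-list API schema, and the rules are constructed.

```python
# Added example, not from the Oracle deck: apply default deny to a set of ingress
# rules and flag any rule that exposes a sensitive port to 0.0.0.0/0. Rule shape
# is my simplification, not the OCI security-list API; the rules are constructed.
import ipaddress

SENSITIVE_PORTS = {22: "ssh", 1521: "db listener"}  # assumption: never world-open

# Constructed rule set: the default SSH rule the slide mentions, a listener rule
# scoped to the application subnet, and a listener rule open to the world.
INGRESS_RULES = [
    {"source": "0.0.0.0/0",    "protocol": "tcp", "port_min": 22,   "port_max": 22},
    {"source": "10.20.0.0/16", "protocol": "tcp", "port_min": 1521, "port_max": 1521},
    {"source": "0.0.0.0/0",    "protocol": "tcp", "port_min": 1521, "port_max": 1521},
]


def is_permitted(rules, src_ip, port, protocol="tcp"):
    """Default deny: a connection passes only if some rule explicitly matches it."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if r["protocol"] != protocol or not (r["port_min"] <= port <= r["port_max"]):
            continue
        if ip in ipaddress.ip_network(r["source"], strict=False):
            return True
    return False


def world_open_findings(rules, sensitive=SENSITIVE_PORTS):
    """Rules whose source is 0.0.0.0/0 (or ::/0) and whose range includes a sensitive port."""
    findings = []
    for r in rules:
        net = ipaddress.ip_network(r["source"], strict=False)
        if net.prefixlen != 0:
            continue
        for port, name in sorted(sensitive.items()):
            if r["port_min"] <= port <= r["port_max"]:
                findings.append("%s (%d/%s) open to %s"
                                % (name, port, r["protocol"], r["source"]))
    return findings


def restrict_world_open(rules, port, allowed_source):
    """Copy of `rules` with every world-open rule covering `port` re-scoped to allowed_source."""
    fixed = []
    for r in rules:
        net = ipaddress.ip_network(r["source"], strict=False)
        if net.prefixlen == 0 and r["port_min"] <= port <= r["port_max"]:
            r = dict(r, source=allowed_source)
        fixed.append(r)
    return fixed


if __name__ == "__main__":
    for finding in world_open_findings(INGRESS_RULES):
        print("FINDING:", finding)
    hardened = restrict_world_open(INGRESS_RULES, 22, "10.20.0.0/16")
    print("ssh from the Internet after fix:", is_permitted(hardened, "203.0.113.5", 22))
```

The same scan belongs in change control: a rule set that passes today can regress after a self-service change, which is what the slide's "explicit opening" process is meant to catch.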
Exadata Platform Security Features
• Hardened Oracle Enterprise Linux
• Minimal software deployment
• User accounts are secure by default
• Linux firewall
• Exadata Cloud
  – Default configuration per Oracle security best practices
• Exadata Database Machine
  – The "Resecure Machine" install step implements security best practices
Exadata Platform Default Security Implementation
• Short package install list
• Only necessary services enabled
• https management interface
• sshd secure default settings
• Password aging
• Maximum failed login attempts
• auditd monitoring enabled
• cellwall: iptables firewall
• CPUs included in patch bundles, releases synchronized
• System hardening
• Boot loader password protection
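The auditd and failed-login controls listed above only pay off if someone reads what they produce. As an added example for this page (not from the deck), the review below runs over constructed /var/log/secure-style lines from a database node and pulls out the three things these slides care about: successful SSH logins as privileged accounts, what was run through sudo (including a shell spawned via sudo, which hides every command that follows), and sources hammering the login with failed passwords. Host names, addresses and the log lines are constructed; the message formats follow OpenSSH and sudo.

```python
# Added example, not from the Oracle deck: review /var/log/secure-style lines on a
# database node for the events these slides audit. The log lines are constructed
# (rsyslog's default timestamp plus OpenSSH and sudo message text).
import re
from collections import Counter

SAMPLE_SECURE_LOG = """\
Oct  4 10:12:01 dbnode1 sshd[2241]: Accepted publickey for oracle from 10.1.1.5 port 50112 ssh2: RSA SHA256:c0ffee
Oct  4 10:12:30 dbnode1 sudo:   oracle : TTY=pts/0 ; PWD=/home/oracle ; USER=root ; COMMAND=/usr/bin/dbmcli -e list dbserver
Oct  4 10:13:00 dbnode1 sshd[2290]: Accepted password for root from 192.0.2.9 port 4040 ssh2
Oct  4 10:14:00 dbnode1 sshd[2301]: Failed password for invalid user admin from 198.51.100.7 port 5555 ssh2
Oct  4 10:14:02 dbnode1 sshd[2302]: Failed password for invalid user admin from 198.51.100.7 port 5556 ssh2
Oct  4 10:14:05 dbnode1 sshd[2303]: Failed password for root from 198.51.100.7 port 5557 ssh2
Oct  4 10:15:00 dbnode1 sudo:     grid : TTY=pts/1 ; PWD=/home/grid ; USER=root ; COMMAND=/bin/bash
"""

_ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+")
_FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
_SUDO = re.compile(r"sudo:\s+(\S+) : .*?USER=(\S+) ; COMMAND=(.*)$")
INTERACTIVE_SHELLS = ("/bin/bash", "/bin/sh", "/usr/bin/bash", "/bin/su", "/usr/bin/su")


def direct_privileged_logins(lines, privileged=("root", "oracle", "grid")):
    """(user, auth method, source) for SSH logins as accounts that should use sudo instead."""
    hits = []
    for line in lines:
        m = _ACCEPTED.search(line)
        if m and m.group(2) in privileged:
            hits.append((m.group(2), m.group(1), m.group(3)))
    return hits


def sudo_activity(lines):
    """(user, target user, command, is_shell); a shell via sudo hides the commands that follow."""
    out = []
    for line in lines:
        m = _SUDO.search(line)
        if m:
            cmd = m.group(3).strip()
            out.append((m.group(1), m.group(2), cmd, cmd.split()[0] in INTERACTIVE_SHELLS))
    return out


def failed_login_bursts(lines, threshold=3):
    """Source addresses with at least `threshold` failed password attempts."""
    counts = Counter(m.group(2) for m in map(_FAILED.search, lines) if m)
    return {src: n for src, n in counts.items() if n >= threshold}


def review(log_text):
    """Bundle the three checks over one log extract."""
    lines = log_text.splitlines()
    return {
        "privileged_logins": direct_privileged_logins(lines),
        "sudo": sudo_activity(lines),
        "bursts": failed_login_bursts(lines),
    }


if __name__ == "__main__":
    for section, items in review(SAMPLE_SECURE_LOG).items():
        print(section, items)
```

In the sample, the root login by password from 192.0.2.9 and the `sudo /bin/bash` by grid are the two lines a reviewer should chase; the burst from 198.51.100.7 is what the "maximum failed login attempts" lockout is there to absorb.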
Basic Exadata Platform Security Best Practices
• Restrict root’s login on DB nodes
  – Protect the console at the infrastructure level
• Disable direct login of privileged users on DB nodes
  – At least disable root; consider disabling oracle and grid as well
  – Currently, root login must be re-enabled during patching/upgrade events
• Use sudo to perform tasks as privileged users on DB nodes
  – Audit such actions; watch for unauthorized or unexpected access
• Use key-based (passwordless) SSH for authentication
  – Passwords have too many attack surfaces; key management is easier
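Whether these settings are really in force is a question about the effective sshd configuration, not about what was appended to the file: sshd honours the first occurrence of a keyword, so a `PermitRootLogin no` added below an earlier `PermitRootLogin yes` changes nothing. The audit below is an added example for this page, not code from the deck; the target values are my reading of the bullets above, and both configurations are constructed. "Passwordless" here means password authentication is switched off in sshd, not that private keys go unprotected; keep them under a passphrase and an agent.

```python
# Added example, not from the Oracle deck: audit an sshd_config for the DB-node
# settings in this slide. The parsing rule that matters: sshd takes the FIRST
# occurrence of a keyword, so an appended "PermitRootLogin no" is dead if an
# earlier line already says "yes". Both configs below are constructed samples.
import re

_DIRECTIVE = re.compile(r"^([A-Za-z0-9]+)\s*=?\s*(.*)$")  # "Key value" or "Key=value"

# Values assumed for a hardened DB node (my reading of the slide's bullets).
WANTED = (
    ("permitrootlogin", "no"),          # restrict root's direct login
    ("passwordauthentication", "no"),   # keys only; passwords have too many attack surfaces
    ("pubkeyauthentication", "yes"),
)


def effective_settings(config_text):
    """keyword (lower-cased) -> value as sshd resolves it for the global scope.

    First match wins. Parsing stops at the first Match block because directives
    inside it apply only to the matched connections and need separate review."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value)  # keep the first value seen
    return settings


def audit_sshd(config_text, privileged_users=("oracle", "grid")):
    """Findings (empty list == passes) against the slide's best practices."""
    eff = effective_settings(config_text)
    findings = []
    for key, want in WANTED:
        got = eff.get(key)
        if got is None or got.lower() != want:
            findings.append("%s: want %s, effective value is %s"
                            % (key, want, got or "unset (sshd default applies)"))
    denied = set(eff.get("denyusers", "").split())
    for user in privileged_users:
        if user not in denied:
            findings.append("%s can still log in directly; list it in DenyUsers and use sudo" % user)
    return findings


WEAK_SSHD_CONFIG = """\
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
# appended by a later hardening step -- never takes effect (first match wins)
PermitRootLogin no
"""

HARDENED_SSHD_CONFIG = """\
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
DenyUsers oracle grid
Match Address 10.20.0.0/16
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for finding in audit_sshd(WEAK_SSHD_CONFIG):
        print("FINDING:", finding)
    print("hardened config findings:", audit_sshd(HARDENED_SSHD_CONFIG))
```

The Match block in the hardened sample is deliberate: it re-enables password logins for one subnet, which this audit intentionally does not evaluate, so review Match blocks by hand (or with `sshd -T -C user=oracle,addr=...` on the node) before signing off.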
Post-Deployment Configuration
• Change the passwords of all default accounts (MOS 1291766.1)
  – Run: exachk -profile security
• Exachk: MOS 1070954.1
• Perform validation against local policies or rules
  – See MOS 1405320.1 for commonly identified audit findings
• Address site-specific requirements
Oracle Database Security Defense in Depth
• PREVENTIVE: Encryption & Redaction; Masking & Subsetting; DBA Controls & Cyber Security
• DETECTIVE: Activity Monitoring; Database Firewall; Auditing and Reporting
• ADMINISTRATIVE: Privilege & Data Discovery; Configuration Management; Key & Wallet Management
Protect the Data from Unauthorized Access
• Use TDE
  – Hardware offload for high performance
  – Included in the Exadata Cloud subscription and enabled by default for the databases you create
  – Enable it when you migrate to Exadata Cloud
• Use data redaction, masking, and subsetting for non-prod
  – Remove the non-prod attack surface for sensitive data
  – Mitigate the risk when other security is relaxed to make non-prod easier to use
  – Prevent unauthorized developers and testers from seeing sensitive information
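What a non-prod copy has to satisfy is concrete: sensitive values must be gone (not merely hidden), rows that identify the same person must still line up so application joins and tests work, and subsetting must not leave child rows pointing at parents that were dropped. The example below is added for this page and is not Oracle Data Masking and Subsetting or any code from the deck; it shows those three properties over constructed customer and card rows. The masking key, column choices and helper names are my assumptions.

```python
# Added example, not from the Oracle deck and not Oracle Data Masking and Subsetting:
# the properties a practitioner verifies on a non-prod copy, over constructed rows.
# Tokens are keyed (HMAC) so identical values map to identical tokens and joins
# survive, while the key stays in production and is rotated per refresh (assumption).
import hashlib
import hmac

MASKING_KEY = b"example-key-never-copied-to-non-prod"  # assumption: real key lives in prod only

# Constructed sample data, not real customers.
CUSTOMERS = [
    {"cust_id": 1, "name": "Ana Popescu", "national_id": "2900101123456", "email": "ana@example.com", "region": "EU"},
    {"cust_id": 2, "name": "Ion Ionescu", "national_id": "1850505654321", "email": "ion@example.com", "region": "EU"},
    {"cust_id": 3, "name": "Mary Smith", "national_id": "078051120", "email": "mary@example.com", "region": "US"},
]
CARDS = [
    {"card_id": 10, "cust_id": 1, "pan": "4111111111111111"},
    {"card_id": 11, "cust_id": 1, "pan": "5555555555554444"},
    {"card_id": 12, "cust_id": 3, "pan": "378282246310005"},
]


def tokenize(value, key=MASKING_KEY):
    """Deterministic keyed token: same input -> same token, not reversible without the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def redact_pan(pan):
    """Keep only the last four digits, as a support screen would show them."""
    return "*" * (len(pan) - 4) + pan[-4:]


def mask_customer(row):
    """Replace the sensitive columns; leave non-sensitive ones (ids, region) intact."""
    masked = dict(row)
    masked["name"] = "Customer-" + tokenize(row["name"])[:8]
    masked["national_id"] = tokenize(row["national_id"])
    masked["email"] = tokenize(row["email"]) + "@masked.invalid"  # never a deliverable address
    return masked


def subset(customers, cards, keep):
    """Keep the customers selected by `keep` and only the child rows that reference them."""
    parents = [c for c in customers if keep(c)]
    ids = {c["cust_id"] for c in parents}
    return parents, [k for k in cards if k["cust_id"] in ids]


def build_nonprod_copy(customers, cards, keep):
    """Subset first, then mask, so masking effort is spent only on rows that ship."""
    parents, children = subset(customers, cards, keep)
    return ([mask_customer(c) for c in parents],
            [dict(k, pan=redact_pan(k["pan"])) for k in children])


def orphan_cards(customers, cards):
    """Child rows whose parent was dropped: must be empty after subsetting."""
    ids = {c["cust_id"] for c in customers}
    return [k for k in cards if k["cust_id"] not in ids]


if __name__ == "__main__":
    cust, cards = build_nonprod_copy(CUSTOMERS, CARDS, lambda c: c["region"] == "EU")
    for row in cust:
        print(row)
    print("orphans:", orphan_cards(cust, cards))
```

Keyed tokens rather than plain hashes matter for low-entropy columns such as national IDs: an unkeyed SHA-256 of a 13-digit number is reversible by enumeration, a keyed one is not as long as the key never reaches the non-prod environment.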
Operational Security Considerations
Remain security-minded when patching, upgrading, and backing up
• Customizations are permitted on DB nodes, not on storage cells
• Backups can be encrypted
• Patching or upgrading may "undo" some changes; verify afterwards
• DB node updates use yum commands with excludes (see the documentation for the excludes)
Operational Security Considerations (continued)
• Periodic reviews to ensure settings remain and vulnerabilities don’t
• Secure erase for storage cells is available
• Disk drive retention is available
• Oracle Enterprise Manager Governance, Risk & Compliance Manager continuously reviews the system
Operational Security Considerations – Patching considerations
Component                      | Access required
Database – patch set           | Database server root, software home owner, passwordless SSH to all software home owners (on other nodes)
Database – bundle patch        | Database server root, software home owner
Grid Infrastructure            | Same as Database
Exadata Database Server (OS)   | Database server root, passwordless SSH to database server root
Exadata Storage Server         | Database server root, passwordless SSH from database server root to storage server root (temporarily disable lockdown)
InfiniBand Switch              | Database server root, passwordless SSH to InfiniBand switch root
Security Technical Implementation Guide – STIG
Especially important to the public sector
• Exadata STIG Fix script: How to configure and execute the Exadata StigFix script for Exadata STIG environments (Doc ID 2181944.1)
  – Script to implement additional security hardening for STIG customers
• SCAP: Oracle Exadata Database Machine DoD STIG and SCAP Guidelines (Doc ID 1526868.1)
  – Specific guidance on running SCAP reports, including false positives and mitigations
Compliance
• Exadata Database Machine can be used for PCI-compliant systems
• Exadata Cloud at Customer PCI certification targeted for Jan 2018
• Roadmap for Exadata Cloud at Customer – SOC 1 Type II, HIPAA, ISO 27001
http://www.oracle.com/technetwork/database/exadata/exadata-pci-dss-3101847.pdf
BRD Next GEN IT Infrastructure – Exadata Cloud at Customer project
Daniel Munteanu, IT Technical Architect, BRD – Information Technology Department
October 04, 2017
01 – About BRD
BRD, member of Groupe Societe Generale, is one of the market leaders in Romania for individual customers. It counts 2.3 million customers, who contact the bank through classic branches, the Internet, the mobile phone and also through a high-performance contact centre.
BRD is among the top banks active on the market of loans for individuals and on cards. The bank’s sales force operates in a network of approx. 800 branches. The bank is one of the major financers for SMEs, as well as one of the most important players in Romanian corporate banking.
Societe Generale is one of the largest European financial services groups. With more than 145,000 employees based in 66 countries, it accompanies 31 million clients throughout the world on a daily basis. Societe Generale’s teams offer advice and services to individual, corporate and institutional customers in three core businesses:
• Retail banking in France
• International retail banking, financial services and insurance
• Corporate and investment banking, private banking, asset management and investor services
02 – BRD IT Department strategy: cloud transformation builds the essential foundations for digital transformation
What we propose as actor:
• We already shifted to a fully virtualized infrastructure
• We promote the migration to private cloud. We are ready
• By 2021: migration of 50% of our virtualized infrastructures to private cloud through self-provisioning, metering and charge-back
What we propose as catalyst & contributor:
• We set up "Go to Cloud" services to support application transformation
• We contribute to reducing the footprint of traditional, heavy applications and to simplifying BRD’s IS architecture
• We adopt cloud-native architectures
03 – Cloud and Automation bring significant benefits
• Scalability – Cloud services consumption is dynamic and scalable, including workload peaks
• Resilience & Security – Improved production quality; simplified business continuity management
• Savings – Consistent savings, mainly from standardisation
• Pay-per-use – Time-to-market; on-demand, on-spot resources at effective cost
• Autonomy to continuously deliver business applications
04 – Exadata Cloud at Customer implementation in BRD
Project scope
• A solution for BRD’s Oracle databases that provides high performance, high availability and scalability for any type of workload: OLTP, DW, mixed
• Flexible growth in a Pay-as-you-Grow model
• Build a platform for IaaS (on OCM) for BRD Test & Dev teams
Perimeter
• 180 Oracle DBs on PROD/Test/DRC environments
• All databases encrypted with AES-256. The encryption performance overhead was <2% thanks to AES hardware acceleration on Intel chips
Application details
• Online banking
• Insurance
• Reporting (financial, risk, etc.)
BRD Exadata Cloud at Customer configuration
• OCM Model 288
• Exadata Cloud at Customer Prod Quarter Rack
• Exadata Cloud at Customer DRC/Test Quarter Rack
Exadata Cloud at Customer – Hardware Details (figure)
05 – Exadata Cloud at Customer architecture and security considerations
• Firewalls secure the internal BRD network using 10 Gb throughput per port
• Oracle Transparent Data Encryption is used to encrypt all data tablespaces. Data is encrypted using AES 256-bit keys
• Master keys are stored outside of ExaCC in a specialized Hardware Security Module
• The Disaster Recovery site is synchronized with Data Guard on a similar environment, secured with firewalls, AES-256 encryption and an external Hardware Security Module
(Figure: ExaCC 1 – Production; ExaCC 2 – Standby; Oracle Cloud Machine 1 – cloud control plane for the two ExaCCs)
06 – Exadata Cloud at Customer – solution benefit
Before
• Multiple DB servers with different versions, placed on different server platforms (IBM Power, Intel x86)
• Provisioning new database servers was a time-consuming operation
• Hard to manage licensing
• Hard to implement a standard policy for backups
• DB disaster recovery based on storage replication
After
• All Oracle DBs are stored on ExaCC, the engineered platform for Oracle Databases
• Provisioning new databases is done automatically using the cloud interface
• All databases on ExaCC are backed up automatically to VTL using 10 Gbps Ethernet
• Disaster recovery will be based on Oracle Data Guard (DB replication)
Benefit
• Improved performance, reliability and scalability. Pay-per-use model with instant boosting
• Reduced time to market, reduced human errors
• Simple licensing model – pay per use
• Standardization and reduced backup/restore windows for applications
• Reduced bandwidth for database replication, database consistency and simplified DRC procedures
“Powerful Database Cloud Platform, fully licensed, scalable in just one click, in our datacenter.”
– Dan Lungu, Head of Database and Middleware Platforms, BRD – Information Technology Department
Next Steps – Get Educated
References
Note or URL – Description
http://is.gd/orasec – Oracle Security Alerts subscription
1068804.1 – Guidelines for enhancing the security for an Oracle Database Machine deployment
1291766.1 – How to change OS user password for Cell Node, Database Node, ILOM, KVM, Infiniband Switch, GigaBit Ethernet Switch and PDU on Exadata
888828.1 – Exadata Database Machine and Exadata Storage Server Supported Versions
1405320.1 – Responses to common Exadata security scan findings
http://is.gd/exaconsolidation – Oracle Exadata Database Machine Consolidation: Segregating Databases and Roles
http://is.gd/entsecassessment – Enterprise Data Security Assessment
References (continued)
MOS Note – Description
2069987.1 – HOWTO: Update JDK on Exadata Database Nodes
2075464.1 – HOWTO: Update JDK on Exadata Storage Cell Nodes
1070954.1 – Oracle Exadata Database Machine exachk or Health Check
2207063.1 – HOWTO: Install ksplice kernel updates for Exadata Database Nodes
1526868.1 – Oracle Exadata Database Machine DoD STIG and SCAP Guidelines
1274318.1 – Oracle Sun Database Machine Setup/Configuration Best Practices
1068804.1 – Guidelines for enhancing the security for an Oracle Database Machine deployment