Uploaded byxKinAnx
834 views

Presentation database security enhancements with oracle

The document outlines the security enhancements introduced in Oracle Database 11g, focusing on secure configuration, enhanced password management, and improved access controls. Key features include mandatory password complexity, preconfigured audit settings, and enhanced security for external network service access. The document also emphasizes ongoing security assurance and the importance of adapting security settings to organizational needs.

Database Security Enhancements With Oracle Database 11g Daniel Wong Director of Engineering, Database Security Oracle Corporation
2 Agenda • About Oracle Software Security Assurance • Overview of Security Enhancements in 11g • Secure Configuration Enhancements • Other Key Security Enhancements • Q&A
3 Oracle Software Security Assurance All the processes, procedures, and technologies that have been implemented to ensure that Oracle’s products are meeting our customers’ security requirements, while providing for the most cost-effective ownership experience. Product Development Product Definition Ongoing Assurance Secure Coding Standards
4 Oracle Software Security Assurance Secure Configuration • Enhance “out of the box installation” settings to be more secure • Remove default passwords • Disable unneeded services • Reduce proliferation of powerful privileges • Identify and minimize potential effects of enhanced secure configuration settings: • Impacts resulting from version upgrade • Impacts on Oracle and third-party applications • Document and share current security best practices • http://www.oracle.com/security/resource-library.html
5 Oracle Software Security Assurance Secure Configuration • Goals: • Improve security of default configuration • Secure by Default while maintaining upgradability and usability • Inputs: • Internal: Various Oracle Software Security Assurance programs • External: CIS, SANS, DISA • Recent Enhancements: • Locked default accounts, expired passwords • Optional install of demo schemas • Best Practices document • Default password/account scanner
6 Secure Configuration Enhancements with 11g - Overview 1. Default Audit Settings • Preconfigured • Enhanced performance 2. Default Password Management • Enhanced protection against brute force attack • Complexity enforcement procedure • Built-in default password scanner 3. Enhanced Authentication • Case sensitive password authentication • Control authentication version 4. Enhanced Access Control • Improved security for several utl* packages
7 Audit Settings • Key requirement for compliance • 10gR2: OFF by default • 11g: • AUDIT_TRAIL=DB by default in DBCA • security-relevant actions audited • Performance: • Set audit_trail=XML or OS for best performance • In our informal lab environment, we found 1-2% performance degradation for the TPCC benchmark with AUDIT_TRAIL=DB and our default auditing statements
8 Updated Default Audit Settings • Statement Audit option • ROLE • Privilege Audit Options • CREATE USER • ALTER USER • DROP USER • CREATE SESSION • CREATE ANY TABLE • ALTER ANY TABLE • DROP ANY TABLE • CREATE ANY PROCEDURE • ALTER ANY PROCEDURE • DROP ANY PROCEDURE • ALTER PROFILE • DROP PROFILE • GRANT ANY PRIVILEGE • GRANT ANY OBJECT PRIV. • GRANT ANY ROLE • CREATE ANY JOB • CREATE EXTERNAL JOB • CREATE ANY LIBRARY • CREATE PUBLIC DB LINK • EXEMPT ACCESS POLICY • ALTER DATABASE • ALTER SYSTEM • AUDIT SYSTEM
9 Default Profile Password Settings • 10gR2 • FAILED_LOGIN_ATTEMPTS = 10 • all others: unlimited • 11g - more restrictive • FAILED_LOGIN_ATTEMPTS = 10 (no change) • PASSWORD_LOCK_TIME = 1 • PASSWORD_GRACE_TIME = 7 • PASSWORD_LIFE_TIME = 180 • Balanced protection against Denial of Service (DOS) and password attacks while keeping usability
10 Password Complexity • Supports case sensitive passwords • Supports special and multi-byte characters to increase security and usability • Takes effect immediately after password change • Enhanced default password complexity verification • Password Complexity Verification not enabled in default profile; can be enabled via Enterprise Manager or SQL • In utlpwdmg.sql in $ORACLE_HOME/admin directory • SQL to set the password complexity verification • ALTER PROFILE DEFAULT PASSWORD_VERIFY_FUNCTION verify_function_11G • This routine will verify that password • Has minimum length of 8 characters • Has at least one letter and one digit • Is not username, reverse thereof, or username(1-100) • Is not one of a few common passwords (e.g. welcome1) • Must differ from previous password by at least 3 characters
11 Password Complexity Recommendations • Default password profile parameters may not suit everyone • Adjust the password settings to your security needs • Change default password verification routine as per your needs • Define at least two password profiles - one for users and one for mid-tiers and administrators • Password recommendations vary with use cases: • See for example, recommendations for E-Business Suite - MetaLink 189367.1 • See also Visit OTN: otn.oracle.com -> products -> database -> security and compliance for detailed recommendations
12 Default Password View • View DBA_USERS_WITH_DEFPWD will show all accounts still using default passwords • Over 140 default username/passwords collected from the field, including application accounts for Peoplesoft and Ebizs • SQL> desc DBA_USERS_WITH_DEFPWD • Name Null? Type • ----------------------------------------- -------- ---------------------------- • USERNAME NOT NULL VARCHAR2(30) • SQL> select * from DBA_USERS_WITH_DEFPWD • 2 ; • USERNAME • ------------------------------ • JONES
13 Enhanced Authentication • Supports multi-bytes and special characters • Case sensitive passwords always enforced • Use SEC _ CASE _ SENSITIVE _ LOGON to turn it OFF if necessary • Set SQLNET . ALLOWED _ LOGON _ VERSION to highest OCI client version in use: • Use 8 if there are Oracle 8.x clients connecting to the DB • Use 9 if there are Oracle 9.x clients connecting to the DB • Use 11 if there are Oracle 10.x and/or 11.x clients connecting to the DB • Use 8 if there are pre-Oracle 11g JDBC pure Java client connecting to the DB • Use of SHA-1 hashing algorithm to protect password
14 Enhanced Access Control • Improved security for several utl* packages • UTL_TCP, UTL_SMTP, UTL_MAIL, UTL_HTTP, etc. • These packages will no longer allow connections to external network services to non-privileged users by default • SYS and XDB schemas will specifically remain excluded from this kind of restriction • DBAs will be able to specify what network services database users will be allowed to access when using these packages.
15 Enhanced Access Control Recommendations • Open access to external network services only minimally • Specify down to hosts and ports, avoid unnecessary “*” wildcards • Have small number of ACLs for manageability and performance • Share ACLs among network services open to the same users • Consider giving access indirectly through application schemas • Applications can further restrict user interaction with network services
16 Access Control Administration • Administration via DBMS_NETWORK_ACL_ADMIN • Grant access to a network service • create_acl – create an ACL for the first user • assign_acl – assign ACL to network service • Grant access to more users in ACL – add_privilege • Revoke access from users in ACL – delete_privilege • Stop access to network services • unassign_acl – take ACL away from network service • All ACL changes are transactional • Remember to “COMMIT” the transaction !!! • View ACL settings via dictionary views • DBA_NETWORK_ACLS – which network services have ACLs? • DBA_NETWORK_ACL_PRIVILEGES – who are in the ACLs?
17 Access Control Administration Example begin dbms_network_acl_admin.create_acl( acl => 'smtp-access.xml', description => 'ACL for SMTP service', principal => 'MAILAGENT', is_grant => TRUE, privilege => 'connect'); dbms_network_acl_admin.assign_acl( acl => 'smtp-access.xml', host => 'smtp-host.oracle.com', lower_port => 25); end; / commit;
18 Access Control Administration Example SQL> select * from dba_network_acls; HOST LOWER_PORT UPPER_PORT ACL -------------------- ---------- ---------- ------------------------- smtp-host.oracle.com 25 25 /sys/acls/smtp-access.xml SQL> select * from dba_network_acl_privileges; ACL PRINCIPAL PRIVILEGE ------------------------- -------------------- --------- /sys/acls/smtp-access.xml MAILAGENT connect
19 How Do These Changes Impact Installation? • Default new installations will include audit and password profiles • Option during install to retain 10gR2 settings • DBCA screens to: • Revert back to 10gR2 settings for audit and/or password • Apply new default settings • Upgrades will not change the audit and password profile settings
20 Recommendations for Upgrades I • Audit settings • Turn on auditing for security sensitive DDL operations listed • Set to DB or DB_extended for querability • Set to OS or XML for performance • Password Management • Institute password policies by classifying users into a different usage groups and assign dedicated profiles to each group • Check DBA_USERS_WITH_DEFPWD for default passwords
21 Recommendations for Upgrades II • Authentication • Identify sources of connection and set security level to highest possible supported by the client • Ask users to change password as soon as possible for case sensitive password to take effect • Look into EUS for centralized user management • Reminder: we support connect username/password as SYSDBA • Access Control • Identify applications using utl_* packages, and identify and grant appropriate new ACL privileges and confirm applications are running fine • Evaluate current privileges granted, follow least privileged model
22 Other Key Security Enhancements • Tablespace Encryption option in Transparent Data Encryption • Allows bulk encryption at tablespace level • No restriction on data types and indexes • Works with all High Availability offerings • Hardware Security Module and External Key Server support in Transparent Data Encryption • Provides additional option for security and key management services by third party products • Management of SYSDBA and SYSOPER in Enterprise User Security • Identity management of super users in databases • Enhanced Kerberos support • Cross realm and type 4 certificate support • Support Microsoft KDC default encryption modes
23 Oracle Software Security Assurance Conclusion • MAXIMUM SECURITY • Best of breed security features • Secure design from the ground up • Effective vulnerability remediation process • LOWER COST OF OWNERSHIP • Unwavering commitment to maintaining our customer’s security posture • Predictable security patch process • Priority given to quality
24 For More Information • Oracle Software Security Assurance Web Site at http://www.oracle.com/security/software-security-assurance.html • Technical white papers and security guides • Online security seminars and webcasts • Blogs and more • Critical Patch Update & Security Alerts at http://www.oracle.com/technology/deploy/security/alerts.htm • Critical Patch Updates and current security alerts • Patch download • CPU documentation & Risk Matrices http://search.oracle.com Oracle Software Security Assurance

More Related Content

PDF
Oracle Security Presentation
byFrancisco Alvarez
 
PPTX
Oracle Database Security
byTroy Kitch
 
PPT
SQL Server Security - Attack
bywebhostingguy
 
PPSX
Ppt dbsec-oow2013-avdf
byMelody Liu
 
PPTX
Security Inside Out: Latest Innovations in Oracle Database 12c
byTroy Kitch
 
PPT
Auditing security of Oracle DB (Karel Miko)
byDCIT, a.s.
 
PDF
Oracle Database 11g Security and Compliance Solutions - By Tom Kyte
byEdgar Alejandro Villegas
 
PPTX
Oracle Database Firewall - Pierre Leon
byOracleVolutionSeries
 
Oracle Security Presentation
byFrancisco Alvarez
 
Oracle Database Security
byTroy Kitch
 
SQL Server Security - Attack
bywebhostingguy
 
Ppt dbsec-oow2013-avdf
byMelody Liu
 
Security Inside Out: Latest Innovations in Oracle Database 12c
byTroy Kitch
 
Auditing security of Oracle DB (Karel Miko)
byDCIT, a.s.
 
Oracle Database 11g Security and Compliance Solutions - By Tom Kyte
byEdgar Alejandro Villegas
 
Oracle Database Firewall - Pierre Leon
byOracleVolutionSeries
 

What's hot

PDF
Ppt security-database-overview-11g r2
byOracle BH
 
PPTX
Introducing Oracle Audit Vault and Database Firewall
byTroy Kitch
 
PDF
AV/DF Advanced Security Option
byDLT Solutions
 
PPTX
Oracle Audit Vault Training | Audit Vault - Oracle Trainings
byOracleTrainings
 
PPTX
Geek Sync | Understanding Oracle Database Security
byIDERA Software
 
PDF
Oracle database 12c security and compliance
byFITSFSd
 
PPTX
Oracle Key Vault Overview
byTroy Kitch
 
PPT
Oracle Database Vault
byMarco Alamanni
 
PPTX
Isaca sql server 2008 r2 security & auditing
byAntonios Chatzipavlis
 
PPTX
Database Options
byConnor McDonald
 
PDF
Database & Technology 1 _ Barbara Rabinowicz _ Database Security Methoda and ...
byInSync2011
 
DOC
Oracle Audit vault
byuzzal basak
 
PDF
Oracle security 08-oracle network security
byZhaoyang Wang
 
PDF
Oracle Key Vault Data Subsetting and Masking
byDLT Solutions
 
PDF
Database security issues
byn|u - The Open Security Community
 
PPTX
SQL Server 2012 Security Task
byYaakub Idris
 
PDF
Oracle database 12c data masking and subsetting guide
bybupbechanhgmail
 
PPT
Database Systems Security
byamiable_indian
 
PPT
Sql Server Security
byVinod Kumar
 
PPTX
DevTalks.ro 2019 What's New in MySQL 8.0 Security
byGeorgi Kodinov
 
Ppt security-database-overview-11g r2
byOracle BH
 
Introducing Oracle Audit Vault and Database Firewall
byTroy Kitch
 
AV/DF Advanced Security Option
byDLT Solutions
 
Oracle Audit Vault Training | Audit Vault - Oracle Trainings
byOracleTrainings
 
Geek Sync | Understanding Oracle Database Security
byIDERA Software
 
Oracle database 12c security and compliance
byFITSFSd
 
Oracle Key Vault Overview
byTroy Kitch
 
Oracle Database Vault
byMarco Alamanni
 
Isaca sql server 2008 r2 security & auditing
byAntonios Chatzipavlis
 
Database Options
byConnor McDonald
 
Database & Technology 1 _ Barbara Rabinowicz _ Database Security Methoda and ...
byInSync2011
 
Oracle Audit vault
byuzzal basak
 
Oracle security 08-oracle network security
byZhaoyang Wang
 
Oracle Key Vault Data Subsetting and Masking
byDLT Solutions
 
Database security issues
byn|u - The Open Security Community
 
SQL Server 2012 Security Task
byYaakub Idris
 
Oracle database 12c data masking and subsetting guide
bybupbechanhgmail
 
Database Systems Security
byamiable_indian
 
Sql Server Security
byVinod Kumar
 
DevTalks.ro 2019 What's New in MySQL 8.0 Security
byGeorgi Kodinov
 

Similar to Presentation database security enhancements with oracle

PDF
Kangaroot EDB Webinar Best Practices in Security with PostgreSQL
byKangaroot
 
PDF
Presentation database security audit vault & database firewall
byxKinAnx
 
PPT
Less10 security mb3
byImran Ali
 
PDF
Oracle Enterprise Manager 12c: updates and upgrades.
byRolta
 
PPTX
Security of Oracle EBS - How I can Protect my System (UKOUG APPS 18 edition)
byAndrejs Prokopjevs
 
PDF
Oracle Database Performance Tuning Advanced Features and Best Practices for DBAs
byZohar Elkayam
 
PDF
SOUG Day Oracle 21c New Security Features
byStefan Oehrli
 
PPTX
Enterprise-class security with PostgreSQL - 1
byAshnikbiz
 
PPTX
Geek Sync | Handling HIPAA Compliance with Your Data Access
byIDERA Software
 
PDF
2008 Collaborate IOUG Presentation
byBiju Thomas
 
PPTX
Oracle Database 23c Security New Features.pptx
bySatishbabu Gunukula
 
PDF
Improve oracle 12c security
byLaurent Leturgez
 
PDF
A to z for sql azure databases
byAntonios Chatzipavlis
 
PPTX
Improving oracle12c security
byLaurent Leturgez
 
PPTX
unit 5 in the database for master of Engineering
bypoonkodiraja2806
 
PPT
ch03_2.pptfsfsfsfsfsfsfsfsfsfsfsffsssfsffff
byDiaaUliyan
 
PPTX
SQL Server 2016: Just a Few of Our DBA's Favorite Things
byHostway|HOSTING
 
PPTX
Centrify Access Manager Presentation.pptx
byjohncenafls
 
PDF
Best Practices in Security with PostgreSQL
byEDB
 
PDF
(ATS4-PLAT03) Balancing Security with access for Development
byBIOVIA
 
Kangaroot EDB Webinar Best Practices in Security with PostgreSQL
byKangaroot
 
Presentation database security audit vault & database firewall
byxKinAnx
 
Less10 security mb3
byImran Ali
 
Oracle Enterprise Manager 12c: updates and upgrades.
byRolta
 
Security of Oracle EBS - How I can Protect my System (UKOUG APPS 18 edition)
byAndrejs Prokopjevs
 
Oracle Database Performance Tuning Advanced Features and Best Practices for DBAs
byZohar Elkayam
 
SOUG Day Oracle 21c New Security Features
byStefan Oehrli
 
Enterprise-class security with PostgreSQL - 1
byAshnikbiz
 
Geek Sync | Handling HIPAA Compliance with Your Data Access
byIDERA Software
 
2008 Collaborate IOUG Presentation
byBiju Thomas
 
Oracle Database 23c Security New Features.pptx
bySatishbabu Gunukula
 
Improve oracle 12c security
byLaurent Leturgez
 
A to z for sql azure databases
byAntonios Chatzipavlis
 
Improving oracle12c security
byLaurent Leturgez
 
unit 5 in the database for master of Engineering
bypoonkodiraja2806
 
ch03_2.pptfsfsfsfsfsfsfsfsfsfsfsffsssfsffff
byDiaaUliyan
 
SQL Server 2016: Just a Few of Our DBA's Favorite Things
byHostway|HOSTING
 
Centrify Access Manager Presentation.pptx
byjohncenafls
 
Best Practices in Security with PostgreSQL
byEDB
 
(ATS4-PLAT03) Balancing Security with access for Development
byBIOVIA
 

More from xKinAnx

PPTX
Engage for success ibm spectrum accelerate 2
byxKinAnx
 
PPTX
Accelerate with ibm storage ibm spectrum virtualize hyper swap deep dive
byxKinAnx
 
PDF
Software defined storage provisioning using ibm smart cloud
byxKinAnx
 
PDF
Ibm spectrum virtualize 101
byxKinAnx
 
PDF
Accelerate with ibm storage ibm spectrum virtualize hyper swap deep dive dee...
byxKinAnx
 
PDF
04 empalis -ibm_spectrum_protect_-_strategy_and_directions
byxKinAnx
 
PPTX
Ibm spectrum scale fundamentals workshop for americas part 1 components archi...
byxKinAnx
 
PPTX
Ibm spectrum scale fundamentals workshop for americas part 2 IBM Spectrum Sca...
byxKinAnx
 
PPTX
Ibm spectrum scale fundamentals workshop for americas part 3 Information Life...
byxKinAnx
 
PPTX
Ibm spectrum scale fundamentals workshop for americas part 4 Replication, Str...
byxKinAnx
 
PPTX
Ibm spectrum scale fundamentals workshop for americas part 4 spectrum scale_r...
byxKinAnx
 
PPTX
Ibm spectrum scale fundamentals workshop for americas part 5 spectrum scale_c...
byxKinAnx
 
PPTX
Ibm spectrum scale fundamentals workshop for americas part 6 spectrumscale el...
byxKinAnx
 
PPTX
Ibm spectrum scale fundamentals workshop for americas part 7 spectrumscale el...
byxKinAnx
 
PPT
Ibm spectrum scale fundamentals workshop for americas part 8 spectrumscale ba...
byxKinAnx
 
PPTX
Ibm spectrum scale fundamentals workshop for americas part 5 ess gnr-usecases...
byxKinAnx
 
PDF
Presentation disaster recovery in virtualization and cloud
byxKinAnx
 
PDF
Presentation disaster recovery for oracle fusion middleware with the zfs st...
byxKinAnx
 
PDF
Presentation differentiated virtualization for enterprise clouds, large and...
byxKinAnx
 
PDF
Presentation desktops for the cloud the view rollout
byxKinAnx
 
Engage for success ibm spectrum accelerate 2
byxKinAnx
 
Accelerate with ibm storage ibm spectrum virtualize hyper swap deep dive
byxKinAnx
 
Software defined storage provisioning using ibm smart cloud
byxKinAnx
 
Ibm spectrum virtualize 101
byxKinAnx
 
Accelerate with ibm storage ibm spectrum virtualize hyper swap deep dive dee...
byxKinAnx
 
04 empalis -ibm_spectrum_protect_-_strategy_and_directions
byxKinAnx
 
Ibm spectrum scale fundamentals workshop for americas part 1 components archi...
byxKinAnx
 
Ibm spectrum scale fundamentals workshop for americas part 2 IBM Spectrum Sca...
byxKinAnx
 
Ibm spectrum scale fundamentals workshop for americas part 3 Information Life...
byxKinAnx
 
Ibm spectrum scale fundamentals workshop for americas part 4 Replication, Str...
byxKinAnx
 
Ibm spectrum scale fundamentals workshop for americas part 4 spectrum scale_r...
byxKinAnx
 
Ibm spectrum scale fundamentals workshop for americas part 5 spectrum scale_c...
byxKinAnx
 
Ibm spectrum scale fundamentals workshop for americas part 6 spectrumscale el...
byxKinAnx
 
Ibm spectrum scale fundamentals workshop for americas part 7 spectrumscale el...
byxKinAnx
 
Ibm spectrum scale fundamentals workshop for americas part 8 spectrumscale ba...
byxKinAnx
 
Ibm spectrum scale fundamentals workshop for americas part 5 ess gnr-usecases...
byxKinAnx
 
Presentation disaster recovery in virtualization and cloud
byxKinAnx
 
Presentation disaster recovery for oracle fusion middleware with the zfs st...
byxKinAnx
 
Presentation differentiated virtualization for enterprise clouds, large and...
byxKinAnx
 
Presentation desktops for the cloud the view rollout
byxKinAnx
 

Recently uploaded

PPTX
Behind the Scenes at Netflix: Distributed Systems & NoSQL Architecture.
byayesha butalia
 
PDF
Unleash the Power of Salesforce Winter ’26 Release.pdf
byyoyoloftis
 
PDF
Starting a Customer Education Program: Taking Your Training to Them
byRustici Software
 
PDF
Dream Companion Reviews, Pricing, & Alternatives
byDream Companion
 
PDF
Meta and Apple close to settling EU cases.pdf
byLUMINATIVE MEDIA/PROJECT COUNSEL MEDIA GROUP
 
PDF
Tilannekatsaus tekoälytoimintaan Suomessa.pdf
byMindtrek
 
PDF
A SEA of Energy Efficiency Opportunities!
byMemoori
 
PDF
Optimizing a Global Training Strategy: An LKQ Corporation Case Study
byRustici Software
 
PDF
NeuroXR: Current Research and Opportunities
byMark Billinghurst
 
PPTX
CLOUD STUDY JAM 2025 GOOGLE DEVELOPER GROUPS ON CAMPUS NSEC
byasutoshkumar560
 
PDF
What Is Agentic AI and How Is It Transforming ERP Systems?
byScalaCode
 
PDF
Manage VMs on Kubernetes - Introduction to KubeVirt - Meetup MUC 10.2025
byTobias Schneck
 
PDF
The Role of Human Experiences (HX) in GenAI Adoption
byDr. Tathagat Varma
 
PDF
Supercharge your JVM performance with Project Leyden and Spring Boot
byAmmbra
 
PDF
Mapping Your Ecosystem: Uniting Content and Data across Systems
byRustici Software
 
PDF
TrustArc Webinar - The Future of Third-Party Privacy Risk: Trends, Tactics & ...
byTrustArc
 
PDF
Comprehensive Analysis of OpenAI's Strategic Transformation at DevDay 2025.pdf
byAlex Doan
 
PPTX
UiPath Platform: Architecture & Context [1/3]
bysuhanisingh58689
 
PPTX
Cloud Metrics: The Cost-Value Equation (All Things Open 2025)
byEric D. Schabell
 
PDF
Master Deck: GraphSummit Bengaluru (Oct 7)
byNeo4j
 
Behind the Scenes at Netflix: Distributed Systems & NoSQL Architecture.
byayesha butalia
 
Unleash the Power of Salesforce Winter ’26 Release.pdf
byyoyoloftis
 
Starting a Customer Education Program: Taking Your Training to Them
byRustici Software
 
Dream Companion Reviews, Pricing, & Alternatives
byDream Companion
 
Meta and Apple close to settling EU cases.pdf
byLUMINATIVE MEDIA/PROJECT COUNSEL MEDIA GROUP
 
Tilannekatsaus tekoälytoimintaan Suomessa.pdf
byMindtrek
 
A SEA of Energy Efficiency Opportunities!
byMemoori
 
Optimizing a Global Training Strategy: An LKQ Corporation Case Study
byRustici Software
 
NeuroXR: Current Research and Opportunities
byMark Billinghurst
 
CLOUD STUDY JAM 2025 GOOGLE DEVELOPER GROUPS ON CAMPUS NSEC
byasutoshkumar560
 
What Is Agentic AI and How Is It Transforming ERP Systems?
byScalaCode
 
Manage VMs on Kubernetes - Introduction to KubeVirt - Meetup MUC 10.2025
byTobias Schneck
 
The Role of Human Experiences (HX) in GenAI Adoption
byDr. Tathagat Varma
 
Supercharge your JVM performance with Project Leyden and Spring Boot
byAmmbra
 
Mapping Your Ecosystem: Uniting Content and Data across Systems
byRustici Software
 
TrustArc Webinar - The Future of Third-Party Privacy Risk: Trends, Tactics & ...
byTrustArc
 
Comprehensive Analysis of OpenAI's Strategic Transformation at DevDay 2025.pdf
byAlex Doan
 
UiPath Platform: Architecture & Context [1/3]
bysuhanisingh58689
 
Cloud Metrics: The Cost-Value Equation (All Things Open 2025)
byEric D. Schabell
 
Master Deck: GraphSummit Bengaluru (Oct 7)
byNeo4j
 

Presentation database security enhancements with oracle

  • 1.
    Database Security EnhancementsWith Oracle Database 11g Daniel Wong Director of Engineering, Database Security Oracle Corporation
  • 2.
    2 Agenda • About OracleSoftware Security Assurance • Overview of Security Enhancements in 11g • Secure Configuration Enhancements • Other Key Security Enhancements • Q&A
  • 3.
    3 Oracle Software SecurityAssurance All the processes, procedures, and technologies that have been implemented to ensure that Oracle’s products are meeting our customers’ security requirements, while providing for the most cost-effective ownership experience. Product Development Product Definition Ongoing Assurance Secure Coding Standards
  • 4.
    4 Oracle Software SecurityAssurance Secure Configuration • Enhance “out of the box installation” settings to be more secure • Remove default passwords • Disable unneeded services • Reduce proliferation of powerful privileges • Identify and minimize potential effects of enhanced secure configuration settings: • Impacts resulting from version upgrade • Impacts on Oracle and third-party applications • Document and share current security best practices • http://www.oracle.com/security/resource-library.html
  • 5.
    5 Oracle Software SecurityAssurance Secure Configuration • Goals: • Improve security of default configuration • Secure by Default while maintaining upgradability and usability • Inputs: • Internal: Various Oracle Software Security Assurance programs • External: CIS, SANS, DISA • Recent Enhancements: • Locked default accounts, expired passwords • Optional install of demo schemas • Best Practices document • Default password/account scanner
  • 6.
    6 Secure Configuration Enhancements with11g - Overview 1. Default Audit Settings • Preconfigured • Enhanced performance 2. Default Password Management • Enhanced protection against brute force attack • Complexity enforcement procedure • Built-in default password scanner 3. Enhanced Authentication • Case sensitive password authentication • Control authentication version 4. Enhanced Access Control • Improved security for several utl* packages
  • 7.
    7 Audit Settings • Keyrequirement for compliance • 10gR2: OFF by default • 11g: • AUDIT_TRAIL=DB by default in DBCA • security-relevant actions audited • Performance: • Set audit_trail=XML or OS for best performance • In our informal lab environment, we found 1-2% performance degradation for the TPCC benchmark with AUDIT_TRAIL=DB and our default auditing statements
  • 8.
    8 Updated Default AuditSettings • Statement Audit option • ROLE • Privilege Audit Options • CREATE USER • ALTER USER • DROP USER • CREATE SESSION • CREATE ANY TABLE • ALTER ANY TABLE • DROP ANY TABLE • CREATE ANY PROCEDURE • ALTER ANY PROCEDURE • DROP ANY PROCEDURE • ALTER PROFILE • DROP PROFILE • GRANT ANY PRIVILEGE • GRANT ANY OBJECT PRIV. • GRANT ANY ROLE • CREATE ANY JOB • CREATE EXTERNAL JOB • CREATE ANY LIBRARY • CREATE PUBLIC DB LINK • EXEMPT ACCESS POLICY • ALTER DATABASE • ALTER SYSTEM • AUDIT SYSTEM
  • 9.
    9 Default Profile PasswordSettings • 10gR2 • FAILED_LOGIN_ATTEMPTS = 10 • all others: unlimited • 11g - more restrictive • FAILED_LOGIN_ATTEMPTS = 10 (no change) • PASSWORD_LOCK_TIME = 1 • PASSWORD_GRACE_TIME = 7 • PASSWORD_LIFE_TIME = 180 • Balanced protection against Denial of Service (DOS) and password attacks while keeping usability
  • 10.
    10 Password Complexity • Supportscase sensitive passwords • Supports special and multi-byte characters to increase security and usability • Takes effect immediately after password change • Enhanced default password complexity verification • Password Complexity Verification not enabled in default profile; can be enabled via Enterprise Manager or SQL • In utlpwdmg.sql in $ORACLE_HOME/admin directory • SQL to set the password complexity verification • ALTER PROFILE DEFAULT PASSWORD_VERIFY_FUNCTION verify_function_11G • This routine will verify that password • Has minimum length of 8 characters • Has at least one letter and one digit • Is not username, reverse thereof, or username(1-100) • Is not one of a few common passwords (e.g. welcome1) • Must differ from previous password by at least 3 characters
  • 11.
    11 Password Complexity Recommendations • Defaultpassword profile parameters may not suit everyone • Adjust the password settings to your security needs • Change default password verification routine as per your needs • Define at least two password profiles - one for users and one for mid-tiers and administrators • Password recommendations vary with use cases: • See for example, recommendations for E-Business Suite - MetaLink 189367.1 • See also Visit OTN: otn.oracle.com -> products -> database -> security and compliance for detailed recommendations
  • 12.
    12 Default Password View •View DBA_USERS_WITH_DEFPWD will show all accounts still using default passwords • Over 140 default username/passwords collected from the field, including application accounts for Peoplesoft and Ebizs • SQL> desc DBA_USERS_WITH_DEFPWD • Name Null? Type • ----------------------------------------- -------- ---------------------------- • USERNAME NOT NULL VARCHAR2(30) • SQL> select * from DBA_USERS_WITH_DEFPWD • 2 ; • USERNAME • ------------------------------ • JONES
  • 13.
    13 Enhanced Authentication • Supportsmulti-bytes and special characters • Case sensitive passwords always enforced • Use SEC _ CASE _ SENSITIVE _ LOGON to turn it OFF if necessary • Set SQLNET . ALLOWED _ LOGON _ VERSION to highest OCI client version in use: • Use 8 if there are Oracle 8.x clients connecting to the DB • Use 9 if there are Oracle 9.x clients connecting to the DB • Use 11 if there are Oracle 10.x and/or 11.x clients connecting to the DB • Use 8 if there are pre-Oracle 11g JDBC pure Java client connecting to the DB • Use of SHA-1 hashing algorithm to protect password
  • 14.
    14 Enhanced Access Control •Improved security for several utl* packages • UTL_TCP, UTL_SMTP, UTL_MAIL, UTL_HTTP, etc. • These packages will no longer allow connections to external network services to non-privileged users by default • SYS and XDB schemas will specifically remain excluded from this kind of restriction • DBAs will be able to specify what network services database users will be allowed to access when using these packages.
  • 15.
    15 Enhanced Access Control Recommendations •Open access to external network services only minimally • Specify down to hosts and ports, avoid unnecessary “*” wildcards • Have small number of ACLs for manageability and performance • Share ACLs among network services open to the same users • Consider giving access indirectly through application schemas • Applications can further restrict user interaction with network services
  • 16.
    16 Access Control Administration •Administration via DBMS_NETWORK_ACL_ADMIN • Grant access to a network service • create_acl – create an ACL for the first user • assign_acl – assign ACL to network service • Grant access to more users in ACL – add_privilege • Revoke access from users in ACL – delete_privilege • Stop access to network services • unassign_acl – take ACL away from network service • All ACL changes are transactional • Remember to “COMMIT” the transaction !!! • View ACL settings via dictionary views • DBA_NETWORK_ACLS – which network services have ACLs? • DBA_NETWORK_ACL_PRIVILEGES – who are in the ACLs?
  • 17.
    17 Access Control Administration Example begin dbms_network_acl_admin.create_acl( acl=> 'smtp-access.xml', description => 'ACL for SMTP service', principal => 'MAILAGENT', is_grant => TRUE, privilege => 'connect'); dbms_network_acl_admin.assign_acl( acl => 'smtp-access.xml', host => 'smtp-host.oracle.com', lower_port => 25); end; / commit;
  • 18.
    18 Access Control Administration Example SQL>select * from dba_network_acls; HOST LOWER_PORT UPPER_PORT ACL -------------------- ---------- ---------- ------------------------- smtp-host.oracle.com 25 25 /sys/acls/smtp-access.xml SQL> select * from dba_network_acl_privileges; ACL PRINCIPAL PRIVILEGE ------------------------- -------------------- --------- /sys/acls/smtp-access.xml MAILAGENT connect
  • 19.
    19 How Do TheseChanges Impact Installation? • Default new installations will include audit and password profiles • Option during install to retain 10gR2 settings • DBCA screens to: • Revert back to 10gR2 settings for audit and/or password • Apply new default settings • Upgrades will not change the audit and password profile settings
  • 20.
    20 Recommendations for UpgradesI • Audit settings • Turn on auditing for security sensitive DDL operations listed • Set to DB or DB_extended for querability • Set to OS or XML for performance • Password Management • Institute password policies by classifying users into a different usage groups and assign dedicated profiles to each group • Check DBA_USERS_WITH_DEFPWD for default passwords
  • 21.
    21 Recommendations for UpgradesII • Authentication • Identify sources of connection and set security level to highest possible supported by the client • Ask users to change password as soon as possible for case sensitive password to take effect • Look into EUS for centralized user management • Reminder: we support connect username/password as SYSDBA • Access Control • Identify applications using utl_* packages, and identify and grant appropriate new ACL privileges and confirm applications are running fine • Evaluate current privileges granted, follow least privileged model
  • 22.
    22 Other Key SecurityEnhancements • Tablespace Encryption option in Transparent Data Encryption • Allows bulk encryption at tablespace level • No restriction on data types and indexes • Works with all High Availability offerings • Hardware Security Module and External Key Server support in Transparent Data Encryption • Provides additional option for security and key management services by third party products • Management of SYSDBA and SYSOPER in Enterprise User Security • Identity management of super users in databases • Enhanced Kerberos support • Cross realm and type 4 certificate support • Support Microsoft KDC default encryption modes
  • 23.
    23 Oracle Software SecurityAssurance Conclusion • MAXIMUM SECURITY • Best of breed security features • Secure design from the ground up • Effective vulnerability remediation process • LOWER COST OF OWNERSHIP • Unwavering commitment to maintaining our customer’s security posture • Predictable security patch process • Priority given to quality
  • 24.
    24 For More Information •Oracle Software Security Assurance Web Site at http://www.oracle.com/security/software-security-assurance.html • Technical white papers and security guides • Online security seminars and webcasts • Blogs and more • Critical Patch Update & Security Alerts at http://www.oracle.com/technology/deploy/security/alerts.htm • Critical Patch Updates and current security alerts • Patch download • CPU documentation & Risk Matrices http://search.oracle.com Oracle Software Security Assurance