Security Overview

PDF, 174 pages, 1 MB

Oracle® Security Overview
10g Release 1 (10.1)
Part No. B10777-01
December 2003

Copyright © 2000, 2003 Oracle Corporation. All rights reserved.

Primary Author: Rita Moran and Jeff Levinger

The Programs (which include both the software and documentation) contain proprietary information of Oracle Corporation; they are provided under a license agreement containing restrictions on use and disclosure and are also protected by copyright, patent and other intellectual and industrial property laws. Reverse engineering, disassembly or decompilation of the Programs, except to the extent required to obtain interoperability with other independently created software or as specified by law, is prohibited.

The information contained in this document is subject to change without notice. If you find any problems in the documentation, please report them to us in writing. Oracle Corporation does not warrant that this document is error-free. Except as may be expressly permitted in your license agreement for these Programs, no part of these Programs may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Oracle Corporation.

If the Programs are delivered to the U.S. Government or anyone licensing or using the programs on behalf of the U.S. Government, the following notice is applicable:

Restricted Rights Notice: Programs delivered subject to the DOD FAR Supplement are "commercial computer software" and use, duplication, and disclosure of the Programs, including documentation, shall be subject to the licensing restrictions set forth in the applicable Oracle license agreement. Otherwise, Programs delivered subject to the Federal Acquisition Regulations are "restricted computer software" and use, duplication, and disclosure of the Programs shall be subject to the restrictions in FAR 52.227-19, Commercial Computer Software - Restricted Rights (June, 1987). Oracle Corporation, 500 Oracle Parkway, Redwood City, CA 94065.

The Programs are not intended for use in any nuclear, aviation, mass transit, medical, or other inherently dangerous applications. It shall be the licensee's responsibility to take all appropriate fail-safe, backup, redundancy, and other measures to ensure the safe use of such applications if the Programs are used for such purposes, and Oracle Corporation disclaims liability for any damages caused by such use of the Programs.

Oracle is a registered trademark, and Oracle Store, Oracle7, Oracle8i, Oracle9i, PL/SQL, SQL*Plus, and Secure Network Services are trademarks or registered trademarks of Oracle Corporation. Other names may be trademarks of their respective owners.

Contents

Send Us Your Comments  xiii
Preface  xv
    Audience  xv
    Documentation Accessibility  xvi
    Organization  xvi
    Related Documentation  xviii
    Conventions  xix

Part I  Security Challenges

1  Data Security Challenges
    Top Security Myths  1-2
    Understanding the Many Dimensions of System Security  1-2
    Fundamental Data Security Requirements  1-4
        Confidentiality  1-4
            Privacy of Communications  1-5
            Secure Storage of Sensitive Data  1-5
            Authenticated Users  1-5
            Granular Access Control  1-5
        Integrity  1-6
        Availability  1-6
    Security Requirements in the Internet Environment  1-7
        Promises and Problems of the Internet  1-7
        Increased Data Access  1-8
        Much More Valuable Data  1-9
        Larger User Communities  1-10
            Scalability  1-10
            Manageability  1-10
            Interoperability  1-10
        Hosted Systems and Exchanges  1-10
    A World of Data Security Risks  1-11
        Data Tampering  1-11
        Eavesdropping and Data Theft  1-12
        Falsifying User Identities  1-12
        Password-Related Threats  1-13
        Unauthorized Access to Tables and Columns  1-13
        Unauthorized Access to Data Rows  1-13
        Lack of Accountability  1-14
        Complex User Management Requirements  1-14
            Multitier Systems  1-14
            Scaling the Security Administration of Multiple Systems  1-14
    A Matrix of Security Risks and Solutions  1-15
    The System Security Team  1-17

Part II  Technical Solutions to Security Risks

2  Protecting Data Within the Database
    Introduction to Database Security Concepts  2-2
    System and Object Privileges  2-2
        System Privileges  2-2
        Schema Object Privileges  2-2
    Managing System and Object Privileges  2-3
        Using Roles to Manage Privileges  2-4
            Database Roles  2-4
            Global Roles  2-5
            Enterprise Roles  2-5
            Secure Application Roles  2-6
        Using Stored Procedures to Manage Privileges  2-6
        Using Network Facilities to Manage Privileges  2-7
        Using Views to Manage Privileges  2-7
    Row Level Security  2-8
        Complex and Dynamic Views  2-9
        Application Query Rewrite: Virtual Private Database  2-9
        Label-Based Access Control  2-9
    Encrypting Data on the Server  2-10
        Selective Encryption of Stored Data  2-10
        Industry Standard Encryption Algorithms  2-10
    Database Integrity Mechanisms  2-11
    System Availability Factors  2-12
    Secure Configuration Practices  2-13

3  Protecting Data in a Network Environment
    Introduction to Data Protection in a Network Environment  3-1
    Protecting Data During Transmission  3-2
        Controlling Access Within the Network  3-2
            Middle-Tier Connection Management  3-2
            Native Network Capabilities (Valid Node Checking)  3-2
            Database Enforced Network Access  3-3
        Encrypting Data for Network Transmission  3-3
            Encryption Algorithms  3-4
            Data Integrity Checking  3-4
        Secure Sockets Layer (SSL) Protocol  3-5
        Firewalls  3-5
    Ensuring Security in Three-Tier Systems  3-6
        Proxy Authentication to Ensure Three-Tier Security  3-6
        Java Database Connectivity (JDBC)  3-7
            JDBC-Oracle Call Interface Driver  3-7
            JDBC Thin Driver  3-7

4  Authenticating Users to the Database
    Introduction to User Authentication  4-1
    Passwords for Authentication  4-2
    Strong Authentication  4-2
        Kerberos and CyberSafe  4-3
        RADIUS  4-4
        Token Cards  4-4
        Smart Cards  4-5
        Distributed Computing Environment (DCE)  4-6
        Biometrics  4-6
        PKI and Certificate-Based Authentication  4-7
    Proxy Authentication and Authorization  4-7
    Single Sign-On  4-9
        Server-Based Single Sign-On  4-9
        Middle Tier Single Sign-On  4-9

5  Using and Deploying a Secure Directory
    Introduction  5-1
    Centralizing Shared Information with LDAP  5-2
    Securing the Directory  5-3
        Directory Authentication of Users  5-4
        Password Protection in a Directory  5-4
        Directory Access Controls and Authorization  5-5
    Directory-Based Application Security  5-6
        Authorization of Users  5-6
        Authorization of Administrators  5-7
        Administrative Roles in the Directory  5-10

6  Administering Enterprise User Security
    Introduction  6-1
    Enterprise Privilege Administration  6-2
    Shared Schemas  6-2
    Password-Authenticated Enterprise Users  6-3
    Enterprise Roles  6-4
    Multitier Authentication and Authorization  6-4
    Single Sign-On  6-4

7  Auditing to Monitor System Security
    Introduction  7-1
    Fundamental Auditing Requirements  7-1
        Robust, Comprehensive Auditing  7-2
        Efficient Auditing  7-2
        Customizable Auditing  7-2
    Fine Grained, Extensible Auditing  7-3
    Auditing in Multitier Application Environments  7-3

8  The Public Key Infrastructure Approach to Security
    Introduction  8-1
        Security Features of PKI  8-1
        Components of PKI  8-2
        Advantages of the PKI Approach  8-3
    Public Key Cryptography and the Public Key/Private Key Pair  8-3
    Secure Credentials: Certificate-Based Authentication in PKI  8-4
        Certificates and Certificate Authorities  8-4
            Certificate Authorities  8-4
            Certificates  8-5
        Authentication Methods Used with PKI  8-5
            Secure Sockets Layer Authentication and X.509v3 Digital Certificates  8-6
            Entrust/PKI Authentication  8-6
    Storing Secure Credentials with PKI  8-7
    Single Sign-On Using PKI  8-7
    Network Security Using PKI  8-8

Part III  Oracle Security Products

9  Oracle Security Products and Features
    Oracle Standard Edition  9-1
        Oracle Identity Management  9-2
        Integrity  9-3
            Data Integrity  9-4
            Entity Integrity Enforcement  9-4
            Referential Integrity  9-4
        Authentication and Access Controls in Oracle  9-4
        Privileges  9-5
        Roles  9-5
        Auditing  9-6
        Views, Stored Program Units, Triggers  9-6
        Data Encryption  9-6
        High Availability  9-7
            User Profiles  9-7
            Online Backup and Recovery  9-8
            Advanced Replication  9-8
            Data Partitioning  9-8
            Very High Availability with Real Application Clusters  9-9
        Proxy Authentication in Oracle  9-9
            Introduction  9-10
            Support for Additional Protocols  9-10
            Expanded Credential Proxy  9-11
            Application User Proxy Authentication  9-11
        Application Context in Oracle  9-12
            How Application Context Facilitates Secure Fine-Grained Access Control  9-12
                Application Context Accessed Locally  9-13
                Application Context Initialized Externally  9-13
                Application Context Initialized Globally  9-13
                Application Context Accessed Globally  9-13
    Oracle Enterprise Edition  9-14
        Internet Scale Security Features  9-15
            Deep Data Protection  9-15
            Internet-Scale Security  9-15
            Secure Hosting and Data Exchange  9-16
        Application Security  9-16
        Virtual Private Database in Oracle  9-16
            Virtual Private Database  9-17
            How Virtual Private Database Works  9-18
            How Partitioned Fine-Grained Access Control Facilitates VPD  9-19
            User Models and Virtual Private Database  9-20
            Oracle Policy Manager  9-20
        Secure Application Role  9-21
        Fine-Grained Auditing  9-21
        Oracle Auditing for Three-Tier Applications  9-22
        Java Security Implementation in the Database  9-23
            Class Execution  9-23
            SecurityManager Class  9-23
    Oracle Advanced Security  9-23
        Introduction to Oracle Advanced Security  9-24
        Network Security Services of Oracle Advanced Security  9-25
            Oracle Net Services Native Encryption  9-26
            Data Integrity Features of Oracle Advanced Security  9-27
            Secure Sockets Layer (SSL) Encryption Capabilities  9-28
                Oracle Advanced Security Support for SSL  9-28
                Checksumming in Oracle Advanced Security SSL  9-28
                Oracle Application Server Support for SSL  9-28
            Java Encryption Features of Oracle Advanced Security  9-29
                JDBC-OCI Driver  9-29
                Thin JDBC  9-29
                Secure Connections for Virtually Any Client  9-30
                Oracle Java SSL  9-31
            Strong Authentication Methods Supported by Oracle Advanced Security  9-31
                Oracle Public Key Infrastructure-Based Authentication  9-32
                Kerberos and CyberSafe with Oracle Advanced Security  9-34
                RADIUS with Oracle Advanced Security  9-34
                Token Cards with Oracle Advanced Security  9-35
                Smart Cards with Oracle Advanced Security  9-35
                Biometric Authentication with Oracle Advanced Security  9-35
                Distributed Computing Environment (DCE) with Oracle Advanced Security  9-35
            Single Sign-On Implementations in Oracle Advanced Security  9-36
                Single Sign-On Configuration with Third-Party Products  9-36
                PKI-Based Single Sign-On Configuration  9-36
        Enterprise User Security Features of Oracle Advanced Security  9-37
            Password-Authenticated Enterprise Users  9-37
            Tools for Enterprise User Security  9-38
            Shared Schemas in Oracle Advanced Security  9-38
            Current User Database Links  9-39
            Directory Integration  9-39
        PKI Implementation in Oracle Advanced Security  9-39
            Components of Oracle Public Key Infrastructure-Based Authentication  9-40
                Secure Sockets Layer  9-40
                Oracle Call Interface  9-40
                Trusted Certificates  9-40
                X.509 Version 3 Certificates  9-40
                Oracle Wallets  9-40
                Oracle Wallet Manager  9-41
                Oracle Enterprise Login Assistant  9-41
                Oracle Internet Directory  9-41
                Oracle Enterprise Security Manager  9-41
            PKI Integration and Interoperability  9-42
                PKCS #12 Support  9-42
                Wallets Stored in Oracle Internet Directory  9-42
                Multiple Certificate Support  9-42
                Strong Wallet Encryption  9-43
            Oracle PKI Implementation Summary  9-43
    Oracle Label Security  9-44
    Oracle Internet Directory  9-45
        Introduction to Oracle Internet Directory  9-46
        LDAP Compliance  9-47
        How Oracle Internet Directory is Implemented  9-48
        How Oracle Internet Directory Organizes Enterprise User Management  9-49
            Enterprise User Administration with Oracle Internet Directory  9-49
            Shared Schemas with Oracle Internet Directory  9-50
    Oracle Net Services  9-50
        Components of Oracle Net Services  9-50
            Oracle Net on the Client  9-50
            Oracle Net on the Database Server  9-51
            Oracle Protocol Support  9-51
            Oracle Connection Manager  9-51
                Protocol Conversion  9-51