In Part 1, I described how data security is critical to the modern enterprise business world and the key role it plays, as well as some of Oracle 12c’s security features. In Part 2, I am going to touch how to apply security controls in network, storage and backup levels. Also, a few selective Oracle database 12c new security features will also be discussed. Towards the end of the article, we’ll look at how basic level database security controls can prevent 97% security breaches.
First line of defense – Oracle Database firewall
The Oracle database firewall option prevents database attacks from internal and external accesses by acting as the first line of database defense. It sits on the network layer, transporting data to the application and database layers without any application modification needed.
With its highly accurate SQL-based monitoring ability, all unauthorized and suspicious network traffic to the databases is blocked. When the SQL-based policies are configured and defined, the SQL statements will be analyzed before they’re sent to the database and appropriate action is taken. With the white, black and exception lists support, you can define a set of SQL statements that the firewall can see, this can include users, schemas and SQL statements that you need to prevent attacks from reaching the database.
The following image depicts the overall Audit Vault and Database firewall architecture and its functionality:
Image courtesy: Oracle documentation
Oracle Secure Backups (OSB)
Although several third-party vendor-supported Tape-Based backup solutions exist, Oracle Secure Backups (OSB) provides backup encryption, protection and centralized backup solutions. The OSB has built-in support to Recovery Manager (RMAN), protection to the file system on UNIX, WINDOWS and Linux hosts, centralized backup management and its cloud module supports backup on the cloud. The following are the key benefits of OSB:
- Centralized tape backup management
- Backups over the cloud
- Supports Exadata backups
- Encrypts backups and secure backup data
- Provides enterprise data protection
Network encryption and storage authentication
In my previous article, I explained how to mask sensitive data, data redaction, controlling super sys privileges, data encryption etc. This segment will cover how to apply security controls in network and storage layers.
As part of storage authentication, Oracle provides the following industry standard authentication methods:
- Kerberos: enables single sign-on and centralized authentication capabilities to the Oracle users.
- RAIDUS: provides remote authentication and access with a client/server protocol in a client/server network environment using the smart cards and token cards mechanism.
- Secure Socket Layer (SSL): an industry standard protocol which supports authentication, data integrity and data encryption. Oracle uses the SSL protocol for secure client/server communication, SSL can also be configured to provide server only, client only or both authentication.
To prevent unauthorized users from viewing the plain text data that’s been sent over the network, you will have to apply encryption to network data. This protects against Data modification and Replay attach attacks.
Oracle Net Manager offers network encryption configuration options on the client and server. You can choose one of the four (REJECTED, ACCEPTED, REQUESTED and REQUIRED) listed options from the Checksum Level list. Also, the sqlnet.ora file must contain following entries:
<b><span style="text-decoration: underline;">On the server and client:</span></b>
SQLNET.CRYPTO_CHECKSUM_SERVER = [accepted | rejected | requested | required]
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (valid_crypto_checksum_algorithm)
Oracle database 12c new security features
It’s time to review a few selective Oracle database 12c enhancements and additions. Here is the list of new features:
- With Oracle 12c, a new schema, AUDSYS, is solely used to store the unified audit trail records in the table. Typically, audit records are first kept in the SGA queue and are then periodically written to the AUDSYS schema audit table in the SYSAUX tablespace. This prevents writing the records immediately to the table and improves overall audit trail process. However, you have the ability to overwrite or define the rules on how the audit records should be written, immediately or queued in the SGA.
- RESOURCE role no longer grants UNLIMITED TABLESPACE privilege
- SELECT ANY DICTIONARY no longer provides access to the SYS and DICTIONARY tables
- Unified Audit trail for all individual components: SYS.ADU$, fine-grained auditing, Oracle Database vault, Oracle Label Security etc
- Separate duties of Audit administration
- Enhanced password verification functionality
Common database security practices
It is not a good idea to comprise on data security, at the very least businesses should apply the basic level of database security compliance. According to Verizon’s security survey, 97% security breaches are preventable with a very basic level of security controls. The following are a few security guidelines, in no particular order, which are common basic security practices you should consider adopting in your production environments:
- Apply regular PSU patches
- Enable basic level and common database auditing parameters: AUDIT_TRAIL, AUDIT_SYS_OPERATIONS, AUDIT_FILE_DEST
- Limit or grant only required privileges to the database users
- Contain super users and revoke all unnecessary privileges from the PUBLIC role
- Lock down and change the default passwords to the pre-defined, non-administrative database users
- Avoid using the default 1521 port
- Enforce password management profiles, such as password reuse max, life time, password life time etc
- Secure batch jobs
- Encrypt sensitive data
- Control data access
- Maintain SYS.AUD$ table
- Audit and track all important database changes
Security breaches can attack any vulnerability found in your environment. Make sure to protect your networks with firewalls, use secure backups, take advantage of the newest security features in 12c, and cover all your basics applying common security controls.