Purpose
In scope: application security of Oracle databases
Out of scope: system security of Oracle databases
Agenda
- Oracle architecture
- Common Oracle objects
- Schema/object security
- Java security
- Application integration techniques
- Current challenges at Cisco
Oracle architecture (diagram): a client reaches the database server over SQL*Net (Net8); the TNS Listener accepts connections on TCP port 1521 and hands them to the database. Connect descriptor shown:
(ADDRESS=(PROTOCOL=TCP)(HOST=db.company.com)(PORT=1521))
Oracle architecture (diagram): the TNS Listener routes each incoming connection by service name (cmrsdb and cmrs in the example) to the database instance.
Oracle architecture (diagram): Host #1 and Host #2, with the SQL*Net connection to the database marked "Allowed".
SQL*Net
- Introduced in Oracle V5
- Renamed Net8 in Oracle8
- Supports multiple protocols (TCP/IP, DECnet, SPX/IPX, etc.)
Oracle architecture (diagram; only the fragment "... be stored in Oracle" survived)
Authentication
- DES encryption of a db-selected random number with the user's password hash (the password itself never crosses the wire at logon)
- OS-integrated authentication available too
- Password changes travel unencrypted: ALTER USER ... IDENTIFIED BY sends the new password in cleartext over SQL*Net unless transport encryption is in place
Transport encryption
Password management
- Aging & expiration
- History (e.g., can prohibit reuse of last 3 passwords)
- Composition & complexity (e.g., require letters + numbers)
- Account lockout
Common Oracle objects (diagram): a schema owning tables, indexes, triggers, stored procedures and functions.
Schema/object security (diagram): asok's schema (orders, customers), the hrdata schema (candidates, employees), alice's schema, public objects such as all_users, and the DBA, whose role reaches every schema.
Database links
Create database link EMPLINK connect to DOGBERT identified by CISCO123 using 'HR_DB';
(the connect string after USING must be a quoted TNS alias or descriptor; the link stores DOGBERT's password in the data dictionary, so the remote account should carry only the privileges the link needs)
Diagram: orders in ECOMMERCE_DB reaches employees in HR_DB through EMPLINK, which logs in to HR_DB as DOGBERT; dogbert's schema appears on both sides.
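An added example of building the link above the least-privilege way (this is not code from the original slides). ECOMMERCE_DB, HR_DB, EMPLINK, DOGBERT and the hrdata.employees table are the slides' own names; the HR_LINK_RO account, its password and the department column are assumptions.

```sql
-- Added example, not from the original slides.
-- Assumed: account HR_LINK_RO, table HRDATA.EMPLOYEES with a DEPARTMENT_ID column.

-- On HR_DB: give the link its own account that can only read what the remote
-- application needs, instead of reusing a schema owner such as DOGBERT.
CREATE USER hr_link_ro IDENTIFIED BY "Use-a-long-random-value-here";
GRANT CREATE SESSION TO hr_link_ro;
GRANT SELECT ON hrdata.employees TO hr_link_ro;

-- On ECOMMERCE_DB: a private link owned by DOGBERT. The string after USING
-- must be a quoted TNS alias or a full connect descriptor.
CREATE DATABASE LINK emplink
  CONNECT TO hr_link_ro IDENTIFIED BY "Use-a-long-random-value-here"
  USING 'HR_DB';

-- Query through the link; HR_DB enforces HR_LINK_RO's privileges, so an
-- UPDATE through this link fails regardless of who runs it on ECOMMERCE_DB.
SELECT e.employee_id, e.last_name
FROM   hrdata.employees@emplink e
WHERE  e.department_id = 10;

-- Check: who owns links, which remote account each one uses, and which are
-- PUBLIC (usable by every session on this database). A link whose USERNAME
-- is a schema owner or a DBA-type account is the one to chase.
SELECT owner, db_link, username, host
FROM   dba_db_links
ORDER  BY owner, db_link;

-- Releases before Oracle 10g Release 2 keep the link password in cleartext in
-- SYS.LINK$, so anyone with SELECT ANY TABLE (or SYS access) can read it.
SELECT name, userid, password FROM sys.link$;
```

The last query is the check worth running on an older database: every credential it returns is a credential the remote side should be able to afford losing.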
Java security (diagram): application classes (com.cisco.ipc.*, com.cisco.myapp.calc) are loaded into a user's own schema and are visible to that user's session (wally session, dilbert session); the system classes (java.*, oracle.aurora.*, oracle.jdbc.*) are shared by every session.
Java classes
- Loaded into their own schema/session
- The owner can grant execution rights to other users
- Stored in Oracle objects, not files
Java permissions
- Stored in the PolicyTable table
- Granted by the DBA or JAVA_ADMIN roles
call dbms_java.grant_permission('MNYSTROM', 'SYS:java.net.SocketPermission', 'localhost:1024-', 'connect');
(all four arguments are strings and must be quoted; SocketPermission lives in java.net, not java.util; the grantee is an Oracle user or role name, so upper case unless the account was created with a quoted name; Oracle's examples write the permission type schema-qualified with the SYS: prefix)
Permissions: 2 privilege models
Invoker's rights (diagram): a class in dogbert's schema (com.cisco.myapp.calc, com.cisco.ipc.*) called from alice's session runs with alice's privileges, and the unqualified name salary resolves to the salary table in alice's schema.
Definer's rights (diagram): the same class called from alice's session runs with dogbert's privileges, and salary resolves to the table in dogbert's schema; alice needs only execute rights on the class and gets whatever dogbert can see through it.
What Java in the database can do, given the permissions
- Execute, read, write local files
- Make and receive network calls (HTTP, MMX, etc.)
- Access data in remote databases
- Send mail
Diagram: the database server's file system (/oracle/apps/) is reachable from Java code running inside the database.
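An added example of managing the Java permissions discussed in the two sections above with DBMS_JAVA (this is not code from the original slides). The grantee MNYSTROM and the path /oracle/apps/ are from the slides; the mail host, port and the exact grants are assumptions.

```sql
-- Added example, not from the original slides.
-- Assumed: user MNYSTROM exists; mailhost.company.com is the only host its
-- Java code should reach.

-- File access: limit the grant to the one directory tree the application
-- needs, read-only. "/oracle/apps/-" covers the directory and everything below it.
CALL dbms_java.grant_permission(
  'MNYSTROM', 'SYS:java.io.FilePermission', '/oracle/apps/-', 'read');

-- Network access: outbound connect to a single host and port. No 'listen' and
-- no 'accept', so the class cannot turn the database server into a listener.
CALL dbms_java.grant_permission(
  'MNYSTROM', 'SYS:java.net.SocketPermission', 'mailhost.company.com:25', 'connect,resolve');

-- A restriction records a limitation on a permission type. Precedence between
-- grants and restrictions depends on their order in the policy table, so
-- always confirm the effective result with the DBA_JAVA_POLICY query below.
CALL dbms_java.restrict_permission(
  'MNYSTROM', 'SYS:java.io.FilePermission', '/oracle/-', 'write,delete,execute');

-- Check: what does this user actually hold? KIND is GRANT or RESTRICT, ENABLED
-- tells whether the entry is active. Entries granted to PUBLIC apply to every
-- session that runs Java.
SELECT kind, grantee, type_name, name, action, enabled
FROM   dba_java_policy
WHERE  grantee IN ('MNYSTROM', 'PUBLIC')
ORDER  BY grantee, type_name, name;

-- Check: JAVASYSPRIV hands out file and socket permissions wholesale, so
-- anyone holding it can do everything on the list above.
SELECT grantee, granted_role
FROM   dba_role_privs
WHERE  granted_role IN ('JAVASYSPRIV', 'JAVAUSERPRIV', 'JAVA_ADMIN')
ORDER  BY granted_role, grantee;

-- Take a grant back when it is no longer needed; the four arguments must match
-- the original grant exactly.
CALL dbms_java.revoke_permission(
  'MNYSTROM', 'SYS:java.io.FilePermission', '/oracle/apps/-', 'read');
```

The two SELECTs are the ones to keep in a periodic review: the first shows per-user grants, the second shows who received the broad roles that make per-user grants irrelevant.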
Auditing
(slide text not recovered beyond the fragments "Obviously" and "Currently")
Integration options
- Grant direct access to each other's schemas
- Grant only stored proc access
Application schema (diagram): each application owns a schema holding its own objects (orders, customers).
Shared schemas (diagram): Application #1 and Application #2 both connect to one shared schema and select from customers directly.
Shared objects (diagram): Application #1 owns customers; the privileges it can hand out are insert, update, delete, select (each optionally with the grant option), and Application #2 receives only select on the table and execute on a stored procedure.
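An added example (not code from the original slides) of the two privilege models shown above for Java classes and of the "grant only stored proc access" integration option, written in PL/SQL, where the same choice is made with AUTHID (Java classes get definer's rights through loadjava's -definer option). The schema names DOGBERT and ALICE and the SALARY table are from the slides; the columns, the sample rows and the APP2 account are assumptions.

```sql
-- Added example, not from the original slides.
-- Assumed: users DOGBERT, ALICE and APP2 exist; SALARY has columns EMP and AMOUNT.

-- Each schema has its own SALARY table, as in the diagram.
CREATE TABLE dogbert.salary (emp VARCHAR2(30), amount NUMBER);
CREATE TABLE alice.salary   (emp VARCHAR2(30), amount NUMBER);
INSERT INTO dogbert.salary VALUES ('wally', 100000);
INSERT INTO alice.salary   VALUES ('alice',  50000);

-- Definer's rights (the default): runs with DOGBERT's privileges and resolves
-- the unqualified name SALARY in DOGBERT's schema, whoever calls it.
CREATE OR REPLACE FUNCTION dogbert.total_salary_definer
RETURN NUMBER AUTHID DEFINER IS
  v NUMBER;
BEGIN
  SELECT SUM(amount) INTO v FROM salary;
  RETURN v;
END;
/

-- Invoker's rights: runs with the caller's privileges and resolves SALARY in
-- the caller's schema at run time.
CREATE OR REPLACE FUNCTION dogbert.total_salary_invoker
RETURN NUMBER AUTHID CURRENT_USER IS
  v NUMBER;
BEGIN
  SELECT SUM(amount) INTO v FROM salary;
  RETURN v;
END;
/

GRANT EXECUTE ON dogbert.total_salary_definer TO alice;
GRANT EXECUTE ON dogbert.total_salary_invoker TO alice;

-- Connected as ALICE, who holds no privilege at all on DOGBERT.SALARY:
SELECT dogbert.total_salary_definer FROM dual;  -- 100000: DOGBERT's table
SELECT dogbert.total_salary_invoker FROM dual;  --  50000: ALICE's own table
-- If ALICE owned no SALARY table, the invoker's-rights call would fail with
-- ORA-00942 while the definer's-rights call would still return 100000.

-- "Grant only stored proc access" is the definer's-rights case used on purpose:
-- the other application gets a narrow, validated operation, not the table.
CREATE OR REPLACE PROCEDURE dogbert.raise_salary(p_emp VARCHAR2, p_pct NUMBER)
AUTHID DEFINER IS
BEGIN
  IF p_pct < 0 OR p_pct > 10 THEN
    RAISE_APPLICATION_ERROR(-20001, 'raise outside the permitted 0-10% range');
  END IF;
  UPDATE salary SET amount = amount * (1 + p_pct / 100) WHERE emp = p_emp;
END;
/
GRANT EXECUTE ON dogbert.raise_salary TO app2;   -- APP2 gets this, not UPDATE ON SALARY

-- Checks: who can reach the table directly (and pass that on, GRANTABLE = YES),
-- and which procedures run as their owner and so lend the owner's privileges to
-- everyone who can execute them (AUTHID column present in newer releases).
SELECT grantee, privilege, grantable
FROM   dba_tab_privs
WHERE  owner = 'DOGBERT' AND table_name = 'SALARY';

SELECT object_name, object_type, authid
FROM   dba_procedures
WHERE  owner = 'DOGBERT' AND object_type IN ('FUNCTION', 'PROCEDURE')
ORDER  BY object_name;
```

The second check is the one that matters for shared-object integration: every definer's-rights procedure granted to another application is an entry point into the owner's schema, so its input validation (here the 0 to 10 percent bound) is the only thing standing between the caller and the owner's privileges.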
Application-level integration (diagram): Application #1 and Application #2 exchange data above the database, through shared libraries, MMX, web services or IIOP, instead of reaching into each other's schemas.
Privileges management (slide text not recovered)