Copyright © 2010 Oracle Corporation
Deploying Oracle Database 11g Securely on Oracle Solaris
Glenn Brunette
Senior Director, Enterprise Security Solutions
The following is intended to outline our general
product direction. It is intended for information
purposes only, and may not be incorporated into any
contract. It is not a commitment to deliver any
material, code, or functionality, and should not be
relied upon in making purchasing decisions.
The development, release, and timing of any
features or functionality described for Oracle’s
products remains at the sole discretion of Oracle.
Agenda
• Introduction
– Why Focus on Operating Systems?
– How Can Oracle Solaris Help?
• Deploying On A Strong Foundation
– Reduced Attack Surface
– Separation of Duty and Least Privilege
– Strong Isolation and Resource Control
– Comprehensive Monitoring
• Embracing a Defense in Depth Architecture
– Hardware, Operating System and Database Security
Why Focus on the Operating System?
• Burglars Don’t Always Use the Front Door
– Similar goals can be achieved using different methods
• Attacks Don’t Always Originate in the Database
– Operating system access provides unique opportunities
• Security Must Be Systemically Applied
– A chain is only as strong as its weakest link
How Can Oracle Solaris Help?
• Reduced Attack Surface
– Package Minimization
– (Network) Secure by Default
• Separation of Duty and Least Privilege
– User Rights Management
– Process Rights Management
• Strong Isolation and Resource Control
– Logical Domains
– Containers
• Comprehensive Monitoring
– Auditing
Reduced Attack Surface
Oracle Solaris Package Minimization
• Selectively install only what is needed
– Reduce the operating system file footprint
– 3.6 GB vs. 550M (disk consumed by Entire+OEM vs. Reduced Networking)
• Uninstalled software…
– cannot be executed or exploited
– does not need updates or patching
– does not need configuration or maintenance
• Foundation for specialized deployments and appliances
Reduced Attack Surface
Oracle Solaris Secure by Default
• Expose only required services to the network
– Reduce the operating system network footprint
– Most services are disabled; a few are set to “local only”
– Secure Shell is the only exposed service by default
• Integrated with Service Management Facility
– Common administrative model for all service operations
– Fully customizable based upon unique site requirements
• Foundation for Additional Network Protections
– Host-based packet filtering (Solaris IP Filter)
– Secure authentication (Solaris Kerberos)
– Secure network communications (Solaris IPsec / IKE)
Separation of Duty
Oracle Solaris User Rights Management
• Method for composing collections of administrative rights
• Rights are specified using hierarchical profiles and authorizations
• Rights can be assigned to individual users and roles
• Roles can only be assumed by authorized users
• Auditing always tracks the 'real' user – no anonymous admin!
Separation of Duty Example
Oracle Solaris User Rights Management
Rights assigned through User Rights Management to user roles:
• Internal Auditor – System Security Review, Audit Trail Review
• System Admin. – System Maintenance, Troubleshooting
• Oracle DBA – Database Administration
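As an added example (not code from the presentation), the Python below parses constructed prof_attr(4) and user_attr(4) entries that model the three roles on this slide, expands each account's profiles through the profiles= hierarchy and through any role it may assume, and reports accounts that can reach both the Oracle DBA and Internal Auditor profiles; the role and user names, the authorizations and the conflict policy are assumptions.

```python
"""Resolve Solaris rights profiles and check separation of duty.

Added example, not code from the presentation. Parses constructed
prof_attr(4) and user_attr(4) entries, follows profiles= links (and
profiles gained by assuming an assigned role) and reports accounts that
reach both profiles of a conflicting pair. Names are assumptions.
"""

# Constructed prof_attr(4) lines: profname:res1:res2:desc:attr
SAMPLE_PROF_ATTR = """\
Oracle DBA:::Database administration:profiles=Database Administration
Database Administration:::Start, stop and tune the database:auths=site.database.admin
System Administrator:::System maintenance and troubleshooting:profiles=Maintenance and Repair,Service Operator
Maintenance and Repair:::Maintain and repair a system:auths=solaris.admin.usermgr.read
Service Operator:::Administer services:auths=solaris.smf.manage
Internal Auditor:::System security and audit trail review:profiles=Audit Review
Audit Review:::Review the audit trail:auths=solaris.audit.read
"""

# Constructed user_attr(4) lines: user:qualifier:res1:res2:attr
# (dba and auditor are roles; eve is deliberately over-entitled.)
SAMPLE_USER_ATTR = """\
root::::auths=solaris.*;profiles=All
dba::::type=role;profiles=Oracle DBA
auditor::::type=role;profiles=Internal Auditor
joe::::type=normal;roles=dba
gbrunett::::type=normal;roles=auditor
sam::::type=normal;profiles=System Administrator
eve::::type=normal;roles=dba,auditor
"""

# Assumed policy: whoever administers the database must not also be able
# to review the audit trail that records that administration.
CONFLICTS = [("Oracle DBA", "Internal Auditor")]


def _csv(value):
    return set(filter(None, (value or "").split(",")))


def _attrs(field):
    """Parse the 'key=value;key=value' attribute field into a dict."""
    return dict(item.split("=", 1) for item in field.split(";") if "=" in item)


def parse_prof_attr(text):
    """Map profile name -> (sub-profiles, authorizations)."""
    profiles = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _r1, _r2, _desc, attr = line.split(":", 4)
            kv = _attrs(attr)
            profiles[name] = (_csv(kv.get("profiles")), _csv(kv.get("auths")))
    return profiles


def parse_user_attr(text):
    """Map user or role name -> {"type", "profiles", "roles"}."""
    users = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _q, _r1, _r2, attr = line.split(":", 4)
            kv = _attrs(attr)
            users[name] = {"type": kv.get("type", "normal"),
                           "profiles": _csv(kv.get("profiles")),
                           "roles": _csv(kv.get("roles"))}
    return users


def expand_profiles(direct, profiles):
    """Follow profiles= links to every reachable profile (cycle-safe)."""
    seen, todo = set(), list(direct)
    while todo:
        name = todo.pop()
        if name not in seen:
            seen.add(name)
            todo.extend(profiles.get(name, (set(), set()))[0])
    return seen


def reachable_profiles(name, users, profiles):
    """Profiles held directly plus those gained by assuming an assigned role."""
    entry = users.get(name, {"profiles": set(), "roles": set()})
    direct = set(entry["profiles"])
    for role in entry["roles"]:
        target = users.get(role)
        if target and target["type"] == "role":  # only real roles can be assumed
            direct |= target["profiles"]
    return expand_profiles(direct, profiles)


def sod_violations(users, profiles, conflicts):
    """Return {name: [(a, b), ...]} for accounts reaching both sides of a pair."""
    out = {}
    for name in users:
        reach = reachable_profiles(name, users, profiles)
        hits = [(a, b) for a, b in conflicts if a in reach and b in reach]
        if hits:
            out[name] = hits
    return out


if __name__ == "__main__":
    profs, accts = parse_prof_attr(SAMPLE_PROF_ATTR), parse_user_attr(SAMPLE_USER_ATTR)
    for name, hits in sod_violations(accts, profs, CONFLICTS).items():
        print(f"{name}: conflicting profiles {hits}")
```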
Least Privilege
Oracle Solaris Process Rights Management
• Eliminates need for many services to start as ‘root’
• Decomposes administrative capabilities into discrete privileges
• Reduces potential exposure to a variety of security attacks
• Always enabled and enforced by the Solaris kernel
• Completely compatible with traditional super-user privilege model
Least Privilege Example
Oracle Solaris Process Rights Management
(Diagram: Process Rights Management maps privileges, grouped into Privilege Collection #1, #2 and #3, onto individual processes.)
$ pfexec ppriv -S `pgrep rpcbind`
933: /usr/sbin/rpcbind
flags = PRIV_AWARE
E: net_bindmlp,net_privaddr,proc_fork,sys_nfs
I: none
P: net_bindmlp,net_privaddr,proc_fork,sys_nfs
L: none
$ pfexec ppriv -S `pgrep statd`
5139: /usr/lib/nfs/statd
flags = PRIV_AWARE
E: net_bindmlp,proc_fork
I: none
P: net_bindmlp,proc_fork
L: none
Every process has a unique set of privileges.
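As an added example (not code from the presentation), the following Python parses the `ppriv -S` listing format shown above and reports any privilege in a process's Effective or Permitted set that a per-service baseline does not allow; the listing is constructed after the slide's rpcbind and statd output plus a hypothetical lockd entry, and the baseline is an assumption.

```python
"""Compare Solaris process privilege sets with a per-service baseline.

Added example, not code from the presentation. Parses the text that
`ppriv -S <pid>` prints (a header line per process, then the E/I/P/L
sets) and flags privileges in the Effective or Permitted set that the
baseline for that executable does not allow.
"""
import re

# Constructed sample of `pfexec ppriv -S <pids>` output (not captured from
# a real system; the lockd entry and its sys_config privilege are invented
# to give the check something to find).
SAMPLE_PPRIV = """\
933:    /usr/sbin/rpcbind
flags = PRIV_AWARE
        E: net_bindmlp,net_privaddr,proc_fork,sys_nfs
        I: none
        P: net_bindmlp,net_privaddr,proc_fork,sys_nfs
        L: none
5139:   /usr/lib/nfs/statd
flags = PRIV_AWARE
        E: net_bindmlp,proc_fork
        I: none
        P: net_bindmlp,proc_fork
        L: none
7242:   /usr/lib/nfs/lockd
flags = PRIV_AWARE
        E: net_bindmlp,proc_fork,sys_config
        I: none
        P: net_bindmlp,proc_fork,sys_config
        L: none
"""

# Assumed baseline: the privileges each daemon is expected to hold.
BASELINE = {
    "/usr/sbin/rpcbind": {"net_bindmlp", "net_privaddr", "proc_fork", "sys_nfs"},
    "/usr/lib/nfs/statd": {"net_bindmlp", "proc_fork"},
    "/usr/lib/nfs/lockd": {"net_bindmlp", "proc_fork"},
}

_HEADER = re.compile(r"^(\d+):\s+(\S+)")         # "933:    /usr/sbin/rpcbind"
_PRIVSET = re.compile(r"^\s*([EIPL]):\s*(.*)$")  # "        E: a,b,c"


def parse_ppriv(text):
    """Return {pid: {"cmd": path, "E": set, "I": set, "P": set, "L": set}}."""
    procs = {}
    current = None
    for line in text.splitlines():
        m = _HEADER.match(line)
        if m:
            current = {"cmd": m.group(2), "E": set(), "I": set(), "P": set(), "L": set()}
            procs[int(m.group(1))] = current
            continue
        m = _PRIVSET.match(line)
        if m and current is not None:
            names = m.group(2).strip()
            # ppriv prints "none" for an empty set; a literal "all" is kept as a
            # single marker name, which no baseline allows, so it gets flagged.
            current[m.group(1)] = set() if names == "none" else set(names.split(","))
    return procs


def excess_privileges(procs, baseline):
    """Map pid -> sorted privileges in E or P that the baseline does not allow.

    An executable with no baseline entry gets an empty allow set, so every
    privilege it holds is reported: unknown privileged processes need review.
    """
    findings = {}
    for pid, proc in procs.items():
        extra = (proc["E"] | proc["P"]) - baseline.get(proc["cmd"], set())
        if extra:
            findings[pid] = sorted(extra)
    return findings


if __name__ == "__main__":
    for pid, extra in excess_privileges(parse_ppriv(SAMPLE_PPRIV), BASELINE).items():
        print(f"pid {pid}: privileges beyond baseline: {', '.join(extra)}")
```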
Strong Isolation and Resource Control
(Table: isolation technologies by mechanism, hardware platform and number of operating system instances)
• Hard Partitions – multiple OSes – SPARC M-Series: Oracle Dynamic Domains
• Hypervisor Mediation – multiple OSes – SPARC T-Series, x86/x64: Oracle VM Server for SPARC, Oracle VM Server for x86, Oracle VM VirtualBox
• Kernel Separation – single OS – SPARC T-Series, SPARC M-Series, x86/x64: Oracle Solaris Containers (Zones + SRM), Oracle Solaris Trusted Extensions, Oracle Solaris 8 and 9 Containers
Strong Isolation and Resource Control
Oracle Solaris Containers
(Diagram: one operating system instance on a (virtual) server hosting several isolated containers, each running a service or a DB server.)
• Multiple, independent services
• File, network, user, process, and resource isolation
• Security protections
• Single operating system instance
• Centralized management and monitoring
Strong Isolation and Resource Control
Oracle Solaris Containers Example
(Diagram: as on the previous slide; the configuration of the ozone container follows.)
$ pfexec zonecfg -z ozone info
zonename: ozone
zonepath: /export/zones/ozone
[…]
[max-lwps: 300]
[cpu-shares: 100]
fs:
dir: /etc/security/audit_control
type: lofs
options: [ro, nosuid, nodevices]
[…]
inherit-pkg-dir:
dir: /lib
inherit-pkg-dir:
dir: /platform
inherit-pkg-dir:
dir: /sbin
inherit-pkg-dir:
dir: /usr
[…]
Each Container can have its own defined set of resources, file systems, network interfaces, etc.
Comprehensive Monitoring
Oracle Solaris Auditing
• Integration with the Solaris kernel enables fine-grained introspection
• Configurable audit policy at both the system and user level
• Captured events include administrative actions, commands, syscalls
• Audit logs can be exported as binary, text, or XML files
• Containers can be audited from within the global zone
Comprehensive Monitoring
Oracle Solaris Auditing Example
Event: profile command
time: 2010-09-08 11:56:11.511 -04:00 vers: 2 mod: host: quasar
SUBJECT audit-uid: gbrunett uid: root gid: joe ruid: joe pid: 5015
sid: 685 tid: 0 0 quasar
PATH: /usr/sbin/reboot
CMD
PROCESS: audit-uid: gbrunett uid: root gid: joe ruid: root rgid:
joe pid: 5015 sid: 685 tid: 0 0 quasar
RETURN errval: success retval: 0
ZONE name: ozone
[…]
Event: reboot(1m)
time: 2010-09-08 11:56:11.522 -04:00 vers: 2 mod: host: quasar
SUBJECT: audit-uid: gbrunett uid: root gid: joe ruid: root rgid:
joe pid: 5015 sid:685 tid: 0 0 quasar
RETURN errval: success retval: 0
ZONE name: ozone
Activity is captured retaining the ID of the original actor.
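The following Python, added here and not part of the original presentation, parses audit records in the text layout the slide shows and groups every action that ran with uid root by the audit-uid that started it, so the real actor stays attributable even after a profile or role switch; the records are constructed after the slide's two events, and the third record, its zone and the user name dba1 are invented.

```python
"""Attribute root-level actions to the real user from Solaris audit records.

Added example, not code from the presentation. Parses records in the
text layout shown on the slide (Event, time, SUBJECT, optional PATH,
RETURN and ZONE lines, records separated by a blank line) and groups
actions run as uid root by the audit-uid that started them.
"""
import re

# Constructed after the slide's records; the third record is invented.
SAMPLE_AUDIT = """\
Event: profile command
time: 2010-09-08 11:56:11.511 -04:00 vers: 2 mod: host: quasar
SUBJECT audit-uid: gbrunett uid: root gid: joe ruid: joe pid: 5015 sid: 685 tid: 0 0 quasar
PATH: /usr/sbin/reboot
RETURN errval: success retval: 0
ZONE name: ozone

Event: reboot(1m)
time: 2010-09-08 11:56:11.522 -04:00 vers: 2 mod: host: quasar
SUBJECT: audit-uid: gbrunett uid: root gid: joe ruid: root rgid: joe pid: 5015 sid:685 tid: 0 0 quasar
RETURN errval: success retval: 0
ZONE name: ozone

Event: profile command
time: 2010-09-08 12:03:40.017 -04:00 vers: 2 mod: host: quasar
SUBJECT: audit-uid: dba1 uid: root gid: dba ruid: dba1 pid: 5201 sid: 702 tid: 0 0 quasar
PATH: /usr/sbin/svcadm
RETURN errval: success retval: 0
ZONE name: global
"""

_KV = re.compile(r"([\w-]+):\s*(\S+)")  # "audit-uid: gbrunett uid: root ..."


def parse_records(text):
    """Split the audit text into one dict per Event block."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {"event": None, "time": None, "subject": {}, "path": None,
               "errval": None, "zone": None}
        for line in block.splitlines():
            tag, _, rest = line.partition(" ")
            tag, rest = tag.rstrip(":"), rest.strip()  # "SUBJECT" and "SUBJECT:" both occur
            if tag == "Event":
                rec["event"] = rest
            elif tag == "time":
                rec["time"] = " ".join(rest.split()[:2])  # keep date and time, drop offset
            elif tag == "SUBJECT":
                rec["subject"] = dict(_KV.findall(rest))
            elif tag == "PATH":
                rec["path"] = rest
            elif tag == "RETURN":
                rec["errval"] = dict(_KV.findall(rest)).get("errval")
            elif tag == "ZONE":
                rec["zone"] = dict(_KV.findall(rest)).get("name")
        records.append(rec)
    return records


def root_actions_by_real_user(records):
    """Group (time, zone, event, path) of actions run as uid root by audit-uid.

    The audit-uid is fixed at login and survives profile execution and role
    assumption, so the report names the person even where uid says root.
    """
    by_user = {}
    for rec in records:
        subj = rec["subject"]
        if subj.get("uid") != "root":
            continue
        by_user.setdefault(subj.get("audit-uid"), []).append(
            (rec["time"], rec["zone"], rec["event"], rec["path"]))
    return by_user


if __name__ == "__main__":
    for user, actions in root_actions_by_real_user(parse_records(SAMPLE_AUDIT)).items():
        for when, zone, event, path in actions:
            print(f"{when} zone={zone} {user} -> root: {event} {path or ''}")
```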
Assembling the Pieces
(Diagram, built up over slides 22 to 30: an Oracle VM for SPARC hypervisor hosts a control domain and a guest domain that is also the Solaris global zone. The guest domain is hardened with Package Minimization, Secure by Default / Network Hardening, Resource Control and Auditing; inside it, a Container is governed by User Rights Management and Process Rights Management.)
Just the Tip of the Iceberg
• ZFS Data Security and Integrity
– Ensures end-to-end data integrity by design
– Delivers delegated administration, fine-grained access control, and hierarchical enforcement
• Unified Cryptographic Framework
– Enables hardware acceleration of algorithms
– Integrates with PKCS#11, JCE, OpenSSL, etc.
• Service Management Facility
– Provides unified way to describe, manage and execute services
• Trusted Extensions
– Enforces multi-level security access control policies
Oracle Database Security
Defense-in-Depth
Access Control
• Oracle Database Vault
• Oracle Label Security
Encryption and Masking
• Oracle Advanced Security
• Oracle Secure Backup
• Oracle Data Masking
Auditing and Tracking
• Oracle Audit Vault
• Oracle Configuration Management
• Oracle Total Recall
Blocking and Monitoring
• Oracle Database Firewall
Complete Set of Secure and Proven Solutions
• Transparency, Governance, and Compliance
• Comprehensive Information Protection and Monitoring
• Security-Enhanced Service Delivery Platforms
• Secure Service Oriented Architectures
• End-to-End Identity and Access Management
• Flexible and Strong Workload Isolation
• Integrated High-Performance Cryptography
• Tamper Resistant Key Storage
For More Information…
Oracle Database Security Hands-on-Labs
• Thursday
– Advanced Security 12:00PM | Marriott Marquis, Salon 10 / 11
– Audit Vault 1:30PM | Marriott Marquis, Salon 10 / 11
