150 likes | 167 Views
Survivable Network Analysis. Oracle Financial Management Services Ali Ardalan Qianming “Michelle” Chen Yi Hu Jason Milletary Jian Song. Overview. Essential User Capabilities Summary of Essential Components Firewall Type Essential Components Diagram Essential Scenarios
E N D
Survivable Network Analysis Oracle Financial Management Services Ali Ardalan Qianming “Michelle” Chen Yi Hu Jason Milletary Jian Song SNA, Step 2, 10/31
Overview • Essential User Capabilities • Summary of Essential Components • Firewall Type • Essential Components Diagram • Essential Scenarios • Essential Component Details • Next Steps SNA, Step 2, 10/31
Essential User Capabilities • Essential Capabilities performed by 300 dedicated users • Dedicated users must have access to financial service applications • Core Financial Applications • Application Desktop Integrator Applications • Feeder systems must integrate with financial applications • Primary actions performed by users are: • Billing, reporting & reconciliation of budgets and expenses SNA, Step 2, 10/31
Summary of Essential Components • Kerberos Domain Controller (authentication) • Acis.as.cmu.edu (public access points) • Mistral (db server) • Tandem (print & e-mail) • Chinook (backup server) SNA, Step 2, 10/31
Logical Proxy (Application Gateway) Firewall • Restricts traffic based upon packet content • Application specific Acis.as. cmu.edu (Sun Sparc Cluster) SCP Oracle Connection Mgr. HTTPS SSH … CAMPUS NETWORK PRIVATE NETWORK Tandem LPR (print) SMTP (e-mail) SSH (External) (Internal) SNA, Step 2, 10/31
Essential Components Diagram Mistral (databse server) Kerberos Domain Contriller O. DB O. Listener O. Forms Kerberos … HTTP SQL Net CITRIX FTP LPR (print) SMTP (e-mail) SSH Acis.as. cmu.edu (Sun Sparc Cluster) SCP Oracle Connection Mgr. CAMPUS NETWORK Chinook (Backup) HTTPS SSH … O. DB O. Listener O. Forms … HTTP SQL Net CITRIX FIBER Tandem LPR (print) SMTP (e-mail) FTP LPR (print) SMTP (e-mail) SSH SSH Cyert Computer Center SNA, Step 2, 10/31 6555 Penn Ave
Essential Components [1] • Acis.as.cmu.edu: • Cluster of Sun Sparc Servers • Public Access Points • Support services • Oracle Connection Manager • HTTP, Telnet, FTP, HTTPS(some Kerberos authenticated) • SCP (Secure Copy Protocol – unix) • SSH • Web DB, Big Brother (Monitoring software), … SNA, Step 2, 10/31
Essential Components [2] • Mistral: Database Server • Hosts main Oracle Server: • HTTP • Oracle Listeners, Names, Database • CITRIX Application Server • NFS(data sharing), • SMTP (e-mail) • LPR (printer) & Fs (other printer) • SQL net, FTP, SSH(file upload)… SNA, Step 2, 10/31
Essential Components [3] • Tandem • Print & E-mail gateway • No user accounts on this machine • Services provided: • SSH (Administrator Connections) • LPD (Printing) • SMTP (email) SNA, Step 2, 10/31
Essential Components [4] • Chinook • Disaster Recovery Machine: standby database • Located offsite at 6555 Penn Ave. • Test & Development machine • Mirroring of Development database every 5-minutes • Existing passive fiber link between campus and this location. • Exact Same HW & SW as Mistral SNA, Step 2, 10/31
Essential Scenarios – Budget Spreadsheet Mistral (Databse Server) Kerberos Domain Contriller Kerberos HTTP CITRIX O. Listener (out) O. DB O. Forms Acis.as. cmu.edu (Sun Sparc Cluster) HTTPS Oracle Connection Mgr. CAMPUS NETWORK SCP Tandem LPR (print) SMTP (e-mail) SSH SNA, Step 2, 10/31
Essential Scenarios – Feeder System Mistral (Database Server) Kerberos Domain Contriller Kerberos Secure Directory HTTP O. Listener LPR (print) O. DB O. Forms Acis.as. cmu.edu (Sun Sparc Cluster) SMTP (e-mail) HTTPS Oracle Connection Mgr. CAMPUS NETWORK SCP Tandem LPR (print) SMTP (e-mail) SSH SNA, Step 2, 10/31
Essential Components – DB Mirroring Mistral (Database Server) Chinook (Backup) O. DB O. DB O. Mirroring Software O. Mirroring Software Automatic mirroring of development database changes every 5-minutes SNA, Step 2, 10/31
Ongoing Steps • Client & Users • 3rd client meeting to verify essential services and components • On-going interviews of Business Managers with and w/o feeder systems • Within Our Group • Development of potential intrusion detection scenarios & attacker profiles • Identify compromisable components • Physical visit to 6555 Penn Ave. Backup facility SNA, Step 2, 10/31
A potential security threat • Business Managers: • 30+ business managers • SCS, MCS, CIT, etc… • Determine exactly who is able to obtain various forms of access to areas of the oracle financial system • For example, MCS: • College Manager • 7 Business Managers • Provide access to 2-3 individuals (regular users) SNA, Step 2, 10/31