Database Security – VPD, Audit
Dr. Mario Guimaraes
Class Will Start Momentarily…
VPD - Definition
Ex.: SELECT * FROM Emp;
-- becomes
SELECT * FROM Emp WHERE Emp.Name = USER;
VPD – Update Example
UPDATE EmployeeView SET ext = 777;
1 row updated.
Virtual Private Databases
• VPD security provides a new way to control access to Oracle data.
• One schema, several virtual schemas.
• Dynamic nature of a VPD: at runtime, the DBMS modifies the SQL statement to add the security predicate.
Burleson, Donald (2003), "Establish security policy with Oracle virtual private database", http://www.dba-oracle.com/art_builder_vpd.htm
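The three VPD slides above (definition, update example, dynamic rewrite) as one worked example. This is an added illustration, not code from the lecture or from Burleson's article; it assumes a table HR.EMP whose ENAME values are database user names, a user SCOTT who can read and update it, and the invented policy name EMP_OWN_ROW_POLICY. The policy function has the signature Oracle's DBMS_RLS expects and returns the predicate that the DBMS appends at parse time.

```sql
-- Added example (not from the lecture). Assumed objects: HR.EMP(ename, ext),
-- database user SCOTT, and the policy name EMP_OWN_ROW_POLICY.
CREATE TABLE hr.emp (ename VARCHAR2(30), ext NUMBER);
INSERT INTO hr.emp VALUES ('SCOTT', 100);   -- constructed sample rows
INSERT INTO hr.emp VALUES ('KING',  200);
COMMIT;

-- VPD policy function: Oracle calls it with the schema and object name and
-- uses the returned string as the WHERE clause it adds at runtime.
CREATE OR REPLACE FUNCTION hr.emp_own_row_pred (
    p_schema IN VARCHAR2,
    p_object IN VARCHAR2)
  RETURN VARCHAR2
IS
BEGIN
  -- SESSION_USER is the authenticated database user (the slide's "User")
  RETURN 'ename = SYS_CONTEXT(''USERENV'', ''SESSION_USER'')';
END;
/

BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'EMP',
    policy_name     => 'EMP_OWN_ROW_POLICY',
    function_schema => 'HR',
    policy_function => 'EMP_OWN_ROW_PRED',
    statement_types => 'SELECT, INSERT, UPDATE, DELETE',
    update_check    => TRUE);   -- also check the row AFTER an INSERT/UPDATE
END;
/

-- Connected as SCOTT, the rewrite is invisible to the application:
SELECT ename, ext FROM hr.emp;
-- is executed as
-- SELECT ename, ext FROM hr.emp
--  WHERE ename = SYS_CONTEXT('USERENV', 'SESSION_USER');
-- and returns only the SCOTT row.

-- The slide's update: no WHERE clause, but only the caller's own row changes.
UPDATE hr.emp SET ext = 777;
-- 1 row updated

-- update_check => TRUE makes Oracle reject a change that would move the
-- row outside the caller's own view (ORA-28115: policy with check option violation).
UPDATE hr.emp SET ename = 'KING';
```

Two caveats a practitioner should keep in mind: SYS and any user holding the EXEMPT ACCESS POLICY privilege bypass VPD entirely, so that privilege deserves the same scrutiny as DBA, and the policy function must not itself query the protected table, or the recursive policy evaluation fails.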
Oracle Label Security
• Simulates a multilevel database.
• Adds a field to each row to store the row’s sensitivity label.
• Access is granted (or denied) by comparing the user’s identity and security clearance label with the row’s sensitivity label.
• A label contains LEVEL, COMPARTMENT and GROUP.
LABEL has 3 Components
• level: mandatory, simple hierarchy
• compartment: optional, non-hierarchical
• group: optional, tree-level hierarchy
• OLS compares the user’s security clearance with the sensitivity label assigned to the data.
• IF a label contains all 3 components, THEN the user’s security clearance must be >= the data sensitivity level, must contain all of the data’s compartments, and must contain at least one of its groups.
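The comparison rule on this slide, carried through in PL/SQL so the three checks can be seen in order. This is an added illustration, not Oracle Label Security code: real OLS stores labels as numeric tags and evaluates them inside the kernel, and its parent/child group hierarchy is not modelled here; the function below implements exactly the slide's rule (level, then all compartments, then at least one group) over a simple label representation. The type name NAME_SET and the function name CLEARANCE_DOMINATES are assumptions.

```sql
-- Added illustration (not OLS code). Labels are represented as a level number
-- plus two nested tables of names; NAME_SET and CLEARANCE_DOMINATES are invented.
CREATE OR REPLACE TYPE name_set AS TABLE OF VARCHAR2(30);
/

CREATE OR REPLACE FUNCTION clearance_dominates (
    user_level  IN NUMBER, user_comps IN name_set, user_groups IN name_set,
    data_level  IN NUMBER, data_comps IN name_set, data_groups IN name_set)
  RETURN BOOLEAN
IS
  l_missing_comps name_set;
  l_shared_groups name_set;
BEGIN
  -- 1. level (mandatory): clearance level must be >= the data's sensitivity level
  IF user_level < data_level THEN
    RETURN FALSE;
  END IF;

  -- 2. compartments (optional): every compartment on the data must be held
  IF data_comps IS NOT NULL AND data_comps.COUNT > 0 THEN
    IF user_comps IS NULL THEN
      RETURN FALSE;
    END IF;
    l_missing_comps := data_comps MULTISET EXCEPT user_comps;
    IF l_missing_comps.COUNT > 0 THEN
      RETURN FALSE;
    END IF;
  END IF;

  -- 3. groups (optional): at least one of the data's groups must be held
  IF data_groups IS NOT NULL AND data_groups.COUNT > 0 THEN
    IF user_groups IS NULL THEN
      RETURN FALSE;
    END IF;
    l_shared_groups := data_groups MULTISET INTERSECT user_groups;
    IF l_shared_groups.COUNT = 0 THEN
      RETURN FALSE;
    END IF;
  END IF;

  RETURN TRUE;
END;
/

SET SERVEROUTPUT ON
-- Constructed data label: level 2 (SECRET), compartment FIN, groups EAST and WEST
DECLARE
  l_data_level  NUMBER   := 2;
  l_data_comps  name_set := name_set('FIN');
  l_data_groups name_set := name_set('EAST', 'WEST');

  PROCEDURE show (p_who IN VARCHAR2, p_ok IN BOOLEAN) IS
  BEGIN
    DBMS_OUTPUT.PUT_LINE(p_who || ': ' || CASE WHEN p_ok THEN 'allowed' ELSE 'denied' END);
  END;
BEGIN
  -- level 3, holds FIN and HR, member of EAST: all three checks pass
  show('analyst', clearance_dominates(3, name_set('FIN', 'HR'), name_set('EAST'),
                                      l_data_level, l_data_comps, l_data_groups));
  -- level 3 but lacks the FIN compartment: denied by check 2
  show('director', clearance_dominates(3, name_set('HR'), name_set('EAST'),
                                       l_data_level, l_data_comps, l_data_groups));
  -- holds FIN but belongs to neither EAST nor WEST: denied by check 3
  show('auditor', clearance_dominates(2, name_set('FIN'), name_set('NORTH'),
                                      l_data_level, l_data_comps, l_data_groups));
  -- level too low, even though compartments and groups match: denied by check 1
  show('clerk', clearance_dominates(1, name_set('FIN'), name_set('WEST'),
                                    l_data_level, l_data_comps, l_data_groups));
END;
/
```

The ordering matters for the "higher level, more refined than VPD" point on the next slide: the level check is a strict hierarchy, the compartment check is a set-containment test with no ordering among compartments, and the group check is satisfied by any one match.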
OLS Conclusion
• Built on top of VPD.
• Higher level, more refined than VPD.
• Built around row-level security; not much for column-level security.
Auditing
• Auditing all actions by all users on all data is not an option, due to performance.
• Define an access policy as the center of your DB auditing.
Where is the threat?
• Most computer security money is spent on prevention.
• Most loss is from insider activity (around 80%).
• Intrusion detection is the art of detecting and responding to computer misuse.
Defense in Depth
• The security professional must succeed 100% of the time; the hacker needs to succeed only once.
• DB security must be part of a defense-in-depth strategy, including firewalls, VPN, IDS/IPS, etc.
• The DB should not be accessed directly from the outside world; there should be a DMZ.
• DB application security.
• Cryptography - PKI.
Track Logins
• Through tracking tools, you must audit the network database connections.
• Track the IP addresses the connections are coming from.
• Track the tools and versions being used to connect.
• Compare tools and versions with network locations.
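One way to do the tracking this slide asks for inside the database itself, as an added example that is not part of the lecture: a logon trigger records where each connection comes from and which client tool it reports, and a query compares that record against a table of expected tool/network pairings. The schema SEC, the tables CONN_LOG and ALLOWED_CONN, and the trigger name are assumptions; the SYS_CONTEXT attributes are standard Oracle USERENV attributes.

```sql
-- Added example (not from the lecture). Assumed names: schema SEC, tables
-- SEC.CONN_LOG and SEC.ALLOWED_CONN, trigger SEC.TRG_TRACK_LOGON.
CREATE TABLE sec.conn_log (
  logon_time   TIMESTAMP DEFAULT SYSTIMESTAMP,
  db_user      VARCHAR2(128),
  os_user      VARCHAR2(128),
  client_ip    VARCHAR2(45),
  client_host  VARCHAR2(128),
  client_tool  VARCHAR2(64),    -- MODULE as reported by the client program
  auth_method  VARCHAR2(64)
);

-- A DATABASE-level logon trigger needs ADMINISTER DATABASE TRIGGER; if its
-- INSERT fails, non-SYSDBA logons fail with it, so keep the table simple.
CREATE OR REPLACE TRIGGER sec.trg_track_logon
  AFTER LOGON ON DATABASE
BEGIN
  INSERT INTO sec.conn_log
    (db_user, os_user, client_ip, client_host, client_tool, auth_method)
  VALUES
    (SYS_CONTEXT('USERENV', 'SESSION_USER'),
     SYS_CONTEXT('USERENV', 'OS_USER'),
     SYS_CONTEXT('USERENV', 'IP_ADDRESS'),   -- NULL for local (bequeath) connections
     SYS_CONTEXT('USERENV', 'HOST'),
     SYS_CONTEXT('USERENV', 'MODULE'),       -- client-supplied, so treat as a hint
     SYS_CONTEXT('USERENV', 'AUTHENTICATION_METHOD'));
END;
/

-- Constructed access matrix: which client tool is expected from which network.
-- IP_PREFIX is a plain string prefix here (constructed subnets).
CREATE TABLE sec.allowed_conn (
  client_tool VARCHAR2(64),
  ip_prefix   VARCHAR2(45)
);
INSERT INTO sec.allowed_conn VALUES ('JDBC Thin Client', '10.1.');  -- app servers
INSERT INTO sec.allowed_conn VALUES ('SQL*Plus',         '10.9.');  -- DBA workstations
COMMIT;

-- The slide's comparison: connections whose tool/network pairing has no
-- entry in the matrix (an application tool from a workstation subnet, a
-- DBA tool from the application tier, or a tool not listed at all).
SELECT l.logon_time, l.db_user, l.os_user, l.client_ip, l.client_tool
  FROM sec.conn_log l
 WHERE NOT EXISTS (SELECT 1
                     FROM sec.allowed_conn a
                    WHERE a.client_tool = l.client_tool
                      AND l.client_ip LIKE a.ip_prefix || '%')
 ORDER BY l.logon_time DESC;
```

MODULE, OS_USER and HOST are all set by the client and can be altered by anyone who controls the client, so the trustworthy fields are IP_ADDRESS and AUTHENTICATION_METHOD; the client-supplied fields are useful for spotting the unexpected, not for proving the expected. Client driver versions are not exposed through SYS_CONTEXT; the V$SESSION_CONNECT_INFO view reports them for live sessions.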
Check Unnecessary Libraries
• In today’s networks almost everyone uses TCP/IP.
• Don’t make the other network protocols (IPX/SPX, NetBIOS, etc.) available if you don’t need them.
Track Passwords
• Password of the Oracle account: procedures that verify that the user has a strong password.
• Check for passwords in application configuration files.
• In Oracle, by default you don’t need a password to run lsnrctl.exe. Verify that a password is required to activate the listener; otherwise create one using Oracle Net Manager. Otherwise, somebody can hijack the listener and prevent future connections by 1) installing Oracle on their local machine, 2) updating the listener.ora file on the local machine to include access to the remote server, 3) from the OS prompt: “lsnrctl stop”.
DB Application
• Hide application code.
• Check for possibilities of SQL injection for each user input.
• Granular access: use VPD / Label Security.
• Use stored procedures. Disable external procedures and extended stored procedures.
• Check for and monitor database links (DDB).
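The SQL injection and stored-procedure bullets above, as an added example that is not from the lecture: the same lookup written three ways in PL/SQL, the first of which is the defect the slide tells you to check for. It assumes the table HR.EMP(ename, ext) and an application account APP_USER; the function names are invented.

```sql
-- Added example (not from the lecture). Assumed: HR.EMP(ename, ext), user APP_USER.

-- Vulnerable form: the caller's value is concatenated into the statement text,
-- so whatever it contains is parsed as SQL. This is the pattern to look for
-- in every code path that takes user input into dynamic SQL.
CREATE OR REPLACE FUNCTION hr.get_ext_unsafe (p_name IN VARCHAR2) RETURN NUMBER IS
  l_ext NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT ext FROM hr.emp WHERE ename = ''' || p_name || ''''
    INTO l_ext;
  RETURN l_ext;
END;
/

-- Hardened form: the value travels as a bind variable and is never parsed
-- as part of the statement.
CREATE OR REPLACE FUNCTION hr.get_ext (p_name IN VARCHAR2) RETURN NUMBER IS
  l_ext NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT ext FROM hr.emp WHERE ename = :name'
    INTO l_ext
    USING p_name;
  RETURN l_ext;
END;
/

-- Preferred form: static SQL inside the stored procedure needs no dynamic SQL
-- at all, which is what the slide's "use stored procedures" buys you.
CREATE OR REPLACE FUNCTION hr.get_ext_static (p_name IN VARCHAR2) RETURN NUMBER IS
  l_ext NUMBER;
BEGIN
  SELECT ext INTO l_ext FROM hr.emp WHERE ename = p_name;
  RETURN l_ext;
END;
/

-- When an identifier (table or column name) rather than a value must be
-- dynamic, it cannot be bound; validate it instead. DBMS_ASSERT.SIMPLE_SQL_NAME
-- raises ORA-44003 for anything that is not a plain SQL name.
CREATE OR REPLACE FUNCTION hr.count_rows (p_table IN VARCHAR2) RETURN NUMBER IS
  l_count NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM hr.' || DBMS_ASSERT.SIMPLE_SQL_NAME(p_table)
    INTO l_count;
  RETURN l_count;
END;
/

-- Granular access: the application gets EXECUTE on the procedure, not SELECT
-- on the table, so the only query it can run is the one the procedure contains.
GRANT EXECUTE ON hr.get_ext_static TO app_user;
```

Definer's-rights procedures (the default) run with the owner's privileges, which is what makes the GRANT EXECUTE model work; it also means a concatenating procedure such as GET_EXT_UNSAFE hands the owner's privileges to whoever controls the input, which is why the review the slide calls for has to cover stored code and not only the application tier.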
Intrusion Detection (ID)
• Deterrence (we will find out what you did and catch you)
• Detection
  • Misuse detection, based on known patterns of attack (signatures)
  • Anomaly detection (profile of expected behavior)
  • patterns of acceptable behavior
  • patterns of known misbehavior
Auditing
• Check the logs to see whether all access that has occurred corresponds to the accessibility matrix.
• Check logs, the data dictionary, triggers and stored procedures for suspicious activities.
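The two auditing slides (an access policy at the center of auditing, and checking the logs against the accessibility matrix) as one added example, not from the lecture. It uses Oracle fine-grained auditing so that only the accesses the policy cares about are recorded, which is the performance point made earlier, then compares the audit trail with a matrix of expected access and finishes with the data-dictionary checks for recently changed stored code and database links. Assumed: a SALARY column on HR.EMP, the policy name EMP_SALARY_ACCESS, and the constructed table SEC.ACCESS_MATRIX.

```sql
-- Added example (not from the lecture). Assumed: HR.EMP has a SALARY column;
-- policy name EMP_SALARY_ACCESS and table SEC.ACCESS_MATRIX are invented.

-- The access policy: audit only statements that touch SALARY and that
-- return or change rows above the threshold, not every read of EMP.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'EMP',
    policy_name     => 'EMP_SALARY_ACCESS',
    audit_column    => 'SALARY',
    audit_condition => 'SALARY > 100000',
    statement_types => 'SELECT, UPDATE',
    enable          => TRUE);
END;
/

-- The accessibility matrix: who is expected to touch which object.
CREATE TABLE sec.access_matrix (
  db_user       VARCHAR2(128),
  object_schema VARCHAR2(128),
  object_name   VARCHAR2(128)
);
INSERT INTO sec.access_matrix VALUES ('PAYROLL_APP', 'HR', 'EMP');  -- constructed
COMMIT;

-- Slide check 1: audited access with no corresponding matrix entry.
SELECT t.timestamp, t.db_user, t.os_user, t.userhost,
       t.object_schema, t.object_name, t.statement_type, t.sql_text
  FROM dba_fga_audit_trail t
 WHERE t.policy_name = 'EMP_SALARY_ACCESS'
   AND NOT EXISTS (SELECT 1
                     FROM sec.access_matrix m
                    WHERE m.db_user       = t.db_user
                      AND m.object_schema = t.object_schema
                      AND m.object_name   = t.object_name)
 ORDER BY t.timestamp DESC;

-- Slide check 2: data dictionary. Triggers and stored code changed in the
-- last week are where an inserted backdoor or a modified policy function
-- would show up; LAST_DDL_TIME is maintained by the dictionary itself.
SELECT owner, object_name, object_type, last_ddl_time
  FROM dba_objects
 WHERE object_type IN ('TRIGGER', 'PROCEDURE', 'FUNCTION',
                       'PACKAGE BODY', 'TYPE BODY', 'DATABASE LINK')
   AND last_ddl_time > SYSDATE - 7
 ORDER BY last_ddl_time DESC;

-- Database links (the "monitor DDB" bullet): every link is a path out of
-- this database, and a link with a stored password is a credential at rest.
SELECT owner, db_link, username, host, created
  FROM dba_db_links
 ORDER BY owner, db_link;
```

The audit trail is itself a target: a user with DELETE on the audit table, or SYSDBA, can remove the evidence, so the trail should be copied off the database on a schedule and the matrix comparison run against that copy as well.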
Exam available at http://science.kennesaw.edu/~mguimara/8630/t3Summer2007.doc Please turn it in by July 29th.
Literature
• Sam Afyouni, Database Security and Auditing: Protecting Data Integrity and Accessibility. Course Technology, 2005. ISBN 0-619-21559-3.
• David C. Knox, Effective Oracle Database 10g Security by Design. McGraw-Hill, 2004. ISBN 0-07-223130-0.
End of Lecture
End of Today’s Lecture.