Oracle数据库安全架构讲述.pptx

Oracle Database Maximum Security Architecture Protecting Critical Data Assets [CON8803] Scott Rotondo Consulting MTS Oracle Database Security October 27, 2015 Copyright ? 2015, Oracle and/or its affiliates. All rights reserved. | 3 Your Database – An Irresistible Target 4 Simplified Application Model Apps Users Storage Administrators Test/Dev Copy Exploit Application Bypass ApplicationExploit Database Abuse Privileged Accounts Bypass Database Access Exported Data 5 Attack #1: Exploit the Application Get the application to reveal information that wasn’t intended How can this happen? Bug in the application’s access control logic SQL injection Exploits the application’s privileges to read and write the database Defenses Data Redaction limits sensitive data handled by the application Database Firewall examines SQL from the application and blocks abnormal statements 6 Oracle Advanced Security Redaction Identify sensitive data, possibly using Enterprise Manager Best for data that is displayed but not interpreted by application Prevents compromise due to application bugs and protects all applications that use the same data Credit Card # 5105-1051-0510-5100 4012-8888-8888-1881 5454-5454-5454-5454 Policy Application Authorized Display Redacted Display 7 Oracle Database Firewall Differentiates normal SQL statements used by application vs abnormal SQL from attacker Uses SQL parser, not just regular expressions, to recognize statements Start by monitoring unexpected SQL Later move to blocking Whitelist of expected statements for maximum security Also supports blacklist policies 8 Apps Database Firewall Reports Alerts Policies Events Users Attack #2: Bypass the Application / Exploit the Database Connect to the database and access the data directly Bypasses any controls enforced by the application Defenses Harden and monitor the database configuration Implement access control in the database Virtual Private Database uses policy functions to filter data rows Real Application Se