ORACLEDatabase及Application安全防范-聚硕.ppt

confidential 從帳號整合談 ORACLE 環境的安全防護 林立棕, 聚碩科技 Feb 2006 Agenda Enabling Trust for e-Business Oracle Security Solutions Oracle Advanced Security Option Oracle Application Server Security 強化 Oracle DB 以AP 環境的安全性 RSA SecurID RSA ClearTrust RSA Keon 加強 e-Business 的安全性 “It’s what we do” Oracle Security Solutions Oracle Database Security Advanced Security Option (ASO) 網路資料加密 Strong Authentication(強認證) 使用者安全性控制 Row Level Access Control Virtual Private Database Oracle Label Security 資料庫使用稽核 Regular Auditing SYS User Auditing Fine Grained Auditing 資料加密 Obfuscation toolkit Oracle Database Security Advanced Security Option (ASO) Network Encryption Strong Authentication Enterprise User Security and Directory Integration Network Encryption Solutions 在 2-tier 和 3-tier 架構中, 提供資料傳輸加密 Oracle Advanced Security 提供了多種不同的加密演算法 RSA RC4 (40-, 56-, 128-, and 256-bit keys) DES, 3DES Provides integrity algorithms (MD5, SHA-1) AES (Advanced Encryption Standard) No modification of existing program/apps needed. Negligible performance hit 0.6 sec for cleartext 0.7 sec for RC4-encrypted text 0.8 sec for DES-encrypted text Authentication Models 資料庫層級的認證 CREATE USER scott IDENTIFIED BY tiger 和作業系統整合的認證 REMOTE_OS_AUTHENT=TRUE 和第三方認證系統整合的認證 CREATE USER scott IDENTIFIED EXTERNALLY SQLNET.AUTHENTICATION_SERVICES= (RADIUS) 目錄服務系統整合 CREATE USER scott IDENTIFIED GLOBALLY AS ‘external name’ 認證的方式 透過第三方認證系統的整合, 提供加強型的認證(Strong authentication) Kerberos RADIUS (Remote Dial-In User Service) Smart cards, biometrics RSA SecurID One Time Password DCE (Distributed Computing Environment) 和 PKI 整合的認證方案 X.509v3 certificates 使用者帳號管理的挑戰 如何簡化帳號管理? 問題: 太多密碼 解決方案 : 單一登入(single sign-on) Kerberos X.509 certificates 降低使用者登入的複雜度 簡化帳號管理的工作 Oracle Application Server Internet Directory Scalability Millions of users 1000’s of simultaneous clients High availability Multi-master replication Hot backup/recovery, RAC, etc. Security Comprehensive password policy Role / policy based access control Audit Extensib