I work for a company that provides DB support (WWW.DBCORP.COM) consulting services, so I thought I would pass your question on to our DBA team to see if they had an answer for you. This is what I got for a reply. Hope it helps.
 
 

Very briefly:

ORACLE SECURITY SERVER

Provides:

Framework for security and single sign-on.

Authentication and authorization of users, web servers, and servers.

Management of users' identities and privileges.

Authentication and authorization using cryptography.

It can ensure:

Data Privacy - data is not disclosed or stolen.

Data Integrity - data is not modified or disrupted during transmission.

Data Disruption - a command can be sent several times.

Authentication - Confidence that users' identities are known.

Authorization - Permitting a user to access an object.

ORACLE ADVANCED NETWORKING OPTION (ANO)

Can be implemented to counter network security risks. It ensures data integrity through cryptographic checksums using the MD5 algorithm. It ensures data privacy through encryption. Oracle 8.0.3 provides the 40-bit, 56-bit and 128-bit RSA RC4 algorithms, as well as the 40-bit and 56-bit DES algorithms. It provides authentication ability through Oracle authentication adapters that support third-party authentication services such as Kerberos, CyberSAFE Challenger, SecurID and Identix TouchNet II.

ANO enables:

Data Encryption:

A technique that scrambles data using a key. Data cannot be unscrambled without the key. Special hardware is used to encrypt data.

Algorithms used:

DES: Data Encryption Standard

RSA RC4: developed by RSA Data Security, Inc.

Key lengths used:

DES 56 bits

DES 40 bits

RC4 128 bits

RC4 56 bits

RC4 40 bits

Cryptographic Checksumming:

Function of Sequencing: Labels each packet A, B, C before transmitting it. When a packet arrives, the server checks whether the packet is in order.

Function of MD5 Algorithm: Makes a hash calculation on the contents of each packet. Records the value at the end of the packet.

Authentication Mechanisms:

Network Authentication services provide secure, centralized authentication of users and servers (ACE/Server, Kerberos, CyberSAFE)

Single Sign-On = Users can access multiple accounts and applications with a single password. Eliminates the need for multiple passwords for users, simplifies management of user accounts.

Authentication Adapters integrate below the Net8 interface and allow existing applications to take advantage of new authentication systems without any changes to the application.

Kerberos - third-party authentication system that relies on shared secrets. Provides sign-on capabilities, centralized password storage, database link authentication, and enhanced PC security. Two adapters are provided by Oracle (Kerberos Authentication Adapter, CyberSAFE Challenger Authentication Adapter)

Token cards

Provide one-time passwords (SecurID)

Ease of use for users (need to remember PIN instead of multiple passwords)

ANO supports Security Dynamics' SecurID card.

SecurID

Factor one is PIN (something that user knows)

Factor two is the SecurID card (something that the user possesses)

The single-use access code changes automatically every 60 seconds, and no two cards ever display the same number at the same time.

Step 1: User enters username and PIN code, or a challenge response from the server

Step 2: Oracle verifies the token card details with the Authentication Server

Step 3: Authentication Server authenticates the user and the Oracle server allows login

 

Biometric authentication

Provide centralized management of biometrically identified users and of database servers that authenticate them.

ANO provides support for Oracle Biometric Authentication Adapter

Oracle supports Identix Touchsafe II Biometric device.

Step 1: User's fingerprint is scanned

Step 2: Oracle verifies the fingerprint with the authentication server

Step 3: Authentication server authenticates the user and Oracle allows login

 

AUDITING:

Auditing is the monitoring and recording of selected user database actions.

Some events are audited by default:

startup, shutdown, and connections with DBA privileges.

There are 3 basic types:

statement auditing

The selective auditing of SQL statements with respect to only the type of statement, not the specific schema objects on which it operates. Broad.

privilege auditing

The selective auditing of the use of system privileges to perform corresponding actions, such as AUDIT CREATE TABLE. More focused.

schema object auditing

The selective auditing of specific statements on a particular schema object, such as AUDIT SELECT ON EMP. Focused on particular statement and object.

The database audit trail is a single table named SYS.AUD$. Some of the predefined views are:

AUDIT_ACTIONS

DBA_STMT_AUDIT_OPTS

DBA_PRIV_AUDIT_OPTS

DBA_OBJ_AUDIT_OPTS

DBA_AUDIT_TRAIL

DBA_AUDIT_OBJECT

DBA_AUDIT_SESSION

DBA_AUDIT_STATEMENT

DBA_AUDIT_EXISTS

Audit trail views are created automatically when you run the script CATALOG.SQL. The USER views are created by the CATAUDIT.SQL script.

Auditing is enabled and disabled by the AUDIT/NOAUDIT statements (which specify the auditing options: BY SESSION/BY ACCESS, WHENEVER SUCCESSFUL/WHENEVER NOT SUCCESSFUL).

Auditing is turned on and off by the parameter AUDIT_TRAIL (DB, OS, NONE), and you can specify AUDIT_FILE_DEST (where the audit file is stored) in the parameter file.

Audit files must be purged.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, June 18, 2001 2:55 AM
To: [EMAIL PROTECTED]
Subject: about Oracle Security [question]

Hi, Everyone.
 
Is there anybody who knows about Oracle security and IT audit point for Oracle DB ?
Please help me. ^^
 
Have a nice day and good luck !!

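The ANO encryption and checksumming described in the reply above is switched on through sqlnet.ora on the database server. The two fragments below are an added example, not text from the reply or from Oracle's documentation: one shows the weak configuration a practitioner should look for in an audit, the other the stronger one using the same parameter names and the ANO algorithm names for the key lengths the reply lists. The seed string is a placeholder. These are the algorithms the 8.0.3-era ANO offered; the fragments illustrate the negotiation settings, and none of RC4, DES or MD5 is an acceptable choice on a current system.

```ini
# sqlnet.ora on the database server (added example, not from the reply).
# The same parameters exist with _CLIENT in place of _SERVER on the client.
# Use ONE of the two fragments; duplicate parameters in one file are not valid.

# --- Fragment A: weak. Encryption is only used if the client asks for it, 40-bit
#     keys are on offer, and checksumming is refused. A client without ANO, or a
#     peer that downgrades the negotiation, gets a plaintext or RC4_40/DES40
#     session with no integrity protection.
SQLNET.ENCRYPTION_SERVER = ACCEPTED
SQLNET.ENCRYPTION_TYPES_SERVER = (RC4_40, DES40, RC4_56, DES, RC4_128)
SQLNET.CRYPTO_CHECKSUM_SERVER = REJECTED

# --- Fragment B: stronger. Any connection that does not negotiate both
#     encryption and a checksum is refused, and only the longest key lengths the
#     reply lists (RC4 128-bit and DES 56-bit) are offered.
SQLNET.ENCRYPTION_SERVER = REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER = (RC4_128, DES)
SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (MD5)
# Seeds session-key generation: 10 to 70 random characters, not this placeholder.
SQLNET.CRYPTO_SEED = "replace-with-10-to-70-random-characters"
```

With REQUIRED on the server, clients that lack ANO or offer only algorithms outside the server list fail to connect rather than falling back to plaintext; that is the intended behaviour, so roll Fragment B out after the client sqlnet.ora files have been updated.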
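The auditing section of the reply above lists the three kinds of auditing, the AUDIT/NOAUDIT options, the predefined views and the need to purge the trail. As an added worked example (not code from the reply or from Oracle's documentation), the following Oracle SQL puts those pieces together in one sequence. It assumes the parameter file already contains AUDIT_TRAIL = DB and the instance has been restarted; the SCOTT.EMP table, the AUDIT_ARCHIVE table name and the 90-day retention period are assumptions for illustration.

```sql
-- Worked example (added; not from the original reply). Assumes AUDIT_TRAIL = DB
-- is set in the parameter file and the instance restarted. SCOTT.EMP,
-- AUDIT_ARCHIVE and the 90-day retention are assumptions.

-- 1. Statement auditing (broad): record failed connection attempts only.
--    Each failed logon becomes one row with the ORA- error number in RETURNCODE.
AUDIT SESSION WHENEVER NOT SUCCESSFUL;

-- 2. Privilege auditing (more focused): every use of the CREATE TABLE system
--    privilege, one row per statement (BY ACCESS) rather than one per session.
AUDIT CREATE TABLE BY ACCESS;

-- 3. Schema object auditing (most focused): one table. Successful reads are
--    collapsed to one row per session; writes are recorded per statement,
--    whether they succeed or fail.
AUDIT SELECT ON scott.emp BY SESSION WHENEVER SUCCESSFUL;
AUDIT INSERT, UPDATE, DELETE ON scott.emp BY ACCESS;

-- Confirm what is actually switched on. In DBA_OBJ_AUDIT_OPTS each option
-- column reads "<success>/<failure>" with S = by session, A = by access,
-- - = not audited; after the statements above SEL is 'S/-' and UPD is 'A/A'.
SELECT audit_option, success, failure FROM dba_stmt_audit_opts;
SELECT privilege,    success, failure FROM dba_priv_audit_opts;
SELECT object_name, sel, ins, upd, del
  FROM dba_obj_audit_opts
 WHERE owner = 'SCOTT';

-- Review: failed logons by OS user, DB user and terminal. RETURNCODE 1017 is
-- ORA-01017 (invalid username/password); a burst of these from one terminal
-- is a password-guessing indicator worth following up.
SELECT os_username, username, terminal, timestamp, returncode
  FROM dba_audit_session
 WHERE returncode <> 0
 ORDER BY timestamp;

-- Review: who touched SCOTT.EMP and with which statement type.
SELECT username, action_name, returncode, timestamp
  FROM dba_audit_object
 WHERE owner = 'SCOTT' AND obj_name = 'EMP'
 ORDER BY timestamp;

-- Switch a single option back off without disturbing the others.
NOAUDIT SELECT ON scott.emp;

-- Purge: SYS.AUD$ grows without bound while AUDIT_TRAIL = DB. Copy the old rows
-- to an archive table first, then delete them; both steps run as SYS.
CREATE TABLE audit_archive AS
  SELECT * FROM sys.aud$ WHERE timestamp# < SYSDATE - 90;
DELETE FROM sys.aud$ WHERE timestamp# < SYSDATE - 90;
COMMIT;
```

The ordering matters for an IT audit: the three DBA_*_AUDIT_OPTS queries show what the database claims to record, and the two DBA_AUDIT_* queries show what it actually recorded, so comparing them catches options that were set and later quietly turned off with NOAUDIT.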