Lesson slides: Proxy Authentication and Database Security Auditing (source file: les__Proxy数据库安全审计课件.ppt)
Using Proxy Authentication

Objectives
After completing this lesson, you should be able to do the following:
- Describe how proxy authentication works
- Manage users authenticated by proxy authentication
- Audit users authenticated by proxy

User Authentication
Identify the user in the following ways:
- Basic authentication:
  - Database user identified by a password
  - Database user identified by the operating system
- Strong authentication
- Enterprise User Security
- Proxy authentication

Security Challenges of Three-Tier Computing
- Identify the real user
- Authenticate the end user to the database
- Restrict the privileges of the middle tier

Identifying the Real User
The database needs the end-user identity for the following security functions:
- Authentication
- Data access control
- Auditing
Application-level security requires that:
- Security must be coded in every application
- Applications must be the only method to access the data
(Figure: User and Abuser -> Application server -> Database. If the application server is the only identity the database sees, it cannot tell the user from the abuser.)

Identifying the Real User (continued)
(Figure only.)

Common Implementations of Authentication
- Pass through: The user is unknown to the application.
- One big application user: The user is unknown to the database.
- Other methods:
  - The user is reauthenticated to the database.
  - The user is identified to the database.
  - The user is proxied.
(Figure: User -> Application server -> Database)

User Reauthentication
Types of authentication in three-tier systems:
- Middle tier-to-database authentication
- Client-to-middle tier authentication
- Client reauthentication through the middle tier to the database:
  - Does the end user need to log in multiple times?
  - Can the end user's database account information be stored in the application?
  - Can the user be authenticated by using Lightweight Directory Access Protocol (LDAP)?
  - Point-to-point protocols, such as Secure Sockets Layer (SSL), can authenticate to only one node.
- Single authentication

Restricting the Privileges of the Middle Tier
Middle tier with high privileges:
- Connects with one database user for all application users
- Has all privileges for all application users for all connections
- Does not identify the end user to the database
Middle tier with limited privileges:
- Adjusts privileges by user identity
- May identify the user to the database

Implementing Proxy Authentication Solutions
Proxy authentication solutions depend on the type of end user:
- Known to the database:
  - Database user and enterprise user
  - Possible to reauthenticate to the database
  - Auditing actions taken on behalf of the real user
- Unknown to the database:
  - End user known only to the application
  - Support for application-user models
  - Limiting the privilege of the middle tier

Authenticating Database and Enterprise Users
Use Oracle Call Interface (OCI) or Java Database Connectivity (JDBC).
The authentication process includes the following steps:
1. The client authenticates to the middle tier.
2. The middle tier authenticates to the database.
3. The middle tier creates the end user's session.
4. The database verifies that the middle tier can:
   - Create the session for the user
   - Assign the roles assigned to the user
Database users can be:
- Authenticated to the application server
- Reauthenticated to the database

Using Proxy Authentication for Database Users
Authenticate the user without a database password (the proxy presents only its own credentials):

    ALTER USER phall GRANT CONNECT THROUGH APPSVR;

Authenticate the user with a database password (the proxy must also present PHALL's password when it opens the session):

    ALTER USER phall GRANT CONNECT THROUGH APPSVR AUTHENTICATION REQUIRED;

The pre-11g spelling of the second form is AUTHENTICATED USING PASSWORD; check the ALTER USER reference for your release.

Using Proxy Authentication for Enterprise Users
Authenticate the user with a distinguished name:

    ALTER USER phall GRANT CONNECT THROUGH APPSVR AUTHENTICATED USING DISTINGUISHED NAME;

Authenticate the user with a certificate:

    ALTER USER phall GRANT CONNECT THROUGH APPSVR AUTHENTICATED USING CERTIFICATE TYPE 'X.509' VERSION '3';

Proxy Access Through SQL*Plus
The SQL*Plus syntax is CONNECT proxy[client]/proxy_password: the account whose password is typed is the one outside the square brackets, and the session is opened as the user inside them. (The brackets were lost in the slide extraction.)
Proxy access through SQL*Plus when:
- The user is known to the database (APPSVR is the middle-tier account, PHALL the database user):

      CONNECT APPSVR[PHALL]/appsvr_pwd

- The user is unknown to the database (Enterprise User Proxy: rajeev is a directory user who assumes the database user APPSVR):

      CONNECT rajeev[APPSVR]/rajeev_pwd

Enterprise User Proxy
- Use enterprise users with current applications.
- Let the directory authenticate the users.
- Connect as a database user.

    CONNECT george[APPSVR]/george_pwd

(Figure: george -> george[APPSVR] -> APPSVR)

Enterprise User Proxy: Example

    CONNECT RAJEEV[PARTS_GUEST]/pwd
    CONNECT JIM[PARTS_GUEST]/pwd

(Figure: Rajeev and Jim, both authenticated by the directory, connect to PARTS_DB through the shared database user PARTS_GUEST.)

Revoking Proxy Authentication
Revoke proxy authentication through a middle tier. Do not use the AUTHENTICATED USING or AUTHENTICATION REQUIRED clause with REVOKE:

    ALTER USER phall REVOKE CONNECT THROUGH APPSVR;

Application-User Model
- Use OCI, thin JDBC, or thick JDBC.
- The end-user identity is set by the middle tier, not verified by the database.
The authentication process is as follows:
1. The middle tier authenticates to the database.
2. The end user authenticates to the middle tier.
3. The middle tier allocates a session to the user, identifying the user with CLIENT_IDENTIFIER.
4. Optionally, the middle tier can enable roles to restrict the privileges of the user.
Examples of end-user credentials: a certificate; an application username and password.

Data Dictionary Views for Proxy Authentication
- DBA_PROXIES: All proxy connections
- USER_PROXIES: Connections that the current user is allowed to proxy
- PROXY_USERS: Users who can assume the identity of other users
- V$SESSION_CONNECT_INFO: Network connections for all current sessions
- V$SESSION: Session-connect details; the PROGRAM column shows "proxy-user" and the MODULE column shows "proxy-user"

Data Dictionary Views: DBA_PROXIES and USER_PROXIES

    SQL> SELECT proxy, client, authentication,
      2         authorization_constraint
      3    FROM dba_proxies;

    PROXY    CLIENT   AUTH  AUTHORIZATION_CONSTRAINT
    -------- -------- ----- ------------------------------------
    HRUSER   PHALL    NO    PROXY MAY ACTIVATE ROLE
    APPSVR   PHALL    NO    NO CLIENT ROLES MAY BE ACTIVATED
    HRUSER   PFAY     YES   PROXY MAY ACTIVATE ALL CLIENT ROLES

AUTH (AUTHENTICATION) is YES when the proxy must present the client's credentials; AUTHORIZATION_CONSTRAINT shows which of the client's roles the proxy session may activate.

Data Dictionary Views: V$SESSION_CONNECT_INFO

    SQL> SELECT sid, authentication_type,
      2         osuser, network_service_banner
      3    FROM v$session_connect_info
      4   WHERE sid = 148;

    SID  AUTHENTICA  OSUSER  NETWORK_SERVICE_BANNER
    ---- ----------- ------- ------------------------------------------------------------------------------
    148  DATABASE    oracle  TCP/IP NT Protocol Adapter for Linux: Version 11.1.0.6.0 - Production
    148  DATABASE    oracle  Oracle Advanced Security: encryption service for Linux: Version 11.1.0.6.0 - Production
    148  DATABASE    oracle  Oracle Advanced Security: crypto-checksumming service for Linux: Version 11.1.0.6.0 - Production

Auditing Actions Taken on Behalf of the Real User
Audit SELECTs that HRAPPSERVER initiates for PHALL:

    AUDIT SELECT TABLE BY hrappserver ON BEHALF OF phall;

Audit SELECTs that HRAPPSERVER initiates for any user:

    AUDIT SELECT TABLE BY hrappserver ON BEHALF OF ANY;

Notes:
- SELECT TABLE is a statement-audit shortcut: it audits SELECT on every table, not only EMPLOYEES. The BY proxy ON BEHALF OF clause belongs to statement auditing and cannot be combined with an ON object clause, so the original slide's "AUDIT SELECT TABLE ON employees ..." form is not valid syntax; to audit one object use AUDIT SELECT ON hr.employees, which cannot be restricted to a particular proxy.
- These statements audit only SELECTs initiated by HRAPPSERVER; PHALL's direct connections are not covered.
- You cannot audit CONNECT ON BEHALF OF DN.

Data Dictionary Views: DBA_STMT_AUDIT_OPTS
DBA_STMT_AUDIT_OPTS describes the current system auditing options.
- USER_NAME column:
  - ANY CLIENT: Auditing access by a proxy on behalf of any client
  - NULL: Systemwide auditing
- PROXY_NAME column:
  - The name of the proxy user performing an operation for the client
  - NULL if the client is performing the operation directly

Data Dictionary Views: DBA_AUDIT_TRAIL
These views list audit-trail entries:
- DBA_AUDIT_TRAIL
- USER_AUDIT_TRAIL
The COMMENT_TEXT column can indicate how the user has been authenticated:
- DATABASE: Authentication done by the password
- NETWORK: Authentication done by Oracle Net Services or Oracle Advanced Security
- PROXY: Authentication by another user
- EXTERNAL NAME: The distinguished name (DN) of the Enterprise User Security (EUS) user

Practice 9 Overview: Implementing Proxy Authentication
This practice covers the following topics:
- Implementing and testing database proxy authentication
- Implementing EUS proxy

Summary
In this lesson, you should have learned how to:
- Describe how proxy authentication works
- Manage users authenticated by proxy authentication
- Audit users authenticated by proxy
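Worked example: least-privilege proxy authentication for a database user

The script below is an added worked example, not part of the original slides, that joins the GRANT CONNECT THROUGH, SQL*Plus proxy CONNECT, DBA_PROXIES and ON BEHALF OF auditing slides into one end-to-end setup. It assumes the HR sample schema is installed, that it is run from a SQL*Plus session with DBA and AUDIT SYSTEM privileges and AUDIT_TRAIL=DB, and that the users APPSVR and PHALL (names from the slides) and the role HR_READ (a name chosen here) do not yet exist. The passwords are placeholders.

```sql
-- Added worked example (not from the original slides). Assumptions: HR sample
-- schema present; run as a DBA with AUDIT SYSTEM; AUDIT_TRAIL=DB; APPSVR, PHALL
-- and the role HR_READ (HR_READ is a name chosen for this example) do not exist.

-- 1. The middle-tier account holds no data privileges of its own. If its
--    password leaks, the attacker gets only what the proxy grants allow.
CREATE USER appsvr IDENTIFIED BY "AppSvr_placeholder_1";
GRANT CREATE SESSION TO appsvr;

-- 2. The real user and the role that carries the data privileges.
CREATE ROLE hr_read;
GRANT SELECT ON hr.employees TO hr_read;
CREATE USER phall IDENTIFIED BY "Phall_placeholder_1";
GRANT CREATE SESSION, hr_read TO phall;

-- 3. Let APPSVR open sessions as PHALL, but activate only HR_READ. Without
--    WITH ROLE the proxy session gets all of PHALL's default roles
--    (DBA_PROXIES: 'PROXY MAY ACTIVATE ALL CLIENT ROLES'); WITH NO ROLES
--    gives it none ('NO CLIENT ROLES MAY BE ACTIVATED').
ALTER USER phall GRANT CONNECT THROUGH appsvr WITH ROLE hr_read;

-- 4. Audit every SELECT that APPSVR runs on PHALL's behalf (statement audit:
--    all tables, not one object), then confirm the option was recorded.
AUDIT SELECT TABLE BY appsvr ON BEHALF OF phall;

SELECT proxy, client, authentication, authorization_constraint
  FROM dba_proxies
 WHERE client = 'PHALL';
-- expected: APPSVR  PHALL  NO  PROXY MAY ACTIVATE ROLE

SELECT audit_option, user_name, proxy_name, success, failure
  FROM dba_stmt_audit_opts
 WHERE proxy_name = 'APPSVR';

-- 5. Connect through the proxy: proxy[client]/proxy_password. Only APPSVR's
--    password is typed; the middle tier never handles PHALL's.
CONNECT appsvr[phall]/"AppSvr_placeholder_1"

-- 6. The database knows both identities. SESSION_USER is the real user
--    (PHALL, the one that auditing and access control see); PROXY_USER is
--    the middle tier (APPSVR). SESSION_ROLES lists only HR_READ.
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER') AS session_user,
       SYS_CONTEXT('USERENV', 'PROXY_USER')   AS proxy_user
  FROM dual;
SELECT role FROM session_roles;

-- 7. This SELECT succeeds through HR_READ and produces an audit record.
SELECT COUNT(*) FROM hr.employees;

-- 8. Back as the DBA: the audit row names PHALL as the user and carries the
--    proxy session's id, which distinguishes it from a direct login by PHALL.
CONNECT / AS SYSDBA
SELECT username, proxy_sessionid, action_name, obj_name, comment_text
  FROM dba_audit_trail
 WHERE username = 'PHALL'
   AND proxy_sessionid IS NOT NULL
 ORDER BY timestamp DESC;

-- 9. Clean-up, using the REVOKE form shown on the slides (no AUTHENTICATED
--    USING or AUTHENTICATION REQUIRED clause).
NOAUDIT SELECT TABLE BY appsvr ON BEHALF OF phall;
ALTER USER phall REVOKE CONNECT THROUGH appsvr;
```

Two checks worth keeping in a review: the DBA_PROXIES query in step 4 is the fastest way to find proxy grants that activate all client roles, which is usually broader than a middle tier needs; and a filter of PROXY_SESSIONID IS NOT NULL on DBA_AUDIT_TRAIL (step 8) separates actions the middle tier took on a user's behalf from actions the user took directly. The Enterprise User Proxy case on the slides (RAJEEV[PARTS_GUEST], JIM[PARTS_GUEST]) is enabled on the database side with ALTER USER parts_guest GRANT CONNECT THROUGH ENTERPRISE USERS and needs a configured directory, so it is not exercised here.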
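Worked example: the application-user model with CLIENT_IDENTIFIER

The script below is an added worked example, not part of the original slides, for the Application-User Model slide: the middle tier connects as one database user and tags each pooled session with the end user's name through CLIENT_IDENTIFIER, and the database uses that tag for row-level access control and auditing. It assumes Enterprise Edition (for Virtual Private Database), a schema APP owning a table APP.ORDERS with columns ORDER_ID and OWNER_NAME, and an existing user APPSVR with CREATE SESSION and SELECT on APP.ORDERS; all of these names except APPSVR are chosen for this example. Steps 1 and 2 and the final query run as a DBA, steps 3 to 5 run as APPSVR.

```sql
-- Added worked example (not from the original slides). Assumptions: Enterprise
-- Edition; APP.ORDERS(order_id, owner_name) exists; APPSVR has CREATE SESSION
-- and SELECT ON app.orders; AUDIT_TRAIL=DB. All names except APPSVR are chosen
-- for this example.

-- 1. DBA: a VPD policy function keyed on the session's CLIENT_IDENTIFIER.
--    A session with no identifier gets '1=0' and therefore sees no rows;
--    failing closed matters because every pooled session starts untagged.
CREATE OR REPLACE FUNCTION app.orders_by_client (
    p_schema IN VARCHAR2,
    p_object IN VARCHAR2
) RETURN VARCHAR2 AS
BEGIN
    IF SYS_CONTEXT('USERENV', 'CLIENT_IDENTIFIER') IS NULL THEN
        RETURN '1=0';
    END IF;
    RETURN 'owner_name = SYS_CONTEXT(''USERENV'', ''CLIENT_IDENTIFIER'')';
END;
/

BEGIN
    DBMS_RLS.ADD_POLICY(
        object_schema   => 'APP',
        object_name     => 'ORDERS',
        policy_name     => 'ORDERS_BY_CLIENT',
        function_schema => 'APP',
        policy_function => 'ORDERS_BY_CLIENT',
        statement_types => 'SELECT,UPDATE,DELETE');
END;
/

-- 2. DBA: audit the shared account. DBA_AUDIT_TRAIL.CLIENT_ID then records
--    which end user the middle tier claimed to be acting for.
AUDIT SELECT TABLE BY appsvr BY ACCESS;

-- 3. Middle tier, connected as APPSVR, after it has authenticated 'rajeev'
--    itself: tag the pooled session with his identity.
BEGIN
    DBMS_SESSION.SET_IDENTIFIER('rajeev');
END;
/

-- The database user is still APPSVR; 'rajeev' is an assertion by the
-- application, not an identity the database verified.
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER')      AS session_user,
       SYS_CONTEXT('USERENV', 'CLIENT_IDENTIFIER') AS client_identifier
  FROM dual;

-- 4. The policy now restricts the shared account to rajeev's rows.
SELECT order_id, owner_name FROM app.orders;

-- 5. Clear the tag before the connection goes back to the pool. A stale
--    identifier would let the next request run as the previous user.
BEGIN
    DBMS_SESSION.CLEAR_IDENTIFIER;
END;
/

-- DBA: the audit rows show USERNAME = APPSVR with CLIENT_ID = rajeev, which
-- is the only link between the shared account and the real user.
SELECT username, client_id, action_name, obj_name, timestamp
  FROM dba_audit_trail
 WHERE username = 'APPSVR'
 ORDER BY timestamp DESC;
```

The contrast with proxy authentication is the trust boundary: in a proxy session SESSION_USER is a user the database authenticated, whereas CLIENT_IDENTIFIER is whatever the middle tier sets, so anyone who can run SQL as APPSVR (a compromised application server, or a developer with its password) can set the identifier to any user and read that user's rows. The model therefore only limits the middle tier's privileges as far as the shared account's own grants do; it does not identify the end user to the database in a way the database can verify.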