les__Proxy数据库安全审计课件.ppt

《les__Proxy数据库安全审计课件.ppt》由会员分享，可在线阅读，更多相关《les__Proxy数据库安全审计课件.ppt（36页珍藏版）》请在三一办公上搜索。

1、Using Proxy Authentication,Using Proxy Authentication,Objectives,After completing this lesson, you should be able to do the following:Describe how proxy authentication worksManage users authenticated by proxy authenticationAudit users authenticated by proxy,ObjectivesAfter completing thi,User Authen

2、tication,Identify the user in the following ways:Basic authenticationDatabase user identified by a passwordDatabase user identified by the operating systemStrong authenticationEnterprise User SecurityProxy authentication,User Authentication Identify t,Security Challenges ofThree-Tier Computing,Ident

3、ify the real userAuthenticate the end user to the database Restrict the privileges of the middle tier,Security Challenges ofThree-T,Identifying the Real User,The database needs the end-user identity for the following security functions:AuthenticationData access controlAuditingApplication-level secur

4、ity requires that:Security must be coded in every applicationApplications must be the only method to access the data,Application server,Database,User,Abuser,Identifying the Real UserThe d,Identifying the Real User (continued),Identifying the Real User (con,Common Implementations of Authentication,Pa

5、ss through: The user is unknown to the application. One big-application user: The user is unknown to the database. Other methods: The user is reauthenticated to the database.The user is identified to the database.The user is proxied.,Application server,Database,User,Common Implementations of Aut,les

6、_Proxy数据库安全审计课件,User Reauthentication,Types of authentication in three-tier systems:Middle tier-to-database authenticationClient-to-middle tier authenticationClient reauthentication through the middle tier to the database:Does the end user need to log in multiple times?Can the end users database acc

7、ount information be stored in the application?Can the user be authenticated by using Lightweight Directory Access Protocol (LDAP)?Point-to-point protocols, such as secure sockets layer (SSL), can authenticate to only one node.Single authentication,User ReauthenticationTypes of,les_Proxy数据库安全审计课件,Res

8、tricting the Privileges of the Middle Tier,Middle tier with high privileges:Connects with one database user for all application usersHas all privileges for all application users for all connectionsDoes not identify the end user to the database.Middle tier with limited privileges:Adjusts privileges b

9、y user identityMay identify user to database,Restricting the Privileges of,Implementing Proxy Authentication Solutions,Proxy authentication solutions depend on the type of the end user:Known to the database:Database user and enterprise userPossible to reauthenticate to the databaseAuditing actions t

10、aken on behalf of the real userUnknown to the database:End user known only to the applicationSupport for application-user modelsLimiting the privilege of the middle tier,Implementing Proxy Authenticat,les_Proxy数据库安全审计课件,Authenticating Database andEnterprise Users,Use Oracle Call Interface (OCI) or J

11、ava Database Connectivity (JDBC).The authentication process includes the following steps:The client authenticates to the middle tier.The middle tier authenticates to the database.The middle tier creates the end users session.The database verifies that the middle tier can:Create the session for the u

12、serAssign the roles assigned to the userDatabase users can be:Authenticated to the application serverReauthenticated to the database,Authenticating Database andEn,les_Proxy数据库安全审计课件,Using Proxy Authenticationfor Database Users,Authenticate the user without a database password:Authenticate the user w

13、ith a database password:,ALTER USER phallGRANT CONNECTTHROUGH APPSVR;,ALTER USER phallGRANT CONNECTTHROUGH APPSVRAUTHENTICATION REQUIRED PASSWORD;,Using Proxy Authenticationfor,les_Proxy数据库安全审计课件,Using Proxy Authentication for Enterprise Users,Authenticate the user with a distinguished name:Authenti

14、cate the user with a certificate:,ALTER USER phall GRANT CONNECTTHROUGH APPSVR AUTHENTICATED USING DISTINGUISHED NAME;,ALTER USER phallGRANT CONNECTTHROUGH APPSVRAUTHENTICATED USING CERTIFICATETYPE X.509 VERSION 3;,Using Proxy Authentication fo,les_Proxy数据库安全审计课件,Proxy Access Through SQL*Plus,Proxy

15、access through SQL*Plus when:User is known to the database User is unknown to the database (Enterprise User Proxy),CONNECT rajeevAPPSVR/rajeev_pwd,CONNECT APPSVRPHALL/appsvr_pwd,Proxy Access Through SQL*PlusP,Enterprise User Proxy,Use enterprise users with current applications.Let the directory auth

16、enticate the users.Connect as a database user.,CONNECT georgeAPPSVR/george_pwd,george,georgeAPPSVR,APPSVR,Enterprise User ProxyUse enter,Enterprise User Proxy: Example,CONNECT RAJEEVPARTS_GUEST/pwd,CONNECT JIMPARTS_GUEST/pwd,Rajeev,Jim,PARTS_DB,Enterprise User Proxy: Example,les_Proxy数据库安全审计课件,Revok

17、ing Proxy Authentication,Revoke proxy authentication through a middle tier:Do not use the AUTHENTICATED USING or AUTHENTICATION REQUIRED clause with REVOKE.,ALTER USER phall REVOKE CONNECT THROUGH APPSVR;,Revoking Proxy AuthenticationR,Application-User Model,Use the OCI, thin JDBC, or thick JDBC.End

18、-user identity is set by the middle tier.The authentication process is as follows: The middle tier authenticates to the database.The end user authenticates to the middle tier.The middle tier allocates a session to the user, identifying the user with client_identifier.Optionally, the middle tier can

19、enable roles to restrict the privileges of the user.Examples:CertificateApplication username and password,Application-User ModelUse the,les_Proxy数据库安全审计课件,Data Dictionary Views forProxy Authentication,DBA_PROXIES: All proxy connectionsUSER_PROXIES: Connections that the current user is allowed to pro

20、xyPROXY_USERS: Users who can assume the identity of other usersV$SESSION_CONNECT_INFO: Network connections for all current sessionsV$SESSION: Session-connect details: The PROGRAM column shows “proxy-user”The MODULE column shows “proxy-user”,Data Dictionary Views forProx,Data Dictionary Views: DBA_PR

21、OXIES and USER_PROXIES,SQL SELECT proxy, client, authentication, 2 authorization_constraint 3 FROM dba_proxiesPROXY CLIENT AUTH AUTHORIZATION_CONSTRAINT- - - -HRUSER PHALL NO PROXY MAY ACTIVATE ROLEAPPSVR PHALL NO NO CLIENT ROLES MAY BE ACTIVATEDHRUSER PFAY YES PROXY MAY ACTIVATE ALL CLIENT ROLES,Da

22、ta Dictionary Views: DBA_PR,Data Dictionary Views: V$SESSION_CONNECT_INFO,SQL select SID, AUTHENTICATION_TYPE, 2 OSUSER, NETWORK_SERVICE_BANNER 3 from v$session_connect_info where SID = 148; SID AUTHENTICA OSUSER NETWORK_SERVICE_BANNER- - - - 148 DATABASE oracle TCP/IP NT Protocol Adapter for Linux:

23、 Version 11.1.0.6.0 - Production 148 DATABASE oracle Oracle Advanced Security: encryption service for Linux: Version 11.1.0.6.0 - Production 148 DATABASE oracle Oracle Advanced Security: crypto-checksumming service for Linux: Version 11.1.0.6.0 - Production,Data Dictionary Views: V$SESSI,Auditing Ac

24、tions Taken on Behalfof the Real User,Audit SELECTs on the EMPLOYEES table that HRAPPSERVER initiates for PHALL as follows:Audit SELECTs on the EMPLOYEES table that HRAPPSERVER initiates for any user as follows:The statements in this slide audit only SELECTs initiated by HRAPPSERVER.You cannot audit

25、 CONNECT ON BEHALF OF DN.,AUDIT SELECT TABLE ON employees BY hrappserver ON BEHALF OF phall;,AUDIT SELECT TABLE ON employees BY hrappserver ON BEHALF OF ANY;,Auditing Actions Taken on Beha,les_Proxy数据库安全审计课件,Data Dictionary Views: DBA_STMT_AUDIT_OPTS,DBA_STMT_AUDIT_OPTS describes the current system

26、auditing options.USER_NAME column:ANY CLIENT: Auditing access by a proxyNULL: Systemwide auditingPROXY_NAME column:The name of the proxy user performing an operation for the clientNULL if the client is performing the operation directly,Data Dictionary Views: DBA_STM,Data Dictionary Views: DBA_AUDIT_

27、TRAIL,These views list audit-trail entries:DBA_AUDIT_TRAILUSER_AUDIT_TRAILThe COMMENT_TEXT column can indicate how the user has been authenticated:DATABASE: Authentication done by the passwordNETWORK: Authentication done by Oracle Net Services or Oracle Advanced SecurityPROXY: Authentication by anot

28、her userEXTERNAL NAME: The distinguished name (DN) of the Enterprise User Security (EUS) user,Data Dictionary Views: DBA_AUD,Practice 9 Overview: Implementing Proxy Authentication,This practice covers the following topics:Implementing and testing database proxy authenticationImplementing EUS proxy,Practice 9 Overview: Implemen,Summary,In this lesson, you should have learned how to:Describe how proxy authentication worksManage users authenticated by proxy authenticationAudit users authenticated by proxy,SummaryIn this lesson, you sho,les_Proxy数据库安全审计课件,