UKOUG Tech14 Exadata Security slides - Dan Norris (PDF transcript)
Copyright © 2014, Oracle and/or its affiliates. All rights reserved.
Oracle Exadata Security Best Practices
Dan Norris, Maximum Availability Architecture (MAA) Team, Oracle Server Technology Development
December 9, 2014
Program Agenda
1. Preparation for installation
2. Installation, deployment
3. Post-deployment configuration
4. Database creation and configuration
5. Operational security considerations
2
Security Terminology
• Attack surface – the code within a computer system that can be run by unauthorized users
• Port – network term referring to a virtual endpoint
• Service – operating system term referring to a background process or daemon
• CPU – Critical Patch Update, quarterly released security patches for Oracle products
Getting us on the same page
3
Exadata Architecture X4
4
§ Standard Database Servers
– 8x 2-socket servers → 192 cores, 2TB DRAM
or
– 2x 8-socket servers → 160 cores, 4TB DRAM
§ Unified Ultra-Fast Network
– 40 Gb InfiniBand internal connectivity → all ports active
– 10 Gb or 1 Gb Ethernet data center connectivity
§ Scale-out Intelligent Storage Servers
– 14x 2-socket servers → 168 cores in storage
– 168 SAS disk drives → 672 TB HC or 200 TB HP
– 56 Flash PCI cards → 44 TB Flash + compression
Fully Redundant
Preparation for Installation
• Get educated
• Collect security-related requirements from all stakeholders
• Determine whether role-separated installation is required
• Plan network layout
• Subscribe to security alerts - http://is.gd/orasec
• Review MOS note 1068804.1: Guidelines for enhancing the security for an Oracle Database Machine deployment
Security starts early
5
Plan Network Layout
• Client Access is entry point for most accesses
• Management should be restricted
• InfiniBand is private to machine, physical security protects it
Perimeter security for networks
6
Installation and Deployment
• Good news: Exadata includes many security features by default
• Implement the recommended security step during deployment – AKA “Resecure Machine” step
• Start secure, only open what is necessary – “Doing security” later almost never happens (or works)
• Configure ASM audits to use syslog (audit_syslog_level)
• Configure ASM & DB init.ora: audit_sys_operations=true
Implement the available features and security plan
7
Default Security Features
• short package install list
• only necessary services enabled
• https management interface
• sshd secure default settings
• password aging
• maximum failed login attempts
Implement the available features and security plan
8
• auditd monitoring enabled
• cellwall: iptables firewall
• CPUs included in patch bundles, releases synchronized
• system hardening
• boot loader password protection
Resecure Machine Step
• In this step, several security changes are made:
– password complexity requirements are added (dis,dis,16,12,8)
– passwords are expired (forcing reset on next login)
– password aging implemented
– permissions tightened
Implement the available features and security plan
9
Resecure Machine Step
$ ./install.sh -cf maa.xml -l
1. Validate Configuration File
2. Setup Required Files
<skipped some steps>
17. Install Exachk
18. Create Installation Summary
19. Resecure Machine
10
Resecure Machine Step (virtualized deployment)
$ ./install.sh -cf maa.xml -l
1. Validate Configuration File
2. Create Virtual Machine
3. Create Users
<skip many steps>
17. Create Installation Summary
18. Resecure Machine
11
Post-Deployment Configuration
• Change all passwords for all default accounts (MOS 1291766.1)
• Perform validation for local policies or rules
– See MOS 1405320.1 for commonly identified audit findings
• Exadata Security – especially for consolidation environments
Address site-specific requirements
12
Exadata Security (ASM, Griddisks)
Consolidation: sharing without peeking
13
• Privileges on griddisk level
• Restrict griddisks to certain clusters and/or certain database(s)
• Especially effective to manage multiple administrators
• See whitepapers
– Oracle Exadata Database Machine Consolidation: Segregating Databases and Roles - http://is.gd/exaconsolidation
– Best Practices for Database Consolidation On Exadata Database Machine - http://is.gd/orclconswp
Database Creation and Configuration
Implement database-specific features and best practices
14
• Stay current with Exadata bundle patches (888828.1) – Bundle patches include latest CPU patches
• Consider TDE, network encryption, Data Vault, Audit Vault
• Review whitepaper: “Cost Effective Security and Compliance with Oracle Database 11g Release 2” - http://is.gd/seccompliance11gr2
• Take the Enterprise Data Security Assessment at http://is.gd/entsecassessment
Oracle Database Security Defense in Depth
[Figure: Oracle Database Security Defense in Depth, grouped into Preventive, Detective and Administrative controls. Items shown: Masking & Subsetting; DBA Controls & Cyber Security; Encryption & Redaction; Activity Monitoring; Database Firewall; Auditing and Reporting; Privilege & Data Discovery; Configuration Management; Key & Wallet Management (two items marked New).]
15
Operational Security Considerations
Remain security-minded when patching, upgrading, backing up
16
• Changes permitted on DB nodes, not cells
• Backups can be encrypted
• Patching or upgrading may “undo” some changes; verify after
• DB node updates use yum commands with excludes (see doc for excludes)
Operational Security Considerations (continued)
Remain security-minded when patching, upgrading, backing up
17
• Periodic reviews to ensure settings remain and vulnerabilities don’t
• Secure erase for storage cells is available
• Disk drive retention is available
• Oracle Enterprise Manager Governance, Risk & Compliance Manager continuously reviews the system
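The slides ask for audit_sys_operations and audit_syslog_level to be set at deployment, and later warn that patching may undo such changes and that settings should be reviewed periodically. As an added example, not from the slides, the script below compares constructed init.ora and login.defs-style text against those expectations and reports drift; the sample values, file contents and the 90-day aging limit are assumptions for illustration.

```python
# Added example, not from the slides: parse constructed init.ora and
# login.defs-style text and report which of the named settings drifted.
INITORA_AFTER_DEPLOY = """\
*.audit_sys_operations=TRUE
*.audit_syslog_level='LOCAL1.INFO'
*.audit_trail='OS'
"""
INITORA_AFTER_PATCH = """\
*.audit_sys_operations=FALSE
*.audit_trail='OS'
"""
LOGIN_DEFS = """\
PASS_MAX_DAYS   90
"""

def parse_initora(text):
    """Map parameter name to value from name=value lines (prefix and quotes stripped)."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition("=")
        params[name.strip().lstrip("*.").lower()] = value.strip().strip("'\"").upper()
    return params

def parse_login_defs(text):
    """Map NAME to value from whitespace-separated login.defs-style lines."""
    defs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and not parts[0].startswith("#"):
            defs[parts[0]] = parts[1]
    return defs

def audit_findings(initora_text, login_defs_text, max_days=90):
    """Return findings for drifted settings; max_days=90 is an assumed local policy."""
    findings = []
    p = parse_initora(initora_text)
    if p.get("audit_sys_operations") != "TRUE":
        findings.append("audit_sys_operations is not TRUE: SYS actions are not audited")
    if "audit_syslog_level" not in p:
        findings.append("audit_syslog_level unset: audit records stay in local files")
    d = parse_login_defs(login_defs_text)
    if int(d.get("PASS_MAX_DAYS", "99999")) > max_days:
        findings.append(f"PASS_MAX_DAYS exceeds {max_days}: password aging weakened")
    return findings
```

Run it against a parameter dump taken after each patch or upgrade; a non-empty list is the cue to re-apply the post-deployment settings before returning the system to service.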
Operational Security Considerations
Patching considerations
Component | Access Required
Database – Patch set | Database server root, software home owner, passwordless SSH to all software home owners (on other nodes)
Database – Patch set | Database server root, software home owner
Grid Infrastructure | Same as Database
Exadata Database Server (OS) | Database server root
Exadata Storage Server | Database server root, passwordless SSH from database server root to storage server root
InfiniBand Switch | Database server root, InfiniBand switch root
18
Late Breaking Security Issues
MOS Note or URL | Description
1938719.1 | Exadata information on Bash Shellshock vulnerability
1935817.1 | Exadata information on SSLv3 POODLE vulnerability
http://is.gd/orclpoodle | Generic info about POODLE for all Oracle products
http://is.gd/orclshellshock | Generic info about Bash Shellshock for all Oracle products
19
Summary
1. Preparation for installation
2. Installation, deployment
3. Post-deployment configuration
4. Database creation and configuration
5. Operational security considerations
20
References
Note or URL | Description
http://is.gd/orasec | Oracle Security Alerts subscription
1068804.1 | Guidelines for enhancing the security for an Oracle Database Machine deployment
1291766.1 | How to change OS user password for Cell Node, Database Node, ILOM, KVM, Infiniband Switch, GigaBit Ethernet Switch and PDU on Exadata
888828.1 | Database Machine and Exadata Storage Server 11g Release 2 (11.2) Supported Versions
1405320.1 | Responses to common Exadata security scan findings
http://is.gd/exaconsolidation | Oracle Exadata Database Machine Consolidation: Segregating Databases and Roles
http://is.gd/entsecassessment | Enterprise Data Security Assessment
21
Safe Harbor Statement
The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
22