Title:
Oracle security handbook
Publication Information:
New York : McGraw-Hill /Osborne, 2001
ISBN:
9780072133257
Availability:
Library | Item Barcode | Call Number | Material Type | Item Category 1 | Status |
---|---|---|---|---|---|
| 30000010019322 | QA76.9.D314 T43 2001 | Open Access Book | Book | |
On Order
Summary
This text teaches readers the why and how of implementing security plans in an Oracle environment. It proceeds logically through the necessary steps: understanding Oracle's security architecture and implementing a plan; securing and interacting with the operating systems (Windows NT/2000, UNIX, and Linux); securing the database, with concrete examples; securing the network, with coverage of Web site and Oracle Portal security; and protecting against hackers, auditing, and troubleshooting. Supplemental material includes a glossary of terms, security risk assessment checklists, a hands-on tutorial on securing a server, and the new security features of Oracle9i.
Table of Contents
Section | Page |
---|---|
Acknowledgments | p. xv |
Preface | p. xix |
Part I Beginnings | |
1 Security Architecture | p. 3 |
The Evolution of Security | p. 4 |
Enter the Computer | p. 5 |
Know Your Threats | p. 8 |
Threats from Within | p. 9 |
External Threats | p. 12 |
Where Security Holes Come From | p. 15 |
Determining Who Can Do What | p. 18 |
Authentication | p. 18 |
Authorization | p. 26 |
System Integrity | p. 27 |
A Look at Different Authentication Models | p. 28 |
2 Oracle Security Implementation | p. 33 |
Oracle Security Background | p. 36 |
About Backups | p. 38 |
Moving Toward More Robust Security | p. 40 |
Version 6 and New Security Approaches | p. 45 |
Along Came Oracle7 | p. 48 |
Introduction of Oracle8 | p. 55 |
Oracle8i and the Internet | p. 60 |
A Look at Oracle8i Advanced Security Features | p. 62 |
3 Planning Your Security | p. 71 |
Defining Your Security Plan | p. 72 |
The Security Trade-Off | p. 74 |
The Role of a Security Plan | p. 75 |
Global vs. Local Policies | p. 77 |
Assigning Responsibility | p. 79 |
Procedures | p. 81 |
Measuring Risk | p. 92 |
How Vulnerable Are You? | p. 92 |
Valuing Assets | p. 95 |
Alternate Solutions | p. 96 |
Database Life Stages | p. 97 |
Legacy Systems | p. 97 |
New Systems | p. 99 |
Evaluating Database Software Packages | p. 100 |
Part II Securing the Operating System | |
4 Database Security on Unix Operating Systems | p. 105 |
Why We Need an Operating System | p. 106 |
Types of Operating Systems | p. 107 |
Securing Unix | p. 110 |
Basic Unix Security Features | p. 110 |
Locking Down the Operating System | p. 119 |
Securing Oracle on Unix | p. 123 |
How the Oracle Database Runs | p. 123 |
Installing Oracle on Unix | p. 124 |
Using a Secure Temporary Directory | p. 133 |
Security of Raw Devices | p. 134 |
Oracle Files with Suid Bit On | p. 135 |
Osdba, Osoper, and Internal | p. 138 |
A Warning About SQL*Plus Usage | p. 140 |
Writing the Audit Trail to the Operating System | p. 140 |
5 Oracle and Windows NT/2000 Security | p. 143 |
Windows NT/2000 Basics | p. 144 |
Examining Windows NT Security Issues | p. 145 |
Overview of Windows NT with Oracle | p. 163 |
How Windows NT Works | p. 163 |
Processes vs. Threads | p. 166 |
Viewing the Oracle Threads | p. 168 |
Oracle and the Windows Registry | p. 171 |
Protecting Oracle on Your Windows NT/2000 System | p. 175 |
Protecting Oracle Software | p. 175 |
6 Operating System Authentication | p. 179 |
Configuring Authentication | p. 181 |
Setting Parameters | p. 181 |
TNS Protocol | p. 183 |
Windows Authentication | p. 186 |
Sending Credentials Across the Network | p. 189 |
Creating a Windows Database User | p. 189 |
Creating a Windows User | p. 192 |
Windows Operating System Roles | p. 199 |
Unix Operating System Authentication | p. 204 |
Creating a Unix Database User | p. 205 |
Part III Securing the Oracle Database | |
7 Passwords and Users | p. 209 |
Oracle Password Management Features | p. 211 |
About Password Enhancements | p. 211 |
Default Oracle Users | p. 220 |
Examining the Default Users | p. 220 |
External and Remote User Identification | p. 232 |
About Orapwd | p. 233 |
8 Privileges, Grants, Roles, and Views | p. 239 |
About Objects and Privileges | p. 240 |
About Users | p. 243 |
Controlling User Access | p. 244 |
About Granting Privileges | p. 251 |
How to Use Roles | p. 254 |
Oracle-Supplied Roles | p. 258 |
About User Default Roles | p. 261 |
Using Views | p. 264 |
Creating Views | p. 265 |
About Triggers | p. 267 |
9 Oracle and Database Links | p. 269 |
Basic Database Link Architecture | p. 271 |
Creating a Database Link | p. 274 |
Security Problem with Database Links | p. 281 |
About Shared Database Links | p. 285 |
More About Global Database Links | p. 286 |
Auditing Database Links | p. 292 |
10 Security and Developer Tools | p. 295 |
Application Security | p. 296 |
Database vs. Application Users | p. 297 |
Building Application Security into the Database | p. 298 |
Application Design Practices | p. 301 |
Oracle Call Interface | p. 305 |
Auditing to Monitor Database Activity | p. 312 |
Virtual Private Database | p. 314 |
Fine-Grained Access Control | p. 315 |
Application Context | p. 316 |
Invoker Rights vs. Definer Rights | p. 319 |
Definer Rights | p. 320 |
Invoker Rights | p. 321 |
PL/SQL Packages | p. 322 |
Dbms_Obfuscation_Toolkit | p. 323 |
Utl_File Package | p. 324 |
Part IV Secure Network Communications | |
11 Network Integrity, Authentication, and Encryption | p. 329 |
Introduction to Oracle Advanced Security Option | p. 330 |
Sniffing and Spoofing | p. 331 |
Hijacking a Connection | p. 334 |
Protecting Data on the Network | p. 334 |
Native Features of OAS | p. 340 |
Configuring Authentication | p. 342 |
Configuring Integrity | p. 344 |
Configuring Encryption | p. 345 |
Secure Sockets Layer Protocol | p. 346 |
Configuring SSL | p. 347 |
Debugging an SSL Connection | p. 355 |
Enterprise User Security | p. 356 |
Recommended Protocols | p. 357 |
12 Oracle Security Options | p. 359 |
Virtual Private Databases | p. 361 |
Creating a VPD | p. 363 |
A Look at Oracle Label Security | p. 373 |
Oracle Internet Directory | p. 376 |
About LDAP Architecture | p. 376 |
Oracle Internet Directory Implementation | p. 382 |
13 Firewalls and Oracle | p. 389 |
How Firewalls Work | p. 390 |
Firewall Approaches | p. 392 |
What a Firewall Does Not Prevent | p. 396 |
Types of Firewalls | p. 396 |
Using Oracle Through a Firewall | p. 397 |
The Problem | p. 399 |
Determining Whether a Connection Problem Is a Firewall | p. 400 |
Firewall Proxies | p. 402 |
Listener Service | p. 404 |
Connection Manager | p. 405 |
Preventing Port Redirection | p. 408 |
14 Apache HTTP Server Security | p. 411 |
About Web Servers | p. 412 |
Web Server Tasks | p. 412 |
Oracle's Apache Implementation | p. 418 |
Apache Installation and Configuration | p. 419 |
Oracle HTTP Configuration File | p. 431 |
Apache Security | p. 432 |
15 Oracle Portal Security Management | p. 435 |
Oracle Portal--From the Beginning | p. 436 |
Oracle Portal Initial Users | p. 437 |
Portal Authentication Management | p. 441 |
User Account Types | p. 442 |
User Management | p. 443 |
Adding Users | p. 443 |
Editing a User | p. 449 |
Self-Service User Maintenance | p. 458 |
Configuring the Login Server | p. 460 |
Password Policy Management | p. 461 |
Authenticating Users | p. 466 |
Object Access Management | p. 472 |
Creating Groups | p. 472 |
Granting Access to Users and Groups | p. 474 |
Granting Public Access to Pages and Applications | p. 483 |
Part V Hackers and Troubleshooting | |
16 Implementing Auditing | p. 487 |
About Auditing | p. 489 |
Auditing Questions to Ask | p. 489 |
Customizing Database Auditing | p. 501 |
A Table Auditing Approach | p. 504 |
Table Audit Scripts | p. 505 |
17 Hacker-Proofing Your Database | p. 517 |
Attackers | p. 519 |
Disgruntled Employees | p. 519 |
Professional Hackers | p. 527 |
Vandals | p. 530 |
Authorized User Gaining Elevated Privileges | p. 531 |
Types of Attacks | p. 532 |
Buffer Overflows | p. 532 |
SQL Injection Attack | p. 534 |
Reporting a Vulnerability | p. 537 |
Independent Security Evaluations | p. 538 |
Tools for Protecting Your Database | p. 539 |
Security Assessment | p. 540 |
Intrusion Detection | p. 540 |
Encryption | p. 541 |
Choosing a Product Strategy | p. 543 |
A Glossary | p. 545 |
B Security Risk Assessment Checklists | p. 555 |
Physical Security of Hardware | p. 556 |
Equipment, Tapes, and Disks | p. 558 |
Operating System and Network Security | p. 559 |
Password and Account Management | p. 561 |
Backup and Recovery | p. 563 |
Legal Issues | p. 565 |
Policies and Procedures | p. 566 |
Oracle-Specific Issues | p. 567 |
Other Security Issues | p. 569 |
C Steps to Secure Your System | p. 571 |
Change Default Passwords | p. 572 |
Enable Password Management Features | p. 573 |
Remove Unnecessary Privileges Granted to Public | p. 574 |
Set Parameters Securely | p. 575 |
Place Your Oracle Database(s) Behind a Firewall | p. 575 |
Set the Listener Password | p. 576 |
Enable SSL for Network Encryption | p. 577 |
Harden the Operating System | p. 578 |
Download and Apply Security Patches | p. 578 |
D System Privileges and Audit Options | p. 579 |
E Oracle9i Security Features | p. 585 |
Data Security | p. 586 |
Secure Application Roles | p. 587 |
Proxy Authentication | p. 587 |
Java Security | p. 588 |
PKI Support | p. 588 |
Oracle Advanced Security Option | p. 589 |
Oracle9i Data Guard | p. 589 |
Fine-grained Auditing | p. 590 |
Oracle Net | p. 591 |
Default Accounts and Passwords | p. 592 |
Index | p. 593 |