Title:
Oracle security handbook
Personal Author:
Publication Information:
New York : McGraw-Hill /Osborne, 2001
ISBN:
9780072133257
Added Author:
Available:*
Library | Item Barcode | Call Number | Material Type | Item Category 1 | Status |
|---|---|---|---|---|---|
Searching... | 30000010019322 | QA76.9.D314 T43 2001 | Open Access Book | Book | Searching... |
On Order
Summary
Summary
This text teaches readers the why and how of implementing security plans in an Oracle environment. It proceeds logically through the necessary steps, which include: understanding Oracle's security architecture and implementing a plan; securing and interacting with OS's - Windows NT/2000, UNIX, and Linux; securing the database - with concrete examples; securing the network - with coverage of Web site and Oracle Portal security; and protecting against hackers, auditing and troubleshooting. Supplemental information including a glossary of terms, security risk assessment review, a hands-on tutorial to securing a server, and new security features for Oracle9i is also included.
Table of Contents
| Acknowledgments | p. xv |
| Preface | p. xix |
| Part I Beginnings | |
| 1 Security Architecture | p. 3 |
| The Evolution of Security | p. 4 |
| Enter the Computer | p. 5 |
| Know Your Threats | p. 8 |
| Threats from Within | p. 9 |
| External Threats | p. 12 |
| Where Security Holes Come From | p. 15 |
| Determining Who Can Do What | p. 18 |
| Authentication | p. 18 |
| Authorization | p. 26 |
| System Integrity | p. 27 |
| A Look at Different Authentication Models | p. 28 |
| 2 Oracle Security Implementation | p. 33 |
| Oracle Security Background | p. 36 |
| About Backups | p. 38 |
| Moving Toward More Robust Security | p. 40 |
| Version 6 and New Security Approaches | p. 45 |
| Along Came Oracle7 | p. 48 |
| Introduction of Oracle8 | p. 55 |
| Oracle8i and the Internet | p. 60 |
| A Look at Oracle8i Advanced Security Features | p. 62 |
| 3 Planning Your Security | p. 71 |
| Defining Your Security Plan | p. 72 |
| The Security Trade-Off | p. 74 |
| The Role of a Security Plan | p. 75 |
| Global vs. Local Policies | p. 77 |
| Assigning Responsibility | p. 79 |
| Procedures | p. 81 |
| Measuring Risk | p. 92 |
| How Vulnerable Are You? | p. 92 |
| Valuing Assets | p. 95 |
| Alternate Solutions | p. 96 |
| Database Life Stages | p. 97 |
| Legacy Systems | p. 97 |
| New Systems | p. 99 |
| Evaluating Database Software Packages | p. 100 |
| Part II Securing the Operating System | |
| 4 Database Security on Unix Operating Systems | p. 105 |
| Why We Need an Operating System | p. 106 |
| Types of Operating Systems | p. 107 |
| Securing Unix | p. 110 |
| Basic Unix Security Features | p. 110 |
| Locking Down the Operating System | p. 119 |
| Securing Oracle on Unix | p. 123 |
| How the Oracle Database Runs | p. 123 |
| Installing Oracle on Unix | p. 124 |
| Using a Secure Temporary Directory | p. 133 |
| Security of Raw Devices | p. 134 |
| Oracle Files with Suid Bit On | p. 135 |
| Osdba, Osoper, and Internal | p. 138 |
| A Warning About SQL *Plus Usage | p. 140 |
| Writing the Audit Trail to the Operating System | p. 140 |
| 5 Oracle and Windows NT/2000 Security | p. 143 |
| Windows NT/2000 Basics | p. 144 |
| Examining Windows NT Security Issues | p. 145 |
| Overview of Windows NT with Oracle | p. 163 |
| How Windows NT Works | p. 163 |
| Processes vs. Threads | p. 166 |
| Viewing the Oracle Threads | p. 168 |
| Oracle and the Windows Registry | p. 171 |
| Protecting Oracle on Your Windows NT/2000 System | p. 175 |
| Protecting Oracle Software | p. 175 |
| 6 Operating System Authentication | p. 179 |
| Configuring Authentication | p. 181 |
| Setting Parameters | p. 181 |
| TNS Protocol | p. 183 |
| Windows Authentication | p. 186 |
| Sending Credentials Across the Network | p. 189 |
| Creating a Windows Database User | p. 189 |
| Creating a Windows User | p. 192 |
| Windows Operating System Roles | p. 199 |
| Unix Operating System Authentication | p. 204 |
| Creating a Unix Database User | p. 205 |
| Part III Securing the Oracle Database | |
| 7 Passwords and Users | p. 209 |
| Oracle Password Management Features | p. 211 |
| About Password Enhancements | p. 211 |
| Default Oracle Users | p. 220 |
| Examining the Default Users | p. 220 |
| External and Remote User Identification | p. 232 |
| About Orapwd | p. 233 |
| 8 Privileges, Grants, Roles, and Views | p. 239 |
| About Objects and Privileges | p. 240 |
| About Users | p. 243 |
| Controlling User Access | p. 244 |
| About Granting Privileges | p. 251 |
| How to Use Roles | p. 254 |
| Oracle-Supplied Roles | p. 258 |
| About User Default Roles | p. 261 |
| Using Views | p. 264 |
| Creating Views | p. 265 |
| About Triggers | p. 267 |
| 9 Oracle and Database Links | p. 269 |
| Basic Database Link Architecture | p. 271 |
| Creating a Database Link | p. 274 |
| Security Problem with Database Links | p. 281 |
| About Shared Database Links | p. 285 |
| More About Global Database Links | p. 286 |
| Auditing Database Links | p. 292 |
| 10 Security and Developer Tools | p. 295 |
| Application Security | p. 296 |
| Database vs. Application Users | p. 297 |
| Building Application Security into the Database | p. 298 |
| Application Design Practices | p. 301 |
| Oracle Call Interface | p. 305 |
| Auditing to Monitor Database Activity | p. 312 |
| Virtual Private Database | p. 314 |
| Fine-Grained Access Control | p. 315 |
| Application Context | p. 316 |
| Invoker Rights vs. Definer Rights | p. 319 |
| Definer Rights | p. 320 |
| Invoker Rights | p. 321 |
| PL/SQL Packages | p. 322 |
| Dbms_Obfuscation_Toolkit | p. 323 |
| Utl_File Package | p. 324 |
| Part IV Secure Network Communications | |
| 11 Network Integrity, Authentication, and Encryption | p. 329 |
| Introduction to Oracle Advanced Security Option | p. 330 |
| Sniffing and Spoofing | p. 331 |
| Hijacking a Connection | p. 334 |
| Protecting Data on the Network | p. 334 |
| Native Features of OAS | p. 340 |
| Configuring Authentication | p. 342 |
| Configuring Integrity | p. 344 |
| Configuring Encryption | p. 345 |
| Secure Sockets Layer Protocol | p. 346 |
| Configuring SSL | p. 347 |
| Debugging an SSL Connection | p. 355 |
| Enterprise User Security | p. 356 |
| Recommended Protocols | p. 357 |
| 12 Oracle Security Options | p. 359 |
| Virtual Private Databases | p. 361 |
| Creating a VPD | p. 363 |
| A Look at Oracle Label Security | p. 373 |
| Oracle Internet Directory | p. 376 |
| About LDAP Architecture | p. 376 |
| Oracle Internet Directory Implementation | p. 382 |
| 13 Firewalls and Oracle | p. 389 |
| How Firewalls Work | p. 390 |
| Firewall Approaches | p. 392 |
| What a Firewall Does Not Prevent | p. 396 |
| Types of Firewalls | p. 396 |
| Using Oracle Through a Firewall | p. 397 |
| The Problem | p. 399 |
| Determining Whether a Connection Problem Is a Firewall | p. 400 |
| Firewall Proxies | p. 402 |
| Listener Service | p. 404 |
| Connection Manager | p. 405 |
| Preventing Port Redirection | p. 408 |
| 14 Apache HTTP Server Security | p. 411 |
| About Web Servers | p. 412 |
| Web Server Tasks | p. 412 |
| Oracle's Apache Implementation | p. 418 |
| Apache Installation and Configuration | p. 419 |
| Oracle HTTP Configuration File | p. 431 |
| Apache Security | p. 432 |
| 15 Oracle Portal Security Management | p. 435 |
| Oracle Portal--From the Beginning | p. 436 |
| Oracle Portal Initial Users | p. 437 |
| Portal Authentication Management | p. 441 |
| User Account Types | p. 442 |
| User Management | p. 443 |
| Adding Users | p. 443 |
| Editing a User | p. 449 |
| Self-Service User Maintenance | p. 458 |
| Configuring the Login Server | p. 460 |
| Password Policy Management | p. 461 |
| Authenticating Users | p. 466 |
| Object Access Management | p. 472 |
| Creating Groups | p. 472 |
| Granting Access to Users and Groups | p. 474 |
| Granting Public Access to Pages and Applications | p. 483 |
| Part V Hackers and Troubleshooting | |
| 16 Implementing Auditing | p. 487 |
| About Auditing | p. 489 |
| Auditing Questions to Ask | p. 489 |
| Customizing Database Auditing | p. 501 |
| A Table Auditing Approach | p. 504 |
| Table Audit Scripts | p. 505 |
| 17 Hacker-Proofing Your Database | p. 517 |
| Attackers | p. 519 |
| Disgruntled Employees | p. 519 |
| Professional Hackers | p. 527 |
| Vandals | p. 530 |
| Authorized User Gaining Elevated Privileges | p. 531 |
| Types of Attacks | p. 532 |
| Buffer Overflows | p. 532 |
| SQL Injection Attack | p. 534 |
| Reporting a Vulnerability | p. 537 |
| Independent Security Evaluations | p. 538 |
| Tools for Protecting Your Database | p. 539 |
| Security Assessment | p. 540 |
| Intrusion Detection | p. 540 |
| Encryption | p. 541 |
| Choosing a Product Strategy | p. 543 |
| A Glossary | p. 545 |
| B Security Risk Assessment Checklists | p. 555 |
| Physical Security of Hardware | p. 556 |
| Equipment, Tapes, and Disks | p. 558 |
| Operating System and Network Security | p. 559 |
| Password and Account Management | p. 561 |
| Backup and Recovery | p. 563 |
| Legal Issues | p. 565 |
| Policies and Procedures | p. 566 |
| Oracle-Specific Issues | p. 567 |
| Other Security Issues | p. 569 |
| C Steps to Secure Your System | p. 571 |
| Change Default Passwords | p. 572 |
| Enable Password Management Features | p. 573 |
| Remove Unnecessary Privileges Granted to Public | p. 574 |
| Set Parameters Securely | p. 575 |
| Place Your Oracle Database(s) Behind a Firewall | p. 575 |
| Set the Listener Password | p. 576 |
| Enable SSL for Network Encryption | p. 577 |
| Harden the Operating System | p. 578 |
| Download and Apply Security Patches | p. 578 |
| D System Privileges and Audit Options | p. 579 |
| E Oracle9i Security Features | p. 585 |
| Data Security | p. 586 |
| Secure Application Roles | p. 587 |
| Proxy Authentication | p. 587 |
| Java Security | p. 588 |
| PKI Support | p. 588 |
| Oracle Advanced Security Option | p. 589 |
| Oracle9i Data Guard | p. 589 |
| Fine-grained Auditing | p. 590 |
| Oracle Net | p. 591 |
| Default Accounts and Passwords | p. 592 |
| Index | p. 593 |
