Wednesday, November 28, 2007

Database security and Oracle Database 11g

Oracle is out with its new database release, 11g. We kept our eyes on this version looking for significant improvements in database security. We observed that the 10g release lacked a lot of capability in Enterprise User Security (EUS), especially auditing of user roles in an EUS environment and user migration. But there is no major change in EUS.

Oracle made the following two changes in database security.

Transparent Data Encryption enhancement:

You can find a lot of security incidents through Google where data was lost from missing backup tapes. Oracle is trying to solve exactly that problem. It now provides transparent encryption at the tablespace level in addition to the column level. Once you declare a tablespace for TDE, you don't need to worry about disk-level encryption of its data; Oracle takes care of it automatically.

Oracle also started providing support for Hardware Security Modules (HSMs). An HSM provides much stronger protection for encryption keys than the wallet store.

Directory Security Enhancement:

Administrators can now disallow anonymous access to database service information in a directory and require clients to authenticate when performing LDAP directory-based name look-ups. If you are using Microsoft Active Directory-based name lookups, then Oracle Database uses the native operating system-based authentication. If you are using Oracle Internet Directory (OID)-based name lookups, then Oracle Database performs authentication by using wallets.

I don't see any major reason to protect service names through LDAP authentication. This makes Naming Service configuration more difficult than before. Certainly this is not a risk-based approach by Oracle.

In conclusion, Oracle is going in a good direction in terms of security, but we need to see more in the future.

Reference:

http://www.oracle.com/technology/deploy/security/database-security/pdf/advanced-security-11g-datasheet.pdf

http://www.ncipher.com/hardware-security-module.html

Tuesday, November 27, 2007

Bug in Oracle Enterprise Security Manager 10.2.0.0


I am trying to configure Enterprise User Security in an Oracle database using Enterprise Security Manager.


While configuring an Enterprise Database role under an Enterprise Domain, I always get the following exception in the console.

============================

Exception occurred during event dispatching:java.lang.NoClassDefFoundError: oracle/jdbc/OracleDriver at oracle.sysman.vdb.VdbSessionFactory.construct(VdbSessionFactory.java:532) at oracle.sysman.vdb.VdbSessionFactory.(VdbSessionFactory.java:434) at oracle.sysman.vbo.VboDBServerFat.(VboDBServerFat.java:135) at oracle.sysman.vbo.VboDBServerFat.(VboDBServerFat.java:184) at ...........

==================================


While doing more research, I found that Oracle has not configured esm.bat properly: there is a defect in its classpath setting.


If you also face the same error, open esm.bat in Notepad and replace the following entry


SET JDBCCLASSES=C:\oracle\product\10.2.0\client_1\jdbc\lib\classes12.zip;C:\oracle\product\10.2.0\client_1\jdbc\lib\classes111.zip;C:\oracle\product\10.2.0\client_1/jdbc/lib/nls_charset11.zip


to


SET JDBCCLASSES=C:\oracle\product\10.2.0\client_1\jdbc\lib\ojdbc14.jar;C:\oracle\product\10.2.0\client_1\jdbc\lib\ojdbc14_g.jar;C:\oracle\product\10.2.0\client_1\jdbc\lib\ojdbc14dms.jar;C:\oracle\product\10.2.0\client_1\jdbc\lib\ojdbc14dms_g.jar;


"C:\oracle\product\10.2.0\client_1" is my ORACLE_HOME. You need to replace this with your own Oracle home.


This will fix the problem and you will be able to configure global roles.
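The same fix can be applied without hand-editing, which matters when you have several client installs to correct. The script below is an added example, not Oracle's code and not part of the original post: it locates the SET JDBCCLASSES= line in esm.bat, derives ORACLE_HOME from the existing (broken) classpath entry unless you pass one explicitly, rewrites the line to the four ojdbc14 jars the post names, keeps a backup of the original file, and offers a check that those jars actually exist under ORACLE_HOME\jdbc\lib before you launch the tool. The function names and the SAMPLE_ESM_BAT excerpt are constructed for the example.

```python
"""Patch the JDBCCLASSES classpath in Oracle 10.2 esm.bat.

Added example; not Oracle's code. The jar list comes from the corrected
classpath shown in the post; everything else here is an assumption.
"""
import re
from pathlib import Path
from typing import List, Optional, Tuple

# Jars from the corrected SET JDBCCLASSES= line in the post.
OJDBC_JARS = ("ojdbc14.jar", "ojdbc14_g.jar", "ojdbc14dms.jar", "ojdbc14dms_g.jar")

# Matches the SET JDBCCLASSES=... line, case-insensitively as cmd.exe does.
_SET_LINE = re.compile(r"^(?P<prefix>\s*SET\s+JDBCCLASSES=)(?P<value>.*)$", re.IGNORECASE)

# Constructed excerpt of an esm.bat with the defective classpath (note the
# mixed slashes in the last entry, copied from the post). Not the real file.
SAMPLE_ESM_BAT = (
    "@echo off\r\n"
    "REM constructed excerpt, not the real esm.bat\r\n"
    r"SET JDBCCLASSES=C:\oracle\product\10.2.0\client_1\jdbc\lib\classes12.zip;"
    r"C:\oracle\product\10.2.0\client_1\jdbc\lib\classes111.zip;"
    r"C:\oracle\product\10.2.0\client_1/jdbc/lib/nls_charset11.zip" "\r\n"
    r"SET CLASSPATH=%JDBCCLASSES%;%CLASSPATH%" "\r\n"
)


def oracle_home_from_classpath(value: str) -> Optional[str]:
    """Derive ORACLE_HOME from the first classpath entry (text before \\jdbc\\lib\\)."""
    first = value.split(";")[0].strip()
    m = re.match(r"^(?P<home>.*?)[\\/]jdbc[\\/]lib[\\/]", first, re.IGNORECASE)
    return m.group("home") if m else None


def build_jdbc_classpath(oracle_home: str) -> str:
    """Build the corrected classpath: ORACLE_HOME\\jdbc\\lib\\<jar> for each ojdbc14 jar."""
    lib = oracle_home.rstrip("\\/") + r"\jdbc\lib"
    return ";".join(lib + "\\" + jar for jar in OJDBC_JARS)


def patch_esm_bat(text: str, oracle_home: Optional[str] = None) -> Tuple[str, int]:
    """Return (patched_text, lines_changed); other lines and line endings are kept."""
    out = []
    changed = 0
    for line in text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        eol = line[len(body):]
        m = _SET_LINE.match(body)
        if not m:
            out.append(line)
            continue
        home = oracle_home or oracle_home_from_classpath(m.group("value"))
        if home is None:
            raise ValueError("could not determine ORACLE_HOME from: " + body.strip())
        out.append(m.group("prefix") + build_jdbc_classpath(home) + eol)
        changed += 1
    return "".join(out), changed


def missing_jars(oracle_home: str) -> List[str]:
    """Names of expected ojdbc14 jars that are absent from ORACLE_HOME\\jdbc\\lib."""
    lib = Path(oracle_home) / "jdbc" / "lib"
    return [jar for jar in OJDBC_JARS if not (lib / jar).is_file()]


def patch_file(path: str, oracle_home: Optional[str] = None) -> int:
    """Patch esm.bat in place, keeping esm.bat.orig as a backup; returns lines changed."""
    p = Path(path)
    original = p.read_text()
    patched, n = patch_esm_bat(original, oracle_home)
    if n:
        p.with_name(p.name + ".orig").write_text(original)
        p.write_text(patched)
    return n


if __name__ == "__main__":
    patched_text, count = patch_esm_bat(SAMPLE_ESM_BAT)
    print(f"changed {count} line(s):")
    print(patched_text)
```

Run it against the real file with `patch_file(r"C:\oracle\product\10.2.0\client_1\bin\esm.bat")` (the path to esm.bat is an assumption; check where your install keeps it), then call `missing_jars(home)` before launching: if any of the four jars are absent, the NoClassDefFoundError will simply move from one missing class to another, so the check tells you whether the fix can work on that machine at all.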


I don't know how to report this defect to Oracle. Please do if you know the right channel.


Good Luck with Enterprise User Security


Congratulations!... Ecommerce is growing

This year, the market research company Forrester Research has projected ecommerce growth to $259 billion, which is 18% higher than 2006.

This is good news for all of us. It shows that more and more people now put their trust in internet transactions: the first step towards infosec success on a large scale.

Congrats to infosec practitioners.