PPT
【文档说明】les__Proxy数据库安全审计课件.ppt,共(25)页,237.501 KB,由小橙橙上传
转载请保留链接:https://www.ichengzhen.cn/view-92278.html
以下为本文档部分文字说明:
Copyright©2009,Oracle.Allrightsreserved.UsingProxyAuthenticationCopyright©2009,Oracle.Allrightsreserved.9-2ObjectivesA
ftercompletingthislesson,youshouldbeabletodothefollowing:•Describehowproxyauthenticationworks•Manageusersauthenticatedbyproxyauthentication
•AuditusersauthenticatedbyproxyCopyright©2009,Oracle.Allrightsreserved.9-3UserAuthenticationIdentifytheuserinthefollowingways:•Basicauthenticatio
n–Databaseuseridentifiedbyapassword–Databaseuseridentifiedbytheoperatingsystem•Strongauthentication•EnterpriseUserSecurity•P
roxyauthenticationCopyright©2009,Oracle.Allrightsreserved.9-4SecurityChallengesofThree-TierComputing•Identifytherealuser•Authenti
catetheendusertothedatabase•RestricttheprivilegesofthemiddletierApplicationserverDatabaseUserCopyright©2009,Oracle
.Allrightsreserved.9-5IdentifyingtheRealUser•Thedatabaseneedstheend-useridentityforthefollowingsecurityfunctions:–Authentication–Dataaccesscon
trol–Auditing•Application-levelsecurityrequiresthat:–Securitymustbecodedineveryapplication–Applicatio
nsmustbetheonlymethodtoaccessthedataApplicationserverDatabaseUserAbuserCopyright©2009,Oracle.Allrightsreserved.9
-7CommonImplementationsofAuthentication•Passthrough:Theuserisunknowntotheapplication.•Onebig-applicationuser:T
heuserisunknowntothedatabase.•Othermethods:–Theuserisreauthenticatedtothedatabase.–Theuserisidentifiedtothedatabase.–Theuserisproxied.Applicati
onserverDatabaseUserCopyright©2009,Oracle.Allrightsreserved.9-9UserReauthenticationTypesofauthenticat
ioninthree-tiersystems:•Middletier-to-databaseauthentication•Client-to-middletierauthentication•Clientreauthen
ticationthroughthemiddletiertothedatabase:–Doestheenduserneedtologinmultipletimes?–Cantheenduser’sdatabaseaccountinformationbestor
edintheapplication?–CantheuserbeauthenticatedbyusingLightweightDirectoryAccessProtocol(LDAP)?–Point-to-pointprotocols,such
assecuresocketslayer(SSL),canauthenticatetoonlyonenode.•SingleauthenticationCopyright©2009,Oracle.Allrightsreserved.9-11R
estrictingthePrivilegesoftheMiddleTier•Middletierwithhighprivileges:–Connectswithonedatabaseuserforallap
plicationusers–Hasallprivilegesforallapplicationusersforallconnections–Doesnotidentifytheendusertothedatabase
.•Middletierwithlimitedprivileges:–Adjustsprivilegesbyuseridentity–MayidentifyusertodatabaseCopyright©20
09,Oracle.Allrightsreserved.9-12ImplementingProxyAuthenticationSolutionsProxyauthenticationsolutionsdependonthetypeo
ftheenduser:•Knowntothedatabase:–Databaseuserandenterpriseuser–Possibletoreauthenticatetothedatabase–Auditingactionstakenon
behalfoftherealuser•Unknowntothedatabase:–Enduserknownonlytotheapplication–Supportforapplication-usermodel
s–LimitingtheprivilegeofthemiddletierCopyright©2009,Oracle.Allrightsreserved.9-14AuthenticatingDatabaseandEnterpriseUsers•UseOracleCallInterf
ace(OCI)orJavaDatabaseConnectivity(JDBC).•Theauthenticationprocessincludesthefollowingsteps:1.Theclientauthentic
atestothemiddletier.2.Themiddletierauthenticatestothedatabase.3.Themiddletiercreatestheenduser’ssession.4.Thedatabaseverifiesthatth
emiddletiercan:—Createthesessionfortheuser—Assigntherolesassignedtotheuser•Databaseuserscanbe:–Authen
ticatedtotheapplicationserver–ReauthenticatedtothedatabaseCopyright©2009,Oracle.Allrightsreserved.9-16UsingPro
xyAuthenticationforDatabaseUsers•Authenticatetheuserwithoutadatabasepassword:•Authenticatetheuserwithadatabasepassword:ALTERUSERphallGRANTCONN
ECTTHROUGHAPPSVR;ALTERUSERphallGRANTCONNECTTHROUGHAPPSVRAUTHENTICATIONREQUIREDPASSWORD;Copyright©2009,Oracle
.Allrightsreserved.9-18UsingProxyAuthenticationforEnterpriseUsers•Authenticatetheuserwithadistinguishedname:•Authent
icatetheuserwithacertificate:ALTERUSERphallGRANTCONNECTTHROUGHAPPSVRAUTHENTICATEDUSINGDISTINGUISHEDNAME;ALTERUSERphallGRANTCONNECTTHROUG
HAPPSVRAUTHENTICATEDUSINGCERTIFICATETYPE'X.509'VERSION'3';Copyright©2009,Oracle.Allrightsreserved.9-20ProxyAccessThrou
ghSQL*PlusProxyaccessthroughSQL*Pluswhen:•Userisknowntothedatabase•Userisunknowntothedatabase(EnterpriseUserProxy)CONNECTrajeev[A
PPSVR]/rajeev_pwdCONNECTAPPSVR[PHALL]/appsvr_pwdCopyright©2009,Oracle.Allrightsreserved.9-21EnterpriseUserProxyUseenterpriseuserswithc
urrentapplications.•Letthedirectoryauthenticatetheusers.•Connectasadatabaseuser.CONNECTgeorge[APPSVR]/george_pwdgeorgegeorge[APPSVR]APPSVRCopyrigh
t©2009,Oracle.Allrightsreserved.9-22EnterpriseUserProxy:ExampleCONNECTRAJEEV[PARTS_GUEST]/pwdCONNECTJIM[PARTS_GUE
ST]/pwdRajeevJimPARTS_DBCopyright©2009,Oracle.Allrightsreserved.9-24RevokingProxyAuthentication•Revokeproxyauthenticationthroughamiddl
etier:•DonotusetheAUTHENTICATEDUSINGorAUTHENTICATIONREQUIREDclausewithREVOKE.ALTERUSERphallREVOKECONNECTTHROUGHAPPSVR;Copyright©200
9,Oracle.Allrightsreserved.9-25Application-UserModel•UsetheOCI,thinJDBC,orthickJDBC.•End-useridentityissetbythemiddl
etier.•Theauthenticationprocessisasfollows:1.Themiddletierauthenticatestothedatabase.2.Theenduserauthenticatestothemiddlet
ier.3.Themiddletierallocatesasessiontotheuser,identifyingtheuserwithclient_identifier.4.Optionally,themiddletiercanenablerolestorestrictthepr
ivilegesoftheuser.•Examples:–Certificate–ApplicationusernameandpasswordCopyright©2009,Oracle.Allrightsreserved.9-27DataDict
ionaryViewsforProxyAuthentication•DBA_PROXIES:Allproxyconnections•USER_PROXIES:Connectionsthatthecurrentuserisallow
edtoproxy•PROXY_USERS:Userswhocanassumetheidentityofotherusers•V$SESSION_CONNECT_INFO:Networkconnectionsforallcur
rentsessions•V$SESSION:Session-connectdetails:–ThePROGRAMcolumnshows―proxy-user…‖–TheMODULEcolumnsho
ws―proxy-user…‖Copyright©2009,Oracle.Allrightsreserved.9-28DataDictionaryViews:DBA_PROXIESandUSER_PROXIESSQL>SE
LECTproxy,client,authentication,2authorization_constraint3FROMdba_proxiesPROXYCLIENTAUTHAUTHORIZATION_CONSTRAINT-----------
---------------------------------------HRUSERPHALLNOPROXYMAYACTIVATEROLEAPPSVRPHALLNONOCLIENTROLESMAYBEACTIVATEDHRUSERPFAY
YESPROXYMAYACTIVATEALLCLIENTROLESCopyright©2009,Oracle.Allrightsreserved.9-29DataDictionaryViews:V$SESSION_CONNECT_I
NFOSQL>selectSID,AUTHENTICATION_TYPE,2OSUSER,NETWORK_SERVICE_BANNER3fromv$session_connect_infowhereSID=148;SIDAUTHENTICAOSUSERNETWORK_
SERVICE_BANNER------------------------------------------------------------148DATABASEoracleTCP/IPNTProtocolAdapterforL
inux:Version11.1.0.6.0-Production148DATABASEoracleOracleAdvancedSecurity:encryptionserviceforLinux:Version11.1.0.6.0-Production148DATABASEoracleOracl
eAdvancedSecurity:crypto-checksummingserviceforLinux:Version11.1.0.6.0-ProductionCopyright©2009,Oracle.Allrightsreserved.9-
30AuditingActionsTakenonBehalfoftheRealUser•AuditSELECTsontheEMPLOYEEStablethatHRAPPSERVERinitiatesforPHALLasfollows:•AuditSELECTsontheEMPLOYE
EStablethatHRAPPSERVERinitiatesforanyuserasfollows:•ThestatementsinthisslideauditonlySELECTsinitiatedbyHRAPPSERVER.•Youc
annotauditCONNECTONBEHALFOF'DN'.AUDITSELECTTABLEONemployeesBYhrappserverONBEHALFOFphall;AUDITSELECTTABLEONemployeesBYhrappserverONBEHAL
FOFANY;Copyright©2009,Oracle.Allrightsreserved.9-32DataDictionaryViews:DBA_STMT_AUDIT_OPTS•DBA_STMT_AUDIT_OP
TSdescribesthecurrentsystemauditingoptions.•USER_NAMEcolumn:–ANYCLIENT:Auditingaccessbyaproxy–NULL:Systemwideauditing•PROXY_NAMEcolumn:–Thenameofthe
proxyuserperforminganoperationfortheclient–NULLiftheclientisperformingtheoperationdirectlyCopyright©20
09,Oracle.Allrightsreserved.9-33DataDictionaryViews:DBA_AUDIT_TRAIL•Theseviewslistaudit-trailentries:–DBA_AUDIT_TRAIL–USER_AUDIT_TRAIL•TheCOMME
NT_TEXTcolumncanindicatehowtheuserhasbeenauthenticated:–DATABASE:Authenticationdonebythepassword–NETWORK:AuthenticationdonebyO
racleNetServicesorOracleAdvancedSecurity–PROXY:Authenticationbyanotheruser–EXTERNALNAME:Thedistinguishedname(DN)oftheEnterprise
UserSecurity(EUS)userCopyright©2009,Oracle.Allrightsreserved.9-34Practice9Overview:ImplementingProxyAuthen
ticationThispracticecoversthefollowingtopics:•Implementingandtestingdatabaseproxyauthentication•ImplementingEUSproxyCopyright©2009,Oracle.Allrig
htsreserved.9-35SummaryInthislesson,youshouldhavelearnedhowto:•Describehowproxyauthenticationworks•Mana
geusersauthenticatedbyproxyauthentication•Auditusersauthenticatedbyproxy
辽公网安备 21102102000191号
营业执照
