PPT
【文档说明】les__Proxy数据库安全审计课件.ppt,共(25)页,237.501 KB,由小橙橙上传
转载请保留链接:https://www.ichengzhen.cn/view-92278.html
以下为本文档部分文字说明:
Copyright©2009,Oracle.Allrightsreserved.UsingProxyAuthenticationCopyright©2009,Oracle.Allrightsreserved.9-2ObjectivesAftercompl
etingthislesson,youshouldbeabletodothefollowing:•Describehowproxyauthenticationworks•Manageusersauthenticatedbyproxyauthentication•Auditusersau
thenticatedbyproxyCopyright©2009,Oracle.Allrightsreserved.9-3UserAuthenticationIdentifytheuserinthefollowingw
ays:•Basicauthentication–Databaseuseridentifiedbyapassword–Databaseuseridentifiedbytheoperatingsystem•Strongauthentication•EnterpriseUserSecurity•
ProxyauthenticationCopyright©2009,Oracle.Allrightsreserved.9-4SecurityChallengesofThree-TierComputing•Identifythe
realuser•Authenticatetheendusertothedatabase•RestricttheprivilegesofthemiddletierApplicationserverDatabaseUserCopyright©2009,Oracle.Allrightsrese
rved.9-5IdentifyingtheRealUser•Thedatabaseneedstheend-useridentityforthefollowingsecurityfunctions:–Authentication–Dataaccessc
ontrol–Auditing•Application-levelsecurityrequiresthat:–Securitymustbecodedineveryapplication–Applicationsmustbetheonlymethodtoacces
sthedataApplicationserverDatabaseUserAbuserCopyright©2009,Oracle.Allrightsreserved.9-7CommonImplementationsofAuthentication•Pa
ssthrough:Theuserisunknowntotheapplication.•Onebig-applicationuser:Theuserisunknowntothedatabase.•Otherm
ethods:–Theuserisreauthenticatedtothedatabase.–Theuserisidentifiedtothedatabase.–Theuserisproxied.Applicatio
nserverDatabaseUserCopyright©2009,Oracle.Allrightsreserved.9-9UserReauthenticationTypesofauthenticationinthre
e-tiersystems:•Middletier-to-databaseauthentication•Client-to-middletierauthentication•Clientreauthenticationt
hroughthemiddletiertothedatabase:–Doestheenduserneedtologinmultipletimes?–Cantheenduser’sdatabaseaccountinformati
onbestoredintheapplication?–CantheuserbeauthenticatedbyusingLightweightDirectoryAccessProtocol(LDAP)?–Point-to-pointprotocol
s,suchassecuresocketslayer(SSL),canauthenticatetoonlyonenode.•SingleauthenticationCopyright©2009,Oracle.Allrightsreserved.9-11Restricting
thePrivilegesoftheMiddleTier•Middletierwithhighprivileges:–Connectswithonedatabaseuserforallapplicati
onusers–Hasallprivilegesforallapplicationusersforallconnections–Doesnotidentifytheendusertothedatabase.•Middletierwithlimitedprivileges:–Adjustsprivi
legesbyuseridentity–MayidentifyusertodatabaseCopyright©2009,Oracle.Allrightsreserved.9-12ImplementingProxyAuthenticati
onSolutionsProxyauthenticationsolutionsdependonthetypeoftheenduser:•Knowntothedatabase:–Databaseuseranden
terpriseuser–Possibletoreauthenticatetothedatabase–Auditingactionstakenonbehalfoftherealuser•Unknowntothedatabase:–Enduserknownonlytotheappl
ication–Supportforapplication-usermodels–LimitingtheprivilegeofthemiddletierCopyright©2009,Oracle.Allrightsreserved.9-1
4AuthenticatingDatabaseandEnterpriseUsers•UseOracleCallInterface(OCI)orJavaDatabaseConnectivity(JDBC).•Theauthenticationproces
sincludesthefollowingsteps:1.Theclientauthenticatestothemiddletier.2.Themiddletierauthenticatestothedatabase.3.The
middletiercreatestheenduser’ssession.4.Thedatabaseverifiesthatthemiddletiercan:—Createthesessionfortheuser—Assigntherolesassignedtot
heuser•Databaseuserscanbe:–Authenticatedtotheapplicationserver–ReauthenticatedtothedatabaseCopyright©2009,Oracle.Allrightsreserved.9-16UsingProxyAu
thenticationforDatabaseUsers•Authenticatetheuserwithoutadatabasepassword:•Authenticatetheuserwithadatabasepassword:AL
TERUSERphallGRANTCONNECTTHROUGHAPPSVR;ALTERUSERphallGRANTCONNECTTHROUGHAPPSVRAUTHENTICATIONREQUIREDPASSWORD;Copy
right©2009,Oracle.Allrightsreserved.9-18UsingProxyAuthenticationforEnterpriseUsers•Authenticatetheuserwithadistinguishedname:•Auth
enticatetheuserwithacertificate:ALTERUSERphallGRANTCONNECTTHROUGHAPPSVRAUTHENTICATEDUSINGDISTINGUISHEDNAME;ALTERUSERphallGRANTCONNECTTHROU
GHAPPSVRAUTHENTICATEDUSINGCERTIFICATETYPE'X.509'VERSION'3';Copyright©2009,Oracle.Allrightsreserved.9-20ProxyAccessThroughSQL*Plus
ProxyaccessthroughSQL*Pluswhen:•Userisknowntothedatabase•Userisunknowntothedatabase(EnterpriseUserProxy)CO
NNECTrajeev[APPSVR]/rajeev_pwdCONNECTAPPSVR[PHALL]/appsvr_pwdCopyright©2009,Oracle.Allrightsreserved.9-21EnterpriseUserPro
xyUseenterpriseuserswithcurrentapplications.•Letthedirectoryauthenticatetheusers.•Connectasadatabaseuser.CONNECTgeo
rge[APPSVR]/george_pwdgeorgegeorge[APPSVR]APPSVRCopyright©2009,Oracle.Allrightsreserved.9-22EnterpriseUserProxy:Ex
ampleCONNECTRAJEEV[PARTS_GUEST]/pwdCONNECTJIM[PARTS_GUEST]/pwdRajeevJimPARTS_DBCopyright©2009,Oracle.Allrightsreserved.9-24RevokingProxyAuthenticat
ion•Revokeproxyauthenticationthroughamiddletier:•DonotusetheAUTHENTICATEDUSINGorAUTHENTICATIONREQUIREDclausewithREVOKE.ALTERUSERphallREV
OKECONNECTTHROUGHAPPSVR;Copyright©2009,Oracle.Allrightsreserved.9-25Application-UserModel•UsetheOCI,thinJDBC,or
thickJDBC.•End-useridentityissetbythemiddletier.•Theauthenticationprocessisasfollows:1.Themiddletierauthent
icatestothedatabase.2.Theenduserauthenticatestothemiddletier.3.Themiddletierallocatesasessiontotheuser,identifyingtheuserwithcli
ent_identifier.4.Optionally,themiddletiercanenablerolestorestricttheprivilegesoftheuser.•Examples:–Certificate–Applicationusern
ameandpasswordCopyright©2009,Oracle.Allrightsreserved.9-27DataDictionaryViewsforProxyAuthentication•DBA_PROXIES:Al
lproxyconnections•USER_PROXIES:Connectionsthatthecurrentuserisallowedtoproxy•PROXY_USERS:Userswhocanassumetheidentityof
otherusers•V$SESSION_CONNECT_INFO:Networkconnectionsforallcurrentsessions•V$SESSION:Session-connectdetails:–ThePROGRAMcolumnshows―proxy-user…‖–
TheMODULEcolumnshows―proxy-user…‖Copyright©2009,Oracle.Allrightsreserved.9-28DataDictionaryViews:DBA_PROXIESandUSER_PROXIESSQL>SELECTproxy,client,a
uthentication,2authorization_constraint3FROMdba_proxiesPROXYCLIENTAUTHAUTHORIZATION_CONSTRAINT--------
------------------------------------------HRUSERPHALLNOPROXYMAYACTIVATEROLEAPPSVRPHALLNONOCLIENTROLESMAYBEACTIVATEDH
RUSERPFAYYESPROXYMAYACTIVATEALLCLIENTROLESCopyright©2009,Oracle.Allrightsreserved.9-29DataDictionaryViews:V$SESSION_CONN
ECT_INFOSQL>selectSID,AUTHENTICATION_TYPE,2OSUSER,NETWORK_SERVICE_BANNER3fromv$session_connect_infowhereSID=148;SIDAUTHENTICAOSUSERNETWORK_SER
VICE_BANNER------------------------------------------------------------148DATABASEoracleTCP/IPNTProtocol
AdapterforLinux:Version11.1.0.6.0-Production148DATABASEoracleOracleAdvancedSecurity:encryptionserviceforLinux:Version11.1.0
.6.0-Production148DATABASEoracleOracleAdvancedSecurity:crypto-checksummingserviceforLinux:Version11.1.0.6.0-Produc
tionCopyright©2009,Oracle.Allrightsreserved.9-30AuditingActionsTakenonBehalfoftheRealUser•AuditSELECTsontheEMPLOYEEStablethatHRAPPSERVERinit
iatesforPHALLasfollows:•AuditSELECTsontheEMPLOYEEStablethatHRAPPSERVERinitiatesforanyuserasfollows:•Thes
tatementsinthisslideauditonlySELECTsinitiatedbyHRAPPSERVER.•YoucannotauditCONNECTONBEHALFOF'DN'.AUDITSELECTTABLEONemplo
yeesBYhrappserverONBEHALFOFphall;AUDITSELECTTABLEONemployeesBYhrappserverONBEHALFOFANY;Copyright©2009,Oracle.Allrightsreserved.9-32Data
DictionaryViews:DBA_STMT_AUDIT_OPTS•DBA_STMT_AUDIT_OPTSdescribesthecurrentsystemauditingoptions.•USER_NAMEcolumn:–A
NYCLIENT:Auditingaccessbyaproxy–NULL:Systemwideauditing•PROXY_NAMEcolumn:–Thenameoftheproxyuserperforminga
noperationfortheclient–NULLiftheclientisperformingtheoperationdirectlyCopyright©2009,Oracle.Allrightsreserved.9-33DataDictionaryViews:DBA_AUDIT_
TRAIL•Theseviewslistaudit-trailentries:–DBA_AUDIT_TRAIL–USER_AUDIT_TRAIL•TheCOMMENT_TEXTcolumncanindica
tehowtheuserhasbeenauthenticated:–DATABASE:Authenticationdonebythepassword–NETWORK:Authenticationdoneby
OracleNetServicesorOracleAdvancedSecurity–PROXY:Authenticationbyanotheruser–EXTERNALNAME:Thedistinguishedname(DN)oftheEnterpriseUserSecurity(EUS)us
erCopyright©2009,Oracle.Allrightsreserved.9-34Practice9Overview:ImplementingProxyAuthenticationThispracticecoversthefollowingtopics:•Implementinga
ndtestingdatabaseproxyauthentication•ImplementingEUSproxyCopyright©2009,Oracle.Allrightsreserved.9-35SummaryInthisl
esson,youshouldhavelearnedhowto:•Describehowproxyauthenticationworks•Manageusersauthenticatedbyproxyauthentication•Auditusersauth
enticatedbyproxy
辽公网安备 21102102000191号
营业执照
