
les--Proxy Database Security Auditing Courseware.ppt

Lesson 9: Using Proxy Authentication

Copyright 2009, Oracle. All rights reserved.

Objectives

After completing this lesson, you should be able to do the following:
- Describe how proxy authentication works
- Manage users authenticated by proxy authentication
- Audit users authenticated by proxy

User Authentication

Identify the user in the following ways:
- Basic authentication
  - Database user identified by a password
  - Database user identified by the operating system
- Strong authentication
- Enterprise User Security
- Proxy authentication

Security Challenges of Three-Tier Computing

- Identify the real user
- Authenticate the end user to the database
- Restrict the privileges of the middle tier

[Diagram: User, Application server, Database]

Identifying the Real User

The database needs the end-user identity for the following security functions:
- Authentication
- Data access control
- Auditing

Application-level security requires that:
- Security must be coded in every application
- Applications must be the only method to access the data

[Diagram: User, Abuser, Application server, Database]

Common Implementations of Authentication

- Pass through: The user is unknown to the application.
- One big-application user: The user is unknown to the database.
- Other methods:
  - The user is reauthenticated to the database.
  - The user is identified to the database.
  - The user is proxied.

[Diagram: User, Application server, Database]

User Reauthentication

Types of authentication in three-tier systems:
- Middle tier-to-database authentication
- Client-to-middle tier authentication
- Client reauthentication through the middle tier to the database:
  - Does the end user need to log in multiple times?
  - Can the end user's database account information be stored in the application?
  - Can the user be authenticated by using Lightweight Directory Access Protocol (LDAP)?
  - Point-to-point protocols, such as secure sockets layer (SSL), can authenticate to only one node.
- Single authentication

Restricting the Privileges of the Middle Tier

Middle tier with high privileges:
- Connects with one database user for all application users
- Has all privileges for all application users for all connections
- Does not identify the end user to the database

Middle tier with limited privileges:
- Adjusts privileges by user identity
- May identify user to database

Implementing Proxy Authentication Solutions

Proxy authentication solutions depend on the type of the end user:
- Known to the database:
  - Database user and enterprise user
  - Possible to reauthenticate to the database
  - Auditing actions taken on behalf of the real user
- Unknown to the database:
  - End user known only to the application
  - Support for application-user models
  - Limiting the privilege of the middle tier

Authenticating Database and Enterprise Users

Use Oracle Call Interface (OCI) or Java Database Connectivity (JDBC).

The authentication process includes the following steps:
1. The client authenticates to the middle tier.
2. The middle tier authenticates to the database.
3. The middle tier creates the end user's session.
4. The database verifies that the middle tier can:
   - Create the session for the user
   - Assign the roles assigned to the user

Database users can be:
- Authenticated to the application server
- Reauthenticated to the database

Using Proxy Authentication for Database Users

Authenticate the user without a database password:

    ALTER USER phall
      GRANT CONNECT THROUGH APPSVR;

Authenticate the user with a database password:

    ALTER USER phall
      GRANT CONNECT THROUGH APPSVR
      AUTHENTICATION REQUIRED PASSWORD;

Using Proxy Authentication for Enterprise Users

Authenticate the user with a distinguished name:

    ALTER USER phall
      GRANT CONNECT THROUGH APPSVR
      AUTHENTICATED USING DISTINGUISHED NAME;

Authenticate the user with a certificate:

    ALTER USER phall
      GRANT CONNECT THROUGH APPSVR
      AUTHENTICATED USING CERTIFICATE
      TYPE 'X.509' VERSION '3';

Proxy Access Through SQL*Plus

Proxy access through SQL*Plus when:
- User is known to the database:

      CONNECT APPSVR[PHALL]/appsvr_pwd

- User is unknown to the database (Enterprise User Proxy):

      CONNECT rajeev[APPSVR]/rajeev_pwd

Enterprise User Proxy

- Use enterprise users with current applications.
- Let the directory authenticate the users.
- Connect as a database user.

      CONNECT george[APPSVR]/george_pwd

[Diagram: george, APPSVR]

Enterprise User Proxy: Example

    CONNECT RAJEEV[PARTS_GUEST]/pwd
    CONNECT JIM[PARTS_GUEST]/pwd

[Diagram: Rajeev, Jim, PARTS_DB]

Revoking Proxy Authentication

Revoke proxy authentication through a middle tier:

    ALTER USER phall REVOKE CONNECT THROUGH APPSVR;

Do not use the AUTHENTICATED USING or AUTHENTICATION REQUIRED clause with REVOKE.

Application-User Model

- Use the OCI, thin JDBC, or thick JDBC.
- End-user identity is set by the middle tier.

The authentication process is as follows:
1. The middle tier authenticates to the database.
2. The end user authenticates to the middle tier.
3. The middle tier allocates a session to the user, identifying the user with client_identifier.
4. Optionally, the middle tier can enable roles to restrict the privileges of the user.

Examples:
- Certificate
- Application username and password

Data Dictionary Views for Proxy Authentication

- DBA_PROXIES: All proxy connections
- USER_PROXIES: Connections that the current user is allowed to proxy
- PROXY_USERS: Users who can assume the identity of other users
- V$SESSION_CONNECT_INFO: Network connections for all current sessions
- V$SESSION: Session-connect details:
  - The PROGRAM column shows "proxy-user"
  - The MODULE column shows "proxy-user"

Data Dictionary Views: DBA_PROXIES and USER_PROXIES

    SQL> SELECT proxy, client, authentication,
      2  authorization_constraint
      3  FROM dba_proxies

    PROXY   CLIENT  AUTH  AUTHORIZATION_CONSTRAINT
    ------  ------  ----  -----------------------------------
    HRUSER  PHALL   NO    PROXY MAY ACTIVATE ROLE
    APPSVR  PHALL   NO    NO CLIENT ROLES MAY BE ACTIVATED
    HRUSER  PFAY    YES   PROXY MAY ACTIVATE ALL CLIENT ROLES

Data Dictionary Views: V$SESSION_CONNECT_INFO

    SQL> select SID, AUTHENTICATION_TYPE,
      2  OSUSER, NETWORK_SERVICE_BANNER
      3  from v$session_connect_info where SID=148;

    SID  AUTHENTICA  OSUSER  NETWORK_SERVICE_BANNER
    ---  ----------  ------  ----------------------------------------
    148  DATABASE    oracle  TCP/IP NT Protocol Adapter for Linux: Version 11.1.0.6.0 - Production
    148  DATABASE    oracle  Oracle Advanced Security: encryption service for Linux: Version 11.1.0.6.0 - Production
    148  DATABASE    oracle  Oracle Advanced Security: crypto-checksumming service for Linux: Version 11.1.0.6.0 - Production

Auditing Actions Taken on Behalf of the Real User

Audit SELECTs on the EMPLOYEES table that HRAPPSERVER initiates for PHALL as follows:

    AUDIT SELECT TABLE ON employees
      BY hrappserver ON BEHALF OF phall;

Audit SELECTs on the EMPLOYEES table that HRAPPSERVER initiates for any user as follows:

    AUDIT SELECT TABLE ON employees
      BY hrappserver ON BEHALF OF ANY;

The statements in this slide audit only SELECTs initiated by HRAPPSERVER. You cannot audit CONNECT ON BEHALF OF DN.

Data Dictionary Views: DBA_STMT_AUDIT_OPTS

DBA_STMT_AUDIT_OPTS describes the current system auditing options.
- USER_NAME column:
  - ANY CLIENT: Auditing access by a proxy
  - NULL: Systemwide auditing
- PROXY_NAME column:
  - The name of the proxy user performing an operation for the client
  - NULL if the client is performing the operation directly

Data Dictionary Views: DBA_AUDIT_TRAIL

These views list audit-trail entries:
- DBA_AUDIT_TRAIL
- USER_AUDIT_TRAIL

The COMMENT_TEXT column can indicate how the user has been authenticated:
- DATABASE: Authentication done by the password
- NETWORK: Authentication done by Oracle Net Services or Oracle Advanced Security
- PROXY: Authentication by another user
- EXTERNAL NAME: The distinguished name (DN) of the Enterprise User Security (EUS) user

Practice 9 Overview: Implementing Proxy Authentication

This practice covers the following topics:
- Implementing and testing database proxy authentication
- Implementing EUS proxy

Summary

In this lesson, you should have learned how to:
- Describe how proxy authentication works
- Manage users authenticated by proxy authentication
- Audit users authenticated by proxy
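The data dictionary views described above can also be used to review the proxy grants themselves. The following is an added example, not part of the original courseware: it narrows a proxy grant to one role, confirms both identities inside a proxy session, and then lists every proxy/client pair with its role exposure and whether an ON BEHALF OF audit option covers it. The role name hr_clerk and the exposure labels are assumptions of this example; the view columns and constraint values are the ones shown in the slides.

```sql
-- Added example (not from the courseware). hr_clerk is a hypothetical role.

-- 1. Limit what the middle tier may enable when it proxies for PHALL.
--    DBA_PROXIES then reports PROXY MAY ACTIVATE ROLE for this pair.
ALTER USER phall GRANT CONNECT THROUGH appsvr WITH ROLE hr_clerk;

-- 2. Inside a session opened with CONNECT appsvr[phall]/appsvr_pwd,
--    the database still knows both the middle tier and the real user.
SELECT SYS_CONTEXT('USERENV', 'PROXY_USER')   AS proxy_user_name,
       SYS_CONTEXT('USERENV', 'SESSION_USER') AS session_user_name
  FROM dual;

-- 3. Review all proxy grants: how many client roles can the proxy
--    activate, does the client have to present its own credential,
--    and is there an audit option BY <proxy> ON BEHALF OF the client?
SELECT p.proxy,
       p.client,
       p.authentication,
       p.authorization_constraint,
       CASE
         WHEN p.authorization_constraint =
                'PROXY MAY ACTIVATE ALL CLIENT ROLES'
              AND p.authentication = 'NO'
           THEN 'HIGH: all client roles, no client credential'
         WHEN p.authorization_constraint =
                'PROXY MAY ACTIVATE ALL CLIENT ROLES'
           THEN 'MEDIUM: all client roles'
         ELSE 'LOW: roles restricted'
       END AS role_exposure,          -- labels defined by this example
       CASE
         WHEN EXISTS (SELECT 1
                        FROM dba_stmt_audit_opts a
                       WHERE a.proxy_name = p.proxy
                         AND a.user_name IN (p.client, 'ANY CLIENT'))
           THEN 'YES'
         ELSE 'NO'
       END AS audited_on_behalf_of
  FROM dba_proxies p
 ORDER BY p.proxy, p.client;
```

Rows that come back HIGH with audited_on_behalf_of = 'NO' are the grants where the middle tier holds the most privilege with the least accountability, so they are the first candidates for a narrower grant or an added audit option.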
