Securing Your Enterprise with Enterprise Manager 10g Amir Najmi Principal Member of Technical Staff...

Post on 14-Dec-2015


Securing Your Enterprise with Enterprise Manager 10g

Amir Najmi, Principal Member of Technical Staff

System Management Products

Oracle Corporation

Session id: 40034

“Through 2005, 90 percent of cyber-attacks will continue to exploit known security flaws for which a patch is available or a preventive measure is known.”

-Gartner report, May 2002

Common security best practices are not quite so common

Gartner report
Slammer virus exploited known security flaw
  – Patch was available 6 months before attack
  – Many of Microsoft’s own servers were affected
Conclusion: Administrators often do not take common security measures

Why is security difficult for administrators?

Lack of knowledge
  – No knowledge of the vulnerability
  – No understanding of impact, justification for fix

Lack of logistical support
  – No easy way to identify vulnerable installations
  – No convenient way to administer the fix
  – No easy way to ensure the fix remains in place

Grid security requires infrastructure support

Grid has greater security requirements due to
  – Sheer scale
  – Heterogeneity
  – Connectivity (weakest link in the chain)
  – Dynamic configuration
Security must be reduced to routine procedure
Management tools must facilitate this practice at low overhead

Aspects of enterprise security

Develop secure applications

Deploy secure installations, patches

Employ secure configurations

Provision users with appropriate access

Detect and contain intruders

Design and development time

Install time

Operations and Management

Real time

Timescale

Post-install update

EM helps enforce common security best practices within the Oracle ecosystem

EM Security is built on the Policy Framework

Policy Framework

Database Configuration Policy

Security Policy

Storage Configuration Policy

Policy Framework: concepts

Rule
  – Specific to target type
  – Severity: Critical, Warning, Informational
Violation
  – Can be overridden by administrator
Policy
  – Collected rules of a single category
Provides common paradigm, user interface
Policy is essential to the Grid

EM security management

Software security
  – Addressing vulnerabilities in Oracle software
Instance hardening
  – Configuring Oracle for security
Database security
  – Guarding against excessive privilege

Patch management with EM

Hosts

Grid Control

Oracle Metalink

Patch Cache

Software security with EM

Fetch latest security alert metadata (Metalink)
Automatically add to software security rule
If targets found vulnerable, list patches which address the problem
Help stage (and in some cases, apply) patch
Going forward, test for vulnerability as part of software security rule

Instance hardening with EM

Identify products deployed in common insecure configurations
Check for weak authentication practices
Examples
  – Identify insecure services
  – Track down demo features enabled in production

Database security with EM

Check for excessive user privilege
Identify weak privilege model
  – Roles should be granular
Examples
  – Find default passwords
  – Identify excessive privileges to PUBLIC role

EM helps enforce security best practices

Deploy secure installations, patches
  – Provide rapid notification of security patches on Oracle products
  – Facilitate application of security patches
Employ secure configurations
  – Alert customer if an Oracle product is deployed in a common insecure configuration
Provision users with appropriate access
  – Check systems for accounts with excessive privileges
  – Provide in-context links to EM user management

Security administrator usage

Predefined test library (by target type)
  – Software
  – Instance hardening
  – Privileges
Tests are conducted automatically, periodically
Administrator views results
  – Roll-up reporting
  – Which tests revealed security flaws
  – Impact of the security flaw
  – Known workarounds and remedies
Overrides inappropriate violations
Takes corrective action
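A minimal model of the Rule / Violation / Policy concepts and of the administrator workflow above (automatic tests, overrides, roll-up reporting), added here as an illustration. It is not Enterprise Manager code: the rule names, target fields, alert table, patch id and the choice of telnet as the insecure service are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable

SEVERITIES = ("Critical", "Warning", "Informational")

@dataclass(frozen=True)
class Rule:
    name: str
    policy: str        # category that groups related rules
    target_type: str   # a rule applies to one target type only
    severity: str
    is_violated: Callable[[dict], bool]

# Constructed alert metadata: affected version -> placeholder patch id.
ALERTS = {"1.0.0": "PATCH-0001"}

RULES = [
    Rule("unpatched_alert", "Software", "database", "Critical",
         lambda t: t["version"] in ALERTS
         and ALERTS[t["version"]] not in t["patches"]),
    Rule("demo_feature_enabled", "Instance hardening", "database", "Warning",
         lambda t: bool(t["demo_features"])),
    Rule("public_privilege", "Privileges", "database", "Critical",
         lambda t: bool(t["public_privs"])),
    Rule("insecure_service", "Instance hardening", "host", "Warning",
         lambda t: "telnet" in t["services"]),  # telnet is an assumed sample
]

# Constructed inventory; every name and value here is sample data.
TARGETS = [
    {"name": "db1", "type": "database", "version": "1.0.0", "patches": [],
     "demo_features": ["sample_schema"], "public_privs": []},
    {"name": "db2", "type": "database", "version": "1.0.0",
     "patches": ["PATCH-0001"], "demo_features": [],
     "public_privs": ["EXECUTE ANY PROCEDURE"]},
    {"name": "host1", "type": "host", "services": ["ssh", "telnet"]},
]

def evaluate(targets, rules, overrides=frozenset()):
    """Return (target, rule) pairs in violation, skipping admin overrides."""
    return [(t["name"], r) for t in targets for r in rules
            if r.target_type == t["type"] and r.is_violated(t)
            and (t["name"], r.name) not in overrides]

def rollup(violations):
    """Count open violations per (policy, severity), Critical first."""
    counts = {}
    for _, rule in violations:
        key = (rule.policy, rule.severity)
        counts[key] = counts.get(key, 0) + 1
    ordered = sorted(counts, key=lambda k: (SEVERITIES.index(k[1]), k[0]))
    return {k: counts[k] for k in ordered}
```

Passing `{("db1", "demo_feature_enabled")}` as `overrides` drops that violation from the roll-up while the unpatched-alert finding on the same target stays open.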

The future of EM Security

More elaborate security roles
Security compliance history
Extensions to EM Policy Framework
  – E.g. policy groups, exemptions, timed exemptions
Greater automation for addressing problems
Editable remedies
Downloadable test definitions
User-defined tests

Q&A: Questions and Answers

Reminder – please complete the OracleWorld online session survey

Thank you.