July 09, 2009
 Covering The Blind Spots: Auditing and Securing Oracle’s Encrypted Communication

Visibility needed

Almost 18 months ago I wrote this white paper and then forgot all about it until today, when I found out that it is actually used internally. It uses some marketing lingo but nothing exceptional or unacceptable.

So, here it is, enjoy.


Full Visibility into Database Usage for Robust Data Governance 
Meeting compliance mandates requires visibility and control over business applications and databases, including monitoring the actions of privileged database users. Imperva delivers comprehensive database auditing and visibility into database changes that helps organizations ensure and demonstrate the integrity of applications and databases. This is a critical component of regulatory compliance not only for Sarbanes-Oxley, but also for similar legislation outside of the US such as “J-SOX” (Japan), “K-SOX” (Korea), and PIPEDA (Canada).

Industry's Best Database Activity Monitoring and Auditing
SecureSphere® Database Monitoring Gateways are a family of automated database activity monitoring and audit appliances that establish a detailed, independent record of application user activity for Oracle, MS-SQL, IBM DB2, Sybase and Informix database environments.

Protects Databases and Database Servers
Deployed as non-inline network monitors, SecureSphere Database Gateways are designed to help organizations meet compliance requirements, with specific emphasis on packaged applications such as Oracle E-Business Suite, SAP, and PeopleSoft. A dedicated host agent is also available to monitor privileged user activity, including console, telnet and SSH sessions as well as shared memory and IPC connection activity. The SecureSphere system can be deployed as a standalone appliance, while a central management server enables unified management of distributed gateways and agents.

Covering the Communication Blind Spots 
Chief Security Officers face a dilemma in trying to fulfill two contradicting mandates that seem to be mutually exclusive: privacy regulations require that database communication be encrypted, while governance requirements demand activity monitoring. Oracle’s native logging and auditing has proved to be insufficient, and organizations used to be in a deadlock situation: encryption protects privacy but also eliminates the auditor’s visibility. SecureSphere solves this dilemma by providing a robust auditing, activity monitoring and security solution while allowing the use of industry standard SSL encryption with Oracle Databases.

Oracle Communication Encryption 
Oracle Advanced Security adds encryption to and from the Oracle Database by implementing one of two supported encryption methods: native encryption with data integrity algorithms, or industry standards-based SSL.
The native encryption and data integrity algorithms in Oracle Advanced Security do not support PKI and cannot be used when there is a need to support industry standards for certificate management, renewal and revocation. In contrast, Oracle Advanced Security’s SSL client can be used with industry standards compliant systems, for instance with certificates issued by Verisign, Thawte, RSA Keon and Oracle Certificate Authority. It can be used for authentication to supported Oracle Databases, as they accept standard PKCS#7 certificate requests and issue X.509v3 certificates. Oracle Advanced Security provides an Entrust adapter that allows business applications to leverage Entrust’s PKI with supported Oracle Databases such as Oracle Database 10g.

Oracle Advanced Security includes a Kerberos client and is compatible with a Kerberos v5 ticket that is issued by any MIT v5 compliant Kerberos server or Microsoft KDC. As a result, businesses can continue to operate in a heterogeneous environment using Oracle Advanced Security’s Kerberos solution.

Oracle and SSL
Oracle implements the SSL protocol for encryption of data exchanged between database clients and the database. This includes data in Oracle Net Services (formerly known as Net8), LDAP, thick JDBC, and IIOP format. SSL encryption provides users with an alternative to the previously released native Oracle Net Services encryption protocol, which has been supported in Oracle Advanced Security (formerly known as Advanced Networking Option) since Oracle7. A benefit of SSL is that it is a de facto Internet standard, and can be used with clients using protocols other than Oracle Net Services.

The SSL protocol has gained the confidence of users, and it is perhaps the most widely deployed and well-understood encryption protocol in use today. Oracle’s implementation of SSL supports the three standard modes of authentication: anonymous (Diffie-Hellman), server-only authentication using X.509 certificates, and mutual (client-server) authentication with X.509.

Oracle Application Server also supports SSL encryption between thin clients and the Oracle Application Server, as well as between Oracle Application Server and Oracle Data Server. As in Oracle, anonymous, server-only, and client-server authentication via X.509 are supported.

SSL addresses the problem of protecting user data exchanged between tiers in a three-tier system. By providing strong, standards-based encryption, SSL gives system developers and users confidence that data will not be compromised on the Internet. Note also that, unlike other methods which authenticate the client to the server only, SSL can authenticate the server to the client as well as the client to the server. This is a useful feature when building a web-based three-tier system, since users often insist on authenticating the identity of a web server before they will provide the server with sensitive information, such as credit card numbers.
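The three authentication modes above map onto a few Oracle Net parameters. The following sqlnet.ora, listener.ora and tnsnames.ora fragments are an added example, not taken from the white paper or from Oracle’s documentation; the host name, port, service name, wallet directories and certificate DN are placeholders chosen for illustration.

```text
# ---- listener.ora (server): add a TCPS endpoint beside the plain TCP one
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example)(PORT = 1521)))
    (DESCRIPTION = (ADDRESS = (PROTOCOL = TCPS)(HOST = dbhost.example)(PORT = 2484))))

# Server wallet holding the server certificate, its key and the trusted CA roots
WALLET_LOCATION =
  (SOURCE = (METHOD = FILE)
    (METHOD_DATA = (DIRECTORY = /u01/app/oracle/wallet/server)))   # placeholder path

# ---- sqlnet.ora (server)
# Mode 1, anonymous Diffie-Hellman: encrypts, but authenticates neither side, so a
# man-in-the-middle is not detected. Shown only to make the weak setting recognisable;
# do not enable it:
# SSL_CIPHER_SUITES = (SSL_DH_anon_WITH_3DES_EDE_CBC_SHA)

# Mode 2, server-only authentication: the server presents an X.509 certificate,
# the client proves nothing at the SSL layer (database password still applies)
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA)

# Mode 3, mutual authentication: the client must also present a certificate from a
# CA in the server wallet; the certificate DN can then be mapped to a database user
# (CREATE USER ... IDENTIFIED EXTERNALLY AS 'CN=...'). Replaces the line above:
# SSL_CLIENT_AUTHENTICATION = TRUE

# ---- sqlnet.ora (client)
WALLET_LOCATION =
  (SOURCE = (METHOD = FILE)
    (METHOD_DATA = (DIRECTORY = /home/app/wallet)))   # placeholder path
# Reject a server whose certificate DN does not match the expected one below
SSL_SERVER_DN_MATCH = YES

# ---- tnsnames.ora (client)
ORCL_TCPS =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCPS)(HOST = dbhost.example)(PORT = 2484))
    (CONNECT_DATA = (SERVICE_NAME = orcl.example))
    (SECURITY = (SSL_SERVER_CERT_DN = "CN=dbhost.example,O=Example,C=US")))
```

With modes 2 and 3 the plain TCP endpoint on port 1521 still accepts unencrypted sessions, so an auditor checking that the encryption mandate is actually met should look for connections on that port, not only for the TCPS configuration.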

Oracle and PKI
Public Key Infrastructure (PKI) encompasses technologies, policies and procedures for authentication based on the principles of public key cryptography. Public Key Infrastructure (PKI) has emerged as the authentication technology which is most appropriate for securing Internet and e-commerce applications. There are a number of reasons for this. First, PKI is highly scalable. Since users maintain their own certificates, and certificate authentication involves exchange of data between client and server only (i.e., no third party authentication server needs to be online), there is no limit to the number of users which can be supported using PKI. Moreover, PKI allows delegated trust. A user who has obtained a certificate from a recognized and trusted Certificate Authority (CA) can authenticate himself to a server the very first time he connects to that server, without that user having previously been registered with the system.
Oracle supports standard X.509v3 certificates and the relevant Public Key Cryptography Standards (PKCS) for certificate request and installation. This allows users to request certificates from any CA supporting these standards. It also allows users to install trusted root certificates from their choice of CAs, allowing the server to recognize and validate certificates issued by those CAs.

Conclusion 
Implementing SSL with Oracle’s Advanced Security is the preferred solution to ensure secure, encrypted communication to and from the database, as it uses industry standards, is more secure and ensures heterogeneous system compatibility. Introduced with Oracle Database 10g Release 2, SSL is considered preferable to the native method that was first introduced in previous releases.

Implementing SSL with Oracle’s Advanced Security ensures privacy, prevents eavesdropping and enables strong certificate-based authentication, and it also allows SecureSphere to provide activity monitoring and audit in this environment, giving security, audit and compliance officers the tools they need to comply with multiple and sometimes contradicting mandates.
