
Oracle Authentication


External attacks by hackers and internal abuses by employees are on the rise: CERT reported that computer security incidents doubled in 2001 over 2000. Overall, "...85% of US corporations and government agencies detected computer security breaches within the last twelve months" (survey conducted by the FBI and the Computer Security Institute). Networks and systems are the focus of security efforts for most corporations, with most companies implementing firewalls, virus protection, etc. Indeed, over half of all respondents to Information Security's 2000 Industry Survey said their top priority for 2001 was either strengthening the perimeter to prevent external intrusions or securing e-commerce operations.

Database security is an often neglected and misunderstood dimension of an overall information protection strategy. The need to protect information at the database level has never been greater. Regulatory requirements such as the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act of 1999 (GLB) require higher levels of protection and access control than most companies have previously implemented.

While all database vendors are working to improve security, Oracle is the industry's leading database management system (DBMS) and has taken the lead in implementing security features. This is the first in a series of articles on implementing a secure Oracle database. Future articles will look at access control, auditing, and configuration issues.

Authentication - Some History

In release 7.0, Oracle offered only simple passwords for user authentication. Since then, Oracle has significantly expanded the options available:

  • Oracle 7.1 added password encryption over the network.
  • Oracle 7.2.3 added encryption of the entire network data stream with a product called Secure Network Services (SNS).
  • Oracle 7.3 added support for external authentication mechanisms such as Kerberos and RSA Security's SecurID tokens. Oracle also renamed SNS the Advanced Networking Option (ANO).
  • Oracle 8 added password management: detection of password-guessing attempts, account locking, and strong password enforcement.
  • Oracle 8i (8.1.5) and Oracle 8i Enterprise Edition Release 2 (8.1.6) renamed ANO again; the advanced security features are now called Oracle Advanced Security or the Advanced Security Option (ASO). ASO includes modules for encryption, authentication and data integrity, supports RSA's RC4, DES and Triple-DES for network encryption, and supports Kerberos, authentication tokens, biometrics, and RADIUS for authentication.
  • Oracle 9i added the ability to manage password-authenticated users in an LDAP-compliant directory. Oracle also dropped support for CONNECT INTERNAL, improving accountability for privileged access.

Native Authentication Methods

Authentication proves the identity of a user, and the most common method is the password. Oracle natively provides two password-based mechanisms: in the first, the user authenticates to the host operating system and Oracle trusts that result; in the second, the user supplies a password that Oracle itself validates.

Host-based

Oracle allows users to be authenticated by the underlying operating system (CREATE USER username IDENTIFIED EXTERNALLY). This provides operational advantages such as consolidated user/password maintenance and the use of operating system groups for access control. It also removes the need to embed clear-text passwords in operational (batch) scripts. The disadvantages are that every database user needs an operating system account on the database host, and that the presence of all those accounts makes it harder to tightly restrict the host's system services.

Recommendations

The default prefix for operating system-authenticated accounts is OPS$. It is recommended that this prefix be changed in the init.ora file (OS_AUTHENT_PREFIX parameter) to another non-null value. A non-default value creates a hurdle for would-be intruders and ensures that the account can only be reached through the host operating system and the proper host account. With the default prefix, OPS$, an account that also has an Oracle password can be reached by both the host-based and the Oracle password mechanisms. While this can be an operational advantage, the security implication, i.e., the ability to log in from a different host account, should be carefully considered before choosing this option.

When using host-based authentication, you must be sure that the host can be trusted. The REMOTE_OS_AUTHENT parameter should be left at 'false' (the default) unless application requirements dictate otherwise (e.g. SAP), so that only the local host, and not just any host on the network, is trusted. With this parameter set to 'true', any machine that can reach the listener can present an OS user name of its own choosing, which represents a significant security risk.

Note: In an SAP environment, the database machine must be protected by network and system-level mechanisms to prevent unauthorized privileged access.
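As an added example, not taken from the original article, here is how the host-based settings discussed above look in practice: an init.ora fragment (shown as comments) and the SQL*Plus statements a DBA would run on Oracle 8i/9i. The prefix value HOST$, the OS user name jsmith and the privilege granted are assumptions for illustration.

```sql
-- init.ora (assumed values; OPS$ is the shipped default)
--   Weak pairing:                  Recommended pairing:
--     os_authent_prefix = OPS$       os_authent_prefix = HOST$
--     remote_os_authent = TRUE       remote_os_authent = FALSE

-- Confirm the running values before creating any externally identified account
SHOW PARAMETER os_authent_prefix
SHOW PARAMETER remote_os_authent

-- OS user "jsmith" on the database host maps to HOST$JSMITH. No password is
-- stored (DBA_USERS.PASSWORD reads 'EXTERNAL'), and with a non-OPS$ prefix the
-- account can only be entered through the host login, e.g.  sqlplus /
CREATE USER host$jsmith IDENTIFIED EXTERNALLY;
GRANT CREATE SESSION TO host$jsmith;

-- Audit query: every externally authenticated account, plus any OPS$-named
-- account that still carries an Oracle password (with the default prefix such
-- accounts accept either login path, the condition the text warns about)
SELECT username,
       DECODE(password, 'EXTERNAL', 'host login only', 'password set') AS auth_type,
       created
  FROM dba_users
 WHERE password = 'EXTERNAL'
    OR username LIKE 'OPS$%'
 ORDER BY username;
```

Run the audit query after changing the prefix: any OPS$-named rows that remain are accounts created under the old prefix and should be renamed or dropped.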

Oracle Passwords

Oracle passwords provide user authentication in a client-server environment (CREATE USER username IDENTIFIED BY password). Passwords are not stored in clear text: Oracle keeps a one-way hash of each password in the SYS.USER$ table, which is exposed through the DBA_USERS view. With the introduction of Oracle 8, password management can be handled within Oracle itself. Passwords are typically one of the weakest areas in security: good passwords are hard to remember, so they get written down, and easily remembered passwords are just as easy to crack.

With Oracle 8 and later, Oracle provides mechanisms to ensure that passwords are changed regularly and are complex enough that they cannot be easily guessed. Password management features include:

  • enforcing a minimum password length,
  • prohibiting password reuse,
  • requiring passwords to contain symbols or numbers, and
  • disallowing easily guessed passwords such as the user's name.

These password management features are implemented with profiles, in the same way as limits on resource usage. Oracle supplies a sample PL/SQL function, VERIFY_FUNCTION, to simplify enforcing password complexity. It is not created by default; run the $ORACLE_HOME/rdbms/admin/utlpwdmg.sql script as SYS to create it. Be aware that the script also alters the DEFAULT profile to use the function and to set password limits, which affects every account on that profile.

Recommendations

Any changes to the DEFAULT profile also apply to the SYS and SYSTEM accounts, so they should be carefully considered to ensure those accounts can still function under the new limits. It is recommended that a separate profile be created for all non-DBA users that limits resource use and enforces password management policies. A DBA profile should also be created to ensure that DBA passwords are routinely changed and that password complexity is enforced. Application owner accounts should have their own profiles that provide sufficient security without negatively impacting the application (for example, a batch job cannot respond to a password-expiry prompt).

Note: An "expired" account (PASSWORD_LIFE_TIME and PASSWORD_GRACE_TIME parameters) is different from a "locked" account (FAILED_LOGIN_ATTEMPTS and PASSWORD_LOCK_TIME parameters). A locked account may be automatically unlocked by the passage of time (unless PASSWORD_LOCK_TIME is UNLIMITED), whereas an expired account stays unusable until its password is changed, either by the user when prompted at login or by a DBA with ALTER USER.
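The profile layout recommended above, as an added SQL*Plus example (not the article's own code). It assumes Oracle 8i/9i, that utlpwdmg.sql is available to be run as SYS, and the account names SCOTT, OPS_DBA and APPOWNER; the numeric limits are illustrative choices, not Oracle defaults.

```sql
-- Create SYS.VERIFY_FUNCTION (run as SYS). Caveat: the shipped script also
-- alters the DEFAULT profile, so review its effect on SYS and SYSTEM.
@?/rdbms/admin/utlpwdmg.sql

-- Non-DBA users: password policy plus resource ceilings. Password limits are
-- always enforced; the resource limits only take effect with resource_limit = true.
CREATE PROFILE app_user_profile LIMIT
  FAILED_LOGIN_ATTEMPTS    5
  PASSWORD_LOCK_TIME       1/24         -- in days, so 1 hour; auto-unlock afterwards
  PASSWORD_LIFE_TIME       90
  PASSWORD_GRACE_TIME      7
  PASSWORD_REUSE_TIME      365
  PASSWORD_REUSE_MAX       UNLIMITED    -- how these two interact differs by release
  PASSWORD_VERIFY_FUNCTION verify_function
  SESSIONS_PER_USER        2
  IDLE_TIME                30;          -- minutes

-- DBAs: tighter rotation, and a lockout that only another DBA can clear
CREATE PROFILE dba_profile LIMIT
  FAILED_LOGIN_ATTEMPTS    3
  PASSWORD_LOCK_TIME       UNLIMITED    -- stays LOCKED until ALTER USER ... ACCOUNT UNLOCK
  PASSWORD_LIFE_TIME       30
  PASSWORD_GRACE_TIME      3
  PASSWORD_REUSE_TIME      365
  PASSWORD_REUSE_MAX       UNLIMITED
  PASSWORD_VERIFY_FUNCTION verify_function;

-- Application owners: no automatic expiry (a batch job cannot answer the
-- change-password prompt), but still lock out brute-force attempts
CREATE PROFILE app_owner_profile LIMIT
  FAILED_LOGIN_ATTEMPTS    5
  PASSWORD_LOCK_TIME       UNLIMITED
  PASSWORD_LIFE_TIME       UNLIMITED
  PASSWORD_VERIFY_FUNCTION verify_function;

ALTER USER scott    PROFILE app_user_profile;
ALTER USER ops_dba  PROFILE dba_profile;
ALTER USER appowner PROFILE app_owner_profile;

-- Check: accounts still on DEFAULT, and the locked/expired distinction from the
-- note above. LOCKED(TIMED) clears itself after PASSWORD_LOCK_TIME; LOCKED needs
-- a DBA unlock and EXPIRED needs a password change.
SELECT username, profile, account_status, lock_date, expiry_date
  FROM dba_users
 WHERE profile = 'DEFAULT'
    OR account_status <> 'OPEN'
 ORDER BY username;

-- Recovering a locked-out user while still forcing a fresh password
ALTER USER scott ACCOUNT UNLOCK;
ALTER USER scott PASSWORD EXPIRE;
```

The check query is the one to run periodically: every row still on DEFAULT is an account whose password policy is whatever utlpwdmg.sql (or the last DBA to touch DEFAULT) left behind.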

Advanced Authentication Options

Oracle Advanced Security supports a wide variety of authentication options that are stronger than passwords. The following third-party technologies are supported:

  • Tokens,
  • PKI,
  • Kerberos and CyberSafe,
  • Smart cards,
  • Biometrics, and
  • RADIUS-compliant devices.

These mechanisms require third-party products that integrate with Oracle. Products currently supported include Entrust's PKI, CyberSafe's Active Trust, Identix, RADIUS-compliant smart cards or tokens, and RSA's SecurID tokens. Oracle also supports its own Kerberos implementation. If your company is already using these technologies, integration with Oracle requires the Advanced Security Option, Net8, and a global approach to user management rather than a per-database approach. While the global approach is ultimately easier to manage, the effort required to reach it should not be underestimated.

Certificate-based Authentication

Oracle Advanced Security also offers PKI-based authentication using X.509 (version 3) certificates over SSL connections. The primary PKI component Oracle provides is the Oracle Wallet Manager, which securely manages user credentials (private keys and certificates). Once users have opened their "wallets", they can connect to multiple Oracle database servers without providing additional passwords. This provides stronger authentication as well as reduced sign-on.

N-tier Authentication

For applications and systems that rely on a middle tier, Oracle9i introduced n-tier authentication, that is, "lightweight session" creation via the Oracle Call Interface (OCI). In a lightweight session, an application can maintain multiple user sessions within a single database server session. Each user can be authenticated by a database password without the overhead of a separate database connection, and the identity of the real user is preserved through the middle tier.

Oracle Security and Directory Integration

In Oracle 8i, Oracle introduced the Oracle Internet Directory (OID). OID integrates with Oracle 8i/9i and Oracle Advanced Security to provide directory-based user and privilege management. For large computing environments the potential cost savings are significant, since users and access privileges can be managed centrally for all databases and other computing platforms.

Database Links

A database link allows data in a remote database to be accessed without the user providing additional authentication credentials. There are two types of database links, private and public. Private database links can be used only by the user that created them, while public links are available to all users. If the link stores no credentials (no CONNECT TO clause, in which case the connected user's own identity is used, or CONNECT TO CURRENT_USER, which additionally requires the caller to be a global user), every user of the link must have an account in the remote database. If the link is created with credentials (CONNECT TO user IDENTIFIED BY password), only that user name must exist in the remote database.

Note: If a database link is created with the CONNECT TO user IDENTIFIED BY password clause, the password is stored in clear text in the SYS.LINK$ table.

Recommendation

While only DBAs should have access to the LINK$ table, using public database links to reach highly sensitive data is not recommended. If public database links are used, the user name used for the connection should not also be a valid user name in the local database, so that a password recovered from LINK$ cannot simply be replayed locally. Regardless of link type, only the necessary privileges should be granted to the link's account in the remote database. In addition, the DBLINK_ENCRYPT_LOGIN parameter in the init.ora file should be set to true to force Oracle to encrypt link passwords before transmission rather than falling back to clear text.

Note: Oracle's own Kerberos authentication supports database link authentication (also called proxy authentication), while CyberSafe's implementation does not.
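An added SQL*Plus example, not from the original article, contrasting the link types described above and showing the audit queries that go with the recommendations. Link names, remote accounts, passwords, Net8 aliases and the PRODUCT_CATALOG table are assumptions; the LINK$ query reflects the clear-text storage the note describes.

```sql
-- init.ora (assumed): dblink_encrypt_login = true
SHOW PARAMETER dblink_encrypt_login

-- Private link with fixed credentials: usable only by its owner, and only
-- REPORTS_RO must exist remotely. Its password is written in clear text to
-- SYS.LINK$, so REPORTS_RO should not also exist as a local account.
CREATE DATABASE LINK sales_ro
  CONNECT TO reports_ro IDENTIFIED BY rpt_ro_pw0
  USING 'sales_db';                           -- tnsnames.ora alias

-- Connected-user link: nothing stored; the caller needs an account with the
-- same name and password on the remote side
CREATE DATABASE LINK hr_self USING 'hr_db';

-- Current-user link: also nothing stored, but the caller must be a global user
CREATE DATABASE LINK hr_global CONNECT TO CURRENT_USER USING 'hr_db';

-- Public link: every local user can use it, so the remote account should hold
-- read-only access to the reporting views and nothing more
CREATE PUBLIC DATABASE LINK corp_lookup
  CONNECT TO lookup_ro IDENTIFIED BY lkp_ro_pw0 USING 'corp_db';

SELECT product_code, description FROM product_catalog@corp_lookup;

-- Audit 1: public links that carry stored credentials
-- (CURRENT_USER links report 'CURRENT_USER' in the username column)
SELECT owner, db_link, username, host
  FROM dba_db_links
 WHERE owner = 'PUBLIC'
   AND username IS NOT NULL
   AND username <> 'CURRENT_USER';

-- Audit 2: link accounts that are also local user names (the replay risk above)
SELECT l.owner, l.db_link, l.username
  FROM dba_db_links l, dba_users u
 WHERE l.username = u.username;

-- Audit 3 (as SYS): what anyone who can read LINK$ actually obtains
SELECT name, userid, password
  FROM sys.link$
 WHERE password IS NOT NULL;
```

Audit 3 is the argument for restricting SELECT on LINK$ and for the init.ora setting: a database that exports its data dictionary (or a backup of it) leaks every link password in the clear.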

Conclusion

Oracle provides several options for authenticating users, applications, clients, and servers. Passwords are the most commonly used form of authentication, but have inherent weaknesses that may not be acceptable in today's web-based, widely distributed computing environment. Stronger authentication such as tokens or digital certificates is recommended when economically feasible. Passwords should never be stored in clear text in operational or support scripts, and good password management practices should be employed (forced password changes, enforced password complexity, account lockout after 5 or more failed login attempts, etc.). Database security is a critical component of an overall security strategy and should not be overlooked by companies wanting to minimize risk and ensure information privacy and protection.



©2001-2003 by Itillious, Inc. All Rights Reserved.