Oracle Advanced Security Administrator's Guide
Release 8.1.6

A76932-01


1  Introduction to Oracle Advanced Security

This chapter introduces Oracle Advanced Security (formerly Oracle Advanced Networking Option) encryption, integrity, and authentication features. These features are available to network products using Net8, including Oracle8i, Oracle Designer, Oracle Developer, and any other Oracle or third-party products that support Net8.

Topics covered in this chapter include the following:

About Oracle Advanced Security

Oracle Advanced Security (formerly Oracle Advanced Networking Option and Secure Network Services) provides a comprehensive suite of security features to protect enterprise networks and securely extend corporate networks to the Internet. Oracle Advanced Security provides a single source of integration with network encryption and authentication solutions, single sign-on services, and security protocols. By integrating industry standards, it delivers unparalleled security to the Oracle network and beyond.

This section contains the following topics:

Network Security in a Distributed Environment

Oracle databases power the largest and most popular web sites. Organizations around the world are deploying distributed databases and client/server applications in record numbers, often on a global scale, based on Net8 and Oracle8i. This proliferation of distributed computing has been matched by an increase in the amount of information that organizations now place on computers. Employee records, financial records, product testing information, and other sensitive or critical data have moved from filing cabinets into file structures. The volume of critical or sensitive information on computers has increased the value of data that can be compromised.

Security Threats

The increased distribution of data in distributed environments brings with it serious security threats, including the following:

Data Tampering

Distributed environments bring with them the possibility that a malicious third party can execute a computer crime by tampering with data as it moves between sites.

Eavesdropping and Data Theft

Over the Internet and in Wide Area Network (WAN) environments, both public carriers and private network owners often route portions of their network through insecure land lines, extremely vulnerable microwave and satellite links, or a number of servers, leaving valuable data open to view by any interested party. In Local Area Network (LAN) environments within a building or campus, the potential exists for insiders with access to the physical wiring to view data not intended for them, and network sniffers can be easily installed to eavesdrop on network traffic.

Falsifying User Identities

In a distributed environment, it becomes more feasible for a user to falsify an identity to gain access to sensitive and important information. How can you be sure that user Pat connecting to Server A from Client B really is user Pat?
Moreover, in distributed environments, malefactors can hijack connections. How can you be sure that Client B and Server A are what they claim to be? A transaction that should go from the Personnel system on Server A to the Payroll system on Server B could be intercepted in transit and routed instead to a terminal masquerading as Server B.

Managing Multiple Passwords

In a distributed system, users often need to remember multiple passwords for the different applications and services that they use. For example, a developer can have access to an application in development on a workstation, a production system on a mini-computer, a PC for creating documents, and several computers or intranet sites for testing, reporting bugs, and managing configurations.

Users generally respond to managing the passwords of multiple accounts in one of the following ways:

All three strategies severely compromise password secrecy and service availability. Moreover, administration of all these accounts and passwords is complex, time-consuming, and expensive.

Oracle Advanced Security Features

Oracle Advanced Security protects against these threats to the security of distributed environments. It provides the following features, each of which is described in this section:

Data Privacy

Oracle Advanced Security ensures that data is not disclosed during transmission through the following types of encryption:

RSA Encryption

RSA encryption is an encryption module that uses the RSA Data Security RC4 encryption algorithm. Using a secret, randomly generated key unique to each session, all network traffic is fully safeguarded, including all data values, SQL statements, and stored procedure calls and results. The client, the server, or both can request or require the use of the encryption module to guarantee that data is protected. Oracle's optimized implementation provides a high degree of security for a minimal performance penalty. For the RC4 algorithm, Oracle provides encryption key lengths of 40 bits, 56 bits, and 128 bits.

Since the Oracle Advanced Security RSA RC4 40-bit and 56-bit implementations meet the U.S. government export guidelines for encryption products, Oracle provides an export version of the media and exports it to all but a few countries, allowing most companies to safeguard their entire worldwide operations with this software.

DES Encryption

The U.S. Data Encryption Standard (DES) is required for financial and many other institutions. Oracle Advanced Security offers a standard, optimized 56-bit key DES encryption algorithm. Due to former U.S. government export restrictions, Oracle Advanced Security also offers DES40, a version of DES that combines the standard DES encryption algorithm with the international availability of a 40-bit key. While DES56 is now exportable, Oracle Advanced Security supports DES40 for backward compatibility. Selecting the algorithm to use for network encryption is a user configuration option, allowing varying levels of security and performance for different types of data transfers.

More Information:

For more information, see Chapter 2, "Configuring Data Encryption and Integrity" and Appendix A, "Data Encryption and Integrity Parameters." 

Data Integrity

To ensure that data has not been modified, deleted, or replayed during transmission, Oracle Advanced Security optionally generates a cryptographically secure message digest (a cryptographic checksum computed with the MD5 algorithm) and includes it with each packet sent across the network.

Moreover, the SSL feature of Oracle Advanced Security allows the use of the Secure Hash Algorithm (SHA). SHA is slightly slower than MD5, but produces a larger message digest to make it more secure against brute-force collision and inversion attacks.
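The following added example (not Oracle's own code or wire format) models the per-packet integrity check described above: a keyed MD5 digest over a per-session sequence number plus the payload. The keyed construction (HMAC-MD5) and the sequence-number layout are assumptions for illustration; the sequence number is what lets a receiver notice deleted or replayed packets, since the digest alone only catches modification.

```python
import hashlib
import hmac
import os
import struct
from typing import List, Optional, Tuple

# Illustrative model only (assumption, not Oracle's packet format):
# packet = seq (4 bytes) || payload || HMAC-MD5(session_key, seq || payload)

class IntegritySender:
    def __init__(self, session_key: bytes):
        self.key = session_key
        self.seq = 0

    def wrap(self, payload: bytes) -> bytes:
        """Attach the sequence number and the 16-byte keyed MD5 digest."""
        header = struct.pack(">I", self.seq)
        self.seq += 1
        digest = hmac.new(self.key, header + payload, hashlib.md5).digest()
        return header + payload + digest

class IntegrityReceiver:
    def __init__(self, session_key: bytes):
        self.key = session_key
        self.expected_seq = 0

    def unwrap(self, packet: bytes) -> Tuple[str, Optional[bytes]]:
        """Return (verdict, payload); verdict is ok, modified, replayed or gap."""
        if len(packet) < 4 + 16:
            return "modified", None
        header, body, digest = packet[:4], packet[4:-16], packet[-16:]
        expected = hmac.new(self.key, header + body, hashlib.md5).digest()
        # Constant-time comparison so the check itself leaks nothing.
        if not hmac.compare_digest(expected, digest):
            return "modified", None
        (seq,) = struct.unpack(">I", header)
        if seq < self.expected_seq:
            return "replayed", None          # sequence already consumed
        if seq > self.expected_seq:
            self.expected_seq = seq + 1
            return "gap", body               # an earlier packet was deleted
        self.expected_seq = seq + 1
        return "ok", body

def demo() -> List[str]:
    """Push constructed traffic through the check; return the receiver's verdicts."""
    key = os.urandom(16)  # per-session random key, as the guide describes
    tx, rx = IntegritySender(key), IntegrityReceiver(key)
    p0 = tx.wrap(b"SELECT salary FROM emp WHERE id = 7")
    p1 = tx.wrap(b"UPDATE emp SET salary = 100 WHERE id = 7")
    p2 = tx.wrap(b"COMMIT")
    # Constructed in-transit tampering: change the value but keep the digest.
    tampered = p1[:4] + p1[4:-16].replace(b"100", b"999") + p1[-16:]
    return [rx.unwrap(p0)[0],        # ok
            rx.unwrap(tampered)[0],  # modified: digest no longer matches
            rx.unwrap(p0)[0],        # replayed: sequence 0 already seen
            rx.unwrap(p2)[0]]        # gap: sequence 1 never arrived intact

if __name__ == "__main__":
    print(demo())
```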

Authentication

Establishing user identity is of primary concern in distributed environments; otherwise, there can be little confidence in limiting privileges by user. Passwords are the most common authentication method in use, and Oracle Advanced Security integrates with stronger authentication services. Oracle Advanced Security release 8.1.6 provides authentication through Oracle authentication adapters that support various third-party authentication services.

Many Oracle Advanced Security authentication methods use centralized authentication. This can give you high confidence in the identity of users, clients, and servers in distributed environments. Having a central facility authenticate all members of the network (clients to servers, servers to servers, users to both clients and servers) is one effective way to address the threat of nodes on a network falsifying their identities.

Single Sign-On

Centralized authentication can also provide the benefit of single sign-on for users. Single sign-on allows users to access multiple accounts and applications with a single password, eliminates the need for multiple passwords, and simplifies management of user accounts and passwords for system administrators.

Figure 1-1 shows how a centralized network authentication service typically operates.

Figure 1-1 How a Network Authentication Service Authenticates a User


Oracle Advanced Security supports the following authentication methods:

SSL

SSL (Secure Sockets Layer) is an industry standard protocol for securing network connections. SSL provides authentication, data encryption, and data integrity, and it contributes to a public key infrastructure (PKI).

The Oracle Advanced Security SSL feature can be used to secure communications between any client and any server. Specifically, you can use SSL to authenticate the following:

SSL features can be used by themselves or in combination with other authentication methods supported by Oracle Advanced Security. For example, SSL can be used with Kerberos, using the encryption provided by SSL in combination with the Kerberos authentication method.

You can configure SSL to require server authentication only, or both client and server authentication.

RADIUS

Remote Authentication Dial-In User Service (RADIUS) is a client-server security protocol that is most widely known for enabling remote authentication and access. Oracle Advanced Security uses this standard in a client-server network environment to enable use of any authentication method that supports the RADIUS protocol. RADIUS can be used with a variety of authentication mechanisms, including token cards, smart cards, and biometrics.

Kerberos and CyberSafe

The Oracle Advanced Security support for Kerberos and CyberSafe provides the benefits of single sign-on and centralized authentication in an Oracle environment. Kerberos is a trusted third-party authentication system that relies on shared secrets. It assumes that the third party is secure, and provides single sign-on capabilities, centralized password storage, database link authentication, and enhanced PC security. It does this through Kerberos authentication and through the CyberSafe TrustBroker, a commercial Kerberos-based authentication server.


Note:

Oracle authentication for Kerberos provides database link authentication (also called proxy authentication). CyberSafe and SecurID do not provide support for proxy authentication. 


Smart Cards (RADIUS-Compliant)

This authentication method uses a hardware device that looks like a credit card. It has memory and a processor and is read by a smart card reader located at the client workstation.

Smart cards offer the following benefits:

Increased security 

Smart cards rely on two-factor authentication. The smart card can be locked, and only the user who possesses the card and knows the correct personal identification number (PIN) can unlock it. 

Improved performance 

Some sophisticated smart cards contain hardware-based encryption chips that can provide better throughput than software-based implementations. A smart card can also store a user name. 

Accessibility from any workstation 

Users log in by inserting the smart card in a hardware device that reads the card and prompts the user for whatever authentication information the card requires, such as a PIN. Once the user enters the correct authentication information, the smart card generates and enters whatever other authentication information is required. 

Token Cards (SecurID or RADIUS-Compliant)

Token cards can provide improved ease of use through several different mechanisms. Some token cards dynamically display one-time passwords that are synchronized with an authentication service. The server can verify the password provided by the token card at any given time by contacting the authentication service. Other token cards have a keypad and operate on a challenge-response basis. In this case, the server offers a challenge (a number) that the user enters into the token card. The token card provides a response, namely another number cryptographically derived from the challenge, which the user offers to the server.

Token cards offer the following benefits:

Ease of password management 

Password management is easy because there is one token card rather than multiple passwords. 

Enhanced password security 

To masquerade as a user, a malefactor has to have the token card as well as the personal identification number (PIN) required to operate it. This is called two-factor authentication. 

Ease of use 

Users only need to remember, at most, a PIN instead of multiple passwords. 

Enhanced accountability 

Token cards provide a stronger authentication mechanism, so users are more accountable for their actions. 

You can use SecurID tokens through either the SecurID adapter or through RADIUS.

Biometric Authentication (Identix or RADIUS-Compliant)

Identix Biometric Authentication is used on both the clients and Oracle servers to communicate fingerprint-based authentication data between the authentication server and the clients. Other biometric authentication devices that are RADIUS compliant can integrate with Oracle Advanced Security using RADIUS to authenticate Oracle users.

Bull ISM

Bull Integrated System Management (ISM) is an offering from Bull Worldwide Information Systems that provides system administrators with a variety of management tools. This authentication method is available on the AIX platform only. See the AIX-specific documentation for more information.

Authorization

User authorization, already a standard feature of Oracle8i with roles and privileges, is significantly enhanced by using the authentication methods supported by Oracle Advanced Security. For example, on certain platforms such as Solaris, Oracle Advanced Security supports authorization with DCE.

Authorizations are also provided with the Oracle Advanced Security directory integration feature. Oracle Advanced Security can integrate with LDAP version 3-compliant directories. Your Oracle Advanced Security license entitles you to deploy Oracle Internet Directory for user management as well as authorization storage and retrieval. You must license Oracle Internet Directory separately if you intend to use it for additional purposes.

Oracle Advanced Security Architecture

Oracle Advanced Security is an add-on product to a standard Net8 Server or Net8 Client. Figure 1-2 shows the location of Oracle Advanced Security within a typical stack in an Oracle networking environment.

Figure 1-2 Oracle Advanced Security in an Oracle Networking Environment


Oracle Advanced Security supports authentication through adapters that are very much like the existing Oracle protocol adapters. As shown in Figure 1-3, authentication adapters integrate below the Net8 interface and allow existing applications to take advantage of new authentication systems transparently, without any changes to the application.

Figure 1-3 Net8 with Authentication Adapters


More Information:

For more information on stack communications in an Oracle networking environment, see Net8 Administrator's Guide. 

Secure Data Transfer Across Network Protocol Boundaries

Oracle Advanced Security is fully supported by Oracle Connection Manager, making secure data transfer a reality across network protocol boundaries. Clients using LAN protocols such as NetWare (SPX/IPX), for example, can securely share data with large servers using different network protocols such as LU6.2, TCP/IP, or DECnet. To eliminate potential weak points in the network infrastructure and to maximize performance, Connection Manager passes encrypted data from protocol to protocol without the cost and exposure of decryption and re-encryption.

System Requirements

Oracle Advanced Security is an add-on product to the standard Net8 Server or Net8 Client. It must be purchased and installed on both the client and the server.

Oracle Advanced Security release 8.1.6 requires Net8 release 8.1.6 and supports Oracle8i Enterprise Edition. Table 1-1 lists additional system requirements.


Important:

Oracle Advanced Security is not available with Oracle8i Standard Edition, nor are any of its components. 


Install Oracle Advanced Security on each client and server where Oracle Advanced Security is required.

Table 1-1 Authentication Methods and System Requirements

CyberSafe TrustBroker
    CyberSafe GSS Runtime Library, version 1.1 or later, installed on both the machine that runs the Oracle client and the machine that runs the Oracle server.
    CyberSafe TrustBroker, release 1.2 or later, installed on a physically secure machine that runs the authentication server.
    CyberSafe TrustBroker Client, release 1.2 or later, installed on the machine that runs the Oracle client.

Kerberos
    MIT Kerberos Version 5, release 1.1. The Kerberos authentication server must be installed on a physically secure machine.

SecurID
    ACE/Server 3.3 or higher running on the authentication server.

Identix Biometric
    Identix hardware and driver installed on each Biometric Manager station and client.

RADIUS
    A RADIUS server that is compliant with the standards in the Internet Engineering Task Force (IETF) RFC 2138, Remote Authentication Dial In User Service (RADIUS), and RFC 2139, RADIUS Accounting.
    To enable challenge-response authentication, you must run RADIUS on a platform that supports the Java Native Interface as specified in release 1.1 of the Java Development Kit from JavaSoft.

SSL
    A wallet that is compatible with Oracle Wallet Manager version 2.1. Wallets created in earlier releases of Oracle Wallet Manager are not forward compatible.


Note:

Oracle Advanced Security release 8.1.6 provides secure communication when used with earlier releases; however, the security functionality defaults to that provided by the earlier release. 


Oracle Configuration for Network Authentication

This section describes the following parameters that are set when configuring Oracle for network authentication. Specifically, it describes the following tasks:

Setting the SQLNET.AUTHENTICATION_SERVICES Parameter in sqlnet.ora

The following parameter must be set in the sqlnet.ora file for clients and servers to be able to use an Oracle Advanced Security authentication method:

SQLNET.AUTHENTICATION_SERVICES=(oracle_authentication_method)


For example, the parameter must be set in the sqlnet.ora files on all clients and servers that use the Kerberos Authentication as follows:

SQLNET.AUTHENTICATION_SERVICES=(KERBEROS5)

Verifying that REMOTE_OS_AUTHENT Is Not Set to TRUE

Oracle Corporation recommends that you add the following parameter to the initialization file used for the database instance when you configure the Oracle authentication method:

REMOTE_OS_AUTHENT=FALSE


Attention:

Setting REMOTE_OS_AUTHENT to TRUE can allow a security breach, because it allows someone using a non-secure protocol, such as TCP, to perform an operating system-authorized login (formerly referred to as an OPS$ login). 


If REMOTE_OS_AUTHENT is set to FALSE, and the server cannot support any of the authentication methods requested by the client, the authentication service negotiation fails and the connection terminates.

If the following parameter is set in the sqlnet.ora file on either the client or server side:

SQLNET.AUTHENTICATION_SERVICES=(NONE)


the database attempts to use the provided user name and password to log the user in. However, if REMOTE_OS_AUTHENT is set to FALSE, the connection fails.

Setting OS_AUTHENT_PREFIX to a Null Value

Authentication service-based user names can be long, and Oracle user names are limited to 30 characters. Oracle Corporation strongly recommends that you enter a null value for the OS_AUTHENT_PREFIX parameter in the initialization file used for the database instance as follows:

OS_AUTHENT_PREFIX=""


Note:

The default value for OS_AUTHENT_PREFIX is OPS$; however, you can set it to any string. 



Attention:

If a database already has OS_AUTHENT_PREFIX set to a value other than NULL (" "), do not change it, since doing so can prevent previously created externally-identified users from connecting to the Oracle server. 


To create a user, launch SQL*Plus and enter the following:

SQL> CREATE USER os_authent_prefix username IDENTIFIED EXTERNALLY;


When OS_AUTHENT_PREFIX is set to a null value (" "), enter the following to create the user king:

SQL> CREATE USER king IDENTIFIED EXTERNALLY;


The advantage of creating a user in this way is that the administrator no longer needs to maintain different user names for externally-identified users.


Note:

This applies to creating Oracle users for use with all Oracle authentication methods. 


More Information:

Refer to Oracle8i Administrator's Guide and Oracle8i Distributed Database Systems. 
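The added helper below (not an Oracle tool) reads the three parameters this section covers from a sqlnet.ora file and an instance initialization file and reports where they depart from the recommendations above, including the REMOTE_OS_AUTHENT=TRUE exposure and the rule that an existing non-null OS_AUTHENT_PREFIX is left alone. The file contents are constructed samples, and the simple KEY=VALUE parsing is an assumption that covers only the forms shown on this page.

```python
import re
from typing import Dict, List

# Constructed sample files for the demonstration.
SQLNET_ORA = """
# sqlnet.ora (constructed sample)
SQLNET.AUTHENTICATION_SERVICES=(KERBEROS5)
"""
INIT_ORA = """
# init.ora (constructed sample)
remote_os_authent = TRUE
os_authent_prefix = OPS$
"""

_PARAM = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=\s*(.*?)\s*$")

def parse_params(text: str) -> Dict[str, str]:
    """Collect KEY=VALUE lines; keys are upper-cased, '#' comment lines skipped."""
    params = {}
    for line in text.splitlines():
        if line.strip().startswith("#"):
            continue
        m = _PARAM.match(line)
        if m:
            params[m.group(1).upper()] = m.group(2)
    return params

def _is_null(value: str) -> bool:
    # The guide writes the null prefix as "" or " ": quotes around nothing.
    return value.strip().strip('"').strip() == ""

def audit(sqlnet_text: str, init_text: str) -> List[str]:
    """Return one finding per deviation from this section's recommendations."""
    sqlnet, init = parse_params(sqlnet_text), parse_params(init_text)
    findings = []

    auth = sqlnet.get("SQLNET.AUTHENTICATION_SERVICES")
    if auth is None:
        findings.append("SQLNET.AUTHENTICATION_SERVICES not set: no Advanced Security "
                        "authentication method is selected")
    elif "NONE" in auth.upper():
        findings.append("SQLNET.AUTHENTICATION_SERVICES=(NONE) listed: falls back to user "
                        "name/password, and with REMOTE_OS_AUTHENT=FALSE the connection fails")

    roa = init.get("REMOTE_OS_AUTHENT")
    if roa is None:
        findings.append("REMOTE_OS_AUTHENT not set: add REMOTE_OS_AUTHENT=FALSE")
    elif roa.strip().upper() == "TRUE":
        findings.append("REMOTE_OS_AUTHENT=TRUE: allows OS-authenticated (OPS$) logins "
                        "over non-secure protocols such as TCP")

    prefix = init.get("OS_AUTHENT_PREFIX")
    if prefix is None:
        findings.append('OS_AUTHENT_PREFIX not set: defaults to OPS$; set to "" on a new database')
    elif not _is_null(prefix):
        # Existing databases keep their prefix: changing it breaks existing external users.
        findings.append(f'OS_AUTHENT_PREFIX={prefix}: leave as-is on an existing database; '
                        'use "" only when creating a new one')
    return findings

if __name__ == "__main__":
    for finding in audit(SQLNET_ORA, INIT_ORA):
        print("-", finding)
```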

Oracle Advanced Security Restrictions

Oracle Applications support Oracle Advanced Security encryption and data integrity. However, because Oracle Advanced Security requires Net8 to transmit data securely, Oracle Advanced Security external authentication features are not supported by some parts of Oracle Financial, Human Resource, and Manufacturing Applications when they are running on the Windows platform. The portions of these products that use Oracle Display Manager (ODM) do not take advantage of Oracle Advanced Security, since ODM does not use Net8.


Copyright © 1999 Oracle Corporation.

All Rights Reserved.
