3 Planning a Secure Environment

Security practices should be in place before the arrival of Oracle Exadata Database Machine.

After arrival, the security practices should be periodically reviewed and adjusted to stay current with the security requirements of your organization.

3.1 Considerations for a Secure Environment

Oracle Exadata Database Machine includes many layered security controls that can be tailored to meet an organization's specific policies and requirements.

Organizations must evaluate how to best utilize these capabilities and integrate them into their existing IT security architecture. Effective IT security must consider the people, processes, and technology in order to provide solid risk management and governance practices. Practices and policies should be designed and reviewed during the planning, installation, and deployment stages of Oracle Exadata Database Machine.

A unified approach to identity and access management should be used when integrating Oracle Exadata Database Machine components and deployed services with an organization's existing identity and access management architecture. Oracle Database supports many open and standard protocols that allow it to be integrated with existing identity and access management deployments. To ensure application availability, unified identity and access management systems must be available, or the availability of Oracle Exadata Database Machine may be compromised.

Before Oracle Exadata Database Machine arrives, the following security considerations should be discussed. These considerations are based on Oracle best practices for Oracle Exadata Database Machine.

  • The ability to directly log in to common operating system accounts such as root, grid and oracle should be disabled. Individual user accounts should be created for each administrator. After logging in with their individual account, the administrator can use sudo to run privileged commands, when required.

  • The use of intrusion prevention systems on database servers to monitor network traffic flowing to and from Oracle Exadata Database Machine. Such systems enable the identification of suspicious communications, potential attack patterns, and unauthorized access attempts.

  • The use of host-based intrusion detection and prevention systems for increased visibility within Oracle Exadata Database Machine. By using the fine-grained auditing capabilities of Oracle Database, host-based systems have a greater likelihood of detecting inappropriate actions and unauthorized activity.

  • The use of application and network-layer firewalls to protect information flowing to and from Oracle Exadata Database Machine. Filtering network ports provides the first line of defense in preventing unauthorized access to systems and services.

    Network-level segmentation using Ethernet virtual local area networks (VLANs), combined with host-based firewalls that enforce inbound and outbound network policy at the host level, allows fine-grained control of communications between components of Oracle Exadata Database Machine. Oracle Exadata Storage Servers include a configured software firewall by default. The database servers can be configured with a software firewall.

  • The use of encryption features such as transparent data encryption (TDE), Oracle Recovery Manager (RMAN) encryption for backups, and Oracle Advanced Security to encrypt traffic to Oracle Data Guard standby databases.

  • The use of centralized audit and log repositories to aggregate the security-relevant information for improved correlation, analysis, and reporting. Oracle Exadata Storage Servers support this through the cell attribute syslogConf. The database servers support centralized logging using the typical system configuration methods.

While many of the features integrated into Oracle Exadata Database Machine are configured by default for secure deployment, organizations have their own security configuration standards. It is important to review Oracle security information before testing any security setting changes to Oracle Exadata Database Machine components. In particular, it is important to identify where existing standards can be improved, and where support issues may limit what changes can be made to a given component.

Note:

To minimize the attack surface, Oracle Exadata Storage Servers do not support customization outside of their management interfaces. No custom users are permitted on the storage servers. The servers have been optimized and hardened for their specific purpose.

The security of the data and system is diminished by weak network security. Oracle recommends the following guidelines to maximize your Ethernet network security:

  • Configure administrative and operational services to use encryption protocols and key lengths that align with current policies. Cryptographic services provided by Oracle Exadata Database Machine benefit from hardware acceleration, which improves security without impacting performance.

  • Create separate software owner accounts for Oracle Grid Infrastructure and Oracle Database software installations. These accounts should be used when deploying Oracle Exadata Database Machine.

  • Manage the switches in Oracle Exadata Database Machine over a network that is separate from the data traffic on the network. This separation is also referred to as "out-of-band" management.

  • Separate sensitive clusters of systems from the rest of the network by using virtual local area networks (VLANs). This decreases the likelihood that users can gain access to information on these clients and servers.

  • Use a static VLAN configuration.

  • Disable unused switch ports, and assign an unused VLAN number.

  • Assign a unique native VLAN number to trunk ports.

  • Limit the VLANs that can be transported over a trunk to only those that are strictly required.

  • Disable VLAN Trunking Protocol (VTP), if possible. If it is not possible, then set the management domain, password and pruning for VTP. In addition, set VTP to transparent mode.

  • Disable unnecessary network services, such as TCP small servers or HTTP. Enable only necessary network services, and configure these services securely.

  • Network switches offer different levels of port security features. Use these port security features if they are available:

    • Lock the Media Access Control (MAC) address of one or more connected devices to a physical port on a switch. If a switch port is locked to a particular MAC address, then super users cannot create back doors into the network with rogue access points.

    • Disable a specified MAC address from connecting to a switch.

    • Use each switch port's direct connections so the switch can set security based on its current connections.

Figure 3-1 shows the default network for Oracle Exadata Database Machine X7-2. Each Oracle Exadata Database Machine requires a minimum of two Ethernet networks and one InfiniBand network.

Figure 3-1 Network for Oracle Exadata Database Machine X7-2 with Bonded Client Access


Figure 3-2 shows the default network for Oracle Exadata Database Machine X6-2, X5-2, X4-2, X3-2, and X2-2. Each Oracle Exadata Database Machine requires a minimum of two Ethernet networks and one InfiniBand network.

Figure 3-2 Network for Oracle Exadata Database Machine X6-2, X5-2, X4-2, X3-2, and X2-2 with Bonded Client Access


Figure 3-3 shows the default network for Oracle Exadata Database Machine X6-8, X5-8, and X4-8 Full Rack. Each Oracle Exadata Database Machine requires a minimum of two Ethernet networks and one InfiniBand network.

Figure 3-3 Network for Oracle Exadata Database Machine X6-8, X5-8, and X4-8 Full Rack with Bonded Client Access


Figure 3-4 shows the default network for Oracle Exadata Database Machine X3-8 Full Rack, and Oracle Exadata Database Machine X2-8 Full Rack. Each Oracle Exadata Database Machine requires a minimum of two Ethernet networks and one InfiniBand network.

Figure 3-4 Network Diagram for Oracle Exadata Database Machine X3-8 Full Rack, and Oracle Exadata Database Machine X2-8 Full Rack with Bonded Client Access


3.2 Understanding User Accounts

Several users are used to manage the components of Oracle Exadata Database Machine.

In addition to the root user, Oracle Exadata Storage Servers have two users, celladmin and cellmonitor. The celladmin user is used to run all services on the cell. The cellmonitor user is used for monitoring purposes. The cellmonitor user cannot run services on the cell. Other Oracle Exadata Database Machine components have users for the management of the component.

The following table lists the default users and passwords for the Oracle Exadata Database Machine components. All default passwords should be changed after installation of Oracle Exadata Database Machine. Refer to My Oracle Support note 1291766.1 for information about changing the default user accounts passwords.

Table 3-1 Default Users and Passwords

Component | User Name and Password

Oracle Exadata Database Servers

  • root/welcome1

  • oracle/We1come$

  • grid/We1come$ (this user exists only if role separation is chosen during deployment)

  • dbmadmin/welcome

  • dbmmonitor/welcome

  • SYS/We1come$ (SYS is a database user)

  • SYSTEM/We1come$ (SYSTEM is a database user)

  • Password for the grub boot loader: sos1Exadata

Oracle Exadata Storage Servers

  • root/welcome1

  • celladmin/welcome

  • cellmonitor/welcome

  • CELLDIAG

    CELLDIAG is an Oracle Exadata System Software user, not an operating system user.

    Password of the CELLDIAG user is reset to a random password during the "Apply Security Fixes" step of Oracle Exadata Deployment Assistant (OEDA). If this step is not run, then the default password is Welcome12345.

  • Password for the grub boot loader: sos1Exadata

InfiniBand switches

  • root/welcome1

  • nm2user/changeme

  • ilom-admin/ilom-admin

  • ilom-operator/ilom-operator

Ethernet switches

  • admin/welcome1

Note: Secure the enable mode password and secret values for the admin user.

Power distribution units (PDUs)

  • admin/welcome1

    The password for the admin user is adm1n if you reset the PDU to factory default settings.

Database server ILOMs

  • root/welcome1

  • MSUser

    Management Server (MS) uses this account to manage ILOM and reset it if it detects a hang.

    Do not modify this account. This account is to be used by MS only.

    Each time MS starts up, it deletes the previous MSUser account and re-creates the account with a randomly generated password.

    MS communicates with ILOM using MSUser through the lanplus interface. It uses the IPMI v2.0 RMCP+ protocol for authentication. RMCP+ (remote management control protocol) is a UDP-based protocol with stronger authentication than RMCP.

    The MSUser password is not persisted anywhere. If you need to change account passwords regularly, you can restart MS to change the password of the MSUser account.

Oracle Exadata Storage Server ILOMs

  • root/welcome1

  • MSUser

    See the description above for details about this user.

InfiniBand ILOMs

  • ilom-admin/ilom-admin

  • ilom-operator/ilom-operator

  • root/welcome1

Keyboard, video, mouse (KVM)

  • admin/welcome1

Note:

After Oracle Exadata Database Machine has been deployed, the installation process disables all root SSH keys and expires all user passwords as a security measure for your system. If you do not want the SSH keys disabled or the passwords expired, advise the installation engineer before the deployment.

3.3 Understanding the Default Security Settings

Oracle Exadata System Software is installed with many default security settings.

Whenever possible and practical, secure default settings should be chosen and configured. The following default settings are used in Oracle Exadata Database Machine:

  • A minimal software installation to reduce attack surface.

  • Oracle Database secure settings developed and implemented using Oracle best practices.

  • A password policy that enforces a minimum password complexity.

  • Failed login attempts cause a lockout after a set number of attempts.

  • All default system accounts in the operating system are locked and prohibited from logging in.

  • Limited ability to use the su command.

  • Password-protected boot loader installation.

  • All unnecessary system services are disabled, including the Internet service daemon (inetd/xinetd).

  • Software firewall configured on the storage cells.

  • Restrictive file permissions on key security-related configuration files and executable files.

  • SSH listen ports restricted to management and private networks.

  • SSH limited to v2 protocol.

  • Disabled insecure SSH authentication mechanisms.

  • Configured specific cryptographic ciphers.

  • Unnecessary protocols and modules are disabled from the operating system kernel.

3.4 Using OEDA for Greater Security

Oracle Exadata Deployment Assistant (OEDA) includes a step to increase hardware security on Oracle Exadata Database Machine. The last step of OEDA, "Secure Oracle Exadata Database Machine", implements the following security policies:

  • For the root user, and all users with their home directory in the /home directory, on the database servers and Oracle Exadata Storage Servers, the following password-aging values are set:

    • The maximum number of days for a password is 90 days.

    • The minimum amount of time between password changes is 24 hours.

    • The number of days of alerts before a password change is seven days.

    • All non-root users must change their password at their next login.

  • For all users, the following password qualifications are set:

    • Password using one character class is not allowed.

    • Password using two character classes is not allowed.

    • A minimum of 16 characters are required for a passphrase.

    • A minimum length of 12 characters for a password when using three character classes.

    • A minimum length of eight characters for a password when using four character classes.

    • Character classes for passwords are uppercase letters, lowercase letters, digits, and other characters.

    • Uppercase letters at the beginning of the password, and digits at the end of the password are not counted when calculating the number of character classes.

    • The maximum length for a password is 40 characters.

    • A new password cannot be similar to old passwords.

  • For the root user, SSH equivalency is removed for all database servers and Oracle Exadata Storage Servers.

  • The following permissions are set by OEDA:

    • The Automatic Diagnostic Repository (ADR) base directory, $ADR_BASE, has SUID (Set owner User ID) on the diag directory and its sub-directories.

    • The celladmin user group has read and write permissions.
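As an added illustration of the password-qualification rules listed above (this is not Oracle's code nor the PAM configuration that OEDA deploys), the following Python checker applies the class-count and length rules as the page states them. It assumes, as pam_passwdqc does, that a single leading uppercase letter and a single trailing digit are discounted; that three or more space-separated words make a passphrase; and that "similar to an old password" means one password contains the other.

```python
# Policy values as listed on the page for the OEDA "Secure Oracle Exadata
# Database Machine" step. Keyed by number of character classes; None means
# a password with that many classes is not allowed at any length.
MIN_LEN_BY_CLASSES = {0: None, 1: None, 2: None, 3: 12, 4: 8}
MIN_PASSPHRASE_LEN = 16
MAX_LEN = 40
PASSPHRASE_WORDS = 3  # assumption: 3+ space-separated words is a passphrase


def count_classes(pw: str) -> int:
    """Count character classes (upper, lower, digit, other) in a password."""
    core = pw
    if core and core[0].isupper():      # leading uppercase letter is not counted
        core = core[1:]
    if core and core[-1].isdigit():     # trailing digit is not counted
        core = core[:-1]
    return sum([
        any(c.isupper() for c in core),
        any(c.islower() for c in core),
        any(c.isdigit() for c in core),
        any(not c.isalnum() for c in core),
    ])


def similar(new: str, old: str) -> bool:
    """Assumed 'similar to an old password' test: one contains the other."""
    a, b = new.lower(), old.lower()
    return bool(a) and bool(b) and (a in b or b in a)


def check_password(pw: str, old_passwords=()) -> list:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(pw) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    if len(pw.split()) >= PASSPHRASE_WORDS:
        if len(pw) < MIN_PASSPHRASE_LEN:
            problems.append(f"passphrase shorter than {MIN_PASSPHRASE_LEN} characters")
    else:
        n = count_classes(pw)
        need = MIN_LEN_BY_CLASSES.get(n)
        if need is None:
            problems.append(f"only {n} character class(es); at least 3 required")
        elif len(pw) < need:
            problems.append(f"{n} classes need at least {need} characters")
    if any(similar(pw, old) for old in old_passwords):
        problems.append("too similar to a previous password")
    return problems
```

Note that a default-style password such as welcome1 fails the class rule even with a capital letter and a trailing digit added, because those two characters are discounted.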