WEB-ENABLED DATABASE SECURITY - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
WEB-ENABLED DATABASE SECURITY

Hari Meda Srinivas Garimella
Sujay Jacob Suman Pakala
2
INTRODUCTION
  • What is a Web-Enabled Database?
  • Problem and its Importance
  • Two-tier Architecture
  • Three-tier Architecture
  • Need for a compatible centralized directory
    service

3
REPRESENTATIVE EXAMPLE
  • NASA maintains a very large database of users.
  • A two-tier architecture cannot be applied because the information is sensitive.
  • A three-tier architecture suits it, but querying is complex.
  • X.500 (a directory service) is now used.

4
RELATED WORKS
  • The three-tier architecture implementation
  • With the new requirements of Internet computing and new e-business technologies, there is a growing need for a common infrastructure to serve as a foundation for managing and configuring all data and resources on the network.
  • What could be the solution to this ever-increasing demand?

5
RELATED WORKS ..contd
  • A directory service provides a key part of this common foundation by providing a centralized vehicle for managing and configuring distributed, heterogeneous networks.
  • Most organizations today are not looking for yet another directory service.
  • Organizations are facing security concerns such as how to expose only the information they want to, as well as access control.

6
RELATED WORKS ..contd
  • Decentralized, incompatible directory services do not make it easy to articulate and enforce security policies.
  • There are many different ways to provide a centralized directory service.
  • Some directory services are local, providing service to a restricted context; others are global, providing service to a much broader context.

7
RELATED WORKS ..contd.
  • One useful directory service is X.500.
  • Its access protocol, the Directory Access Protocol (DAP), is layered on top of the Open Systems Interconnection (OSI) protocol stack.

8
LIMITATIONS
  • There is a need for an X.500 type of directory.
  • The Internet runs over TCP/IP.
  • X.500 runs over OSI.
  • The features of X.500 need to be carried into a new directory service that still runs over TCP/IP.
  • The Directory Access Protocol (DAP) was slimmed down into the Lightweight Directory Access Protocol (LDAP).

9
SOLUTION- LDAP
  • All Internet applications share a common problem: security.
  • There is also a need for centralization.
  • The solution is a directory service that can be used to administer an Internet, intranet or extranet.
  • It should also reduce the total cost and the points of failure introduced by the three-tier architecture.
  • The Lightweight Directory Access Protocol (LDAP) represents the emerging solution.

10
SOLUTION - OID
  • LDAP-compliant directories include Oracle Internet Directory (OID), Microsoft Active Directory, Novell Directory Services and Netscape Directory Server.
  • The chosen directory is the Oracle Internet Directory.
  • Features:
  • Scalable: it scales to support over half a billion real-world directory entries.
  • High availability: administrators can administer the directory from another server to perform functions.
  • Secure: it offers comprehensive and flexible support for directory access control. OID implements three levels of user authentication (anonymous, simple password and SSL).

11
SOLUTION-ILLUSTRATION
  • Example: a person X living in Columbia.
  • The method he uses to reveal his details to a known person in India.
  • The intermediary involved here is in another place, say Chicago.

12
SOLUTION- CLIENT ACCESS TO A DATABASE
  • A client initiates a connect request, providing a connect identifier.
  • The connect identifier is used to retrieve a connect descriptor (e.g. port number, hostname, protocol, instance) stored in Oracle Internet Directory, which is sent back to the client.
  • The client makes the connect request to the address provided in the connect descriptor.
  • A listener receives the request and directs it to the server.
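
The four steps above, carried through in code as an added example for this page (it is not code from the presentation or from Oracle). The directory lookup is replaced by an in-memory table standing in for the orclNetService entries OID keeps under cn=OracleContext; the net service name miracle1.engr.sc.edu and the SID miracle1 are taken from the slides, while the listener port 1521, the descriptor text and the trusted-domain check are assumptions. The point a practitioner should take from it: whoever can write the directory entry controls where the client connects, so the client must not follow a descriptor blindly.

```python
"""Connect-identifier resolution (slide 12) with the directory replaced by a table.

Added example, not presentation or Oracle code.  miracle1 / miracle1.engr.sc.edu
are from the slides; port 1521, the descriptor text and TRUSTED_SUFFIX are assumed."""

# Constructed stand-in for the orclNetDescString values OID stores per net service name.
DIRECTORY = {
    "miracle1.engr.sc.edu": (
        "(DESCRIPTION="
        "(ADDRESS=(PROTOCOL=TCP)(HOST=miracle1.engr.sc.edu)(PORT=1521))"
        "(CONNECT_DATA=(SID=miracle1)))"
    ),
}

# Assumed policy: only follow descriptors that point into our own domain, because a
# writable net service entry would otherwise redirect every client to an attacker's host.
TRUSTED_SUFFIX = ".engr.sc.edu"


def parse_descriptor(text):
    """Parse Oracle Net's parenthesised KEY=VALUE syntax into nested dicts.

    Repeated keys (several ADDRESS nodes, say) become lists, so every nested
    value is a list of strings or of dicts.  Whitespace is insignificant."""
    text = "".join(text.split())
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        eq = text.index("=", pos)
        key = text[pos:eq]
        pos = eq + 1
        if text[pos] == "(":                     # nested child nodes
            children = {}
            while text[pos] == "(":
                k, v = node()
                children.setdefault(k, []).append(v)
            value = children
        else:                                    # scalar value up to the closing paren
            end = text.index(")", pos)
            value = text[pos:end]
            pos = end
        if text[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        pos += 1
        return key, value

    key, value = node()
    if pos != len(text):
        raise ValueError("trailing data after descriptor")
    return {key: value}


def resolve(connect_identifier, directory=DIRECTORY):
    """Steps 2 and 3 of the slide: fetch the descriptor for the identifier and
    return the (host, port, sid_or_service_name) the client should dial."""
    desc_string = directory.get(connect_identifier)
    if desc_string is None:
        raise LookupError(f"no net service entry for {connect_identifier!r}")
    desc = parse_descriptor(desc_string)["DESCRIPTION"]
    address = desc["ADDRESS"][0]                 # first ADDRESS only; ADDRESS_LIST not handled
    connect_data = desc["CONNECT_DATA"][0]
    target = connect_data.get("SERVICE_NAME") or connect_data.get("SID")
    if not target:
        raise ValueError("CONNECT_DATA has neither SERVICE_NAME nor SID")
    host, port = address["HOST"][0], int(address["PORT"][0])
    if not host.lower().endswith(TRUSTED_SUFFIX):
        raise ValueError(f"descriptor points outside the trusted domain: {host}")
    return host, port, target[0]


def resolve_safely(connect_identifier, directory=DIRECTORY):
    """Return ('ok', (host, port, target)) or ('refused', reason) instead of raising."""
    try:
        return "ok", resolve(connect_identifier, directory)
    except (LookupError, ValueError) as exc:
        return "refused", str(exc)


if __name__ == "__main__":
    print(resolve("miracle1.engr.sc.edu"))
```

The parser is general (it handles ADDRESS_LIST and repeated keys), but resolve() deliberately takes only the first address; a production client would iterate over the list with failover semantics.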

13
SOLUTION-LDAP
  • Oracle Internet Directory, a virtual directory, is an additional feature of this architecture that enhances its security. An LDAP directory service provides a number of stringent security mechanisms. Directory users must first authenticate themselves to the directory (through a bind operation) using either a username and password or an X.509 version 3 certificate over SSL.
  • Once the user has been authenticated, the information he can access is further constrained by an access control list.

14
SOLUTION-IMPLEMENTATION OF LDAP
  • Directory Information Tree

15
SOLUTION-AUTHENTICATION AND ACCESS CONTROL IN LDAP
  • A client initiates a request.
  • The LDAP server searches OID to check whether the client actually exists.
  • Accordingly, it either sends or does not send an instance back.
  • The privileges ascribed to that particular user are then enabled and sent back through the instance.
  • Unauthorized access privileges are not possible, since the privileges were enabled before the client accessed the database.

16
PRACTICAL IMPLEMENTATION- DATABASE CREATION
  • Create a database
  • Global database name: miracle1
  • SID: miracle1
  • Oracle Enterprise Edition 8.1.7 was installed in typical installation mode.
  • The Oracle Internet Directory in the database was custom installed.

17
CHECK THE DATABASE
  • To check whether the database has been created and can be started.
  • Use Server Manager to perform administrative functions.
  • Server Manager in line mode: svrmgrl, password: internal

18
LISTENER
  • The listener has to be started here.
  • The name of the listener configured here is
    LISTENER
  • Type lsnrctl at the command prompt

19
CONNECTION TO THE DATABASE
  • It has to be ensured that it is possible to log on to the database using the net service (here Net8).

20
Test
  • Connect as system/manager (the SYSTEM account with its Oracle default password)

21
LDAP STARTS
  • To create the LDAP variables and commands, run the newldap.sql file from the svrmgrl prompt.
  • It will create all the variables.
  • At this stage the server is running, the net service (miracle1.engr.sc.edu) is running, and the client can connect to the database as seen from the test.

22
OID CONFIGURATION
  • Run the batch file postconfig.bat from the command prompt to start configuring the OID.
  • The OID configuration starts.

23
MONITOR AND SERVER
  • Start the OID monitor using the command
    oidmon connect=miracle1 sleep=10 start
    (connect= takes the database's net service name)
  • Start the LDAP server
    oidctl connect=miracle1.engr.sc.edu server=oidldapd instance=3 configset=5 start

24
ORACLE DIRECTORY MANAGER
  • Once this is started, entries can be added to the OID.
  • There are three kinds of logon: anonymous, simple and SSL.
  • The simple login used is orcladmin/welcome (the OID superuser with its well-known default password, which should be changed on any real installation).

25
ORACLE DIRECTORY MANAGER
  • ODM

26
ADDING ENTRIES
  • It can now be used to add entries.
  • Entries added through the command line.

27
ADDING ENTRIES
  • The LDAP Data Interchange Format (LDIF ) file.

28
NEW ENTRY
  • The added entries

29
NEW ENTRY
  • New Entries

30
ACCESS CONTROL
  • Specifying Access Controls

31
ACCESS CONTROL
  • Failed attempt.

32
CREATIONS
  • Possibility to create new object classes as well
    as attributes

33
ORACLE DIRECTORY MANAGER
  • Schema Management

34
CONCLUSION
  • The Lightweight Directory Access Protocol (LDAP) appears to be the most likely solution in the present scenario.
  • The database can be configured with LDAP more easily than with any other independent directory service.
  • LDAP offers a very good authentication service.

35
CONCLUSION
  • Reduces the chance of a denial of service attack.
  • Example: say there are a billion users
  • 50 million are genuine users
  • 50 million are non-genuine
  • LDAP also implements the access control policy of the enterprise.

36
LIMITATIONS IN LDAP
  • The protocol cannot and will not supplant relational databases.
  • It does not offer two-phase commits, a true relational structure, or a relational query language like SQL.
  • It is not reasonable to expect LDAP to serve as a file system.

37
LIMITATIONS IN LDAP
  • It was developed mainly to serve as a simple look-up protocol.
  • LDAP would not be the right choice for applications that involve frequent updates.
  • Research should concentrate on developing a similar protocol that is equally simple and able to overcome the limitations cited above.

38
LDAP at GMU
39
LDAP at GMU
40
  • Shooooot !!!