WEB-ENABLED DATABASE SECURITY

1
WEB-ENABLED DATABASE SECURITY

Hari Meda Srinivas Garimella
Sujay Jacob Suman Pakala
2
INTRODUCTION

• What is a Web-Enabled Database?
• Problem and its Importance
• Two-tier Architecture
• Three-tier Architecture
• Need for a compatible centralized directory
  service

3
REPRESENTATIVE EXAMPLE

• NASA maintains a very huge database of users.
• Two-tier cannot be applied because of sensitive
  information.
• Three-tier suits it but querying is complex
• X.500 (Directory Service) is now used.

4
RELATED WORKS

• The three-tier architecture implementation
• With new requirements of Internet computing and
  new e-business technologies, there is a growing
  need for a common infrastructure to serve as a
  foundation for management and configuration of
  all data and resources on the network
• What could be the solution to this countless
  increase??

5
RELATED WORKS ..contd

• A directory service provides a key part of this
  common foundation, by providing a centralized
  vehicle for managing and configuring distributed,
  Heterogeneous networks
• most organizations today are not looking for
  another directory service
• Organizations are facing security concerns such
  as how to expose only the information they want
  to, as well as access control

6
RELATED WORKS ..contd

• decentralized, incompatible directory services do
  not make it easy to articulate and enforce
  security policies
• There are many different ways to provide a
  Centralized directory service
• directory services are local, providing service
  to a restricted context , other services are
  global, providing service to a much broader
  context,

7
RELATED WORKS ..contd.

• One useful directory service is the X.500.
• . Called the Directory Access Protocol (DAP), it
  is layered on top of the Open Systems
  Interconnection (OSI) protocol stack

8
LIMITATIONS

• There is a need for a X.500 type of directory
• Internet runs over TCP/IP
• X.500 runs over OSI
• Need to include the features of X.500 in a new
  directory service and still run over TCP/IP
• The Directory Access Protocol (DAP) was improved
  into a Lightweight Directory Access Protocol
  (LDAP).

9
SOLUTION- LDAP

• All Internet applications have a common problem
  Security .
• Also the need for centralization.
• The solution is Directory Services which can be
  used to administer Internet, intranet or
  extranet.
• It should also reduce the total cost and points
  of failure ( because of 3 tier architecture)
• Lightweight Directory Access Protocol (LDAP)
  represents the emerging solution

10
SOLUTION - OID

• Many LDAP compliant directories are Oracle
  Internet Directory(OID), Microsoft Active
  Directory, Novell Directory Service and the
  Netscape Directory Server.
• Chosen Directory is the Oracle Internet Directory
• Features
• Scalable It scales to support over half a
  billion real-world directory entries
• High Availability administrators have the
  ability to administer the directory from other
  server to perform functions
• Secure It offers comprehensive and flexible
  support for directory access control. . OID
  implements three levels of user authentication

11
SOLUTION-ILLUSTRATION

• Example of a person say X staying in Columbia
• The method he uses to reveal his details in India
  to a known person
• The Intermediate involved here in another place,
  say Chicago

12
SOLUTION- CLIENT ACCESS TO A DATABASE

• A Client initiates a connect request providing a
  connect identifier
• The connect identifier retrieves a connect
  descriptor (eg. Port number hostname, protocol,
  instance,) stored in Oracle Internet Directory,
  which is sent back to the client.
• The client makes the connect request to the
  address provided in the connect descriptor.\
• A listener receives the request and directs it
  to the server

13
SOLUTION-LDAP

• The concept of Oracle Internet Directory, a
  virtual directory, is an additional feature to
  this architecture to enhance its security An LDAP
  directory service provides a number of stringent
  security mechanisms. Directory users must first
  authenticate themselves to the directory using
  either a username and password or an SSL/X.509
  release 3 certificate (through a bind operation).
  
• Once the user has been authenticated, the
  information he can access is still further
  constrained by using an access control list.

14
SOLUTION-IMPLEMENTATION OF LDAP

• Directory Information Tree

15
SOLUTION-AUTHENTICATION AND ACCESS CONTROL IN LDAP

• Initiation of a request by a client
• The LDAP searches in the OID to check whether the
  client actually exists or not.
• Accordingly it sends or doesnt send an instance
  back.
• The privileges that are ascribed to the
  particular user are then enabled and sent back
  through the instance.
• It doesnt allow unauthorized access privileges
  since the privileges were enabled prior to the
  client accessing the database.

16
PRACTICAL IMPLEMENTATION- DATABASE CREATION

• Create a database
• Global database name miracle1
• SID miracle1
• Oracle Enterprise Edition 8.1.7 was installed in
  a typical installation mode
• the Oracle Internet Directory in the database was
  custom installed.

17
CHECK THE DATABASE

• To check whether the database has been created
  and could be started or not.
• Use the server manager to perform administrative
  functions
• Server manager in line mode svrmgrl Password
  internal

18
LISTENER

• The listener has to be started here.
• The name of the listener configured here is
  LISTENER
• Type lsnrctl at the command prompt

19
CONNECTION TO THE DATABASE

• It has to be ensured whether it is possible to
  logon to the database using the net service (here
  net8)

20
Test

• Connect as system/manager

21
LDAP STARTS

• To enable the creation of variables and commands
  of LDAP run the newldap.sql file from the svrmgrl
  prompt.
• It will create all the variables.
• At this stage, the server is running, the net
  service (miracle1.engr.sc.edu) is running and the
  client can connect to the database as seen from
  the test.

22
OID CONFIGURATION

• Run a batch file postconfig.bat from the command
  prompt for the OID to start configuring.
• The OID configuration starts.

23
MONITOR AND SERVER

• Start the OID monitor using the command
• oidmon connectmiracle1(database name) sleep 10
  start.
• Start the LDAP server
• oidctl connectmiracle1.engr.sc.edu
  serveroidldapd instance3 configset5 start

24
ORACLE DIRECTORY MANAGER

• Once this is started, it is now possible to add
  entries into the OID
• There are three kinds of logons anonymous,
  simple and SSL.
• Simple login is orcladmin/welcome

25
ORACLE DIRECTORY MANAGER

• ODM

26
ADDING ENTRIES

• It can now be used to add entries.
• Entries added through the command line.

27
ADDING ENTRIES

• The LDAP Data Interchange Format (LDIF ) file.

28
NEW ENTRY

• The added entries

29
NEW ENTRY

• New Entries

30
ACCESS CONTROL

• Specifying Access Controls

31
ACCESS CONTROL

• Failed attempt.

32
CREATIONS

• Possibility to create new object classes as well
  as attributes

33
ORACLE DIRECTORY MANAGER

• Schema Management

34
CONCLUSION

• Lightweight Directory Access Protocol (LDAP)
  seems to be the most probable solution in the
  present scenario
• The database can be easily configured with LDAP
  than any other independent directory service
• LDAP offers a very good authentication service

35
CONCLUSION

• Reduces the chance of a denial of service attack
• Example say a billion users are there
• 50 million are genuine users
• 50 million are non-genuine
• LDAP also implements the access control policy of
  the enterprise

36
LIMITATIONS IN LDAP

• The protocol cannot and will not supplant
  relational databases
• It does not offer two-phase commits, true
  relational structure, or a relational query
  language like SQL.
• It is not reasonable to expect LDAP to serve as a
  file system

37
LIMITATIONS IN LDAP

• It is developed mainly to serve as a simple
  look-up protocol .
• LDAP for specific applications which involve
  frequent updates, etc wouldnt be the right
  choice.
• Research should be concentrated on developing a
  similar protocol, which is equally simple and
  able to overcome the limitations cited above.

38
LDAP at GMU
39
LDAP at GMU
40

• Shooooot !!!