VPD and Oracle Label Security - PowerPoint PPT Presentation
Slides: 31
Provided by: csiS7
Transcript and Presenter's Notes
1
VPD and Oracle Label Security
2
Grant Execute on DBMS_RLS
  • CONNECT TO ORACLE AS SYSDBA
  • SQL> connect sys as sysdba
  • Enter password: *****
  • Connected.
  • SYSDBA creates a user called SECMAN (Security
    manager)
  • SQL> create user secman identified by s default
    tablespace users;
  • SYSDBA GRANTS EXECUTE ON DBMS_RLS TO SECMAN so
    this user can create the VPD
  • SQL> grant dba to secman;
  • SQL> grant execute on dbms_rls to secman;
  • CONNECT AS SECMAN
  • SQL> connect secman/s

3
VPD - Definition
Ex. SELECT * FROM Emp -- becomes
SELECT * FROM Emp where Emp.Name = User
4
Sample project
  • http://science.kennesaw.edu/mguimara/8080/guimaraes_securityProject2.doc
  • III.1) CREATE TABLES
  • III.2) LOAD TABLES
  • III.3) CREATE USERS and ROLES
  • III.4) CREATING VIEWS VERSUS VPD
  • SQL> connect sys as sysdba
  • Enter password: *****
  • Connected.
  • SQL> create user mn668b14 identified by m;
  • SQL> grant dba to mn668b14;
  • SQL> grant execute on dbms_rls to mn668b14;

5
Solution with views
  • SQL> CREATE VIEW employeeView as
    select * from employees e
    where upper(e.lastName) = user;
  • SQL> GRANT update ON employeeView to EmployeeRole;
  • SQL> UPDATE mn668b14.EmployeeView set ext = 777;
  • -- note that mn668b14 is the schema where the data
    was created

6
VPD Update Example
Connecting Policy, Table and Function
UPDATE mn668b14.Employees set ext = 777;
1 row updated.
7
Security Policy
  -- create security policy
  -- drop any earlier copy first so the script can be re-run
  BEGIN
    DBMS_RLS.drop_policy (
      object_schema => 'MN668B14',
      object_name   => 'EmployeeUpdateOrderView',
      policy_name   => 'EMP_UPDATE_ORDERS_POLICY');
  END;
  /
  -- policy name must match the drop above; the policy function
  -- EMPUSER_ONLY returns the predicate that is appended to every
  -- SELECT, UPDATE, INSERT and DELETE against the view
  BEGIN
    dbms_rls.add_policy (
      object_schema   => 'MN668B14',
      object_name     => 'EmployeeUpdateOrderView',
      policy_name     => 'EMP_UPDATE_ORDERS_POLICY',
      function_schema => 'MN668B14',
      policy_function => 'EMPUSER_ONLY',
      statement_types => 'SELECT,UPDATE,INSERT,DELETE',
      update_check    => TRUE);
  END;
  /
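The slide names the policy function EMPUSER_ONLY but never shows it. The following is an added example, not code from the slides or the course project: the function body, the predicate it returns, and the rewrite the kernel performs. Schema MN668B14 and the EMPLOYEES table with a lastName column are taken from the slides; the function body, the policy name EMP_ROW_POLICY and the ext column used in the final query are assumptions.

```sql
-- Added example: the policy function behind the add_policy call.
-- Oracle calls every VPD policy function with these two arguments.
CREATE OR REPLACE FUNCTION mn668b14.empuser_only (
    p_schema IN VARCHAR2,   -- object_schema of the protected object
    p_object IN VARCHAR2)   -- object_name of the protected object
    RETURN VARCHAR2
AS
BEGIN
    -- The returned string is appended to the WHERE clause of each statement
    -- against the protected object. SESSION_USER is the authenticated login,
    -- so the predicate cannot be influenced by anything in the user's SQL text.
    RETURN 'UPPER(lastName) = SYS_CONTEXT(''USERENV'', ''SESSION_USER'')';
END empuser_only;
/

-- Attach the function to the base table (same call shape as the slide).
BEGIN
    DBMS_RLS.add_policy(
        object_schema   => 'MN668B14',
        object_name     => 'EMPLOYEES',
        policy_name     => 'EMP_ROW_POLICY',      -- assumed name
        function_schema => 'MN668B14',
        policy_function => 'EMPUSER_ONLY',
        statement_types => 'SELECT,UPDATE,INSERT,DELETE',
        -- update_check: values written by INSERT/UPDATE must also satisfy
        -- the predicate, so a user cannot re-label a row to someone else.
        update_check    => TRUE);
END;
/

-- What a session sees with the policy in place: this statement ...
SELECT lastName, ext FROM mn668b14.employees;
-- ... is executed by the kernel as
--   SELECT lastName, ext FROM mn668b14.employees
--    WHERE UPPER(lastName) = SYS_CONTEXT('USERENV', 'SESSION_USER');
-- so each login reads and updates only its own row, without a view.
```

Because the predicate is generated at execution time, changing the function changes the rule for every statement from then on; no view has to be rebuilt and no grant re-issued.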

8
Virtual Private Databases
  • VPD security provides a new way to control access
    to Oracle data.
  • One schema, several virtual schemas.
  • Dynamic nature of a VPD: at runtime, the DBMS
    modifies the SQL statement to add security.
  • Burleson, Donald (2003), "Establish security
    policy with Oracle virtual private database",
    http://www.dba-oracle.com/art_builder_vpd.htm

9
http://bgoug.org/seminar-Velingrad-oct-2005/Presentations/Presentation_OLS.ppt
Virtual Private Database Technology
  • Data access via Virtual Private Database will
    perform the following five steps:
  • User sends SQL to the database server.
  • The associated table triggers a pre-defined
    security policy.
  • The security policy returns a predicate.
  • The SQL statement is modified according to the
    security policy.
  • Secured data returns to the user.

10
http://bgoug.org/seminar-Velingrad-oct-2005/Presentations/Presentation_OLS.ppt
Virtual Private Database Technology
A VPD security model uses the Oracle dbms_rls
package (RLS stands for row-level security) to
implement the security policies and application
contexts. This requires a policy that is defined
to control access to tables and rows.
11
Oracle Label Security
  • Simulates a multilevel database.
  • Adds a field to each row to store the row's
    sensitivity label.
  • Access is granted (or denied) by comparing the user's
    identity and security clearance label with the row's
    sensitivity label.
  • A label contains LEVEL, GROUP and COMPARTMENT.

12
OLS
  • Like VPD, OLS creates Policies
  • A policy is a name that associates labels, rules,
    and authorizations.
  • DBA defines a set of labels for data and users,
    along with authorizations for users and program
    units, that defines all access to objects.

13
LABEL has 3 Components
  • level: mandatory, simple hierarchy
  • compartment: optional, non-hierarchical
  • group: optional, tree-level hierarchy
  • OLS compares the user's security clearance with the
    sensitivity label assigned to the data.
  • IF a label contains all 3 components, THEN access
    requires that the security clearance of the user is
    >= the data sensitivity level, contains all of the
    data's compartments, and contains at least one of
    its groups.

14
More on 3 components
  • label has 3 components
  • a single level (sensitivity) ranking
  • zero or more horizontal compartments
  • zero or more hierarchical groups

15
  • When an Oracle Label Security policy is applied to a
    table, a column is added to the table that is
    protected by the policy. This policy label column
    contains the label information for each data row.
  • The DBA can choose to display or hide this column.
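The three label components from the previous slides and the hidden label column from this one, put together as an added example (not code from the slides): a minimal OLS policy with two levels, one compartment and a two-node group tree, two users whose clearances differ only in the compartment, and the table the policy is applied to. The policy name HR_POLICY, column HR_LABEL, users ALICE and BOB, and the component names are assumptions; the table MN668B14.EMPLOYEES and its ext column come from the slides. It is written for LBACSYS (or a user holding LBAC_DBA plus the HR_POLICY_DBA role that CREATE_POLICY generates).

```sql
-- Added example: OLS policy with level, compartment and group components.

-- 1. Policy. HIDE keeps the label column out of SELECT * and DESCRIBE,
--    which is the "display or hide this column" choice on the slide.
BEGIN
    SA_SYSDBA.CREATE_POLICY(
        policy_name     => 'HR_POLICY',
        column_name     => 'HR_LABEL',
        default_options => 'READ_CONTROL,WRITE_CONTROL,HIDE');
END;
/

-- 2. Components. The level number gives the hierarchy (higher = more sensitive).
BEGIN
    SA_COMPONENTS.CREATE_LEVEL('HR_POLICY', 10, 'P', 'PUBLIC');
    SA_COMPONENTS.CREATE_LEVEL('HR_POLICY', 20, 'C', 'CONFIDENTIAL');
    -- Compartments are flat: a reader must hold ALL compartments on the row.
    SA_COMPONENTS.CREATE_COMPARTMENT('HR_POLICY', 100, 'PAY', 'PAYROLL');
    -- Groups form a tree via parent_name: a reader needs at least ONE of the
    -- row's groups (an authorization for a parent group also covers its children).
    SA_COMPONENTS.CREATE_GROUP('HR_POLICY', 1000, 'EU', 'EUROPE', NULL);
    SA_COMPONENTS.CREATE_GROUP('HR_POLICY', 1010, 'DE', 'GERMANY', 'EU');
END;
/

-- 3. Data labels, written as LEVEL:COMPARTMENTS:GROUPS. The tag is the
--    integer OLS stores in the hidden HR_LABEL column.
BEGIN
    SA_LABEL_ADMIN.CREATE_LABEL('HR_POLICY', 1000, 'P',        TRUE);
    SA_LABEL_ADMIN.CREATE_LABEL('HR_POLICY', 2000, 'C:PAY:DE', TRUE);
END;
/

-- 4. User clearances: max read, max write, min write, default, row label.
BEGIN
    -- ALICE dominates 'C:PAY:DE': level C >= C, holds PAY, is in group DE.
    SA_USER_ADMIN.SET_USER_LABELS('HR_POLICY', 'ALICE',
        'C:PAY:DE', 'C:PAY:DE', 'P', 'P', 'P');
    -- BOB also has level C and group DE but lacks the PAY compartment,
    -- so rows labelled C:PAY:DE are filtered out of his results.
    SA_USER_ADMIN.SET_USER_LABELS('HR_POLICY', 'BOB',
        'C::DE', 'C::DE', 'P', 'P', 'P');
END;
/

-- 5. Apply the policy; from now on OLS rewrites every statement on the table.
BEGIN
    SA_POLICY_ADMIN.APPLY_TABLE_POLICY('HR_POLICY', 'MN668B14', 'EMPLOYEES');
END;
/

-- Labelling a row: the hidden column takes a label tag, here via CHAR_TO_LABEL.
UPDATE mn668b14.employees
   SET hr_label = CHAR_TO_LABEL('HR_POLICY', 'C:PAY:DE')
 WHERE ext = 777;
```

With these settings a SELECT by BOB silently omits the ext = 777 row, while the same statement by ALICE returns it; neither user had to be granted anything on the table itself beyond the ordinary object privilege.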

16
Levels
17
Compartments
18
Groups
19
VPD OLS
  • FGAC: Fine Grained Access Control (a mechanism
    to implement row-level security in Oracle
    Database)
  • OLS and VPD are the utilities that are used for
    FGAC.
  • OLS has a GUI tool
  • ROW LEVEL SECURITY
  • COLUMN LEVEL SECURITY: in Oracle 9i, neither; use
    views. In Oracle 10g you can do column masking
    with VPD, but not with OLS.
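The column-masking form of VPD mentioned on this slide, as an added example (not code from the slides): the same DBMS_RLS.add_policy call as before, but restricted to one column and told to keep every row while blanking that column where the predicate fails. The SALARY column, the HRADMIN login and the policy name EMP_SALARY_MASK are assumptions; MN668B14.EMPLOYEES is the slides' table.

```sql
-- Added example: VPD column masking (Oracle 10g and later).
-- Predicate is true only for the assumed HRADMIN session.
CREATE OR REPLACE FUNCTION mn668b14.hr_only (
    p_schema IN VARCHAR2,
    p_object IN VARCHAR2)
    RETURN VARCHAR2
AS
BEGIN
    RETURN 'SYS_CONTEXT(''USERENV'', ''SESSION_USER'') = ''HRADMIN''';
END hr_only;
/

BEGIN
    DBMS_RLS.add_policy(
        object_schema         => 'MN668B14',
        object_name           => 'EMPLOYEES',
        policy_name           => 'EMP_SALARY_MASK',
        function_schema       => 'MN668B14',
        policy_function       => 'HR_ONLY',
        statement_types       => 'SELECT',           -- masking applies to SELECT only
        sec_relevant_cols     => 'SALARY',           -- policy fires only when SALARY is referenced
        sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS); -- keep all rows, NULL out SALARY where predicate fails
END;
/

-- A non-HRADMIN session gets every row, with SALARY returned as NULL:
SELECT lastName, ext, salary FROM mn668b14.employees;

-- The same session querying without the sensitive column is untouched
-- by the policy, because SALARY is not referenced:
SELECT lastName, ext FROM mn668b14.employees;

-- Without sec_relevant_cols_opt this would be ordinary row-level VPD and the
-- first SELECT would return only the rows for which HR_ONLY's predicate holds.
```

The distinction matters for reports that must show head counts to everyone but pay to HR only: row filtering would change the counts, column masking does not.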

20
OLS Conclusion
  • Built on top of VPD
  • Higher level, more refined than VPD
  • Built around row-level security, not much for
    column-level security

21
Next Topics
  • Encryption and Auditing

22
Encryption
  • What should a DBA encrypt ?
  • How can a DBA encrypt ?
  • Oracle, MS-SQL Server, other DBMSs ?

23
Auditing
  • Auditing all actions by all users on all data is not an
    option, due to performance.
  • Define an access policy as the center of your DB
    auditing.

24
Where is the threat
  • Most computer security money is spent on
    prevention.
  • Most loss is from insider activity (around 80%).
  • Intrusion detection is the art of detecting and
    responding to computer misuse.

25
Defense in Depth
  • Security professional: 100%; hacker: once
  • DB security must be part of a defense in depth
    strategy, including firewalls, VPN, IDS/IPS, etc.
  • The DB should not be accessed directly from the
    outside world; there should be a DMZ.
  • DB application security
  • Cryptography - PKI

26
Track Logins
  • Through tracking tools, you must audit the
    network database connections.
  • Track the IP address the connections are
    coming from.
  • Track the tools and versions being used to connect.
  • Compare tools and versions with network locations.
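The four points above turned into concrete queries, as an added example (not from the slides). It uses Oracle's traditional session auditing (AUDIT SESSION with AUDIT_TRAIL=DB assumed) and the V$SESSION view; the failure threshold, the 24-hour window, the sqlplus pattern and the two administrator workstation names are illustrative assumptions.

```sql
-- Added example: tracking where connections come from and what connects.
AUDIT SESSION;   -- record every logon and logoff, successful or failed

-- 1. Who is connected, from which machine, with which client program?
SELECT s.username, s.machine, s.osuser, s.program, COUNT(*) AS sessions
  FROM v$session s
 WHERE s.type = 'USER'
 GROUP BY s.username, s.machine, s.osuser, s.program
 ORDER BY sessions DESC;

-- 2. Failed logons (ORA-01017, invalid username/password) per host in the
--    last 24 hours. A burst from a host that normally never connects is
--    the kind of pattern worth alerting on.
SELECT a.userhost, a.username, COUNT(*) AS failures,
       MIN(a.timestamp) AS first_seen, MAX(a.timestamp) AS last_seen
  FROM dba_audit_session a
 WHERE a.returncode = 1017
   AND a.timestamp > SYSDATE - 1
 GROUP BY a.userhost, a.username
HAVING COUNT(*) >= 5                 -- assumed threshold
 ORDER BY failures DESC;

-- 3. Compare tools with locations: a DBA tool arriving from a machine that
--    is not an administrator workstation contradicts the expected pairing.
SELECT s.machine, s.program, s.username, s.logon_time
  FROM v$session s
 WHERE s.type = 'USER'
   AND UPPER(s.program) LIKE 'SQLPLUS%'
   AND s.machine NOT IN ('admin-ws-01', 'admin-ws-02')   -- assumed allow-list
 ORDER BY s.logon_time DESC;
```

The second and third queries are the ones to run on a schedule; the first is the baseline you compare them against.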

27
Check unnecessary libraries
  • On today's networks almost everyone uses TCP/IP.
  • Don't make the other network protocols available
    if you don't need them (IPX/SPX, NetBIOS, etc.).

28
DB Application
  • Hide application code
  • Check for possibilities of SQL injection for each
    user input.
  • Granular access: use VPD / Label Security
  • Use stored procedures. Disable external
    procedures and extended stored procedures.
  • Check for and monitor database links (DDB).

29
Intrusion Detection (ID)
  • Deterrence (we will find out what you did and
    catch you)
  • Detection
  • Misuse detection: based on known patterns of
    attack (signatures)
  • Anomaly detection: based on a profile of expected behavior
  • patterns of acceptable behavior
  • patterns of known misbehavior

30
End of Lecture
  • End of Today's Lecture.