Page 1

High Performance Security and Virtualization for Oracle Database and Cloud-Enabled Applications

Prepared by: Glenn Brunette, Ramesh Nagappan, Oracle Corporation

Page 2

Program Agenda

■ SPARC SuperCluster Security Overview
■ Secure Database Consolidation Strategies
■ Secure Multi-Tier Deployment Architectures
■ Summary and Q&A

Page 3

Engineered Systems Security Strategy

[Diagram: security at each layer, security between layers, and security between systems.]

Page 4

SuperCluster Security Focus Areas

[Diagram: the four platform layers Compute, Storage, Network and Database.]

Page 5

SuperCluster Security Focus Areas

[Diagram: the four focus areas Secure Isolation, Access Control, Data Protection, and Monitoring and Auditing, each applied across Compute, Storage, Network and Database.]

Page 6

SuperCluster Security Capabilities

Secure Isolation
  Compute:  Physical; Hypervisor-Mediated; Kernel-Mediated
  Storage:  Physical; ASM Instances; ZFS Data Sets
  Network:  Physical (Ethernet); Ethernet VLANs; InfiniBand Partitions
  Database: Pluggable DBs; Instances, Schema; Labels

Access Control
  Compute:  RBAC; LDOM Administration; Zone Administration
  Storage:  ZFS Administration; ASM Security; NFS Security
  Network:  IP Filter, Switch ACLs; Audit Vault and Database Firewall
  Database: Roles and Privileges; Database Vault; Mandatory Realms

Data Protection
  Compute:  Immutable Zones; Read-Only Mounts; Extended Policies
  Storage:  ZFS Encryption; LOFI Encryption; TDE
  Network:  SSH; SSL / TLS; IPsec / IKE
  Database: Virtual Private DB; Data Redaction; Data Masking

Monitoring and Auditing
  Compute:  Solaris Auditing; Reliable Syslog; BART
  Storage:  ZFS Storage Appliance Auditing; Exadata Storage Auditing
  Network:  IP Filter (Logging); Switch Logs
  Database: Database Auditing; Audit Vault and Database Firewall

Page 7

Compute Perspective

[Diagram: five compute isolation models for database workloads. Physical Isolation: Database Domain 1 on SPARC T5-8 Server 1 and another Database Domain 1 on SPARC T5-8 Server 2. Zones Isolation: Domain 1 on one SPARC T5-8 Server hosting Zones A, B, C and D, each running a Database. POSIX Isolation: Domain 1 on one SPARC T5-8 Server running several Databases side by side without zones. Hypervisor Isolation: Domain 1 and Domain 2, each running a Database, separated by the hypervisor on one SPARC T5-8 Server. Electrical Isolation: Domain 1 and Domain 2, each running a Database, on a SPARC M6-32 Server. Focus area: Secure Isolation.]

Page 8

Oracle Solaris 11 Layered Capabilities

■ Pluggable Authentication
■ Role-based Access Control
■ Fine-Grained Privileges
■ Extended File Access Controls
■ Application Sandboxing
■ Hardware-Assisted Cryptography
■ Network Security Controls
■ Dynamic Resource Controls
■ Auditing and Monitoring

Page 9

Database Perspective

[Diagram: four database isolation models, each within Domain 1 on a SPARC T5-8 Server. Instance Isolation: several separate Databases. Schema Isolation: one Database holding several Schemas. Label Isolation: one Database with one Schema, separated by labels. Container Isolation: one Container Database holding several Pluggable Databases.]

Page 10

Network Perspective

[Diagram: Domain 1 and Domain 2 on a SPARC T5-8 Server. Layer 2 VNIC and VLAN Isolation: Zone A (Database A-1) reaches Client A-1 on the Client Access Network through IPMP group A-1 over VLAN A-1-0 and VLAN A-1-1 (VLAN A); Zone B (Database B-1) reaches Client B-1 through IPMP group B-1 over VNIC B-1-0 and VNIC B-1-1 on net0 and net1 (Network B). Adding Cryptographic Isolation: Zone C (Database C-1) on VLAN C, with Client C-1 connecting over IPsec / SSL.]

Page 11

Storage Perspective

[Diagram: Oracle VM Server for SPARC hosting a Database Domain (Oracle Solaris 11 Zone A with Oracle Database 11g Release 2 Instances A-1 and A-2) and an Application Domain (Zone C with Oracle Database 11g Release 2 Instance C-1, Zone D with Instance D-1). Over the InfiniBand Network, ASM Disk Groups A-1 and A-2 on the Oracle Exadata Storage Servers are reached through Partition 0xFFFF with Protocol RDSv3; ZFS Data Sets C-1 and D-1 on the Sun ZFS Storage Appliance are reached through Partition 0x8503 with Protocol NFS / IPoIB.]

Page 12

Cryptographic Perspective

[Diagram: Database Domain with SPARC T5 Hardware Assisted Cryptography and the Oracle Solaris Cryptographic Framework. Zone A runs Oracle Database A-1, whose Oracle PKCS#11 Wallet (Oracle Solaris PKCS#11 Softtoken) holds SSL Certificate A-1 and TDE Master Key A-1. Client A-1 connects over SSL on the Client Access Network. Across the InfiniBand Network Partition: Encrypted Tablespaces in ASM Disk Group A-1 on the Oracle Exadata Storage Servers (RDSv3) and Encrypted Backups and Export Files in ZFS Data Sets A-1 on the Sun ZFS Storage Appliance (NFSv4); the storage side uses Intel AES-NI Hardware Assisted Cryptography.]

Page 13

Database Consolidation Example

[Diagram: SPARC T5-8 Server with a Database Domain (Zone A: Databases A-1 and A-2) and an Application Domain (Zone C: Database C-1; Zone D: Database D-1), each database holding several Tablespaces. InfiniBand Network Partitions connect the databases to ASM Disk Groups on the Oracle Exadata Storage Servers (RDSv3) and to ZFS Data Sets on the Sun ZFS Storage Appliance (NFS); the server also attaches to the Client Access Network and the Management Network.]

Page 14

Multi-Tier Application Security

[Diagram: the four focus areas (Secure Isolation, Access Control, Data Protection, Monitoring and Auditing) applied across the Presentation, Service Logic and Data tiers and across the Compute, Storage and Network layers.]

Page 15

Multi-Tier Network Isolation: InfiniBand Partitioning Strategy

[Diagram: SPARC T5-8 Server with an Application Domain (Zone A: Web Server; Zone B: Application Server) and a Database Domain (Zone C: Database Server). Client A reaches the web tier over HTTPS on VLAN A of the Client Access Network. Separate InfiniBand partitions carry Web to App, App to DB, ZFS Storage (Web), ZFS Storage (App) and Exadata Storage traffic; the partition keys shown are 0x0503, 0x0513, 0x0751, 0x8503, 0x8513, 0x8751, 0x8761 and 0xFFFF, with the Exadata Storage path using RDSv3 on 0xFFFF to the Oracle Exadata Storage Servers and the ZFS paths going to the Sun ZFS Storage Appliance.]

Page 16

Multi-Tier Network Isolation: End to End Deployment Scenario

[Diagram: SPARC T5-8 Server. Application Domain: Zone A (Application A), Zone B (Application B), Zone C (Load Balancing Proxy). Database Domain: Zone A (Database A), Zone B (Database B). Client A reaches the proxy over HTTPS on VLAN A and Client B over HTTPS on VLAN B of the Client Access Network.]

InfiniBand Network Partitions in the scenario:

IPoIB for NFSv4, iSCSI:
  Application B Share (0x8503)
  Application A Share (0x8513)
  Database A Share (0x8523)
  Database B Share (0x8533)

RDSv3:
  Database A ASM DG (0xFFFF)
  Database B ASM DG (0xFFFF)

Other partitions:
  IPoIB/TCP (0x0751), IPoIB/TCP (0x8751)
  SDP (0x0752), SDP (0x8752)

Page 17

Encrypted and Immutable Zones

■ Read-Only Non-Global Zone
  ▪ Protects the system binaries from malicious or accidental tampering
  ▪ MWAC Policy (Strict or Fixed)
  ▪ Can be augmented with additional read-only ZFS data sets to protect specific applications, data sets, etc.

■ Encrypted Non-Global Zone Root
  ▪ ZFS encryption implemented on iSCSI LUNs from ZFS Storage Appliance
  ▪ Leverages FIPS 140-2 validated cryptography
  ▪ Secure key storage using Solaris Softtoken Keystore or Oracle Key Manager

Solaris 11 Immutable Zone Options

Path              | None      | Flexible   | Fixed      | Strict
/, /usr, /lib, …  | Writeable | Read Only  | Read Only  | Read Only
/etc              | Writeable | Writeable  | Read Only  | Read Only
/var              | Writeable | Writeable* | Writeable* | Read Only
other             | Writeable | Read Only  | Read Only  | Read Only
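As an added example (not from the slides or from Oracle), the shell below builds the zonecfg command file for an immutable zone with the MWAC policy from the slide plus a read-only /apps data set, and the zfs command that pre-creates the zone root as an encrypted data set keyed from the Solaris PKCS#11 softtoken. The zone name app01, the data set names, the key object name and the assumption that rpool/zones is mounted at /zones are all constructed placeholders.

```shell
#!/bin/sh
# Added example: emit a zonecfg(1M) command file for an immutable Solaris 11
# zone with a read-only /apps ZFS data set, and the zfs(1M) command that
# pre-creates its zone root encrypted with a key held in the PKCS#11 softtoken.
# Zone, data set and key object names are placeholders; rpool/zones is assumed
# mounted at /zones.

# Map the slide's MWAC policy names to zonecfg file-mac-profile values and
# reject anything else, so a typo cannot silently leave the root writable.
mac_profile() {
  case "$1" in
    none)                            echo none ;;
    flexible|flexible-configuration) echo flexible-configuration ;;
    fixed|fixed-configuration)       echo fixed-configuration ;;
    strict)                          echo strict ;;
    *) echo "unknown MWAC policy: $1" >&2; return 1 ;;
  esac
}

# Command file for: zonecfg -z <zone> -f <file>.  The /apps data set is
# mounted read-only into the zone (the "augment with read-only ZFS data
# sets" bullet), so application binaries get the same tamper protection.
gen_zonecfg() {
  zone=$1
  profile=$(mac_profile "$2") || return 1
  cat <<EOF
create
set zonepath=/zones/$zone
set file-mac-profile=$profile
add fs
set dir=/apps
set special=rpool/apps
set type=zfs
add options ro
end
exit
EOF
}

# ZFS encryption is fixed at creation and inherited by child data sets, so the
# zone's data set is created encrypted (AES-128, as on the slide) before
# "zoneadm -z <zone> install"; keysource points at a raw key object in the
# PKCS#11 softtoken instead of a key file on disk.
gen_encrypted_root() {
  printf 'zfs create -o encryption=aes-128-ccm -o keysource=raw,pkcs11:object=zfs-%s rpool/zones/%s\n' "$1" "$1"
}

# Dry run: print the commands for review instead of executing them.
gen_encrypted_root app01
gen_zonecfg app01 fixed
```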

Page 18

Multi-tier Deployment Scenario: Immutable and Encrypted Zones and InfiniBand Partitions

[Diagram: SPARC T4-4 Server, Solaris 11 Domain: Immutable Solaris Zones app01 and app02 host the Weblogic Server Cluster app-cluster with WLS 12c instances as-app01-01 (TCP/8001), as-app01-02 (TCP/8002), as-app02-01 (TCP/8001) and as-app02-02 (TCP/8002). Each zone has an Encrypted Per-Zone ZFS Data Set mounted as its zone root, an Encrypted Per-Zone ZFS Data Set mounted in the zone read-write as /data, and a shared Encrypted ZFS Data Set mounted in the zone read-only as /apps; the ZFS keys are stored in a PKCS#11 token. Interfaces net0, net0:1, net0:2, net1, net1:1 and net1:2 attach the zones to the Database Access Network (InfiniBand Partition (RDSv3) 0xFFFF), the WebLogic Access Network (InfiniBand Partition (IPoIB)) and the Coherence Access Network (InfiniBand Partition (IPoIB)); partition memberships are marked Limited or Full. SPARC T5-8 Server: Application Domains with a Zone Cluster running Oracle Traffic Director on Encrypted Per-Zone ZFS Data Sets, reached from the Client Access Network over HTTPS on VLAN A.]

Page 19

Cryptographic Isolation: Multi-Tier Scenario

[Diagram: Database Domain with SPARC T5 Hardware Assisted Cryptography and the Oracle Solaris Cryptographic Framework; Zone C runs Oracle Database (SSL and TDE) with an Oracle PKCS#11 Wallet (Oracle Solaris PKCS#11 Softtoken) holding the SSL Certificate and the TDE Master Key. Application Domain with the Oracle Solaris Cryptographic Framework: Zone A runs Oracle Traffic Director and Zone B runs Oracle WebLogic; the Client Access Network reaches Zone A over TLS, and TLS is also used between Zone A and Zone B and between Zone B and Zone C. Three InfiniBand Network Partitions (#1, #2, #3) separate the application-to-database TLS traffic, the RDSv3 path carrying ENCRYPTED Tablespaces to ASM Disk Groups on the Oracle Exadata Storage Servers (Intel AES-NI Hardware Assisted Cryptography), and the iSCSI, NFS path carrying ENCRYPTED Binaries, Configurations and Backups to ZFS Volumes/Data Sets on the Sun ZFS Storage Appliance.]

Page 20

Security Performance on SuperCluster T5-8: Multi-Tier Application Security – SSL/TLS, TDE and Encrypted ZFS

• RSA-2048 (Key Alg)
• AES-256 (Bulk Alg)
• SHA256withRSA (Signature Alg)
• TLS_RSA_WITH_AES_256_CBC_SHA (SSL Cipher Suite)
• Immutable Zones on Encrypted ZFS Data sets – (AES 128)

• Oracle Fusion Middleware
• Weblogic 12cR1
• 300 Users
• Two-way SSL

• JDK 7u17
• Oracle 11gR2 TDE
• Solaris 11.1 (SuperCluster T5-8)

[Chart: Operations / sec on SPARC T5-8]

No SSL                                              9195
3rd Party JCE (Software SSL) and TDE                4296
Oracle Ucrypto SSL and TDE (SPARC T5)               8478
SPARC T5 - SSL, TDE, Encrypted ZFS on Solaris Zone  8404

Page 21

SuperCluster Security Summary

Complete
• Layered, Defense in Depth From Applications to Disk
• Lifecycle Data Protection - In Use, In Transit and At Rest

Integrated
• Hardware-Assisted Security for Encryption and Isolation
• Comprehensive Activity Monitoring and Key Management

Flexible
• Enables Single and Multiple Tier and Tenant Architectures
• Satisfies Various Quality of Service and Security Levels

Trusted
• Protecting Mission Critical Environments Around the Globe
• Designed, Pre-Integrated, and Tested to Work Best Together

Page 22

Additional Resources

■ Oracle SuperCluster T5-8 Platform Security Principles and Capabilities
  ▪ http://www.oracle.com/technetwork/server-storage/sun-sparc-enterprise/documentation/o13-052-osc-t5-8-security-1989641.pdf

■ Secure Database Consolidation using the Oracle SuperCluster T5-8 Platform
  ▪ http://www.oracle.com/technetwork/server-storage/sun-sparc-enterprise/documentation/o13-053-securedb-osc-t5-8-1990064.pdf

■ High Performance Security for Oracle WebLogic and Fusion Middleware Applications
  ▪ http://www.oracle.com/technetwork/articles/systems-hardware-architecture/security-weblogic-t-series-168447.pdf

Page 23

Questions?