REMINDER
Check in on the COLLABORATE mobile app
High Performance Security and Virtualization for Oracle Database and Cloud-Enabled Applications
Prepared by: Glenn Brunette and Ramesh Nagappan, Oracle Corporation
Program Agenda
■ SPARC SuperCluster Security Overview
■ Secure Database Consolidation Strategies
■ Secure Multi-Tier Deployment Architectures
■ Summary and Q&A
Engineered Systems Security Strategy
■ Security at each layer
■ Security between layers
■ Security between systems
SuperCluster Security Focus Areas
Four focus areas (Secure Isolation, Access Control, Data Protection, Monitoring and Auditing), each applied across four layers: Compute, Storage, Network, Database.
SuperCluster Security Capabilities
(rows: focus areas; columns: Compute, Storage, Network, Database)

Secure Isolation
  Compute:  Physical; Hypervisor-Mediated; Kernel-Mediated
  Storage:  Physical; ASM Instances; ZFS Data Sets
  Network:  Physical (Ethernet); Ethernet VLANs; InfiniBand Partitions
  Database: Pluggable DBs; Instances, Schema; Labels
Access Control
  Compute:  RBAC; LDOM Administration; Zone Administration
  Storage:  ZFS Administration; ASM Security; NFS Security
  Network:  IP Filter, Switch ACLs; Audit Vault and Database Firewall
  Database: Roles and Privileges; Database Vault; Mandatory Realms
Data Protection
  Compute:  Immutable Zones; Read-Only Mounts; Extended Policies
  Storage:  ZFS Encryption; LOFI Encryption; TDE
  Network:  SSH; SSL / TLS; IPsec / IKE
  Database: Virtual Private DB; Data Redaction; Data Masking
Monitoring and Auditing
  Compute:  Solaris Auditing; Reliable Syslog; BART
  Storage:  ZFS Storage Appliance Auditing; Exadata Storage Auditing
  Network:  IP Filter (Logging); Switch Logs
  Database: Database Auditing; Audit Vault and Database Firewall
Compute Perspective
[Figure: five compute isolation models for database instances]
■ Physical Isolation: one database per SPARC T5-8 server (Server 1, Server 2), each in its own domain.
■ Hypervisor Isolation: Domain 1 and Domain 2 on one SPARC T5-8 server, each hosting a database, separated by the Oracle VM Server for SPARC hypervisor.
■ Zones Isolation: one domain on a SPARC T5-8 server, with a database in each of Zone A, Zone B, Zone C and Zone D.
■ POSIX Isolation: four databases side by side in one domain, separated only by POSIX users, groups and file permissions (the weakest of the five).
■ Electrical Isolation: Domain 1 and Domain 2 on a SPARC M6-32 server, in electrically isolated physical domains.
Oracle Solaris 11 Layered Capabilities
■ Pluggable Authentication
■ Role-based Access Control
■ Fine-Grained Privileges
■ Extended File Access Controls
■ Application Sandboxing
■ Hardware-Assisted Cryptography
■ Network Security Controls
■ Dynamic Resource Controls
■ Auditing and Monitoring
Database Perspective
[Figure: four database isolation models, each within Domain 1 on a SPARC T5-8 server]
■ Instance Isolation: four separate database instances in the domain.
■ Schema Isolation: one database instance holding four schemas.
■ Label Isolation: one database instance and one schema, with rows separated by security labels (Oracle Label Security).
■ Container Isolation: one Container Database holding four Pluggable Databases (Oracle Database 12c multitenant).
Network Perspective
[Figure: layer 2 and cryptographic network isolation on a SPARC T5-8 server with Domain 1 and Domain 2]
■ Layer 2 VNIC and VLAN Isolation: Zone A (Database A-1) is reached by Client A-1 over the Client Access Network on VLAN A, through IPMP group A-1 spanning VLAN A-1-0 and VLAN A-1-1. Zone B (Database B-1) is reached by Client B-1 over Network B, through IPMP group B-1 spanning VNIC B-1-0 and VNIC B-1-1, which are layered on the physical links net0 and net1.
■ Adding Cryptographic Isolation: Zone C (Database C-1) is reached by Client C-1 on VLAN C with IPsec or SSL on top of the VLAN separation, so traffic stays confidential even if the layer 2 boundary is crossed.
Storage Perspective
[Figure: storage isolation across the InfiniBand network]
■ Oracle Exadata Storage Servers expose ASM Disk Groups (ASM Disk Group A-1, ASM Disk Group A-2), reached over InfiniBand partition 0xFFFF with the RDSv3 protocol.
■ The Sun ZFS Storage Appliance exposes ZFS Data Sets (ZFS Data Set C-1, ZFS Data Set D-1), reached over InfiniBand partition 0x8503 with NFS over IPoIB.
■ Compute side (Oracle VM Server for SPARC): the Database Domain runs Oracle Solaris 11 Zone A with Oracle Database 11g Release 2 Instances A-1 and A-2; the Application Domain runs Zone C (Instance C-1) and Zone D (Instance D-1).
Cryptographic Perspective
[Figure: where keys and cryptographic acceleration sit for Database A-1]
■ Database Domain, Zone A, Oracle Database A-1: SSL to Client A-1 over the Client Access Network. The SSL Certificate A-1 and the TDE Master Key A-1 are held in an Oracle PKCS#11 Wallet backed by the Oracle Solaris PKCS#11 Softtoken, accessed through the Oracle Solaris Cryptographic Framework with SPARC T5 Hardware Assisted Cryptography.
■ Oracle Exadata Storage Servers: Encrypted Tablespaces in ASM Disk Group A-1, reached over an InfiniBand Network Partition with RDSv3.
■ Sun ZFS Storage Appliance: Encrypted Backups and Export Files in ZFS Data Sets A-1, reached over NFSv4.
■ The Intel-based storage tier uses Intel AES-NI Hardware Assisted Cryptography.
Database Consolidation Example
[Figure: consolidated databases on one SPARC T5-8 server]
■ Database Domain: Zone A runs Database A-1 and Database A-2. Application Domain: Zone C runs Database C-1 and Zone D runs Database D-1. Each database owns its own set of tablespaces.
■ ASM Disk Groups on Oracle Exadata Storage Servers are reached over an InfiniBand Network Partition with RDSv3; ZFS Data Sets on the Sun ZFS Storage Appliance are reached over a separate InfiniBand Network Partition with NFS.
■ Clients arrive over the Client Access Network; administration uses a separate Management Network.
Multi-Tier Application Security
The four focus areas (Secure Isolation, Access Control, Data Protection, Monitoring and Auditing) are applied at every application tier (Presentation, Service Logic, Data) and across the Compute, Storage and Network layers beneath them.
Multi-Tier Network Isolation: InfiniBand Partitioning Strategy
[Figure: per-tier InfiniBand partitions on a SPARC T5-8 server]
■ The Application Domain hosts Zone A (Web Server) and Zone B (Application Server); the Database Domain hosts Zone C (Database Server). Client A reaches the web tier over the Client Access Network on VLAN A with HTTPS.
■ Each hop gets its own partition. Keys shown: 0x8751 / 0x0751 for Web to App, 0x8761 for App to DB, 0x8503 / 0x0503 and 0x8513 / 0x0513 for the ZFS Storage shares (App and Web), and 0xFFFF for Exadata Storage over RDSv3.
■ In an InfiniBand P_Key the high bit is the membership bit: 0x8xxx is a full member and 0x0xxx a limited member of the same partition. Limited members can exchange traffic only with full members, so peers holding only the limited key of a partition cannot talk to each other.
Multi-Tier Network Isolation: End to End Deployment Scenario
[Figure: two tenants, A and B, on one SPARC T5-8 server]
■ Client Access Network: Client A on VLAN A and Client B on VLAN B, both HTTPS, terminate at Zone C (Load Balancing Proxy) in the Application Domain.
■ Application Domain: Zone A (Application A) and Zone B (Application B). Database Domain: Zone A (Database A) and Zone B (Database B).
■ InfiniBand Network Partitions:
  ▪ IPoIB/TCP: 0x0751 (limited) and 0x8751 (full); SDP: 0x0752 and 0x8752.
  ▪ IPoIB for NFSv4 and iSCSI shares on the Sun ZFS Storage Appliance: Application B Share (0x8503), Application A Share (0x8513), Database A Share (0x8523), Database B Share (0x8533).
  ▪ RDSv3 to Oracle Exadata Storage Servers: Database A ASM DG (0xFFFF), Database B ASM DG (0xFFFF).
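The partition keys in the two InfiniBand slides above follow the P_Key convention (membership bit plus a 15-bit partition number), and the isolation they give depends on which tiers hold the full key and which hold only the limited key. The script below is an added example written for this page, not code from the slides or from Oracle: it decodes keys and reports which tiers can reach each other. The tier-to-key assignment at the bottom is constructed for illustration and is not the one in the figures.

```shell
#!/bin/sh
# Added example (not from the slides): decode InfiniBand partition keys and
# check which tiers can exchange traffic. Rule from the IB specification:
# bit 15 is the membership bit (1 = full, 0 = limited), the low 15 bits name
# the partition, and two endpoints can talk only if they share a partition
# and at least one of them is a full member.

# "full" or "limited" for a key such as 0x8751 / 0x0751
pkey_member() {
    if [ $(( $1 & 0x8000 )) -ne 0 ]; then echo full; else echo limited; fi
}

# Partition number with the membership bit stripped, e.g. 0x8751 -> 0x0751
pkey_base() {
    printf '0x%04X\n' $(( $1 & 0x7FFF ))
}

# yes/no: can two endpoints holding these single keys exchange traffic?
pkey_can_talk() {
    if [ "$(pkey_base "$1")" != "$(pkey_base "$2")" ]; then
        echo no; return 1            # different partitions
    fi
    if [ "$(pkey_member "$1")" = limited ] && [ "$(pkey_member "$2")" = limited ]; then
        echo no; return 1            # two limited members never see each other
    fi
    echo yes
}

# yes/no: can two endpoints with space-separated key lists reach each other
# on any partition they share?
can_reach() {
    for a in $1; do
        for b in $2; do
            if pkey_can_talk "$a" "$b" >/dev/null; then echo yes; return 0; fi
        done
    done
    echo no; return 1
}

# Constructed assignment (hypothetical, not the figure's): web zones hold only
# the limited key, the app tier is the full member that bridges them, the
# database tier sits on its own partition and shares 0xFFFF with storage.
WEB_A="0x0751"
WEB_B="0x0751"
APP="0x8751 0x0761"
DB="0x8761 0xFFFF"
STORAGE="0xFFFF"

echo "web A   -> web B  : $(can_reach "$WEB_A" "$WEB_B")"    # no: both limited
echo "web A   -> app    : $(can_reach "$WEB_A" "$APP")"      # yes
echo "web A   -> db     : $(can_reach "$WEB_A" "$DB")"       # no: no shared partition
echo "app     -> db     : $(can_reach "$APP" "$DB")"         # yes
echo "db      -> storage: $(can_reach "$DB" "$STORAGE")"     # yes
```

The check worth taking away: giving every web zone the limited key of the web-to-app partition (and only the app tier the full key) means a compromised web zone cannot pivot to its sibling web zones over InfiniBand, while it can still reach the application tier it serves. Verify the actual assignment on a live system from the partition configuration on the IB switches rather than from a diagram.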
Encrypted and Immutable Zones
■ Read-Only Non-Global Zone
  ▪ Protects the system binaries from malicious or accidental tampering
  ▪ MWAC (Mandatory Write Access Control) policy: Strict or Fixed
  ▪ Can be augmented with additional read-only ZFS data sets to protect specific applications, data sets, etc.
■ Encrypted Non-Global Zone Root
  ▪ ZFS encryption implemented on iSCSI LUNs from the ZFS Storage Appliance
  ▪ Leverages FIPS 140-2 validated cryptography
  ▪ Secure key storage using the Solaris Softtoken Keystore or Oracle Key Manager

Solaris 11 Immutable Zone Options (zonecfg file-mac-profile)
Path                 None        Flexible     Fixed        Strict
/, /usr, /lib, ...   Writeable   Read Only    Read Only    Read Only
/etc                 Writeable   Writeable    Read Only    Read Only
/var                 Writeable   Writeable*   Writeable*   Read Only
other                Writeable   Writeable    Read Only    Read Only
* Writeable except for the directories that hold system configuration components.
Strict leaves nothing inside the zone writeable, so logs and audit records must go to a remote host or to a delegated data set; Fixed keeps /var writeable for exactly that purpose.
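The immutable, encrypted zone described above can be provisioned with the script below. It is an added example for this page, not code from the slides or from Oracle. The zone name app01, the pool rpool, the key label zonekey-app01 and the /zones, /zonedata and /apps paths are assumptions; the commands are printed rather than executed unless the script runs on Solaris with DRY_RUN=0. Check the keysource and fs option syntax against zfs(1M) and zonecfg(1M) of the release in use.

```shell
#!/bin/sh
# Added example (not from the slides): provision a Solaris 11 immutable zone
# (fixed-configuration MWAC profile) whose root and data live on ZFS datasets
# encrypted with an AES-128 key held in the Solaris PKCS#11 softtoken.
# Hypothetical names: zone app01, pool rpool, key label zonekey-app01.
# Commands are printed unless DRY_RUN=0 and zonecfg exists on this host.

run() {
    if [ "${DRY_RUN:-1}" = 1 ] || ! command -v zonecfg >/dev/null 2>&1; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# One-time: wrapping key in the PKCS#11 softtoken (the FIPS 140-2 validated
# provider of the Solaris Cryptographic Framework) and an encrypted container
# dataset. Children inherit encryption and keysource, so every zone root and
# data set created beneath it is encrypted without further options.
prepare_encrypted_zone_area() {
    pool=$1; label=$2
    run pktool genkey keystore=pkcs11 label="$label" keytype=aes keylen=128
    run zfs create -o encryption=on -o "keysource=raw,pkcs11:object=$label" "$pool/secure"
    run zfs create -o mountpoint=/zones "$pool/secure/zones"       # zone roots
    run zfs create -o mountpoint=/zonedata "$pool/secure/zonedata" # delegated r/w data
}

# Per zone: read-only root (fixed-configuration), shared read-only /apps via a
# lofs mount with ro,nodevices, and a delegated encrypted data set for r/w data.
# file-mac-profile=none would be the default, fully writeable zone.
provision_zone() {
    zone=$1; pool=$2
    run zfs create "$pool/secure/zonedata/$zone"
    run zonecfg -z "$zone" "create; \
set zonepath=/zones/$zone; \
set file-mac-profile=fixed-configuration; \
add anet; set linkname=net0; set lower-link=net0; end; \
add fs; set dir=/apps; set special=/apps; set type=lofs; add options [ro,nodevices]; end; \
add dataset; set name=$pool/secure/zonedata/$zone; end"
    run zoneadm -z "$zone" install
    run zoneadm -z "$zone" boot
}

# Dry-run demo: prints the full command sequence for one zone.
prepare_encrypted_zone_area rpool zonekey-app01
provision_zone app01 rpool
```

Two operational points follow from this layout. An encrypted zone root can only be mounted once its key is loaded (zfs key -l on the container dataset), so unattended reboots need a decision about where the softtoken PIN lives. And because the zone root is read-only, anything the application must write (logs, temp files, state) has to land on the delegated /zonedata data set or on a remote log host, which is exactly the separation the slide's Fixed and Strict profiles enforce.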
Multi-tier Deployment Scenario: Immutable and Encrypted Zones and InfiniBand Partitions
[Figure: WebLogic and Coherence tiers in immutable zones]
■ SPARC T4-4 Server, Solaris 11 Domain: Immutable Solaris Zones app01 and app02 host the WebLogic Server Cluster app-cluster with WLS 12c instances as-app01-01 (TCP/8001), as-app01-02 (TCP/8002), as-app02-01 (TCP/8001) and as-app02-02 (TCP/8002). Application binaries come from an Encrypted ZFS Data Set mounted in each zone read-only at /apps; each zone has Encrypted Per-Zone ZFS Data Sets for its zone root and for read-write /data. ZFS keys are stored in a PKCS#11 token.
■ Networks: Database Access Network on InfiniBand Partition 0xFFFF (RDSv3); WebLogic Access Network on an InfiniBand Partition (IPoIB); Coherence Access Network on an InfiniBand Partition (IPoIB). The zone interfaces net0, net0:1, net0:2, net1, net1:1 and net1:2 carry these partitions with Full or Limited membership as appropriate.
■ SPARC T5-8 Server: two Application Domains form a Zone Cluster running Oracle Traffic Director on Encrypted Per-Zone ZFS Data Sets, terminating HTTPS from the Client Access Network on VLAN A and forwarding HTTPS to the WebLogic tier.
Cryptographic Isolation: Multi-Tier Scenario
[Figure: end-to-end cryptography across tiers, with three numbered InfiniBand Network Partitions (#1, #2, #3)]
■ Client Access Network to Application Domain: TLS into Zone A (Oracle Traffic Director), then TLS from Zone A to Zone B (Oracle WebLogic); both zones use the Oracle Solaris Cryptographic Framework with SPARC T5 Hardware Assisted Cryptography.
■ Application Domain to Database Domain over an InfiniBand Network Partition, again with TLS: Zone C runs Oracle Database with SSL and TDE. The SSL Certificate and the TDE Master Key are held in an Oracle PKCS#11 Wallet (Oracle Solaris PKCS#11 Softtoken).
■ Database Domain to Oracle Exadata Storage Servers over an InfiniBand Network Partition with RDSv3: ENCRYPTED tablespaces in ASM Disk Groups, with Intel AES-NI Hardware Assisted Cryptography on the storage servers.
■ Application Domain to Sun ZFS Storage Appliance over an InfiniBand Network Partition with iSCSI and NFS: ENCRYPTED ZFS Volumes/Data Sets holding Binaries, Configurations and Backups.
Security Performance on SuperCluster T5-8
Multi-Tier Application Security: SSL/TLS, TDE and Encrypted ZFS

Test configuration
• RSA-2048 (Key Alg) • AES-256 (Bulk Alg) • SHA256withRSA (Signature Alg) • TLS_RSA_WITH_AES_256_CBC_SHA (SSL Cipher Suite) • Immutable Zones on Encrypted ZFS Data Sets (AES-128)
• Oracle Fusion Middleware • WebLogic 12cR1 • 300 Users • Two-way SSL
• JDK 7u17 • Oracle 11gR2 TDE • Solaris 11.1 (SuperCluster T5-8)

Throughput in operations/sec (values read from the chart)
No SSL                                              9195
3rd Party JCE (Software SSL) and TDE                4296
Oracle Ucrypto SSL and TDE (SPARC T5)               8478
SPARC T5: SSL, TDE, Encrypted ZFS on Solaris Zone   8404

The point of the chart: with the hardware-backed Ucrypto provider, adding SSL, TDE and encrypted ZFS costs under 10% of the unencrypted throughput, against more than 50% with a software-only JCE provider. One caveat when reading the numbers today: TLS_RSA_WITH_AES_256_CBC_SHA uses static RSA key exchange and offers no forward secrecy, and CBC suites carry their own padding-oracle history; current deployments should use ECDHE key exchange with AES-GCM, whose cost profile differs from the RSA/CBC figures above.
SuperCluster Security Summary
Complete
• Layered, Defense in Depth From Applications to Disk
• Lifecycle Data Protection: In Use, In Transit and At Rest
Integrated
• Hardware-Assisted Security for Encryption and Isolation
• Comprehensive Activity Monitoring and Key Management
Flexible
• Enables Single and Multiple Tier and Tenant Architectures
• Satisfies Various Quality of Service and Security Levels
Trusted
• Protecting Mission Critical Environments Around the Globe
• Designed, Pre-Integrated, and Tested to Work Best Together
Additional Resources
■ Oracle SuperCluster T5-8 Platform Security Principles and Capabilities
  ▪ http://www.oracle.com/technetwork/server-storage/sun-sparc-enterprise/documentation/o13-052-osc-t5-8-security-1989641.pdf
■ Secure Database Consolidation using the Oracle SuperCluster T5-8 Platform
  ▪ http://www.oracle.com/technetwork/server-storage/sun-sparc-enterprise/documentation/o13-053-securedb-osc-t5-8-1990064.pdf
■ High Performance Security for Oracle WebLogic and Fusion Middleware Applications
  ▪ http://www.oracle.com/technetwork/articles/systems-hardware-architecture/security-weblogic-t-series-168447.pdf
Questions?