CHAPTER 1. Overview of Network Security and Single Sign-On
The proliferation of distributed computing has been matched by an increase in the amount of information that organizations now place on a computer. Employee records, financial records, product testing information and other sensitive or critical data have moved from filing cabinets into file structures. The volume of critical or sensitive information on computers has increased the value of data that may be compromised, and the increase in distributed computing, in particular, has increased the vulnerability of this data.
The principal challenges in distributed environments are:
- data integrity--ensuring that data is not modified during transmission
- data privacy--ensuring that data is not disclosed during transmission
- authentication--having confidence that users', hosts', and clients' identities are correctly known
- authorization--giving permission to a user, program, or process to access an object or set of objects
The Advanced Networking Option ensures data integrity through cryptographic checksums using the MD5 algorithm. It also ensures data privacy through encryption. Release 2.3.2 provides a 40-bit and 56-bit RSA RC4 algorithm as well as a 40-bit and 56-bit DES algorithm.
Establishing user identity is also of primary concern in distributed environments; otherwise, there can be little confidence in limiting privileges by user. For example, unless you have confidence in user authentication mechanisms, how can you be sure that user Smith connecting to Server A from Client B really is user Smith? Furthermore, you need to have confidence in the way clients and servers are made known to one another over the network, so that you have assurance not only that user Smith is who she says she is, but that Client B and Server A are also what they claim to be. The Advanced Networking Option release 2.3.2 provides this authentication ability through SQL*Net authentication adapters that support third-party authentication services such as Kerberos, CyberSAFE (a Kerberos-based authentication server), and SecurID. These are described later in this chapter.
Note: User authentication and authorization are already standard features of Oracle7; however, they are significantly enhanced in the Advanced Networking Option release 2.3.2.
Authentication Adapters Supported
For this release of the Advanced Networking Option the following adapters are supported:
This release of the documentation only provides configuration instructions for Kerberos, CyberSAFE, SecurID, Biometric, and DCE GSSAPI authentication adapters. For the other listed adapters see the platform-specific documentation supplied with the product.
System Requirements
The Advanced Networking Option is an add-on product to standard SQL*Net, making SQL*Net licenses a prerequisite. The Advanced Networking Option is an extra-cost item, and to be functional, must be purchased on both the client and the server.
Install the Advanced Networking Option release 2.3.2 product with the Oracle Installer (both tapes and floppies).
The Advanced Networking Option release 2.3.2 works with:
- SQL*Net release 2.3.2 or later
- Oracle 7.3.2 or later; or Trusted Oracle 7.3.2 or later
Note: The Advanced Networking Option release 2.3.2 will provide secure communication when used with earlier releases (such as 1.0 and 1.1); however, the security functionality will default to that provided by the earlier release.
Attention: The Advanced Networking Option will not work with SQL*Net releases previous to 2.3 and Oracle7 releases previous to 73.2.
Note: The site-specific Diffie-Hellman and the authentication key fold-in encryption features in the Advanced Networking Option release 2.3.2 require Oracle Server 7.3.2 or above and SQL*Net 2.3.2 or above.
CyberSAFE Authentication Adapter Requirements
To use the CyberSAFE Authentication Adapter you need to have:
- CyberSAFE Application Security Toolkit version 1.0 or later
This must be installed on the machine that runs the Oracle client and on the machine that runs the Oracle server.
- CyberSAFE Challenger release 5.2.5 or later
This must be installed on the machine that will run the authentication server.
This must be installed on the machine that runs the Oracle client.
Kerberos Authentication Adapter Requirements
To use the Kerberos Authentication Adapter you need to have:
The Kerberos authentication server must be installed on a physically secure machine.
SecurID Authentication Adapter Requirements
To use the SecurID Authentication Adapter you need to have:
- ACE/Server 1.2.4 or higher
What's Covered in this Chapter
The first part of this chapter contains an introduction to the Oracle Advanced Networking Option encryption and checksumming features, which enable SQL*Net and products based on it to use data encryption and checksumming. These services are available to network products that use SQL*Net, including the Oracle7 Server, Designer 2000, Developer 2000, and any other Oracle or third-party product that supports SQL*Net. For a comparison of the benefits of using one encryption algorithm over another, see "Benefits of Using Encryption Algorithms" ![[*]](jump.gif)
.
The second part of this chapter contains a discussion of how the Advanced Networking Option release 2.3.2 supports network user authentication in distributed environments through the use of Oracle authentication adapters.
Protection from Tampering and Unauthorized Viewing
Organizations around the world are deploying distributed databases and client/server applications in record numbers, often on a national or global scale, based on SQL*Net version 2 and the Oracle7 Server. Along with the increased distribution of data in these environments comes increased exposure to theft of data through eavesdropping. In WAN environments, both public carriers and private network owners often route portions of their network through either insecure land lines or extremely vulnerable microwave and satellite links, leaving valuable data open to view for any interested party. In LAN environments within a building or campus, potential exists for insiders with access to the physical wiring to view data not intended for them. Even more dangerous is the possibility that a malicious third party can execute a computer crime by actually tampering with data as it moves between sites. Oracle's Advanced Networking Option protects against these possibilities in distributed environments containing confidential or otherwise sensitive data.
Verification of Data Integrity
To ensure that data has not been modified, deleted, or replayed during transmission, the Advanced Networking Option optionally generates a cryptographically secure message digest and includes it with each packet sent across the network.
High-Speed Global Data Encryption
To protect data from unauthorized viewing, the Advanced Networking Option includes an encryption module that uses the RSA Data Security RC4(tm) encryption algorithm. Using a secret, randomly-generated key for every SQL*Net session, all network traffic is fully safeguarded (including all data values, SQL statements, and stored procedure calls and results). The client, the server, or both, can request or require the use of the encryption module to guarantee that data is protected. Oracle's optimized implementation provides a high degree of security for a minimal performance penalty. For the RC4 algorithm, Oracle provides encryption key lengths of 40 bits, 56 bits, and 128 bits.
Since the Advanced Networking Option RSA RC4 40-bit implementation meets the U.S. government export guidelines for encryption products, Oracle provides an export version of the media and exports it to all but a few countries, allowing most companies to safeguard their entire worldwide operations with this software.
Standards-Based Encryption
For financial institutions and other organizations that are required to use the U.S. Data Encryption Standard (DES), the Advanced Networking Option for Domestic Use offers a standard, optimized 56-bit key DES encryption algorithm. Due to current U.S. government export restrictions, standard DES is initially available only to customers located in the U.S.A. and Canada. For customers located outside the U.S.A. and Canada, the Advanced Networking Option for Export Use also offers DES40(tm), a version of DES which combines the standard DES encryption algorithm with the international availability of a 40-bit key. Selecting the algorithm to use for SQL*Net encryption is a user configuration option, allowing varying levels of security and performance for different types of data transfers.
Data Security Across Protocols
The Advanced Networking Option is fully supported by the Oracle MultiProtocol Interchange, making secure data transfer a reality across network protocol boundaries. Clients using LAN protocols such as NetWare (SPX/IPX), for instance, can now securely share data with large servers using different network protocols such as LU6.2, TCP/IP, or DECnet. To eliminate potential weak points in the network infrastructure and to maximize performance, Oracle Multi-Protocol Interchanges pass encrypted data from protocol to protocol without the cost and exposure of decryption and re-encryption.
The Advanced Networking Option Not Yet Supported by Some Oracle SQL*Net Products
The Advanced Networking Option requires SQL*Net to transmit data securely. Accordingly, the Advanced Networking Option is not currently supported by some parts of Oracle Financial, Human Resource, and Manufacturing Applications when they are running on the MS-Windows platform. The portions of these products that use Oracle Display Manager (ODM) can not yet take advantage of the Advanced Networking Option, since ODM does not currently use SQL*Net. A maintenance version of Release 10 will allow the Advanced Networking Option to be used in all parts of these applications.
How Encryption and Checksumming are Activated
In any network connection, it is possible that both ends (client and server) may support more than one encryption algorithm and more than one cryptographic checksumming algorithm. When each connection is made, the server decides which algorithm to use, if any, based on which algorithms are available on each end of the connection and what preferences have been specified in the SQL*Net configuration files.
When the server is trying to find a match between the algorithms it has made available and the algorithms the client has made available, it picks the first algorithm in its own list that also appears in the client's list.
If one side of the connection does not specify a list of algorithms, all the algorithms that are installed on that side are acceptable.
Encryption and checksumming parameters, like all other SQL*Net configuration information, are defined by entering information into Oracle Network Manager. Information specific to the Advanced Networking Option appears on the following screens:
- Client Profile--Encryption seed value
After you validate the network configuration within Network Manager, you can generate the configuration files, including SQLNET.ORA files (which contain the encryption and checksumming configuration parameters) for all clients and servers in your network.
Refer to Appendix A for an example of a SQLNET.ORA file for client and server nodes in a network using encryption and checksumming.
Note: Oracle Network Manager, which runs on Windows 3.1, is provided with Oracle 7.3.2 and SQL*Net 2.3. You should use Network Manager 3.1 to configure the Advanced Networking Option release 2.3.2 product.
The Advanced Networking Option Provides Enhanced Client/Server Authentication
Distributed environments face challenges to data security in the areas of data confidentiality, data integrity, and authentication of all parties on a network (users, clients, and servers). Oracle7 servers and the Advanced Networking Option together provide the enhanced client/server authentication users require in distributed, heterogeneous environments.
Why Single Sign-On?
In a distributed system, users may need to remember multiple passwords for the different applications and services that they use. To use a software development organization as an example, a developer may have access to an application in development on a workstation, a production system on a mini-computer, a PC for creating documents, and several mini-computers or workstations for testing, reporting bugs, configuration management, and so on. Administration of all these accounts and passwords is complex and time-consuming.
Users generally respond to multiple accounts in one of two ways: if they can choose their own passwords, they may standardize them so that they are the same on all machines (which results in a potentially large exposure in the event of a compromised password) or use passwords with slight variations (which may be easily guessed from knowing one password). Users with complex passwords may just write them down or forget them, either of which severely compromises password secrecy and service availability.
Providing a single sign-on, so that users can access multiple accounts and applications with a single password, eliminates the need for multiple passwords for users and simplifies management of user accounts and passwords for system administrators.
How Oracle Authentication Adapters Provide Enhanced Security
Among the types of authentication mechanisms that can be used in networked environments are the following:
- network authentication services (such as the ACE/Server, Kerberos and CyberSAFE), which provide secure, centralized authentication of users and servers
- smart cards (such as SecurID) which provide one-time passwords
These are discussed in more detail in the following sections.
Network Authentication Services
In distributed environments, unless you can physically secure all connections in a network, which may be either physically or economically impossible, malefactors may hijack connections. For example, a transaction that should go from the Personnel system on Server A to the Payroll system on Server B may be intercepted in-transit and routed instead to a terminal masquerading as Server B.
This threat may be addressed by having a central facility authenticate all members of the network (clients to servers, servers to servers, users to both clients and servers), rather than relying on parties identifying themselves to one another directly. By having a centralized, secure authentication service, you can have high confidence in the identity of users, clients, and servers in distributed environments. Network authentication services also can provide the benefit of single sign-on for users.
Centralized Authentication
Figure 1 - 1 illustrates how a network authentication service typically operates, while the steps below describe each operation.
1. A user requests authentication services, providing some identification that he is who he claims to be, such as a token or password.
2. After authenticating the user, the authentication server passes a ticket or credentials back to the client. (The ticket may include an expiration time.)
3. The client can now take these credentials and pass them to the server while asking for a service, such as connection to a database.
4. The server, to verify that the credentials are valid, sends them back to the authentication server.
5. If the authentication server accepts the credentials, it notifies the server.
6. The server provides the requested service. If the credentials are not accepted, the requested service is denied.
Figure 1 - 1. How a Network Authentication Service Works
Attention: The Oracle Authentication Adapter for Kerberos provides database link authentication (also called "proxy authentication"). CyberSAFE and SecurID do not provide support for proxy authentication.
The Advanced Networking Option support for Kerberos and CyberSAFE provides the benefits of single sign-on and centralized authentication in an Oracle environment. As shown in Figure 1 - 2, support for authentication services is provided through authentication adapters, which are very much like the existing protocol adapters of SQL*Net. Authentication adapters integrate below the SQL*Net interface, and allow existing applications to take advantage of new authentication systems transparently, without any changes to the application.
Figure 1 - 2. SQL*Net with authentication adapters
Kerberos is a trusted third-party authentication system that relies on shared secrets. It assumes that the third party is secure. It provides single sign-on capabilities, centralized password storage, database link authentication, and enhances PC security.
Support for Kerberos is provided in the Advanced Networking Option in two ways:
- through support of an Oracle Kerberos Authentication Adapter
- through support of CyberSAFE Challenger, a Kerberos-based Authentication Adapter
Note: Oracle Corporation does not provide authentication servers--only support for the authentication services provided through other vendors' security services or third-party Kerberos-based servers such as CyberSAFE.
Smart Cards Provide Increased Password Security Over Traditional Password Mechanisms
Smart cards can provide improved ease-of-use for users through several different mechanisms. Some smart cards offer one-time passwords that are synchronized with an authentication service. The server can verify the password provided by the smart card at any given time by contacting the authentication service. Other smart cards operate on a 'challenge-response' basis, in which the server offers a 'challenge' (a number) and the user enters the challenge into a smart card, which provides another number (cryptographically-derived from the challenge), which the user then offers to the server.
Smart cards provide the following benefits:
- ease of use for users, who need only remember, at most, a personal identification number (PIN) instead of multiple passwords
- ease of password management (one smart card rather than multiple passwords)
- enhanced password security; since, to masquerade as a user, a malefactor would have to have the smart card as well as the PIN required to operate it
- enhanced accountability through a stronger authentication mechanism
The Advanced Networking Option provides support for Security Dynamics' SecurID card. SecurID provides two-factor user identification. Factor one is something the user knows: a PIN, while the second is something the user possesses: the SecurID card. Single-use access codes change automatically every 60 seconds, and no two cards ever display the same number at the same time. The Advanced Networking Option support for SecurID provides the convenience of smart cards in an Oracle environment.
Oracle Parameters that Must be Configured for Network Authentication
For clients and servers to be able to use an Oracle Authentication Adapter, the following parameter must be in the SQLNET.ORA configuration file:
SQLNET.AUTHENTICATION_SERVICES=
(beq,oracle_authent_adapter)
For example, the following parameter must be set in the SQLNET.ORA file on all clients and servers that use the Kerberos Authentication Adapter to authenticate users:
SQLNET.AUTHENTICATION_SERVICES=(BEQ,KERBEROS5)
Setting REMOTE_OS_AUTHENT to False
It is strongly recommended that when configuring the Oracle authentication adapters, you add the following parameter to the initialization file used for the database instance:
REMOTE_OS_AUTHENT=FALSE
Attention: Setting REMOTE_OS_AUTHENT to TRUE may create a security hole because it allows someone using a non-secure protocol (for example, TCP) to perform an operating system-authorized login (formerly referred to as an OPS$ login).
If REMOTE_OS_AUTHENT is set to FALSE, and the server cannot support any of the authentication services requested by the client, the authentication service negotiation will fail, and the connection will be terminated.
If REMOTE_OS_AUTHENT is set to FALSE for a particular database, and the client has the following parameter set in its SQLNET.ORA file:
SQLNET.AUTHENTICATION_SERVICES=(NONE)
and the server has, for example,
SQLNET.AUTHENTICATION_SERVICES=(BEQ,KERBEROS5)
set in its SQLNET.ORA file, the connection will fail.
If the following parameter is set in the SQLNET.ORA file on either the client or server side:
SQLNET.AUTHENTICATION_SERVICES=(NONE)
the database will attempt to use the provided username and password to log the user in.
Set OS_AUTHENT_PREFIX to a Null Value
Because authentication service-based user names can be long and Oracle user names are limited to 30 characters, it is strongly recommended that you enter a null value for the OS_AUTHENT_PREFIX parameter in the initialization file used for the database instance:
OS_AUTHENT_PREFIX=""
Note: The default value for OS_AUTHENT_PREFIX is OPS$, though you can set it to any string.
Attention: If a database already has the OS_AUTHENT_PREFIX set to a value other than null ("") do not change it, as it could result in previously created externally-identified users not being able to connect to the Oracle server.
The command to create a user is
create user <os_authent_prefix><username>
identified externally;
When OS_AUTHENT_PREFIX is set to a null value (""), you would create the user "king" with the following command:
create user king identified externally;
The advantage of creating a user in this way is that the administrator no longer needs to maintain different usernames for externally-identified users.
Note: This applies to creating Oracle users for use with all Oracle authentication adapters.
Required Parameter on all Oracle Servers
The following parameter should always be set in the LISTENER.ORA file on all servers:
SQLNET.AUTHENTICATION_SERVICES=(NONE)
Note: The reason this parameter must be set to NONE is that the listener itself is not involved in authentication. Authentication is used directly by client and server processes only; the listener's purpose is to let you connect to the server.
Configuring So Users Can Log in with a Username/Password
For users to be able to log into an Oracle database server using username/password, for example:
sqlplus scott/tiger@oracle_dbname
authentication must be disabled. In the SQLNET.ORA file, set the following parameter:
SQLNET.AUTHENTICATION_SERVICES=(NONE)
