1
Network Security and Single Sign-On

The proliferation of distributed computing has been matched by an increase in the amount of information that organizations now place on computers. Employee records, financial records, product testing information, and other sensitive or critical data have moved from filing cabinets into file structures. The volume of critical or sensitive information on computers has increased the value of data that may be compromised, and the increase in distributed computing, in particular, has increased the vulnerability of this data.

The principal challenges in distributed environments are:

• data integrity-ensuring that data is not modified during transmission
• data privacy-ensuring that data is not disclosed during transmission
• authentication-having confidence that users', hosts', and clients' identities are correctly known
• authorization-giving permission to a user, program, or process to access an object or set of objects

The Oracle Advanced Networking Option ensures data integrity through cryptographic checksums using the MD5 algorithm. It also ensures data privacy through encryption. Release 8.0 provides 40-bit, 56-bit, and 128-bit RSA RC4 algorithms as well as 40-bit and 56-bit DES algorithms.

Establishing user identity is also of primary concern in distributed environments; otherwise, there can be little confidence in limiting privileges by user. For example, unless you have confidence in user authentication mechanisms, how can you be sure that user Smith connecting to Server A from Client B really is user Smith? Furthermore, you need to have confidence in the way clients and servers are made known to one another over the network, so that you have assurance not only that user Smith is who she says she is, but that Client B and Server A are also what they claim to be. The Oracle Advanced Networking Option release 8.0 provides this authentication ability through Oracle authentication adapters that support third-party authentication services such as Kerberos, CyberSAFE Challenger (a Kerberos-based authentication server), SecurID, and Identix TouchNet II. These adapters are described later in this chapter.

1.1 What's Covered in this Chapter

The first part of this chapter contains an introduction to the Oracle Advanced Networking Option encryption and checksumming features. These services are available to network products that use Net8, including the Oracle8 Server, Designer 2000, Developer 2000, and any other Oracle or third-party products that support Net8. For a comparison of the benefits of using one encryption algorithm over another, see Chapter 2.2, "Benefits of the Oracle Advanced Networking Option Encryption and Checksum Algorithms".

The second part of this chapter contains a discussion of how the Oracle Advanced Networking Option release 8.0 supports network user authentication in distributed environments through the use of Oracle authentication adapters.

1.2 Authentication Adapters Supported

For this release of the Oracle Advanced Networking Option, the following adapters are supported:

• Kerberos
• CyberSAFE Challenger
• SecurID
• Identix TouchNet II

This release of the documentation only provides configuration instructions for Kerberos, CyberSAFE Challenger, SecurID, and Identix authentication adapters.

1.2.1 System Requirements

The Oracle Advanced Networking Option is an add-on product to standard Net8 which makes getting Net8 licenses a prerequisite. The Oracle Advanced Networking Option is an extra cost item, and to be functional, must be purchased on both the client and the server.

The Oracle Advanced Networking Option must be installed with the Oracle Installer (tapes, CDs, and floppies) on all clients and servers where the Oracle Advanced Networking Option is required.

• The Oracle Advanced Networking Option release 8.0 work or later
• Oracle 8.0 or later

  Note: The Oracle Advanced Networking Option release 8.0 will provide secure communication when used with earlier releases (such as 1.0 and 1.1); however, the security functionality will default to that provided by the earlier release.

1.2.1.1 CyberSAFE Challenger Authentication Adapter Requirements

To use the CyberSAFE Challenger Authentication Adapter you need to have:

• CyberSAFE Application Security Toolkit version 1.0.4 or later
• This must be installed on both the machine that runs the Oracle client and on the machine that runs the Oracle server.
• CyberSAFE Challenger release 5.2.5 or later
• This must be installed on a physically secure machine that will run the authentication server.
• CyberSAFE Challenger Client
• This must be installed on the machine that runs the Oracle client.

1.2.1.2 Kerberos Authentication Adapter Requirements

To use the Kerberos Authentication Adapter you need to have:

• Kerberos 5.4.2

  The Kerberos authentication server must be installed on a physically secure machine.

1.2.1.3 SecurID Authentication Adapter Requirements

To use the SecurID Authentication Adapter you need to have:

• ACE/Server 1.2.4 or higher running on the authentication server.

1.2.1.4 Identix TouchNet II

To use the Identix TouchNet II Authentication Adapter you need to have:

• Identix hardware installed on each Biometric Manager station and client.
• Identix driver installed (it is supplied by both the Oracle Enterprise Manager and NT media.

1.3 Protection from Tampering and Unauthorized Viewing

Organizations around the world are deploying distributed databases and client/server applications in record numbers, often on a national or global scale, based on Net8 and the Oracle8 Server. Along with the increased distribution of data in these environments comes increased exposure to theft of data through eavesdropping. In Wide Area Network (WAN) environments, both public carriers and private network owners often route portions of their network through either insecure land lines or extremely vulnerable microwave and satellite links, leaving valuable data open to view for any interested party. In Local Area Network (LAN) environments within a building or campus, the potential exists for insiders with access to the physical wiring to view data not intended for them. Even more dangerous is the possibility that a malicious third party can execute a computer crime by actually tampering with data as it moves between sites. Oracle Advanced Networking Option protects against these possibilities in distributed environments containing confidential or otherwise sensitive data.

1.3.1 Verification of Data Integrity

To ensure that data has not been modified, deleted, or replayed during transmission, the Oracle Advanced Networking Option optionally generates a cryptographically secure message digest and includes it with each packet sent across the network.

1.3.2 High-Speed Global Data Encryption

To protect data from unauthorized viewing, the Oracle Advanced Networking Option includes an encryption module that uses the RSA Data Security RC4 encryption algorithm. Using a secret, randomly-generated key for every session, all network traffic is fully safeguarded (including all data values, SQL statements, and stored procedure calls and results). The client, server, or both, can request or require the use of the encryption module to guarantee that data is protected. Oracle's optimized implementation provides a high degree of security for a minimal performance penalty. For the RC4 algorithm, Oracle provides encryption key lengths of 40 bits, 56 bits, and 128 bits.

Since the Oracle Advanced Networking Option RSA RC4 40-bit implementation meets the U.S. government export guidelines for encryption products, Oracle provides an export version of the media and exports it to all but a few countries, allowing most companies to safeguard their entire worldwide operations with this software.

1.3.3 Standards-Based Encryption

For financial institutions and other organizations that are required to use the U.S. Data Encryption Standard (DES), the Oracle Advanced Networking Option for Domestic Use offers a standard, optimized 56-bit key DES encryption algorithm. Due to current U.S. government export restrictions, standard DES is initially available only to customers located in the U.S.A. and Canada. For customers located outside the U.S.A. and Canada, the Oracle Advanced Networking Option for Export Use also offers DES40, a version of DES which combines the standard DES encryption algorithm with the international availability of a 40-bit key. Selecting the algorithm to use for network encryption is a user configuration option, allowing varying levels of security and performance for different types of data transfers.

1.3.4 Data Security Across Protocols

The Oracle Advanced Networking Option is fully supported by the Connection Manager, making secure data transfer a reality across network protocol boundaries. Clients using LAN protocols such as NetWare (SPX/IPX), for instance, can now securely share data with large servers using different network protocols such as LU6.2, TCP/IP, or DECnet. To eliminate potential weak points in the network infrastructure and to maximize performance, Connection Manager passes encrypted data from protocol to protocol without the cost and exposure of decryption and re-encryption.

1.3.5 The Oracle Advanced Networking Option is Not Yet Supported by Some Oracle Products

The Oracle Advanced Networking Option requires Net8 to transmit data securely. Accordingly, the Oracle Advanced Networking Option's authentication features are not currently supported by some parts of Oracle Financial, Human Resource, and Manufacturing Applications when they are running on the MS-Windows platform. The portions of these products that use Oracle Display Manager (ODM) can not yet take advantage of the Oracle Advanced Networking Option, since ODM does not currently use Net8. A maintenance version of Release 10 will allow the Oracle Advanced Networking Option to be used in all parts of these applications.

1.4 How Encryption and Checksumming are Activated

In any network connection, it is possible that both ends (client and server) may support more than one encryption algorithm and more than one cryptographic checksumming algorithm. When each connection is made, the server decides which algorithm to use, if any, based on which algorithms are available on each end of the connection and on what preferences have been specified in the Net8 configuration files.

When the server is trying to find a match between the algorithms it has made available and the algorithms the client has made available, it picks the first algorithm in its own list that also appears in the client's list. If one side of the connection does not specify a list of algorithms, all the algorithms that are installed on that side are acceptable.

1.4.1 Encryption and Checksumming Configuration

Encryption and checksumming parameters are defined by modifying a profile for the clients and servers on your network. Refer to Appendix A, "Encryption and Checksum Parameters" for an example of a profile (SQLNET.ORA) for the client and server nodes in a network using encryption and checksumming.

1.5 The Oracle Advanced Networking Option Provides Enhanced Client/Server Authentication

Oracle servers and the Oracle Advanced Networking Option together provide the enhanced client/server authentication required in distributed, heterogeneous environments.

1.5.1 Why Single Sign-On?

In a distributed system, users may need to remember multiple passwords for the different applications and services that they use. To use a software development organization as an example, a developer may have access to an application in development on a workstation, a production system on a mini-computer, a PC for creating documents, and several mini-computers or workstations for testing, reporting bugs, configuration management, and so on. Administration of all these accounts and passwords is complex and time-consuming.

Users generally respond to multiple accounts in one of two ways: if they can choose their own passwords, they may standardize them so that they are the same on all machines (which results in a potentially large exposure in the event of a compromised password) or use passwords with slight variations (which may be easily guessed from knowing one password). Users with complex passwords may just write them down or forget them, either of which severely compromises password secrecy and service availability.

Providing a single sign-on, so that users can access multiple accounts and applications with a single password, eliminates the need for multiple passwords for users and simplifies management of user accounts and passwords for system administrators.

1.6 How Oracle Authentication Adapters Provide Enhanced Security

Among the types of authentication mechanisms that can be used in networked environments are the following:

• "Network Authentication Services" (such as the ACE/Server, Kerberos and CyberSAFE), provide secure, centralized authentication of users and servers.
• "Token Cards". Token cards (such as SecurID) provide one-time passwords.
• "Biometric Authentication Adapter" provides centralized management of biometrically identified users and of database servers that authenticate them.

These authentication mechanisms are discussed in more detail in the following sections.

1.6.1 Network Authentication Services

In distributed environments, unless you can physically secure all connections in a network, which may be either physically or economically impossible, malefactors may hijack connections. For example, a transaction that should go from the Personnel system on Server A to the Payroll system on Server B may be intercepted in transit and routed instead to a terminal masquerading as Server B.

This threat may be addressed by having a central facility authenticate all members of the network (clients to servers, servers to servers, users to both clients and servers), rather than relying on parties identifying themselves to one another directly. By having a centralized, secure authentication service, you can have high confidence in the identity of users, clients, and servers in distributed environments. Network authentication services also can provide the benefit of single sign-on for users (refer to Section 1.5.1, "Why Single Sign-On?").

1.6.2 Centralized Authentication

Figure 1-1, "How a Network Authentication Service Works" illustrates how a network authentication service typically operates, while the steps below describe each operation.

1. A user (client) requests authentication services, providing some identification that he is who he claims to be, such as a token or password.
2. After authenticating the user, the authentication server passes a ticket or credentials back to the client. (This ticket may include an expiration time.)
3. The client can now take these credentials and pass them to the server while asking for a service, such as connection to a database.
4. The server, to verify that the credentials are valid, sends them back to the authentication server.
5. If the authentication server accepts the credentials, it notifies the server.
6. The server provides the requested service to the user. If the credentials are not accepted, the requested service is denied.
   

   Figure 1-1 How a Network Authentication Service Works

   

1.6.3 Kerberos and CyberSAFE Support

Attention: The Oracle Authentication Adapter for Kerberos provides database link authentication (also called "proxy authentication"). CyberSAFE and SecurID do not provide support for proxy authentication.

The Oracle Advanced Networking Option support for Kerberos and CyberSAFE provides the benefits of single sign-on and centralized authentication in an Oracle environment. As shown in Figure 1-2, "Net8 with authentication adapters", support for authentication services is provided through authentication adapters, which are very much like the existing Net8 protocol adapters. Authentication adapters integrate below the Net8 interface and allow existing applications to take advantage of new authentication systems transparently, without any changes to the application.

Figure 1-2 Net8 with authentication adapters

Kerberos is a trusted third-party authentication system that relies on shared secrets. It assumes that the third party is secure. It provides single sign-on capabilities, centralized password storage, database link authentication, and enhanced PC security.

Support for Kerberos is provided in the Oracle Advanced Networking Option in two ways:

• through the Kerberos Authentication Adapter
• through the CyberSAFE Challenger: an Authentication Adapter

  Note: Oracle Corporation does not provide centralized authentication servers-only support for the authentication services provided through other vendors' security services or third-party Kerberos-based servers such as CyberSAFE. Oracle Corporation does provide a distributed authentication mechanism based on X.509 v1 certificates through the Oracle Security Server.

1.6.4 Token Cards

Token cards can provide improved ease-of-use for users through several different mechanisms. Some token cards offer one-time passwords that are synchronized with an authentication service. The server can verify the password provided by the smart card at any given time by contacting the authentication service. Other token cards operate on a challenge-response basis, in which the server offers a challenge (a number) and the user types the challenge into a token card, which provides another number (cryptographically-derived from the challenge), which the user then offers to the server.

Token cards provide the following benefits:

• ease of use for users, who need only remember, at most, a personal identification number (PIN) instead of multiple passwords
• ease of password management (one smart card rather than multiple passwords)
• enhanced password security, since to masquerade as a user, a malefactor would have to have the smart card as well as the PIN required to operate it
• enhanced accountability through a stronger authentication mechanism

1.6.5 SecurID Token Card

The Oracle Advanced Networking Option supports the Security Dynamics'
SecurID card. SecurID provides two-factor user identification. Factor one is something the user knows: a PIN. The second factor is something the user possesses: the SecurID card. Single-use access codes change automatically every 60 seconds, and no two cards ever display the same number at the same time. The Oracle Advanced Networking Option support for SecurID provides the convenience of token cards in an Oracle environment.

1.6.6 Biometric Authentication Adapter

The Oracle Advanced Networking Option provides support for the Oracle Biometric Authentication adapter. Oracle Biometric Authentication adapters are used on both the clients and on the database servers to communicate biometric authentication data between the authentication server and the clients.

1.6.7 Oracle Parameters that Must be Configured for Network Authentication

For clients and servers to be able to use an Oracle Authentication Adapter, the following parameter must be in a profile:

SQLNET.AUTHENTICATION_SERVICES=(oracle_authent_adapter)

For example, the following parameter must be set in a profile on all clients and servers that use the Kerberos Authentication Adapter to authenticate users:

SQLNET.AUTHENTICATION_SERVICES=(KERBEROS5)

1.6.7.1 Set REMOTE_OS_AUTHENT to False

It is strongly recommended that when configuring the Oracle authentication adapters, you add the following parameter to the initialization file used for the database instance:

REMOTE_OS_AUTHENT=FALSE





Attention:



Setting REMOTE_OS_AUTHENT to TRUE may create a security hole, because it allows someone using a non-secure protocol (for example, TCP) to perform an operating system-authorized login (formerly referred to as an OPS$ login).

  

If REMOTE_OS_AUTHENT is set to FALSE, and the server cannot support any of the authentication services requested by the client, the authentication service negotiation will fail, and the connection will be terminated.

If the following parameter is set in the SQLNET.ORA file on either the client or server side:

SQLNET.AUTHENTICATION_SERVICES=(NONE)

the database will attempt to use the provided username and password to log the user in. However, if REMOTE_OS_AUTHENT is set to FALSE, the connection will fail.

1.6.7.2 Set OS_AUTHENT_PREFIX to a Null Value

Authentication service-based user names can be long, and Oracle user names are limited to 30 characters. So, it is strongly recommended that you enter a null value for the OS_AUTHENT_PREFIX parameter in the initialization file used for the database instance:

	OS_AUTHENT_PREFIX=""





Note:



The default value for OS_AUTHENT_PREFIX is OPS$; however, you can set it to any string.

  













Attention:



If a database already has the OS_AUTHENT_PREFIX set to a value other than null ("") do not change it, since it could result in previously created externally-identified users not being able to connect to the Oracle server.

  

The command to create a user is:

create user <os_authent_prefix><username> identified externally;

When OS_AUTHENT_PREFIX is set to a null value (""), you would create the user "king" with the following command:

create user king identified externally;

The advantage of creating a user in this way is that the administrator no longer needs to maintain different usernames for externally-identified users.

---