High Performance Security and Virtualization for Oracle Database and Cloud-Enabled Applications
1. REMINDER: Check in on the COLLABORATE mobile app
Prepared by: Glenn Brunette, Ramesh Nagappan, Oracle Corporation
3. Engineered Systems Security Strategy
[Diagram: security at each layer, security between layers, and security between systems]
5. SuperCluster Security Focus Areas
[Diagram: four focus areas (Secure Isolation, Access Control, Data Protection, Monitoring and Auditing) applied across Compute, Storage, Network and Database]
6. SuperCluster Security Capabilities
Secure Isolation
  Compute: Physical; Hypervisor-Mediated; Kernel-Mediated
  Storage: Physical; ASM Instances; ZFS Data Sets
  Network: Physical (Ethernet); Ethernet VLANs; InfiniBand Partitions
  Database: Pluggable DBs; Instances, Schema; Labels
Access Control
  Compute: RBAC; LDOM Administration; Zone Administration
  Storage: ZFS Administration; ASM Security; NFS Security
  Network: IP Filter, Switch ACLs; Audit Vault and Database Firewall
  Database: Roles and Privileges; Database Vault; Mandatory Realms
Data Protection
  Compute: Immutable Zones; Read-Only Mounts; Extended Policies
  Storage: ZFS Encryption; LOFI Encryption; TDE
  Network: SSH; SSL / TLS; IPsec / IKE
  Database: Virtual Private DB; Data Redaction; Data Masking
Monitoring and Auditing
  Compute: Solaris Auditing; Reliable Syslog; BART
  Storage: ZFS Storage Appliance Auditing; Exadata Storage Auditing
  Network: IP Filter (Logging); Switch Logs
  Database: Database Auditing; Audit Vault and Database Firewall
7. Compute Perspective
[Diagram of five isolation models: Physical Isolation (Domain 1 on SPARC T5-8 Server 1 and Domain 1 on SPARC T5-8 Server 2, each with its own Database); Zones Isolation (Zone A, Zone B, Zone C and Zone D, each with a Database, inside Domain 1 of one SPARC T5-8 Server); POSIX Isolation (several Databases side by side in Domain 1 of one SPARC T5-8 Server); Hypervisor Isolation (Domain 1 and Domain 2, each with a Database, on one SPARC T5-8 Server separated by the hypervisor); Electrical Isolation (Domain 1 and Domain 2, each with a Database, on a SPARC M6-32 Server).]
8. Oracle Solaris 11 Layered Capabilities
■ Pluggable Authentication
■ Role-based Access Control
■ Fine-Grained Privileges
■ Extended File Access Controls
■ Application Sandboxing
■ Hardware-Assisted Cryptography
■ Network Security Controls
■ Dynamic Resource Controls
■ Auditing and Monitoring
10. Network Perspective
[Diagram: one SPARC T5-8 Server hosting Domain 1 and Domain 2. Zone A runs Database A-1 behind IPMP group A-1 over VLAN A-1-0 and VLAN A-1-1; Zone B runs Database B-1 behind IPMP group B-1 over VNIC B-1-0 and VNIC B-1-1 on net0 and net1; Zone C runs Database C-1 on VLAN C. Clients A-1, B-1 and C-1 reach their databases across the Client Access Network (VLAN A, Network B). Layer 2 VNIC and VLAN isolation separates the zones, and IPsec / SSL on the Client C-1 path adds cryptographic isolation.]
11. Storage Perspective
[Diagram: Oracle VM Server for SPARC hosts a Database Domain and an Application Domain. In the Database Domain, Oracle Solaris 11 Zone A runs Oracle Database 11g Release 2 Instances A-1 and A-2, which reach ASM Disk Groups A-1 and A-2 on the Oracle Exadata Storage Servers over InfiniBand Partition 0xFFFF using RDSv3. In the Application Domain, Zone C and Zone D run Oracle Database 11g Release 2 Instances C-1 and D-1, which reach ZFS Data Sets C-1 and D-1 on the Sun ZFS Storage Appliance over InfiniBand Partition 0x8503 using NFS / IPoIB.]
12. Cryptographic Perspective
[Diagram: in the Database Domain, Zone A runs Oracle Database A-1 on the Oracle Solaris Cryptographic Framework with SPARC T5 Hardware Assisted Cryptography. SSL Certificate A-1 and TDE Master Key A-1 are held in the Oracle PKCS#11 Wallet (Oracle Solaris PKCS#11 Softtoken). Client A-1 connects over the Client Access Network using SSL. Over an InfiniBand Network Partition, Encrypted Tablespaces reside in ASM Disk Group A-1 on the Oracle Exadata Storage Servers (RDSv3) and Encrypted Backups and Export Files reside in ZFS Data Sets A-1 on the Sun ZFS Storage Appliance (NFSv4); the storage tier uses Intel AES-NI Hardware Assisted Cryptography.]
13. Database Consolidation Example
[Diagram: a SPARC T5-8 Server with a Database Domain (Zone A holding Database A-1 and Database A-2) and an Application Domain (Zone C holding Database C-1, Zone D holding Database D-1), each database made up of several Tablespaces. The databases reach ASM Disk Groups on the Oracle Exadata Storage Servers over an InfiniBand Network Partition with RDSv3, and ZFS Data Sets on the Sun ZFS Storage Appliance over a second InfiniBand Network Partition with NFS. The Client Access Network and the Management Network are separate.]
14. Multi-Tier Application Security
[Diagram: the four focus areas (Secure Isolation, Access Control, Data Protection, Monitoring and Auditing) mapped across the Presentation, Service Logic and Data tiers and the Compute, Storage and Network layers.]
15. Multi-Tier Network Isolation
InfiniBand Partitioning Strategy
[Diagram: on a SPARC T5-8 Server, the Application Domain holds Zone A (Web Server) and Zone B (Application Server) and the Database Domain holds Zone C (Database Server). Client A reaches the web tier over VLAN A on the Client Access Network using HTTPS. InfiniBand partition keys label the links: 0xFFFF for the Oracle Exadata Storage Servers (RDSv3), 0x0503/0x8503 and 0x0513/0x8513 for the ZFS Storage (Web) and ZFS Storage (App) shares on the Sun ZFS Storage Appliance, and 0x0751/0x8751 and 0x8761 for the Web to App and App to DB links.]
16. Multi-Tier Network Isolation
End to End Deployment Scenario
[Diagram: Client A and Client B reach a SPARC T5-8 Server over the Client Access Network on VLAN A and VLAN B using HTTPS. The Application Domain holds Zone C (Load Balancing Proxy), Zone A (Application A) and Zone B (Application B); the Database Domain holds Zone A (Database A) and Zone B (Database B). InfiniBand Network Partitions separate the traffic: IPoIB for NFSv4 and iSCSI to the Application B Share (0x8503), Application A Share (0x8513), Database A Share (0x8523) and Database B Share (0x8533); RDSv3 to the Database A ASM DG (0xFFFF) and Database B ASM DG (0xFFFF); and inter-tier links over IPoIB/TCP (0x0751, 0x8751) and SDP (0x0752, 0x8752).]
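The paired partition keys on these two slides (0x0503 beside 0x8503, 0x0751 beside 0x8751) differ only in bit 15, which under the InfiniBand specification marks full membership (1) or limited membership (0) in the partition given by the low 15 bits; limited members can exchange traffic only with full members, never with each other. The following Python is an added example, not code from the deck or from Oracle: it decodes the slides' P_Keys and reports which endpoints a planned assignment lets talk, which is the check to run when confirming that tenant zones sharing a storage partition stay apart. The port table is constructed, and giving storage endpoints full membership and tenant zones limited membership is an assumption of the example.

```python
# Added example: decoding InfiniBand partition keys (P_Keys) as labelled on the
# multi-tier isolation slides. Standard IB semantics, nothing SuperCluster-specific:
# bit 15 of the 16-bit P_Key is the membership type (1 = full, 0 = limited) and
# the low 15 bits are the partition number. Limited members reach only full members.

FULL_MEMBER_BIT = 0x8000
PARTITION_MASK = 0x7FFF


def decode_pkey(pkey: int) -> tuple[int, bool]:
    """Return (partition number, is_full_member) for a 16-bit P_Key."""
    if not 0 <= pkey <= 0xFFFF:
        raise ValueError(f"P_Key out of range: {pkey:#x}")
    return pkey & PARTITION_MASK, bool(pkey & FULL_MEMBER_BIT)


def can_communicate(pkey_a: int, pkey_b: int) -> bool:
    """Two ports exchange traffic only when they share a partition number
    and at least one of them holds full membership."""
    part_a, full_a = decode_pkey(pkey_a)
    part_b, full_b = decode_pkey(pkey_b)
    return part_a == part_b and (full_a or full_b)


# Constructed port table modelled on slides 15 and 16. Full membership for the
# storage endpoints and limited membership for the tenant zones is an assumption
# made for this example, not a statement from the deck.
PORTS = {
    "zone-a-app-a": 0x0513,     # limited member of partition 0x0513
    "zone-b-app-b": 0x0503,     # limited member of partition 0x0503
    "zfs-share-app-a": 0x8513,  # full member of partition 0x0513
    "zfs-share-app-b": 0x8503,  # full member of partition 0x0503
    "zone-a-db-a": 0xFFFF,      # full member of the default partition 0x7FFF
    "exadata-cells": 0xFFFF,    # full member of the default partition 0x7FFF
}


def reachable_pairs(ports: dict[str, int]) -> list[tuple[str, str]]:
    """List every pair of named ports whose P_Keys allow traffic between them.
    Run over a planned assignment, this shows which tenants can reach each other."""
    names = sorted(ports)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if can_communicate(ports[a], ports[b])]


if __name__ == "__main__":
    for name, pkey in PORTS.items():
        part, full = decode_pkey(pkey)
        print(f"{name:16} {pkey:#06x} partition {part:#06x} {'full' if full else 'limited'}")
    print("reachable:", reachable_pairs(PORTS))
```

Note that two tenant zones holding limited membership in the same share partition (0x0503 and 0x0503) are not listed as reachable even though they share a partition number; that is the property the limited/full split on slide 18 relies on.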
17. Encrypted and Immutable Zones
■ Read-Only Non-Global Zone
▪ Protects the system binaries from malicious or accidental tampering
▪ MWAC Policy (Strict or Fixed)
▪ Can be augmented with additional read-only ZFS data sets to protect specific applications, data sets, etc.
■ Encrypted Non-Global Zone Root
▪ ZFS encryption implemented on iSCSI LUNs from ZFS Storage Appliance
▪ Leverages FIPS 140-2 validated cryptography
▪ Secure key storage using Solaris Softtoken Keystore or Oracle Key Manager
Solaris 11 Immutable Zone Options
           /, /usr, /lib, …   /etc        /var        other
None       Writeable          Writeable   Writeable   Writeable
Flexible   Read Only          Writeable   Writeable*  Read Only
Fixed      Read Only          Read Only   Writeable*  Read Only
Strict     Read Only          Read Only   Read Only   Read Only
18. Multi-tier Deployment Scenario
Immutable and Encrypted Zones and InfiniBand Partitions
[Diagram: a SPARC T4-4 Server with a Solaris 11 Domain hosting two Immutable Solaris Zones, app01 and app02, which form the WebLogic Server Cluster app-cluster with WLS 12c instances as-app01-01 (TCP/8001), as-app01-02 (TCP/8002), as-app02-01 (TCP/8001) and as-app02-02 (TCP/8002). An Encrypted ZFS Data Set is mounted in each zone as read-only /apps, Encrypted Per-Zone ZFS Data Sets are mounted as read-write /data and as the zone root, and the ZFS keys are stored in a PKCS#11 token. VNICs net0:1, net0:2, net1:1 and net1:2 over net0 and net1 attach the zones to a Database Access Network (InfiniBand Partition, RDSv3, 0xFFFF), a WebLogic Access Network (InfiniBand Partition, IPoIB) and a Coherence Access Network (InfiniBand Partition, IPoIB), with Limited or Full partition membership per attachment. A SPARC T5-8 Server with two Application Domains runs a Zone Cluster of two Oracle Traffic Director instances on Encrypted Per-Zone ZFS Data Sets, fronted by the Client Access Network on VLAN A over HTTPS.]
19. Cryptographic Isolation: Multi-Tier Scenario
[Diagram: the Client Access Network enters the Application Domain over TLS, where Zone A runs Oracle Traffic Director and Zone B runs Oracle WebLogic, both on the Oracle Solaris Cryptographic Framework; TLS also carries the traffic between tiers over InfiniBand Network Partitions #1 and #2. In the Database Domain, Zone C runs Oracle Database (SSL and TDE) on the Oracle Solaris Cryptographic Framework with SPARC T5 Hardware Assisted Cryptography, keeping its SSL Certificate and TDE Master Key in the Oracle PKCS#11 Wallet (Oracle Solaris PKCS#11 Softtoken). ENCRYPTED Tablespaces reside in ASM Disk Groups on the Oracle Exadata Storage Servers (RDSv3), and ENCRYPTED ZFS Volumes/Data Sets holding Binaries, Configurations and Backups reside on the Sun ZFS Storage Appliance (iSCSI, NFS over InfiniBand Network Partition #3); the storage tier uses Intel AES-NI Hardware Assisted Cryptography.]
20. Security Performance on SuperCluster T5-8
Multi-Tier Application Security – SSL/TLS, TDE and Encrypted ZFS
• RSA-2048 (Key Alg)
• AES-256 (Bulk Alg)
• SHA256withRSA (Signature Alg)
• TLS_RSA_WITH_AES_256_CBC_SHA (SSL Cipher Suite)
• Immutable Zones on Encrypted ZFS Data sets (AES 128)
• Oracle Fusion Middleware
• Weblogic 12cR1
• 300 Users
• Two-way SSL
• JDK 7u17
• Oracle 11gR2 TDE
• Solaris 11.1 (SuperCluster T5-8)
[Bar chart, Operations/sec on SPARC T5-8:]
No SSL: 9195
3rd Party JCE (Software SSL) and TDE: 4296
Oracle Ucrypto SSL and TDE (SPARC T5): 8478
SPARC T5 - SSL, TDE, Encrypted ZFS on Solaris Zone: 8404
21. SuperCluster Security Summary
Complete
• Layered, Defense in Depth From Applications to Disk
• Lifecycle Data Protection - In Use, In Transit and At Rest
Integrated
• Hardware-Assisted Security for Encryption and Isolation
• Comprehensive Activity Monitoring and Key Management
Flexible
• Enables Single and Multiple Tier and Tenant Architectures
• Satisfies Various Quality of Service and Security Levels
Trusted
• Protecting Mission Critical Environments Around the Globe
• Designed, Pre-Integrated, and Tested to Work Best Together
22. Additional Resources
■ Oracle SuperCluster T5-8 Platform Security Principles and Capabilities
▪ http://www.oracle.com/technetwork/server-storage/sun-sparc-enterprise/documentation/o13-052-osc-t5-8-security-1989641.pdf
■ Secure Database Consolidation using the Oracle SuperCluster T5-8 Platform
▪ http://www.oracle.com/technetwork/server-storage/sun-sparc-enterprise/documentation/o13-053-securedb-osc-t5-8-1990064.pdf
■ High Performance Security for Oracle WebLogic and Fusion Middleware Applications
▪ http://www.oracle.com/technetwork/articles/systems-hardware-architecture/security-weblogic-t-series-168447.pdf