REMINDER: Check in on the COLLABORATE mobile app
High Performance Security and
Virtualization for Oracle Database and
Cloud-Enabled Applications
Prepared by:
Glenn Brunette, Ramesh Nagappan
Oracle Corporation
Program Agenda
■  SPARC SuperCluster Security Overview
■  Secure Database Consolidation Strategies
■  Secure Multi-Tier Deployment Architectures
■  Summary and Q&A
Engineered Systems Security Strategy
■  Security at each layer
■  Security between layers
■  Security between systems
SuperCluster Security Focus Areas
■  Focus areas: Secure Isolation, Access Control, Data Protection, Monitoring and Auditing
■  Applied to each platform layer: Compute, Storage, Network, Database
SuperCluster Security Capabilities
(one row per focus area; entries listed per platform layer: Compute, Storage, Network, Database)
■  Secure Isolation
▪  Compute: Physical, Hypervisor-Mediated, Kernel-Mediated
▪  Storage: Physical, ASM Instances, ZFS Data Sets
▪  Network: Physical (Ethernet), Ethernet VLANs, InfiniBand Partitions
▪  Database: Pluggable DBs; Instances, Schema; Labels
■  Access Control
▪  Compute: RBAC, LDOM Administration, Zone Administration
▪  Storage: ZFS Administration, ASM Security, NFS Security
▪  Network: IP Filter, Switch ACLs; Audit Vault and Database Firewall
▪  Database: Roles and Privileges, Database Vault, Mandatory Realms
■  Data Protection
▪  Compute: Immutable Zones, Read-Only Mounts, Extended Policies
▪  Storage: ZFS Encryption, LOFI Encryption, TDE
▪  Network: SSH, SSL / TLS, IPsec / IKE
▪  Database: Virtual Private DB, Data Redaction, Data Masking
■  Monitoring and Auditing
▪  Compute: Solaris Auditing, Reliable Syslog, BART
▪  Storage: ZFS Storage Appliance Auditing, Exadata Storage Auditing
▪  Network: IP Filter (Logging), Switch Logs
▪  Database: Database Auditing, Audit Vault and Database Firewall
Compute Perspective
Isolation options for consolidated databases, from strongest to weakest separation:
■  Physical Isolation: one database per SPARC T5-8 server (Server 1, Server 2), each in its own domain
■  Electrical Isolation: databases in separate, electrically isolated physical domains (Domain 1, Domain 2) of a SPARC M6-32 server
■  Hypervisor Isolation: databases in separate Oracle VM Server for SPARC domains (Domain 1, Domain 2) on one SPARC T5-8 server
■  Zones Isolation: databases in separate Oracle Solaris Zones (Zone A, B, C, D) inside one domain
■  POSIX Isolation: several databases sharing one domain and one zone, separated only by POSIX users, groups and file permissions
Oracle Solaris 11 Layered Capabilities
■  Pluggable Authentication
■  Role-based Access Control
■  Fine-Grained Privileges
■  Extended File Access Controls
■  Application Sandboxing
■  Hardware-Assisted Cryptography
■  Network Security Controls
■  Dynamic Resource Controls
■  Auditing and Monitoring
Database Perspective
■  Instance Isolation: several database instances in one domain on a SPARC T5-8 server, each with its own processes and memory
■  Schema Isolation: one database instance holding several schemas, one per application or tenant
■  Label Isolation: one database and one schema, with rows separated by security labels
■  Container Isolation: one container database hosting several pluggable databases
Network Perspective
■  Layer 2 VNIC and VLAN Isolation: each zone gets its own VNICs (for example VNIC B-1-0 and VNIC B-1-1 over the physical ports net0 and net1), grouped for failover with IPMP (IPMP A-1, IPMP B-1) and tagged into per-tenant VLANs (VLAN A-1-0 and VLAN A-1-1 for Database A-1, VLAN C for Database C-1), so Client A-1, B-1 and C-1 reach Database A-1, B-1 and C-1 over separate VLANs of the client access network
■  Adding Cryptographic Isolation: where layer 2 separation alone is not enough, client-to-database traffic is additionally protected with IPsec or SSL (shown for Client C-1 to Database C-1 in Zone C)
Storage Perspective
■  Compute: one SPARC T5-8 server running Oracle VM Server for SPARC with a Database Domain (Oracle Solaris 11 Zone A hosting Oracle Database 11g Release 2 instances A-1 and A-2) and an Application Domain (Zone C hosting instance C-1, Zone D hosting instance D-1)
■  ASM Disk Groups (A-1, A-2) on the Oracle Exadata Storage Servers, reached over InfiniBand partition 0xFFFF using RDSv3
■  ZFS Data Sets (C-1, D-1) on the Sun ZFS Storage Appliance, reached over InfiniBand partition 0x8503 using NFS over IPoIB
Cryptographic Perspective
■  Client A-1 connects to Oracle Database A-1 (Zone A, Database Domain) over SSL on the client access network; SSL Certificate A-1 and TDE Master Key A-1 are held in an Oracle PKCS#11 Wallet backed by the Oracle Solaris PKCS#11 Softtoken
■  The Oracle Solaris Cryptographic Framework offloads the SSL and TDE operations to SPARC T5 hardware-assisted cryptography
■  Encrypted tablespaces (TDE) live in ASM Disk Group A-1 on the Oracle Exadata Storage Servers, reached by RDSv3 over the InfiniBand network partition; the storage servers use Intel AES-NI hardware-assisted cryptography
■  Encrypted backups and export files live in ZFS Data Sets A-1 on the Sun ZFS Storage Appliance, reached over NFSv4
Database Consolidation Example
■  SPARC T5-8 server with a Database Domain (Zone A: Database A-1 and Database A-2) and an Application Domain (Zone C: Database C-1; Zone D: Database D-1), each database made up of several tablespaces
■  Database Domain storage: ASM Disk Groups on the Oracle Exadata Storage Servers, reached by RDSv3 over a dedicated InfiniBand network partition
■  Application Domain storage: ZFS Data Sets on the Sun ZFS Storage Appliance, reached by NFS over a separate InfiniBand network partition
■  Separate Client Access Network and Management Network
Multi-Tier Application Security
■  Application tiers: Presentation, Service Logic, Data
■  Platform layers: Compute, Storage, Network
■  Focus areas applied at every tier and layer: Secure Isolation, Access Control, Data Protection, Monitoring and Auditing
Multi-Tier Network Isolation
InfiniBand Partitioning Strategy
■  SPARC T5-8 server with an Application Domain (Zone A: Web Server, Zone B: Application Server) and a Database Domain (Zone C: Database Server); Client A reaches the web tier over HTTPS on VLAN A of the Client Access Network
■  Each traffic flow gets its own InfiniBand partition key:
▪  Web to App: 0x0751 / 0x8751
▪  App to DB: 0x8761
▪  ZFS Storage (Web): 0x0503 / 0x8503
▪  ZFS Storage (App): 0x0513 / 0x8513
▪  Exadata Storage (RDSv3): 0xFFFF
■  A pair such as 0x0503 / 0x8503 is one partition number with the membership bit (0x8000) clear or set: 0x0503 is a limited member, 0x8503 a full member. Limited members can exchange traffic only with full members, never with each other, so zones attached as limited members of a storage partition reach the appliance but not one another
Multi-Tier Network Isolation
End to End Deployment Scenario
■  Client Access Network: Client A and Client B reach the SPARC T5-8 server over HTTPS on VLAN A and VLAN B; Zone C in the Application Domain runs a load balancing proxy in front of Application A (Zone A) and Application B (Zone B)
■  Database Domain: Database A (Zone A) and Database B (Zone B)
■  InfiniBand Network Partitions:
▪  IPoIB for NFSv4 and iSCSI to the Sun ZFS Storage Appliance: Application B share (0x8503), Application A share (0x8513), Database A share (0x8523), Database B share (0x8533)
▪  RDSv3 to the Exadata Storage Servers: Database A ASM DG (0xFFFF), Database B ASM DG (0xFFFF)
▪  Application tier to database tier: IPoIB/TCP (0x0751 / 0x8751) and SDP (0x0752 / 0x8752)
■  Note that both databases share the default partition 0xFFFF for ASM traffic, so tenant separation at the Exadata layer rests on ASM and storage server access controls rather than on InfiniBand partitioning
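The partition rules behind the key pairs above can be checked before a single P_Key is programmed into a switch. The following is an added example, not code from the original deck or from Oracle: it encodes the InfiniBand membership rule (low 15 bits name the partition, bit 15 marks full versus limited membership, and two ports talk only if they share a partition and at least one is a full member) and evaluates which ports in the scenario can reach which. The P_Key values are those on the slides; which port holds full or limited membership, and the port names, are assumptions made for illustration.

```python
"""InfiniBand partition (P_Key) reachability model for the multi-tier scenario.

Added example; not code from the original deck or from Oracle. The rule
implemented here is the InfiniBand one: the low 15 bits of a P_Key are the
partition number, bit 15 (0x8000) is the membership type (set = full member,
clear = limited member), and a packet is accepted only when the partition
numbers match and not both ends are limited members.
"""
from itertools import combinations

MEMBERSHIP_BIT = 0x8000


def partition_number(pkey: int) -> int:
    """Low 15 bits: the partition a key belongs to."""
    return pkey & 0x7FFF


def is_full_member(pkey: int) -> bool:
    """Bit 15 set means full membership; clear means limited membership."""
    return bool(pkey & MEMBERSHIP_BIT)


def keys_can_talk(a: int, b: int) -> bool:
    """Two P_Keys permit traffic when they match and not both are limited."""
    return partition_number(a) == partition_number(b) and (
        is_full_member(a) or is_full_member(b)
    )


def ports_can_talk(table_a: set, table_b: set) -> bool:
    """Two ports can talk if any pair of entries from their P_Key tables can."""
    return any(keys_can_talk(a, b) for a in table_a for b in table_b)


# Constructed P_Key tables (assumption: the storage appliance, Exadata and the
# database zones are full members; application zones are limited members).
PKEY_TABLES = {
    "exadata":       {0xFFFF},                          # default partition, RDSv3
    "zfs-appliance": {0x8503, 0x8513, 0x8523, 0x8533},  # one share per tenant
    "app-a":         {0x0513, 0x0751, 0x0752},          # own share + app-to-db links
    "app-b":         {0x0503, 0x0751, 0x0752},
    "db-a":          {0xFFFF, 0x0523, 0x8751, 0x8752},
    "db-b":          {0xFFFF, 0x0533, 0x8751, 0x8752},
}


def reachability(tables: dict) -> dict:
    """Map every unordered pair of ports to whether they can exchange packets."""
    return {
        frozenset((x, y)): ports_can_talk(tables[x], tables[y])
        for x, y in combinations(sorted(tables), 2)
    }


def reachable_from(tables: dict, port: str) -> set:
    """Ports that `port` can exchange packets with under the given tables."""
    reach = reachability(tables)
    return {
        other for other in tables
        if other != port and reach[frozenset((port, other))]
    }


if __name__ == "__main__":
    for name in sorted(PKEY_TABLES):
        print(f"{name:14s} -> {sorted(reachable_from(PKEY_TABLES, name))}")
```

Running it shows the intended effect of limited membership (app-a reaches the storage appliance and the databases but never app-b, even though both hold 0x0751) and also a weakness of sharing one app-to-db partition: app-a can reach db-b because db-b is a full member of 0x751. If tenant A's application must not see tenant B's database, each tenant needs its own app-to-db partition, exactly as the storage shares already are. The model assumes the subnet manager has programmed these tables and that the HCA enforces them on receive, which is where the check happens in hardware.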
Encrypted and Immutable Zones
■  Read-Only Non-Global Zone
▪  Protects the system binaries from
malicious or accidental tampering
▪  MWAC Policy (Strict or Fixed)
▪  Can be augmented with additional read
only ZFS data sets to protect specific
applications, data sets, etc.
■  Encrypted Non-Global Zone Root
▪  ZFS encryption implemented on iSCSI LUNs from ZFS Storage Appliance
▪  Leverages FIPS 140-2 validated cryptography
▪  Secure key storage using Solaris Softtoken Keystore or Oracle Key Manager (the Softtoken is a PIN-protected software keystore held on the host itself; Oracle Key Manager keeps the keys on a separate key management appliance)
Solaris 11 Immutable Zone Options (zonecfg file-mac-profile)
Writeability by policy, for the columns "/, /usr, /lib, …", "/etc", "/var" and "other":
■  None (none): writeable; writeable; writeable; writeable
■  Flexible (flexible-configuration): read only; writeable; writeable*; read only
■  Fixed (fixed-configuration): read only; read only; writeable*; read only
■  Strict (strict): read only; read only; read only; read only
* writeable except for the directories that hold system configuration components
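Whether a deployed zone actually matches the "strict or fixed, encrypted root, key in a token" design is something to verify rather than assume. The following is an added example, not code from the original deck or from Oracle: it reads the text that `zonecfg -z <zone> export` and `zfs get -H -o name,property,value encryption,keysource <dataset>` print on Oracle Solaris 11 and reports each zone that has a weaker file-mac-profile, an unencrypted root data set, or a ZFS key loaded from a file on disk instead of a PKCS#11 token. The sample command outputs, the zone names app01 to app03 and the rpool/zones/<zone> data set layout are constructed for illustration.

```python
"""Audit zones for immutability and encrypted, token-keyed root data sets.

Added example; not code from the original deck or from Oracle. Input is the
text of `zonecfg -z <zone> export` and of
`zfs get -H -o name,property,value encryption,keysource <dataset>`; all
sample values below are constructed.
"""
import re

ACCEPTED_PROFILES = {"strict", "fixed-configuration"}

# Constructed `zonecfg export` output, one entry per zone.
ZONECFG_EXPORT = {
    "app01": "create -b\nset zonepath=/zones/app01\nset brand=solaris\n"
             "add net\nset physical=net0\nend\n"
             "set file-mac-profile=fixed-configuration\n",
    "app02": "create -b\nset zonepath=/zones/app02\nset brand=solaris\n"
             "set file-mac-profile=flexible-configuration\n",
    "app03": "create -b\nset zonepath=/zones/app03\nset brand=solaris\n",
}

# Constructed `zfs get -H -o name,property,value` output (tab separated).
ZFS_GET = (
    "rpool/zones/app01\tencryption\taes-256-ccm\n"
    "rpool/zones/app01\tkeysource\traw,pkcs11:object=app01-root;token=zfs\n"
    "rpool/zones/app02\tencryption\ton\n"
    "rpool/zones/app02\tkeysource\tpassphrase,file:///etc/zfs/app02.key\n"
    "rpool/zones/app03\tencryption\toff\n"
)

# Assumption: each zone root lives in the data set rpool/zones/<zone>.
ZONE_ROOT_DATASET = {zone: f"rpool/zones/{zone}" for zone in ZONECFG_EXPORT}


def parse_zonecfg(export_text: str) -> dict:
    """Collect the top-level `set key=value` lines of a zonecfg export.

    Properties inside `add ... end` resource blocks (net, fs, ...) are skipped
    so that a nested `set` never shadows a global one.
    """
    props, depth = {}, 0
    for raw in export_text.splitlines():
        line = raw.strip()
        if line.startswith("add "):
            depth += 1
        elif line == "end":
            depth -= 1
        elif depth == 0:
            m = re.match(r"set (\S+?)=(.*)$", line)
            if m:
                props[m.group(1)] = m.group(2)
    return props


def parse_zfs_get(text: str) -> dict:
    """dataset -> {property: value} from tab-separated `zfs get -H` output."""
    props = {}
    for line in text.splitlines():
        if line.strip():
            name, prop, value = line.split("\t", 2)
            props.setdefault(name, {})[prop] = value
    return props


def audit_zone(zone: str, zonecfg_text: str, zfs_props: dict, dataset: str) -> list:
    """Return the findings for one zone; an empty list means it matches the design."""
    findings = []
    profile = parse_zonecfg(zonecfg_text).get("file-mac-profile", "none")
    if profile not in ACCEPTED_PROFILES:
        findings.append(f"{zone}: file-mac-profile is {profile}, "
                        "expected strict or fixed-configuration")
    ds = zfs_props.get(dataset, {})
    if ds.get("encryption", "off") == "off":
        findings.append(f"{zone}: zone root {dataset} is not encrypted")
    else:
        # keysource is "<format>,<location>"; only a pkcs11: location keeps the
        # wrapping key out of a plain file that sits next to the data it protects.
        _fmt, _, location = ds.get("keysource", "").partition(",")
        if not location.startswith("pkcs11:"):
            findings.append(f"{zone}: ZFS key for {dataset} comes from "
                            f"{location or 'an unknown source'}, not a PKCS#11 token")
    return findings


def audit_all(exports=ZONECFG_EXPORT, zfs_text=ZFS_GET, roots=ZONE_ROOT_DATASET) -> dict:
    """zone -> list of findings, across every zone in `exports`."""
    zfs_props = parse_zfs_get(zfs_text)
    return {zone: audit_zone(zone, exports[zone], zfs_props, roots[zone])
            for zone in exports}


if __name__ == "__main__":
    for zone, findings in audit_all().items():
        print(zone, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

On the constructed input app01 passes, app02 is reported twice (flexible profile, key in a file) and app03 twice (no profile set, root unencrypted). On a live system the two command outputs would be captured with subprocess and fed to `audit_all` in place of the embedded strings.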
Multi-tier Deployment Scenario
Immutable and Encrypted Zones and InfiniBand Partitions
■  SPARC T4-4 server, Solaris 11 domain, two Immutable Solaris Zones (app01, app02) forming the WebLogic Server cluster app-cluster: WLS 12c instances as-app01-01 (TCP/8001) and as-app01-02 (TCP/8002) in app01, as-app02-01 (TCP/8001) and as-app02-02 (TCP/8002) in app02
■  Encrypted ZFS data sets, with the ZFS keys stored in a PKCS#11 token: one shared data set mounted read-only in each zone as /apps, per-zone data sets mounted read-write as /data, and per-zone data sets holding each zone root
■  Per-zone VNICs (net0:1, net1:1, net0:2, net1:2) over the physical ports net0 and net1
■  InfiniBand partitions: Database Access Network (RDSv3, 0xFFFF), WebLogic Access Network (IPoIB) and Coherence Access Network (IPoIB); the diagram marks each zone's membership per partition as Limited or Full. Limited membership is enough where a zone only needs to reach a full-member service; Full membership is needed where the zones must talk to each other directly
■  SPARC T5-8 server: two Application Domains, each with encrypted per-zone ZFS data sets and an Oracle Traffic Director instance, joined in a zone cluster and serving HTTPS from VLAN A of the Client Access Network
Cryptographic Isolation: Multi-Tier Scenario
■  Client Access Network to Zone A (Oracle Traffic Director, Application Domain): TLS
■  Zone A to Zone B (Oracle WebLogic): TLS; Zone B to Zone C (Oracle Database with SSL and TDE, Database Domain): TLS over InfiniBand Network Partition #1
■  Zone C to the ASM Disk Groups on the Oracle Exadata Storage Servers: RDSv3 over InfiniBand Network Partition #2, holding ENCRYPTED tablespaces (Intel AES-NI hardware-assisted cryptography on the storage servers)
■  Application Domain to the ZFS Volumes/Data Sets on the Sun ZFS Storage Appliance: iSCSI and NFS over InfiniBand Network Partition #3, holding ENCRYPTED binaries, configurations and backups
■  Keys: the SSL certificate and the TDE master key are held in an Oracle PKCS#11 Wallet (Oracle Solaris PKCS#11 Softtoken); both domains use the Oracle Solaris Cryptographic Framework with SPARC T5 hardware-assisted cryptography
Security Performance on SuperCluster T5-8
Multi-Tier Application Security – SSL/TLS, TDE and Encrypted ZFS
■  Test configuration
▪  RSA-2048 (key algorithm), AES-256 (bulk algorithm), SHA256withRSA (signature algorithm)
▪  TLS_RSA_WITH_AES_256_CBC_SHA (SSL cipher suite), two-way SSL
▪  Immutable zones on encrypted ZFS data sets (AES-128)
▪  Oracle Fusion Middleware, WebLogic 12cR1, JDK 7u17, 300 users
▪  Oracle 11gR2 TDE
▪  Solaris 11.1 (SuperCluster T5-8)
■  Results (operations/sec on SPARC T5-8)
▪  No SSL: 9195
▪  3rd party JCE (software SSL) and TDE: 4296
▪  Oracle Ucrypto SSL and TDE (SPARC T5): 8478
▪  SPARC T5 with SSL, TDE and encrypted ZFS on a Solaris zone: 8404
■  The numbers reflect the configuration of the time: TLS_RSA_WITH_AES_256_CBC_SHA uses static RSA key exchange and CBC mode, gives no forward secrecy and is not available in TLS 1.3, so a current deployment would measure an ECDHE suite with an AEAD cipher instead
SuperCluster Security Summary
Complete
•  Layered, Defense in Depth From Applications to Disk
•  Lifecycle Data Protection - In Use, In Transit and At Rest
Integrated
•  Hardware-Assisted Security for Encryption and Isolation
•  Comprehensive Activity Monitoring and Key Management
Flexible
•  Enables Single and Multiple Tier and Tenant Architectures
•  Satisfies Various Quality of Service and Security Levels
Trusted
•  Protecting Mission Critical Environments Around the Globe
•  Designed, Pre-Integrated, and Tested to Work Best Together
Additional Resources
■  Oracle SuperCluster T5-8 Platform Security Principles and Capabilities
▪  http://www.oracle.com/technetwork/server-storage/sun-sparc-enterprise/documentation/o13-052-osc-t5-8-security-1989641.pdf
■  Secure Database Consolidation using the Oracle SuperCluster T5-8 Platform
▪  http://www.oracle.com/technetwork/server-storage/sun-sparc-enterprise/documentation/o13-053-securedb-osc-t5-8-1990064.pdf
■  High Performance Security for Oracle WebLogic and Fusion Middleware Applications
▪  http://www.oracle.com/technetwork/articles/systems-hardware-architecture/security-weblogic-t-series-168447.pdf
Questions?