An Oracle Technical White Paper
August 2013
Oracle SuperCluster T5-8 Platform Security Principles and Capabilities
SPARC SuperCluster T4-4 Platform Security Principles and Capabilities
Introduction ....................................................................................... 1
Product Security Principles ................................................................ 1
Survivability ................................................................................... 1
Defense in Depth ........................................................................... 2
Least Privilege ............................................................................... 2
Accountability ................................................................................ 2
Product Security Capabilities ............................................................. 3
Secure Isolation ............................................................................. 4
Access Control .............................................................................. 7
Cryptographic Services.................................................................. 9
Monitoring and Auditing ............................................................... 10
Quality of Service ........................................................................ 11
Security Management .................................................................. 13
General Recommendations and Considerations .............................. 15
Architectural ................................................................................ 15
Deployment ................................................................................. 16
Operational .................................................................................. 17
Conclusion ...................................................................................... 17
References ...................................................................................... 18
General White Papers and Documentation .................................. 18
Product Security Guides .............................................................. 18
Security White Papers and Documentation .................................. 18
Oracle SuperCluster T5-8 Platform Security Principles and Capabilities
1
Introduction
The Oracle SuperCluster T5-8 (Oracle SuperCluster) is a high performance, multi-purpose engineered
system designed, tested and integrated to run a wide array of enterprise applications. It is well suited to
many different tasks including database and application consolidation, running multi-tier enterprise
applications, and multi-tenant application delivery. To realize secure architectures such as these, the
Oracle SuperCluster platform enjoys a level of security synergy not often found in today’s IT
architectures. Stemming from its high degree of engineering innovation and integration, the security
posture and potential of this platform is truly greater than the sum of its individual components.
In this paper, the security principles and capabilities of the Oracle SuperCluster platform will be
discussed to highlight the comprehensive set of security controls that can be employed to meet even
the most challenging security demands. While discussed individually, it is important to understand that
each capability offers an opportunity to be layered with the others to create reinforced security
postures. Additional architectural, deployment and operational guidance will also be offered to help
organizations understand where and how their Oracle SuperCluster platform can be integrated into
their existing IT security environment.
Product Security Principles
Before discussing the individual security capabilities of the Oracle SuperCluster platform, it is
important to highlight the principles that guided the development of this engineered system. The
security principles of survivability, defense in depth, least privilege, and accountability sit at the very
heart of the Oracle SuperCluster platform’s security architecture. The platform embodies these time-
tested principles and delivers a well-integrated collection of security capabilities that help organizations
address their most pressing security requirements and concerns.
Survivability
Organizations selecting hardware and software platforms for their mission critical workloads must be
assured that the platforms can prevent or minimize the damage caused from both accidental and
malicious actions taken by internal users or external parties. The Oracle SuperCluster platform
supports the principle of survivability by:
• Ensuring that the components used by the platform have been designed, engineered and tested to work
well together in support of secure deployment architectures. The Oracle SuperCluster platform and
its constituent products support secure isolation, access control, cryptographic services, monitoring
and auditing, quality of service as well as secure management.
• Reducing the default attack surface of its constituent products to help minimize the overall exposure
of the platform. Organizations can then customize the security posture of the Oracle SuperCluster
platform based upon their policies and needs.
• Protecting the platform, including its operational and management interfaces, using a complement of
open and vetted protocols and APIs capable of supporting the traditional security goals of strong
authentication and access control, confidentiality, integrity, and availability.
Defense in Depth
The Oracle SuperCluster platform employs multiple, independent, and mutually reinforcing security
controls to help organizations create a secure operating environment for their workloads and data.
Properly employed, the principle of defense in depth ensures that a layered set of defenses exist,
helping organizations continue secure operations even after a vulnerability or failure of a single security
control. The Oracle SuperCluster platform supports the principle of defense in depth by:
• Offering a strong complement of protections to secure information in transit, in use, and at rest.
Security controls are available at the server, storage, network, virtualization, database, and application
layers. More importantly, each layer’s unique security controls can be integrated with the others to
enable the creation of strong, layered security architectures.
• Supporting the use of well-defined and open standards, protocols and interfaces. This means that the
Oracle SuperCluster platform can also be integrated into an organization’s existing security policies,
architectures, practices and standards. Integration such as this is critical as applications and devices
do not exist in isolation, and the security of IT architectures is only as strong as its weakest
component.
Least Privilege
Ensuring that applications, services and users have access to the capabilities that they need to perform
their tasks is only one side of the least privilege coin. It is equally important to ensure that access to
unnecessary capabilities, services, and interfaces be limited. The principle of least privilege is rooted in
a very simple concept, namely – do not give away capabilities that you do not want someone to use.
The Oracle SuperCluster platform promotes the principle of least privilege by:
• Ensuring that access to individual server, storage, virtualization, operating system, database and other
components can be granted based upon the role of each user and administrator. The use of
role-based and multi-factor access control models with fine-grained privileges ensures that access can be
limited to only what is needed.
• Constraining applications so that their access to information, underlying resources, network
communications, and even local or remote service access is restricted based upon need. Whether
caused by an accident or malicious attack, applications too can misbehave, and without enforcement
of least privilege, those applications may be able to cause harm far beyond their intended use.
Accountability
In most cases, it is insufficient to simply prevent a security incident. It is equally important to be able
to detect the incident, report the event, and understand how it was prevented. Similarly, when an event
cannot be prevented, it is imperative that an organization be able to detect that the event occurred so
that proper responses can be taken. Organizations concerned with accountability seek to answer
questions such as “what security event occurred?,” “when did it happen?,” “where did it take place?,”
“who caused the event?,” “who was the target?,” and “what was the outcome?” The Oracle
SuperCluster platform supports the principle of accountability by:
• Each of the components used within the Oracle SuperCluster platform supports activity auditing and
monitoring, including the ability to record login and logout events, administrative actions, and often
other events specific to each of the products. Collecting and reviewing this kind of information is an
important part of maintaining secure operations and can help with root-cause analysis in the event of
a security incident.
• Two of the products used in the Oracle SuperCluster platform deserve special mention for their
extensive ability to audit and monitor activity. The Oracle Solaris operating system and the Oracle
Database both support very fine-grained configurations when it comes to auditing. This allows
organizations to tune audit configurations in response to their standards and goals – to ensure that
critical information is captured, while at the same time, minimizing the “noise” of unnecessary or
inappropriate audit events.
The Oracle SuperCluster platform is an excellent option for organizations deploying mission critical
services as a result of its inherent ability to deliver on each of these security principles and others
including secure by default and reduced attack surface. The secure deployment architectures enabled by
its comprehensive set of security capabilities make the Oracle SuperCluster platform an ideal choice for
hosting mission-critical applications and services.
Product Security Capabilities
The Oracle SuperCluster platform is a multi-purpose engineered system that combines the computing
power of the SPARC T5 processor, the efficient virtualization capabilities of Oracle VM Server for
SPARC, the performance and scalability of the Oracle Solaris operating system, the optimized database
performance of the Oracle Database integrated with Oracle Exadata Storage Servers, and the
innovative network attached storage capabilities of Oracle’s Sun ZFS Storage Appliance. Each of these
core components is connected over a redundant InfiniBand fabric that enables low latency and high
performance network communication between all of the components. In addition, a 10-Gbps Ethernet
network is employed allowing clients to access services running on the Oracle SuperCluster platform. Finally,
a 1-Gbps Ethernet network provides the conduit through which all of the Oracle SuperCluster
components can be managed. For more high-level information on the Oracle SuperCluster
architecture, see the Oracle white paper titled “Oracle SuperCluster T5-8: Servers, Storage,
Networking, and Software - Optimized and Ready to Run”.
The Oracle SuperCluster platform supports a variety of full and half-rack deployment options. The
diagram in Figure 1 illustrates one possible half-rack configuration.
Figure 1. Example half-rack configuration of Oracle SuperCluster T5-8
It is important to have an appreciation for the security capabilities that are exposed by each of the core
components engineered into the Oracle SuperCluster architecture. To simplify the presentation of
these capabilities, they have been grouped into six distinct categories, namely: secure isolation, access
control, cryptographic services, monitoring and auditing, quality of service, and secure management.
This list is not exhaustive, but rather it is intended to highlight the security capabilities most often
employed by organizations seeking to deploy a layered security strategy.
Secure Isolation
Isolating services, users, data, communications, and storage is important for many organizations
wanting to consolidate IT infrastructure, implement shared service architectures, and deliver secure
multi-tenant services. The Oracle SuperCluster platform enables secure isolation at the workload,
network, database, and storage levels, allowing organizations the flexibility to implement various
isolation policies and strategies based upon their needs.
Workload Isolation
Oracle VM Server for SPARC is a classic Type 1 hypervisor that operates on bare metal and mediates
access to hardware resources ensuring strong isolation between individual Logical Domains (Domains)
running on the platform. Oracle VM Server for SPARC is used to create hard partitions configured as
either Oracle Database 11gR2 domains or General Purpose domains. Each General Purpose domain
has its own virtualized CPU, memory, storage, and console as well as its own instance of an operating
system. A General Purpose domain can run applications supported on either the Oracle Solaris 10 or 11
operating systems (including business applications, middleware and even databases) whereas Oracle
Database 11gR2 domains must run Oracle Database 11g Release 2 on the Oracle Solaris 11 operating
system.
Oracle Solaris Zones (Zones) are supported allowing customers to further isolate applications running
under the same operating system kernel. By design, zones offer unique capabilities that effectively and
efficiently sandbox different applications running on the same operating system, protecting them from
unintentional or malicious activities happening in other zones. Despite running on the same kernel,
each zone has its own identity and enjoys security, resource, namespace, and process isolation.
Essentially, zones provide built-in virtualization with strong isolation and flexible resource controls at a
smaller CPU and memory footprint than traditional virtual machines running on Type 1 hypervisors.
While Oracle VM Server for SPARC and Oracle Solaris Zones both support application isolation
goals, organizations are encouraged to view them as complementary technologies. Oracle VM Server
for SPARC is used to isolate operating systems (into different domains) whereas Oracle Solaris Zones
are used to isolate groups of processes. While these technologies can be used independently, their value
is compounded when they are used together to deploy application workloads securely and
efficiently.
Network Isolation
At a physical network level, client access is isolated from both device management and inter-device
communication. Client access is provided over a redundant 10-Gbps Ethernet network that ensures
reliable, high-speed access to services running on the platform. Similarly, management access is also
provided over a physically separate 1-Gbps Ethernet network, allowing organizations to create a hard
separation between their operational and management networks. Finally, inter-device communication is
achieved over a redundant InfiniBand network to create a high-performance, low-latency backplane
through which the individual devices can communicate.
To improve the isolation of network communications over the client access Ethernet network,
organizations are encouraged to leverage a strategy of physical isolation as well as the use of virtual
LANs (VLANs) in order to compartmentalize network traffic based upon their needs. Similarly, when
using InfiniBand, partitions can be used to achieve isolation comparable to VLANs on Ethernet. By
default, the Oracle SuperCluster platform is configured with a number of InfiniBand partitions to
promote isolation between database domains, network-based storage, and private clustering
interconnects. Additional partitions may be used, or existing ones may be adapted, to achieve site-
specific isolation goals. Further, the use of encrypted protocols over InfiniBand partitions and VLANs
is recommended when confidentiality and integrity of communications must be assured.
Both Oracle VM Server for SPARC and the Oracle Solaris 11 operating system support the notion of
virtual switches and network interfaces that can be configured to provide network access to both
domains and zones. In the case of Oracle VM Server for SPARC, network access is mediated
by the hypervisor. Similarly, for the Oracle Solaris operating system, the use of exclusive network
stacks and integrated virtual network switching, enforced by the operating system kernel, ensures that
access to networks is in compliance with policy. For example, this ensures that services running in one
Oracle Solaris zone are not able to snoop on the network traffic flowing in and out of other zones. In
either case, the degree to which domains and zones have access to shared networks is a matter of
configuration. Further, both physical and virtual network elements can be linked with existing Ethernet
VLANs and IP over InfiniBand partitions integrating these physical and virtual worlds into a holistic
network architecture.
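The isolation properties described in the Workload Isolation and Network Isolation sections above (a zone with its own exclusive IP stack on a dedicated virtual NIC, a bounded privilege set, and CPU and memory caps) can be captured in a zonecfg(1M) command file and checked before it is applied. The script below is an added example and is not taken from the Oracle paper or from Oracle documentation; the zone name app1, the VNIC vnic0, the zonepath, the cap sizes and the privileges removed from the default set are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the Oracle paper): emit a zonecfg(1M) command file
# for an isolated application zone and lint it before it is applied.
# Assumptions (constructed for this example): zone "app1", a VNIC "vnic0"
# created beforehand on the client-access interface, zonepath /zones/app1.

# Print the zonecfg command file on stdout.
# $1 zone name, $2 VNIC, $3 CPU cap, $4 memory cap (e.g. 2g)
make_zone_config() {
  zone=$1; vnic=$2; cpus=$3; mem=$4
  cat <<EOF
create -b
set zonepath=/zones/$zone
set autoboot=true
set ip-type=exclusive
add net
set physical=$vnic
end
set limitpriv=default,!proc_info,!proc_session
add capped-cpu
set ncpus=$cpus
end
add capped-memory
set physical=$mem
set swap=$mem
end
EOF
}

# Lint a command file read from stdin; return 0 only if the isolation
# properties we rely on are all present.
lint_zone_config() {
  cfg=$(cat)
  # a shared IP stack would let the zone see the global zone's interfaces
  printf '%s\n' "$cfg" | grep -q '^set ip-type=exclusive$' || return 1
  # the zone's privilege set must be explicitly bounded
  printf '%s\n' "$cfg" | grep -q '^set limitpriv=' || return 2
  # resource caps stop a noisy or compromised zone starving its neighbours
  printf '%s\n' "$cfg" | grep -q '^add capped-cpu$' || return 3
  printf '%s\n' "$cfg" | grep -q '^add capped-memory$' || return 4
  return 0
}

# Only touch the system when explicitly asked to ("apply" argument).
if [ "${1:-}" = "apply" ]; then
  make_zone_config app1 vnic0 2 2g > /tmp/app1.cfg
  lint_zone_config < /tmp/app1.cfg && zonecfg -z app1 -f /tmp/app1.cfg
fi
```

On a Solaris 11 host the VNIC is created first, for example with `dladm create-vnic -l net0 -v 100 vnic0` to bind it to VLAN 100, and the zone is then configured with `zonecfg -z app1 -f /tmp/app1.cfg` and installed and booted with zoneadm. Because the zone owns an exclusive IP stack, the kernel-enforced separation the text describes follows from the configuration: processes in app1 can only observe traffic on vnic0, not on the global zone's or other zones' interfaces.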
Database Isolation
There are a variety of ways that database isolation can be achieved. Physical separation is generally
viewed as one of the best methods and can be achieved by dedicating a single physical system to run an
Oracle Database 11gR2 domain. Hypervisor-mediated isolation using Oracle VM Server for SPARC is
a great option when database workloads must securely share physical resources with other workloads
running on the same physical platform.
Another isolation strategy involves the operation of multiple database instances within the same
operating system image. Multi-instance database isolation is achieved through a combination of
database and operating system-level controls, including dedicated credentials (e.g., users, groups, roles,
etc.), dedicated table spaces, as well as resource controls.
The Oracle Database Vault option includes a mandatory access control model to enforce isolation
using logical realms within a single database. Logical realms form a protective boundary around
existing application tables by blocking administrative accounts from having ad-hoc access to
application data. Similarly, Oracle Database Vault command rules enable policy-based controls that
limit who, when, where, and how the database and application data is accessed, creating a trusted path
to application data. Oracle Database Vault factors can be employed to further restrict access based
upon time of access, source IP address, and other criteria.
The Oracle Virtual Private Database capability enables the creation of policies that enforce fine-grained
access to database tables and views at the row and column levels. Oracle Virtual Private Database
provides security portability because policies are associated with database objects and are automatically
applied no matter how the data is accessed. Oracle Virtual Private Database can therefore be used to
provide isolation at the database tablespace level.
Finally, the Oracle Label Security option is used to classify data and mediate access to that data based
upon its classification. Organizations can define classification strategies that best support their needs,
whether hierarchical or disjoint. This capability allows information stored at different classification
levels to be isolated at the row-level within a single table space.
Storage Isolation
The Oracle Exadata Storage Servers are isolated from the rest of the architecture through the use of
InfiniBand partitioning. By default, these cells are assigned to a partition that is only accessible by
Oracle Database 11gR2 domains. The storage managed by the Oracle Exadata Storage Servers can be
further sub-divided using Oracle’s Automated Storage Management (ASM) facility to create individual
realms that each can have their own security policies.
The Sun ZFS Storage Appliance leverages a similar strategy by using InfiniBand partitions to isolate the
domains and zones with which it is able to communicate. By default, the Sun ZFS Storage Appliance is
placed into its own InfiniBand partition, separate from the Oracle Exadata Storage Servers. The use of
ZFS pools, datasets, and volumes allows organizations to further carve up storage into more granular
units that can have their own security policies.
Access Control
Controlling access to systems, services, and information is paramount for most customers.
Organizations need to be able to define flexible access policies to ensure that their users and
administrators have the right levels of access available to them at the right time. To protect application
data, workloads and the underlying infrastructure on which it all runs, the Oracle SuperCluster offers
comprehensive yet flexible access control capabilities for both users and administrators.
Workload Access Control
The Oracle Solaris operating system includes a variety of methods to authenticate users accessing
system services. While traditional user name and password pairs are still widely used, stronger methods
of authentication can be easily integrated using the Oracle Solaris pluggable authentication modules
(PAM) architecture, allowing the use of LDAP, Kerberos, and public key authentication. The
framework can further be extended to enable the use of smart cards, secure tokens, and other devices,
enabling Oracle Solaris to integrate into an organization’s existing identity and access management
architecture.
Oracle Solaris supports a comprehensive role-based access control (RBAC) facility allowing
organizations the flexibility of delegating user and administrative access based upon need. Eliminating
the notion of an all-powerful super-user, the RBAC capability in Oracle Solaris enables separation of
duty and supports the notion of administrative roles, authorizations, fine-grained privileges and rights
profiles that collectively are used to assign rights to users and administrators. RBAC is integrated with
other core Oracle Solaris services including the Oracle Solaris Service Management Framework (SMF)
and Oracle Solaris Zones to provide a consistent architecture to support all operating system level
access control needs.
Further, Oracle VM Server for SPARC leverages the RBAC capability in Oracle Solaris as a foundation
for its access control architecture, allowing organizations to manage, control, and audit operating
system and virtualization management access from a centralized authority.
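A defender's check that follows from the RBAC model just described is to confirm that ordinary accounts obtain their rights through roles and rights profiles rather than holding the "All" rights profile or a wildcard authorization directly. The script below is an added example, not code from the Oracle paper; it reads user_attr(4)-format entries, and the sample entries, account names and role names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Oracle paper): audit user_attr(4) entries for
# ordinary accounts that bypass role-based delegation.
# Format: user:qualifier:res1:res2:attr, attr is key=value pairs joined by ';'.
# Sample database, constructed for this example.
USER_ATTR_SAMPLE='root::::type=normal;auths=solaris.*,solaris.grant;profiles=All;lock_after_retries=no
zoneops::::type=role;profiles=Zone Management;roleauth=user
dbadmin::::type=role;profiles=Service Operator
alice::::type=normal;profiles=Basic Solaris User;roles=zoneops
bob::::type=normal;profiles=All
carol::::type=normal;auths=solaris.*;roles=dbadmin'

# Read user_attr lines on stdin; print "name: reason" for every account that
# is not a role and that directly holds the All profile or solaris.* auths.
audit_user_attr() {
  awk -F: '
    $1 == "root" { next }                 # root is expected to hold All
    {
      n = split($5, kv, ";"); isrole = 0; why = ""
      for (i = 1; i <= n; i++) {
        split(kv[i], p, "=")
        if (p[1] == "type" && p[2] == "role") isrole = 1
        # wrap the list in commas so "All" only matches as a whole item
        if (p[1] == "profiles" && index("," p[2] ",", ",All,")) why = why " profiles=All"
        if (p[1] == "auths" && index("," p[2] ",", ",solaris.*,")) why = why " auths=solaris.*"
      }
      if (!isrole && why != "") print $1 ":" why
    }'
}

# Convenience wrapper for a live system (path is the standard location).
audit_live_user_attr() {
  audit_user_attr < /etc/user_attr
}

# Run against the constructed sample when executed directly.
printf '%s\n' "$USER_ATTR_SAMPLE" | audit_user_attr
```

On the sample data the check reports bob (holds the All profile directly) and carol (holds the solaris.* wildcard authorization directly), while alice, who reaches zone administration only by assuming the zoneops role, is not reported. The same logic applies to a live system through `audit_live_user_attr`; findings should be resolved by moving the rights into a role or rights profile, which is also what keeps the associated actions attributable in the audit trail.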
Network Access Control
Beyond simple network-level isolation, fine-grained access control policies can be instituted at the
device level. All of the devices in the Oracle SuperCluster platform include the ability to limit network
access to services either using architectural methods (e.g., network isolation) or using packet filtering
and/or access control lists to limit communication to, from and between physical and virtual devices as
well as to the services exposed by the platform.
The Oracle Solaris operating system supports a "secure by default" posture where no network services
except Secure Shell are enabled to accept in-bound network traffic. Other enabled network services
listen internally for requests within the Oracle Solaris operating system (or zone). This ensures that all
network services are disabled by default or are set to listen for local system communications only.
Organizations are free to customize this configuration based upon their requirements.
When using Ethernet or IP over InfiniBand, the Oracle Solaris operating system supports network and
transport layer (stateful) packet filtering using the Oracle Solaris IP Filter feature. IP Filter offers a
wide array of host-based network capabilities including stateful packet filtering, network address
translation, and port address translation.
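The host-based filtering described above is only as good as the ruleset's default. The script below is an added example, not from the Oracle paper or Oracle's IP Filter documentation; it builds an ipf.conf ruleset that blocks inbound traffic by default, admits Secure Shell only from a management subnet, and admits one client-facing service, then lints the result so that an edit cannot quietly widen access. The interface name net0, the management subnet 10.10.0.0/24 and the service port 8443 are constructed values.

```shell
#!/bin/sh
# Added example (not from the Oracle paper): build and lint a default-deny
# Oracle Solaris IP Filter ruleset for a domain's client-access interface.
# Assumptions (constructed): interface net0, management subnet 10.10.0.0/24,
# one client service on TCP 8443.

# Print the ruleset on stdout.  $1 interface, $2 management subnet, $3 port
make_ipf_rules() {
  ifc=$1; mgmt=$2; svcport=$3
  cat <<EOF
# In IP Filter the last matching rule wins unless a rule says "quick",
# so this blanket block is the fallback for anything not explicitly passed.
block in log all
# Replies to connections this domain initiates.
pass out quick on $ifc proto tcp from any to any flags S keep state
pass out quick on $ifc proto udp from any to any keep state
# Administrative Secure Shell, only from the management subnet.
pass in quick on $ifc proto tcp from $mgmt to any port = 22 flags S keep state
# The application service, from anywhere on the client network.
pass in quick on $ifc proto tcp from any to any port = $svcport flags S keep state
# Loopback is unrestricted.
pass in quick on lo0 all
pass out quick on lo0 all
EOF
}

# Lint a ruleset read from stdin.  Fails (1) without a blanket inbound block,
# or (2) when a non-loopback "pass in" rule lacks "quick" or a port match.
lint_ipf_rules() {
  rules=$(grep -v '^#' | grep -v '^[[:space:]]*$')
  printf '%s\n' "$rules" | grep -q '^block in .*all$' || return 1
  bad=$(printf '%s\n' "$rules" | awk '
    /^pass in/ && $0 !~ / on lo0 / {
      if ($0 !~ /quick/ || $0 !~ /port = /) n++
    }
    END { print n + 0 }')
  [ "$bad" -eq 0 ] || return 2
  return 0
}

# Only write to the system when explicitly asked to ("apply" argument).
if [ "${1:-}" = "apply" ]; then
  make_ipf_rules net0 10.10.0.0/24 8443 > /tmp/ipf.conf
  lint_ipf_rules < /tmp/ipf.conf && cp /tmp/ipf.conf /etc/ipf/ipf.conf
fi
```

On Oracle Solaris 11 the ruleset lives in /etc/ipf/ipf.conf and is loaded with `svcadm enable network/ipfilter` followed by `ipf -Fa -f /etc/ipf/ipf.conf` after edits. The `log` keyword on the fallback rule feeds dropped packets to ipmon, which gives the monitoring layer discussed later in the paper a record of blocked connection attempts.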
Database Access Control
At the operating system level, it is important to use different accounts to ensure job role separation for
database instances and storage administrators, including those supporting Automatic Storage
Management (ASM) functions. Within the Oracle Database, users can be assigned specific privileges
and roles to ensure that users have access only to those data objects to which they are authorized. This
keeps data from being shared across databases or among schemas unless explicitly permitted.
In addition to the password-based authentication available in the Oracle Database, the Oracle
Advanced Security option enables organizations to implement strong authentication using public key
credentials or by leveraging existing RADIUS or Kerberos infrastructure. Further, using Oracle
Enterprise User Security, the database can also be integrated with existing LDAP repositories for
authentication and authorization. Collectively, these capabilities can be used to provide higher
assurance of the identity of users connecting to the database.
Oracle Database Vault can be used to manage administrative and privileged user access, controlling
how, when and where application data can be accessed. Oracle Database Vault protects against misuse
of stolen login credentials, application bypass, and unauthorized changes to applications and data,
including attempts to make copies of application data. Oracle Database Vault is transparent to most
applications and day-to-day tasks, and can support multi-factor authorization policies, allowing for
secure enforcement of policy without disrupting business operations.
Separation of duties is also critical at every layer of the architecture to reduce the risk of collusive
behavior and prevent inadvertent errors. Oracle Database Vault has the ability to enforce separation of
duties to ensure that account management, security administration, resource management, and other
functions are granted only to those users authorized to have those privileges.
Storage Access Control
To minimize the attack surface, the Oracle Exadata Storage Servers and the Sun ZFS Storage
Appliance do not support administration or customization outside of their management interfaces.
There are no users defined on these systems, and it is expected that these devices will be viewed as
fixed-function appliances that have been optimized and hardened for their specific purpose.
Oracle Automatic Storage Management, available on the Oracle Exadata Storage Servers, supports
three access control modes – open security, ASM-scoped security, and database-scoped security. Open
security, as the name suggests, allows any database to access any of the disks managed by ASM. ASM-
scoped security, on the other hand, allows multiple databases assigned to one or more ASM clusters to
share specific disks. Database-scoped security, the most fine-grained level of access control, ensures
that only specific databases are able to access specific disks. While organizations are encouraged to
select the most appropriate model for their situation, it should be noted that it is not recommended to
mix ASM-scoped and database-scoped security in the same ASM environment.
In addition to its overall access control mode, ASM also supports the assignment of access controls at
the disk group and file level as well to ensure that access to content stored on disk is only available to
authorized users. Of course, for organizations concerned about the confidentiality of stored database
content, database (table space or column-level) encryption should be considered.
The Sun ZFS Storage Appliance supports a wide array of access control policies that can be applied at
the dataset and volume level for individual users and groups. Further, when storage is shared by the
Sun ZFS Storage Appliance, additional access controls implemented by the sharing protocol (e.g.,
NFS) can also be applied to further limit access to authorized systems, services and users.
Cryptographic Services
The requirement to protect and validate information at rest, in transit, and in use often is grounded
upon the use of cryptographic services. From encryption and decryption to digital fingerprint and
certificate validation, cryptography is one of the most widely deployed security controls in modern IT
organizations. The Oracle SuperCluster includes a wealth of capabilities to deliver complete, efficient
and high performance end-to-end cryptography.
Workload Cryptographic Services
The Oracle SPARC T5 processor has been designed with integrated on-chip cryptographic acceleration
to enable strong cryptographic services without sacrificing performance. The SPARC T5 processor can
accelerate the performance of 16 industry-standard cryptographic algorithms in addition to the secure
generation of random numbers. These capabilities can be delivered to operating systems running
directly on SPARC T5 processors or passed through individual domains created using Oracle VM
Server for SPARC.
The Oracle Solaris operating system, by default, takes advantage of the SPARC T5 (directly or virtually
through Oracle VM Server for SPARC) for highly efficient cryptographic operations processed
through the Oracle Solaris Cryptographic Framework. This shared framework is a gathering point for
services providing or using cryptography in the Oracle Solaris operating system. Using the Oracle
Solaris Cryptographic Framework, users, applications and services can be assured that they are not only
using the most optimized algorithms, but they will also seamlessly leverage hardware cryptographic
acceleration as well as hardware security modules (when used). Oracle Solaris supports a full
complement of cryptographic services including Secure Shell, IPsec/IKE, Kerberos, and ZFS
encryption. It also includes integrations that allow applications using OpenSSL or Java to use this
common framework, including any available cryptographic acceleration.
Network Cryptographic Services
While InfiniBand partitioning is supported by the Oracle Solaris operating system for network
isolation, the confidentiality and integrity of communications over an InfiniBand partition should be
protected using a cryptographically secure protocol. For example, Secure Shell provides secure
administrative access to systems and ILOMs, IPsec/IKE (using IP over InfiniBand) can protect
communications between domains or zones, and SSL/TLS can enable secure communications
between applications and other services.
Oracle Solaris includes a kernel-based SSL (KSSL) service that provides a highly optimized SSL proxy
for applications running on the platform. KSSL can be used to SSL-enable applications lacking that
functionality or as a replacement for functionality within the application that may not be able to yield
the same performance benefits. As with everything in Oracle Solaris, KSSL is able to automatically
leverage the underlying hardware-assisted cryptographic capabilities of the SPARC T5 processor.
Database Cryptographic Services
The Oracle Advanced Security option encrypts information in the database using its transparent data
encryption (TDE) functionality. TDE supports both the encryption of application tablespaces and the
encryption of individual columns within a table. Data in temporary tablespaces and redo logs is
encrypted as well, and when the database is backed up the data remains encrypted on the destination
media, protecting information at rest no matter where it is physically stored.
The Oracle Advanced Security option (including TDE) is able to take advantage of the cryptographic
acceleration capabilities of the SPARC T5 processor. This allows organizations to protect their
information without incurring the significant performance penalties typically associated with
software-only encryption methods. Note that TDE protects data only as well as its master encryption
key is protected: the wallet or hardware security module holding that key must be secured and backed
up separately from the encrypted data and its backups.
The Oracle Advanced Security option can also be used to encrypt SQL*Net and JDBC traffic using
either native encryption or SSL to protect information while it flows over a network. Both
administrative and application connections can be protected using this mechanism so that data in
motion is protected. The SSL implementation supports the standard set of authentication methods
including anonymous (Diffie-Hellman), server-only authentication using X.509 certificates, and
mutual (client-server) authentication with X.509. Anonymous Diffie-Hellman encrypts the session but
authenticates neither end, so an active attacker on the path can interpose itself; it should be disabled
in favor of certificate-based authentication on any network that is not otherwise trusted.
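As an added illustration (not taken from the white paper or from Oracle documentation), the following sqlnet.ora fragments contrast a permissive Oracle Net configuration with one that enforces the protections described above on an Oracle Database 11g Release 2 server. The parameter names are the documented Oracle Net parameters; the wallet directory is an assumed placeholder, and the three fragments are alternatives shown side by side rather than one file.

```text
# --- Weak: encryption merely ACCEPTED and an anonymous DH suite allowed ---
# A client that does not request encryption gets a cleartext SQL*Net session,
# and SSL_DH_anon_* suites encrypt without authenticating either end.
SQLNET.ENCRYPTION_SERVER = ACCEPTED
SQLNET.CRYPTO_CHECKSUM_SERVER = ACCEPTED
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_CIPHER_SUITES = (SSL_DH_anon_WITH_3DES_EDE_CBC_SHA)

# --- Hardened: native encryption and integrity REQUIRED on the server ---
# A client that cannot negotiate one of the listed algorithms is refused.
# (11gR2 offers SHA1 and MD5 for the checksum; SHA1 is the one to keep.)
SQLNET.ENCRYPTION_SERVER = REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256, AES192, AES128)
SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA1)

# --- Hardened: SSL listener with mutual X.509 authentication ---
# Needs a TCPS listener endpoint and a wallet holding the server certificate
# and the trusted CA. /u01/app/oracle/wallet is an assumed path.
WALLET_LOCATION = (SOURCE = (METHOD = FILE)
                   (METHOD_DATA = (DIRECTORY = /u01/app/oracle/wallet)))
SSL_CLIENT_AUTHENTICATION = TRUE
SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA)
```

With SSL_CLIENT_AUTHENTICATION = TRUE a client that presents no certificate, or one the server's trusted CA cannot verify, is rejected during the handshake. Set the matching *_CLIENT parameters in the sqlnet.ora of application and administrative hosts as well, so that a misconfigured or substituted server cannot silently negotiate the session down to cleartext.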
Monitoring and Auditing
Whether for compliance reporting or incident response, monitoring and auditing are critical functions
that organizations must use to gain visibility into their IT environment. The degree to which
monitoring and auditing is employed is often based upon the risk or criticality of the environment
being protected. The Oracle SuperCluster platform has been designed to offer comprehensive
monitoring and auditing functionality at the compute, network, database, and storage layers, ensuring
that a wealth of information can be made available to organizations in support of their audit and
compliance requirements.
Workload Monitoring and Auditing
The Oracle Solaris operating system has a very comprehensive auditing facility that can monitor
administrative actions, command-line invocations, and even individual kernel-level system calls. This
facility is highly configurable, offering global, per-zone and even per-user auditing policies. When
configured to use Oracle Solaris Zones, audit records for each zone can be stored in the global zone to
protect them from tampering by anyone who gains privilege inside the zone. Further, Oracle Solaris
auditing supports the ability to send audit records to remote collection points using the system log
(syslog) facility; since syslog itself provides no confidentiality or integrity, that forwarding path should
run over a protected channel such as IPsec on the management network. Additionally, many
commercial intrusion detection and prevention services can consume Oracle Solaris audit records as an
additional input for their analysis and reporting.
Oracle VM Server for SPARC leverages the native Oracle Solaris auditing facility to record actions and
events associated with virtualization events and domain administration. Similar to how Oracle VM
Server for SPARC uses the Oracle Solaris RBAC facility for centralized access management, Oracle
Solaris auditing is used to provide a centralized approach to audit record generation, management, and
reporting.
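The following Python script is an added example, not code from the white paper or from Oracle, of the kind of detection logic a collection point can run over Solaris audit records once they arrive through syslog. The sample lines are constructed to approximate the one-line summaries the Solaris audit_syslog plugin emits; the exact field layout is an assumption and the regular expression should be checked against records from your own systems before being relied upon. It exercises three checks that the surrounding text motivates: repeated failed logins from one source, privilege changes (su and role assumption, which Solaris attributes to the original audit user), and commands run against the audit subsystem itself.

```python
"""Detection checks over Oracle Solaris audit records forwarded via syslog.

Added example, not code from the white paper or from Oracle. The sample lines
are constructed to approximate the one-line summaries the Solaris audit_syslog
plugin emits (audit.notice); the field layout is an assumption and should be
checked against records from your own systems before the regex is trusted.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed sample records (not captured from a real system).
SAMPLE_LOG = """\
Aug 12 09:14:02 sscdb01 audit: [ID 702911 audit.notice] login - ssh ok session 4123 by jdoe as jdoe:staff from 10.10.4.15
Aug 12 09:14:40 sscdb01 audit: [ID 702911 audit.notice] su ok session 4123 by jdoe as root:root from 10.10.4.15
Aug 12 09:15:03 sscdb01 audit: [ID 702911 audit.notice] login - ssh failed session 0 by asmith as asmith:staff from 203.0.113.9
Aug 12 09:15:05 sscdb01 audit: [ID 702911 audit.notice] login - ssh failed session 0 by asmith as asmith:staff from 203.0.113.9
Aug 12 09:15:07 sscdb01 audit: [ID 702911 audit.notice] login - ssh failed session 0 by asmith as asmith:staff from 203.0.113.9
Aug 12 09:16:30 sscdb01 audit: [ID 702911 audit.notice] execve(2) ok session 4123 by jdoe as root:root from 10.10.4.15 obj /usr/sbin/auditconfig
Aug 12 09:17:12 sscdb01 audit: [ID 702911 audit.notice] role login ok session 4200 by msmith as dbadm:dba from 10.10.4.20
Aug 12 09:17:40 sscdb01 sshd[2211]: Accepted publickey for svc from 10.10.4.30 port 51022
"""

# "by <audit user> as <effective user>:<group>": the audit user is the identity
# that originally logged in and is kept across su/role changes by Solaris.
RECORD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+audit: \[ID \d+ audit\.\w+\]\s+"
    r"(?P<event>.+?)\s+(?P<outcome>ok|failed)\s+session\s+(?P<session>\d+)\s+"
    r"by\s+(?P<user>\S+)\s+as\s+(?P<euser>[^:\s]+):(?P<egroup>\S+)\s+from\s+(?P<src>\S+)"
    r"(?:\s+obj\s+(?P<obj>\S+))?\s*$"
)

# Paths whose use means the audit subsystem itself is being touched (assumed list).
AUDIT_PATHS = ("/usr/sbin/audit", "/etc/security/audit", "/var/audit")


@dataclass
class AuditRecord:
    ts: datetime
    host: str
    event: str
    outcome: str
    session: int
    user: str            # audit user: who originally logged in
    euser: str           # effective user after this event
    egroup: str
    src: str
    obj: Optional[str]   # object (e.g. executed path) when the record names one


def parse_records(text: str) -> List[AuditRecord]:
    """Parse audit lines; non-audit syslog lines are silently skipped."""
    records: List[AuditRecord] = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        records.append(AuditRecord(
            ts=datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
            host=m["host"], event=m["event"], outcome=m["outcome"],
            session=int(m["session"]), user=m["user"], euser=m["euser"],
            egroup=m["egroup"], src=m["src"], obj=m["obj"]))
    return records


def failed_login_bursts(records: List[AuditRecord], threshold: int = 3,
                        window: timedelta = timedelta(seconds=60)) -> List[Tuple[str, str, int]]:
    """(user, source, total failures) for every user/source pair with at least
    `threshold` failed logins inside any `window`-long span."""
    by_key = defaultdict(list)
    for r in records:
        if r.event.startswith("login") and r.outcome == "failed":
            by_key[(r.user, r.src)].append(r.ts)
    bursts = []
    for (user, src), times in by_key.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                bursts.append((user, src, len(times)))
                break
    return bursts


def privilege_changes(records: List[AuditRecord]) -> List[Tuple[str, str, str, int]]:
    """Successful su or role assumptions: (audit user, effective user, event, session)."""
    return [(r.user, r.euser, r.event, r.session) for r in records
            if r.outcome == "ok" and r.euser != r.user
            and (r.event == "su" or r.event.startswith("role"))]


def audit_tooling_use(records: List[AuditRecord]) -> List[Tuple[str, str, str]]:
    """Executions touching the audit subsystem: (audit user, effective user, path).
    These deserve review because a change here can blind later analysis."""
    return [(r.user, r.euser, r.obj) for r in records
            if r.obj and r.obj.startswith(AUDIT_PATHS)]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print("failed-login bursts:", failed_login_bursts(recs))
    print("privilege changes:  ", privilege_changes(recs))
    print("audit tooling use:  ", audit_tooling_use(recs))
```

The audit user survives the su in session 4123, so the later auditconfig execution is attributed to jdoe even though it ran as root; that attribution is exactly what the "by ... as ..." form of the record is for, and it is why the checks key on the audit user rather than the effective one.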
Database Monitoring and Auditing
The Oracle Database supports the notion of fine-grained auditing that allows organizations to establish
policies that more selectively determine when audit records are generated. This helps organizations to
sharpen their focus on more interesting database activities and reduce the clutter that is often
associated with audit activities.
Oracle Audit Vault and Database Firewall centralizes the management of database audit settings and
automates the consolidation of audit data into a secure repository. Oracle Audit Vault and Database
Firewall includes built-in reporting to monitor a wide range of activities including privileged user
activity and changes to database structures. The reports generated by Audit Vault enable visibility into
various application and administrative database activities and provide detailed information to support
accountability of actions.
Oracle Audit Vault and Database Firewall also enables the proactive detection and alerting of activities
that may be indicative of attempts of unauthorized access or abuse of system privileges. These alerts
can include both system and user-defined events and conditions, such as the creation of privileged user
accounts or the modification of tables containing sensitive information.
The Oracle Audit Vault and Database Firewall Remote Monitor can reside on an Oracle Database
11gR2 domain to provide real-time database security monitoring by interrogating database connections
to detect malicious traffic including application bypass, unauthorized activity, SQL injection and
other threats. Using a highly accurate SQL grammar-based approach, Oracle Database Firewall can
help organizations to quickly identify suspicious database activity.
Quality of Service
There are many ways in which applications can be attacked that are not focused simply on breaching a
boundary or subverting access control policy. The availability of applications and information is itself
an IT security concern. The Oracle SuperCluster platform provides a number of capabilities that are
intended to help detect and prevent resource exhaustion attacks, denial of service, and accidental or
intentional faults that can impact the availability of services and data.
Workload Quality of Service
Oracle VM Server for SPARC supports the dynamic reconfiguration of virtual CPUs, memory, and
physical I/O devices. This allows an organization to quickly respond to changes in demand, shifting
resources to where they are needed. Further, by defining resource policies for each domain,
organizations can ensure that activity in one domain will not starve other domains of their needed
resources.
Similarly, the Oracle Solaris operating system has an array of dynamic resource controls that can be
employed globally as well as at a zone, project, task or process level. Similar to Oracle VM Server for
SPARC, resource controls can be used to limit the consumption of CPUs, memory, and core file size, as
well as to limit the number of processes, file descriptors, and many other parameters. Depending on the
actual configuration and needs of the organization, one or more of these parameters can be defined to
help ensure that applications and services running in the Oracle Solaris operating system, including in
zones, only consume their fair share of resources and do not adversely impact other services running
on the system. In addition, the Oracle Solaris 11 operating system supports the ability to define
bandwidth limits that apply to data link devices (such as virtual NICs) as well as to user-defined traffic
flows, enabling organizations to apply limits to network traffic based upon pre-defined packet
attributes.
For applications running in General Purpose domains, Oracle Solaris Cluster is often used to
implement fail-over or clustering for individual zones or domains. Oracle Solaris Cluster can help
organizations reach their survivability goals by ensuring that mission-critical services are monitored and
restarted upon a failure. Based upon an organization’s defined policy, a failed service can be restarted
locally or on another node in the cluster.
Network Quality of Service
Each component of the Oracle SuperCluster platform is configured to have multiple InfiniBand
network interfaces. Further, the platform includes redundant InfiniBand switches allowing each
component to be connected to each switch. Each component’s InfiniBand interfaces are bonded
together to form a single virtual interface allowing the component to continue operation even if a
single interface or switch fails.
Similarly, each SPARC T5-8 node in the Oracle SuperCluster platform includes multiple 10-Gbps
Ethernet interfaces connected to the client access network and multiple 1-Gbps Ethernet interfaces for
management communications. These nodes can leverage Oracle Solaris IP Multipathing (IPMP) and
IEEE 802.3ad Link Aggregation for Ethernet redundancy, helping to ensure continuous network
connectivity even if a single Ethernet interface or switch fails.
The Oracle Solaris 11 operating system also supports a variety of network-level resource controls that
allow organizations to define bandwidth limits at various data link levels, including virtual and physical
NICs, link aggregations, and IP over InfiniBand. These limits can be applied to all, or just a subset of,
traffic flowing through those elements. This allows organizations to categorize and prioritize their
network traffic to ensure that higher priority traffic is favored over less important traffic flows.
Database Quality of Service
Oracle Real Application Clusters (Oracle RAC) can be used to create a clustered database with a shared
cache architecture that overcomes some of the traditional limitations of shared-nothing models. As a
result, Oracle RAC can be used to enable highly scalable and available database architectures.
Oracle Database Quality of Service Management (QoS Management) is an automated, policy-based
solution that monitors the workload requests of an entire system. QoS Management correlates accurate
run-time performance and resource metrics, analyzes the data to identify bottlenecks, and produces
recommended resource adjustments to maintain performance objectives under dynamic load
conditions.
In addition, the Oracle Database includes a variety of tools to enable multiple databases to operate
under the same operating system. Oracle Database Resource Manager (DBRM) and Instance Caging,
for example, support the ability to dynamically control access to CPU resources using fine-grained
methods to ensure that workloads running in the database have access to their fair share of compute
resources. Further, DBRM can also control the degree of parallelism, the number of active sessions,
and other shared resources to prevent one database from monopolizing resources needed in shared
database architectures.
Storage Quality of Service
To ensure reliable, high performance access to databases stored on Oracle Exadata Storage Servers,
Oracle Automatic Storage Management (ASM) offers a variety of storage mirroring options for ASM
Disk Groups, including: normal redundancy (two-way mirroring), high redundancy (three-way
mirroring) and external redundancy (no mirroring). Typically, organizations will use external
redundancy only when their storage is already being mirrored or otherwise protected at the hardware
level. In addition to mirroring, ASM supports the notion of Failure Groups that can be used to ensure
that mirrored copies are placed on different Oracle Exadata Storage Servers.
The I/O Resource Manager (IORM) is available as part of the Oracle Exadata Storage Server and is
used to manage inter- and intra-database I/O resources. This allows not only different databases with
different performance requirements to share a common Oracle Exadata Storage Server pool, but even
multiple workloads within the same database can have their own resource policies. This flexible
architecture allows organizations to ensure that critical workloads and databases are not I/O
constrained when operating on a consolidated architecture.
Security Management
Having collections of security controls and capabilities is necessary to properly secure individual
applications and services. However, it is equally important to have comprehensive management
capabilities that assist organizations in sustaining the security of their deployed services and systems.
The Oracle SuperCluster leverages the security management capabilities of a variety of products
including Oracle Integrated Lights Out Manager, Oracle Enterprise Manager Ops Center, Oracle
Enterprise Manager, and Oracle’s Identity Management Suite.
Integrated Lights Out Manager (ILOM)
Oracle Integrated Lights Out Manager (ILOM) is the service processor embedded in the Oracle
SuperCluster's compute and storage servers. It is used to perform out-of-band management activities.
Oracle Integrated Lights Out Manager offers a variety of secure mechanisms allowing organizations
to perform secure lights-out management of their compute and storage servers, including web-based
access protected by SSL, command-line access using Secure Shell, as well as IPMI v2.0 and
SNMPv3. Because the service processor sits beneath the operating system, its interfaces should be
reachable only from the management network, never from the client access network.
Oracle ILOM supports separation of duty requirements using a role-based access control model.
Individual users are assigned to specific roles that limit the functions that can be performed. In this
manner, organizations can decide which users need full administrative access versus those that may
simply need the ability to audit ILOM settings (read-only access), access remote host consoles, or
control host power.
To ensure accountability, the Oracle ILOM records all logins and configuration changes. Each audit
log entry notes the user performing the action as well as a timestamp. This allows organizations to
detect unauthorized activity or changes as well as attribute those actions back to specific users.
Oracle Enterprise Manager Ops Center
Part of the Oracle Enterprise Manager suite, Oracle Enterprise Manager Ops Center is a converged
hardware management solution that provides a single administrative interface for servers, operating
systems, firmware, virtual machines, zones, storage, and network fabrics. Oracle Enterprise Manager
Ops Center is installed by default on the Oracle SuperCluster platform.
From a security perspective, Oracle Enterprise Manager Ops Center can be used to assign
administrative access to collections of physical and virtual systems, monitor administrator activity,
detect faults as well as configure and manage alerts. Further, Oracle Enterprise Manager Ops Center
supports a variety of reports that allow organizations to compare their systems against known
configuration baselines, patch levels, and security vulnerabilities.
Oracle Enterprise Manager
Oracle Enterprise Manager suite is a comprehensive and integrated cloud management solution that
focuses on lifecycle management of applications, middleware, and databases, as well as physical and
virtual infrastructure (using Oracle Enterprise Manager Ops Center).
In the context of Oracle SuperCluster, it is important to highlight that the application, middleware
and database management functionality supports detailed monitoring, event notification, patch and
change management, as well as continuous configuration and compliance management and
reporting.
In particular, Oracle Enterprise Manager allows organizations to centrally maintain security
configuration settings as well as access control and auditing policies for groups of databases. Access
to these functions can be limited to authorized individuals ensuring that management access
supports compliance mandates for separation of duty, least privilege and accountability.
The Oracle Enterprise Manager platform also supports strong authentication using a variety of
methods, fine-grained access controls, and comprehensive auditing, ensuring that even the
management of the Oracle SuperCluster environment can be accomplished in a secure manner.
Oracle Identity Management Suite
Oracle Identity Management suite manages the end-to-end lifecycle of user identities and accounts
across an organization. The Oracle Identity Management suite includes support for single-sign on,
web-based access control, web services security, identity administration, strong authentication, as well
as identity and access governance.
In the context of Oracle SuperCluster, Oracle Identity Management can be used as a single point for
managing identity and access to not only applications and services running on the Oracle SuperCluster
platform, but also for the underlying infrastructure and services used to manage it.
Oracle Key Manager
Oracle Key Manager is a comprehensive key management system (KMS) designed to simplify the
management and monitoring of encryption keys used to protect information at rest. Oracle Key
Manager supports enterprise-class environments with a highly scalable and available architecture that
can manage thousands of devices and millions of keys. It operates on a hardened operating
environment, enforces strong access control and role separation for key management and monitoring
operations, and optionally supports the secure storage of keys in Oracle's Sun Crypto Accelerator 6000
PCIe Card, a FIPS 140-2 rated hardware security module.
In the context of Oracle SuperCluster, the Oracle Key Manager can authorize, secure and manage
access to encryption keys used by Oracle StorageTek encrypting tape drives, Oracle Databases
encrypted using Transparent Data Encryption as well as encrypted ZFS file systems available on the
Oracle Solaris 11 operating system.
General Recommendations and Considerations
The Oracle SuperCluster platform includes an impressive collection of layered security controls that
can be tailored to meet an organization’s specific policies and requirements. It is important that
organizations understand how to best utilize these capabilities as well as integrate them into their
existing IT security architecture. Further, organizations are reminded that effective IT security must
integrate people, process, and technology aligned by policy and vetted using solid risk management and
governance practices. In this section, general recommendations and considerations will be offered to
guide organizations in architectural, deployment and operational dimensions.
Architectural
The following architecture best practices are recommended:
Organizations should leverage a unified approach to identity and access management by integrating
the Oracle SuperCluster platform components as well as its deployed services with an organization’s
existing identity and access management architecture. The Oracle Solaris operating system and
Oracle Database in particular support a wide array of open and standard protocols that allow those
products to be more easily integrated with existing identity and access management deployments.
Organizations should consider the use of intrusion prevention systems to monitor network traffic
flowing to and from the Oracle SuperCluster platform. Such systems will enable the identification of
suspicious communications, potential attack patterns, as well as unauthorized access attempts.
Organizations looking for increased visibility within the Oracle SuperCluster platform are
encouraged to consider the use of host-based intrusion detection and prevention systems. By
leveraging the fine-grained auditing capabilities of the Oracle Solaris operating system and Oracle
Database, host-based systems will have a greater likelihood of detecting inappropriate actions and
unauthorized activity.
Similarly, organizations are also encouraged to consider the use of application and network-layer
firewalls that can protect information flowing to and from the Oracle SuperCluster platform. Often
filtering network ports serves as the first line of defense in preventing unauthorized access to
systems and services. Just as with host-based intrusion detection services, organizations looking to
realize more fine-grained control of communications between components of the Oracle
SuperCluster platform are encouraged to consider both network-level segmentation using Ethernet
VLANs or InfiniBand Partitions as well as host-based firewalls to enforce inbound and outbound
network policy at the host level.
Lastly, organizations should consider the use of centralized audit and log repositories to aggregate
their security-relevant information for improved correlation, analysis and reporting. Most modern
security event and incident management systems support a wide array of protocols that can be used
for data gathering from network devices, operating systems, databases and applications. By collecting
and storing this information in a centralized (and protected) location, organizations can also improve
the quality and effectiveness of their security incident and forensic response processes. The
information that is needed for this kind of analysis will be safely stored away from systems and
applications that may have been compromised. It should be noted that for this kind of approach to
be most effective, organizations should also use the Network Time Protocol (NTP) service to ensure
that time is aligned across devices, systems, and software; without a common clock, records from
different sources cannot be reliably placed in sequence.
Deployment
The following deployment best practices are recommended:
Organizations are encouraged to utilize protocols that support strong authentication and encryption
of network communications. This protects the confidentiality and integrity of communications and is
important when communicating with services deployed on the Oracle SuperCluster platform as well
as when managing the platform using its administrative interfaces. Organizations should configure
administrative and operational services to use encryption protocols and key lengths that align with
their organizational policies. Cryptographic services provided by the Oracle SuperCluster platform
benefit from hardware acceleration, which removes much of the performance cost that otherwise
discourages encrypting all administrative and application traffic.
While many of the products integrated into the Oracle SuperCluster platform are configured by
default for secure deployment, organizations often have their own security configuration hardening
standards. Oracle produces security guidance for its products, and content relevant to the Oracle
SuperCluster platform is included in the references section at the end of this document. It is
important for organizations to review this information before attempting to change the security
configuration of Oracle SuperCluster components. In particular, it is important to identify where
existing organizational standards can be improved as well as where supportability issues may limit
what changes can be made to a given component.
Several of the products included in the Oracle SuperCluster platform are shipped with default
administrative passwords. Organizations are strongly encouraged to change these default passwords
as soon as possible to values known only to authorized administrators.
Operational
The following operational best practices are recommended:
While it is relatively straightforward to configure the Oracle SuperCluster platform for use in a
secure deployment, it is important that organizations understand that security must be maintained
throughout the life cycle of the platform and its deployed services. As such, organizations are
encouraged to utilize tools that will help detect unauthorized changes, configuration drift, as well as
security patches that have yet to be applied. The Oracle Enterprise Manager suite of tools offers
organizations an integrated solution for managing such operational issues from the hardware
through any deployed applications and services.
Further, organizations are encouraged to regularly evaluate the users and administrators with access
to the Oracle SuperCluster platform and its deployed services to verify if the levels of access and
privilege are appropriate. Over time, without review, the level of access granted to individuals tends
to increase without bound. It is recommended that access rights (for both operational and
administrative access) be reviewed to ensure that each user’s level of access is aligned to their roles
and responsibilities.
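The following Python script is an added example, not from the white paper or from any Oracle tool, of the periodic review just described applied to Oracle Solaris RBAC assignments. It reads user_attr(4)-style entries (user:qualifier:res1:res2:attr), compares each account's profiles, roles and authorizations with an approved baseline, and reports every grant beyond that baseline, every account the baseline does not know, and every approved account that no longer exists. The accounts, the baseline and the particular profile names are constructed for illustration.

```python
"""Access review of Oracle Solaris RBAC assignments against an approved baseline.

Added example, not from the white paper or from any Oracle tool. It reads
user_attr(4)-style lines (user:qualifier:res1:res2:attr), compares each
account's profiles, roles and authorizations with what the organization has
approved, and reports every grant beyond the baseline. Accounts, the baseline
and the mix of profile names below are constructed for illustration.
"""
from typing import Dict, List, Set, Tuple

# Constructed sample of /etc/user_attr (not taken from a real system).
SAMPLE_USER_ATTR = """\
# user:qualifier:res1:res2:attr
root::::type=normal;auths=solaris.*;profiles=All
dbadm::::type=role;profiles=Zone Management,Basic Solaris User
auditrev::::type=role;profiles=Audit Review
jdoe::::type=normal;profiles=Basic Solaris User;roles=auditrev
msmith::::type=normal;auths=solaris.audit.config;profiles=Basic Solaris User,System Administrator;roles=dbadm,auditrev
tmp01::::type=normal;auths=solaris.audit.read;profiles=Basic Solaris User
"""

# Approved entitlements per account (constructed). Anything granted that is
# not listed here is reported as excess.
APPROVED: Dict[str, Dict[str, Set[str]]] = {
    "root":     {"profiles": {"All"}, "roles": set(), "auths": {"solaris.*"}},
    "dbadm":    {"profiles": {"Zone Management", "Basic Solaris User"}, "roles": set(), "auths": set()},
    "auditrev": {"profiles": {"Audit Review"}, "roles": set(), "auths": set()},
    "jdoe":     {"profiles": {"Basic Solaris User"}, "roles": {"auditrev"}, "auths": set()},
    "msmith":   {"profiles": {"Basic Solaris User"}, "roles": {"dbadm"}, "auths": set()},
}

Finding = Tuple[str, str, str]  # (account, finding kind, item)
Grants = Dict[str, Dict[str, Set[str]]]


def parse_user_attr(text: str) -> Grants:
    """Return {account: {"type": {...}, "profiles": {...}, "roles": {...}, "auths": {...}}}."""
    accounts: Grants = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 5:
            continue  # malformed entry; a production review should report it
        entry: Dict[str, Set[str]] = {"type": set(), "profiles": set(), "roles": set(), "auths": set()}
        for kv in filter(None, fields[4].split(";")):   # attr is ';'-separated key=value pairs
            key, _, value = kv.partition("=")
            entry.setdefault(key, set()).update(v for v in value.split(",") if v)
        accounts[fields[0]] = entry
    return accounts


def review_access(current: Grants, approved: Grants) -> List[Finding]:
    """Compare current grants with the approved baseline.

    Reports accounts with no approved entry, every profile, role or
    authorization granted beyond the baseline, and approved accounts that no
    longer exist (so the baseline itself is kept honest). Sorted for stable diffs.
    """
    findings: List[Finding] = []
    for user, entry in current.items():
        baseline = approved.get(user)
        if baseline is None:
            findings.append((user, "unknown_user", ""))
            continue
        for kind, key in (("excess_profile", "profiles"),
                          ("excess_role", "roles"),
                          ("excess_auth", "auths")):
            for item in sorted(entry.get(key, set()) - baseline.get(key, set())):
                findings.append((user, kind, item))
    for user in sorted(approved.keys() - current.keys()):
        findings.append((user, "missing_account", ""))
    return sorted(findings)


if __name__ == "__main__":
    for user, kind, item in review_access(parse_user_attr(SAMPLE_USER_ATTR), APPROVED):
        print(f"{user:10} {kind:16} {item}")
```

Run against the sample, the review flags msmith's extra System Administrator profile, the auditrev role and the solaris.audit.config authorization (an auditor's role combined with rights over audit configuration is exactly the separation-of-duty failure the text warns about), and the tmp01 account that nobody approved. Comparing against the approved set rather than against last quarter's snapshot is deliberate: a snapshot-to-snapshot diff would quietly ratify every grant that had already crept in.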
Conclusion
Collectively, the extensive set of security controls and capabilities available on the Oracle SuperCluster
platform provides a well-rounded security foundation upon which organizations can deploy their
services. More importantly, however, is the balance that has been achieved between the tight
integration of its components and the level of configuration and operational flexibility that allows
organizations to customize the security posture of the Oracle SuperCluster platform based upon their
policies and requirements. This reinforced yet flexible security architecture makes this engineered
system an ideal platform for organizations consolidating applications and databases, operating multi-
tier enterprise applications, or delivering multi-tenant application services.
References
General White Papers and Documentation
Oracle SuperCluster T5-8: Servers, Storage, Networking and Software – Optimized and Ready to Run
http://www.oracle.com/us/products/servers-storage/servers/sparc/supercluster/supercluster-t5-8/ssc-t5-8-wp-1964621.pdf
Product Security Guides
Oracle Integrated Lights Out Manager Security Guide
http://docs.oracle.com/cd/E24707_01/pdf/E24526.pdf
Oracle Sun Datacenter InfiniBand Switch 36 Hardware Security Guide
http://docs.oracle.com/cd/E19197-01/E26701/E26701.pdf
Oracle SPARC T5 Series Servers Security Guide
http://docs.oracle.com/cd/E35199_01/pdf/E29503.pdf
Secure Deployment of Oracle VM Server for SPARC
http://www.oracle.com/technetwork/articles/systems-hardware-architecture/secure-ovm-sparc-deployment-294062.pdf
Oracle Solaris 10 Operating System Security Guidelines
http://docs.oracle.com/cd/E23823_01/pdf/E23335.pdf
Oracle Solaris 11 Operating System Security Guidelines
http://docs.oracle.com/cd/E23824_01/pdf/819-3195.pdf
Oracle Database 11g Release 2 Security Guide
http://www.oracle.com/pls/db112/to_pdf?pathname=server.112/e10575.pdf
Security White Papers and Documentation
Oracle VM Server for SPARC
Increasing Application Availability by Using the Oracle VM Server for SPARC Live Migration Feature: An Oracle Database Example
http://www.oracle.com/technetwork/server-storage/vm/ovm-sparc-livemigration-1522412.pdf
Oracle Solaris 11 Operating System
Oracle Solaris 11 Network Virtualization and Network Resource Management
http://www.oracle.com/technetwork/server-storage/solaris11/documentation/o11-137-s11-net-virt-mgmt-525114.pdf
Effective Resource Management Using Oracle Solaris Resource Manager
http://www.oracle.com/technetwork/articles/servers-storage-admin/o11-055-solaris-rm-419384.pdf
Oracle Database 11g
Oracle Defense in Depth Guide
http://www.oracle.com/technetwork/database/security/sol-home-086269.html
Cost Effective Security and Compliance with Oracle Database 11g Release 2
http://www.oracle.com/technetwork/database/security/owp-security-database-11gr2-134651.pdf
Oracle Advanced Security with Oracle Database 11gR2
http://www.oracle.com/technetwork/database/owp-security-advanced-security-11gr-133411.pdf
Oracle Advanced Security Transparent Data Encryption Best Practices
http://www.oracle.com/technetwork/database/security/twp-transparent-data-encryption-bes-130696.pdf
Oracle Database Vault with Oracle Database 11gR2
http://www.oracle.com/technetwork/database/security/owp-security-database-vault-11gr2-1-131473.pdf
DBA Administrative Best Practices with Oracle Database Vault
http://www.oracle.com/technetwork/database/security/twp-databasevault-dba-bestpractices-199882.pdf
Oracle Label Security with Oracle Database 11gR2
http://www.oracle.com/technetwork/database/security/owp-security-label-security-11gr2-133601.pdf
Effective Resource Management Using Oracle Database Resource Manager
http://www.oracle.com/technetwork/articles/servers-storage-admin/o11-056-oracledb-rm-419380.pdf
Oracle Middleware
High Performance Security for Oracle WebLogic Applications Using SPARC T5 and SPARC M5 Servers
http://www.oracle.com/technetwork/articles/systems-hardware-architecture/security-weblogic-t-series-168447.pdf
Securing E-Business Suite Applications Using Oracle Solaris 11 on SPARC T5 and SPARC M5 Servers
http://www.oracle.com/technetwork/server-storage/sun-sparc-enterprise/documentation/o13-044-t5-ebssecurity-1964593.pdf
High Performance Security for Oracle WebLogic Applications Using Oracle SPARC T-Series Servers
http://www.oracle.com/technetwork/articles/systems-hardware-architecture/security-weblogic-t-series-168447.pdf
High Performance Security for SOA and XML Web Services Using Oracle SPARC T-Series Servers
http://www.oracle.com/technetwork/articles/systems-hardware-architecture/hi-perf-soa-xml-svcs-172821.pdf
Oracle SuperCluster T5-8 Platform Security Principles and Capabilities
August 2013
Authors: Glenn Brunette, Ramesh Nagappan, Joel Weise
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
U.S.A.
Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
oracle.com
Copyright © 2013, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and the
contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other
warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or
fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are
formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any
means, electronic or mechanical, for any purpose, without our prior written permission.
Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.
Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and
are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are
trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark licensed through X/Open
Company, Ltd. 0112