Monday, September 30, 2013

SSH-KEY security for Oracle Enterprise Manager

In many companies who do use Oracle products Oracle Enterprise Manager is used for managing and monitoring purposes. This is making Oracle Enterprise Manager more and more a central application used to connect to a number of systems. From some point of view this is a good thing, from other points of view this might be a less favorable thing to do. Primarily from a security point of view a number of security specialists have reasoned that if someone would be able to hack Oracle Enterprise Manager it would be an ideal stepping stone into the rest of the network from the company which is under attack.

Oracle has introduced the option to now use a public/private key pare solution when connecting from Oracle Enterprise Manager to other systems. This is still not satisfying some security officers however it is tying more into the general ssh-key authentication mechanisms used for authentication at UNIX machines used in many companies. The ssh-keys are stored within Oracle Enterprise Manager as part of a named credential. A Named Credential specifies a users' authentication information on a system. Named credentials can be a username/password pair like the operating system login credentials, or Oracle home owner credentials primarily used for performing operations such as running jobs, patching and other system management tasks.

The advantaged of using a SSH key method for login to remote servers using SSH is that this is considered much more secure then using a username/password combination.Public key authentication is one of the most secure methods to authenticate using Secure Shell. Public key authentication uses a pair of computer generated keys - one public and one private. Each key is usually between 1024 and 2048 bits in length, it is useless unless you have the corresponding private key

A guide on how to use SSH keys in OEM can be seen in the below video from Oracle:

Saturday, September 21, 2013

2013 state of cloud computing adoption

It is beyond any doubt that the cloud way of things is picking up, more and more companies to tend to look at cloud solutions in one way or another. Some might even use cloud based solutions without even knowing it and in some cases enterprises are not aware that departments are using cloud based solutions on their own account. This last part is, or at least should, be a concern for the security department. You can better channel the use of cloud solutions then staying unaware of it or block it and find out that users find other ways of still doing it however in slightly different way. 

What is interesting is to see how cloud is used and by what kind of companies. How they adopt the cloud way of thinking. Cloud is a given and it is not going away anytime soon. Now we can see how this is unraveling and is adopted in the daily way of doing things within companies. 

A good source for such information is the survey from RightScale; " RightScale surveyed technical professionals across a broad cross-section of organisations about their adoption of cloud computing." one things however we have to keep in mind when reading those figures is that the list of people who have been send this survey are (A) technically knowledgeable and (B) most likely in some form a connection with RightScale and might be more cloud orientated then the average business user. Keeping this in mind the report is still providing a good point of view on the current adoption level. 

One of the interesting things is that they show the adoption in a four level way between enterprises and small and medium businesses. For this they use the levels "POC/Experiment", "First project", "several apps" and Heavy use. This is used to show the cloud adoption within enterprises and SMB companies. What you can see from this is that the SMB market is already making much more use of cloud then the enterprises, 41% SMB usages of cloud against 17% in the enterprise section of the market. 

The levels used for the adoption are somewhat comparable with the cloud adoption model as shown below in a pyramid way of representing this. Int his model we use 5 levels instead of 4. Rightscale is not taking into account the virtualization layer which is represented as level 1 in the below pyramid. For the rest you could see "POC/Experiment" as level 2 Cloud Experimentation, "First Project" as level 3 Cloud Foundations, "Several Apps" as level 4 Cloud Exploitation and "Heavy Use" as level 5 Hyper cloud. 

As we have seen form the above information the SMB market is more willing to adopt cloud computing in a "heavy" was and the majority of the SMB companies who use cloud computing do this in a level 5 Hyper cloud way. What is interesting however is that, based upon the RightScale 2013 report, there is not much relative difference between the number of enterprises and SMB companies who use cloud. 75% of all companies do make use of cloud computing, this breaks down in 77% of the enterprises and 73% of the small and medium businesses. 

This would hold that the percent of enterprises using the cloud is higher however that they less advanced in the level of adoption of the cloud computing platform. Small and medium business are lacking behind a little however when they start adopting the cloud they tend to go in much more aggressive and move very quickly into a higher rate of adoption. 

One of the reasons for this could potentially be that cloud computing is picking up at the moment and needs to find its place. We are still in the "client server" area of computing and where enterprises tend to move slower and have in general more and complex systems then small and medium businesses it takes longer to move to the "cloud and mobile" area. Next to this small and medium businesses tend to have a less complex chain of command and decisions can be made more quicker and without the sometimes complex bureaucracy of large enterprises.  

This means, small and medium businesses are more agile and can move quicker into new technologies then enterprises. An additional complexity for adoption is that the amount of money involved for an enterprise is in general much higher then that for a SMB company due to the scale and complexity of the applications used. 

What we however see is that large enterprises are very much willing to adopt cloud computing however it takes longer to implement this solution. However, the market for enterprise cloud computing is opening and should be a focus point for all companies who do sell cloud solutions in one form or another. 

Wednesday, September 18, 2013

Oracle application and database firewall

To protect the database from attempts to hack it in a number of ways commonly a network firewall is implemented to ensure attackers cannot connect to the system running the database on ports other then intended and not from computers that should not be able to connect to the database. This way, as is the traditional and common way, is protecting the database in quite a good fashion however is not protecting it against all risks. If a server who is eligible to connect to the database is compromised an attacker could use this as a stepping stone to execute queries against the database or cause other havoc. 

For this reason Oracle has created the the Oracle database firewall. When you deploy and Oracle database firewall  your application server is no longer talking directly to your database however to the firewall. Based upon a whitelist or blacklist principle certain statements are allowed to be send to the database. Statements that are not allowed are dropped. having such a solution in place is adding an extra layer of security to your design. An diagram showing such an implementation is shown below. 

A less known fact about the Oracle database firewall is however that it can be integrated with other security products from other vendors. F5 for example is providing a solution with the BIG-IP ASM (Application Security Manager) which is is an application layer firewall specially designed to recognise attacks on an application layer level. In most common attacks for systems where you would deploy an Oracle database firewall you will have an application layer which might only be protected by a network firewall. In a solution where you also deploy a application layer firewall you will gain an extra level of security. 

The BIG-IP ASM solution is able to detect and block an attack on the application layer and next to this forward this information also to the Oracle database firewall. This has a number of advantages. First of all the attack context is communicated with the Oracle database firewall together with information about the source-IP from the attacker and other information. Based upon the attack context the Oracle database firewall can be tightened in general and/or also on the specific IP from the attacker. 

An additional benefit, which is in my opinion a huge benefit, is that you will be able to collect the information and logs of both the F5 firewall and the Oracle database firewall in a consolidated way.  In many cases a security apartment needs to track down what happened and needs to be able to report on this and should have a trail of evidence. When multiple points of security and a multiple number of locations for logs are in place it can be very hard to track down the entire attack path and provide a consistent and correct report. Having the ability to do this from a single console is providing much more options to track and secure your vital and confidential data. When looking into securing a Oracle based solution is well worth to think about an implementation as shown above. 

Saturday, September 07, 2013

Debug PHP with Oracle DTrace

Most common users and most developers who every now and then develop an application will not be using Dtrace. however, people involved in building and debugging applications that run under Linux or Solaris and people who are responsible for tuning and optimizing performance of mission critical systems will most likely be using Dtrace or at least they should start understanding it and possibly start using it. Dtrace is a dynamic tracing framework developed by Sun Microsystems for troubleshooting kernel and application issues in real time.

Dtrace gives you the option to truley see what your application is doing and how your operating system kernel is handling stuff. A real view of what is happening can be very good when you are  diving deep into debugging applications and issues with your servers.

In the past Dtrace has primarily be used for "server" based applications and not si much for scripting languages. A not well know fact is that Dtrace is also a part of the PHP language. David Soria Parra has merged the Dtrace functions into PHP from PHP version 5.4 and onwards. The original way of using PECL to incorporate Dtrace into PHP.

If you are serious about building PHP applications and serious about finding bottlenecks in your code and the way your PHP code is interacting with your kernel you should look into Dtrace for PHP. Chritoper Jones wrote an article back in 2012 named "Adding DTrace Probes to PHP extensions" and recently wrote an article named "DTrace with PHP update" which are both good starting points. You can find both on the Oracle website in the PHP and Oracle blog from Christopher Jones.

Wednesday, September 04, 2013

Oracle Enterprise Manager for database 12c

The database has been the center of the Oracle corporation for as long as the company exists and will most likely be the core of the company for upcoming years. We see that Oracle is building more and more applications and with the merger with Sun Microsystems they are now also investing in Hardware. Within the vision from Oracle is most an end-to-end Oracle architecture and they do have most of the components now to achieve this. However, the database is still one of the core parts of the company. Oracle has strengthen the database position within the product portfolio with the release of the Oracle database 12C release which is developed for multi-tenancy and cloud computing.

Within the vision from Oracle is also that they manage the complete lifecycle of applications (and databases) and that during the full lifecycle this is managed and monitored from the Oracle Enterprise Manager application which is the center of the Oracle manageability strategy.

In the below video you can see how Oracle Enterprise Manager 12C is tying in to the Oracle database 12C product and will enable administrators to monitor and manage databases during the entire lifecycle.

The third IT wave

According to Pat Gelsinger, the CEO of VMWare we are in the third generation of IT. This was one of his statement during a recent talk. According to Pat the current wave or generation is the Mobile-Cloud Era which we are currently entering. In a way he is indeed correct and we have had the Mainframe Era, the Client-Server Era and now the Mobile-Cloud Era.

According to Pat the Mobile-Cloud Era is driven by Mobile, Cloud, Social and Big-data. We are currently only seeing the beginning of this however in the near and upcoming future this will become the default way of developing applications and running your infrastructure just like companies now primarily run there applications in a client-server fashion and in the way they where running the applications in a mainframe way before that.

Below is one of the slides used during the presentation;

Interesting is that he also noted that the new IT Mantra of this era will be / should be ÏT-as-a-Service". The mantra "IT-as-a-Service" is adding to the growing influence of the business on IT and the declining pure IT decisions. Business users and departments do get more and more involved into decisions with regards to IT and will play more and more a prominent role within IT projects and decision making. This also, autocratically, holds that the role of the CIO within a company will stay as important as it is now however it will be less "powerful" as he/she will not have the final say in IT matters as it will be heavily influenced by the other board members.

Accoording to a recent Harvey Nash study "USA 2013 CIO Survey" the role of the CIO in the new Era will be more collaborative, business-facing and multi-skilled function is shifting the dynamics of the modern-day executive table.

named high CPU usage under Ubuntu resolved

When running Ubuntu you might encounter a strange behaviour where the named process, which is part of BIND, is taking up a large amount of CPU. In my case this was more then 120% due to the fact it was using more then a single core. Normally named would take only a very small amount of the CPU cycles available so this can be seen as strange behaviour. Reason for this behaviour turned out to be a wrongly set permission on the /var/cache/bind directory.

Due to some reason the default Ubuntu distribution is shipping with only root permissions on /var/cache/bind while named is running as the user bind. The named process is trying to write to the /var/cache/bind directory however fails due to the fact that this can only be done by the root user. This in turn results in retries which take a lot of your CPU away from other processes.

To resolve this, one of, the solution is to reset the permissions on /var/cache/bind which can be done with the commands below;

chown root:bind /var/cache/bind
chmod g+w /var/cache/bind

After this you will have to stop and start bind which can be done with the below command.

service bind9 restart

This should result in a lot less CPU usage from the named process.