
Oracle Exalogic Security Best Practices and PCI Compliance

Oracle Exalogic Security Best Practices and PCI Compliance. Dirk Anderson, Managing Director, Coalfire; Kelly Goetsch, Sr. Product Manager, Oracle; Kuyper Hoffman, Senior Principal, Oracle. Program Agenda: Exalogic Overview; PCI Primer; Special Considerations for Securing Exalogic.



Presentation Transcript


  1. Oracle Exalogic Security Best Practices and PCI Compliance
     Dirk Anderson, Managing Director, Coalfire; Kelly Goetsch, Sr. Product Manager, Oracle; Kuyper Hoffman, Senior Principal, Oracle

  2. Program Agenda
     • Exalogic Overview
     • PCI Primer
     • Special Considerations for Securing Exalogic
     • How to Secure Exalogic for PCI

  3. Announcing... New White Paper: Exalogic and PCI Compliance

  4. Exalogic Overview

  5. Choice Is Not Always a Good Thing: Exalogic vs. the Status Quo (stack diagram; layers shown: Applications & Middleware, OS, Virtualization & Cloud Management, Compute, Networking, Storage)

  6. Engineered Systems: Database Appliance, Exalytics, Exadata Database Machine, Exalogic Elastic Cloud, Big Data Appliance
     • Extreme performance
     • High availability
     • One-stop support
     • Expedited time to value
     • Easier to manage and upgrade
     • Lower cost of ownership

  7. What is Exalogic?
     Software
     • Oracle Linux
     • Exalogic Control
       • Manage virtual servers, virtual networks and virtual storage
       • Firmware/software upgrades
     • Exalogic Elastic Cloud
       • Drivers
       • Optimizations to Oracle Middleware
     • Oracle Traffic Director *
     • WebLogic *
     • JRockit *
     • Enterprise Manager *
     Hardware
     • Between 4 and 30 X3 compute nodes. Per node:
       • (2) Intel 2.9 GHz Xeon (8-core) processors (16 cores)
       • 256 GB 1600 MHz RAM
       • (2) 100 GB SSDs
       • Dual-port QDR InfiniBand HCA (PCIe)
     • 60 TB ZFS storage appliance
     • Between 2 and 4 InfiniBand Gateway Switches
       • (32) QDR InfiniBand ports
       • (8) 10GbE ports
     * Purchased separately and installed on-premises

  8. Software in Exalogic (layer diagram). Components shown: Enterprise Manager, Oracle Apps, Coherence, WebLogic, JRockit, Traffic Director, Oracle Linux Guest OS, Oracle VM for Exalogic, Exabus, Exalogic Elastic Cloud Software / Exalogic Control. Labels on the diagram: "Exalogic Optimized", "Installed and patched normally", "Native to Exalogic", "Installed and (optionally) patched by Oracle"; legend: shaded = Comes with Exalogic

  9. Exalogic Configurations: Eighth Rack, Quarter Rack, Half Rack, Full Rack, Multi-Rack
     * Units are upgradable. For example, an eighth rack can be turned into a quarter rack with the addition of four compute nodes

  10. Network Architecture (diagram). Elements shown: Exalogic X3-2 compute nodes on Exabus (InfiniBand I/O backplane); Ethernet Gateways and Spine Switch; 10GbE link to the Data Center Service Network (10GbE); Storage; Management Switch on the GbE Management Network connected to the Data Center Mgmt Network (GbE); Exadata / Standard Oracle Database attached to the fabric

  11. PCI Primer

  12. Why PCI?
     • DSW Shoe Warehouse (4/18/2005): first time a public company 10-Q reflected a financial loss due to a privacy violation. 1.3 million records.
     • Hannaford’s Grocers (3/17/2008): first “PCI-compliant” merchant to suffer a significant compromise. Class action lawsuits filed. 4.2 million records stolen.
     • Heartland Payment Systems (1/20/2009): alerted by Visa and MasterCard of suspicious activity. Affected more than 200 banks. Multiple lawsuits filed. 100 million records.
     • Sony (April-May 2011): multiple international subsidiaries including PS3, entertainment and the e-commerce store. More than 100 million accounts compromised, at an estimated cost of over $1 billion and months of downtime.
     • Schnucks (December 2012-March 2013): 2.4 million cards compromised; sued by their insurer to avoid paying the breach costs.
     • Harbor Freight Tools (July 2013): ???

  13. PCI Standards
     • PCI-DSS – Payment Card Industry Data Security Standard
     • PA-DSS – Payment Application Data Security Standard
     • PTS – PIN Transaction Security
     • P2PE – Point-to-Point Encryption
     https://www.pcisecuritystandards.org/

  14. The PCI-DSS
     • PCI DSS 2.0 has 188 individual controls/compliance tests
     • Applies to:
       • All merchants
       • 3rd parties with whom the merchants share cardholder data
       • 3rd parties with access to, or the ability to impact the security of, the merchant’s cardholder environment

  15. Key Considerations of PCI-DSS
     • Scope: What are the systems and applications that are in scope for our PCI DSS validation?
     • PCI DSS Segmentation: What does it mean and how can it be used to reduce our PCI DSS scope?
     • Third Party Providers: Which organizations support our cardholder data environment (CDE)? How will they affect our PCI DSS validation efforts?

  16. Special Considerations for Securing Exalogic

  17. Trust Levels & Segmentation (diagram). Labels shown: Sensitive Data, Public Data; Customer 1, Customer 2, Customer 3; Virtual Environment (two instances); Mixed-Mode Multi-Tenancy

  18. Managing the Metal (diagram). Type 1 Hypervisor (“Bare Metal”, “Native”): VM 1 and VM 2 run on the hypervisor, which runs directly on the hardware. Type 2 Hypervisor (“Hosted”): VM 1 and VM 2 run on the hypervisor, which runs as software on a server O/S on the hardware.

  19. Other Security Considerations
     • Separation of Duties
       • Can you adequately define roles across a virtualized/cloud environment?
     • Configuration Management
       • Clouds are built from hardware, software, and virtual components; how is configuration managed consistently across all of them?
     • Virtual Images
       • How do you manage consistency of deployment of hosted machines, especially when you’re dynamically adjusting capacity?

  20. Other Security Challenges
     • Vulnerability Scanning
       • What is the “standard” for scans? Do they have to be authenticated? How are vulnerabilities ranked? How do you scan dormant virtual machines? Do we have appropriate vulnerabilities for cloud components in the scanning databases? Do risk rankings apply equally to the cloud?
     • Penetration Testing
       • What is the “standard” for penetration testing? White box, black box, grey box? What level of credentials? What do internal penetration tests require? What is an “acceptable” penetration test? How do you test virtual segmentation?

  21. How to Secure Exalogic for PCI

  22-24. Exalogic Security Principles: Separation of identities, roles and responsibilities (built up over three slides)
     Exalogic System Admin (H/W Operations & System Admin in IT Org)
     • “Superuser” with all admin privileges
     • Manages the physical (hardware) system
     • Monitoring, patching, creating public networks, maintenance
     • Creates cloud admin and cloud user entities
     Exalogic Cloud Admin (Virtualization Admin in IT Org)
     • Manages hardware resources as virtual assets
     • Assets managed include vCPUs, memory, storage, public/private networks
     • Creates accounts (quotas) and assigns cloud users to accounts
     Exalogic Cloud User (Enterprise Apps Admin, e.g. HR, Financial, DevOps, etc.)
     • Creates guest vServers
     • Assigns appropriate memory, vCPUs, public/private networks, vDisks
     • Deploys (or facilitates the deployment of) apps on the guest vServers

  25. Exalogic Security Principles: InfiniBand as an isolation layer
     • InfiniBand
       • IP over IB
         • Allows porting of unmodified applications
         • Each IPoIB network maps to 1 IP subnet
         • These subnets use a private IP address space (specifically, the subnets are not externally routable)
       • InfiniBand partitions
         • Explicit security construct that controls communication between endpoints
         • Each IPoIB network maps to a unique IB partition

  26. Exalogic Security Principles: InfiniBand Partition Keys
     • Each node or VM is assigned at least one Partition Key (pkey)
     • Packets received by each Host Channel Adapter are checked for their pkey and are silently dropped if the node is not a member of the appropriate partition
     • Enforcement occurs at the HCA level via Queue Pairs (QPs)
     • The switch port (which should be administered by a different role, e.g. Hardware Sys Admin) must agree on key assignment, so unauthorized nodes cannot illegally join the partition
     • Packet sniffing, man-in-the-middle attacks, etc. by rogue nodes or VMs are defeated by this partitioning

  27. Exalogic Security Principles: InfiniBand Partition Keys
     • Limited vs. full membership
       • A full member can communicate with both full and limited members of a partition
       • A limited member can only communicate with a full member
       • This provides the ability to share common resources (e.g. a secure data store) in a secure, unidirectional manner, allowing sensitive data to flow into but not out of a secure store
     • A traditional software-based firewall can still be implemented as a VM with membership of 2 partitions
       • All packets must flow through the FW to reach across partitions
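To make the partition rules on slides 25 to 27 concrete, here is an added model of pkey enforcement; it is illustration written for this transcript, not Oracle or Exalogic code. It follows the InfiniBand pkey layout (bits 0-14 are the partition number, bit 15 is the membership bit: 1 = full, 0 = limited), checks that the switch port agrees with the HCA's key assignment, refuses limited-to-limited traffic, and shows a two-partition firewall VM as the only path between partitions. It also checks that each IPoIB subnet comes from private address space. Node names, partition numbers and subnets are constructed for the example.

```python
"""Model of InfiniBand partition-key (pkey) enforcement and IPoIB subnet checks.

Added illustration for the partition slides; not Oracle or Exalogic code.
All node names, partition numbers and subnets are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass

FULL_BIT = 0x8000  # bit 15 of a pkey: 1 = full member, 0 = limited member


def partition_number(pkey: int) -> int:
    """Strip the membership bit, leaving the 15-bit partition number."""
    return pkey & 0x7FFF


def is_full_member(pkey: int) -> bool:
    return bool(pkey & FULL_BIT)


@dataclass(frozen=True)
class Node:
    """A compute node or VM, with the pkey table programmed into its HCA."""
    name: str
    hca_pkeys: frozenset

    def local_pkey(self, partition: int):
        """The pkey this HCA holds for a partition, or None if it is not a member."""
        for key in self.hca_pkeys:
            if partition_number(key) == partition:
                return key
        return None


@dataclass
class Fabric:
    nodes: dict         # node name -> Node
    switch_ports: dict  # node name -> set of partition numbers its switch port carries

    def send(self, src: str, dst: str, partition: int) -> bool:
        """True if a packet from src to dst in `partition` is delivered, False if dropped."""
        sender, receiver = self.nodes[src], self.nodes[dst]
        tx_pkey = sender.local_pkey(partition)
        if tx_pkey is None:
            return False  # sender holds no pkey for this partition
        # The switch ports must agree with the HCA key assignment: a pkey that a
        # rogue HCA programs for itself is not honoured by the fabric.
        if partition not in self.switch_ports.get(src, set()):
            return False
        if partition not in self.switch_ports.get(dst, set()):
            return False
        rx_pkey = receiver.local_pkey(partition)
        if rx_pkey is None:
            return False  # receiving HCA silently drops: not a member
        if not is_full_member(tx_pkey) and not is_full_member(rx_pkey):
            return False  # two limited members may never talk to each other
        return True

    def send_via_firewall(self, src, fw, dst, src_partition, dst_partition) -> bool:
        """Cross-partition traffic must traverse a VM that is a member of both partitions."""
        return self.send(src, fw, src_partition) and self.send(fw, dst, dst_partition)


SECURE = 0x0001  # constructed partition holding the secure data store
APP = 0x0002     # constructed partition holding application vServers


def build_demo_fabric() -> Fabric:
    nodes = {
        "store": Node("store", frozenset({SECURE | FULL_BIT})),         # full in SECURE only
        "app1": Node("app1", frozenset({SECURE, APP | FULL_BIT})),      # limited in SECURE, full in APP
        "app2": Node("app2", frozenset({SECURE, APP | FULL_BIT})),
        "web": Node("web", frozenset({APP | FULL_BIT})),                # APP only
        "fw": Node("fw", frozenset({SECURE | FULL_BIT, APP | FULL_BIT})),  # firewall VM in both
        # programmed a SECURE pkey into its own HCA, but no switch port carries it
        "rogue": Node("rogue", frozenset({SECURE | FULL_BIT})),
    }
    ports = {"store": {SECURE}, "app1": {SECURE, APP}, "app2": {SECURE, APP},
             "web": {APP}, "fw": {SECURE, APP}, "rogue": set()}
    return Fabric(nodes, ports)


# Each IPoIB network maps to one partition and one IP subnet (constructed values).
PARTITION_SUBNETS = {SECURE: "192.168.10.0/24", APP: "192.168.20.0/24"}


def ipoib_subnet_is_private(cidr: str) -> bool:
    """An IPoIB subnet should come from private, non-routable address space."""
    net = ipaddress.ip_network(cidr, strict=True)
    return net.is_private and not net.is_global


def non_private_subnets(mapping: dict) -> list:
    """Partition numbers whose IPoIB subnet is not private (should be empty)."""
    return sorted(p for p, cidr in mapping.items() if not ipoib_subnet_is_private(cidr))


if __name__ == "__main__":
    fabric = build_demo_fabric()
    print("app1 -> store (SECURE):", fabric.send("app1", "store", SECURE))
    print("app1 -> app2 (SECURE, both limited):", fabric.send("app1", "app2", SECURE))
    print("rogue -> store (SECURE):", fabric.send("rogue", "store", SECURE))
    print("web -> fw -> store:", fabric.send_via_firewall("web", "fw", "store", APP, SECURE))
    print("non-private IPoIB subnets:", non_private_subnets(PARTITION_SUBNETS))
```

The point of the `rogue` node is the slide's remark about switch ports: an HCA that programs a pkey for itself gains nothing while the switch port, administered by a different role, does not carry that partition. The `web` node shows why the firewall VM needs full membership of both partitions: with no shared partition, `web` cannot reach `store` directly under any pkey, and only the two-hop path through `fw` is delivered.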

  28. Exalogic Security Principles: Image Management
     • Golden Master
       • Clone an existing VM
       • Apply and test patches in isolation
       • Perform safe penetration testing
       • Ensure compliance and consistency
       • Snapshot and “freeze dry” the new image
       • Publish as a Golden Master
       • All new VMs are launched from the freshly minted master
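The "ensure compliance and consistency" step above, and the question on slide 19 about keeping hosted machines consistent while capacity changes, come down to being able to tell whether a running vServer still matches the golden master it was launched from. The following added example (written for this transcript, not Oracle tooling) records a file manifest of SHA-256 digests for a golden image tree and diffs it against a deployed instance, reporting added, removed and changed files. The directory contents are constructed inline so the example runs offline; in practice the manifest would be built from the published master image and checked from a scanning or configuration-management job.

```python
"""Golden-master consistency check: manifest a reference image tree and detect
drift on clones. Added illustration, not Oracle or Exalogic code. The file
trees below are constructed for the example."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Map each regular file (path relative to root) to its SHA-256 digest."""
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 16), b""):
                digest.update(chunk)
        manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest


def diff_manifest(golden: dict, actual: dict) -> dict:
    """Report what differs between the golden master and a deployed instance."""
    return {
        "added": sorted(set(actual) - set(golden)),
        "removed": sorted(set(golden) - set(actual)),
        "changed": sorted(p for p in golden.keys() & actual.keys()
                          if golden[p] != actual[p]),
    }


def is_consistent(golden: dict, actual: dict) -> bool:
    delta = diff_manifest(golden, actual)
    return not (delta["added"] or delta["removed"] or delta["changed"])


def demo() -> dict:
    """Constructed scenario: a golden master, a faithful clone, then a drifted clone."""
    with tempfile.TemporaryDirectory() as tmp:
        golden_root = Path(tmp) / "golden"
        (golden_root / "etc").mkdir(parents=True)
        (golden_root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (golden_root / "etc" / "motd").write_text("golden master v1\n")
        golden = build_manifest(golden_root)  # the "freeze dried" reference

        # A clone launched from the master matches it exactly.
        clone_root = Path(tmp) / "clone"
        shutil.copytree(golden_root, clone_root)
        faithful = is_consistent(golden, build_manifest(clone_root))

        # Drift: a setting edited on the running vServer plus an unexpected file.
        (clone_root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (clone_root / "etc" / "unexpected.conf").write_text("not in the master\n")
        drift = diff_manifest(golden, build_manifest(clone_root))
        return {"faithful": faithful, "drift": drift}


if __name__ == "__main__":
    print(demo())
```

A hash manifest catches content drift but not permission or ownership changes; a production check would also record those, and would exclude paths that are expected to differ per instance (host keys, logs) so the report stays actionable.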

  29. Questions
