An Oracle Technical White Paper

August 2013

Oracle SuperCluster T5-8 Platform Security Principles and Capabilities

Introduction
Product Security Principles
  Survivability
  Defense in Depth
  Least Privilege
  Accountability
Product Security Capabilities
  Secure Isolation
  Access Control
  Cryptographic Services
  Monitoring and Auditing
  Quality of Service
  Security Management
General Recommendations and Considerations
  Architectural
  Deployment
  Operational
Conclusion
References
  General White Papers and Documentation
  Product Security Guides
  Security White Papers and Documentation

Introduction

The Oracle SuperCluster T5-8 (Oracle SuperCluster) is a high performance, multi-purpose engineered

system designed, tested and integrated to run a wide array of enterprise applications. It is well suited to

many different tasks including database and application consolidation, running multi-tier enterprise

applications, and multi-tenant application delivery. To realize secure architectures such as these, the

Oracle SuperCluster platform enjoys a level of security synergy not often found in today’s IT

architectures. Stemming from its high degree of engineering innovation and integration, the security

posture and potential of this platform is truly greater than the sum of its individual components.

In this paper, the security principles and capabilities of the Oracle SuperCluster platform will be

discussed to highlight the comprehensive set of security controls that can be employed to meet even

the most challenging security demands. While discussed individually, it is important to understand that

each capability offers an opportunity to be layered with the others to create reinforced security

postures. Additional architectural, deployment and operational guidance will also be offered to help

organizations understand where and how their Oracle SuperCluster platform can be integrated into

their existing IT security environment.

Product Security Principles

Before discussing the individual security capabilities of the Oracle SuperCluster platform, it is

important to highlight the principles that guided the development of this engineered system. The

security principles of survivability, defense in depth, least privilege, and accountability sit at the very

heart of the Oracle SuperCluster platform’s security architecture. The platform embodies these

time-tested principles and delivers a well-integrated collection of security capabilities that help organizations

address their most pressing security requirements and concerns.

Survivability

Organizations selecting hardware and software platforms for their mission critical workloads must be

assured that the platforms can prevent or minimize the damage caused by both accidental and

malicious actions taken by internal users or external parties. The Oracle SuperCluster platform

supports the principle of survivability by:

Ensuring that the components used by the platform have been designed, engineered and tested to work

well together in support of secure deployment architectures. The Oracle SuperCluster platform and

its constituent products support secure isolation, access control, cryptographic services, monitoring

and auditing, quality of service as well as secure management.

Reducing the default attack surface of its constituent products to help minimize the overall exposure

of the platform. Organizations can then customize the security posture of the Oracle SuperCluster

platform based upon their policies and needs.

Protecting the platform, including its operational and management interfaces, using a complement of

open and vetted protocols and APIs capable of supporting the traditional security goals of strong

authentication and access control, confidentiality, integrity, and availability.

Defense in Depth

The Oracle SuperCluster platform employs multiple, independent, and mutually reinforcing security

controls to help organizations create a secure operating environment for their workloads and data.

Properly employed, the principle of defense in depth ensures that a layered set of defenses exist,

helping organizations continue secure operations even after a vulnerability or failure of a single security

control. The Oracle SuperCluster platform supports the principle of defense in depth by:

Offering a strong complement of protections to secure information in transit, in use, and at rest.

Security controls are available at the server, storage, network, virtualization, database, and application

layers. More importantly, each layer’s unique security controls can be integrated with the others to

enable the creation of strong, layered security architectures.

Supporting the use of well-defined and open standards, protocols and interfaces. This means that the

Oracle SuperCluster platform can also be integrated into an organization’s existing security policies,

architectures, practices and standards. Integration such as this is critical as applications and devices

do not exist in isolation, and the security of IT architectures is only as strong as its weakest

component.

Least Privilege

Ensuring that applications, services and users have access to the capabilities that they need to perform

their tasks is only one side of the least privilege coin. It is equally important to ensure that access to

unnecessary capabilities, services, and interfaces be limited. The principle of least privilege is rooted in

a very simple concept, namely – do not give away capabilities that you do not want someone to use.

The Oracle SuperCluster platform promotes the principle of least privilege by:

Ensuring that access to individual server, storage, virtualization, operating system, database and other

components can be granted based upon the role of each user and administrator. The use of

role-based and multi-factor access control models with fine-grained privileges ensures that access can be

limited to only what is needed.

Constraining applications so that their access to information, underlying resources, network

communications, and even local or remote service access is restricted based upon need. Whether

caused by an accident or malicious attack, applications too can misbehave, and without enforcement

of least privilege, those applications may be able to cause harm far beyond their intended use.

Accountability

In most cases, it is insufficient to simply prevent a security incident. It is equally important to be able

to detect the incident, report the event, and understand how it was prevented. Similarly, when an event

cannot be prevented, it is imperative that an organization be able to detect that the event occurred so

that proper responses can be taken. Organizations concerned with accountability seek to answer

questions such as “what security event occurred?,” “when did it happen?,” “where did it take place?,”

“who caused the event?,” “who was the target?,” and “what was the outcome?” The Oracle

SuperCluster platform supports the principle of accountability by:

Each of the components used within the Oracle SuperCluster platform supports activity auditing and

monitoring, including the ability to record login and logout events, administrative actions, and often

other events specific to each of the products. Collecting and reviewing this kind of information is an

important part of maintaining secure operations and can help with root-cause analysis in the event of

a security incident.

Two of the products used in the Oracle SuperCluster platform deserve special mention for their

extensive ability to audit and monitor activity. The Oracle Solaris operating system and the Oracle

Database both support very fine-grained configurations when it comes to auditing. This allows

organizations to tune audit configurations in response to their standards and goals – to ensure that

critical information is captured, while at the same time, minimizing the “noise” of unnecessary or

inappropriate audit events.

The Oracle SuperCluster platform is an excellent option for organizations deploying mission critical

services as a result of its inherent ability to deliver on each of these security principles and others

including secure by default and reduced attack surface. The secure deployment architectures enabled by

its comprehensive set of security capabilities make the Oracle SuperCluster platform an ideal choice for

hosting mission-critical applications and services.

Product Security Capabilities

The Oracle SuperCluster platform is a multi-purpose engineered system that combines the computing

power of the SPARC T5 processor, the efficient virtualization capabilities of Oracle VM Server for

SPARC, the performance and scalability of the Oracle Solaris operating system, the optimized database

performance of the Oracle Database integrated with Oracle Exadata Storage Servers, and the

innovative network attached storage capabilities of Oracle’s Sun ZFS Storage Appliance. Each of these

core components is connected over a redundant InfiniBand fabric that enables low latency and high

performance network communication between all of the components. In addition, a 10-Gbps Ethernet

network is employed allowing clients to access services running on the Oracle SuperCluster platform. Finally,

a 1-Gbps Ethernet network provides the conduit through which all of the Oracle SuperCluster

components can be managed. For more high-level information on the Oracle SuperCluster

architecture, see the Oracle white paper titled “Oracle SuperCluster T5-8: Servers, Storage,

Networking, and Software - Optimized and Ready to Run”.

The Oracle SuperCluster platform supports a variety of full and half-rack deployment options. The

diagram in Figure 1 illustrates one possible half-rack configuration.

Figure 1. Example half-rack configuration of Oracle SuperCluster T5-8

It is important to have an appreciation for the security capabilities that are exposed by each of the core

components engineered into the Oracle SuperCluster architecture. To simplify the presentation of

these capabilities, they have been grouped into six distinct categories, namely: secure isolation, access

control, cryptographic services, monitoring and auditing, quality of service, and secure management.

This list is not exhaustive, but rather it is intended to highlight the security capabilities most often

employed by organizations seeking to deploy a layered security strategy.

Secure Isolation

Isolating services, users, data, communications, and storage is important for many organizations

wanting to consolidate IT infrastructure, implement shared service architectures, and deliver secure

multi-tenant services. The Oracle SuperCluster platform enables secure isolation at the workload,

network, database, and storage levels, allowing organizations the flexibility to implement various

isolation policies and strategies based upon their needs.

Workload Isolation

Oracle VM Server for SPARC is a classic Type 1 hypervisor that operates on bare metal and mediates

access to hardware resources ensuring strong isolation between individual Logical Domains (Domains)

running on the platform. Oracle VM Server for SPARC is used to create hard partitions configured as

either Oracle Database 11gR2 domains or General Purpose domains. Each General Purpose domain

has its own virtualized CPU, memory, storage, and console as well as its own instance of an operating

system. A General Purpose domain can run applications supported on either the Oracle Solaris 10 or 11

operating systems (including business applications, middleware and even databases) whereas Oracle

Database 11gR2 domains must run Oracle Database 11g Release 2 on the Oracle Solaris 11 operating

system.

Oracle Solaris Zones (Zones) are supported allowing customers to further isolate applications running

under the same operating system kernel. By design, zones offer unique capabilities that effectively and

efficiently sandbox different applications running on the same operating system, protecting them from

unintentional or malicious activities happening in other zones. Despite running on the same kernel,

each zone has its own identity and enjoys security, resource, namespace, and process isolation.

Essentially, zones provide built-in virtualization with strong isolation and flexible resource controls at a

smaller CPU and memory footprint than traditional virtual machines running on Type 1 hypervisors.

While Oracle VM Server for SPARC and Oracle Solaris Zones both support application isolation

goals, organizations are encouraged to view them as complementary technologies. Oracle VM Server

for SPARC is used to isolate operating systems (into different domains) whereas Oracle Solaris Zones

are used to isolate groups of processes. While these technologies can be used independently, their value

is compounded when they are used together to deploy application workloads securely and

efficiently.

Network Isolation

At a physical network level, client access is isolated from both device management and inter-device

communication. Client access is provided over a redundant 10-Gbps Ethernet network that ensures

reliable, high-speed access to services running on the platform. Similarly, management access is also

provided over a physically separate 1-Gbps Ethernet network, allowing organizations to create a hard

separation between their operational and management networks. Finally, inter-device communication is

achieved over a redundant InfiniBand network to create a high-performance, low-latency backplane

through which the individual devices can communicate.

To improve the isolation of network communications over the client access Ethernet network,

organizations are encouraged to leverage a strategy of physical isolation as well as the use of virtual

LANs (VLANs) in order to compartmentalize network traffic based upon their needs. Similarly, when

using InfiniBand, partitions can be used to achieve isolation comparable to VLANs on Ethernet. By

default, the Oracle SuperCluster platform is configured with a number of InfiniBand partitions to

promote isolation between database domains, network-based storage, and private clustering

interconnects. Additional partitions may be used, or existing ones may be adapted, to achieve

site-specific isolation goals. Further, the use of encrypted protocols over InfiniBand partitions and VLANs

is recommended when confidentiality and integrity of communications must be assured.

Both Oracle VM Server for SPARC and the Oracle Solaris 11 operating system support the notion of

virtual switches and network interfaces that can be configured to provide network access to both

domains and zones. In the case of Oracle VM Server for SPARC, network access is mediated

by the hypervisor. Similarly, for the Oracle Solaris operating system, the use of exclusive network

stacks and integrated virtual network switching, enforced by the operating system kernel, ensures that

access to networks is in compliance with policy. For example, this ensures that services running in one

Oracle Solaris zone are not able to snoop on the network traffic flowing in and out of other zones. In

either case, the degree to which domains and zones have access to shared networks is a matter of

configuration. Further, both physical and virtual network elements can be linked with existing Ethernet

VLANs and IP over InfiniBand partitions integrating these physical and virtual worlds into a holistic

network architecture.

Database Isolation

There are a variety of ways that database isolation can be achieved. Physical separation is generally

viewed as one of the best methods and can be achieved by dedicating a single physical system to run an

Oracle Database 11gR2 domain. Hypervisor-mediated isolation using Oracle VM Server for SPARC is

a great option when database workloads must securely share physical resources with other workloads

running on the same physical platform.

Another isolation strategy involves the operation of multiple database instances within the same

operating system image. Multi-instance database isolation is achieved through a combination of

database and operating system-level controls, including dedicated credentials (e.g., users, groups, roles,

etc.), dedicated table spaces, as well as resource controls.

The Oracle Database Vault option includes a mandatory access control model to enforce isolation

using logical realms within a single database. Logical realms form a protective boundary around

existing application tables by blocking administrative accounts from having ad-hoc access to

application data. Similarly, Oracle Database Vault command rules enable policy-based controls that

limit who, when, where, and how the database and application data is accessed, creating a trusted path

to application data. Oracle Database Vault factors can be employed to further restrict access based

upon time of access, source IP address, and other criteria.

The Oracle Virtual Private Database capability enables the creation of policies that enforce fine-grained

access to database tables and views at the row and column levels. Oracle Virtual Private Database

provides security portability because policies are associated with database objects and are automatically

applied no matter how the data is accessed. Oracle Virtual Private Database can therefore be used to

provide isolation at the database tablespace level.

Finally, the Oracle Label Security option is used to classify data and mediate access to that data based

upon its classification. Organizations can define classification strategies that best support their needs,

whether hierarchical or disjoint. This capability allows information stored at different classification

levels to be isolated at the row-level within a single table space.

Storage Isolation

The Oracle Exadata Storage Servers are isolated from the rest of the architecture through the use of

InfiniBand partitioning. By default, these cells are assigned to a partition that is only accessible by

Oracle Database 11gR2 domains. The storage managed by the Oracle Exadata Storage Servers can be

further sub-divided using Oracle’s Automatic Storage Management (ASM) facility to create individual

realms that each can have their own security policies.

The Sun ZFS Storage Appliance leverages a similar strategy by using InfiniBand partitions to isolate the

domains and zones with which it is able to communicate. By default, the Sun ZFS Storage Appliance is

placed into its own InfiniBand partition, separate from the Oracle Exadata Storage Servers. The use of

ZFS pools, datasets, and volumes allows organizations to further carve up storage into more granular

units that can have their own security policies.

Access Control

Controlling access to systems, services, and information is paramount for most customers.

Organizations need to be able to define flexible access policies to ensure that their users and

administrators have the right levels of access available to them at the right time. To protect application

data, workloads and the underlying infrastructure on which it all runs, the Oracle SuperCluster offers

comprehensive yet flexible access control capabilities for both users and administrators.

Workload Access Control

The Oracle Solaris operating system includes a variety of methods to authenticate users accessing

system services. While traditional user name and password pairs are still widely used, stronger methods

of authentication can be easily integrated using the Oracle Solaris pluggable authentication modules

(PAM) architecture, allowing the use of LDAP, Kerberos, and public key authentication. The

framework can further be extended to enable the use of smart cards, secure tokens, and other devices,

enabling Oracle Solaris to integrate into an organization’s existing identity and access management

architecture.

Oracle Solaris supports a comprehensive role-based access control (RBAC) facility allowing

organizations the flexibility of delegating user and administrative access based upon need. Eliminating

the notion of an all-powerful super-user, the RBAC capability in Oracle Solaris enables separation of

duty and supports the notion of administrative roles, authorizations, fine-grained privileges and rights

profiles that collectively are used to assign rights to users and administrators. RBAC is integrated with

other core Oracle Solaris services including the Oracle Solaris Service Management Framework (SMF)

and Oracle Solaris Zones to provide a consistent architecture to support all operating system level

access control needs.

Further, Oracle VM Server for SPARC leverages the RBAC capability in Oracle Solaris as a foundation

for its access control architecture, allowing organizations to manage, control, and audit operating

system and virtualization management access from a centralized authority.

Network Access Control

Beyond simple network-level isolation, fine-grained access control policies can be instituted at the

device level. All of the devices in the Oracle SuperCluster platform include the ability to limit network

access to services either using architectural methods (e.g., network isolation) or using packet filtering

and/or access control lists to limit communication to, from and between physical and virtual devices as

well as to the services exposed by the platform.

The Oracle Solaris operating systems support a "secure by default" posture where no network services

except Secure Shell are enabled to accept in-bound network traffic. Other enabled network services

listen internally for requests within the Oracle Solaris operating system (or zone). This ensures that all

network services are disabled by default or are set to listen for local system communications only.

Organizations are free to customize this configuration based upon their requirements.
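
One way to check that posture on a running system, as an added example that is not part of the Oracle paper: the Python below parses listening TCP sockets and reports any that accept non-loopback traffic on a port other than Secure Shell. The sample input is constructed in the layout of Solaris `netstat -an` output, and the port 22 allow-list and all function names are assumptions.

```python
"""Audit listening TCP sockets against an 'only Secure Shell accepts
in-bound network traffic' policy."""
from dataclasses import dataclass

# Constructed sample (not captured from a real system), laid out the way
# Solaris `netstat -an -P tcp` prints sockets: address and port are joined
# by a dot ("*.22", "127.0.0.1.25") and the socket state follows the counters.
SAMPLE_NETSTAT = """\
TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q    State
-------------------- -------------------- ----- ------ ----- ------ -----------
      *.22                 *.*                0      0 128000      0 LISTEN
127.0.0.1.25               *.*                0      0 128000      0 LISTEN
127.0.0.1.631              *.*                0      0 128000      0 LISTEN
      *.111                *.*                0      0 128000      0 LISTEN
192.0.2.10.1521            *.*                0      0 128000      0 LISTEN
192.0.2.10.22        192.0.2.77.51544     64128      0 128872      0 ESTABLISHED

TCP: IPv6
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q    State
-------------------- -------------------- ----- ------ ----- ------ -----------
::1.25                     *.*                0      0 128000      0 LISTEN
      *.22                 *.*                0      0 128000      0 LISTEN
"""


@dataclass(frozen=True)
class Listener:
    address: str  # "*" means every local address
    port: int

    @property
    def local_only(self) -> bool:
        """True when the socket is bound to a loopback address."""
        return self.address.startswith("127.") or self.address == "::1"


def parse_listeners(netstat_text: str) -> list:
    """Return one Listener per socket in the LISTEN state."""
    listeners = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # Skip headers, separators, blank lines and non-listening sockets.
        if "LISTEN" not in fields[1:]:
            continue
        # The port is whatever follows the last dot of the local address.
        address, dot, port = fields[0].rpartition(".")
        if not dot or not port.isdigit():
            continue
        listeners.append(Listener(address, int(port)))
    return listeners


def exposed_listeners(listeners, allowed_ports=frozenset({22})) -> list:
    """Listeners reachable from the network on a port outside the allow-list.

    Assumption: Secure Shell listens on its default port, 22.
    """
    return [
        item for item in listeners
        if not item.local_only and item.port not in allowed_ports
    ]


if __name__ == "__main__":
    for item in exposed_listeners(parse_listeners(SAMPLE_NETSTAT)):
        print(f"unexpected network listener: {item.address}.{item.port}")
```

Services deliberately opened to clients are added to `allowed_ports`, so the report lists only listeners that deviate from the documented configuration.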

When using Ethernet or IP over InfiniBand, the Oracle Solaris operating system supports network and

transport layer (stateful) packet filtering using the Oracle Solaris IP Filter feature. IP Filter offers a

wide array of host-based network capabilities including stateful packet filtering, network address

translation, and port address translation.

Database Access Control

At the operating system level, it is important to use different accounts to ensure job role separation for

database instances and storage administrators, including those supporting Automatic Storage

Management (ASM) functions. Within the Oracle Database, users can be assigned specific privileges

and roles to ensure that users have access to only those data objects to which they are authorized. This

keeps data from being shared across databases or among schemas unless explicitly permitted.

In addition to the password-based authentication available in the Oracle Database, the Oracle

Advanced Security option enables organizations to implement strong authentication using public key

credentials or by leveraging existing RADIUS or Kerberos infrastructure. Further, using Oracle

Enterprise User Security, the database can also be integrated with existing LDAP repositories for

authentication and authorization. Collectively, these capabilities can be used to provide higher

assurance of the identity of users connecting to the database.

Oracle Database Vault can be used to manage administrative and privileged user access, controlling

how, when and where application data can be accessed. Oracle Database Vault protects against misuse

of stolen login credentials, application bypass, and unauthorized changes to applications and data,

including attempts to make copies of application data. Oracle Database Vault is transparent to most

applications and day-to-day tasks, and can support multi-factor authorization policies, allowing for

secure enforcement of policy without disrupting business operations.

Separation of duties is also critical at every layer of the architecture to reduce the risk of collusive

behavior and prevent inadvertent errors. Oracle Database Vault has the ability to enforce separation of

duties to ensure that account management, security administration, resource management, and other

functions are granted only to those users authorized to have those privileges.

Storage Access Control

To minimize the attack surface, the Oracle Exadata Storage Servers and the Sun ZFS Storage

Appliance do not support administration or customization outside of their management interfaces.

There are no users defined on these systems, and it is expected that these devices will be viewed as

fixed-function appliances that have been optimized and hardened for their specific purpose.

Oracle Automatic Storage Management, available on the Oracle Exadata Storage Servers, supports

three access control modes – open security, ASM-scoped security, and database-scoped security. Open

security, as the name suggests, allows any database to access any of the disks managed by ASM.

ASM-scoped security, on the other hand, allows multiple databases assigned to one or more ASM clusters to

share specific disks. Database-scoped security, the most fine-grained level of access control, ensures

that only specific databases are able to access specific disks. While organizations are encouraged to

select the most appropriate model for their situation, it should be noted that it is not recommended to

mix ASM-scoped and database-scoped security in the same ASM environment.

In addition to its overall access control mode, ASM also supports the assignment of access controls at

the disk group and file level as well to ensure that access to content stored on disk is only available to

authorized users. Of course, for organizations concerned about the confidentiality of stored database

content, database (table space or column-level) encryption should be considered.

The Sun ZFS Storage Appliance supports a wide array of access control policies that can be applied at

the dataset and volume level for individual users and groups. Further, when storage is shared by the

Sun ZFS Storage Appliance, additional access controls implemented by the sharing protocol (e.g.,

NFS) can also be applied to further limit access to authorized systems, services and users.

Cryptographic Services

The requirement to protect and validate information at rest, in transit, and in use often is grounded

upon the use of cryptographic services. From encryption and decryption to digital fingerprint and

certificate validation, cryptography is one of the most widely deployed security controls in modern IT

organizations. The Oracle SuperCluster includes a wealth of capabilities to deliver complete, efficient

and high performance end-to-end cryptography.

Workload Cryptographic Services

The Oracle SPARC T5 processor has been designed with integrated on-chip cryptographic acceleration

to enable strong cryptographic services without sacrificing performance. The SPARC T5 processor can

accelerate the performance of 16 industry-standard cryptographic algorithms in addition to the secure

generation of random numbers. These capabilities can be delivered to operating systems running

directly on SPARC T5 processors or passed through individual domains created using Oracle VM

Server for SPARC.

The Oracle Solaris operating system, by default, takes advantage of the SPARC T5 (directly or virtually

through Oracle VM Server for SPARC) for highly efficient cryptographic operations processed

through the Oracle Solaris Cryptographic Framework. This shared framework is a gathering point for

services providing or using cryptography in the Oracle Solaris operating system. Using the Oracle

Solaris Cryptographic Framework, users, applications and services can be assured that they are not only

using the most optimized algorithms, but they will also seamlessly leverage hardware cryptographic

acceleration as well as hardware security modules (when used). Oracle Solaris supports a full

complement of cryptographic services including Secure Shell, IPsec/IKE, Kerberos, and ZFS

encryption. It also includes integrations that allow applications using OpenSSL or Java to use this

common framework, including any available cryptographic acceleration.

Network Cryptographic Services

While InfiniBand partitioning is supported by the Oracle Solaris operating system for network

isolation, the confidentiality and integrity of communications over an InfiniBand partition should be

protected using a cryptographically secure protocol. For example, Secure Shell provides secure

administrative access to systems and ILOMs, IPsec/IKE (using IP over InfiniBand) can protect

communications between domains or zones, and SSL/TLS can enable secure communications

between applications and other services.

Oracle Solaris includes a kernel-based SSL (KSSL) service that provides a highly optimized SSL proxy

for applications running on the platform. KSSL can be used to SSL-enable applications lacking that

functionality or as a replacement for functionality within the application that may not be able to yield

the same performance benefits. As with everything in Oracle Solaris, KSSL is able to automatically

leverage the underlying hardware-assisted cryptographic capabilities of the SPARC T5 processor.

Database Cryptographic Services

The Oracle Advanced Security option encrypts information in the database using its transparent data

encryption (TDE) functionality. TDE supports both the encryption of application table spaces as well

as the encryption of individual columns within a table. Data that is stored in temporary table spaces as

well as redo logs is encrypted as well. Even when the database is backed up, the data remains encrypted

on destination media, protecting information at rest no matter where it is physically stored.
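
The following is an added example, not taken from the Oracle paper, showing table space and column encryption with TDE on Oracle Database 11gR2, followed by the checks an administrator would run to confirm what is actually encrypted. The `+DATA` disk group, the `APP` schema and its object names, and the wallet password placeholder are assumptions, and `ENCRYPTION_WALLET_LOCATION` is assumed to be set in `sqlnet.ora` already.

```sql
-- Constructed example for Oracle Database 11gR2. Schema APP, its tables,
-- the +DATA disk group and <wallet_password> are assumptions, not values
-- from the white paper.

-- Create the TDE master key in the wallet (one-time step).
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "<wallet_password>";

-- Table space encryption: every segment created here is encrypted on disk,
-- including in backups of the data files.
CREATE TABLESPACE app_secure
  DATAFILE '+DATA' SIZE 1G
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

CREATE TABLE app.payments (
  payment_id  NUMBER        PRIMARY KEY,
  card_number VARCHAR2(19)  NOT NULL,
  amount      NUMBER(12,2)  NOT NULL
) TABLESPACE app_secure;

-- Column encryption: protect one sensitive column of a table that lives
-- in an unencrypted table space.
ALTER TABLE app.customers
  MODIFY (national_id ENCRYPT USING 'AES256');

-- Verification 1: is the wallet open? A closed wallet makes encrypted
-- data unreadable after an instance restart.
SELECT wrl_type, status
FROM   v$encryption_wallet;

-- Verification 2: which table spaces are encrypted, and with what algorithm?
SELECT t.name AS tablespace_name, e.encryptionalg
FROM   v$tablespace t
JOIN   v$encrypted_tablespaces e ON e.ts# = t.ts#;

-- Verification 3: which individual columns are encrypted?
SELECT owner, table_name, column_name, encryption_alg, salt
FROM   dba_encrypted_columns
ORDER  BY owner, table_name, column_name;

-- Verification 4: find APP segments still stored in unencrypted table
-- spaces. Rows returned here are candidates for review (column-level
-- encryption may still cover the sensitive fields).
SELECT s.owner, s.segment_name, s.segment_type, s.tablespace_name
FROM   dba_segments s
JOIN   dba_tablespaces t ON t.tablespace_name = s.tablespace_name
WHERE  s.owner = 'APP'
AND    t.encrypted = 'NO'
ORDER  BY s.segment_name;
```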

The Oracle Advanced Security option (including TDE) is able to take advantage of the cryptographic

acceleration capabilities of the SPARC T5 processor. This allows organizations to protect their

information without having to incur the significant performance penalties typically associated with

software-only encryption methods.

The Oracle Advanced Security option can also be used to encrypt SQL*Net and JDBC traffic using

either native encryption or SSL to protect information while flowing over a network. Both

administrative and application connections can be protected using this mechanism to ensure that data

in motion can be protected. The SSL implementation supports the standard set of authentication

methods including anonymous (Diffie-Hellman), server-only authentication using X.509 certificates,

and mutual (client-server) authentication with X.509.

Monitoring and Auditing

Whether for compliance reporting or incident response, monitoring and auditing is a critical function

that organizations must use to gain increased visibility into their IT environment. The degree to which

monitoring and auditing is employed is often based upon the risk or criticality of the environment

being protected. The Oracle SuperCluster platform has been designed to offer comprehensive

monitoring and auditing functionality at the compute, network, database, and storage layers ensuring

that a wealth of information can be made available to organizations in support of their audit and

compliance requirements.

Workload Monitoring and Auditing

The Oracle Solaris operating system has a very comprehensive auditing facility that can monitor

administrative actions, command-line invocations, and even individual kernel-level system calls. This

facility is highly configurable, offering global, per-zone and even per-user auditing policies. When

configured to use Oracle Solaris Zones, audit records for each zone can be stored in the global zone to

protect them from tampering. Further, Oracle Solaris auditing supports the ability to send audit

records to remote collection points using the system log (syslog) facility. Additionally, many

commercial intrusion detection and prevention services can consume Oracle Solaris audit records as an

additional input for their analysis and reporting.

Oracle VM Server for SPARC leverages the native Oracle Solaris auditing facility to record actions and

events associated with virtualization events and domain administration. Similar to how Oracle VM

Server for SPARC uses the Oracle Solaris RBAC facility for centralized access management, Oracle

Solaris auditing is used to provide a centralized approach to audit record generation, management, and

reporting.

Database Monitoring and Auditing

The Oracle Database supports the notion of fine-grained auditing that allows organizations to establish

policies that more selectively determine when audit records are generated. This helps organizations to

sharpen their focus on more interesting database activities and reduce the clutter that is often

associated with audit activities.
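
As an added illustration (not part of the Oracle paper), the following contrasts blanket object auditing with a fine-grained audit policy on Oracle Database 11gR2, then shows how to review the policy and the records it produces. The `HR.EMPLOYEES` table, the salary threshold and the policy name are assumptions chosen for the example.

```sql
-- Constructed example: HR.EMPLOYEES, the 100000 threshold and the policy
-- name SALARY_ACCESS_FGA are assumptions, not values from the white paper.

-- Broad setting: standard object auditing writes a record for every
-- SELECT and UPDATE against the table, whichever rows or columns are
-- touched. On a busy table this is the "clutter" the text refers to.
AUDIT SELECT, UPDATE ON hr.employees BY ACCESS;

-- Selective setting: remove the blanket audit and replace it with a
-- fine-grained policy.
NOAUDIT SELECT, UPDATE ON hr.employees;

BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema     => 'HR',
    object_name       => 'EMPLOYEES',
    policy_name       => 'SALARY_ACCESS_FGA',
    -- Only statements that touch rows matching this predicate are audited.
    audit_condition   => 'SALARY >= 100000',
    -- ...and only when the statement references this column.
    audit_column      => 'SALARY',
    enable            => TRUE,
    statement_types   => 'SELECT,UPDATE',
    -- Write to the database audit trail and capture SQL text and binds.
    audit_trail       => DBMS_FGA.DB + DBMS_FGA.EXTENDED,
    audit_column_opts => DBMS_FGA.ANY_COLUMNS);
END;
/

-- Review which fine-grained policies exist and whether they are enabled.
SELECT object_schema, object_name, policy_name,
       policy_text, policy_column, enabled, sel, upd
FROM   dba_audit_policies
ORDER  BY object_schema, object_name, policy_name;

-- Review the records the policy generated: who ran what, from where.
SELECT extended_timestamp, db_user, os_user, userhost, sql_text
FROM   dba_fga_audit_trail
WHERE  policy_name = 'SALARY_ACCESS_FGA'
ORDER  BY extended_timestamp;

-- Example of what does and does not produce a record under this policy:
--   SELECT last_name FROM hr.employees;                  -- no SALARY column: not audited
--   SELECT salary FROM hr.employees WHERE salary < 5000; -- no row meets the condition: not audited
--   SELECT last_name, salary FROM hr.employees;          -- audited if any returned row has SALARY >= 100000
```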

Oracle Audit Vault and Database Firewall centralizes the management of database audit settings and

automates the consolidation of audit data into a secure repository. Oracle Audit Vault and Database

Firewall includes built-in reporting to monitor a wide range of activities including privileged user

activity and changes to database structures. The reports generated by Audit Vault enable visibility into

various application and administrative database activities and provide detailed information to support

accountability of actions.

Oracle Audit Vault and Database Firewall also enables the proactive detection and alerting of activities

that may be indicative of attempts at unauthorized access or abuse of system privileges. These alerts

can include both system and user-defined events and conditions, such as the creation of privileged user

accounts or the modification of tables containing sensitive information.

The Oracle Audit Vault and Database Firewall Remote Monitor can reside on an Oracle Database

11gR2 domain to provide real-time database security monitoring by interrogating database connections

to detect malicious traffic including application bypass, unauthorized activity, SQL injection and

other threats. Using a highly accurate SQL grammar-based approach, Oracle Database Firewall can

help organizations to quickly identify suspicious database activity.

Quality of Service

There are many ways in which applications can be attacked that are not focused simply on breaching a

boundary or subverting access control policy. In fact, the availability of applications and information is

often viewed as an IT security concern. The Oracle SuperCluster platform provides a number of

capabilities that are intended to help detect and prevent resource exhaustion attacks, denial of service

and accidental or intentional faults that can impact the availability of services and data.

Workload Quality of Service

Oracle VM Server for SPARC supports the dynamic reconfiguration of virtual CPUs, memory, and

physical I/O devices. This allows an organization to quickly respond to changes in demand, shifting

resources to where they are needed. Further, by defining resource policies for each domain,

organizations can ensure that activity in one domain will not starve other domains of their needed

resources.

Similarly, the Oracle Solaris operating system has an array of dynamic resource controls that can be

employed globally as well as at a zone, project, task or process level. Similar to Oracle VM Server for

SPARC, resource controls can be used to limit the consumption of CPUs, memory, core file size, as

well as limit the number of processes, file descriptors, and many other parameters. Depending on the

actual configuration and needs of the organization, one or more of these parameters can be defined to

help ensure that applications and services running in the Oracle Solaris operating system, including in

zones, only consume their fair share of resources and do not adversely impact other services running

on the system. In addition, the Oracle Solaris 11 operating system supports the ability to also define

bandwidth limits that apply to data link devices (such as virtual NICs) as well as to user-defined traffic

flows, enabling organizations to apply limits to network traffic based upon pre-defined packet

attributes.

For applications running in General Purpose domains, Oracle Solaris Cluster is often used to

implement fail-over or clustering for individual zones or domains. Oracle Solaris Cluster can help

organizations reach their survivability goals by ensuring that mission-critical services are monitored and

restarted upon a failure. Based upon an organization’s defined policy, a failed service can be restarted

locally or on another node in the cluster.

Network Quality of Service

Each component of the Oracle SuperCluster platform is configured to have multiple InfiniBand

network interfaces. Further, the platform includes redundant InfiniBand switches allowing each

component to be connected to each switch. Each component’s InfiniBand interfaces are bonded

together to form a single virtual interface allowing the component to continue operation even if a

single interface or switch fails.

Similarly, each SPARC T5-8 node in the Oracle SuperCluster platform includes multiple 10-Gbps

Ethernet interfaces connected to the client access network and multiple 1-Gbps Ethernet interfaces for

management communications. These nodes can leverage Oracle Solaris IP Multipathing (IPMP) and

IEEE 802.3ad Link Aggregation for Ethernet redundancy, helping to ensure continuous network

connectivity even if a single Ethernet interface or switch fails.

The Oracle Solaris 11 operating system also supports a variety of network-level resource controls that

allow organizations to define bandwidth limits at various data link levels, including virtual and physical

NICs, link aggregations, and IP over InfiniBand. These limits can be applied to all, or just a subset of,

traffic flowing through those elements. This allows organizations to categorize and prioritize their

network traffic to ensure that higher priority traffic is favored over less important traffic flows.

Database Quality of Service

Oracle Real Application Clusters (Oracle RAC) can be used to create a clustered database with a shared

cache architecture that overcomes some of the traditional limitations of shared nothing models. As a

result, Oracle RAC can be used to enable highly scalable and available database architectures.

Oracle Database Quality of Service Management (QoS Management) is an automated, policy-based

solution that monitors the workload requests of an entire system. QoS Management correlates accurate

run-time performance and resource metrics, analyzes the data to identify bottlenecks, and produces

recommended resource adjustments to maintain performance objectives under dynamic load

conditions.

In addition, the Oracle Database includes a variety of tools to enable multiple databases to operate

under the same operating system. Oracle Database Resource Manager (DBRM) and Instance Caging,

for example, support the ability to dynamically control access to CPU resources using fine-grained

methods to ensure that workloads running in the database have access to their fair share of compute

resources. Further, DBRM also can control the degree of parallelism, the number of active sessions,

and other shared resources to protect one database from monopolizing resources needed in shared

database architectures.

Storage Quality of Service

To ensure reliable, high performance access to databases stored on Oracle Exadata Storage Servers,

Oracle Automated Storage Management offers a variety of storage mirroring options for ASM Disk

Groups, including: normal redundancy (two-way mirroring), high redundancy (three-way mirroring)

and external redundancy (no mirroring). Typically, organizations will use external redundancy when

their storage is already being mirrored or otherwise protected at the hardware level. In addition to

mirroring, ASM supports the notion of Failure Groups that can be used to ensure that mirrored

storage is placed on different Oracle Exadata Storage Servers.

The I/O Resource Manager (IORM) is available as part of the Oracle Exadata Storage Server and is

used to manage inter- and intra-database I/O resources. This allows not only different databases with

different performance requirements to share a common Oracle Exadata Storage Server pool, but even

multiple workloads within the same database can have their own resource policies. This flexible

architecture allows organizations to ensure that critical workloads and databases are not I/O

constrained when operating on a consolidated architecture.

Security Management

Having collections of security controls and capabilities is necessary to properly secure individual

applications and services. However, it is equally important to have comprehensive management

capabilities that assist organizations in sustaining the security of their deployed services and systems.

The Oracle SuperCluster leverages the security management capabilities of a variety of products

including Oracle Integrated Lights Out Manager, Oracle Enterprise Manager Ops Center, Oracle

Enterprise Manager, and Oracle’s Identity Management Suite.

Integrated Lights Out Manager (ILOM)

Oracle Integrated Lights Out Manager (ILOM) is the service processor embedded in the Oracle

SuperCluster’s compute and storage servers. It is used to perform out-of-band management activities.

Oracle Integrated Lights Out Manager offers a variety of secure mechanisms allowing organizations

to perform secure lights out management of their compute and storage servers, including web-based

access protected by SSL, command-line access using Secure Shell, as well as IPMI v2.0 and

SNMPv3.

Oracle ILOM supports separation of duty requirements using a role-based access control model.

Individual users are assigned to specific roles that limit the functions that can be performed. In this

manner, organizations can decide which users need full administrative access versus those that may

simply need the ability to audit ILOM settings (read-only access), access remote host consoles, or

control host power.

To ensure accountability, the Oracle ILOM records all logins and configuration changes. Each audit

log entry notes the user performing the action as well as a timestamp. This allows organizations to

detect unauthorized activity or changes as well as attribute those actions back to specific users.

Oracle Enterprise Manager Ops Center

Part of the Oracle Enterprise Manager suite, Oracle Enterprise Manager Ops Center is a converged

hardware management solution that provides a single administrative interface for servers, operating

systems, firmware, virtual machines, zones, storage, and network fabrics. Oracle Enterprise Manager

Ops Center is installed by default on the Oracle SuperCluster platform.

From a security perspective, Oracle Enterprise Manager Ops Center can be used to assign

administrative access to collections of physical and virtual systems, monitor administrator activity,

detect faults as well as configure and manage alerts. Further, Oracle Enterprise Manager Ops Center

supports a variety of reports that allow organizations to compare their systems against known

configuration baselines, patch levels, and security vulnerabilities.

Oracle Enterprise Manager

Oracle Enterprise Manager suite is a comprehensive and integrated cloud management solution that

focuses on lifecycle management of applications, middleware, and databases, as well as physical and

virtual infrastructure (using Oracle Enterprise Manager Ops Center).

In the context of Oracle SuperCluster, it is important to highlight that the application, middleware

and database management functionality supports detailed monitoring, event notification, patch and

change management, as well as continuous configuration and compliance management and

reporting.

In particular, Oracle Enterprise Manager allows organizations to centrally maintain security

configuration settings as well as access control and auditing policies for groups of databases. Access

to these functions can be limited to authorized individuals ensuring that management access

supports compliance mandates for separation of duty, least privilege and accountability.

The Oracle Enterprise Manager platform also supports strong authentication using a variety of

methods, fine-grained access controls, and comprehensive auditing, ensuring that even the

management of the Oracle SuperCluster environment can be accomplished in a secure manner.

Oracle Identity Management Suite

Oracle Identity Management suite manages the end-to-end lifecycle of user identities and accounts

across an organization. The Oracle Identity Management suite includes support for single sign-on,

web-based access control, web services security, identity administration, strong authentication, as well

as identity and access governance.

In the context of Oracle SuperCluster, Oracle Identity Management can be used as a single point for

managing identity and access to not only applications and services running on the Oracle SuperCluster

platform, but also for the underlying infrastructure and services used to manage it.

Oracle Key Manager

Oracle Key Manager is a comprehensive key management system (KMS) designed to simplify the

management and monitoring of encryption keys used to protect information at rest. Oracle Key

Manager supports enterprise-class environments with a highly scalable and available architecture that

can manage thousands of devices and millions of keys. It operates on a hardened operating

environment, enforces strong access control and role separation for key management and monitoring

operations, and optionally supports the secure storage of keys in Oracle’s Sun Crypto Accelerator 6000

PCIe Card, a FIPS 140-2 rated hardware secure module.

In the context of Oracle SuperCluster, the Oracle Key Manager can authorize, secure and manage

access to encryption keys used by Oracle StorageTek encrypting tape drives, Oracle Databases

encrypted using Transparent Data Encryption as well as encrypted ZFS file systems available on the

Oracle Solaris 11 operating system.

General Recommendations and Considerations

The Oracle SuperCluster platform includes an impressive collection of layered security controls that

can be tailored to meet an organization’s specific policies and requirements. It is important that

organizations understand how to best utilize these capabilities as well as integrate them into their

existing IT security architecture. Further, organizations are reminded that effective IT security must

integrate people, process, and technology aligned by policy and vetted using solid risk management and

governance practices. In this section, general recommendations and considerations will be offered to

guide organizations in architectural, deployment and operational dimensions.

Architectural

The following architecture best practices are recommended:

Organizations should leverage a unified approach to identity and access management by integrating

the Oracle SuperCluster platform components as well as its deployed services with an organization’s

existing identity and access management architecture. The Oracle Solaris operating system and

Oracle Database in particular support a wide array of open and standard protocols that allow those

products to be more easily integrated with existing identity and access management deployments.

Organizations should consider the use of intrusion prevention systems to monitor network traffic

flowing to and from the Oracle SuperCluster platform. Such systems will enable the identification of

suspicious communications, potential attack patterns, as well as unauthorized access attempts.

Organizations looking for increased visibility within the Oracle SuperCluster platform are

encouraged to consider the use of host-based intrusion detection and prevention systems. By

leveraging the fine-grained auditing capabilities of the Oracle Solaris operating system and Oracle

Database, host-based systems will have a greater likelihood of detecting inappropriate actions and

unauthorized activity.

Similarly, organizations are also encouraged to consider the use of application and network-layer

firewalls that can protect information flowing to and from the Oracle SuperCluster platform. Often

filtering network ports serves as the first line of defense in preventing unauthorized access to

systems and services. Just as with host-based intrusion detection services, organizations looking to

realize more fine-grained control of communications between components of the Oracle

SuperCluster platform are encouraged to consider both network-level segmentation using Ethernet

VLANs or InfiniBand Partitions as well as host-based firewalls to enforce inbound and outbound

network policy at the host level.

Lastly, organizations should consider the use of centralized audit and log repositories to aggregate

their security-relevant information for improved correlation, analysis and reporting. Most modern

security event and incident management systems support a wide array of protocols that can be used

for data gathering from network devices, operating systems, databases and applications. By collecting

and storing this information in a centralized (and protected) location, organizations can also improve

the quality and effectiveness of their security incident and forensic response processes. The

information that is needed for this kind of analysis will be safely stored away from systems and

applications that may have been compromised. It should be noted that for this kind of approach to

be most effective, organizations should also leverage the network time protocol service to ensure

that time is aligned across devices, systems, and software.

Deployment

The following deployment best practices are recommended:

Organizations are encouraged to utilize protocols that support strong authentication and encryption

of network communications. This protects the confidentiality and integrity of communications and is

important when communicating with services deployed on the Oracle SuperCluster platform as well

as when managing the platform using its administrative interfaces. Organizations should configure

administrative and operational services to use encryption protocols and key lengths that align with

their organizational policies. Cryptographic services provided by the Oracle SuperCluster platform

will also benefit from hardware acceleration, which improves not just security but also overall

performance.

While many of the products integrated into the Oracle SuperCluster platform are configured by

default for secure deployment, organizations often have their own security configuration hardening

standards. Oracle produces security guidance for its products, and content relevant to the Oracle

SuperCluster platform is included in the references section at the end of this document. It is

important for organizations to review this information before attempting to change the security

configuration of Oracle SuperCluster components. In particular, it is important to identify where

existing organizational standards can be improved as well as where supportability issues may limit

what changes can be made to a given component.

Several of the products included in the Oracle SuperCluster platform are shipped with default

administrative passwords. Organizations are strongly encouraged to change these default passwords

as soon as possible to values known only to authorized administrators.

Operational

The following operational best practices are recommended:

While it is relatively straightforward to configure the Oracle SuperCluster platform for use in a

secure deployment, it is important that organizations understand that security must be maintained

throughout the life cycle of the platform and its deployed services. As such, organizations are

encouraged to utilize tools that will help detect unauthorized changes, configuration drift, as well as

security patches that have yet to be applied. The Oracle Enterprise Manager suite of tools offers

organizations an integrated solution for managing such operational issues from the hardware

through any deployed applications and services.

Further, organizations are encouraged to regularly evaluate the users and administrators with access

to the Oracle SuperCluster platform and its deployed services to verify if the levels of access and

privilege are appropriate. Over time, without review, the level of access granted to individuals tends

to increase without bound. It is recommended that access rights (for both operational and

administrative access) be reviewed to ensure that each user’s level of access is aligned to their roles

and responsibilities.

Conclusion

Collectively, the extensive set of security controls and capabilities available on the Oracle SuperCluster

platform provides a well-rounded security foundation upon which organizations can deploy their

services. More important, however, is the balance that has been achieved between the tight

integration of its components and the level of configuration and operational flexibility that allows

organizations to customize the security posture of the Oracle SuperCluster platform based upon their

policies and requirements. This reinforced yet flexible security architecture makes this engineered

system an ideal platform for organizations consolidating applications and databases, operating multi-

tier enterprise applications, or delivering multi-tenant application services.

References

General White Papers and Documentation

“Oracle SuperCluster T5-8: Servers, Storage, Networking and Software – Optimized and Ready to Run”:

http://www.oracle.com/us/products/servers-storage/servers/sparc/supercluster/supercluster-t5-8/ssc-t5-8-wp-1964621.pdf

Product Security Guides

Oracle Integrated Lights Out Manager Security Guide

http://docs.oracle.com/cd/E24707_01/pdf/E24526.pdf

Oracle Sun Datacenter InfiniBand Switch 36 Hardware Security Guide

http://docs.oracle.com/cd/E19197-01/E26701/E26701.pdf

Oracle SPARC T5 Series Servers Security Guide

http://docs.oracle.com/cd/E35199_01/pdf/E29503.pdf

Secure Deployment of Oracle VM Server for SPARC

http://www.oracle.com/technetwork/articles/systems-hardware-architecture/secure-ovm-sparc-deployment-294062.pdf

Oracle Solaris 10 Operating System Security Guidelines

http://docs.oracle.com/cd/E23823_01/pdf/E23335.pdf

Oracle Solaris 11 Operating System Security Guidelines

http://docs.oracle.com/cd/E23824_01/pdf/819-3195.pdf

Oracle Database 11g Release 2 Security Guide

http://www.oracle.com/pls/db112/to_pdf?pathname=server.112/e10575.pdf

Security White Papers and Documentation

Oracle VM Server for SPARC

Increasing Application Availability by Using the Oracle VM Server for SPARC Live Migration Feature: An Oracle Database Example

http://www.oracle.com/technetwork/server-storage/vm/ovm-sparc-livemigration-1522412.pdf

Oracle Solaris 11 Operating System

Oracle Solaris 11 Network Virtualization and Network Resource Management

http://www.oracle.com/technetwork/server-storage/solaris11/documentation/o11-137-s11-net-virt-mgmt-525114.pdf

Effective Resource Management Using Oracle Solaris Resource Manager

http://www.oracle.com/technetwork/articles/servers-storage-admin/o11-055-solaris-rm-419384.pdf

Oracle Database 11g

Oracle Defense in Depth Guide

http://www.oracle.com/technetwork/database/security/sol-home-086269.html

Cost Effective Security and Compliance with Oracle Database 11g Release 2

http://www.oracle.com/technetwork/database/security/owp-security-database-11gr2-134651.pdf

Oracle Advanced Security with Oracle Database 11gR2

http://www.oracle.com/technetwork/database/owp-security-advanced-security-11gr-133411.pdf

Oracle Advanced Security Transparent Data Encryption Best Practices

http://www.oracle.com/technetwork/database/security/twp-transparent-data-encryption-bes-130696.pdf

Oracle Database Vault with Oracle Database 11gR2

http://www.oracle.com/technetwork/database/security/owp-security-database-vault-11gr2-1-131473.pdf

DBA Administrative Best Practices with Oracle Database Vault

http://www.oracle.com/technetwork/database/security/twp-databasevault-dba-bestpractices-199882.pdf

Oracle Label Security with Oracle Database 11gR2

http://www.oracle.com/technetwork/database/security/owp-security-label-security-11gr2-133601.pdf

Effective Resource Management Using Oracle Database Resource Manager

http://www.oracle.com/technetwork/articles/servers-storage-admin/o11-056-oracledb-rm-419380.pdf

Oracle Middleware

“High Performance Security for Oracle WebLogic Applications using SPARC T5 and SPARC M5 servers”: http://www.oracle.com/technetwork/articles/systems-hardware-architecture/security-weblogic-t-series-168447.pdf

“Securing E-Business Suite Applications using Oracle Solaris 11 on SPARC T5 and SPARC M5 servers”:

http://www.oracle.com/technetwork/server-storage/sun-sparc-enterprise/documentation/o13-044-t5-ebssecurity-1964593.pdf

High Performance Security for Oracle WebLogic Applications Using Oracle SPARC T-Series Servers

http://www.oracle.com/technetwork/articles/systems-hardware-architecture/security-weblogic-t-series-168447.pdf

High Performance Security for SOA and XML Web Services Using Oracle SPARC T-Series Servers

http://www.oracle.com/technetwork/articles/systems-hardware-architecture/hi-perf-soa-xml-svcs-172821.pdf

Oracle SuperCluster T5-8 Platform Security Principles and Capabilities

August 2013

Author: Glenn Brunette, Ramesh Nagappan, Joel Weise

Oracle Corporation

World Headquarters

500 Oracle Parkway

Redwood Shores, CA 94065

U.S.A.

Worldwide Inquiries:

Phone: +1.650.506.7000

Fax: +1.650.506.7200

oracle.com

Copyright © 2013, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.

Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark licensed through X/Open Company, Ltd. 0112