Wednesday, November 3, 2010

Cloud Computing

This page gives a brief overview of cloud services.

Following are some commonly used terms:
Cloud Computing (wikipedia)
Broadly, servers, virtualisation software, networking and storage are required to form a cloud. The following components form a complete cloud:
· Scalable, powerful and cheap servers
· Integrated, virtualised, and hugely scalable storage
· Virtualised 10GbE network switching infrastructure
· Fibre Channel over Ethernet capability to link servers and storage across Ethernet
· Disaster recovery capabilities
· Service-quality tracking and control
· Management of a virtualised data centre
Cloud architecture was used by Web 2.0, but due to changing economies more enterprises are adopting it for its pay-per-usage model. Virtualization enables a cloud to offer more services than it could without virtualization, e.g. PaaS.
Private Cloud
A smaller cloud than a conventional one. It is a cloud-like IT system within a firewall, offering similar services but to a closed internal network. A private cloud can be expanded to contain resources from within an enterprise (on premise) as well as from an external cloud (off premise).
Public Cloud
A cloud available to anyone over the internet. Examples are Amazon Elastic Compute Cloud (EC2), IBM's Blue Cloud, Sun Cloud, Google AppEngine and Windows Azure Services Platform.
Service Provider
Entity providing cloud services to others.
Service User
Entity consuming a cloud service.
Cloud Services
There are various cloud services:
Infrastructure as a Service (IaaS) (wikipedia)
The service user gets infrastructure to run applications without spending on hardware (saving CapEx), e.g. a configured VM.
Platform as a Service (PaaS) (wikipedia)
The service user gets a platform to develop and run applications on the cloud without spending on cloud infrastructure, e.g. Azure, Google AppEngine.
Software as a Service (SaaS) (wikipedia)
The service user gets software to use without spending on software licenses and hardware, e.g. eXpresso, Google Apps.
Storage as a Service (STaaS)
The service user gets storage to use without spending on storage hardware, e.g. Synaptic, Mozy; T-systems, BT, etc. also offer storage services for enterprises.
NOTE: The Synaptic service is offered by AT&T, a telco. It makes perfect sense for a telco to offer such a service because they already have the network to deliver it. So, they can offer better value for money to subscribers.

New Security Features in Oracle 11g

Finding User Accounts That Have Default Passwords

When you create a database in Oracle Database 11g Release 1 (11.1), most of its default accounts are locked with the passwords expired. If you have upgraded from an earlier release of Oracle Database, you may have user accounts that have default passwords. These are default accounts that are created when you create a database, such as the HR, OE, and SCOTT accounts.
For greater security, change the passwords for these accounts. Using a default password that is commonly known can make your database vulnerable to attacks by intruders. To find both locked and unlocked accounts that use default passwords, log in to SQL*Plus using the SYSDBA privilege and then query the DBA_USERS_WITH_DEFPWD data dictionary view.
For example, to find the names of accounts that have default passwords together with the status of each account:

sqlplus SYS AS SYSDBA
Enter password: password

-- Join the default-password view to DBA_USERS to get each account's status
SELECT d.username, u.account_status
FROM DBA_USERS_WITH_DEFPWD d, DBA_USERS u
WHERE d.username = u.username ORDER BY 2,1;

USERNAME  ACCOUNT_STATUS
--------- ---------------------------
Then change the passwords for any accounts that the DBA_USERS_WITH_DEFPWD view lists. Oracle recommends that you do not assign these accounts passwords that they may have had in previous releases of Oracle Database.
Automatically Locking a User Account After a Failed Login
Oracle Database can lock a user's account after a specified number of consecutive failed log-in attempts. You can set the PASSWORD_LOCK_TIME user's profile parameter to configure the account to unlock automatically after a specified time interval or to require database administrator intervention to be unlocked. The database administrator also can lock accounts manually, so that they must be unlocked explicitly by the database administrator.
You can specify the permissible number of failed login attempts by using the CREATE PROFILE statement. You can also specify the amount of time accounts remain locked.
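
The lockout settings described above, as an added example that is not part of the original post or of Oracle's documentation. The profile name lockout_demo_profile, the account jones, and the limits (5 attempts, 1 hour) are illustrative assumptions.

```sql
-- Added example; lockout_demo_profile and the limits below are placeholders.
-- FAILED_LOGIN_ATTEMPTS: consecutive failed logins before the account locks.
-- PASSWORD_LOCK_TIME is expressed in days: 1/24 unlocks automatically after
-- one hour; UNLIMITED keeps the account locked until a DBA unlocks it.
CREATE PROFILE lockout_demo_profile LIMIT
  FAILED_LOGIN_ATTEMPTS 5
  PASSWORD_LOCK_TIME    1/24;

-- Attach the profile to an account (jones is a sample account name).
ALTER USER jones PROFILE lockout_demo_profile;

-- Confirm which lockout limits now apply to that account.
SELECT u.username, p.resource_name, p.limit
FROM   dba_users u
JOIN   dba_profiles p ON p.profile = u.profile
WHERE  u.username = 'JONES'
AND    p.resource_name IN ('FAILED_LOGIN_ATTEMPTS', 'PASSWORD_LOCK_TIME');

-- List locked accounts. ACCOUNT_STATUS shows LOCKED(TIMED) when the lock came
-- from failed logins and LOCKED when an administrator locked it manually.
SELECT username, account_status, lock_date
FROM   dba_users
WHERE  account_status LIKE '%LOCKED%'
ORDER  BY lock_date;

-- Manual lock and explicit unlock by the database administrator.
ALTER USER jones ACCOUNT LOCK;
ALTER USER jones ACCOUNT UNLOCK;
```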

Password Case Sensitivity

In previous releases of Oracle Database, passwords were not case sensitive. If you import user accounts from a previous release, for example, Release 10g, into the current database release, the case-insensitive passwords in these accounts remain case insensitive until the user changes his or her password. If the account was granted SYSDBA or SYSOPER privilege, it is imported to the password file. When a password from a user account from the previous release is changed, it then becomes case sensitive.

You can find users who have case sensitive or case insensitive passwords by querying the DBA_USERS view. The PASSWORD_VERSIONS column in this view indicates the release in which the password was created. For example:

USERNAME                       PASSWORD_VERSIONS
------------------------------ -----------------
JONES                          10G 11G
ADAMS                          10G 11G
CLARK                          10G 11G
PRESTON                        11G
BLAKE                          10G
The passwords for accounts jones, adams, and clark were originally created in Release 10g and then reset in Release 11g. Their passwords, assuming case sensitivity has been enabled, are now case sensitive, as is the password for preston. However, the account for blake is still using the Release 10g standard, so it is case insensitive. Ask him to reset his password so that it will be case sensitive, and therefore more secure.
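
An added audit query (not from the original post or from Oracle's documentation) that combines the two dictionary views discussed on this page to list every account that still needs a password reset. The column aliases case_insensitive_only and default_password are names chosen for this example.

```sql
-- Added example: report accounts that need a password reset, either because
-- the password has never been reset under Release 11g (no 11G entry in
-- PASSWORD_VERSIONS, so it is still case insensitive) or because the account
-- appears in DBA_USERS_WITH_DEFPWD (it still uses a default password).
SELECT u.username,
       u.account_status,
       u.password_versions,
       CASE
         WHEN u.password_versions LIKE '%11G%' THEN 'NO'
         ELSE 'YES'
       END AS case_insensitive_only,
       CASE
         WHEN d.username IS NOT NULL THEN 'YES'
         ELSE 'NO'
       END AS default_password
FROM   dba_users u
LEFT JOIN dba_users_with_defpwd d
       ON d.username = u.username
-- PASSWORD_VERSIONS is NULL for accounts that do not authenticate with a
-- database password (for example, externally identified users); skip them.
WHERE  u.password_versions IS NOT NULL
AND   (u.password_versions NOT LIKE '%11G%'
       OR d.username IS NOT NULL)
-- Open accounts sort after locked or expired ones; review them first.
ORDER  BY u.account_status, u.username;
```

Run against the sample listing above, this would return only BLAKE (10G only), plus any account that the DBA_USERS_WITH_DEFPWD view reports.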

Ensuring Against Password Security Threats by Using the SHA-1 Hashing Algorithm

The SHA-1 cryptographic hashing algorithm protects against password-based security threats by including support for mixed case characters, special characters, and multibyte characters in passwords. In addition, the SHA-1 hashing algorithm adds a salt to the password when it is hashed, which provides additional protection. This enables your users to create far more complex passwords, and therefore, makes it more difficult for an intruder to gain access to these passwords. Oracle recommends that you use the SHA-1 hashing algorithm.
Many password cracking tools rely on access to the Oracle Database data dictionary. The tool must first obtain the hash values of the password by using an administrator account or by gaining direct access to the hash values that are stored on media such as backup tapes or disk drives containing database files. (For this reason, it is a good idea to encrypt backup media that contains database files.) The cracking tools then use clear text password combinations to create the new hash, match the new hash with the existing hash, and thus obtain an existing password.
You optionally can configure Oracle Database to run in exclusive mode for Release 11 or later. When you enable exclusive mode, then Oracle Database uses the new SHA-1 hashing algorithm exclusively. Oracle Database 11g exclusive mode is compatible with Oracle Database 10g and later products that use OCI-based drivers, including SQL*Plus, ODBC, Oracle .NET, Oracle Forms, and various third-party Oracle Database adapters. However, be aware that exclusive mode for Release 11g is not compatible with JDBC type-4 (thin) versions earlier than Oracle Database 11g or Oracle Database Client interface (OCI)-based drivers earlier than Oracle Database 10g. After you configure exclusive mode, Oracle recommends that you remove the old password hash values from the data dictionary.
Follow these steps:
  1. Change all old passwords to include mixed case and special characters.
  2. Verify that the passwords in test scripts or batch jobs are consistent in their use of mixed case and special characters.
  3. Enable exclusive mode.
    1. Create a backup copy of the sqlnet.ora parameter file, by default located in the $ORACLE_HOME/network/admin directory on UNIX operating systems and the %ORACLE_HOME%\network\admin directory on Microsoft Windows operating systems.
    2. Ensure that the sqlnet.ora file has the following line:
    3. Save and exit the sqlnet.ora file.
    4. If necessary, restart the listener. At a command prompt, enter the following commands:
      lsnrctl STOP listener_name
      lsnrctl START listener_name
      listener_name is the name of the listener defined in the listener.ora file. You do not need to identify the listener if you are using the default listener, named LISTENER.