eMarcel.com

Oracle Database, Fusion Middleware, Linux

Securing Home Network with SOPHOS UTM IDS

Traditionally, households connect to the internet through a modem supplied by the ISP. Modern modems come with a built-in basic router and Wi-Fi access point: plug it in, activate the service and enjoy the vast ocean of content available on the internet. But what if the “internet” tried to browse our home network?

Cyber threat real-time map: cybermap.kaspersky.com

Are these traditional devices strong enough to secure a home network against internet threats, or to keep children away from unwanted content? Unfortunately not. Their role is to provide internet service at a basic level of security. A home network needs something more than a simple modem to raise that level. Here comes an enterprise-grade firewall with an Intrusion Detection System: Sophos UTM Home Edition. And guess what, it is free!

Example of a traditional home network topology:

Traditional Home Network

A typical home network has a cable modem, provided by the Internet Service Provider (ISP), connected directly to the internet. Even at this stage the home network may be exposed to all kinds of attacks. A common example is a modem left with its factory defaults: the default access point name and the default administrator and Wi-Fi passwords. Always change the default settings and passwords of every new network appliance before putting it into service.

Network Protection Statistics

Most modems ship with a basic firewall and a pre-configured Wi-Fi access point and are ready to work as soon as the modem has been connected and activated. Users simply connect their wireless devices to the access point and that’s it. This is a very common home network setup. But do we really know what is going on under the hood? Few attackers are interested in breaking into a particular home network by hand, but there are plenty of automated scripts and bots scanning for vulnerable networks that can be compromised and later used for malicious purposes.

What is an Intrusion Detection System?

An IDS is a device or software application that monitors a network or systems for malicious activity or policy violations. Any detected activity or violation is typically reported either to an administrator or collected centrally using a security information and event management (SIEM) system. A SIEM system combines outputs from multiple sources, and uses alarm filtering techniques to distinguish malicious activity from false alarms (source: Wikipedia).

Sophos UTM 9 Dashboard

In other words, the IDS inspects the traffic flowing between our home network and the internet and raises an alert when a packet matches a known attack pattern or an anomaly. Strictly speaking, a pure IDS only detects and reports; when the same engine sits inline and drops the offending packets, it acts as an Intrusion Prevention System (IPS). Sophos UTM does both, and in addition filters unwanted web content such as nudity, criminal acts, drugs and so on. It also gives users awareness of what is happening in their home network through a wide range of detailed reports.
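To make the detect-versus-prevent distinction concrete, here is a small Python illustration added for this page; it is not Sophos UTM code and does not model its rule set. It runs two checks over a constructed connection log (a made-up “timestamp src dst dport proto” format): a signature rule for inbound connections to ports a home network should never expose (an assumed list: telnet, SMB, RDP) and a threshold rule that flags an external source hitting five or more distinct ports within sixty seconds. In IDS mode it only returns alerts and leaves every flow untouched; in IPS mode the same alerts are raised but the offending flows are dropped. Repeated scan alerts from one source are collapsed into a single alarm, a minimal form of the alarm filtering a SIEM performs.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample connection log, one flow per line:
# "<epoch-seconds> <src-ip> <dst-ip> <dst-port> <proto>".  192.168.1.0/24 is
# the home LAN; the other addresses are documentation ranges standing in for
# the internet.  The format and the data are made up for this example.
SAMPLE_LOG = """\
1000 203.0.113.7   192.168.1.10   22 tcp
1001 203.0.113.7   192.168.1.10   23 tcp
1002 203.0.113.7   192.168.1.10   80 tcp
1003 203.0.113.7   192.168.1.10  443 tcp
1004 203.0.113.7   192.168.1.10 3389 tcp
1005 203.0.113.7   192.168.1.10 8080 tcp
1010 192.168.1.20  198.51.100.5  443 tcp
1011 192.168.1.20  198.51.100.5  443 tcp
1020 198.51.100.9  192.168.1.10   23 tcp
1500 203.0.113.7   192.168.1.10   25 tcp
"""

LAN_PREFIX = "192.168.1."

# Signature rule: inbound connections to services a home network should never
# expose.  The port list is an assumption made for this example.
SENSITIVE_PORTS = {23: "telnet", 445: "smb", 3389: "rdp"}

# Threshold rule: this many distinct destination ports from one external source
# within WINDOW seconds is treated as a port scan.
SCAN_THRESHOLD = 5
WINDOW = 60


@dataclass(frozen=True)
class Flow:
    ts: int
    src: str
    dst: str
    dport: int
    proto: str


def parse_flows(text):
    """Parse the whitespace-separated log format above into Flow records."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append(Flow(int(ts), src, dst, int(dport), proto))
    return flows


def is_inbound(flow):
    return flow.dst.startswith(LAN_PREFIX) and not flow.src.startswith(LAN_PREFIX)


def detect(flows):
    """Run both rules over the flows in order.

    Returns (alerts, verdicts): alerts is a list of (ts, rule, src) tuples, the
    report an IDS would send to the administrator or SIEM; verdicts is one
    "allow"/"drop" per flow, the decision an inline IPS would enforce.
    """
    alerts, verdicts = [], []
    recent_ports = defaultdict(list)   # src -> [(ts, dport), ...] within WINDOW
    scan_reported = set()              # alarm filtering: one scan alert per source

    for f in flows:
        drop = False
        if is_inbound(f):
            if f.dport in SENSITIVE_PORTS:
                alerts.append((f.ts, "inbound-" + SENSITIVE_PORTS[f.dport], f.src))
                drop = True

            hist = recent_ports[f.src]
            hist.append((f.ts, f.dport))
            hist[:] = [(t, p) for t, p in hist if f.ts - t <= WINDOW]
            if len({p for _, p in hist}) >= SCAN_THRESHOLD:
                if f.src not in scan_reported:
                    alerts.append((f.ts, "port-scan", f.src))
                    scan_reported.add(f.src)
                drop = True
        verdicts.append("drop" if drop else "allow")
    return alerts, verdicts


def run(flows, mode="ids"):
    """mode="ids": detect and report, every flow passes untouched.
    mode="ips": same detection, but flagged flows are removed from the traffic."""
    alerts, verdicts = detect(flows)
    if mode == "ids":
        return alerts, list(flows)
    return alerts, [f for f, v in zip(flows, verdicts) if v == "allow"]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_LOG)
    for mode in ("ids", "ips"):
        alerts, passed = run(flows, mode)
        print(f"{mode}: {len(alerts)} alerts, {len(passed)}/{len(flows)} flows passed")
        for ts, rule, src in alerts:
            print(f"  t={ts} {rule} from {src}")
```

Running the block prints the same four alerts in both modes; the only difference is that in IPS mode the six benign flows are all that remain. Note that the scanning source that comes back at t=1500, outside the window, is allowed through again: a threshold rule has to be paired with the signature rule (or a block list) if you want persistence, which is exactly the kind of tuning an IPS deployment involves.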

How to deploy the IDS in home network?

As mentioned already, an IDS can be either a hardware appliance or a software application. We could buy one of the hardware appliances, which frankly are not designed for home networks, or download the Sophos UTM Home Edition software and install it on a spare PC. The Sophos UTM software can also be installed in a virtual machine.

Example of a home network topology armed with the IDS:

Home Network with IDS System

First of all, the cable modem is used for one purpose only: to deliver the internet connection at maximum performance. All its other functions, such as the firewall and the Wi-Fi access point, are disabled. The reason is simple: don’t trust mass-produced devices with limited features and, very often, outdated firmware. The IDS box is also set as the modem’s DMZ device, so every inbound connection is passed straight to the firewall instead of being handled by the modem. This also means the box’s external interface is the one device exposed to the internet, so keep it patched and never allow its administration interface on that side. Next comes the firewall together with the IDS; the firewall runs on the same IDS hardware. The IDS box is equipped with two network cards: the first (external network) is connected to the cable modem, the second (internal network) connects to the switch. From the switch the traffic is distributed to the local Wi-Fi access point and to the other end-point devices such as desktop computers, smart TVs, game consoles or NAS storage. The important point is that the entire network traffic is protected and monitored by the IDS, and that is the goal: to protect the home network in a similar way to an enterprise network.

Sophos UTM Home Edition is available at no cost for home users. The free license protects up to 50 IP addresses. It features full Network, Web, Mail and Web Application Security together with VPN functionality such as OpenVPN.

The installation software can be downloaded here. It is the fully-equipped software version of the Sophos UTM appliance and can be installed on any PC-class device.

Stay tuned! The next article will show an example of IDS hardware and how to install the Sophos UTM Home firewall.

How To Build an FPV Drone – Beginners Guide

Building a quadcopter is relatively easy nowadays. The components required to build a decent quadcopter equipped with a first person view (FPV) camera are widely available. The average time for a hobbyist to build a “qwad” is less than an hour! So let’s build a multipurpose quadcopter capable of flying freestyle, racing and recording HD video at the same time!

Even though it appears to be difficult, trust me, it isn’t. Once you have built your first qwad, you won’t have any problems building even more advanced configurations. It is very easy to learn how to put all the parts together and get your bird in the air. This post provides basic information on how to get started with the hobby, a short buying guide of “ready to fly” quads and finally some generic information about building a quadcopter equipped with an FPV and HD recording camera.

Let’s roll…

Continue reading…

Provisioning WebLogic Server in less than 1 minute using Docker

We are going to demonstrate how to provision Oracle WebLogic Server in less than 1 minute using Docker running on Ubuntu.

Prerequisites
To follow this tutorial, you will need Ubuntu 64-bit up and running. We will be using Ubuntu version 16.04 in our fancy VirtualBox sandbox machine. This is because Docker requires a 64-bit version of Ubuntu as well as a kernel version equal to or greater than 3.10.

1. Installing Docker on Ubuntu:

#Add the GPG key for the official Docker repository to our system:
sudo apt-key adv --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys 58118E89F3A912897C070ADBF76221572C52609D

#Add the Docker repository to apt sources:
sudo apt-add-repository 'deb https://apt.dockerproject.org/repo ubuntu-xenial main'
sudo apt-get update

#Make sure the candidate version comes from the Docker repo, not the default Ubuntu repo:
sudo apt-cache policy docker-engine

#Install Docker
sudo apt-get install -y docker-engine

Note: apt.dockerproject.org and the docker-engine package are the legacy Docker distribution channel; current installs use the download.docker.com repository and the docker-ce package, with the same sequence of importing the signing key and then adding the repository. Whichever repository you use, compare the key fingerprint against the one published in Docker’s own documentation before trusting it.

Verifying the installation and displaying information about Docker (running docker without sudo requires your user to be in the docker group; keep in mind that membership in that group is effectively root on the host):

$ docker images -a
REPOSITORY TAG IMAGE ID CREATED SIZE
hello-world latest 48b5124b2768 3 months ago 1.84kB

$ docker run hello-world
Hello from Docker!
This message shows that your installation appears to be working correctly.

#Other check commands
$ sudo systemctl status docker
$ docker info

2. Provisioning WebLogic Server Domain

Our Docker is ready to roll, so we navigate to the Docker Hub page of the image we are going to use:

https://hub.docker.com/r/playniuniu/weblogic-domain

or simply go to https://hub.docker.com and search for “weblogic” images. Note that this is a community image, not one published by Oracle; as with any third-party image, review how it was built before running it (Oracle maintains its own WebLogic Dockerfiles at https://github.com/oracle/docker-images). From the image page we copy the following command:

docker run -d -p 8001:8001 --name=wlsadmin playniuniu/weblogic-domain:12.2.1.2 startWebLogic.sh

Run it and after a while (depends on your network speed) a brand new WebLogic Server domain is up and running:

$ docker run -d -p 8001:8001 --name=wlsadmin playniuniu/weblogic-domain:12.2.1.2 startWebLogic.sh
Unable to find image 'playniuniu/weblogic-domain:12.2.1.2' locally
12.2.1.2: Pulling from playniuniu/weblogic-domain
8d30e94188e7: Pull complete
1d43e94144e5: Pull complete
...
Status: Downloaded newer image for playniuniu/weblogic-domain:12.2.1.2

Voila! We can log in to the WLS Administration Console at http://ubuntuhost:8001/console with the image’s default credentials weblogic/welcome1 and check that AdminServer is running. Because those credentials are public, change the weblogic password immediately and do not expose port 8001 beyond your sandbox (for example, publish it as -p 127.0.0.1:8001:8001 instead of -p 8001:8001).

Oracle Compute Cloud Service Overview – Network

Oracle Compute, part of Oracle Cloud Services, is a standards-based infrastructure service. In the Network section we control the ways in which we can connect to our Oracle Cloud Services.

Oracle Compute Cloud Service architectural overview: http://docs.oracle.com/cloud/latest/stcomputecs/STCSG/img/GUID-B50A7782-9F0D-4C75-A4FB-A7A4EB8AF500-default.png

Oracle Compute Cloud Service architectural overview

Access to Oracle Compute instances is possible in several ways.

We can use a web browser to access the web console, we can access the REST API directly, or we can use the command-line interface. Secure access is provided by protocols such as SSH and RDP. We can also set up a VPN tunnel to provide secure access to instances in our Oracle Compute Cloud Service network.

Here is how to access Oracle Compute Cloud dashboard:

Accessing Oracle Compute Cloud with a web browser

Continue reading…

Creating Oracle Database Cloud Service (DBaaS)

Previously we were looking at How to get 30 days Free Oracle Cloud Subscription Plan PaaS IaaS. Now let’s take a look at the Oracle Database Public Cloud Services and one of its offerings: Oracle Database Cloud Service (DBaaS).

We will create a brand new 12c database instance, enable remote access and, using Oracle SQL Developer, connect from our local machine to the newly created database. Finally we will show how to monitor the database instance with OEM Database Express 12c and DBaaS Monitor.

Creating Database as a Service Instance in Oracle Database Cloud.

  1. Login to my services using the URL provided by Oracle in a welcome email:
    • https://myservices.emea.oraclecloud.com
  2. Create DB Cloud Service Instance:

We will create our demo database with backups enabled on both Cloud Storage and Local Storage. This will also allow us to create an Oracle SOA Cloud Service instance on top of it later.

Continue reading…

How to get 30 days Free Oracle Cloud Subscription Plan PaaS IaaS

Oracle now offers the Free Oracle Cloud Promotion plan. With this promotion we start with $300 (€260) of Cloud Service credits in our Oracle Cloud Services account. This balance can be used towards activating and using any of the metered Oracle Cloud Services in the following categories: PaaS, IaaS, Big Data and Middleware Cloud Services, which are available as Pay-as-You-Go subscriptions.

Previously we were playing with free trial subscription of Oracle Database Schema Cloud Service. This tutorial however is different! We are going to try a 30 days free subscription plan, which includes all we need to get started with Oracle Cloud: Compute, Storage, Database, Database Backup, MySQL, Java, SOA, Application Container Cloud and Developer Cloud Services.

Continue reading…

Oracle Database Cloud Service free trial account

Oracle Cloud is offering free 30-day trial subscriptions to Oracle’s Platform (PaaS) and Infrastructure (IaaS) Cloud Services. One of the services is Oracle Database Cloud Service.

There are two ways to discover Oracle Cloud. One is to get a 30-day trial subscription to the Platform & Infrastructure services. The other is to register for the Application (SaaS) and Data (DaaS) quick tours, which offer very nice interactive application demos, videos and e-books.

Oracle Sales Cloud Quick Tour

One of the Platform & Infrastructure services is Oracle Database in the Cloud, providing several deployment choices such as single schemas, dedicated pluggable databases, virtualized databases and more. Our focus for today is to activate a 30-day subscription to Oracle Database Schema Cloud Service and Application Express (APEX). Continue reading…

Data Redaction in Oracle Database 12c flaws or security gaps?

I’ve been working on a proof of concept project for Data Redaction in Oracle Database 12c. Hard to say, but the POC has shown that data redaction has a couple of flaws, or, according to Oracle, “constraints”. Before we can continue with the implementation we have to find solutions to the findings below. Any feedback from readers would be much appreciated.

Test scenario: the database schema is “APEX_ZION”. Its table “DEMO_CUSTOMERS” has a data redaction policy on the CUST_POSTAL_CODE column, masking the data with randomly generated characters. Here is how to enable data redaction. A second schema, “TEST_USER”, has been granted SELECT on DEMO_CUSTOMERS. The goal is to mask the sensitive data for test_user only. So when we log in to the database as “APEX_ZION” and run a query we see the true data:

SQL> SELECT CUST_POSTAL_CODE FROM APEX_ZION.DEMO_CUSTOMERS;

CUST_POSTAL_CODE
----------------
20166     
30320     
02128     
60666     
11371     
63145     
06096     

 7 rows selected

Next we run the same SQL query as “test_user” and we can see masked data only:

SQL> SELECT CUST_POSTAL_CODE FROM APEX_ZION.DEMO_CUSTOMERS;

CUST_POSTAL_CODE
----------------
]2x#( 
_UJX/ 
\Bzy# 
z:*Qr 
L`!<I 
oBE&5 
N"2G] 

 7 rows selected 

So far so good. Here comes the funny part…

Continue reading…

Oracle Data Redaction in Oracle Database 12c

Data Redaction provides a way to define masking policies for an application: it masks (redacts) data returned by user SELECT queries, and the masking takes place in real time. The difference between Oracle Data Masking and Data Redaction is that Data Redaction doesn’t alter the underlying data in the database; it redacts the data only when it is being displayed. Data Redaction can be applied conditionally, based on factors such as the user, application identifiers or client IP addresses. Data Redaction is available in Oracle Database 12c and now also in 11g Release 2, patch set 11.2.0.4. It is licensed as part of Oracle Advanced Security.

EDIT: Be aware of Oracle’s data redaction “constraints”. Read David Litchfield’s white paper “Oracle Data Redaction is Broken” here (PDF). I checked all three described methods in my labs in September 2016 and the “RETURNING INTO” and “XMLQUERY()” methods appear to be fixed. However one gap still persists in Database 12c version 12.1.0.2: “an iterative inference attack”. It can still be executed, disclosing redacted data even to a regular test_user schema!

Below is the TEST 3 result, based on David’s white paper example:

select cc from APEX_ZION.REDACTIONTEST;
CC 
-------
XXXXXXXXXXXXXXXX

--an iterative inference attack
exec p_undoredaction;
PL/SQL procedure successfully completed.
CC: 4111222233334444

Data redaction does not interfere with application logic: inserts, updates and deletes operate on the original data and stay perfectly consistent with it. If the application user creates a view on a redacted table, the view will also return the redacted data.
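The reason an iterative inference attack works becomes visible in a few lines once the behaviour is modelled. The following Python is an illustration added for this page, not Oracle code, and it touches no database: it assumes, as a model, that the redaction policy rewrites the values in the SELECT list while a WHERE predicate is still evaluated against the stored cleartext (the same property that keeps inserts, updates and deletes consistent with the original data). Under that assumption a user who only ever sees XXXXXXXXXXXXXXXX can recover the number one character at a time by asking yes/no questions with a prefix predicate. The table, its id column and the second row are constructed sample data; the first card number is the test value shown in the TEST 3 output above.

```python
REDACTION_CHAR = "X"


class RedactedTable:
    """Toy table with one redacted column (a model, not an Oracle object).

    Rows are dicts.  For an unprivileged caller the value of `redacted` is
    replaced by REDACTION_CHAR for every character in the SELECT list, but the
    WHERE predicate still runs against the stored cleartext row.
    """

    def __init__(self, rows, redacted):
        self._rows = rows
        self._redacted = redacted

    def select(self, column, where=None, privileged=False):
        """SELECT column FROM t [WHERE where(row)]; returns a list of values."""
        result = []
        for row in self._rows:
            if where is not None and not where(row):   # predicate sees cleartext
                continue
            value = row[column]
            if column == self._redacted and not privileged:
                value = REDACTION_CHAR * len(value)      # redaction applies to the display only
            result.append(value)
        return result


# Constructed sample data: the first card number is the test value shown on the
# page, the second row is made up for the example.
ROWS = [
    {"id": 1, "cc": "4111222233334444"},
    {"id": 2, "cc": "5500000000000004"},
]

DIGITS = "0123456789"


def infer_redacted(table, column, key_col, key, alphabet=DIGITS, max_len=32):
    """Recover row[column] for the row where key_col == key using only
    predicate queries; the redacted column is never in the SELECT list.

    Returns (recovered_value, number_of_queries_issued).
    """
    known = ""
    queries = 0
    while len(known) < max_len:
        for ch in alphabet:
            candidate = known + ch
            queries += 1
            # Equivalent of: SELECT id FROM t WHERE id = :key AND cc LIKE :candidate || '%'
            hit = table.select(
                key_col,
                where=lambda r, c=candidate: r[key_col] == key and r[column].startswith(c),
            )
            if hit:
                known = candidate
                break
        else:
            break   # no single-character extension matches: the value is complete
    return known, queries


if __name__ == "__main__":
    t = RedactedTable(ROWS, redacted="cc")
    print("what test_user sees: ", t.select("cc"))
    print("what APEX_ZION sees: ", t.select("cc", privileged=True))
    value, n = infer_redacted(t, "cc", "id", 1)
    print(f"inferred via {n} predicate queries: {value}")
```

For a 16-digit value over an alphabet of ten digits the recovery costs at most 170 predicate queries (in this instance 69), and the cost grows linearly with the length of the value, which is why the attack is practical rather than theoretical. The design consequence is that redaction controls what is displayed; it is not a substitute for restricting SELECT on the sensitive column to the users who actually need it.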

Continue reading…

Configure SSL in WebLogic Server Domain

A quick guide on how to implement SSL in a WebLogic Server domain using Custom Identity and Custom Trust with a self-signed certificate. A self-signed certificate is fine for a lab or development domain; for anything clients outside your control connect to, use a certificate issued by a CA they trust.

First, let’s create custom directory to store self-signed certificate, custom keystore and custom trust store files:

mkdir -p /u01/app/oracle/config/domains/wls12c_domain/security/SSL

Modify the input variables according to your requirements and run the script below on the WebLogic Server host. The script automates the entire procedure and does the following:

  • create keystore
  • create self-signed certificate
  • export the server certificate
  • create Trust Store

Continue reading…
