Sunday, November 11, 2007

11g New Features - Security

Kerberos Cross Realm Support: This feature updates the Oracle Kerberos implementation to support cross-realm authentication. A Kerberos principal in one realm can now authenticate to a database whose service principal is registered in another realm. The benefit is that Kerberos becomes a more viable alternative for customers who want strong authentication without the overhead of managing certificates and a public key infrastructure (PKI).

SYSDBA Strong Authentication: All connections to the database can now use strong authentication, including those made AS SYSDBA and AS SYSOPER. Oracle has supported strong authentication through PKI, Kerberos and RADIUS since Oracle8i for every connection except those made as SYSDBA or SYSOPER, which were limited to the password file or OS authentication. This feature closes that gap by extending strong authentication to SYSDBA and SYSOPER connections.

Tablespace Encryption: Tablespace encryption is an enhancement to the Oracle Advanced Security Transparent Data Encryption (TDE) solution. Using tablespace encryption, customers can encrypt an entire tablespace, so that every object stored in it is encrypted on disk without having to pick columns one by one. When the database accesses the tablespace, the relevant data blocks are transparently decrypted for the application. As with column-level TDE, the master key lives in the wallet: the wallet must be open for the data to be readable, and losing the wallet means losing the data, so back it up separately from the datafiles.

Secure by Default - Audit by Default: This feature automatically configures the database for auditing and turns on auditing for specific events such as database connections. Oracle has turned on some auditing settings by default to help customers better track connections to the database.

Built-in Password Complexity Checker: This feature builds into the database the password complexity routine documented in the Oracle Database Security Guide. It can be turned on easily to guarantee that complex passwords are used whenever a password is set or reset. It is enforced through the PASSWORD_VERIFY_FUNCTION limit of a profile, so it only applies to users whose profile carries that limit.

Fine-Grained Access Control on Network Call-outs from the Database: The packages UTL_TCP, UTL_INADDR, UTL_HTTP, UTL_SMTP and UTL_MAIL allow Oracle users to make network call-outs from the database using raw TCP or higher-level protocols built on it. Until now the only granularity was the EXECUTE privilege on each package, so there was no way to restrict a user to a list of specified hosts. The new package DBMS_NETWORK_ACL_ADMIN provides fine-grained control using access control lists (ACLs) stored in XML DB. This lets the DBA carefully control which hosts, and which ports on them, Oracle users can reach through the supplied PL/SQL packages.

Cheers
Vigneswaran
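The tablespace encryption feature described above, as an added example that is not part of the original post. It assumes that the wallet location is already configured in sqlnet.ora; the wallet password, the tablespace name SECURE_TS, the schema SECURE_OWNER and the datafile path are hypothetical.

```sql
-- Added example (not from the original post): create an 11g encrypted tablespace.
-- Assumptions: ENCRYPTION_WALLET_LOCATION is set in sqlnet.ora; the wallet password,
-- the tablespace SECURE_TS, the schema SECURE_OWNER and the datafile path are
-- hypothetical. Run as a user with ALTER SYSTEM and CREATE TABLESPACE.

-- 1. Create the master encryption key (first time only). This also creates and opens
--    the wallet. The wallet must be open before an encrypted tablespace can be
--    created or read.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "W4llet-P@ss-2007";

-- After each instance restart (unless an auto-login wallet is used) reopen it:
-- ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "W4llet-P@ss-2007";

-- Check the wallet state before going further; STATUS must be OPEN.
SELECT wrl_type, wrl_parameter, status FROM v$encryption_wallet;

-- 2. Create the tablespace. ENCRYPTION USING picks the algorithm (AES128 is the
--    default; AES192, AES256 and 3DES168 are also accepted). DEFAULT STORAGE (ENCRYPT)
--    makes every segment placed in the tablespace encrypted.
CREATE TABLESPACE secure_ts
  DATAFILE '/u01/oradata/orcl/secure01.dbf' SIZE 100M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- 3. Verify: ENCRYPTED = YES in DBA_TABLESPACES, and the algorithm in
--    V$ENCRYPTED_TABLESPACES.
SELECT tablespace_name, encrypted
  FROM dba_tablespaces
 WHERE tablespace_name = 'SECURE_TS';

SELECT v.name, e.encryptionalg, e.encryptedts
  FROM v$encrypted_tablespaces e
  JOIN v$tablespace v ON v.ts# = e.ts#;

-- 4. Applications need no change: objects created here are decrypted transparently
--    for any session once the wallet is open.
CREATE TABLE secure_owner.card_data (
  id   NUMBER,
  pan  VARCHAR2(19)
) TABLESPACE secure_ts;
```

If the wallet is closed, access to the table fails rather than returning ciphertext, so wallet handling belongs in the startup procedure and the wallet files in a backup stream that is separate from the datafiles.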
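Turning on the built-in password complexity checker, as an added example that is not part of the original post. The profile APP_PROFILE and the user APP_USER are hypothetical; the script path and the function name are the ones shipped with 11g.

```sql
-- Added example (not from the original post): enable the 11g password verify function.
-- Assumptions: profile APP_PROFILE and user APP_USER are hypothetical. Run as SYS.

-- 1. Load the supplied function. utlpwdmg.sql creates SYS.VERIFY_FUNCTION_11G and
--    also alters the DEFAULT profile (password lifetime, failed-login lockout and
--    PASSWORD_VERIFY_FUNCTION), so read it before running it on a production system.
@?/rdbms/admin/utlpwdmg.sql

-- 2. Bind the function to a profile of your own rather than relying on DEFAULT
--    alone, and pair it with lockout and reuse limits: the complexity check by
--    itself does nothing against online guessing.
CREATE PROFILE app_profile LIMIT
  PASSWORD_VERIFY_FUNCTION verify_function_11g
  FAILED_LOGIN_ATTEMPTS    10
  PASSWORD_LOCK_TIME       1        -- days
  PASSWORD_LIFE_TIME       180
  PASSWORD_GRACE_TIME      7
  PASSWORD_REUSE_MAX       5        -- both REUSE limits must be set for either to apply
  PASSWORD_REUSE_TIME      365;

ALTER USER app_user PROFILE app_profile;

-- 3. The function runs on every password set or reset for users of that profile.
--    Rules: at least 8 characters, at least one letter and one digit, not the user
--    name (forwards or reversed), not the server name, not on the built-in list of
--    trivial passwords, and at least 3 characters different from the old password.
ALTER USER app_user IDENTIFIED BY welcome1;       -- rejected with ORA-28003
ALTER USER app_user IDENTIFIED BY "Tq7#mRz9xL";   -- accepted

-- 4. Audit which profiles enforce a verify function; anything still at NULL is a gap.
SELECT profile, limit
  FROM dba_profiles
 WHERE resource_name = 'PASSWORD_VERIFY_FUNCTION';
```

ORA-28003 ("password verification for the specified password failed") is the visible sign that the function is in force; if a weak password is accepted, the user's profile is the first thing to check.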
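The network ACL feature described above, as an added example that is not part of the original post. The user APP_USER, the ACL file name app_mail_acl.xml and the host smtp.example.com are hypothetical.

```sql
-- Added example (not from the original post): restrict network call-outs with
-- DBMS_NETWORK_ACL_ADMIN. Assumptions: user APP_USER, ACL file app_mail_acl.xml and
-- host smtp.example.com are hypothetical. Run as SYS or a user with EXECUTE on
-- DBMS_NETWORK_ACL_ADMIN. Principals are matched case-sensitively, so use upper case.
BEGIN
  -- 1. Create the ACL (stored in XML DB under /sys/acls) with a first privilege.
  --    'connect' governs UTL_TCP, UTL_HTTP, UTL_SMTP and UTL_MAIL; 'resolve' governs
  --    UTL_INADDR name lookups.
  DBMS_NETWORK_ACL_ADMIN.CREATE_ACL(
    acl         => 'app_mail_acl.xml',
    description => 'Let APP_USER reach the corporate SMTP relay only',
    principal   => 'APP_USER',
    is_grant    => TRUE,
    privilege   => 'connect');

  DBMS_NETWORK_ACL_ADMIN.ADD_PRIVILEGE(
    acl       => 'app_mail_acl.xml',
    principal => 'APP_USER',
    is_grant  => TRUE,
    privilege => 'resolve');

  -- 2. Bind the ACL to one host and one port range. Leaving the ports NULL would
  --    allow every port on that host; a host of '*' would allow every host.
  DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL(
    acl        => 'app_mail_acl.xml',
    host       => 'smtp.example.com',
    lower_port => 25,
    upper_port => 25);

  -- ACL changes are transactional; nothing takes effect until committed.
  COMMIT;
END;
/

-- 3. Review what is in force.
SELECT host, lower_port, upper_port, acl FROM dba_network_acls;
SELECT acl, principal, privilege, is_grant FROM dba_network_acl_privileges;

-- 1 = granted, 0 = denied, NULL = no entry for that principal in the ACL.
SELECT DBMS_NETWORK_ACL_ADMIN.CHECK_PRIVILEGE('app_mail_acl.xml', 'APP_USER', 'connect')
  FROM dual;

-- 4. Behaviour as APP_USER (who must still hold EXECUTE on the package):
--    UTL_SMTP.OPEN_CONNECTION('smtp.example.com', 25)  works
--    UTL_HTTP.REQUEST('http://intranet.example.com/')   fails with ORA-24247
--    (network access denied by access control list (ACL))
```

Two caveats worth remembering. The ACL is an extra check on top of EXECUTE on the package, not a replacement for revoking it from PUBLIC. And host matching is literal: an ACL on smtp.example.com does not cover a connection made to its IP address, so assign the ACL to whichever form the application actually passes to the call.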
