Wednesday, August 25, 2010

When will a solid state drive die?


Solid State Disk (SSD) drives are all the rage for dramatically increasing read performance by eliminating seek time and by enabling much higher throughput.  For example, an SSD drive can read at a throughput of over 200MB/sec compared to just 10MB for a regular disk drive.  One question that I don't hear many people talking about, though, is how do you tell when the SSD drive is nearing the end of its life span?

The standard method that most IT professionals use to determine the state of a disk drive is to run a tool that reads the S.M.A.R.T. data from the disk drive.  In the case of an SSD drive, the key metric to watch is the "Reallocated Bad Sectors".  For example, I use the S.M.A.R.T. utility for Mac/OSX systems.  After roughly a month of normal use, my OWC Mercury SSD drive reported that over 5,500 sectors (a.k.a. bad blocks or BB) had been relocated to the bad block relocation table, a.k.a. the over-provisioned portion of reserved capacity of an SSD drive.  For a normal disk this would indicate that the drive is nearly dead.  In fact, my S.M.A.R.T. utility said that the drive was in a state of "FAILING".  But this is not necessarily the case for an SSD drive.

See update below for updated life span estimate.

In theory, the way that you tell if an SSD is near the end of its life span is if it has exhausted its BB reserve.  The logical next question is, how many sectors are in the reserved BB capacity of a given SSD drive?  In my case, my 240GB SSD drive has 16GB (i.e. (2^34)/(2^9) = 33,554,432 sectors).  This means that at the current rate of BB sector consumption of 5,500/month it will theoretically take over 500 years before the SSD drive reaches the end of its life span.  Somehow I don't think that the drive will last quite that long. ;-)

Hopefully, as SSD drives become more prevalent in the marketplace, S.M.A.R.T. data and corresponding utilities will be extended to show data that will assist in estimating the life span of an SSD drive.  For example, the following metrics would be very useful:
  • that the drive is an SSD rather than a normal disk,
  • the reserve capacity sector count,
  • the current BB sectors consumed, 
  • the rate of consumption, 
  • and most importantly of all an accurate diagnosis.

If you want to avoid BB sector math, the simplest way to tell when your SSD drive is reaching the end of its life span is when it starts slowing down dramatically.  This usually means that the BB reserve capacity is exhausted.

That is it for this blog post.

Have a great Day!

Brad

Important Update (11/1/2010)!!!
While doing some SSD life span analysis related to the rumored Third Generation Intel SSD devices, I learned that SSD life span is governed primarily by the volume of data randomly written to a device over time.  For example, the Intel SSD X25-M G3 life span is estimated to support between 30TB and 60TB of 4K random writes.

Further, some SSD controllers, such as the SandForce 1500 controller used in my OWC SSD, use SMART field 231 (see also CrystalInfo Health Status information) to report the estimated life left in the drive and use SMART attribute 241 to reveal the total number of Logical Block Addresses (LBAs) written to the device since the last boot.

Given this new information, let's revisit how long my SSD drive has to live.

Here is a recent SMART report for my drive.

Notice that the Reallocated Sector Count (Bad block relocation) value of 5504 is the same as it was when I first tested the drive.  However, SMART attribute 231 says that my OWC SSD drive has a value of 77.  I suspect that this is not the percentage of life left because it has been the same number for several months.  Further, SMART attribute 241 says that the drive has had 1791 LBAs written.

Unfortunately, until the solid state vendors unify on a common set of SMART disk properties, it is going to be hard to tell exactly how much life is left in a solid state disk drive.

Have a great day!

Brad

Monday, August 16, 2010

HowTo: Setup Oracle Enterprise Linux VirtualBox Server

In order to continue my ramp up into all things Oracle, one of the first orders of business is to set up an Oracle Enterprise Linux server for hosting VirtualBox virtual machines.  This blog post is intended to help me capture the basic steps that I used to build an OEL VB demonstration server.

1. Download Oracle Enterprise Linux (OEL) ISO image from E-Delivery and burn it to a DVD.
2. Install OEL v5 and configure for my network.
3. Enable yum use of the public Oracle repository by adding the following to /etc/yum.conf
[el5_u5_base]
name=Enterprise Linux $releasever U5 - $basearch - base
baseurl=http://public-yum.oracle.com/repo/EnterpriseLinux/EL5/5/base/$basearch/
gpgcheck=1
enabled=1

[el5_addons]
name=Enterprise Linux $releasever - $basearch - addons
baseurl=http://public-yum.oracle.com/repo/EnterpriseLinux/EL5/addons/$basearch/
gpgcheck=1
enabled=1

[el5_oracle_addons]
name=Enterprise Linux $releasever - $basearch - oracle addons
baseurl=http://public-yum.oracle.com/repo/EnterpriseLinux/EL5/oracle_addons/$basearch/
gpgcheck=1
enabled=1
4. Install OEL PGP Key with the following.
     rpm --import http://public-yum.oracle.com/RPM-GPG-KEY-oracle-el5
5. Install requisite package for VirtualBox with the following.
     yum install SDL.i386 kernel-headers.i386 kernel-PAE-devel.i686 gcc.i386
6. Download VirtualBox install image for OEL5 from VirtualBox.org.
7. Install the downloaded VirtualBox image with the following.
     rpm -i VirtualBox*.rpm
8. Set up the vb kernel driver by running the following.
     /etc/init.d/vboxdrv setup
9. [Optional] Remove gcc and requisite packages with the following.
     yum remove glibc-devel.i386 glibc-headers.i386 libgomp.i386 gcc.i386
10. [Optional] Disable SELinux by setting SELINUX=disabled in /etc/selinux/config.
11. [Optional] Disable the following unnecessary services.
     chkconfig --level 0123456 bluetooth off
     chkconfig --level 0123456 cups off
     chkconfig --level 0123456 gpm off
     chkconfig --level 0123456 hidd off
     chkconfig --level 0123456 hplip off
     chkconfig --level 0123456 isdn off
     chkconfig --level 0123456 nfslock off
     chkconfig --level 0123456 nfstat off
     chkconfig --level 0123456 pcscd off
     chkconfig --level 0123456 portmap off
     chkconfig --level 0123456 rcpgssd off
     chkconfig --level 0123456 restorecond off
     chkconfig --level 0123456 rhnsd off
     chkconfig --level 0123456 rpcgssd off
     chkconfig --level 0123456 rpcidmapd off
     chkconfig --level 0123456 sendmail off
     chkconfig --level 0123456 xfs off
12. Reboot with "init 6"

At this point the server is ready to be used as a VirtualBox server.  You can use the graphical display (e.g. VirtualBox) or the command line interface to add and manage your VirtualBox virtual machines.

Enjoy!

Brad
PS: As always, the sample scripts provided are for reference and are not supported in any way.

Thursday, August 12, 2010

SQL Injection Defense Strategies

I had the great pleasure to participate in one of the first classes on the Oracle Database Firewall.  Oracle Database Firewall is a new product that came to Oracle through their acquisition of Secerno.  Oracle Database Firewall is a high capacity and highly accurate firewall software appliance for databases.

Firewall Protection
Oracle Database Firewall's primary role is to apply a level of protection and control to databases that may not be possible with the native features of the databases being protected.  Examples of protection include the following:

  • Prevent SQL Injection attacks that come through vulnerable web or application servers.  
  • Enable account lockout after some number of successive failed login attempts.
  • Enable role based access control.
  • Discover a user's entitlements.
  • Protect against unauthorized use by privileged and non-privileged users, both over the network and locally.
  • Alert on suspicious or abnormal SQL activity.

Intrusion Detection
Some customers may choose to use Oracle Database Firewall as an intrusion detection device.  In this mode of operation, Oracle Database Firewall captures and analyzes all SQL traffic to a database by obtaining a copy of the raw network data from a network spanning port (a.k.a. network tap).  In intrusion detection mode, Oracle Database Firewall detects and alerts on undesirable SQL activity.

Performance Acceleration
Another benefit of Oracle Database Firewall is that it summarizes the types of SQL operations that are applied to your databases.  From this summarization, you can identify poorly constructed SQL statements that could be optimized for much better application performance.  On the protect and defend side, you could also identify valid but inappropriate SQL load as well.  In this latter case, you could use the alert function to inform the application owner to please stop abusing the database.  Or, if necessary, you could just block those abusive queries from getting to the database altogether.

SQL Injection Protection
I mentioned SQL Injection earlier but I wanted to come back to it because it is a very real and pervasive threat to every company or organization with an internal or external web site.  For the layman, SQL injection is an indirect way of saying a very poorly designed web or desktop application.  SQL injection results from applications not sanitizing EVERY form field or input variable that is used as part of an SQL query against a database.

A common use case of SQL injection relative to web applications is the web site's login page.  When you enter your login user id and password, those two fields are used to construct an SQL statement that is submitted to a database to verify that you are a valid user.  If these fields are not properly sanitized, they can through SQL injection be used to incrementally reveal database information.  Given enough time and persistence, a diligent hacker can through vulnerable applications get just about any information out of the database that they want.  Vulnerable information could include user ids, passwords, home addresses, credit card numbers, social security numbers, account numbers, ... and the list goes on.
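The login-page case described above, as an added example that is not code from the original post: the same check built once by string concatenation and once with bound parameters. The table layout, account and inputs are constructed for illustration, and SQLite stands in for whatever database sits behind the application.

```python
import sqlite3

# Constructed sample inputs for the password / user id form fields.
TAUTOLOGY = "' OR '1'='1"      # changes the meaning of a concatenated query
QUOTED_NAME = "O'Brien"        # harmless input that still breaks concatenation

def make_db():
    """In-memory database holding one constructed account."""
    db = sqlite3.connect(":memory:")
    # Plaintext password only to keep the example short; store a salted hash.
    db.execute("CREATE TABLE users (user_id TEXT PRIMARY KEY, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    return db

def login_concatenated(db, user_id, password):
    """Vulnerable: the form fields become part of the SQL text itself."""
    sql = ("SELECT COUNT(*) FROM users WHERE user_id = '" + user_id +
           "' AND password = '" + password + "'")
    return db.execute(sql).fetchone()[0] > 0

def login_parameterized(db, user_id, password):
    """Hardened: the statement text is fixed; fields are bound as values."""
    sql = "SELECT COUNT(*) FROM users WHERE user_id = ? AND password = ?"
    return db.execute(sql, (user_id, password)).fetchone()[0] > 0

def attempt(login, db, user_id, password):
    """Run one login check and report the outcome as a string."""
    try:
        return "granted" if login(db, user_id, password) else "denied"
    except sqlite3.OperationalError:
        return "sql error"     # the input broke the statement's syntax

if __name__ == "__main__":
    db = make_db()
    for login in (login_concatenated, login_parameterized):
        for user_id, password in (("alice", "correct-horse"),
                                  ("alice", TAUTOLOGY),
                                  (QUOTED_NAME, "x")):
            print(login.__name__, repr(user_id), repr(password),
                  "->", attempt(login, db, user_id, password))
```

With bound parameters the quote characters are compared as data, so neither the tautology nor the apostrophe in a legitimate name can alter the statement.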

Oracle Database Firewall protects databases from SQL injection attacks by accurately identifying and allowing through valid SQL and rejecting (or, if preferred, just alerting on) the rest.
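A much-simplified sketch of the allow-valid, reject-the-rest idea, added here as an illustration and not Oracle Database Firewall's actual analysis: statements seen in known-good traffic are reduced to a "shape" with literals removed, and anything whose shape was never seen is blocked or alerted on. The names `shape` and `ShapeAllowlist`, the regular expressions and the sample statements are all assumptions made for the example.

```python
import re

# A SQL string literal; '' inside it is an escaped quote.
_STRING = re.compile(r"'(?:[^']|'')*'")
# A standalone numeric literal (not digits inside an identifier).
_NUMBER = re.compile(r"\b\d+(?:\.\d+)?\b")

def shape(sql):
    """Reduce a statement to its structure: literals become '?',
    case and whitespace are normalized. Not a real SQL parser."""
    s = _STRING.sub("?", sql)
    s = _NUMBER.sub("?", s)
    return " ".join(s.lower().split())

class ShapeAllowlist:
    """Allow only statements whose shape appeared in known-good traffic."""

    def __init__(self, known_good):
        self.allowed = {shape(q) for q in known_good}

    def check(self, sql, block=True):
        if shape(sql) in self.allowed:
            return "allow"
        # Blocking mode rejects; monitoring mode lets it pass but alerts.
        return "block" if block else "alert"

# Constructed training traffic: what the login page normally sends.
KNOWN_GOOD = [
    "SELECT COUNT(*) FROM users WHERE user_id = 'alice' AND password = 'pw1'",
]

# Constructed test traffic.
NORMAL = "select count(*)  from users where user_id = 'bob' and password = 'x9'"
INJECTED = ("SELECT COUNT(*) FROM users WHERE user_id = 'alice' "
            "AND password = '' OR '1'='1'")

if __name__ == "__main__":
    fw = ShapeAllowlist(KNOWN_GOOD)
    for stmt in (NORMAL, INJECTED):
        print(fw.check(stmt), "|", shape(stmt))
```

The injected statement is rejected not because of any particular string in it but because the extra `or ?=?` clause gives it a shape the application never produces.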

Internal Breach Protection
Notice in the previous section that I said internal web sites and applications.  One observation that I have made from working with many customers over the last 15+ years is that internal web sites aren't necessarily held to the same high standard of security as external web sites.  Consequently, for most companies, internal sites can be more vulnerable than their Internet-facing web sites.  Recent publications such as Verizon's 2010 Data Breach Report confirm that nearly half of data breaches still come from internal sources.  You can also see from the Softpedia SQL Injection news page that SQL injection based data breaches are not isolated to small firms.  The likes of NASA, Symantec, Intel, The Wall Street Journal, and even the United States military are among the list of impacted organizations found on Softpedia's page.

Database Security Arsenal
There is a saying that there are no silver bullets in the security business.  That simply means that there isn't a single solution that solves all security challenges.  However, Oracle Database Firewall represents an enormous leap forward in the defense of database security.  Oracle's Database Security portfolio also includes network encryption and on disk encryption (Advanced Security Option), separation of duty (Database Vault), centralized auditing (Audit Vault), Data Masking and more.


If you have applications that talk to a database over a network, consider adding Oracle Database Firewall to your defense strategy.

Click here to learn more about Oracle Database Firewall or here to learn more about the entire Oracle Database Security portfolio.

Have a great day!


Brad

PS: As a disclaimer, I am an employee of Oracle. However, I would have written this blog post even if I wasn't an Oracle employee because security is everyone's problem.

Thursday, August 5, 2010

Download ODSEE at Oracle E-Delivery

Oracle Directory Server Enterprise Edition (ODSEE) 11gR1 is now available on the Oracle Technology Network.  ODSEE 11gR1 will make its way to E-Delivery in the next week or so.  Previous versions of DSEE are currently available on Oracle's E-Delivery download site.  The path to the bits through E-Delivery may not be obvious to everyone.  In order to streamline the process, I wrote up the following on how to download the installation bits.

How to Download ODSEE 11gR1
The bits via E-Delivery should be available in a week or so.  In the interim, you can download them from the Oracle Technology Network.  But when they become available on E-Delivery, the following steps are what you will follow to download via E-Delivery.
1. Go to edelivery.oracle.com.
2. Select language and click "Continue".
3. Fill out the form and click "Continue".
4. Select "Oracle Fusion Middleware" Product Pack, select Platform and click on "Go".
5. Select respective "Oracle Fusion Middleware ... Media Pack", scroll to the bottom of the page and click "Continue".
6. Find Directory Server Enterprise Edition and click on the corresponding "Download" button.

How to Download DSEE 7.0 or 6.3
1. Go to edelivery.oracle.com.
2. Select language and click "Continue".
3. Fill out the form and click "Continue".
4. Select "Sun Products" Product Pack, select Platform and click on "Go".
5. Select respective "Sun Products Media Pack for ...", scroll to the bottom of the page and click "Continue".
6. Find desired Directory Server Enterprise Edition version and click on the corresponding "Download" button.

How to Download DSEE 5.2
Call Oracle Support at 1-800-633-0738 and open a support request.  Once the support request has been created, request a copy of the DSEE 5.2 installation bits for the desired platform.  Support will make the bits temporarily available for you to download.

Have a great day!

Brad