Dear Readers,
My name is Franz Devantier, creator of this blog. I am an Oracle Certified Professional (OCP DBA 11g) Security DBA.
I will be sharing with you the basic duties of an Oracle DBA, and also some of the undocumented and not-so-well-known tasks.
Security, Checklists, Recommendations - Part 5
Networking Security Checklists
You can improve your security by going through checklists for your client, listener, and network. Using SSL is essential for enhanced security.
SSL Checklist
SSL stands for Secure Sockets Layer. It is a protocol that creates a secure connection between a client and the server to which the information is sent. SSL works with a cryptographic system that uses two keys to encrypt the data: a private or secret key, known only to the recipient of the message, and a public key, known to everyone.
Generally, if a URL begins with “https”, it requires an SSL connection. A valid SSL certificate gives you assurance that the information you share with that site will be sent in encrypted form. The certificate contains the domain name, the domain owner and physical location, and the validity dates of the certificate.
Good security practice maximizes protection and minimizes the disclosures or holes that can threaten security. Keep the following points in mind in order to make the most of SSL:
1. Ensure that the configuration files for clients and listeners use the correct port for SSL. You can run HTTPS on any port, but the standard is port 443. An HTTPS-compliant browser will use this port by default unless another port is specified in the URL, for example https://secure.test_server.co.za:4446/. If a firewall is in use, it must also be configured for the same SSL ports.
2. “tcps” must be specified as the protocol in the ADDRESS parameter in the tnsnames.ora file. An identical specification must also appear in the listener.ora file.
3. The SSL mode must be consistent on both ends of the communication. The modes are one-way, in which either the client or the server must be authenticated; two-way, in which both sides must be authenticated; and “no authentication”.
4. The server must support the client cipher suites and the certificate key algorithm in use.
5. Don’t remove the encryption from the RSA private key inside your server.key file. A pass phrase is then required to read and parse this file.
Client Checklist
It is difficult to authenticate client computers over the internet, so user authentication is used instead. This guards against spoofed IP addresses, hacked operating systems, suspect applications, and stolen system identities.
You can improve the security of client connections in the following ways:
· Use SSL communication. This makes eavesdropping more difficult and enables the use of certificates for authentication.
· Set up certificate authentication for clients and servers.
Listener Checklist
You can limit the potential for malicious interference by securing the listener.
· Restrict the privileges of the listener so that it cannot read or write files. This prevents external procedures spawned by the listener from reading and writing files.
· Secure the listener:
  o Protect the listener with a password.
  o Prevent online administration.
  o Use SSL when administering the listener.
  o Remove the external procedure configuration from the listener.ora file unless you need to use it.
· Monitor the listener activity.
Network Checklist
The following practices can improve network security:
1. Restrict physical access to the network. Make it difficult to attach devices to the network, to interfere with it, or to open communications with it.
2. Network access points must be protected from unauthorized access. Bridges and routers should be protected, as well as network-related software on computers.
3. Encrypt data to make its transfer over the internet secure.
4. Use firewalls. This can prevent outsider access to your organization’s intranet.
  · Keep the database server behind a firewall.
  · The firewall should be placed outside of the networks that it is protecting.
  · Configure the firewall to accept only those protocols, applications, or client-server connections that are considered safe.
  · Oracle Connection Manager can be used to multiplex multiple client network sessions through a single network connection to the database. Connection Manager can filter on source, destination, and host name, so you can accept connections only from physically secure terminals or from application web servers with known IP addresses.
5. Don’t poke holes in the firewall. Do not leave the default Oracle listener port 1521 open. Hackers could exploit this, and the exposure is aggravated if the listener is not password protected.
6. Prevent unauthorized administration of the Oracle listener. Protect the listener with a secure password.
7. Monitor network IP addresses using Oracle Net, to allow or deny access to Oracle server processes from network clients with specified IP addresses. Set parameters in the protocol.ora file (migrated to the sqlnet.ora file in later releases) to specify the IP addresses that are allowed to access the Oracle listener. This can prevent Denial of Service attacks.
8. Encrypt network traffic. You can use Oracle Advanced Security to encrypt network traffic between clients, databases, and application servers.
9. Harden the host on which Oracle resides. This can be achieved by disabling all unnecessary operating system services, such as FTP, TFTP, TELNET, etc. After disabling a service, close both the associated UDP and TCP ports.
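To make the SSL, listener and network items above checkable rather than just readable, here is an added example that is not from the original post: a small Python audit that parses listener.ora and sqlnet.ora in Oracle Net's nested syntax and reports which checklist items a pair of files fails (cleartext TCP on 1521 instead of TCPS, extproc left configured, online administration allowed, no valid node checking). It assumes the real Oracle Net parameters ADMIN_RESTRICTIONS_LISTENER, TCP.VALIDNODE_CHECKING and TCP.INVITED_NODES, which the post does not name, and port 2484 as the registered Oracle TCPS port; the host names and addresses in the samples are constructed.

```python
import re

def parse(text):  # Oracle Net syntax, NAME = (KEY = value)(KEY = value), to nested dicts
    toks, pos, out = re.findall(r"\(|\)|=|[^\s()=,]+", re.sub(r"#.*", "", text)), 0, {}
    def value():
        nonlocal pos
        if toks[pos] != "(":                          # scalar such as ON or 2484
            pos += 1
            return toks[pos - 1]
        if toks[pos + 2] != "=":                      # (a, b): a plain list, no pairs
            items, pos = toks[pos + 1:toks.index(")", pos)], toks.index(")", pos) + 1
            return items
        node = {}                                     # keys map to lists: ADDRESS repeats
        while pos < len(toks) and toks[pos] == "(":
            key, pos = toks[pos + 1].upper(), pos + 3  # skip "(", the key and "="
            node.setdefault(key, []).append(value())
            pos += 1                                  # skip the child's closing ")"
        return node
    while pos < len(toks):
        key, pos = toks[pos].upper(), pos + 2         # top-level NAME = ...
        out.setdefault(key, []).append(value())
    return out

def find(node, key):  # every value stored under `key`, at any depth of a parsed tree
    for k, vals in (node.items() if isinstance(node, dict) else ()):
        for v in vals:
            yield from ([v] if k == key else []) + list(find(v, key))

def audit(listener_ora, sqlnet_ora, name="LISTENER"):  # checklist items the pair fails
    lsn, net, bad = parse(listener_ora), parse(sqlnet_ora), []
    first = lambda cfg, key, default="": cfg.get(key, [default])[0].upper()
    for a in find(lsn, "ADDRESS"):
        if first(a, "PROTOCOL") == "TCP" and first(a, "PORT") == "1521":
            bad.append("cleartext TCP endpoint on the default port 1521; use TCPS")
    if "EXTPROC" in (p.upper() for p in find(lsn, "PROGRAM")):
        bad.append("external procedure (extproc) entry still present in listener.ora")
    if first(lsn, f"ADMIN_RESTRICTIONS_{name}", "OFF") != "ON":
        bad.append("online listener administration allowed (ADMIN_RESTRICTIONS off)")
    if first(net, "TCP.VALIDNODE_CHECKING", "NO") != "YES":
        bad.append("no valid node checking; any client address may reach the listener")
    return bad

# Constructed samples, not real configs: the cleartext defaults, then the hardened pair.
WEAK = ("""LISTENER = (DESCRIPTION_LIST = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = db.example.test)(PORT = 1521))))
SID_LIST_LISTENER = (SID_LIST = (SID_DESC = (SID_NAME = PLSExtProc)(PROGRAM = extproc)))""", "")
HARD = ("""LISTENER = (DESCRIPTION_LIST = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCPS)(HOST = db.example.test)(PORT = 2484))))
ADMIN_RESTRICTIONS_LISTENER = ON""", "TCP.VALIDNODE_CHECKING = YES\nTCP.INVITED_NODES = (10.0.0.5, app.example.test)")

if __name__ == "__main__":
    print("weak:", audit(*WEAK), "\nhardened:", audit(*HARD) or "no findings")
```

Point audit() at the contents of your own $ORACLE_HOME/network/admin files to see which items still apply; the parser keeps repeated keys such as ADDRESS as lists, so multi-endpoint listeners are checked endpoint by endpoint.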
Consider the route that the data travels through the system, and assess the potential threats that are present along it. Once you have found potential weaknesses, take steps to minimize the threats. Monitor and audit to determine whether the threat levels have increased, or whether there has been a successful penetration.
Franz Devantier
Need a database health check, or a security audit? devantierf@gmail.com