Thursday, March 28, 2013

Security, Policies and Tips - Part 9

Dear Readers,

My name is Franz Devantier, creator of this blog. I am an Oracle Certified Professional (OCP DBA 11g) Security DBA. I will be sharing with you the basic duties of an Oracle DBA, and also some of the undocumented and not so well known tasks.

Use Secure Application Roles to Verify IP Address

For example, if, as in the previous article, you had validated that the user came from the middle tier "FREDSERVER", you could go on to validate that the IP address is what you expect it to be.

Typically, IP addresses on their own are not a reliable way to validate a user, because IP addresses can be spoofed. So the primary check should never be on an IP address, but a secondary check on it is certainly advantageous.

So in this case you want to make sure that a particular user session was created by proxy for a middle-tier user, connecting from a specific IP address. The middle tier first authenticates itself to the database before creating a lightweight session. The database then ensures that the middle tier has the privilege to create a session on behalf of that user.

Now the secure application role (fred_admin) is enabled or not depending on the outcome of its associated package, fred.padmin. First the package checks that the session is coming through the correct proxy server. If this check passes, it additionally checks that the session is from the expected IP address; SYS_CONTEXT('userenv','ip_address') can be queried to determine this. If both the proxy middle-tier server and the IP address are correct, the package issues the SET ROLE command; otherwise it does not.
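The setup described above, written out as an added example (this is not code from the original post). It assumes the package lives in a schema called FRED, the middle tier connects as FREDSERVER (from the post), the end user is APP_USER, and 10.0.0.5 is a constructed placeholder for the middle tier's address. Note that in a proxy session IP_ADDRESS reports the middle tier's connection address, not the end user's browser.

```sql
-- 1. Allow the middle tier to open a proxy session on behalf of the end user.
ALTER USER app_user GRANT CONNECT THROUGH fredserver;

-- 2. The role can only be enabled through the named package, never by a plain SET ROLE.
CREATE ROLE fred_admin IDENTIFIED USING fred.padmin;

-- 3. The package must use invoker's rights so it runs in the calling session's context.
CREATE OR REPLACE PACKAGE fred.padmin AUTHID CURRENT_USER AS
  PROCEDURE enable_admin;
END padmin;
/

CREATE OR REPLACE PACKAGE BODY fred.padmin AS
  c_expected_proxy CONSTANT VARCHAR2(30) := 'FREDSERVER';  -- from the post
  c_expected_ip    CONSTANT VARCHAR2(45) := '10.0.0.5';    -- constructed placeholder

  PROCEDURE enable_admin IS
    v_proxy VARCHAR2(128) := SYS_CONTEXT('USERENV', 'PROXY_USER');
    v_ip    VARCHAR2(45)  := SYS_CONTEXT('USERENV', 'IP_ADDRESS');
  BEGIN
    -- Primary check: the session must have been created by proxy through FREDSERVER.
    -- PROXY_USER is NULL for a direct (non-proxy) connection, so that case fails too.
    IF v_proxy IS NULL OR v_proxy <> c_expected_proxy THEN
      RAISE_APPLICATION_ERROR(-20001, 'fred_admin not enabled: unexpected proxy user');
    END IF;

    -- Secondary check: the connecting address must be the expected middle-tier host.
    IF v_ip IS NULL OR v_ip <> c_expected_ip THEN
      RAISE_APPLICATION_ERROR(-20002, 'fred_admin not enabled: unexpected IP address');
    END IF;

    -- Both checks passed: enable the role for this session only.
    DBMS_SESSION.SET_ROLE('fred_admin');
  END enable_admin;
END padmin;
/

GRANT EXECUTE ON fred.padmin TO app_user;

-- 4. From a proxy session (e.g. CONNECT fredserver[app_user]/...), the application runs
--    EXEC fred.padmin.enable_admin;
--    and can confirm the result with: SELECT role FROM session_roles;
```

Raising an error rather than silently returning means a failed attempt shows up in the application's error handling and can be audited.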

As you can see, this offers a secondary or additional layer of security for the application. This setup makes it that much more difficult for malicious users to access the application and perform inappropriate operations in it.

Franz Devantier,
Need a database health check, or a security audit?
devantierf@gmail.com


