Securing Oracle is a much more difficult proposition than securing other database servers. The reason for this is quite simple ” the Oracle RDBMS is huge. What follows are some useful low-cost steps that will help to secure your Oracle environments.
This section details those actions that can be taken to secure Oracle.
The TNS Listener is one of the most important components of Oracle to secure because it's probably the first component an attacker will see. This section lists a few simple steps that will improve the security of your TNS Listener.
By default the TNS Listener has no password set and can be administered remotely by anybody who can connect (as of Oracle 10g this has changed). Setting a Listener password will prevent unauthorized administration of the Listener. To set a password, edit the listener.ora file and add the following line:
PASSWORDS_listenername = t1n5eLt0wn
Stop and restart the Listener. Because this password is in clear text, and clear text passwords are not secure, it should be encrypted. To do this is, connect to the Listener using the Listener Control Utility ” lsnrctl:
LSNRCTL> set current_listener 10.1.1.100 Current Listener is listener LSNRCTL> change_password Old password: New password: Reenter new password: Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC0))) Password changed for listener The command completed successfully LSNRCTL> set password Password: The command completed successfully LSNRCTL> save_config Connecting to (DESCRIPTION= (ADDRESS= (PROTOCOL=IPC) (KEY=EXTPROC0))) Saved LISTENER configuration parameters. Listener Parameter File C:\oracle\ora92\network\admin\listener.ora Old Parameter File C:\oracle\ora92\network\admin\listener.bak The command completed successfully LSNRCTL>
This will set the password in the listener.ora file to an encrypted password.
By turning on Admin Restrictions unauthorized administration of the Listener is prevented. With Admin Restrictions turned on certain commands cannot be called remotely, even if the Listener password is supplied. To turn on Admin Restrictions, add the following line to the listener.ora file:
ADMIN_RESTRICTIONS_ listenername = ON
Stop and restart the Listener.
TCP valid node checking can be used to allow certain hosts to connect to the database server and prevent others. To turn on TCP valid node checking, edit the protocol.ora file (sqlnet.ora on older versions) as follows:
TCP.VALIDNODE_CHECKING = YES TCP.EXCLUDED_NODES = {List of IP addresses separated by a comma}
or
TCP.INVITED_NODES = {List of IP addresses separated by a comma}
The latter, TCP.INVITED_NODES, is more secure but is more difficult to manage where there are many clients that need to connect to the database server.
The XML Database (XDB) provides two services. One is an FTP service listening on TCP port 2100 and the other is an HTTP service listening on TCP port 8080. If XDB is not used it should be turned off. To do this, edit the initdbsid.ora or spfile dbsid .ora file and remove the line that reads similar to
*.dispatchers='(PROTOCOL=TCP) (SERVICE= dbsid XDB)'
External procedures allow PL/SQL procedures to call functions in operating system shared objects (libraries/DLLs). This poses a security threat and should be turned off if not required. Developers of custom PL/SQL code should try to avoid using external procedures if at all possible.
Available only in Oracle Enterprise Edition, Oracle Advanced Security should be used to encrypt traffic between clients and the database server. This can be enabled by using the Oracle Net Manager tool.