Chapter 5: Securing Oracle

Securing Oracle is a much more difficult proposition than securing other database servers. The reason for this is quite simple: the Oracle RDBMS is huge. What follows are some useful low-cost steps that will help to secure your Oracle environments.

Oracle Security Recommendations

This section details those actions that can be taken to secure Oracle.

Oracle TNS Listener

The TNS Listener is one of the most important components of Oracle to secure because it's probably the first component an attacker will see. This section lists a few simple steps that will improve the security of your TNS Listener.

Set a TNS Listener Password

By default the TNS Listener has no password set and can be administered remotely by anyone who can connect to it (this has changed as of Oracle 10g). Setting a Listener password will prevent unauthorized administration of the Listener. To set a password, edit the listener.ora file and add the following line:

 PASSWORDS_listenername = t1n5eLt0wn 

Stop and restart the Listener. Because this password is stored in clear text, and clear text passwords are not secure, it should be encrypted. To do this, connect to the Listener using the Listener Control Utility, lsnrctl:

 LSNRCTL> set current_listener 10.1.1.100
 Current Listener is listener
 LSNRCTL> change_password
 Old password:
 New password:
 Reenter new password:
 Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC0)))
 Password changed for listener
 The command completed successfully
 LSNRCTL> set password
 Password:
 The command completed successfully
 LSNRCTL> save_config
 Connecting to (DESCRIPTION= (ADDRESS= (PROTOCOL=IPC) (KEY=EXTPROC0)))
 Saved LISTENER configuration parameters.
 Listener Parameter File C:\oracle\ora92\network\admin\listener.ora
 Old Parameter File   C:\oracle\ora92\network\admin\listener.bak
 The command completed successfully
 LSNRCTL>

This will set the password in the listener.ora file to an encrypted password.

Turn on Admin Restrictions

By turning on Admin Restrictions unauthorized administration of the Listener is prevented. With Admin Restrictions turned on certain commands cannot be called remotely, even if the Listener password is supplied. To turn on Admin Restrictions, add the following line to the listener.ora file:

 ADMIN_RESTRICTIONS_listenername = ON

Stop and restart the Listener.

Turn on TCP Valid Node Checking

TCP valid node checking can be used to allow certain hosts to connect to the database server and prevent others. To turn on TCP valid node checking, edit the protocol.ora file (sqlnet.ora on older versions) as follows:

 TCP.VALIDNODE_CHECKING = YES
 TCP.EXCLUDED_NODES = {List of IP addresses separated by a comma}

or

 TCP.INVITED_NODES = {List of IP addresses separated by a comma} 

The latter, TCP.INVITED_NODES, is more secure but is more difficult to manage where there are many clients that need to connect to the database server.

Turn off XML Database

The XML Database (XDB) provides two services. One is an FTP service listening on TCP port 2100 and the other is an HTTP service listening on TCP port 8080. If XDB is not used it should be turned off. To do this, edit the initdbsid.ora or spfiledbsid.ora file (where dbsid is the database SID) and remove the line that reads similar to the following:

 *.dispatchers='(PROTOCOL=TCP) (SERVICE=dbsidXDB)'
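The Listener password, Admin Restrictions, TCP valid node checking and XDB dispatcher steps above can be verified from the configuration files alone. The following is an added example audit script, not code from the book or from Oracle; it parses constructed listener.ora, protocol.ora and init.ora fragments and reports which of those steps are still missing. The test for an encrypted Listener password (a 16-character hex string, as written by change_password) is a heuristic assumption.

```python
import re

# Constructed sample fragments standing in for listener.ora,
# protocol.ora (or sqlnet.ora) and initdbsid.ora; not from a real system.
LISTENER_ORA = """
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost)(PORT = 1521))))
PASSWORDS_LISTENER = 8A5F2B1C9D3E7F60
ADMIN_RESTRICTIONS_LISTENER = OFF
"""
PROTOCOL_ORA = """
TCP.VALIDNODE_CHECKING = YES
TCP.INVITED_NODES = (10.1.1.5, 10.1.1.6)
"""
INIT_ORA = """
*.dispatchers='(PROTOCOL=TCP) (SERVICE=ORCLXDB)'
*.db_name='ORCL'
"""

def params(text):
    """Parse simple KEY = VALUE lines into a dict with upper-cased keys.
    Nested (DESCRIPTION ...) blocks do not match and are skipped."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"\s*([\w.*]+)\s*=\s*(.+?)\s*$", line)
        if m:
            out[m.group(1).upper()] = m.group(2)
    return out

def audit(listener_name, listener_ora, protocol_ora, init_ora):
    """Return (check, passed) pairs for each hardening step."""
    l, p, i = params(listener_ora), params(protocol_ora), params(init_ora)
    name = listener_name.upper()
    pw = l.get(f"PASSWORDS_{name}")
    # Heuristic (assumption): an encrypted password is 16 hex characters,
    # whereas the clear-text form written by hand is an arbitrary string.
    encrypted = pw is not None and re.fullmatch(r"[0-9A-Fa-f]{16}", pw) is not None
    node_list = "TCP.INVITED_NODES" in p or "TCP.EXCLUDED_NODES" in p
    return [
        ("listener password set", pw is not None),
        ("listener password encrypted", encrypted),
        ("admin restrictions on", l.get(f"ADMIN_RESTRICTIONS_{name}", "").upper() == "ON"),
        ("valid node checking enabled",
         p.get("TCP.VALIDNODE_CHECKING", "").upper() == "YES" and node_list),
        ("XDB dispatcher removed", "XDB" not in i.get("*.DISPATCHERS", "").upper()),
    ]

if __name__ == "__main__":
    for check, ok in audit("LISTENER", LISTENER_ORA, PROTOCOL_ORA, INIT_ORA):
        print(f"[{'OK' if ok else 'MISSING'}] {check}")
```

On the sample above the script flags Admin Restrictions and the XDB dispatcher as outstanding; point it at the real files under the Oracle network/admin and dbs directories to check a live install.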

Turn off External Procedures

External procedures allow PL/SQL procedures to call functions in operating system shared objects (libraries/DLLs). This poses a security threat and should be turned off if not required. Developers of custom PL/SQL code should try to avoid using external procedures if at all possible.

Encrypt Network Traffic

Available only in Oracle Enterprise Edition, Oracle Advanced Security should be used to encrypt traffic between clients and the database server. This can be enabled by using the Oracle Net Manager tool.



The Database Hacker's Handbook: Defending Database Servers
ISBN: 0764578014
Year: 2003
Pages: 156