17.2 Advanced Networking Option
Security, the protection of data, is one of the primary concerns of any business. This book focuses on how the standard features of Oracle can be used to control access within the database and thus improve the security position of your business.
But what happens outside of the database? Is the data safe on a network (LAN), an intranet, a MAN, a WAN, or the World Wide Web? Probably not. In the military security community, a popular and commonly told story concerns the detection of keystrokes from teletypes. Many years ago, an evaluation team went to a popular electronic parts store and, for only a few dollars, bought a handful of electronics components. When properly assembled, these components became a crude but effective receiver that could be tuned to the frequency radiated by the teletype keyboard. This was an excellent example of the interception of data as it was being entered, even before it had a chance to be encrypted. The story ends with the team visiting the "secure" facility with a full copy of the supposedly classified message that had been transmitted only moments earlier.
17.2.1 About Sniffers and Snoopers
A similar situation exists today. Data is not usually encrypted between the workstation and the database. Almost everyone has now heard of the terms sniffer and snooper. These terms pertain to hardware and software that can be located close to, but not necessarily physically attached to, the network and that can be used to intercept network packets. With sniffer or snooper technology, an interloper can intercept, read, modify, or substitute data as it travels through the network. Most dangerously, the intercepted data can include usernames and passwords.
17.2.2 How ANO Works
Oracle provides several products that help you protect the confidentiality and integrity of your data. These products can also help you authenticate users. The base product is called the Advanced Networking Option (ANO); ANO is an option that must be purchased separately from the default RDBMS software bundle.
ANO first appeared with Oracle7 and incorporated features of several previous products, primarily:
Secure Network Services
Neither of these products is now available.
ANO is used in conjunction with SQL*Net for Oracle7 or Net8 for Oracle8, and provides all the functionality of those products in addition to data encryption. Several encryption algorithm options are currently supported (some of these are described in greater detail in Chapter 15):
- RC4 40
A 40-bit encryption algorithm from RSA Data Security, Inc.
- RC4 56
A 56-bit encryption algorithm from RSA Data Security, Inc.
- RC4 128
A 128-bit encryption algorithm from RSA Data Security, Inc.
- DES 40
A 40-bit encryption algorithm based on the Data Encryption Standard, which uses a security key that is randomly generated for each session
- DES 56
A 56-bit encryption algorithm based on the Data Encryption Standard, which uses a security key that is randomly generated for each session
Over time, these options will probably change. The number that follows the encryption type indicates how many bits of key the algorithm will use. Smaller numbers, such as 40-bit encryption, pose less of a challenge for an eavesdropper to break and thus make it easier for him or her to see the information being transported. Although ANO is available in other countries, slightly different encryption capabilities are delivered outside the United States because of U.S. Government export restrictions on strong cryptography.
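As an added illustration that is not part of this chapter, the two server-side sqlnet.ora fragments below show a weak setting beside a hardened one. The parameter names and the algorithm identifiers (RC4_40, RC4_56, RC4_128, DES40, DES) are assumed from Oracle's Net configuration syntax rather than quoted from the book, and the seed value is a placeholder.

```ini
# Added example, not the book's own text. Parameter names and algorithm
# identifiers are assumed from Oracle's Net configuration syntax.

# --- Weak configuration ---
# Encryption is only ACCEPTED: a client that never asks for it gets a
# cleartext session, which is exactly what a sniffer wants. The 40-bit
# algorithms are also listed, so a client may negotiate the weakest one.
SQLNET.ENCRYPTION_SERVER = accepted
SQLNET.ENCRYPTION_TYPES_SERVER = (RC4_40, DES40, RC4_56, DES, RC4_128)

# --- Hardened configuration ---
# Encryption is REQUIRED: a client unable to encrypt is refused instead of
# silently falling back to cleartext. The 40-bit entries are removed so
# they can never be negotiated, and the seed used for the randomly
# generated per-session keys is set (placeholder value, replace it).
SQLNET.ENCRYPTION_SERVER = required
SQLNET.ENCRYPTION_TYPES_SERVER = (RC4_128, RC4_56)
SQLNET.CRYPTO_SEED = "replace-with-10-to-70-random-characters"
```

The client side carries the matching SQLNET.ENCRYPTION_CLIENT and SQLNET.ENCRYPTION_TYPES_CLIENT parameters; the session uses an algorithm that appears in both lists, so the 40-bit entries are only truly excluded when neither side offers them.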
For single sign-on support, you can use a third-party single sign-on server such as Kerberos or SESAME, or you can use the Oracle Security Server (described in Chapter 15), which is included with the default Oracle8 bundle. ANO works with both standard Oracle and Trusted Oracle.
When considering the use of any encryption methodology, keep in mind that encryption adds another step to the communications process. Each packet sent must be encrypted by the sending software, and each packet received must be decrypted, on both the client side and the server side. As a result, there will almost always be some performance degradation. You can expect a potential range of performance degradation of between 5 and 20 percent, depending on the complexity of the operations you are performing.