Oracle security 08-oracle network security

1. 云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com
Oracle Network Security

2. 云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com
Objectives
After completing this lesson, you should be able to do
the following:
• Describe the items on the client, listener, and
network security checklists
• Secure administration of the network
• Restrict access by IP address
• Administer the listener securely
• Analyze listener log files

3. 云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com
Client Checklist
• Internet access to secure data requires user
authentication, rather than client-computer
authentication.
• The options are:
– Bypass client-computer configuration and rely on
user authentication to a middle tier.
– Configure the client computer:
• Authentication
• Authorization
– Administer client certificates.
– Educate users.

4. 云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com
Configuring the Browser
Browsers include the following security features:
• SSL encryption by using the HTTPS protocol
• Certificate authorization:
– Client
– Server

5. 云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com
Configuring the Client
Configure client computers to use Oracle Advanced
Security features with Oracle Net Services:
• Native encryption
• SSL authentication by using certificates

6. 云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com
Using Certificates
Considerations when using certificates for
authentication:
• Distinguished name and issuer uniquely identify
the user.
• Test for expiring certificates.
• Use certificate reissues to update certificate
information.
• Audit certificate revocations.

7. 云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com
Network Security: Checklist
• Use a firewall.
• Restrict IP addresses.
• Encrypt network traffic.
• Prevent remote administration of Connection
Manager (CMAN).
• Use network log files to monitor connections.

8. 云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com
Using a Firewall to Restrict
Network Access
Application
Web server
Database
server
Client
computers
Firewall Firewall

9. 云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com
Restricting Network IP Addresses:
Valid Node Checking
Set the following SQLNET.ORA parameters:
• Turn on the feature:
• Deny access from these nodes:
• Allow access from these nodes:
tcp.excluded_nodes = 192.168.10.102
tcp.invited_nodes =
(192.168.10.102, 192.168.10.112)
tcp.validnode_checking = YES

10. 云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com
Restricting Network IP Addresses:
Guidelines
Network IP restrictions can help secure access to your
server. Consider the following guidelines:
• Do not use IP restrictions as your only security. IP
addresses can be spoofed.
• Use Connection Manager to limit access by node.
• Limit access by protocol.
• Protect dispatcher ports. IP restrictions do not
prevent connections to the dispatcher.

11. 云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com
Restricting Open Ports
• Limit open ports to needed applications:
– Open ports are network-attack opportunities.
– Know which ports are open on your computer.
• Find open ports:
– Oracle product installation ports in portlist.ini
– Listener ports in listener.ora
– Dispatcher ports by using lsnrctl services
– Other ports by using netstat

12. 云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com
Encrypting Network Traffic
• Guideline: Encrypt sensitive network traffic.
• Tasks:
– Use HTTPS when sending sensitive data between
the client computer and the server.
– Use SSL or native encryption to encrypt Oracle Net
Services traffic.
• Use the TCPS protocol for TCP/IP with SSL:
...
(ADDRESS=
(PROTOCOL=tcps)
...

13. 云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com
Oracle Net Services Log Files
Database
server
CMADMIN
process
CMGW
processsqlnet.log
listener.log
<name>_cmadm_pid.log
<name>_cmgw_pid.log
Listener
CMAN
listener
<name>_pid.log

14. 云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com
Listener Security: Checklist
• Restrict the privileges of the listener.
• Secure administration by:
– Protecting the listener with a password for remote
administration
– Using SSL when administering the listener
• Protect against denial-of-service attacks.
• Monitor listener activity.

15. 云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com
Restricting the Privileges of the Listener
• Restrict the privileges of a separate listener
process.
• A sample configuration is:
EXTPROC_LISTENER=
(DESCRIPTION=
(ADDRESS=(PROTOCOL=ipc)(KEY=extproc)))
SID_LIST_EXTPROC_LISTENER=
(SID_LIST=
(SID_DESC=
(SID_NAME=plsextproc)
(ORACLE_HOME=
/u01/app/oracle/product/11.2.0/db_1)
(PROGRAM=extproc)))

16. 云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com
Use the CREATE LIBRARY
Privilege Sparingly
• External procedures:
– Are executed from a library
– Run with the privileges of the listener
• By default, the listener has the write privilege to:
– Database files
– The memory space of the instance
• To avoid misuse of this privilege:
– Use it only when needed
– Limit the privileges of the listener

17. 云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com
Password Protect the Listener
• Establish a password for the Oracle listener to
prevent unauthorized listener administration.
• From the Listener Control utility, issue the
following command:
LSNRCTL> CHANGE_PASSWORD
Old password: lsnrc80
New password: lsnrc90
Reenter new password: lsnrc90
LSNRCTL> SET PASSWORD
Password:
The command completed successfully
LSNRCTL> SAVE_CONFIG
The command completed successfully

18. 云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com
Preventing Online Administration
of the Listener
• Listener configuration cannot be changed online.
• To change the configuration, you must:
– Make the changes in the LISTENER.ORA file
– Reload the configuration
• In the LISTENER.ORA file, enter the following:
• This configuration requires the administrator to
have:
– Write privileges on the LISTENER.ORA file
ADMIN_RESTRICTIONS_LISTENER=ON

19. 云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com
Administering the Listener Using
TCP/IP with SSL
• Use TCP/IP with SSL when administering over an
insecure network.
• Make the TCPS protocol the first entry in the
address list.
• Example (LISTENER.ORA file configured for SSL):
LISTENER=
(DESCRIPTION=
(ADDRESS_LIST=
(ADDRESS=
(PROTOCOL=tcps)
(HOST = singleton11g.snda.com)
(PORT = 1521)))
...

20. 云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com
INBOUND_CONNECT_TIMEOUT
Protect the listener from denial-of-service attacks with
the following network parameters:
• SQLNET.INBOUND_CONNECT_TIMEOUT
• INBOUND_CONNECT_TIMEOUT_listener_name
These parameters:
• Set the time allowed for a connection to complete
authentication
• Log failures with source IP addresses

21. 云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com
Setting Listener Logging Parameters
• In the LISTENER.ORA file:
– LOG_DIRECTORY_listener_name
– LOG_FILE_listener_name
• With Oracle Net Manager:
• With the SET command in the Listener Control
utility:
– LOG_DIRECTORY
– LOG_FILE

22. 云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com
Analyzing Listener Log Files
The listener log contains the following information:
• Listener log audits:
– Client connection request
– Listener Control utility commands
• Listener service registration events:
– service_register
– service_update
– service_died
• Listener direct hand-off information

23. 云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com
Summary
In this lesson, you should have learned how to:
• Describe the items on the client, listener, and
network security checklists
• Secure administration of the network
• Restrict access by IP address
• Administer the listener securely
• Analyze listener log files

24. 云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com
Q&A