云和恩墨 (Enmotech): achieving what is entrusted to us. By 王朝阳, 18516271611, sonne.k.wang@gmail.com

Oracle Network Security
Objectives
After completing this lesson, you should be able to do the following:
• Describe the items on the client, listener, and network security checklists
• Secure administration of the network
• Restrict access by IP address
• Administer the listener securely
• Analyze listener log files
Client Checklist
• Internet access to secure data requires user authentication, rather than client-computer authentication.
• The options are:
  – Bypass client-computer configuration and rely on user authentication to a middle tier.
  – Configure the client computer:
    • Authentication
    • Authorization
  – Administer client certificates.
  – Educate users.
Configuring the Browser
Browsers include the following security features:
• SSL encryption by using the HTTPS protocol
• Certificate authorization:
  – Client
  – Server
Configuring the Client
Configure client computers to use Oracle Advanced Security features with Oracle Net Services:
• Native encryption
• SSL authentication by using certificates
Using Certificates
Considerations when using certificates for authentication:
• Distinguished name and issuer uniquely identify the user.
• Test for expiring certificates.
• Use certificate reissues to update certificate information.
• Audit certificate revocations.
Network Security: Checklist
• Use a firewall.
• Restrict IP addresses.
• Encrypt network traffic.
• Prevent remote administration of Connection Manager (CMAN).
• Use network log files to monitor connections.
Using a Firewall to Restrict Network Access
(Diagram: client computers, firewall, application Web server, firewall, database server.)
Restricting Network IP Addresses: Valid Node Checking
Set the following SQLNET.ORA parameters:
• Turn on the feature:
    tcp.validnode_checking = YES
• Deny access from these nodes:
    tcp.excluded_nodes = 192.168.10.102
• Allow access from these nodes:
    tcp.invited_nodes = (192.168.10.102, 192.168.10.112)
Restricting Network IP Addresses: Guidelines
Network IP restrictions can help secure access to your server. Consider the following guidelines:
• Do not use IP restrictions as your only security. IP addresses can be spoofed.
• Use Connection Manager to limit access by node.
• Limit access by protocol.
• Protect dispatcher ports. IP restrictions do not prevent connections to the dispatcher.
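The valid node checking parameters from the two slides above, evaluated and audited in Python. This is an added example, not code from the lesson or from Oracle: the sqlnet.ora fragment is constructed from the slide's values, the function names are ours, and the rule that tcp.invited_nodes takes precedence when both lists are present is our reading of Oracle's documentation, to be verified against the Net Services Reference for your release.

```python
"""Evaluate and audit valid node checking (tcp.validnode_checking,
tcp.invited_nodes, tcp.excluded_nodes) from a sqlnet.ora fragment.
Added example; not code from the lesson or from Oracle."""

# Constructed sqlnet.ora fragment using the values shown on the slide.
SAMPLE_SQLNET_ORA = """
# valid node checking
tcp.validnode_checking = YES
tcp.excluded_nodes = 192.168.10.102
tcp.invited_nodes = (192.168.10.102, 192.168.10.112)
"""


def parse_sqlnet(text):
    """Return {lower-case key: [values]} for simple KEY = VALUE lines.
    A parenthesised value is split on commas; '#' starts a comment."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        value = value.strip().strip("()")
        params[key.strip().lower()] = [v.strip() for v in value.split(",") if v.strip()]
    return params


def is_enabled(params):
    """True only when tcp.validnode_checking is YES; the lists are ignored otherwise."""
    return params.get("tcp.validnode_checking", ["NO"])[0].upper() == "YES"


def node_allowed(params, client_ip):
    """Decision the listener makes for a client address under these settings.
    Assumption (our reading of Oracle's documentation, verify for your
    release): when both lists are present, tcp.invited_nodes takes precedence."""
    if not is_enabled(params):
        return True
    invited = params.get("tcp.invited_nodes", [])
    if invited:
        return client_ip in invited
    return client_ip not in params.get("tcp.excluded_nodes", [])


def audit(params):
    """Findings a reviewer should raise about these three parameters."""
    findings = []
    invited = set(params.get("tcp.invited_nodes", []))
    excluded = set(params.get("tcp.excluded_nodes", []))
    if not is_enabled(params):
        findings.append("tcp.validnode_checking is not YES: invited/excluded lists have no effect")
    overlap = sorted(invited & excluded)
    if overlap:
        findings.append("listed in both invited and excluded nodes: " + ", ".join(overlap))
    if is_enabled(params) and not invited:
        findings.append("no tcp.invited_nodes: every node not explicitly excluded is admitted")
    return findings


if __name__ == "__main__":
    cfg = parse_sqlnet(SAMPLE_SQLNET_ORA)
    for ip in ("192.168.10.112", "192.168.10.102", "10.0.0.9"):
        print(ip, "allowed" if node_allowed(cfg, ip) else "refused")
    for finding in audit(cfg):
        print("finding:", finding)
```

Running the block prints a decision for three addresses and the audit findings; the slide's own example lists 192.168.10.102 in both lists, which the audit flags as an overlap. As the guidelines slide says, node_allowed can only judge the source address the client presents, so a spoofed address passes the check; keep the firewall in front of the listener.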
Restricting Open Ports
• Limit open ports to needed applications:
  – Open ports are network-attack opportunities.
  – Know which ports are open on your computer.
• Find open ports:
  – Oracle product installation ports in portlist.ini
  – Listener ports in listener.ora
  – Dispatcher ports by using lsnrctl services
  – Other ports by using netstat
Encrypting Network Traffic
• Guideline: Encrypt sensitive network traffic.
• Tasks:
  – Use HTTPS when sending sensitive data between the client computer and the server.
  – Use SSL or native encryption to encrypt Oracle Net Services traffic.
• Use the TCPS protocol for TCP/IP with SSL:
    ...
    (ADDRESS=
      (PROTOCOL=tcps)
    ...
Oracle Net Services Log Files
(Diagram: each Oracle Net component and its log file.)
• Database server: sqlnet.log
• Listener: listener.log
• CMAN listener: <name>_pid.log
• CMADMIN process: <name>_cmadm_pid.log
• CMGW process: <name>_cmgw_pid.log
Listener Security: Checklist
• Restrict the privileges of the listener.
• Secure administration by:
  – Protecting the listener with a password for remote administration
  – Using SSL when administering the listener
• Protect against denial-of-service attacks.
• Monitor listener activity.
Restricting the Privileges of the Listener
• Restrict the privileges of a separate listener process.
• A sample configuration is:
    EXTPROC_LISTENER=
      (DESCRIPTION=
        (ADDRESS=(PROTOCOL=ipc)(KEY=extproc)))
    SID_LIST_EXTPROC_LISTENER=
      (SID_LIST=
        (SID_DESC=
          (SID_NAME=plsextproc)
          (ORACLE_HOME=/u01/app/oracle/product/11.2.0/db_1)
          (PROGRAM=extproc)))
Use the CREATE LIBRARY Privilege Sparingly
• External procedures:
  – Are executed from a library
  – Run with the privileges of the listener
• By default, the listener has the write privilege to:
  – Database files
  – The memory space of the instance
• To avoid misuse of this privilege:
  – Use it only when needed
  – Limit the privileges of the listener
Password Protect the Listener
• Establish a password for the Oracle listener to prevent unauthorized listener administration.
• From the Listener Control utility, issue the following commands:
    LSNRCTL> CHANGE_PASSWORD
    Old password: lsnrc80
    New password: lsnrc90
    Reenter new password: lsnrc90
    LSNRCTL> SET PASSWORD
    Password:
    The command completed successfully
    LSNRCTL> SAVE_CONFIG
    The command completed successfully
Preventing Online Administration of the Listener
• With admin restrictions enabled, the listener configuration cannot be changed online.
• To change the configuration, you must:
  – Make the changes in the LISTENER.ORA file
  – Reload the configuration
• In the LISTENER.ORA file, enter the following:
    ADMIN_RESTRICTIONS_LISTENER=ON
• This configuration requires the administrator to have:
  – Write privileges on the LISTENER.ORA file
Administering the Listener Using TCP/IP with SSL
• Use TCP/IP with SSL when administering over an insecure network.
• Make the TCPS protocol the first entry in the address list.
• Example (LISTENER.ORA file configured for SSL):
    LISTENER=
      (DESCRIPTION=
        (ADDRESS_LIST=
          (ADDRESS=
            (PROTOCOL=tcps)
            (HOST=singleton11g.snda.com)
            (PORT=1521)))
    ...
INBOUND_CONNECT_TIMEOUT
Protect the listener from denial-of-service attacks with the following network parameters:
• SQLNET.INBOUND_CONNECT_TIMEOUT
• INBOUND_CONNECT_TIMEOUT_listener_name
These parameters:
• Set the time allowed for a connection to complete authentication
• Log failures with source IP addresses
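The listener checklist items from the slides above (a separate IPC-only listener for extproc, ADMIN_RESTRICTIONS, TCPS first in the address list, INBOUND_CONNECT_TIMEOUT) turned into an automated review of a listener.ora. This is an added example, not code from the lesson or from Oracle: the listener.ora below is constructed (the hostname db1.example.test and the second listener's settings are ours; EXTPROC_LISTENER copies the slide's sample), the descriptor parser is a minimal one for Oracle Net's parenthesised syntax, and the check names and finding texts are ours.

```python
"""Audit a listener.ora against the listener checklist: TCPS first in the
address list, ADMIN_RESTRICTIONS on, INBOUND_CONNECT_TIMEOUT set, and
extproc served only by a separate IPC-only listener.  Added example, not
code from the lesson or from Oracle; the check names are ours."""
import re

# Constructed listener.ora.  LISTENER deliberately fails several checks;
# EXTPROC_LISTENER follows the slide's sample configuration.
SAMPLE_LISTENER_ORA = """
LISTENER=
  (DESCRIPTION=
    (ADDRESS_LIST=
      (ADDRESS=(PROTOCOL=tcp)(HOST=db1.example.test)(PORT=1521))
      (ADDRESS=(PROTOCOL=tcps)(HOST=db1.example.test)(PORT=2484))))
SID_LIST_LISTENER=
  (SID_LIST=
    (SID_DESC=(SID_NAME=orcl)(ORACLE_HOME=/u01/app/oracle/product/11.2.0/db_1))
    (SID_DESC=(SID_NAME=plsextproc)(ORACLE_HOME=/u01/app/oracle/product/11.2.0/db_1)
              (PROGRAM=extproc)))
ADMIN_RESTRICTIONS_LISTENER=ON
EXTPROC_LISTENER=
  (DESCRIPTION=
    (ADDRESS=(PROTOCOL=ipc)(KEY=extproc)))
SID_LIST_EXTPROC_LISTENER=
  (SID_LIST=
    (SID_DESC=(SID_NAME=plsextproc)(ORACLE_HOME=/u01/app/oracle/product/11.2.0/db_1)
              (PROGRAM=extproc)))
INBOUND_CONNECT_TIMEOUT_EXTPROC_LISTENER=10
"""


def parse_descriptor(text):
    """Parse Oracle Net's nested (KEY=VALUE) syntax into [(KEY, value), ...],
    where value is a string or another such list."""
    pos = 0

    def parse_value():
        nonlocal pos
        while pos < len(text) and text[pos].isspace():
            pos += 1
        if pos < len(text) and text[pos] == "(":
            items = []
            while pos < len(text) and text[pos] == "(":
                key_end = text.index("=", pos)
                key = text[pos + 1:key_end].strip().upper()
                pos = key_end + 1
                items.append((key, parse_value()))
                pos = text.index(")", pos) + 1      # close this (KEY=...) entry
                while pos < len(text) and text[pos].isspace():
                    pos += 1
            return items
        start = pos
        while pos < len(text) and text[pos] not in "()":
            pos += 1
        return text[start:pos].strip()

    return parse_value()


def parse_ora(text):
    """Split a .ora file into top-level NAME=value parameters; a parameter
    starts at column 0 and its continuation lines are indented."""
    lines = [l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    params = {}
    for chunk in re.split(r"\n(?=\S)", "\n".join(lines)):
        name, _, value = chunk.partition("=")
        value = value.strip()
        params[name.strip().upper()] = parse_descriptor(value) if value.startswith("(") else value
    return params


def find_all(node, key):
    """Yield every value stored under key at any depth of a parsed descriptor."""
    if isinstance(node, list):
        for k, v in node:
            if k == key:
                yield v
            yield from find_all(v, key)


def lookup(items, key):
    """First value for key in one level of a parsed descriptor, or ''."""
    return next((v for k, v in items if k == key), "") if isinstance(items, list) else ""


def audit_listener_ora(params):
    """Return findings, one string per failed check, per listener."""
    findings = []
    for name, value in params.items():
        if not (isinstance(value, list) and value and value[0][0] in ("DESCRIPTION", "DESCRIPTION_LIST")):
            continue   # not a listener endpoint definition (SID_LIST_*, scalars)
        protocols = [str(lookup(a, "PROTOCOL")).lower() for a in find_all(value, "ADDRESS")]
        network = [p for p in protocols if p != "ipc"]
        if network and network[0] != "tcps":
            findings.append(f"{name}: first network address uses {network[0]}, not tcps")
        if str(params.get(f"ADMIN_RESTRICTIONS_{name}", "")).upper() != "ON":
            findings.append(f"{name}: ADMIN_RESTRICTIONS_{name}=ON is not set")
        if f"INBOUND_CONNECT_TIMEOUT_{name}" not in params:
            findings.append(f"{name}: INBOUND_CONNECT_TIMEOUT_{name} is not set")
        sid_descs = find_all(params.get(f"SID_LIST_{name}", []), "SID_DESC")
        if network and any(str(lookup(d, "PROGRAM")).lower() == "extproc" for d in sid_descs):
            findings.append(f"{name}: serves extproc on a network endpoint; move it to a separate IPC-only listener")
    return findings


if __name__ == "__main__":
    for finding in audit_listener_ora(parse_ora(SAMPLE_LISTENER_ORA)):
        print(finding)
```

On the constructed file the audit reports four findings: LISTENER lists tcp before tcps, lacks INBOUND_CONNECT_TIMEOUT_LISTENER, and serves extproc on a network endpoint, while EXTPROC_LISTENER lacks ADMIN_RESTRICTIONS_EXTPROC_LISTENER=ON. Run it against a real listener.ora by replacing the sample text; the parser only handles the parenthesised descriptor syntax and simple scalars, which is all these checks need.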
Setting Listener Logging Parameters
• In the LISTENER.ORA file:
  – LOG_DIRECTORY_listener_name
  – LOG_FILE_listener_name
• With Oracle Net Manager
• With the SET command in the Listener Control utility:
  – LOG_DIRECTORY
  – LOG_FILE
Analyzing Listener Log Files
The listener log contains the following information:
• Listener log audits:
  – Client connection request
  – Listener Control utility commands
• Listener service registration events:
  – service_register
  – service_update
  – service_died
• Listener direct hand-off information
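A parser for the three kinds of listener.log record the slide lists (client connection requests, Listener Control utility commands, service registration events), with the summaries a reviewer wants: connections and refused connections per source IP, which the INBOUND_CONNECT_TIMEOUT slide says the listener logs, and administrative commands with their return codes. This is an added example, not code from the lesson or from Oracle; the log lines are constructed in listener.log style (the addresses, hosts, service names and timestamps are invented), and the function names and the failure threshold are ours.

```python
"""Parse listener.log records and summarise client connection requests,
Listener Control commands and service registration events.  Added example,
not code from the lesson or Oracle; the log lines are constructed."""
import re
from collections import Counter

# Constructed listener.log excerpt: two normal connections from an invited
# node, three refused requests from an unexpected address, a refused 'stop'
# command, a local 'status', and two registration events.
SAMPLE_LISTENER_LOG = """\
01-MAR-2012 09:00:02 * service_register * orcl * 0
01-MAR-2012 09:01:10 * (CONNECT_DATA=(SERVICE_NAME=orcl)(CID=(PROGRAM=sqlplus)(HOST=app1)(USER=appuser))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.112)(PORT=41022)) * establish * orcl * 0
01-MAR-2012 09:01:15 * (CONNECT_DATA=(SERVICE_NAME=orcl)(CID=(PROGRAM=sqlplus)(HOST=app1)(USER=appuser))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.112)(PORT=41023)) * establish * orcl * 0
01-MAR-2012 09:02:30 * (CONNECT_DATA=(SERVICE_NAME=payroll)(CID=(PROGRAM=)(HOST=unknown)(USER=nobody))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.9)(PORT=53001)) * establish * payroll * 12514
01-MAR-2012 09:02:31 * (CONNECT_DATA=(SERVICE_NAME=hr)(CID=(PROGRAM=)(HOST=unknown)(USER=nobody))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.9)(PORT=53002)) * establish * hr * 12514
01-MAR-2012 09:02:32 * (CONNECT_DATA=(SERVICE_NAME=sales)(CID=(PROGRAM=)(HOST=unknown)(USER=nobody))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.9)(PORT=53003)) * establish * sales * 12514
01-MAR-2012 09:03:05 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=unknown)(USER=nobody))(COMMAND=stop)(ARGUMENTS=64)(SERVICE=LISTENER)(VERSION=186647296)) * stop * 1169
01-MAR-2012 09:03:20 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=db1)(USER=oracle))(COMMAND=status)(ARGUMENTS=64)(SERVICE=LISTENER)(VERSION=186647296)) * status * 0
01-MAR-2012 09:05:00 * service_update * orcl * 0
"""

RECORD = re.compile(r"^(?P<ts>\d{2}-[A-Z]{3}-\d{4} \d{2}:\d{2}:\d{2}) \* (?P<rest>.+)$")
REGISTRATION_EVENTS = ("service_register", "service_update", "service_died")


def _nv(text, key):
    """Value of the innermost (KEY=value) pair named key, or '' if absent."""
    m = re.search(r"\(%s=([^()]*)\)" % re.escape(key), text)
    return m.group(1) if m else ""


def parse_listener_log(text):
    """Turn listener.log lines into dicts tagged connect / admin / registration."""
    records = []
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue                      # banner, blank or continuation line
        fields = [f.strip() for f in m.group("rest").split(" * ")]
        rec = {"ts": m.group("ts"), "rc": int(fields[-1]) if fields[-1].isdigit() else None}
        head = fields[0]
        if head in REGISTRATION_EVENTS:
            rec.update(kind="registration", event=head, service=fields[1])
        elif _nv(head, "COMMAND"):        # Listener Control utility command
            rec.update(kind="admin", command=_nv(head, "COMMAND"),
                       host=_nv(head, "HOST"), user=_nv(head, "USER"))
        elif head.startswith("(CONNECT_DATA="):   # client connection request
            rec.update(kind="connect", service=_nv(head, "SERVICE_NAME"),
                       program=_nv(head, "PROGRAM"), user=_nv(head, "USER"),
                       client_ip=_nv(fields[1], "HOST"), action=fields[2])
        else:
            rec.update(kind="other", event=head)
        records.append(rec)
    return records


def summarize(records):
    """Counts a reviewer of the log wants at a glance; rc != 0 means refused."""
    connects = [r for r in records if r["kind"] == "connect"]
    return {
        "connections_by_ip": dict(Counter(r["client_ip"] for r in connects)),
        "failures_by_ip": dict(Counter(r["client_ip"] for r in connects if r["rc"] != 0)),
        "admin_commands": [(r["host"], r["user"], r["command"], r["rc"])
                           for r in records if r["kind"] == "admin"],
        "registrations": [(r["event"], r["service"])
                          for r in records if r["kind"] == "registration"],
    }


def suspicious_sources(records, min_failures=3):
    """Client addresses with at least min_failures refused connection requests,
    worth comparing against the invited-node list and firewall rules."""
    failures = Counter(r["client_ip"] for r in records
                       if r["kind"] == "connect" and r["rc"] != 0)
    return sorted(ip for ip, n in failures.items() if n >= min_failures)


if __name__ == "__main__":
    recs = parse_listener_log(SAMPLE_LISTENER_LOG)
    for key, value in summarize(recs).items():
        print(key, value)
    print("suspicious:", suspicious_sources(recs))
```

The record format is the one the slide describes: timestamp, then fields separated by " * ", ending in a return code. Connection requests carry a CONNECT_DATA block and an ADDRESS block, so the source IP is read from the ADDRESS field rather than from the client-supplied HOST inside CID; Listener Control commands carry a COMMAND entry and no ADDRESS, so for them only the reported host and user are available.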
Summary
In this lesson, you should have learned how to:
• Describe the items on the client, listener, and network security checklists
• Secure administration of the network
• Restrict access by IP address
• Administer the listener securely
• Analyze listener log files
Q&A

Oracle security 08-oracle network security
