Oracle Security 08: Oracle Network Security
Posted on 14-Dec-2014
云和恩墨, achieving what is entrusted, by 王朝阳 18516271611 sonne.k.wang@gmail.com
Oracle Network Security
Objectives
After completing this lesson, you should be able to do the following:
• Describe the items on the client, listener, and network security checklists
• Secure administration of the network
• Restrict access by IP address
• Administer the listener securely
• Analyze listener log files
Client Checklist
• Internet access to secure data requires user authentication, rather than client-computer authentication.
• The options are:
  – Bypass client-computer configuration and rely on user authentication to a middle tier.
  – Configure the client computer:
    • Authentication
    • Authorization
  – Administer client certificates.
  – Educate users.
Configuring the Browser
Browsers include the following security features:
• SSL encryption by using the HTTPS protocol
• Certificate authorization:
  – Client
  – Server
Configuring the Client
Configure client computers to use Oracle Advanced Security features with Oracle Net Services:
• Native encryption
• SSL authentication by using certificates
Using Certificates
Considerations when using certificates for authentication:
• Distinguished name and issuer uniquely identify the user.
• Test for expiring certificates.
• Use certificate reissues to update certificate information.
• Audit certificate revocations.
Network Security: Checklist
• Use a firewall.
• Restrict IP addresses.
• Encrypt network traffic.
• Prevent remote administration of Connection Manager (CMAN).
• Use network log files to monitor connections.
Using a Firewall to Restrict Network Access
[Diagram: client computers → firewall → application/Web server → firewall → database server]
Restricting Network IP Addresses: Valid Node Checking
Set the following SQLNET.ORA parameters:
• Turn on the feature:
  tcp.validnode_checking = YES
• Deny access from these nodes:
  tcp.excluded_nodes = 192.168.10.102
• Allow access from these nodes:
  tcp.invited_nodes = (192.168.10.102, 192.168.10.112)
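An added illustration, not from the original slides: a small Python checker that parses the three SQLNET.ORA parameters shown above and reports whether a given client address would be accepted. It applies Oracle's documented precedence rule (TCP.INVITED_NODES wins when both lists are set); the sqlnet.ora fragment is constructed from the slide's values.

```python
# Added example (not from the original slides): evaluate the valid node checking
# parameters of a SQLNET.ORA fragment the way the listener applies them.
SQLNET_ORA = """
# constructed from the slide's values; a comment line is skipped by the parser
TCP.VALIDNODE_CHECKING = YES
TCP.EXCLUDED_NODES = 192.168.10.102
TCP.INVITED_NODES = (192.168.10.102, 192.168.10.112)
"""

def parse_sqlnet(text):
    """Map each lower-cased parameter name to its list of values."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        params[key.lower()] = [v.strip() for v in value.strip("()").split(",") if v.strip()]
    return params

def node_allowed(params, client_ip):
    """True if the listener would accept a connection from client_ip.

    Oracle gives TCP.INVITED_NODES precedence: when it is set, only the
    listed nodes connect and TCP.EXCLUDED_NODES is not consulted.
    """
    enabled = params.get("tcp.validnode_checking", ["NO"])[0].upper() == "YES"
    if not enabled:
        return True                                 # feature off: any node accepted
    invited = params.get("tcp.invited_nodes")
    if invited:
        return client_ip in invited
    return client_ip not in params.get("tcp.excluded_nodes", [])

def audit(params, client_ips):
    """Report the decision for each address so a reviewer can spot surprises,
    e.g. a node that is excluded yet still allowed because it is also invited."""
    return {ip: node_allowed(params, ip) for ip in client_ips}

if __name__ == "__main__":
    cfg = parse_sqlnet(SQLNET_ORA)
    for ip, ok in audit(cfg, ["192.168.10.102", "192.168.10.112", "10.0.0.5"]).items():
        print(f"{ip:16} {'allowed' if ok else 'rejected'}")
```

Run against the slide's values, the audit shows 192.168.10.102 allowed despite being in the excluded list, which is exactly the kind of overlap a configuration review should catch.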
Restricting Network IP Addresses: Guidelines
Network IP restrictions can help secure access to your server. Consider the following guidelines:
• Do not use IP restrictions as your only security. IP addresses can be spoofed.
• Use Connection Manager to limit access by node.
• Limit access by protocol.
• Protect dispatcher ports. IP restrictions do not prevent connections to the dispatcher.
Restricting Open Ports
• Limit open ports to needed applications:
  – Open ports are network-attack opportunities.
  – Know which ports are open on your computer.
• Find open ports:
  – Oracle product installation ports in portlist.ini
  – Listener ports in listener.ora
  – Dispatcher ports by using lsnrctl services
  – Other ports by using netstat
Encrypting Network Traffic
• Guideline: Encrypt sensitive network traffic.
• Tasks:
  – Use HTTPS when sending sensitive data between the client computer and the server.
  – Use SSL or native encryption to encrypt Oracle Net Services traffic.
• Use the TCPS protocol for TCP/IP with SSL:
  ...
  (ADDRESS=(PROTOCOL=tcps)
  ...
Oracle Net Services Log Files
[Diagram: Oracle Net Services log files by component. Listener: listener.log; database server: sqlnet.log; CMAN listener: <name>_pid.log; CMADMIN process: <name>_cmadm_pid.log; CMGW process: <name>_cmgw_pid.log]
Listener Security: Checklist
• Restrict the privileges of the listener.
• Secure administration by:
  – Protecting the listener with a password for remote administration
  – Using SSL when administering the listener
• Protect against denial-of-service attacks.
• Monitor listener activity.
Restricting the Privileges of the Listener
• Restrict the privileges of a separate listener process.
• A sample configuration is:
  EXTPROC_LISTENER=
    (DESCRIPTION=
      (ADDRESS=(PROTOCOL=ipc)(KEY=extproc)))
  SID_LIST_EXTPROC_LISTENER=
    (SID_LIST=
      (SID_DESC=
        (SID_NAME=plsextproc)
        (ORACLE_HOME=/u01/app/oracle/product/11.2.0/db_1)
        (PROGRAM=extproc)))
Use the CREATE LIBRARY Privilege Sparingly
• External procedures:
  – Are executed from a library
  – Run with the privileges of the listener
• By default, the listener has the write privilege to:
  – Database files
  – The memory space of the instance
• To avoid misuse of this privilege:
  – Use it only when needed
  – Limit the privileges of the listener
Password Protect the Listener
• Establish a password for the Oracle listener to prevent unauthorized listener administration.
• From the Listener Control utility, issue the following command:
LSNRCTL> CHANGE_PASSWORD
Old password: lsnrc80
New password: lsnrc90
Reenter new password: lsnrc90
LSNRCTL> SET PASSWORD
Password:
The command completed successfully
LSNRCTL> SAVE_CONFIG
The command completed successfully
Preventing Online Administration of the Listener
• Listener configuration cannot be changed online.
• To change the configuration, you must:
  – Make the changes in the LISTENER.ORA file
  – Reload the configuration
• In the LISTENER.ORA file, enter the following:
  ADMIN_RESTRICTIONS_LISTENER=ON
• This configuration requires the administrator to have:
  – Write privileges on the LISTENER.ORA file
Administering the Listener Using TCP/IP with SSL
• Use TCP/IP with SSL when administering over an insecure network.
• Make the TCPS protocol the first entry in the address list.
• Example (LISTENER.ORA file configured for SSL):
  LISTENER=
    (DESCRIPTION=
      (ADDRESS_LIST=
        (ADDRESS=(PROTOCOL=tcps)(HOST = singleton11g.snda.com)(PORT = 1521)))
  ...
INBOUND_CONNECT_TIMEOUT
Protect the listener from denial-of-service attacks with the following network parameters:
• SQLNET.INBOUND_CONNECT_TIMEOUT
• INBOUND_CONNECT_TIMEOUT_listener_name
These parameters:
• Set the time allowed for a connection to complete authentication
• Log failures with source IP addresses
Setting Listener Logging Parameters
• In the LISTENER.ORA file:
  – LOG_DIRECTORY_listener_name
  – LOG_FILE_listener_name
• With Oracle Net Manager:
• With the SET command in the Listener Control utility:
  – LOG_DIRECTORY
  – LOG_FILE
Analyzing Listener Log Files
The listener log contains the following information:
• Listener log audits:
  – Client connection requests
  – Listener Control utility commands
• Listener service registration events:
  – service_register
  – service_update
  – service_died
• Listener direct hand-off information
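An added example, not part of the original slides: a Python parser for the record types listed above (client connection requests, Listener Control utility commands, service registration events), run over a constructed listener.log excerpt in the plain-text log layout, with a review step that tallies failed connections per source address and lists every administrative command with its outcome. The log lines, host names and users are constructed, not captured from a real system.

```python
import re
from collections import Counter

# Constructed listener.log excerpt (not from a real system), in the text layout
# "timestamp * connect data * address * action * service * return code".
LISTENER_LOG = """\
14-DEC-2014 10:15:32 * (CONNECT_DATA=(SERVICE_NAME=orcl)(CID=(PROGRAM=sqlplus)(HOST=app01)(USER=scott))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.112)(PORT=51234)) * establish * orcl * 0
14-DEC-2014 10:15:40 * (CONNECT_DATA=(SERVICE_NAME=orcl)(CID=(PROGRAM=sqlplus)(HOST=unknown)(USER=guest))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.5)(PORT=40001)) * establish * orcl * 12514
TNS-12514: TNS:listener does not currently know of service requested in connect descriptor
14-DEC-2014 10:16:01 * service_register * orcl * 0
14-DEC-2014 10:17:02 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=db01)(USER=oracle))(COMMAND=status)(ARGUMENTS=64)(SERVICE=LISTENER)(VERSION=186647296)) * status * 0
14-DEC-2014 10:18:00 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=client9)(USER=guest))(COMMAND=stop)(ARGUMENTS=64)(SERVICE=LISTENER)(VERSION=186647296)) * stop * 1169
TNS-01169: The listener has not recognized the password
"""

def _field(name, text):
    """Pull one (NAME=value) element out of a connect descriptor."""
    m = re.search(r"\(%s=([^)]*)\)" % name, text)
    return m.group(1) if m else ""

def parse_listener_log(text):
    """Classify each record as a client connection, an lsnrctl command or a service event."""
    events = []
    for line in text.splitlines():
        if line.startswith("TNS-") and events:
            events[-1]["error"] = line.strip()     # TNS error text belongs to the record above it
            continue
        parts = [p.strip() for p in line.split(" * ")]
        if len(parts) < 3:
            continue
        ev = {"time": parts[0], "rc": int(parts[-1]) if parts[-1].isdigit() else None}
        if parts[1].startswith("service_"):        # service_register / service_update / service_died
            ev.update(kind="service", action=parts[1], service=parts[2])
        elif "(COMMAND=" in parts[1]:              # Listener Control utility command
            ev.update(kind="command", action=_field("COMMAND", parts[1]),
                      host=_field("HOST", parts[1]), user=_field("USER", parts[1]))
        else:                                      # client connection request
            ev.update(kind="connect", action=parts[3] if len(parts) > 3 else "",
                      service=_field("SERVICE_NAME", parts[1]),
                      user=_field("USER", parts[1]), host=_field("HOST", parts[2]))
        events.append(ev)
    return events

def review(events):
    """What a log review looks for: failed connects per source address, and every
    administrative command with its origin and outcome (a non-zero rc is a refusal)."""
    failed = Counter(e["host"] for e in events if e["kind"] == "connect" and e["rc"])
    commands = [(e["host"], e["user"], e["action"], e["rc"]) for e in events if e["kind"] == "command"]
    return failed, commands
```

Calling review(parse_listener_log(LISTENER_LOG)) on the sample surfaces the one failed connection from 10.0.0.5 and the remote STOP attempt that the listener password refused.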
Summary
In this lesson, you should have learned how to:
• Describe the items on the client, listener, and network security checklists
• Secure administration of the network
• Restrict access by IP address
• Administer the listener securely
• Analyze listener log files