Oracle security 08-oracle network security

云和恩墨 成就所托 ("accomplishing what is entrusted to us") by 王朝阳 18516271611 [email protected]

Oracle Network Security

Upload: zhaoyang-wang

Post on 14-Dec-2014

TRANSCRIPT

Page 1: Oracle security 08-oracle network security


Oracle Network Security

Page 2: Oracle security 08-oracle network security

Objectives

After completing this lesson, you should be able to do the following:

• Describe the items on the client, listener, and network security checklists
• Secure administration of the network
• Restrict access by IP address
• Administer the listener securely
• Analyze listener log files

Page 3: Oracle security 08-oracle network security

Client Checklist

• Internet access to secure data requires user authentication, rather than client-computer authentication.
• The options are:
  – Bypass client-computer configuration and rely on user authentication to a middle tier.
  – Configure the client computer:
    • Authentication
    • Authorization
  – Administer client certificates.
  – Educate users.

Page 4: Oracle security 08-oracle network security

Configuring the Browser

Browsers include the following security features:
• SSL encryption by using the HTTPS protocol
• Certificate authorization:
  – Client
  – Server

Page 5: Oracle security 08-oracle network security

Configuring the Client

Configure client computers to use Oracle Advanced Security features with Oracle Net Services:
• Native encryption
• SSL authentication by using certificates

Page 6: Oracle security 08-oracle network security

Using Certificates

Considerations when using certificates for authentication:
• Distinguished name and issuer uniquely identify the user.
• Test for expiring certificates.
• Use certificate reissues to update certificate information.
• Audit certificate revocations.

Page 7: Oracle security 08-oracle network security

Network Security: Checklist

• Use a firewall.
• Restrict IP addresses.
• Encrypt network traffic.
• Prevent remote administration of Connection Manager (CMAN).
• Use network log files to monitor connections.

Page 8: Oracle security 08-oracle network security

Using a Firewall to Restrict Network Access

[Diagram: Client computers | Firewall | Application/Web server | Firewall | Database server]

Page 9: Oracle security 08-oracle network security

Restricting Network IP Addresses: Valid Node Checking

Set the following SQLNET.ORA parameters:
• Turn on the feature:
  tcp.validnode_checking = YES
• Deny access from these nodes:
  tcp.excluded_nodes = 192.168.10.102
• Allow access from these nodes:
  tcp.invited_nodes = (192.168.10.102, 192.168.10.112)
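The decision those three parameters configure, as an added example that is not from the slides or from Oracle: a small Python evaluator that parses a sqlnet.ora fragment, reports whether a client address would pass valid node checking, and flags two weak configurations (lists present while the switch is off, and a node in both lists, which is exactly the slide's sample). It follows Oracle's documented rule that a non-empty tcp.invited_nodes takes precedence over tcp.excluded_nodes; accepting CIDR entries and the `review` helper are this example's own assumptions, and host-name entries are not resolved.

```python
import ipaddress
import re

# Constructed sqlnet.ora fragment with the slide's settings; 192.168.10.102 is in BOTH lists on purpose.
SQLNET_ORA = """
tcp.validnode_checking = YES
tcp.excluded_nodes = 192.168.10.102
tcp.invited_nodes = (192.168.10.102, 192.168.10.112)
"""

def parse_sqlnet(text):
    """Return {parameter (lowercased): raw value}, ignoring blank lines and # comments."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            params[key.strip().lower()] = value.strip()
    return params

def parse_nodes(value):
    """'(a, b)' or 'a' -> ['a', 'b']; an absent parameter yields an empty list."""
    return [n for n in re.split(r"[,\s]+", value.strip("() ")) if n] if value else []

def node_matches(client_ip, node):
    """Exact IP or CIDR membership (a bare IP is a /32); host names are not resolved here (assumption)."""
    try:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(node, strict=False)
    except ValueError:
        return False

def is_allowed(client_ip, params):
    """Inactive unless tcp.validnode_checking is YES; a non-empty tcp.invited_nodes takes
    precedence (only listed nodes get in); otherwise tcp.excluded_nodes entries are denied."""
    if params.get("tcp.validnode_checking", "NO").upper() != "YES":
        return True
    invited = parse_nodes(params.get("tcp.invited_nodes", ""))
    excluded = parse_nodes(params.get("tcp.excluded_nodes", ""))
    if invited:
        return any(node_matches(client_ip, n) for n in invited)
    return not any(node_matches(client_ip, n) for n in excluded)

def review(params):
    """Flag weak settings: node lists present while the switch is off, or a node in both lists."""
    issues = []
    if ("tcp.invited_nodes" in params or "tcp.excluded_nodes" in params) and params.get("tcp.validnode_checking", "NO").upper() != "YES":
        issues.append("node lists are set but tcp.validnode_checking is not YES, so they are ignored")
    both = set(parse_nodes(params.get("tcp.invited_nodes", ""))) & set(parse_nodes(params.get("tcp.excluded_nodes", "")))
    issues += [f"{n} is both invited and excluded; the invited list wins, so it is allowed" for n in sorted(both)]
    return issues
```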

Page 10: Oracle security 08-oracle network security

Restricting Network IP Addresses: Guidelines

Network IP restrictions can help secure access to your server. Consider the following guidelines:
• Do not use IP restrictions as your only security. IP addresses can be spoofed.
• Use Connection Manager to limit access by node.
• Limit access by protocol.
• Protect dispatcher ports. IP restrictions do not prevent connections to the dispatcher.

Page 11: Oracle security 08-oracle network security

Restricting Open Ports

• Limit open ports to needed applications:
  – Open ports are network-attack opportunities.
  – Know which ports are open on your computer.
• Find open ports:
  – Oracle product installation ports in portlist.ini
  – Listener ports in listener.ora
  – Dispatcher ports by using lsnrctl services
  – Other ports by using netstat

Page 12: Oracle security 08-oracle network security

Encrypting Network Traffic

• Guideline: Encrypt sensitive network traffic.
• Tasks:
  – Use HTTPS when sending sensitive data between the client computer and the server.
  – Use SSL or native encryption to encrypt Oracle Net Services traffic.
• Use the TCPS protocol for TCP/IP with SSL:

  ...
  (ADDRESS=(PROTOCOL=tcps)
  ...

Page 13: Oracle security 08-oracle network security

Oracle Net Services Log Files

[Diagram: log file per component. Database server: sqlnet.log. Listener: listener.log. CMAN listener: <name>_pid.log. CMADMIN process: <name>_cmadm_pid.log. CMGW process: <name>_cmgw_pid.log.]

Page 14: Oracle security 08-oracle network security

Listener Security: Checklist

• Restrict the privileges of the listener.
• Secure administration by:
  – Protecting the listener with a password for remote administration
  – Using SSL when administering the listener
• Protect against denial-of-service attacks.
• Monitor listener activity.

Page 15: Oracle security 08-oracle network security

Restricting the Privileges of the Listener

• Restrict the privileges of a separate listener process.
• A sample configuration is:

  EXTPROC_LISTENER=(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=extproc)))
  SID_LIST_EXTPROC_LISTENER=(SID_LIST=(SID_DESC=(SID_NAME=plsextproc)(ORACLE_HOME=/u01/app/oracle/product/11.2.0/db_1)(PROGRAM=extproc)))

Page 16: Oracle security 08-oracle network security

Use the CREATE LIBRARY Privilege Sparingly

• External procedures:
  – Are executed from a library
  – Run with the privileges of the listener
• By default, the listener has the write privilege to:
  – Database files
  – The memory space of the instance
• To avoid misuse of this privilege:
  – Use it only when needed
  – Limit the privileges of the listener

Page 17: Oracle security 08-oracle network security

Password Protect the Listener

• Establish a password for the Oracle listener to prevent unauthorized listener administration.
• From the Listener Control utility, issue the following commands:

  LSNRCTL> CHANGE_PASSWORD
  Old password: lsnrc80
  New password: lsnrc90
  Reenter new password: lsnrc90
  LSNRCTL> SET PASSWORD
  Password:
  The command completed successfully
  LSNRCTL> SAVE_CONFIG
  The command completed successfully

Page 18: Oracle security 08-oracle network security

Preventing Online Administration of the Listener

• Listener configuration cannot be changed online.
• To change the configuration, you must:
  – Make the changes in the LISTENER.ORA file
  – Reload the configuration
• In the LISTENER.ORA file, enter the following:

  ADMIN_RESTRICTIONS_LISTENER=ON

• This configuration requires the administrator to have:
  – Write privileges on the LISTENER.ORA file

Page 19: Oracle security 08-oracle network security

Administering the Listener Using TCP/IP with SSL

• Use TCP/IP with SSL when administering over an insecure network.
• Make the TCPS protocol the first entry in the address list.
• Example (LISTENER.ORA file configured for SSL):

  LISTENER=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=tcps)(HOST = singleton11g.snda.com)(PORT = 1521)))
  ...

Page 20: Oracle security 08-oracle network security

INBOUND_CONNECT_TIMEOUT

Protect the listener from denial-of-service attacks with the following network parameters:
• SQLNET.INBOUND_CONNECT_TIMEOUT
• INBOUND_CONNECT_TIMEOUT_listener_name

These parameters:
• Set the time allowed for a connection to complete authentication
• Log failures with source IP addresses

Page 21: Oracle security 08-oracle network security

Setting Listener Logging Parameters

• In the LISTENER.ORA file:
  – LOG_DIRECTORY_listener_name
  – LOG_FILE_listener_name
• With Oracle Net Manager:
• With the SET command in the Listener Control utility:
  – LOG_DIRECTORY
  – LOG_FILE

Page 22: Oracle security 08-oracle network security

Analyzing Listener Log Files

The listener log contains the following information:
• Listener log audits:
  – Client connection request
  – Listener Control utility commands
• Listener service registration events:
  – service_register
  – service_update
  – service_died
• Listener direct hand-off information

Page 23: Oracle security 08-oracle network security

Summary

In this lesson, you should have learned how to:
• Describe the items on the client, listener, and network security checklists
• Secure administration of the network
• Restrict access by IP address
• Administer the listener securely
• Analyze listener log files

Page 24: Oracle security 08-oracle network security


Q&A