SlideShare a Scribd company logo

Oracle security 08-oracle network security

Zhaoyang Wang, profile picture
Zhaoyang Wang

The document discusses securing Oracle Network services. It provides checklists and procedures for securing clients, the network, and the listener. It recommends configuring clients and browsers with authentication and encryption. It also recommends restricting network access through firewalls and IP address validation. For the listener, it suggests restricting privileges, password protecting administration, and monitoring logs to analyze activity and potential attacks. The goal is to describe how to securely administer the network and listener to restrict access and analyze logs for security.

Technology
1 of 24
Downloaded 52 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com Oracle Network Security
云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com Objectives After completing this lesson, you should be able to do the following: • Describe the items on the client, listener, and network security checklists • Secure administration of the network • Restrict access by IP address • Administer the listener securely • Analyze listener log files
云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com Client Checklist • Internet access to secure data requires user authentication, rather than client-computer authentication. • The options are: – Bypass client-computer configuration and rely on user authentication to a middle tier. – Configure the client computer: • Authentication • Authorization – Administer client certificates. – Educate users.
云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com Configuring the Browser Browsers include the following security features: • SSL encryption by using the HTTPS protocol • Certificate authorization: – Client – Server
云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com Configuring the Client Configure client computers to use Oracle Advanced Security features with Oracle Net Services: • Native encryption • SSL authentication by using certificates
云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com Using Certificates Considerations when using certificates for authentication: • Distinguished name and issuer uniquely identify the user. • Test for expiring certificates. • Use certificate reissues to update certificate information. • Audit certificate revocations.
云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com Network Security: Checklist • Use a firewall. • Restrict IP addresses. • Encrypt network traffic. • Prevent remote administration of Connection Manager (CMAN). • Use network log files to monitor connections.
云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com Using a Firewall to Restrict Network Access Application Web server Database server Client computers Firewall Firewall
云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com Restricting Network IP Addresses: Valid Node Checking Set the following SQLNET.ORA parameters: • Turn on the feature: • Deny access from these nodes: • Allow access from these nodes: tcp.excluded_nodes = 192.168.10.102 tcp.invited_nodes = (192.168.10.102, 192.168.10.112) tcp.validnode_checking = YES
云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com Restricting Network IP Addresses: Guidelines Network IP restrictions can help secure access to your server. Consider the following guidelines: • Do not use IP restrictions as your only security. IP addresses can be spoofed. • Use Connection Manager to limit access by node. • Limit access by protocol. • Protect dispatcher ports. IP restrictions do not prevent connections to the dispatcher.
云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com Restricting Open Ports • Limit open ports to needed applications: – Open ports are network-attack opportunities. – Know which ports are open on your computer. • Find open ports: – Oracle product installation ports in portlist.ini – Listener ports in listener.ora – Dispatcher ports by using lsnrctl services – Other ports by using netstat
云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com Encrypting Network Traffic • Guideline: Encrypt sensitive network traffic. • Tasks: – Use HTTPS when sending sensitive data between the client computer and the server. – Use SSL or native encryption to encrypt Oracle Net Services traffic. • Use the TCPS protocol for TCP/IP with SSL: ... (ADDRESS= (PROTOCOL=tcps) ...
云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com Oracle Net Services Log Files Database server CMADMIN process CMGW processsqlnet.log listener.log <name>_cmadm_pid.log <name>_cmgw_pid.log Listener CMAN listener <name>_pid.log
云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com Listener Security: Checklist • Restrict the privileges of the listener. • Secure administration by: – Protecting the listener with a password for remote administration – Using SSL when administering the listener • Protect against denial-of-service attacks. • Monitor listener activity.
云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com Restricting the Privileges of the Listener • Restrict the privileges of a separate listener process. • A sample configuration is: EXTPROC_LISTENER= (DESCRIPTION= (ADDRESS=(PROTOCOL=ipc)(KEY=extproc))) SID_LIST_EXTPROC_LISTENER= (SID_LIST= (SID_DESC= (SID_NAME=plsextproc) (ORACLE_HOME= /u01/app/oracle/product/11.2.0/db_1) (PROGRAM=extproc)))
云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com Use the CREATE LIBRARY Privilege Sparingly • External procedures: – Are executed from a library – Run with the privileges of the listener • By default, the listener has the write privilege to: – Database files – The memory space of the instance • To avoid misuse of this privilege: – Use it only when needed – Limit the privileges of the listener
云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com Password Protect the Listener • Establish a password for the Oracle listener to prevent unauthorized listener administration. • From the Listener Control utility, issue the following command: LSNRCTL> CHANGE_PASSWORD Old password: lsnrc80 New password: lsnrc90 Reenter new password: lsnrc90 LSNRCTL> SET PASSWORD Password: The command completed successfully LSNRCTL> SAVE_CONFIG The command completed successfully
云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com Preventing Online Administration of the Listener • Listener configuration cannot be changed online. • To change the configuration, you must: – Make the changes in the LISTENER.ORA file – Reload the configuration • In the LISTENER.ORA file, enter the following: • This configuration requires the administrator to have: – Write privileges on the LISTENER.ORA file ADMIN_RESTRICTIONS_LISTENER=ON
云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com Administering the Listener Using TCP/IP with SSL • Use TCP/IP with SSL when administering over an insecure network. • Make the TCPS protocol the first entry in the address list. • Example (LISTENER.ORA file configured for SSL): LISTENER= (DESCRIPTION= (ADDRESS_LIST= (ADDRESS= (PROTOCOL=tcps) (HOST = singleton11g.snda.com) (PORT = 1521))) ...
云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com INBOUND_CONNECT_TIMEOUT Protect the listener from denial-of-service attacks with the following network parameters: • SQLNET.INBOUND_CONNECT_TIMEOUT • INBOUND_CONNECT_TIMEOUT_listener_name These parameters: • Set the time allowed for a connection to complete authentication • Log failures with source IP addresses
云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com Setting Listener Logging Parameters • In the LISTENER.ORA file: – LOG_DIRECTORY_listener_name – LOG_FILE_listener_name • With Oracle Net Manager: • With the SET command in the Listener Control utility: – LOG_DIRECTORY – LOG_FILE
云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com Analyzing Listener Log Files The listener log contains the following information: • Listener log audits: – Client connection request – Listener Control utility commands • Listener service registration events: – service_register – service_update – service_died • Listener direct hand-off information
云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com Summary In this lesson, you should have learned how to: • Describe the items on the client, listener, and network security checklists • Secure administration of the network • Restrict access by IP address • Administer the listener securely • Analyze listener log files
云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com Q&A

More Related Content

PDF
Oracle security 02-administering user security
Zhaoyang Wang
 
PPT
SQL Server Security - Attack
webhostingguy
 
PDF
Oracle Security Presentation
Francisco Alvarez
 
PDF
Presentation database security enhancements with oracle
xKinAnx
 
PPTX
Isaca sql server 2008 r2 security & auditing
Antonios Chatzipavlis
 
DOC
Oracle Audit vault
uzzal basak
 
PDF
Présentation et démo ELK/SIEM/Wazuh
clevernetsystemsgeneva
 
PPTX
Beyond xp_cmdshell: Owning the Empire through SQL Server
Scott Sutherland
 
Oracle security 02-administering user security
Zhaoyang Wang
 
SQL Server Security - Attack
webhostingguy
 
Oracle Security Presentation
Francisco Alvarez
 
Presentation database security enhancements with oracle
xKinAnx
 
Isaca sql server 2008 r2 security & auditing
Antonios Chatzipavlis
 
Oracle Audit vault
uzzal basak
 
Présentation et démo ELK/SIEM/Wazuh
clevernetsystemsgeneva
 
Beyond xp_cmdshell: Owning the Empire through SQL Server
Scott Sutherland
 

What's hot (20)

PDF
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
Scott Sutherland
 
PPTX
SqlSa94
Gabriel Villa
 
PPTX
Securing Hadoop with OSSEC
Vic Hargrave
 
PPTX
Oracle Audit Vault Training | Audit Vault - Oracle Trainings
OracleTrainings
 
PDF
Web Server Hardening
n|u - The Open Security Community
 
PPTX
2017 Secure360 - Hacking SQL Server on Scale with PowerShell
Scott Sutherland
 
PDF
PowerUpSQL - 2018 Blackhat USA Arsenal Presentation
Scott Sutherland
 
PPTX
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
Scott Sutherland
 
PPTX
What's New in AlienVault v3.0?
AlienVault
 
PDF
TROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
Scott Sutherland
 
PPTX
Cloud Security Hardening та аудит хмарної безпеки за допомогою Scout Suite
OWASP Kyiv
 
PDF
SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012
Scott Sutherland
 
PPTX
2019 Blackhat Booth Presentation - PowerUpSQL
Scott Sutherland
 
DOCX
Palo Alto Networks PANOS 5.0 Radius Authentication OTP using Yubikey
Alberto Rivai
 
PPTX
DerbyCon2016 - Hacking SQL Server on Scale with PowerShell
Scott Sutherland
 
PPTX
2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)
Scott Sutherland
 
PPT
Securing Windows web servers
Information Technology
 
PPT
Creating Secure Applications
guest879f38
 
PPT
Security Issues in OpenStack
oldbam
 
PDF
Memory forensics cheat sheet
Martin Cabrera
 
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
Scott Sutherland
 
SqlSa94
Gabriel Villa
 
Securing Hadoop with OSSEC
Vic Hargrave
 
Oracle Audit Vault Training | Audit Vault - Oracle Trainings
OracleTrainings
 
Web Server Hardening
n|u - The Open Security Community
 
2017 Secure360 - Hacking SQL Server on Scale with PowerShell
Scott Sutherland
 
PowerUpSQL - 2018 Blackhat USA Arsenal Presentation
Scott Sutherland
 
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
Scott Sutherland
 
What's New in AlienVault v3.0?
AlienVault
 
TROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
Scott Sutherland
 
Cloud Security Hardening та аудит хмарної безпеки за допомогою Scout Suite
OWASP Kyiv
 
SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012
Scott Sutherland
 
2019 Blackhat Booth Presentation - PowerUpSQL
Scott Sutherland
 
Palo Alto Networks PANOS 5.0 Radius Authentication OTP using Yubikey
Alberto Rivai
 
DerbyCon2016 - Hacking SQL Server on Scale with PowerShell
Scott Sutherland
 
2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)
Scott Sutherland
 
Securing Windows web servers
Information Technology
 
Creating Secure Applications
guest879f38
 
Security Issues in OpenStack
oldbam
 
Memory forensics cheat sheet
Martin Cabrera
 
Ad

Viewers also liked (7)

PPTX
Osobní bezpečnost na internetu
DCIT, a.s.
 
PPT
Auditing security of Oracle DB (Karel Miko)
DCIT, a.s.
 
PDF
Oracle db subprograms
Simon Huang
 
PDF
Secure Technical Implementation Guide for databases by Martin Obst
Carsten Muetzlitz
 
PPT
Oracle Berkeley Db 11g R2
Prem Kumar
 
PDF
1 z0 052
Wasim Ahmed
 
PDF
Oracle Compute Cloud Service快速实践
Zhaoyang Wang
 
Osobní bezpečnost na internetu
DCIT, a.s.
 
Auditing security of Oracle DB (Karel Miko)
DCIT, a.s.
 
Oracle db subprograms
Simon Huang
 
Secure Technical Implementation Guide for databases by Martin Obst
Carsten Muetzlitz
 
Oracle Berkeley Db 11g R2
Prem Kumar
 
1 z0 052
Wasim Ahmed
 
Oracle Compute Cloud Service快速实践
Zhaoyang Wang
 
Ad

Similar to Oracle security 08-oracle network security (20)

PPTX
Oralce SSL walelt -TCPS_Troubleshooting_PB.pptx
ssuser865ecd
 
PDF
OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...
Andrejs Vorobjovs
 
PPT
ASCC-site-report-123456430523fwje0fjewew
DngHong855117
 
PDF
Keep Them out of the Database
Martin Berger
 
DOCX
Cman
Mohsen B
 
PPT
Less05 Network
vivaankumar
 
PPT
Novell® iChain® 2.3
webhostingguy
 
PDF
Vtu network security(10 ec832) unit 5 notes.
Jayanth Dwijesh H P
 
PDF
Oracle 19c Network Security & Sniffing Test Scenario
Alireza Kamrani
 
PDF
Database security best_practices
Tarik Essawi
 
PPTX
Data communication Part 11
Alex Fernandez
 
PPTX
Remote Access Security
syrinxtech
 
PDF
Ssl tls-beginners-guide
JosephLamineDIALLO
 
PDF
Secure PostgreSQL deployment
Command Prompt., Inc
 
PDF
How to Gain Visibility into Encrypted Threats
Shain Singh
 
PDF
Network and cyber security module(15ec835, 17ec835)
Jayanth Dwijesh H P
 
PPTX
Security of Oracle EBS - How I can Protect my System (UKOUG APPS 18 edition)
Andrejs Prokopjevs
 
PPTX
Internet security
Tapan Khilar
 
PPT
Secure Gate / Reverse Proxy - WAF 1ere génération / Datelec
Sylvain Maret
 
PDF
Implementing Application Security
Information Technology
 
Oralce SSL walelt -TCPS_Troubleshooting_PB.pptx
ssuser865ecd
 
OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...
Andrejs Vorobjovs
 
ASCC-site-report-123456430523fwje0fjewew
DngHong855117
 
Keep Them out of the Database
Martin Berger
 
Cman
Mohsen B
 
Less05 Network
vivaankumar
 
Novell® iChain® 2.3
webhostingguy
 
Vtu network security(10 ec832) unit 5 notes.
Jayanth Dwijesh H P
 
Oracle 19c Network Security & Sniffing Test Scenario
Alireza Kamrani
 
Database security best_practices
Tarik Essawi
 
Data communication Part 11
Alex Fernandez
 
Remote Access Security
syrinxtech
 
Ssl tls-beginners-guide
JosephLamineDIALLO
 
Secure PostgreSQL deployment
Command Prompt., Inc
 
How to Gain Visibility into Encrypted Threats
Shain Singh
 
Network and cyber security module(15ec835, 17ec835)
Jayanth Dwijesh H P
 
Security of Oracle EBS - How I can Protect my System (UKOUG APPS 18 edition)
Andrejs Prokopjevs
 
Internet security
Tapan Khilar
 
Secure Gate / Reverse Proxy - WAF 1ere génération / Datelec
Sylvain Maret
 
Implementing Application Security
Information Technology
 

More from Zhaoyang Wang (20)

PDF
海通证券金融云思考与实践(数据技术嘉年华2017)
Zhaoyang Wang
 
PDF
云管理平台助力海通金融云建设
Zhaoyang Wang
 
PDF
海通证券数据库备份恢复云平台实践(OTN Tour Shanghai 2017)
Zhaoyang Wang
 
PDF
Oracle Compute Cloud Service介绍
Zhaoyang Wang
 
PDF
Oracle cloud 使用云市场快速搭建小型电商网站
Zhaoyang Wang
 
PDF
Oracle cloud ravello介绍及测试账户申请
Zhaoyang Wang
 
PDF
Oracle cloud 云介绍及测试账户申请
Zhaoyang Wang
 
PDF
New awesome features in MySQL 5.7
Zhaoyang Wang
 
PDF
Performance Tuning Tool01-Statspack
Zhaoyang Wang
 
PDF
SQL Tuning02-Intorduction to the CBO Optimizer
Zhaoyang Wang
 
PDF
SQL Tuning04-Interpreting Execution Plans
Zhaoyang Wang
 
PDF
SQL Tuning01-Introduction to SQL Tuning
Zhaoyang Wang
 
PDF
MySQL Fulltext Search Tutorial
Zhaoyang Wang
 
PDF
Data Organization in InnoDB
Zhaoyang Wang
 
PDF
Oracle enterprise manager cloud control 12c release 5 installation on oracle ...
Zhaoyang Wang
 
PDF
Oracle enterprise manager cloud control 12c r5 agent installation
Zhaoyang Wang
 
PDF
Why use MySQL
Zhaoyang Wang
 
PDF
MYSQLCLONE Introduction
Zhaoyang Wang
 
DOCX
Interpreting execution plans
Zhaoyang Wang
 
DOCX
Intorduction to the cbo optimizer
Zhaoyang Wang
 
海通证券金融云思考与实践(数据技术嘉年华2017)
Zhaoyang Wang
 
云管理平台助力海通金融云建设
Zhaoyang Wang
 
海通证券数据库备份恢复云平台实践(OTN Tour Shanghai 2017)
Zhaoyang Wang
 
Oracle Compute Cloud Service介绍
Zhaoyang Wang
 
Oracle cloud 使用云市场快速搭建小型电商网站
Zhaoyang Wang
 
Oracle cloud ravello介绍及测试账户申请
Zhaoyang Wang
 
Oracle cloud 云介绍及测试账户申请
Zhaoyang Wang
 
New awesome features in MySQL 5.7
Zhaoyang Wang
 
Performance Tuning Tool01-Statspack
Zhaoyang Wang
 
SQL Tuning02-Intorduction to the CBO Optimizer
Zhaoyang Wang
 
SQL Tuning04-Interpreting Execution Plans
Zhaoyang Wang
 
SQL Tuning01-Introduction to SQL Tuning
Zhaoyang Wang
 
MySQL Fulltext Search Tutorial
Zhaoyang Wang
 
Data Organization in InnoDB
Zhaoyang Wang
 
Oracle enterprise manager cloud control 12c release 5 installation on oracle ...
Zhaoyang Wang
 
Oracle enterprise manager cloud control 12c r5 agent installation
Zhaoyang Wang
 
Why use MySQL
Zhaoyang Wang
 
MYSQLCLONE Introduction
Zhaoyang Wang
 
Interpreting execution plans
Zhaoyang Wang
 
Intorduction to the cbo optimizer
Zhaoyang Wang
 

Recently uploaded (20)

PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PPTX
Spectroscopy.pptx food analysis technology
nawahassan45
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PPTX
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Spectroscopy.pptx food analysis technology
nawahassan45
 
Cloud computing and distributed systems.
kkkkkhan
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Encapsulation theory and applications.pdf
gurumoop
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 

Oracle security 08-oracle network security

  • 1. 云和恩墨 成就所托 by 王朝阳 18516271611 [email protected] Oracle Network Security
  • 2. 云和恩墨 成就所托 by 王朝阳 18516271611 [email protected] Objectives After completing this lesson, you should be able to do the following: • Describe the items on the client, listener, and network security checklists • Secure administration of the network • Restrict access by IP address • Administer the listener securely • Analyze listener log files
  • 3. 云和恩墨 成就所托 by 王朝阳 18516271611 [email protected] Client Checklist • Internet access to secure data requires user authentication, rather than client-computer authentication. • The options are: – Bypass client-computer configuration and rely on user authentication to a middle tier. – Configure the client computer: • Authentication • Authorization – Administer client certificates. – Educate users.
  • 4. 云和恩墨 成就所托 by 王朝阳 18516271611 [email protected] Configuring the Browser Browsers include the following security features: • SSL encryption by using the HTTPS protocol • Certificate authorization: – Client – Server
  • 5. 云和恩墨 成就所托 by 王朝阳 18516271611 [email protected] Configuring the Client Configure client computers to use Oracle Advanced Security features with Oracle Net Services: • Native encryption • SSL authentication by using certificates
  • 6. 云和恩墨 成就所托 by 王朝阳 18516271611 [email protected] Using Certificates Considerations when using certificates for authentication: • Distinguished name and issuer uniquely identify the user. • Test for expiring certificates. • Use certificate reissues to update certificate information. • Audit certificate revocations.
  • 7. 云和恩墨 成就所托 by 王朝阳 18516271611 [email protected] Network Security: Checklist • Use a firewall. • Restrict IP addresses. • Encrypt network traffic. • Prevent remote administration of Connection Manager (CMAN). • Use network log files to monitor connections.
  • 8. 云和恩墨 成就所托 by 王朝阳 18516271611 [email protected] Using a Firewall to Restrict Network Access Application Web server Database server Client computers Firewall Firewall
  • 9. 云和恩墨 成就所托 by 王朝阳 18516271611 [email protected] Restricting Network IP Addresses: Valid Node Checking Set the following SQLNET.ORA parameters: • Turn on the feature: • Deny access from these nodes: • Allow access from these nodes: tcp.excluded_nodes = 192.168.10.102 tcp.invited_nodes = (192.168.10.102, 192.168.10.112) tcp.validnode_checking = YES
  • 10. 云和恩墨 成就所托 by 王朝阳 18516271611 [email protected] Restricting Network IP Addresses: Guidelines Network IP restrictions can help secure access to your server. Consider the following guidelines: • Do not use IP restrictions as your only security. IP addresses can be spoofed. • Use Connection Manager to limit access by node. • Limit access by protocol. • Protect dispatcher ports. IP restrictions do not prevent connections to the dispatcher.
  • 11. 云和恩墨 成就所托 by 王朝阳 18516271611 [email protected] Restricting Open Ports • Limit open ports to needed applications: – Open ports are network-attack opportunities. – Know which ports are open on your computer. • Find open ports: – Oracle product installation ports in portlist.ini – Listener ports in listener.ora – Dispatcher ports by using lsnrctl services – Other ports by using netstat
  • 12. 云和恩墨 成就所托 by 王朝阳 18516271611 [email protected] Encrypting Network Traffic • Guideline: Encrypt sensitive network traffic. • Tasks: – Use HTTPS when sending sensitive data between the client computer and the server. – Use SSL or native encryption to encrypt Oracle Net Services traffic. • Use the TCPS protocol for TCP/IP with SSL: ... (ADDRESS= (PROTOCOL=tcps) ...
  • 13. 云和恩墨 成就所托 by 王朝阳 18516271611 [email protected] Oracle Net Services Log Files Database server CMADMIN process CMGW processsqlnet.log listener.log <name>_cmadm_pid.log <name>_cmgw_pid.log Listener CMAN listener <name>_pid.log
  • 14. 云和恩墨 成就所托 by 王朝阳 18516271611 [email protected] Listener Security: Checklist • Restrict the privileges of the listener. • Secure administration by: – Protecting the listener with a password for remote administration – Using SSL when administering the listener • Protect against denial-of-service attacks. • Monitor listener activity.
  • 15. 云和恩墨 成就所托 by 王朝阳 18516271611 [email protected] Restricting the Privileges of the Listener • Restrict the privileges of a separate listener process. • A sample configuration is: EXTPROC_LISTENER= (DESCRIPTION= (ADDRESS=(PROTOCOL=ipc)(KEY=extproc))) SID_LIST_EXTPROC_LISTENER= (SID_LIST= (SID_DESC= (SID_NAME=plsextproc) (ORACLE_HOME= /u01/app/oracle/product/11.2.0/db_1) (PROGRAM=extproc)))
  • 16. 云和恩墨 成就所托 by 王朝阳 18516271611 [email protected] Use the CREATE LIBRARY Privilege Sparingly • External procedures: – Are executed from a library – Run with the privileges of the listener • By default, the listener has the write privilege to: – Database files – The memory space of the instance • To avoid misuse of this privilege: – Use it only when needed – Limit the privileges of the listener
  • 17. 云和恩墨 成就所托 by 王朝阳 18516271611 [email protected] Password Protect the Listener • Establish a password for the Oracle listener to prevent unauthorized listener administration. • From the Listener Control utility, issue the following command: LSNRCTL> CHANGE_PASSWORD Old password: lsnrc80 New password: lsnrc90 Reenter new password: lsnrc90 LSNRCTL> SET PASSWORD Password: The command completed successfully LSNRCTL> SAVE_CONFIG The command completed successfully
  • 18. 云和恩墨 成就所托 by 王朝阳 18516271611 [email protected] Preventing Online Administration of the Listener • Listener configuration cannot be changed online. • To change the configuration, you must: – Make the changes in the LISTENER.ORA file – Reload the configuration • In the LISTENER.ORA file, enter the following: • This configuration requires the administrator to have: – Write privileges on the LISTENER.ORA file ADMIN_RESTRICTIONS_LISTENER=ON
  • 19. 云和恩墨 成就所托 by 王朝阳 18516271611 [email protected] Administering the Listener Using TCP/IP with SSL • Use TCP/IP with SSL when administering over an insecure network. • Make the TCPS protocol the first entry in the address list. • Example (LISTENER.ORA file configured for SSL): LISTENER= (DESCRIPTION= (ADDRESS_LIST= (ADDRESS= (PROTOCOL=tcps) (HOST = singleton11g.snda.com) (PORT = 1521))) ...
  • 20. 云和恩墨 成就所托 by 王朝阳 18516271611 [email protected] INBOUND_CONNECT_TIMEOUT Protect the listener from denial-of-service attacks with the following network parameters: • SQLNET.INBOUND_CONNECT_TIMEOUT • INBOUND_CONNECT_TIMEOUT_listener_name These parameters: • Set the time allowed for a connection to complete authentication • Log failures with source IP addresses
  • 21. 云和恩墨 成就所托 by 王朝阳 18516271611 [email protected] Setting Listener Logging Parameters • In the LISTENER.ORA file: – LOG_DIRECTORY_listener_name – LOG_FILE_listener_name • With Oracle Net Manager: • With the SET command in the Listener Control utility: – LOG_DIRECTORY – LOG_FILE
  • 22. 云和恩墨 成就所托 by 王朝阳 18516271611 [email protected] Analyzing Listener Log Files The listener log contains the following information: • Listener log audits: – Client connection request – Listener Control utility commands • Listener service registration events: – service_register – service_update – service_died • Listener direct hand-off information
  • 23. 云和恩墨 成就所托 by 王朝阳 18516271611 [email protected] Summary In this lesson, you should have learned how to: • Describe the items on the client, listener, and network security checklists • Secure administration of the network • Restrict access by IP address • Administer the listener securely • Analyze listener log files