Ask The Oracle Expert: Questions & Answers

Three steps to help improve Oracle database security

EXPERT RESPONSE FROM: Brian Fedorko

QUESTION POSED ON: 12 March 2009
What are three things we can do quickly and easily to increase the security posture of our Oracle databases?




First, secure your listener. Make sure the listener is password protected (this can be done via the lsnrctl utility or through the Net Manager GUI) and logging is enabled. Prevent people from modifying the listener remotely by adding the ADMIN_RESTRICTIONS_ = ON string to your listener.ora file. This is the default behavior in Oracle 10g and above unless you have disabled local OS authentication by adding LOCAL_OS_AUTHENTICATION_ = OFF to your listener.ora file.

Be aware that securing the listener in 11g deviates from this advice! In 11g, the default listener can only be administered locally. Furthermore, the listener utilizes the local OS authentication to determine which user started the listener, and only allows that user (and super users) to administer the listener. However, setting a password for the 11g listener will ALLOW remote administration! For the Oracle 11g listener, you will actually reduce the database's network security posture by enabling a listener password. It is counter-intuitive, but this is a huge security improvement for the listener. There are many actions you can take to further harden your listener from attack, but these can be quickly and easily implemented on most systems with no adverse effects.
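A small audit script for the listener settings discussed in this first step, written as an added example (it is not part of the original answer). It assumes a listener named LISTENER in two constructed listener.ora samples, and it applies the answer's own rules: on pre-11g releases a missing password is a finding, while on 11g a password that is present is the finding.

```python
# Added example, not from the original answer: audit the flat listener.ora settings
# from step one. Assumes a listener named LISTENER in the constructed samples below.
# Parameters below take the listener name as a suffix, e.g. LOGGING_LISTENER.
KNOWN = ("ADMIN_RESTRICTIONS", "LOCAL_OS_AUTHENTICATION", "PASSWORDS", "LOGGING")

def parse_listener_params(text):
    """Return {listener_name: {param: VALUE}}. A top-level 'NAME =' line whose
    value is empty or opens a '(' block declares a listener (SID_LIST_* is not one)."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if "=" not in line or line.startswith("("):  # skip nested address lines
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().upper(), value.strip().upper()
        hit = [p for p in KNOWN if key.startswith(p + "_") and len(key) > len(p) + 1]
        if hit:
            params.setdefault(key[len(hit[0]) + 1:], {})[hit[0]] = value
        elif not key.startswith("SID_LIST_") and value[:1] in ("", "("):
            params.setdefault(key, {})
    return params

def listener_findings(text, release_11g=False):
    """Apply the answer's rules; one string per weakness found."""
    out = []
    for name, p in sorted(parse_listener_params(text).items()):
        if p.get("ADMIN_RESTRICTIONS") != "ON":     # blocks runtime lsnrctl SET changes
            out.append(f"{name}: ADMIN_RESTRICTIONS_{name} is not ON")
        if p.get("LOCAL_OS_AUTHENTICATION") == "OFF":
            out.append(f"{name}: local OS authentication disabled")
        if p.get("LOGGING", "ON") != "ON":          # Oracle's default is ON
            out.append(f"{name}: listener logging disabled")
        if release_11g and "PASSWORDS" in p:        # 11g: a password re-enables remote admin
            out.append(f"{name}: password on 11g listener enables remote administration")
        elif not release_11g and "PASSWORDS" not in p:
            out.append(f"{name}: no listener password set")
    return out

# Constructed samples; the PASSWORDS value is a placeholder for the encrypted value.
WEAK_10G = """\
LOGGING_LISTENER = OFF
LOCAL_OS_AUTHENTICATION_LISTENER = OFF
"""
HARDENED_10G = """\
LISTENER =
  (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = db01.example.test)(PORT = 1521)))
ADMIN_RESTRICTIONS_LISTENER = ON
LOGGING_LISTENER = ON
PASSWORDS_LISTENER = PLACEHOLDER_ENCRYPTED_VALUE
"""
```

Running `listener_findings(HARDENED_10G, release_11g=True)` on the same file that is clean for 10g reports the password as a finding, which is exactly the counter-intuitive 11g point made above.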

Second, ensure your OS permissions are set properly. Access to all the Oracle binaries, system files, archived redo logs and backups should be appropriately and strictly controlled. Archived redo logs can easily be mined to divulge data that has been entered into your database using the Oracle LOGMNR utility, and cold backups or raw datafiles can be effectively read using a simple hex editor.
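One way to check the file permissions this second step calls for, as an added example that is not from the original answer: it walks a directory tree and flags regular files that are readable, writable or executable by "other" or writable by the group. The archive, backup and datafile paths are assumptions, and the demo tree is constructed in a temporary directory.

```python
# Added example, not from the original answer: find archived redo logs, backup
# pieces and datafiles whose mode lets anyone outside the owner read or alter them.
import os
import stat
import tempfile

WORLD_BITS = stat.S_IRWXO      # any access for "other"
GROUP_WRITE = stat.S_IWGRP     # group may modify

def weak_permission_files(root):
    """Return sorted (relative path, octal mode) pairs for regular files under
    root that are world-accessible or group-writable."""
    weak = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):       # skip symlinks, sockets, devices
                continue
            mode = stat.S_IMODE(st.st_mode)
            if mode & WORLD_BITS or mode & GROUP_WRITE:
                weak.append((os.path.relpath(full, root), oct(mode)))
    return sorted(weak)

def build_demo_tree():
    """Constructed sample tree: a world-readable archived redo log, a group-writable
    backup piece, and a datafile with a correct owner-only mode."""
    root = tempfile.mkdtemp(prefix="orasec_")
    samples = {
        "arch/1_123_456.arc": 0o644,          # world-readable: minable with LogMiner
        "backup/full_20090312.bkp": 0o664,    # group-writable and world-readable
        "oradata/system01.dbf": 0o600,        # owner only: fine
    }
    for rel, mode in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"constructed sample\n")
        os.chmod(path, mode)
    return root
```

Point `weak_permission_files` at the real ORACLE_HOME, archive destination and backup directory; anything it lists is readable or writable by more than the Oracle software owner and deserves a look.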

Lastly, and probably the most unobvious: control physical access to your database server! If an attacker can gain physical access to your system, they can get to your data. Even Full Disk Encryption (FDE) can be defeated if someone gains access to the hardware. Depending on the size of your business, this may be as simple as changing out a few doorknobs. For a large organization, this is not a quick and easy endeavor; it requires considerable planning and implementation. However, it requires very little Oracle expertise to significantly mitigate this critical risk.

All Rights Reserved, Copyright 2003 - 2009, TechTarget | Read our Privacy Policy