Problem solve Get help with specific problems with your technologies, process and projects.

Three steps to help improve Oracle database security

Oracle security expert Brian Fedorko reveals the three most important steps to take to improve your Oracle database security posture.

What are three things we can do to quickly and easily to increase the security posture of our Oracle databases?
First, secure your listener. Make sure the listener is password protected (this can be done via the lsnrctl utility or through the Netmanager GUI) and logging is enabled. Prevent people from modifying the listener remotely by adding the ADMIN_RESTRICTIONS_ = ON string to your listener.ora file. This is the default behavior in Oracle 10g and above unless you have disabled Local OS authentication by adding LOCAL_OS_AUTHENTICATION_ = OFF to your listener.ora file.

Be aware that securing the listener in 11g deviates from this advice! In 11g, the default listener can only be administered locally. Furthermore, the listener utilizes the local OS authentication to determine which user started the listener, and only allows that user (and super users) to administer the listener. However, setting a password for the 11g listener will ALLOW remote administration! For the Oracle 11g listener, you will actually reduce the database's network security posture by enabling a listener password. It is counter-intuitive, but this is a huge security improvement for the listener. There are many actions you can take to further harden your listener from attack, but these can be quickly and easily implemented on most systems with no adverse effects.

Second, ensure your OS permissions are set properly. Access should be appropriately, and strictly controlled to all the Oracle binaries, system files, archived redo logs and backups. Archived redo logs can easily be mined to divulge data that has been entered into your database using the Oracle LOGMNR utility, and cold backups or raw datafiles can be effectively read using a simple hex editor.

Lastly, and probably the most unobvious -- control physical access to your database server! If an attacker can gain physical access to your system, they can get to your data. Even Full Disk Encryption (FDE) can be defeated if someone gains access to the hardware. Depending on the size of your business, this may be as simple as changing out a few doorknobs. For a large organization, this is not a quick and easy endeavor – it requires considerable planning and implementation. However, it requires very little Oracle expertise to significantly mitigate this critical risk.

Dig Deeper on Oracle database security

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.