Oracle security 08-oracle network security
Transcript of Oracle security 08-oracle network security
云和恩墨 (Enmotech), achieving what is entrusted to us, by 王朝阳 18516271611 [email protected]
Objectives
After completing this lesson, you should be able to do the following:
• Describe the items on the client, listener, and network security checklists
• Secure administration of the network
• Restrict access by IP address
• Administer the listener securely
• Analyze listener log files
Client Checklist
• Internet access to secure data requires user authentication, rather than client-computer authentication.
• The options are:
– Bypass client-computer configuration and rely on user authentication to a middle tier.
– Configure the client computer:
• Authentication
• Authorization
– Administer client certificates.
– Educate users.
Configuring the Browser
Browsers include the following security features:
• SSL encryption by using the HTTPS protocol
• Certificate authorization:
– Client
– Server
Configuring the Client
Configure client computers to use Oracle Advanced Security features with Oracle Net Services:
• Native encryption
• SSL authentication by using certificates
Using Certificates
Considerations when using certificates for authentication:
• Distinguished name and issuer uniquely identify the user.
• Test for expiring certificates.
• Use certificate reissues to update certificate information.
• Audit certificate revocations.
Network Security: Checklist
• Use a firewall.
• Restrict IP addresses.
• Encrypt network traffic.
• Prevent remote administration of Connection Manager (CMAN).
• Use network log files to monitor connections.
Using a Firewall to Restrict Network Access
(Diagram: client computers, a firewall, the application/Web server, a second firewall, and the database server.)
Restricting Network IP Addresses: Valid Node Checking
Set the following SQLNET.ORA parameters:
• Turn on the feature:
tcp.validnode_checking = YES
• Deny access from these nodes:
tcp.excluded_nodes = 192.168.10.102
• Allow access from these nodes:
tcp.invited_nodes = (192.168.10.102, 192.168.10.112)
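As an added example (not part of the lesson), a small Python model of how these three parameters interact, following Oracle's documented rule that TCP.INVITED_NODES takes precedence over TCP.EXCLUDED_NODES when both are present. It handles exact addresses only (no hostnames, wildcards or CIDR ranges), and the sqlnet.ora text is a constructed copy of the slide's values, which list 192.168.10.102 in both lists.

```python
import re

# Constructed sqlnet.ora fragment with the slide's values; note that
# 192.168.10.102 appears in both lists, which lint() reports.
SQLNET_ORA = """
tcp.validnode_checking = YES
tcp.excluded_nodes = 192.168.10.102
tcp.invited_nodes = (192.168.10.102, 192.168.10.112)
"""

def parse_sqlnet(text):
    """Return {parameter (lowercased): value} for simple KEY = VALUE lines."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()     # drop comments
        if "=" in line:
            key, value = line.split("=", 1)
            params[key.strip().lower()] = value.strip()
    return params

def parse_nodes(value):
    """'(a, b)' or 'a' -> set of address strings."""
    return {n for n in re.split(r"[,\s]+", value.strip("() ")) if n}

def admits(params, client_ip):
    """Decide whether the listener admits client_ip under valid node checking.
    Exact addresses only (no hostnames, wildcards or CIDR ranges).
    Checking off: everyone is admitted.  Invited list present: only listed
    nodes are admitted and the invited list takes precedence over the
    excluded list.  Otherwise: excluded nodes are refused, all others admitted."""
    if params.get("tcp.validnode_checking", "NO").upper() != "YES":
        return True
    invited = parse_nodes(params.get("tcp.invited_nodes", ""))
    excluded = parse_nodes(params.get("tcp.excluded_nodes", ""))
    if invited:
        return client_ip in invited
    return client_ip not in excluded

def lint(params):
    """Report the two misconfigurations a reviewer would look for."""
    issues = []
    if params.get("tcp.validnode_checking", "NO").upper() != "YES":
        issues.append("node lists are ignored until tcp.validnode_checking = YES")
    invited = parse_nodes(params.get("tcp.invited_nodes", ""))
    excluded = parse_nodes(params.get("tcp.excluded_nodes", ""))
    for node in sorted(invited & excluded):
        issues.append(f"{node} is both invited and excluded; the invited list wins")
    return issues
```

With the slide's values, 192.168.10.102 is admitted despite being excluded, which is exactly the kind of surprise lint() is meant to surface before the file goes live.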
Restricting Network IP Addresses: Guidelines
Network IP restrictions can help secure access to your server. Consider the following guidelines:
• Do not use IP restrictions as your only security. IP addresses can be spoofed.
• Use Connection Manager to limit access by node.
• Limit access by protocol.
• Protect dispatcher ports. IP restrictions do not prevent connections to the dispatcher.
Restricting Open Ports
• Limit open ports to needed applications:
– Open ports are network-attack opportunities.
– Know which ports are open on your computer.
• Find open ports:
– Oracle product installation ports in portlist.ini
– Listener ports in listener.ora
– Dispatcher ports by using lsnrctl services
– Other ports by using netstat
Encrypting Network Traffic
• Guideline: Encrypt sensitive network traffic.
• Tasks:
– Use HTTPS when sending sensitive data between the client computer and the server.
– Use SSL or native encryption to encrypt Oracle Net Services traffic.
• Use the TCPS protocol for TCP/IP with SSL:
...
(ADDRESS=(PROTOCOL=tcps)
...
Oracle Net Services Log Files
(Diagram of where each log file is written:)
• Database server: sqlnet.log
• Listener: listener.log
• CMAN listener: <name>_pid.log
• CMADMIN process: <name>_cmadm_pid.log
• CMGW process: <name>_cmgw_pid.log
Listener Security: Checklist
• Restrict the privileges of the listener.
• Secure administration by:
– Protecting the listener with a password for remote administration
– Using SSL when administering the listener
• Protect against denial-of-service attacks.
• Monitor listener activity.
Restricting the Privileges of the Listener
• Restrict the privileges of a separate listener process.
• A sample configuration is:
EXTPROC_LISTENER=(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=extproc)))
SID_LIST_EXTPROC_LISTENER=(SID_LIST=(SID_DESC=(SID_NAME=plsextproc)(ORACLE_HOME=/u01/app/oracle/product/11.2.0/db_1)(PROGRAM=extproc)))
Use the CREATE LIBRARY Privilege Sparingly
• External procedures:
– Are executed from a library
– Run with the privileges of the listener
• By default, the listener has the write privilege to:
– Database files
– The memory space of the instance
• To avoid misuse of this privilege:
– Use it only when needed
– Limit the privileges of the listener
Password Protect the Listener
• Establish a password for the Oracle listener to prevent unauthorized listener administration.
• From the Listener Control utility, issue the following command:
LSNRCTL> CHANGE_PASSWORD
Old password: lsnrc80
New password: lsnrc90
Reenter new password: lsnrc90
LSNRCTL> SET PASSWORD
Password:
The command completed successfully
LSNRCTL> SAVE_CONFIG
The command completed successfully
Preventing Online Administration of the Listener
• Listener configuration cannot be changed online.
• To change the configuration, you must:
– Make the changes in the LISTENER.ORA file
– Reload the configuration
• In the LISTENER.ORA file, enter the following:
ADMIN_RESTRICTIONS_LISTENER=ON
• This configuration requires the administrator to have:
– Write privileges on the LISTENER.ORA file
Administering the Listener Using TCP/IP with SSL
• Use TCP/IP with SSL when administering over an insecure network.
• Make the TCPS protocol the first entry in the address list.
• Example (LISTENER.ORA file configured for SSL):
LISTENER=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=tcps)(HOST = singleton11g.snda.com)(PORT = 1521)))
...
INBOUND_CONNECT_TIMEOUT
Protect the listener from denial-of-service attacks with the following network parameters:
• SQLNET.INBOUND_CONNECT_TIMEOUT
• INBOUND_CONNECT_TIMEOUT_listener_name
These parameters:
• Set the time allowed for a connection to complete authentication
• Log failures with source IP addresses
Setting Listener Logging Parameters
• In the LISTENER.ORA file:
– LOG_DIRECTORY_listener_name
– LOG_FILE_listener_name
• With Oracle Net Manager:
• With the SET command in the Listener Control utility:
– LOG_DIRECTORY
– LOG_FILE
Analyzing Listener Log Files
The listener log contains the following information:
• Listener log audits:
– Client connection request
– Listener Control utility commands
• Listener service registration events:
– service_register
– service_update
– service_died
• Listener direct hand-off information
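As an added example (not from the lesson), a Python parser for the record types listed above, run over a constructed listener.log excerpt: it classifies connection requests, Listener Control commands and service events, tallies refused connections by source address and lists administration commands with the host they came from. The log layout is the listener's " * "-separated record format; the timestamps, hosts, services and ports are made up.

```python
import re
from collections import Counter

HOST_RE = re.compile(r"\(HOST=([^)]*)\)")
CMD_RE = re.compile(r"\(COMMAND=([^)]*)\)")

# Constructed listener.log excerpt in the listener's " * "-separated record
# layout; timestamps, hosts, services and ports are made up for this example.
LISTENER_LOG = """\
22-JUN-2012 09:00:01 * service_register * orcl * 0
22-JUN-2012 09:05:10 * (CONNECT_DATA=(SERVICE_NAME=orcl)(CID=(PROGRAM=sqlplus)(HOST=app01)(USER=appuser))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.112)(PORT=51022)) * establish * orcl * 0
22-JUN-2012 09:05:12 * (CONNECT_DATA=(SERVICE_NAME=prod)(CID=(PROGRAM=sqlplus)(HOST=unknown)(USER=bob))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.20.30.40)(PORT=40001)) * establish * prod * 12514
TNS-12514: TNS:listener does not currently know of service requested in connect descriptor
22-JUN-2012 09:05:13 * (CONNECT_DATA=(SERVICE_NAME=test)(CID=(PROGRAM=sqlplus)(HOST=unknown)(USER=bob))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.20.30.40)(PORT=40002)) * establish * test * 12514
TNS-12514: TNS:listener does not currently know of service requested in connect descriptor
22-JUN-2012 09:07:00 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=dbsrv)(USER=oracle))(COMMAND=status)(ARGUMENTS=64)(SERVICE=LISTENER)(VERSION=186647296)) * status * 0
22-JUN-2012 09:07:30 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=192.168.10.102)(USER=oracle))(COMMAND=stop)(ARGUMENTS=64)(SERVICE=LISTENER)(VERSION=186647296)) * stop * 1190
TNS-01190: The user is not authorized to execute the requested listener command
"""

def parse_listener_log(text):
    """Classify each record as a service event, a Listener Control command or a
    connection request; a following TNS-nnnnn line is attached to its record."""
    events = []
    for raw in text.splitlines():
        if raw.startswith("TNS-") and events:
            events[-1]["message"] = raw
            continue
        parts = [p.strip() for p in raw.split(" * ")]
        if len(parts) < 4:
            continue
        rc = parts[-1]                           # "0" means success
        if parts[1].startswith("service_"):      # service_register/update/died
            events.append({"kind": "service", "event": parts[1], "service": parts[2], "rc": rc})
        elif "(COMMAND=" in parts[1]:            # Listener Control command audit record
            events.append({"kind": "command", "command": CMD_RE.search(parts[1]).group(1),
                           "host": HOST_RE.search(parts[1]).group(1), "rc": rc})
        elif len(parts) >= 6:                    # connection request; client address is field 3
            events.append({"kind": "connect", "host": HOST_RE.search(parts[2]).group(1),
                           "service": parts[4], "rc": rc})
    return events

def failed_connects_by_host(events):
    """Source hosts of refused connection requests, most frequent first."""
    return Counter(e["host"] for e in events if e["kind"] == "connect" and e["rc"] != "0")

def admin_commands(events):
    """(host, command, rc) for every Listener Control command seen in the log."""
    return [(e["host"], e["command"], e["rc"]) for e in events if e["kind"] == "command"]
```

Repeated non-zero return codes from one address, or a stop or set command from a host that is not the database server, are the entries worth alerting on.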
Summary
In this lesson, you should have learned how to:
• Describe the items on the client, listener, and network security checklists
• Secure administration of the network
• Restrict access by IP address
• Administer the listener securely
• Analyze listener log files