Tips and Tricks: Oracle Security Measures

April 2008

Situation
You have a Web application accessing an Oracle 9i/10g production database containing sensitive data.  You have development and test databases residing on separate servers that require access to production.

Problem
You want to provide a secure environment and still meet the current requirements.

Solution
Two techniques that are relatively simple to implement are password-protecting the Oracle Listener and implementing IP validation (valid node checking) in SQLNET.ORA.

Tips & Tricks
1.)  Password protect the Oracle Listener
  o  Prevent inadvertent stopping of, or unauthorized access to, the listener.
  o  Using Oracle Net Manager:
     •  Open the Listeners pull-down
     •  Select the listener
     •  Select the General Parameters tab
     •  Select the Authentication tab
     •  Select "Require a Password for Listener Operations"
     •  The default old password is blank
     •  Once completed, Save Network Configuration
     •  An entry has been added to the LISTENER.ORA file: the PASSWORDS_LISTENER statement
  o  Restart the listener
  o  On 8i and 9i, the password will be required for all listener operations
  o  On Oracle 10g, OS authentication is used as well:
     •  The user (oracle, for example) starting the listener will not be required to supply the password
     •  Other users may issue listener commands, provided they can supply the correct password
  o  Accessing the Oracle Listener after password implementation:
     •  Run LSNRCTL
     •  LSNRCTL> set password   (this does not change the password; it supplies it for the session)
     •  Enter the password at the prompt
     •  LSNRCTL> enter the desired command


2.)    Implement IP validation
SQLNET.ORA parameter       Description
TCP.VALIDNODE_CHECKING     Tells Oracle Net to check client access rights
TCP.EXCLUDED_NODES         Specifies which TCP/IP clients are denied access
TCP.INVITED_NODES          Specifies which TCP/IP clients are allowed access

  o  Use Oracle Net Manager:
     •  Highlight Profile
     •  Select the Access Rights tab
     •  Select "Check TCP/IP client access rights"
     •  Enter the desired IPs in the allowed and denied lists respectively
     •  Make sure the database server IP is in the Allowed Access group
  o  In the following example, only the IPs listed are allowed access
  o  SQLNET.ORA example:
TCP.VALIDNODE_CHECKING=YES
TCP.INVITED_NODES=
(
192.168.0.2,      # Web Server IP
192.168.0.3,      # Test Server IP
192.168.0.4,      # Database Server IP
192.168.0.5,      # Developer 1 IP
192.168.0.6       # Developer 2 IP
)
TCP.EXCLUDED_NODES=
(
192.168.10
)
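Both tips above end with a change to a text file under $ORACLE_HOME/network/admin, so the easiest way to confirm they were applied (and stay applied after someone edits the files by hand) is to audit those files. The script below is an added example, not part of the original article or of any Oracle tool: it parses LISTENER.ORA and SQLNET.ORA with a minimal KEY = value reader, checks for the PASSWORDS_LISTENER entry, checks that TCP.VALIDNODE_CHECKING is YES, that the database server's own IP is in TCP.INVITED_NODES, and that every list entry is a complete IPv4 address or a hostname. The file contents are constructed samples (the PASSWORDS_LISTENER value is a placeholder, not a real hash), the db_server_ip argument is an assumed input, and accepting only full IPv4 addresses or hostnames is this audit's own restriction, chosen so that a truncated entry such as 192.168.10 is reported rather than silently accepted. It also flags the case where both node lists are set, because Oracle Net gives TCP.INVITED_NODES precedence and the excluded list then adds nothing.

```python
"""Audit an Oracle Net configuration for a listener password and IP validation.

Added example, not from the original article. Reads configuration text only;
it never contacts a listener or database.
"""
import ipaddress
import re

# Constructed sample files. Real ones live in $ORACLE_HOME/network/admin.
SAMPLE_LISTENER_ORA = """
LISTENER =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.0.4)(PORT = 1521))
  )
PASSWORDS_LISTENER = (PLACEHOLDER_HASH_WRITTEN_BY_NET_MANAGER)
"""

SAMPLE_SQLNET_ORA = """
TCP.VALIDNODE_CHECKING=YES
TCP.INVITED_NODES=
(
192.168.0.2,      # Web Server IP
192.168.0.3,      # Test Server IP
192.168.0.4,      # Database Server IP
192.168.0.5,      # Developer 1 IP
192.168.0.6       # Developer 2 IP
)
TCP.EXCLUDED_NODES=
(
192.168.10
)
"""

# A constructed "before" configuration: no listener password, checking off.
WEAK_LISTENER_ORA = "LISTENER = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(PORT = 1521)))\n"
WEAK_SQLNET_ORA = "TCP.VALIDNODE_CHECKING=NO\n"

# A top-level parameter starts at the beginning of a line: KEY = value
KEY_RE = re.compile(r"^[ \t]*([A-Za-z][A-Za-z0-9_.]*)[ \t]*=", re.MULTILINE)


def strip_comments(text):
    """Drop everything after '#' on each line (Oracle Net comment syntax)."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def parse_net_params(text):
    """Return {KEY: raw value text} for each top-level KEY = value entry.

    A value runs until the next top-level key, so parenthesised lists that
    span several lines (as in the SQLNET.ORA example) are kept whole.
    """
    text = strip_comments(text)
    params = {}
    matches = list(KEY_RE.finditer(text))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        params[m.group(1).upper()] = text[m.end():end].strip()
    return params


def parse_node_list(raw):
    """Turn '(a, b, c)' into ['a', 'b', 'c']; an empty value gives []."""
    body = raw.strip()
    if body.startswith("(") and body.endswith(")"):
        body = body[1:-1]
    return [tok for tok in re.split(r"[,\s]+", body) if tok]


def classify_node(entry):
    """Classify one list entry: 'ipv4', 'hostname', or 'malformed'.

    This audit's own rule: digits and dots that do not form a complete IPv4
    address (e.g. a truncated '192.168.10') are reported as malformed.
    """
    try:
        ipaddress.IPv4Address(entry)
        return "ipv4"
    except ValueError:
        pass
    if re.fullmatch(r"[0-9.]+", entry):
        return "malformed"
    if re.fullmatch(r"[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?", entry):
        return "hostname"
    return "malformed"


def audit(listener_text, sqlnet_text, db_server_ip):
    """Return a list of findings; an empty list means both tips are in place."""
    findings = []
    listener = parse_net_params(listener_text)
    if "PASSWORDS_LISTENER" not in listener:
        findings.append("listener.ora: no PASSWORDS_LISTENER entry; listener is unprotected")

    sqlnet = parse_net_params(sqlnet_text)
    if sqlnet.get("TCP.VALIDNODE_CHECKING", "").upper() != "YES":
        findings.append("sqlnet.ora: TCP.VALIDNODE_CHECKING is not YES; node lists are not enforced")
    invited = parse_node_list(sqlnet.get("TCP.INVITED_NODES", ""))
    excluded = parse_node_list(sqlnet.get("TCP.EXCLUDED_NODES", ""))
    if not invited and not excluded:
        findings.append("sqlnet.ora: neither TCP.INVITED_NODES nor TCP.EXCLUDED_NODES is set")
    if invited and excluded:
        findings.append("sqlnet.ora: both lists set; TCP.INVITED_NODES takes precedence, "
                        "so TCP.EXCLUDED_NODES adds nothing")
    if invited and db_server_ip not in invited:
        findings.append(f"sqlnet.ora: database server {db_server_ip} is missing from TCP.INVITED_NODES")
    for name, entries in (("TCP.INVITED_NODES", invited), ("TCP.EXCLUDED_NODES", excluded)):
        for entry in entries:
            if classify_node(entry) == "malformed":
                findings.append(f"sqlnet.ora: {name} entry {entry!r} is not a full IPv4 address or hostname")
    return findings


if __name__ == "__main__":
    for label, lsn, sqn in (("hardened", SAMPLE_LISTENER_ORA, SAMPLE_SQLNET_ORA),
                            ("weak", WEAK_LISTENER_ORA, WEAK_SQLNET_ORA)):
        print(f"== {label} ==")
        for f in audit(lsn, sqn, "192.168.0.4") or ["no findings"]:
            print(" -", f)
```

Run against the article's own SQLNET.ORA values, the audit reports two things worth knowing before relying on the configuration: the excluded list is redundant while an invited list exists, and the 192.168.10 entry is not a complete address. Against the weak "before" files it reports the missing listener password, valid node checking switched off, and the absence of any node list.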