RE: Asinine security in Oracle, Part Deux
There are a ton of things I like about NT. Especially the Win2K incarnation.
Production Internet server is not one of them.
I get a critical update notice about every week to 10 days.
These almost always require a reboot of the server.
Some of the vulnerabilities are pretty significant.
As nice as NT is for ease of use and hardware compatibility, it appears to be very difficult to secure.
Not just an Oracle 9iAS problem: appears that Microsoft has trouble getting it secure as well.
Given the evolving state of the Microsoft distributed computing architecture, and how diverse features like Internet Explorer are an "integral part of the operating system" I'm not confident that the future holds a lot of promise for NT security. NT keeps changing far too rapidly, it is too big, and the components are too tightly coupled.
At 12:19 PM 6/10/2002 -0800, Boivin, Patrice J wrote:
I am working on notes re. how to secure iAS on Win32 for us here. Pete Finnigan is working with SANS (and Oracle) to put an Oracle security step-by-step guide together.
I asked Oracle Canada if, when they talk about "Unbreakable Oracle", this includes iAS on NT. No response from the Oracle contact people. Meanwhile the MetaLink techs declined to provide guidelines as well, they said they can only answer specific questions, one issue per TAR. Now I see Oracle is talking about unbreakable LINUX, perhaps because they may have more control over OS configuration(?).
If anyone has more info / suggestions / warnings on how to secure iAS on NT, please bring them up.
Re. securing NT, for fun I tried the trial version of InfoStat scanner (single user trial license) on my NT workstation here, to see the result after having patched Windows NT workstation to the latest patchset and windows update. It found less than five critical vulnerabilities, but a total of 108 vulnerabilities in all. This includes the critical ones. Most of them do not appear to be major, it all depends on how high you want to raise the bar I suppose.
C|Net e-mailed me a notice that their little application now scans for vulnerabilities, it found nine on my workstation.
I am also doing searches on the 'net for info on how to secure Apache for win32, not obvious since the Apache group's focus is mostly LINUX and UNIX.
I am not endorsing one OS or the other but am a little frustrated with the lack of info out there. It's a bit of a cat and mouse game I think. I also find it hard to balance the opinions of people who like to see particular vendors flounder on the one hand, and posturing and bravado on the part of software and OS vendors on the other.
I like things to be cut and dry and this doesn't appear to be one of those things.
Comments would be appreciated.
--
Author: Robert Monical
INET: tech@restek.com
Received on Mon Jun 10 2002 - 17:20:43 CDT