
Re: Re: Security : Denial Of Service

From: Saminathan <saminathans_at_myrealbox.com>
Date: Mon, 10 Nov 2003 10:09:26 -0800
Message-ID: <F001.005D63AE.20031110100926@fatcity.com>


Hi Davis & Pete Finnigan,

Thank you so much for your response. Let me go through Pete Finnigan's security-related white papers.

-Sami

-----Original Message-----
To: saminathans_at_myrealbox.com
Date: Mon, 10 Nov 2003 16:56:13 +0000

The type of attack you are suggesting is a problem that exists with all systems, not just Oracle databases. For example an attack against a system administrator/application owner account on any platform (Windows, Mainframe, Unix, Database) could all potentially be shut down by too many logon attempt failures.

Often, with these types of accounts you cannot apply the same password mgmt rules (3 strikes and you are out). But having violation alerts/notification for attacks (i.e. audit trails) requirement for complex passwords that can withstand brute force attacks (e.g. dictionary searches).

I would suggest following Pete Finnigan's advice would be prudent. He knows what he is talking about when it comes to security. I have a copy of the Oracle Security Step-by-Step guide he mentioned which is only available from the SANS Institute (SysAdmin, Auditing, Networking & Security).

If you work for a large corporation you will probably have a security officer. It might be a good idea to talk to them.

Also check out:

www.securityfocus.com
www.sans.org

btw Drake overreacted and was, I thought, very rude. I think Drake felt your question was best asked on a secured forum.

Cheers
David

>From: "Saminathan" <saminathans_at_myrealbox.com>
>Reply-To: ORACLE-L_at_fatcity.com
>To: Multiple recipients of list ORACLE-L <ORACLE-L_at_fatcity.com>
>Subject: Security : Denial Of Service
>Date: Sun, 09 Nov 2003 17:14:25 -0800
>
>Hi List,
>
>"A secure system makes data available to authorized users, without delay.
>Denial-of-service attacks are attempts to block authorized users’ ability
>to access
>and use the system when needed."
>
>By using user-profile one can lock DB users if he/she provides wrong
>password 3 times.
>Then DBA has to unlock the users to make it work. By knowing DB userid
>somebody can lock the DB users (by providing wrong password 3 times)
>so that when the actual user tries to log in it will block him/her to access
>the db.
>
>How does oracle address this "Denial Of Service" ?
>
>Any response would be highly appreciated.
>
>Thanks
>-Sami
>
>
>
>--
>Please see the official ORACLE-L FAQ: http://www.orafaq.net
>--
>Author: Saminathan
> INET: saminathans_at_myrealbox.com
>
>Fat City Network Services -- 858-538-5051 http://www.fatcity.com
>San Diego, California -- Mailing list and web hosting services
>---------------------------------------------------------------------
>To REMOVE yourself from this mailing list, send an E-Mail message
>to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
>the message BODY, include a line containing: UNSUB ORACLE-L
>(or the name of mailing list you want to be removed from). You may
>also send the HELP command for other information (like subscribing).



Received on Mon Nov 10 2003 - 12:09:26 CST
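
The lockout and audit-trail points raised in this thread, as an added example that is not part of the original messages: Oracle SQL showing a profile that locks after 3 failures but releases the lock on a timer, plus audit queries that surface who is generating the failures. The profile name `app_users` and the account `app_owner` are hypothetical, and the audit queries assume the database audit trail is enabled.

```sql
-- Added example; app_users and app_owner are hypothetical names.

-- 1. Lock after 3 failed logons, as in the question, but let the lock
--    expire on its own so a deliberate lockout does not last until a
--    DBA intervenes. PASSWORD_LOCK_TIME is expressed in days.
CREATE PROFILE app_users LIMIT
  FAILED_LOGIN_ATTEMPTS 3
  PASSWORD_LOCK_TIME    1/48;      -- 1/48 day = 30 minutes

ALTER USER app_owner PROFILE app_users;

-- 2. Record every failed logon in the audit trail
--    (assumes AUDIT_TRAIL is set to write to the database).
AUDIT SESSION WHENEVER NOT SUCCESSFUL;

-- 3. Alert query: accounts with repeated failures in the last hour,
--    grouped by the client that produced them.
SELECT username,
       userhost,
       terminal,
       COUNT(*)       AS failures,
       MIN(timestamp) AS first_seen,
       MAX(timestamp) AS last_seen
FROM   dba_audit_trail
WHERE  action_name = 'LOGON'
AND    returncode IN (1017, 28000)  -- ORA-01017 bad password, ORA-28000 account locked
AND    timestamp > SYSDATE - 1/24
GROUP  BY username, userhost, terminal
HAVING COUNT(*) >= 3
ORDER  BY failures DESC;

-- 4. Accounts that are locked right now, and since when.
SELECT username, account_status, lock_date
FROM   dba_users
WHERE  account_status LIKE '%LOCKED%';

-- 5. Manual unlock once the source of the failures has been dealt with.
ALTER USER app_owner ACCOUNT UNLOCK;
```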
