
Re: internet secure solutions

From: Pete Finnigan <oracle_list_at_peterfinnigan.demon.co.uk>
Date: Sat, 10 Jan 2004 14:59:26 -0800
Message-ID: <F001.005DC5ED.20040110145926@fatcity.com>


Hi Paula,

Paul and Steve have given some good ideas on this but also you should lock down the database as hard as you can. Even if the database is only accessed via the application server its data is still available from the internet. Issues such as SQL injection and cross-site scripting can come into play. Use least privilege principles and remove all excess privileges. There are many papers on Oracle security on my site http://www.petefinnigan.com/orasec.htm including some very good checklists. You will find the SANS S.C.O.R.E. and cisecurity benchmarks linked in the checklist section of this page. Both follow the SANS step-by-step quite closely.

Also if the server the application server is on is breached then the database is in much bigger trouble from the DMZ than it would normally be from the net. You need therefore to ensure that the application server is also hardened. Have a look at the cisecurity OS benchmarks as well as a start for hardening the OS. Encrypting the data between the application server and database is admirable and an extra expense but there are other issues to look at as well. As Steve said firewalls are needed. If your application allows it data-wise / operationally then it can sometimes be better to not expose the database at all to the net but expose a subset of data that is needed by your net based users. Do this by replicating the relevant data to a second database and expose that to the application server. Two-way replication could be needed depending on what your application does.

Anyway have a look at some of the Oracle security info on my site http://www.petefinnigan.com/orasec.htm including SQL injection papers, and checklists etc - it might help you.

hth

kind regards

Pete
--

Pete Finnigan
email: pete_at_petefinnigan.com
Web site: http://www.petefinnigan.com - Oracle security audit specialists
Book: Oracle security step-by-step Guide - see http://store.sans.org for details.
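As an added example, not part of Pete's mail or of the papers on his site: an Oracle SQL script that sets up the least-privilege application account and the "expose only a subset of the data" arrangement he describes, with a bind variable in place of string concatenation so the application path is not open to SQL injection. The web_app account, the catalog_owner schema and its products table, and the profile limits are assumed names and values.

```sql
-- Added example (assumed names): least-privilege account for an
-- internet-facing application server, plus a data subset exposed
-- through a view and a procedure instead of the base tables.

-- 1. Profile that limits what a hijacked app-server credential can do.
CREATE PROFILE web_app_profile LIMIT
  SESSIONS_PER_USER      50
  IDLE_TIME              15
  FAILED_LOGIN_ATTEMPTS  5;

-- 2. The account owns nothing (QUOTA 0) and holds one system privilege.
CREATE USER web_app IDENTIFIED BY "<strong-password-placeholder>"
  DEFAULT TABLESPACE users
  QUOTA 0 ON users
  PROFILE web_app_profile;

GRANT CREATE SESSION TO web_app;   -- no CONNECT/RESOURCE/DBA roles

-- 3. Subset of the data: only published rows, only needed columns.
CREATE OR REPLACE VIEW catalog_owner.public_products AS
  SELECT product_id, name, list_price
  FROM   catalog_owner.products
  WHERE  published = 'Y';

-- 4. Definer-rights procedure: web_app calls it but never sees the table.
CREATE OR REPLACE PROCEDURE catalog_owner.find_product (
  p_name   IN  VARCHAR2,
  p_result OUT SYS_REFCURSOR)
AUTHID DEFINER
AS
BEGIN
  -- p_name is passed as a bind variable, so it is data, not SQL text.
  -- Building the statement with '... WHERE name = ''' || p_name || ''''
  -- and EXECUTE IMMEDIATE is the injectable form this avoids.
  OPEN p_result FOR
    SELECT product_id, name, list_price
    FROM   catalog_owner.public_products
    WHERE  name = p_name;
END;
/

-- 5. Grant exactly what the application needs, nothing on the base table.
GRANT EXECUTE ON catalog_owner.find_product    TO web_app;
GRANT SELECT  ON catalog_owner.public_products TO web_app;

-- 6. Check: the account's whole privilege set should be these three rows.
SELECT privilege, CAST(NULL AS VARCHAR2(200)) AS object_name
FROM   dba_sys_privs WHERE grantee = 'WEB_APP'
UNION ALL
SELECT privilege, owner || '.' || table_name
FROM   dba_tab_privs WHERE grantee = 'WEB_APP';
```

Run the final query after any change to the application account; anything beyond CREATE SESSION, EXECUTE on the procedure and SELECT on the view is an excess privilege to remove.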

Received on Sat Jan 10 2004 - 16:59:26 CST