Re: Simple Oracle Net Security Question
A Security Checklist for Oracle9i
Authenticate clients properly
Remote authentication is a security feature provided by Oracle9i such that if turned on (TRUE), it defers authentication of users to the remote client connecting to an Oracle database. Thus, the database implicitly trusts any client to have authenticated itself properly. Note that clients, in general, such as PCs, are not trusted to perform operating system authentication properly and therefore, it is very poor security practice to turn on this feature. In a more secure configuration where this feature is turned off (FALSE), it enforces proper, server-based authentication of clients connecting to an Oracle database. To restrict remote authentication and thereby defer client trust to the database, set the init<sid>.ora (Oracle9i control file) database configuration parameter in the following manner:
REMOTE_OS_AUTHENT = FALSE
Encrypt network traffic
If possible, utilize Oracle Advanced Security to encrypt network traffic between clients, databases and application servers. (Note that Oracle Advanced Security is available only with the Enterprise Edition of the Oracle database).
"Howard J. Rogers" <howardjr2000_at_yahoo.com.au> wrote in message
news:ROmp9.50438$g9.146024_at_newsfeeds.bigpond.com...
>
> "Michael J. Moore" <hicamel_x_the_spam_at_attbi.com> wrote in message
> news:CLmp9.44328$ST4.92423_at_rwcrnsc53...
> > Assume I am using REMOTE_LOGIN_PASSWORDFILE = EXCLUSIVE and I have
> properly
> > set up the password file. I then connect to my database from a remote
> client
> > using sql*plus. Furthermore Oracle Net is set up using a typical TCP/IP
> > connection.
> >
> > So, my question is, is that connection to the database considered to be
> > secure or could anybody with a sniffer easily see commands that I am
> sending
> > and data that is being returned?
>
> It's totally unsecure, and a sniffer would see everything.
>
> However, it is possible to take advantage of Oracle's Advanced Security
> features, one of which is to encrypt everything going across a Net8
> interconnection.
>
> At which point all the sniffer will sniff is garbled garbage.
>
> Regards
> HJR
>
>
>
> > Thanks,
> > Mike
> >
> >
>
>
Received on Fri Oct 11 2002 - 00:07:58 CDT
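
The two checklist items quoted in this post can be checked mechanically. The script below is an added example, not code from the thread or from Oracle: it audits an init<sid>.ora and a server-side sqlnet.ora for REMOTE_OS_AUTHENT and for enforced Oracle Advanced Security encryption. SQLNET.ENCRYPTION_SERVER and SQLNET.ENCRYPTION_TYPES_SERVER are Oracle Advanced Security sqlnet.ora parameters that the thread does not name; the sample files are constructed, and the parser assumes one parameter per line.

```python
import re

# Constructed sample files for illustration; not taken from the thread.
WEAK_INIT_ORA = """\
db_name = ORCL
remote_login_passwordfile = EXCLUSIVE
remote_os_authent = TRUE   # trusts the client's OS login
"""
WEAK_SQLNET_ORA = """\
# Server-side sqlnet.ora with no encryption settings
NAMES.DIRECTORY_PATH = (TNSNAMES)
"""
HARDENED_INIT_ORA = "db_name = ORCL\nREMOTE_OS_AUTHENT = FALSE\n"
HARDENED_SQLNET_ORA = (
    "SQLNET.ENCRYPTION_SERVER = REQUIRED\n"
    "SQLNET.ENCRYPTION_TYPES_SERVER = (3DES168)\n"
)

def parse_params(text):
    """Return {NAME: value} from 'name = value' lines; '#' starts a comment."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        match = re.match(r"([A-Za-z0-9_.$]+)\s*=\s*(.+)", line)
        if match:
            params[match.group(1).upper()] = match.group(2).strip().strip("'\"")
    return params

def audit(init_ora, sqlnet_ora):
    """List findings for the two checklist items quoted in the post."""
    findings = []
    init, net = parse_params(init_ora), parse_params(sqlnet_ora)
    # Oracle's default for REMOTE_OS_AUTHENT is FALSE, so absent is acceptable.
    if init.get("REMOTE_OS_AUTHENT", "FALSE").upper() != "FALSE":
        findings.append("REMOTE_OS_AUTHENT is not FALSE: the database trusts "
                        "whatever OS identity the client reports")
    # Default is ACCEPTED: encrypted only if the client asks, so only REQUIRED
    # guarantees that no session crosses the wire in clear text.
    mode = net.get("SQLNET.ENCRYPTION_SERVER", "ACCEPTED").upper()
    if mode != "REQUIRED":
        findings.append(f"SQLNET.ENCRYPTION_SERVER is {mode}: sessions may be "
                        "sent unencrypted and readable by a sniffer")
    return findings

if __name__ == "__main__":
    for finding in audit(WEAK_INIT_ORA, WEAK_SQLNET_ORA):
        print("FINDING:", finding)
```

The password file setting from the original question (REMOTE_LOGIN_PASSWORDFILE = EXCLUSIVE) appears in the weak sample on purpose: it has no bearing on either finding.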