
Re: Simple Oracle Net Security Question

From: M Hashim <m.a.n.hashim_at_sympatico.ca>
Date: Thu, 10 Oct 2002 22:07:58 -0700
Message-ID: <rlqp9.23327$9f2.1247450@news20.bellglobal.com>


A Security Checklist for Oracle9i

Authenticate clients properly

Remote authentication is a security feature provided by Oracle9i such that if turned on (TRUE), it defers authentication of users to the remote client connecting to an Oracle database. Thus, the database implicitly trusts any client to have authenticated itself properly. Note that clients, in general, such as PCs, are not trusted to perform operating system authentication properly and therefore, it is very poor security practice to turn on this feature. In a more secure configuration where this feature is turned off (FALSE), it enforces proper, server-based authentication of clients connecting to an Oracle database. To restrict remote authentication and thereby defer client trust to the database, set the init<sid>.ora (Oracle9i control file) database configuration parameter in the following manner:

REMOTE_OS_AUTHENT = FALSE

Encrypt network traffic

If possible, utilize Oracle Advanced Security to encrypt network traffic between clients, databases and application servers. (Note that Oracle Advanced Security is available only with the Enterprise Edition of the Oracle database).

"Howard J. Rogers" <howardjr2000_at_yahoo.com.au> wrote in message news:ROmp9.50438$g9.146024_at_newsfeeds.bigpond.com...
>
> "Michael J. Moore" <hicamel_x_the_spam_at_attbi.com> wrote in message
> news:CLmp9.44328$ST4.92423_at_rwcrnsc53...
> > Assume I am using REMOTE_LOGIN_PASSWORDFILE = EXCLUSIVE and I have properly
> > set up the password file. I then connect to my database from a remote client
> > using sql*plus. Furthermore Oracle Net is set up using a typical TCP/IP
> > connection.
> >
> > So, my question is, is that connection to the database considered to be
> > secure or could anybody with a sniffer easily see commands that I am sending
> > and data that is being returned?
>
> It's totally unsecure, and a sniffer would see everything.
>
> However, it is possible to take advantage of Oracle's Advanced Security
> features, one of which is to encrypt everything going across a Net8
> interconnection.
>
> At which point all the sniffer will sniff is garbled garbage.
>
> Regards
> HJR
>
>
>
> > Thanks,
> > Mike
> >
> >
>
>
Received on Fri Oct 11 2002 - 00:07:58 CDT
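
The two checklist items in this message (REMOTE_OS_AUTHENT and network encryption) can be checked against configuration files with a short script. This is an added example, not part of the original post or of any Oracle tooling; the sample file contents are constructed, and the sqlnet.ora parameter SQLNET.ENCRYPTION_SERVER (Oracle Advanced Security's server-side encryption setting) is not named in the thread.

```python
import re

def parse_params(text):
    """Parse single-line NAME = VALUE entries; '#' starts a comment."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^([A-Za-z_][\w.$]*)\s*=\s*(.+)$", line)
        if m:
            value = m.group(2).strip().strip("'\"")
            params[m.group(1).upper()] = value.upper()
    return params

def audit(init_ora, sqlnet_ora):
    """Return findings for the two checklist items discussed above."""
    init, net = parse_params(init_ora), parse_params(sqlnet_ora)
    findings = []
    # An unset REMOTE_OS_AUTHENT defaults to FALSE, so only an explicit TRUE is flagged.
    if init.get("REMOTE_OS_AUTHENT", "FALSE") == "TRUE":
        findings.append("REMOTE_OS_AUTHENT=TRUE: database trusts client-side OS authentication")
    # An unset SQLNET.ENCRYPTION_SERVER defaults to ACCEPTED; only REQUIRED
    # makes the server refuse sessions that would travel in cleartext.
    enc = net.get("SQLNET.ENCRYPTION_SERVER", "ACCEPTED")
    if enc != "REQUIRED":
        findings.append(f"SQLNET.ENCRYPTION_SERVER={enc}: encryption is not enforced")
    return findings

# Constructed sample files (not taken from a real system).
WEAK_INIT = """
db_name = ORCL
remote_login_passwordfile = EXCLUSIVE
remote_os_authent = TRUE   # the setting the checklist warns against
"""
WEAK_SQLNET = """
NAMES.DIRECTORY_PATH = (TNSNAMES)
"""
HARDENED_INIT = """
db_name = ORCL
REMOTE_OS_AUTHENT = FALSE
"""
HARDENED_SQLNET = """
SQLNET.ENCRYPTION_SERVER = REQUIRED
"""

if __name__ == "__main__":
    for name, init, net in (("weak", WEAK_INIT, WEAK_SQLNET),
                            ("hardened", HARDENED_INIT, HARDENED_SQLNET)):
        print(name, audit(init, net) or "no findings")
```

The parser handles only single-line entries; parenthesised values that span several lines in sqlnet.ora are outside what it reads.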
