Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: Simple Oracle Net Security Question

From: Chuck <chuckh_at_softhome.net>
Date: 24 Oct 2002 06:17:36 -0700
Message-ID: <d9f40a28.0210240517.12f4d349@posting.google.com>


How difficult is it to set up authentication and encryption for all traffic to a DB server? Can I use the same certificate I am using for the same purposes on my web server or do I need a second certificate?

--
Chuck


"M Hashim" <m.a.n.hashim_at_sympatico.ca> wrote in message news:<rlqp9.23327$9f2.1247450_at_news20.bellglobal.com>...

> A Security Checklist for Oracle9i
>
>
>
> Authenticate clients properly
>
> Remote authentication is a security feature provided by Oracle9i such that if
> turned on (TRUE), it defers authentication of users to the remote client
> connecting to an Oracle database. Thus, the database implicitly trusts any
> client to have authenticated itself properly. Note that clients, in general,
> such as PCs, are not trusted to perform operating system authentication
> properly and therefore, it is very poor security practice to turn on this
> feature. In a more secure configuration where this feature is turned off
> (FALSE), it enforces proper, server-based authentication of clients
> connecting to an Oracle database. To restrict remote authentication and
> thereby defer client trust to the database, set the init<sid>.ora (Oracle9i
> control file) database configuration parameter in the following manner:
> REMOTE_OS_AUTHENT = FALSE
>
> Encrypt network traffic
>
> If possible, utilize Oracle Advanced Security to encrypt network
> traffic between clients, databases and application servers. (Note that
> Oracle Advanced Security is available only with the Enterprise Edition of
> the Oracle database).
>
>
>
> "Howard J. Rogers" <howardjr2000_at_yahoo.com.au> wrote in message
> news:ROmp9.50438$g9.146024_at_newsfeeds.bigpond.com...
> >
> > "Michael J. Moore" <hicamel_x_the_spam_at_attbi.com> wrote in message
> > news:CLmp9.44328$ST4.92423_at_rwcrnsc53...
> > > Assume I am using REMOTE_LOGIN_PASSWORDFILE = EXCLUSIVE and I have properly
> > > set up the password file. I then connect to my database from a remote client
> > > using sql*plus. Furthermore Oracle Net is set up using a typical TCP/IP
> > > connection.
> > >
> > > So, my question is, is that connection to the database considered to be
> > > secure or could anybody with a sniffer easily see commands that I am sending
> > > and data that is being returned?
> >
> > It's totally unsecure, and a sniffer would see everything.
> >
> > However, it is possible to take advantage of Oracle's Advanced Security
> > features, one of which is to encrypt everything going across a Net8
> > interconnection.
> >
> > At which point all the sniffer will sniff is garbled garbage.
> >
> > Regards
> > HJR
> >
> >
> >
> > > Thanks,
> > > Mike
> > >
> > >
> >
> >
Received on Thu Oct 24 2002 - 08:17:36 CDT
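
Added example, not part of the original thread: a small Python audit of the two checklist items quoted above (REMOTE_OS_AUTHENT and network encryption). It assumes the Oracle Net parameters SQLNET.ENCRYPTION_SERVER and SQLNET.ENCRYPTION_CLIENT with their documented default of ACCEPTED and the documented negotiation rules; the sample file contents are constructed, and only single-line NAME = VALUE entries are parsed.

```python
import re

LEVELS = {"REJECTED", "ACCEPTED", "REQUESTED", "REQUIRED"}

def parse_params(text):
    """Parse single-line NAME = VALUE entries; lines starting with '#' are skipped."""
    params = {}
    for line in text.splitlines():
        m = re.match(r"\s*([\w.]+)\s*=\s*([^#]+)", line)
        if m:
            params[m.group(1).upper()] = m.group(2).strip().strip("'\"").upper()
    return params

def negotiate(client, server):
    """Encryption negotiation result for one connection: 'on', 'off' or 'fail'."""
    pair = {client, server}
    if not pair <= LEVELS:
        raise ValueError(f"unknown encryption level in {sorted(pair)}")
    if "REJECTED" in pair:
        # One side refuses: the connection fails only if the other insists.
        return "fail" if "REQUIRED" in pair else "off"
    # Two passive sides never turn encryption on.
    return "off" if pair == {"ACCEPTED"} else "on"

def audit(init_ora, server_sqlnet, client_sqlnet=""):
    """Return (findings, outcome) for one client/server pairing."""
    findings = []
    if parse_params(init_ora).get("REMOTE_OS_AUTHENT", "FALSE") == "TRUE":
        findings.append("REMOTE_OS_AUTHENT=TRUE: database trusts the client's OS login")
    srv = parse_params(server_sqlnet).get("SQLNET.ENCRYPTION_SERVER", "ACCEPTED")
    cli = parse_params(client_sqlnet).get("SQLNET.ENCRYPTION_CLIENT", "ACCEPTED")
    outcome = negotiate(cli, srv)
    if srv != "REQUIRED":
        findings.append(f"SQLNET.ENCRYPTION_SERVER={srv}: cleartext sessions are still possible")
    if outcome == "off":
        findings.append("this pairing negotiates no encryption: a sniffer sees everything")
    return findings, outcome

# Constructed sample files (not taken from any real system).
WEAK_INIT = "remote_os_authent = TRUE\nremote_login_passwordfile = EXCLUSIVE\n"
HARD_INIT = "# hardened per the checklist\nREMOTE_OS_AUTHENT = FALSE\n"
HARD_SQLNET = "SQLNET.ENCRYPTION_SERVER = REQUIRED\n"

if __name__ == "__main__":
    for name, args in [("default", (WEAK_INIT, "")), ("hardened", (HARD_INIT, HARD_SQLNET))]:
        findings, outcome = audit(*args)
        print(name, "-> encryption", outcome)
        for f in findings:
            print("  -", f)
```

With an empty sqlnet.ora on both sides, both ends default to ACCEPTED and the session runs unencrypted, which is the situation described in the quoted reply.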
