Frank van Bortel wrote:
> Aakash wrote:
>
>> Thanks for the response. I am asking this just to get a security
>> perspective; a group of colleagues were discussing this when we
>> came up to this point.
>> Most of us were of the opinion that it's not possible, hence I thought I
>> would put it up here to get views from all over.
>>
>> The actual discussion was like "if an SQL*Plus session is in
>> progress, can anyone get into the active SQL*Plus session and play
>> around with the transactions happening, without knowing the
>> username/passwd being used by the session?"
>>
>> Thanks again, any more views will be appreciated.
>>
>>
>> Hans Forbrich <forbrich_at_yahoo.net> wrote in message
>> news:<6Dbpc.8769$j6.8739_at_edtnps84>...
>>
>>> Aakash wrote:
>>>
>>>
>>>> Hello everyone,
>>>>
>>>> After a client machine, say SQL*Plus, establishes a session with the
>>>> Oracle database, is it possible to intrude into the established
>>>> session? I.e., is it possible to get into the session layer of the
>>>> Oracle session? Is Oracle vulnerable to such hacking?
>>>
>>>
>>> Not if your network is protected.
>>>
>>> Very very difficult if your network is open and sniffable.
>>>
>>> You might want to look at http://www.petefinnigan.com for a general
>>> discussion of Oracle security.
>>>
>>> /Hans
>
>
> It is extremely easy to make sqlnet connections encrypted.
> Merely requires one or two entries in the network configuration
> files on client and server, and you're done.
> uid/password are then encrypted as well.

Can you, or anyone else, think of a quick demo that could be used to
show the change to students?
Run it in default configuration ... show the connection stream ...
modify ... view the connection stream?
--
Daniel Morgan
http://www.outreach.washington.edu/ext/certificates/oad/oad_crs.asp
http://www.outreach.washington.edu/ext/certificates/aoa/aoa_crs.asp
damorgan_at_x.washington.edu
(replace 'x' with a 'u' to reply)
Received on Sat May 15 2004 - 10:49:50 CDT
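
For the "one or two entries" and the before/after comparison discussed in the thread, an added example (not written by any poster in the thread): a Python check that reads client and server `sqlnet.ora` text and reports whether Oracle native network encryption would be negotiated. The sample files are constructed, the parser handles only single-line `NAME = value` entries, and the outcome assumes both sides share at least one algorithm.

```python
import re

LEVELS = ("REJECTED", "ACCEPTED", "REQUESTED", "REQUIRED")
DEFAULT = "ACCEPTED"  # value Oracle assumes when the parameter is absent

# Constructed sample files: an unmodified install and a hardened pair.
DEFAULT_CLIENT = ""
DEFAULT_SERVER = "NAMES.DIRECTORY_PATH = (TNSNAMES)\n"
HARDENED_CLIENT = ("SQLNET.ENCRYPTION_CLIENT = REQUIRED\n"
                   "SQLNET.ENCRYPTION_TYPES_CLIENT = (AES256)\n")
HARDENED_SERVER = ("SQLNET.ENCRYPTION_SERVER = REQUIRED  # refuse cleartext\n"
                   "SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)\n")


def parse_sqlnet(text):
    """Return {PARAM: value} for single-line entries, ignoring # comments."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^([A-Za-z0-9_.]+)\s*=\s*(.+)$", line)
        if m:
            params[m.group(1).upper()] = m.group(2).strip()
    return params


def negotiate(client, server):
    """Result of the encryption negotiation: 'on', 'off' or 'fail'."""
    pair = {client, server}
    if "REJECTED" in pair:
        # One side refuses; the connection fails only if the other insists.
        return "fail" if "REQUIRED" in pair else "off"
    if pair == {"ACCEPTED"}:
        return "off"  # both sides merely willing, so nothing is turned on
    return "on"       # at least one side REQUESTED or REQUIRED


def audit(client_ora, server_ora):
    """Report each side's level and the negotiated encryption state."""
    c = parse_sqlnet(client_ora).get("SQLNET.ENCRYPTION_CLIENT", DEFAULT).upper()
    s = parse_sqlnet(server_ora).get("SQLNET.ENCRYPTION_SERVER", DEFAULT).upper()
    for level in (c, s):
        if level not in LEVELS:
            raise ValueError(f"unknown encryption level: {level}")
    return {"client": c, "server": s, "encryption": negotiate(c, s)}


if __name__ == "__main__":
    print("default :", audit(DEFAULT_CLIENT, DEFAULT_SERVER))
    print("hardened:", audit(HARDENED_CLIENT, HARDENED_SERVER))
```

With `REQUIRED` on the server alone, a default client still ends up encrypted, which is why the server-side entry is the one to enforce. On a live session, the `NETWORK_SERVICE_BANNER` column of `V$SESSION_CONNECT_INFO` names the encryption algorithm when encryption is active.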