Re: Oracle and Arcserve
Steve <ThisOne_at_Aint.valid> wrote in message news:<c8hldc$4lg$1_at_lust.ihug.co.nz>...
> G Dahler wrote:
> > "Sybrand Bakker" <gooiditweg_at_sybrandb.verwijderdit.demon.nl> wrote in
> > message
> >
> >>Arcserve is a pain in the butt. If you want to use the GUI you will be
> >>forced to use the Oracle 7 Agent and perform a conventional hot
> >>backup.
> >>Arcserve does support RMAN: ie you can the Arcserve tape driver from
> >>RMAN. Arcserve doesn't integrate RMAN into the GUI, and if you choose
> >>to use RMAN you need to run it from a Windoze task scheduler.
> >>And they change the name of this product every few months, and I
> >>should better remain silent about the CA support website. It is a
> >>nightmare. PERIOD.
> >>
> >
> >
> > Totally agree on that. CA's support is a nightmare, and the product is a
> > total piece of crap. I wonder if some ex-msft engineers were used in the
> > process? Or maybe it was developed offshore?
> >
> >
> It was OK 'til CA bought it. After that... well, see all of the other
> products they've destroyed ( hint... ex Ingres dba :)
>
> My main point, and I've asked before, is why on earth are your database
> servers visible? The office network, and all incoming email, and really
> everything apart from port 1521 *should* be disconnected from these servers.
>
> It's stupid to have to av protect database servers. You should put a
> proper security plan into action. Let's face it, we've got enough to do
> without worrying about the outside world as well!
>
>
> Steve.
test this out on a test box first.
back up the databases and OS config files.
put the oracle server in a separate subnet, and implement a security policy on the router in between networks. block everything inbound below 1024, except for ssh from trusted hosts.
stop the server service, unbind netbios from TCP/IP.
remove the server from the domain, put it in its own workgroup not named "WORKGROUP".
apply a security policy template from cis.org.
keep stopping services until a netstat -n shows only the oracle tns listener ports (did it on a test box).
this will impact your ability to backup the server, and some antivirus products have dependencies upon services.
One site that I know of had to re-enable services when they went from McAfee to TrendMicro, as a local staging server is used that needs access to the drives via UNC names, hence the server service was required.
Here are a few references:
Norberg, Stefan, Securing Windows NT/2000 Servers for the Internet, O'Reilly, 2001 http://www.oreilly.com/catalog/securwinserv/
Finnigan, Pete, Oracle Security Step-by-Step v1.0, SANS Press, 2003 http://store.sans.org/
Theriault, Marlene, Newman, Aaron, Oracle Security Handbook, Osborne, 2001 http://shop.osborne.com/cgi-bin/osborne/0072133252.html
Various, Securing Windows 2000 Step-by-Step v1.5, SANS Press, 2001 http://store.sans.org/
Internet Security Systems, Windows 2000 Security Technical Reference, Microsoft Press, 2000
Windows Security Scoring Tool Implementation Guide, Center for Internet Security v2.1.3, 2002 http://www.cis.org
Secure Configuration Guide for Oracle 9i R2 http://otn.oracle.com
hth.
Pd
Received on Thu May 20 2004 - 17:59:35 CDT