
Re: Oracle and Arcserve

From: Steve <ThisOne_at_Aint.valid>
Date: Fri, 21 May 2004 20:17:34 +1200
Message-ID: <c8kduv$hgm$1@lust.ihug.co.nz>


Paul Drake wrote:
> Steve <ThisOne_at_Aint.valid> wrote in message news:<c8hldc$4lg$1_at_lust.ihug.co.nz>...
>

>>G Dahler wrote:
>>
>>>"Sybrand Bakker" <gooiditweg_at_sybrandb.verwijderdit.demon.nl> wrote in message
>>>
>>>
>>>>Arcserve is a pain in the butt. If you want to use the GUI you will be
>>>>forced to use the Oracle 7 Agent and perform a conventional hot
>>>>backup.
>>>>Arcserve does support RMAN: ie you can use the Arcserve tape driver from
>>>>RMAN. Arcserve doesn't integrate RMAN into the GUI, and if you choose
>>>>to use RMAN you need to run it from a Windoze task scheduler.
>>>>And they change the name of this product every few months, and I
>>>>should better remain silent about the CA support website. It is a
>>>>nightmare. PERIOD.
>>>>
>>>
>>>
>>>Totally agree on that. CA's support is a nightmare, and the product is a
>>>total piece of crap. I wonder if some ex-msft engineers were used in the
>>>process? Or maybe it was developed offshore?
>>>
>>>
>>
>>It was OK 'til CA bought it. After that... well, see all of the other 
>>products they've destroyed ( hint... ex Ingres dba :)
>>
>>My main point, and I've asked before, is why on earth are your database 
>>servers visible? The office network, and all incoming email, and really 
>>everything apart from port 1521 *should* be disconnected from these servers.
>>
>>It's stupid to have to av protect database servers. You should put a 
>>proper security plan into action. Let's face it, we've got enough to do 
>>without worrying about the outside world as well!
>>
>>
>>Steve.

>
>
> test this out on a test box first.
> back up the databases and OS config files.
>
> put the oracle server in a separate subnet, and implement a security
> policy on the router in between networks. block everything inbound
> below 1024, except for ssh from trusted hosts.
>
> stop the server service, unbind netbios from TCP/IP.
> remove the server from the domain, put it in its own workgroup not
> named "WORKGROUP".
> apply a security policy template from cis.org.
>
> keep stopping services until a netstat -n shows only the oracle tns
> listener ports (did it on a test box).
>
>
> this will impact your ability to backup the server, and some antivirus
> products have dependencies upon services.
>
> One site that I know of had to re-enable services when they went from
> McAfee to TrendMicro, as a local staging server is used that needs
> access to the drives via unc names, hence the server service was
> required.
>
> Here are a few references:
>
> Norberg, Stefan, Securing Windows NT/2000 Servers for the Internet,
> O'Reilly, 2001
> http://www.oreilly.com/catalog/securwinserv/
>
> Finnigan, Pete, Oracle Security Step-by-Step v1.0, SANS Press, 2003
> http://store.sans.org/
>
> Theriault, Marlene, Newman, Aaron, Oracle Security Handbook, Osborne,
> 2001
> http://shop.osborne.com/cgi-bin/osborne/0072133252.html
>
> Various, Securing Windows 2000 Step-by-Step v1.5, SANS Press, 2001
> http://store.sans.org/
>
> Internet Security Systems, Windows 2000 Security Technical Reference,
> Microsoft Press, 2000
>
> Windows Security Scoring Tool Implementation Guide, Center for
> Internet Security v2.1.3, 2002
> http://www.cis.org
>
> Secure Configuration Guide for Oracle 9i R2
> http://otn.oracle.com
>
> hth.
>
> Pd

Hi Paul,

I _think_ you're agreeing with me? Thanks for the references, although most of my customers are more interested in Solaris, HP-UX, Linux and TRU64!

My main point was 'why are these Oracle database servers visible to the internet?' If you're making any of the data public, it is surely on your terms, via some middleware.

If your server is not visible, then you don't need antivirus software. Why should it be? It's a database server, and doesn't need even to receive email.
If you've got problems with integrating with the office backup, then install a local tape drive/provide one way access to a SAN.

I know that the points I'm making are much simpler and far more obvious when you're looking after a large Oracle site, but if your business is data driven ( as most are ), then what cost is the loss of its core?

I know that this approach works, as I've implemented it in a number of companies already, including some using Windoze servers. It's all about priorities, and hoping to change those of the customer _before_ the catastrophe occurs.

Steve

Received on Fri May 21 2004 - 03:17:34 CDT
