Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: Oracle and Arcserve

From: Joel Garry <joel-garry_at_home.com>
Date: 24 May 2004 15:55:20 -0700
Message-ID: <91884734.0405241455.2a8f76ce@posting.google.com>


"Howard J. Rogers" <hjr_at_dizwell.com> wrote in message news:<40b13e1b$0$8990$afc38c87_at_news.optusnet.com.au>...
> "steve" <me_at_me.com> wrote in message
> > > Oracle servers shouldn't be checking email, and open ports...well, what
> > > were you thinking having open ports :-)
> > >
> >
> > Er actually you missed infections by visiting web sites.
>
> I'm sure I missed all sorts of possible sources of infection. All of which
> tend to require user activity of some sort. None of which would therefore
> apply to a server.

Actually, I've found when dealing with O support they often want files uploaded from the server. I realize that one can share the given directory to another computer and upload while networked from there, but that opens the server up to the outside-the-server. Anyways, I usually upload directly from the server, and I bet most people do. I'm sure O is better secured than most sites, but once you are looking at them, you are doing user activity. Not to mention looking at cdos while keeping an eye on OUI ;-)

>
> > also keep in mind that oracle now has a mailer that sits inside the oracle
> > database.
>
> "Mailer". Hmmm.... One who mails. Not one who *receives* mails, opens them
> and executes their attachments. Bit of a different issue.

Good point. But I still see people wanting to upload data from mail.

>
> >not to mention Java mail package which you can also load into the
> > oracle server.
>
> Whatever. We could go round the maypole on this one for ever.
>
> I have 8 servers here that do not have any continuous antivirus monitoring
> (weekly full scans, however, do take place). I have a proxy server that is
> the only way out to the rest of the world, and it's anti-virused up to its
> eyeballs, firewalled, and monitors everything on the (very slow telephone!)
> wire in real time. Every client machine is similarly encumbered. I haven't
> had anything affect those servers yet (3 years and counting).

(as an aside, f-prot seems to be a little more proactive than the big US vendors.)

>
> YMMV, of course. And if you wanted to implement auto-protect to give added
> peace of mind and, who knows, added actual protection, then go ahead and do
> it (but don't claim "it can't do any harm", because the best auto-protect
> tools take 5% or more of CPU time, which isn't nothing and is therefore
> something: a direct cost you need to be aware of).

I think some of the difference in mileage in what you and Connor are saying v. what I've seen may result from whether there is a division of labor between the OS install and the O install. Since I seem to attract Windows problems, and have plenty of O and *ix stuff to do, I don't want to be responsible for Windows installs, and in most places there is someone else responsible for it who knows much more about it than I. Oddly enough, the larger the place, it seems more likely that someone less experienced will do this. The smaller the place, the more likely someone busy and rushed will do this. Kind of the downside of the old saw "If you want something done quickly, give it to a busy person."

I'd be willing to go halfway and say "always put in AV until someone signs off on a security audit for the server." And of course, the AV vendors can screw up too, although they appear to have better QC than most, perhaps due to the "low" level of coding they have to deal with daily.

But for myself, being noticeably paranoid about it doesn't seem to be paranoid enough.

jg

--
@home.com is bogus.
"God has a big eraser." - sign on church.
It made me imagine a 16-ton Pink Pearl coming down Terry Gilliam style
on a spammer. *splorch*
Received on Mon May 24 2004 - 17:55:20 CDT
