
Re: Make a database accessible over the internet

From: Pete Finnigan <plsql_at_petefinnigan.com>
Date: Tue, 14 Sep 2004 19:43:55 +0100
Message-ID: <rUOmfXBrvzRBRxL0@peterfinnigan.demon.co.uk>


Hi Harry,

You need to take a look at two documents, the CIS Oracle benchmark and the SANS score document. Both are good security checklists for Oracle. The CIS also includes a self-check tool to see how vulnerable you are.

EE will not give you a major advantage security-wise over the standard edition. I have found the simpler the better for the installation and features when trying to secure Oracle. Most of the issues are due to bugs (vulnerabilities), SQL Injection issues, mostly configuration and privilege issues. No matter how many times it's said, "least privilege principle" is not usually followed. Exposing the database even through an application server to the Internet can still make it vulnerable to many sorts of attacks.

Take a look at the two documents I mention above and also at the two-part paper I wrote about SQL Injection in Oracle - links are available on http://www.petefinnigan.com/orasec.htm - there is a link to the CIS tool on my tools page.

kind regards

Pete

In article <un4ek0pgf7f627b22kjls0mg7nhn13g3l9_at_4ax.com>, Harry_Boswell_at_deq.state.ms.us writes
>We are looking at doing this also - we've had limited internet
>exposure to an instance that is rebuilt nightly, on a server that is
>"isolated" from the rest of our network. But our business process has
>changed, and we're going to have to provide limited access to a live
>instance, on a non-isolated server, through a web application
>(Websphere). We're using Oracle 9i Standard Edition, and reading
>through the Oracle 9i Security Overview document, I'm getting
>increasingly nervous, thinking that we really need to upgrade to EE.
>Is my concern justified? Can I make SE sufficiently secure?
>
>Thanks,
>Harry

-- 
Pete Finnigan
email:pete_at_petefinnigan.com
Web site: http://www.petefinnigan.com - Oracle security audit specialists
Book:Oracle security step-by-step Guide - see http://store.sans.org for details.
Received on Tue Sep 14 2004 - 13:43:55 CDT
