
Re: Listener Passwords, who uses them and why?

From: Billy <vslabs_at_onwe.co.za>
Date: 2 Aug 2005 22:57:50 -0700
Message-ID: <1123048670.837629.269900@o13g2000cwo.googlegroups.com>


DA Morgan wrote:

> Always. But then I always have tcp.validnode_checking=yes in my
> SQLNET.ORA

Yeah, "nice" parameter for ad-hoc security but not really that robust against real attacks.

I've used it myself to deny operators and developers access to a production database after complaining numerous times that they have no business there (but it is always easier to quickly hack and fix code on production than go through the proper development, Q&A and deployment process).

But it takes literally seconds to start a second IP stack on most operating systems (especially Linux) with a "valid node" IP address. Granted, more difficult in using something like a DoS attack against the actual machine with that IP to eliminate that machine (and a duplicate IP situation).. but should not be a problem for a serious attacker.

Any access control that relies on IP addresses only, is flawed. Yes, this is not the only tool in the Oracle Networking box and yes it's handy at times. But I can just see some (especially non-savvy management) grasping at this type of thing to be used for robust security..

My concern is not about the 99% "riff raff" that attempts to access the database. They are easily kept at bay with simplistic controls like valid node checking. My concern is the 1% that are anything but riff raff.

And that is what management should also be concerned about as that is what the real threat to their business is. I've seen how "stuff" has not only been stolen, but used in a pre-emptive strike on the market by the competition.

My take on Oracle security is to lock down the castle (database) itself. Guarding the roads (network) to the castle has its uses to keep the riff raff away. But I expect the real attackers to use lesser-travelled roads and know that they will eventually arrive at the gates of the castle. How well guarded that castle is, is what counts at the end.

--
Billy
Received on Wed Aug 03 2005 - 00:57:50 CDT
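
An added example, not part of the original post: a small Python audit of sqlnet.ora text that reports how valid node checking is configured and flags that it filters on source address only. The tcp.invited_nodes and tcp.excluded_nodes parameters are standard sqlnet.ora settings that the thread does not quote; the sample content, function names and finding labels are constructed for illustration.

```python
# Added example: audit sqlnet.ora text for the valid-node settings discussed above.
SAMPLE = """\
# constructed sample, not from the original post
tcp.validnode_checking = yes
tcp.excluded_nodes = (10.1.9.9)
"""

def parse_sqlnet(text):
    """Map lowercased parameter name -> value; indented lines continue a value."""
    params, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if line[0].isspace() and current:         # continuation of previous value
            params[current] += " " + line.strip()
        elif "=" in line:
            name, value = line.split("=", 1)
            current = name.strip().lower()
            params[current] = value.strip()
    return params

def nodes(value):
    """Split '(a, b, c)' into ['a', 'b', 'c']."""
    return [n.strip() for n in value.strip("() ").split(",") if n.strip()]

def audit(text):
    """Return a list of findings (labels are this example's own)."""
    p = parse_sqlnet(text)
    invited = nodes(p.get("tcp.invited_nodes", ""))
    excluded = nodes(p.get("tcp.excluded_nodes", ""))
    # Assumption: a missing parameter is treated as "no".
    if p.get("tcp.validnode_checking", "no").lower() != "yes":
        return ["OFF: valid node checking is not enabled"]
    findings = []
    if invited and excluded:
        findings.append("BOTH: invited_nodes takes precedence over excluded_nodes")
    elif excluded:
        findings.append("DENY-LIST ONLY: every address not listed is still accepted")
    elif not invited:
        findings.append("NO LIST: checking is enabled but no nodes are named")
    # The point made in the post: the list only compares source addresses.
    findings.append(f"ADDRESS-ONLY: {len(invited)} invited node(s); the source "
                    "address is all that is checked, so the database itself "
                    "still has to be locked down")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```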
