Oracle FAQ Your Portal to the Oracle Knowledge Grid

Home -> Community -> Usenet -> c.d.o.server -> Re: Advanced Security

Re: Advanced Security

From: Brian Peasland <dba_at_nospam.peasland.net>
Date: Tue, 12 Sep 2006 17:33:01 GMT
Message-ID: <J5Hq38.G6L@igsrsparc2.er.usgs.gov>


> The applications (from vendors) don't allow for field encryption.

Then you cannot and do not need DBMS_CRYPTO or DBMS_OBFUSCATION_TOOLKIT.

> Row restriction is not needed.

Then you do not need Fine Grained Access Control (FGAC), also known as Virtual Private Database (VPD).

> I feel that auditing allows us to look in the barn and see who took the
> horse. I want to keep anyone from looking in the barn. This is data
> which MUST be protected. It is enough to allow identity theft.

If the data must be protected, then don't you want to know when/if someone has accessed it? Yes, auditing allows you to "look in the barn", but it gives you a chance to see who is riding the horse!

> Web pages using HTTPS protect the contents between clients and webpages.
> ASO protects the content between the database and the web server.
>
> The issue is connection from
> 1) application fat clients,
> 2) ODBC clients,
> 3) and SQLPlus clients.
>
> We have the DB server configured to use ASO with "request" and the web
> servers set to "required". They are ok.
>
> I have been told that ASO is not needed since to sniff the packets, you
> would need to tap into a box which receives the packets. Is this
> nonsense or is there another reason to use it?

The security guys will tell you that anyone "on the network" can potentially gain access to the packets to be sniffed. So you may want to encrypt your network traffic. Please read this doc to show you how:

http://download-east.oracle.com/docs/cd/B19306_01/network.102/b14268/toc.htm

HTH,
Brian

-- 
===================================================================

Brian Peasland
dba_at_nospam.peasland.net
http://www.peasland.net

Remove the "nospam." from the email address to email me.


"I can give it to you cheap, quick, and good.
Now pick two out of the three" - Unknown
Received on Tue Sep 12 2006 - 12:33:01 CDT
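
The "request" versus "required" settings discussed in the thread, as an added example that is not part of the original post: it reads the encryption level from sqlnet.ora text and works out whether each client class ends up encrypted. It assumes "request" means the `REQUESTED` value of `SQLNET.ENCRYPTION_SERVER`; the client names and file contents are constructed.

```python
import re

# Outcome rules follow Oracle's documented negotiation between the client and
# server levels; "ON" also assumes both sides share an encryption algorithm.
LEVELS = ("REJECTED", "ACCEPTED", "REQUESTED", "REQUIRED")

def encryption_level(sqlnet_text, side):
    """Read SQLNET.ENCRYPTION_<side> (side: CLIENT or SERVER) from sqlnet.ora text."""
    level = "ACCEPTED"  # Oracle's default when the parameter is absent
    pattern = re.compile(r"\s*SQLNET\.ENCRYPTION_%s\s*=\s*\(?\s*(\w+)" % side, re.I)
    for line in sqlnet_text.splitlines():
        match = pattern.match(line.split("#", 1)[0])  # ignore comments
        if match:
            level = match.group(1).upper()
    if level not in LEVELS:
        raise ValueError("unknown encryption level: " + level)
    return level

def negotiate(client, server):
    """Return ON, OFF (cleartext session) or FAIL (connection refused)."""
    pair = {client, server}
    if pair == {"REQUIRED", "REJECTED"}:
        return "FAIL"
    if "REJECTED" in pair or pair == {"ACCEPTED"}:
        return "OFF"
    return "ON"

def audit(server_text, clients):
    """Map each client name to the negotiated outcome against this server."""
    server = encryption_level(server_text, "SERVER")
    return {name: negotiate(encryption_level(text, "CLIENT"), server)
            for name, text in clients.items()}

# Constructed sqlnet.ora contents (hypothetical, not taken from the thread).
CLIENTS = {
    "web server": "SQLNET.ENCRYPTION_CLIENT = REQUIRED\n",
    "fat client": "# no encryption parameters set\n",
    "sqlplus":    "SQLNET.ENCRYPTION_CLIENT = REJECTED\n",
}
SERVER_REQUESTED = "SQLNET.ENCRYPTION_SERVER = REQUESTED\n"
SERVER_REQUIRED = "SQLNET.ENCRYPTION_SERVER = REQUIRED\n"

if __name__ == "__main__":
    for label, text in (("REQUESTED", SERVER_REQUESTED), ("REQUIRED", SERVER_REQUIRED)):
        print(label, audit(text, CLIENTS))
```

With the server at `REQUESTED`, a client configured with `REJECTED` still connects and its session is cleartext; only `REQUIRED` on the server turns that case into a refused connection.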
