Re: Advantages of Oracle on Windows over Unix

On Jan 17, 2:29 pm, "Charles Hooper" <hooperc2..._at_yahoo.com> wrote:
> Excellent points, comments embedded.
>
> bdbafh wrote:
> > On Jan 17, 1:23 pm, "Charles Hooper" <hooperc2..._at_yahoo.com> wrote:
> > > * For IT staff members that cover many disciplines, operating Oracle on
> > > Windows is easier than doing the same on Linux and Unix, since the
> > > server looks much like all the other servers in the rack, is vulnerable
> > > to many of the same attack vectors as other servers in the rack, and
> > > can be administered using the same tools and commands as the other
> > > servers in the rack.
>
> > >From a cygwin bash shell against an sshd, both the MS Win and RHEL
> > Linux Oracle database servers look the same.I will have to check this out. We run a couple RHEL servers, as well
> as other versions of Red Hat Linux on a couple other systems.
>
> > > * Ctrl - Alt - Delete does not reboot the server, while on Linux, by
> > > default, this action causes an immediate reboot. For someone working
> > > in a mixed operating system environment, who is unaware how to change
> > > the default behavior, this can be a costly and/or time consuming
> > > lesson.
>
> > not with RHEL.The first time I noticed it was on a Red Hat 7.2 server. The Windows
> and Linux servers are on the same KVM, in the same server rack. The
> pattern of quickly hitting Ctrl twice, down arrow, and Enter to switch
> between servers, and then the Ctrl-Alt-Delete sequence to lock down the
> servers worked until I hit the first Linux server. Well, it probably
> needed to be rebooted any way, as it was up for 12 months... We run X
> Window on the RHEL boxes, but not on the non-RHEL Linux systems.
>
> > > * Oracle related log files and existence of backups can be checked from
> > > IT staff members' Windows computers with little effort.
>
> > Or checked from the dba's mail inbox.
>
> > > * Typically, a lower cost entry point, although total cost of ownership
> > > can be debated.
>
> > Same hardware, similar OS fees for "Enterprise Linux".True, or you can jump into Linux at no cost. This comment was directed
> at vendor specific Unix releases.
>
> > > * Use of threads rather than processes, meaning one executable running
> > > on the server for the Oracle instance. This could be argued positive
> > > or negative.
> > > * Server hardware can be single sourced from Dell (or some other
> > > vendor) - if your company has an exclusive contract for computers
> > > through a vendor, this can help reduce total cost of ownership.
>
> > Dell has resold RHEL for quite some time, as has HP.True, our RHEL systems were purchased from Dell, the oldest almost
> three years ago.
>
> > > * Provides the capability of running Oracle and SQLServer on the same
> > > computer. I would not recommend this, but it is possible for those
> > > non-platform independent applications.
> > > * A GUI is always present - there is no performance penalty for
> > > starting up the GUI, but then there is no way to disable the GUI to
> > > improve performance.
> > > * Support for asynchronous IO out of the box.
>
> > This has been a non-issue for quite some time with RHEL.Some of the Unix platforms, as I understand it, still do not support
> asynchronous IO, or it is not enabled by default.
>
> > > * Same virus scanner software used to protect the others servers in the
> > > IT rack can be used to protect the database server. This allows a
> > > single management console for the virus scanning software.
>
> > Don't enable a Samba dæmon - don't need an anti-virus scanner.
> > I have experienced first-hand where AV software gone wrong has nuked
> > Oracle database server software binaries on win32.But, Samba is what allows Linux to integrate into an all Windows
> environment. :-) I disagree that an anti-virus scanner is not needed
> for Linux/Unix platforms. Not all viruses attack just Windows
> platforms. Sun's universal Java language, integrated into Oracle, is
> also a vector for attack. The OEM console in 10g is also an attack
> vector. Just about anything that allows remote administration of the
> server could also become an vector for attack. We were a beta site for
> Trend Micro's Linux based virus scanner. That was not pleasant. I
> applied an RPM to patch the kernel to fix a bug and the virus scanner
> suddenly became incompatible with the operating system. Definitely,
> keep the virus scanner away from the Oracle directories, if installed.
>
> > > * Windows administrators have the opportunity to experience bugs
> > > introduced by Oracle patches before the bugs are experienced by users
> > > on other platforms. Microsoft's Windows Update site has helped promote
> > > the concept of active, immediate patching for Windows administrators.
> > > Case in point: take a look at bug ID 5752147 on Metalink that affects
> > > Oracle 10.2.0.3 on Red Hat Linux. The same bug was reported to Oracle
> > > on November 24, 2006 on the Windows platform (bug IDs 5680308, 5741417,
> > > 5708361, 5761998). I submitted an SR to Oracle related to the same
> > > problem on November 28, 2006, which was closed without resolution.
>
> > In my experience, turn-around time for fixes seems to me to have been
> > longer for win than lin.That seems to be the case. There are more Oracle systems running on
> Linux/Unix than on Windows - taking care of the big customers first is
> likely a big motivation factor.
>
> > > There are at least an equal number of reasons why one should use a
> > > Linux/Unix platform rather than Windows. Is it worth the effort to
> > > bash one platform or the other?
>
> > no, but it seems worth it to me to refute individual points.
> > I'm not claiming that either is better.
> > At least with 10.2, Oracle on MS windows is giving decent trace files
> > for ora-7445 issues.
>
> > -bdbafhYou made very good points, and that highlights the problem with making
> broad generalizations as I attempted to do. For the specific platform
> that you listed, there really can be no objections to your comments.
> Red Hat Linux <> Debian Linux <> HPUX <> every other Unix platform when
> comparing the features, capabilities, and file locations of each.
> Generalizations will not apply to all variants of the Unix platform.
>
> Charles Hooper
> PC Support Specialist
> K&M Machine-Fabricating, Inc.

Charles,

Based upon a paper that was linked to off of Pete Finnigan's site that discusses sniffing passwords off of the wire, I am much more tempted to use an ssh tunnel (aka port forwarding) to connect via sqlnet (oraclenet) to an oracle database instance. All the more reason to install Cygwin on the Ms Win boxes. At first it seems redundant to use an ssh tunnel inside of a VPN, but the traffic is still passing part of its journey in the clear on the destination network.

With regard to Samba on Linux boxes, I prefer to not run such processes and instead push backup sets (scripted, via scp) to a staging server from where the (virtual) dmz between dba and sysadmin is traversed.

With regard to AV software, it depends upon your environment. If the oracle server is running a local firewall and a minimal number of applications, there may not be an attack surface beyond the ssh dæmon the Oracle TNS listener and Apache over SSL. But yeah, if you're running other applications on the box, particularly those that would allow a compromise to escalate to gain root ... (cough SENDMAIL cough) you need all the help you can get.

-bdbafh Received on Wed Jan 17 2007 - 13:45:41 CST