Re: Oracle security

From: Gary Gapinski <gapinski_at_lerc.nasa.gov>
Date: 1996/03/15
Message-ID: <4ibvqb$et1_at_bytor.lerc.nasa.gov>


Hello, Arnold:

One simple security hole is SQL*Net. This is usually found at one or more ports in the 1500-1600 range, although it may be arbitrarily placed at any port. The protocol allows unlimited password-guessing attempts. It's probably best to move this to a port below 1024 and block it at the firewall, although that won't avoid attacks from within. The latter can be reduced using a TCP wrapper.

A similar problem exists for the pipe driver local to the system on which the data base resides.

There are a number of others, and I'll cite a few.

Many people neglect to change the SYS and SYSTEM passwords on a newly created instance.

The files or device nodes on which the data base resides must be properly protected. Sometimes the device nodes end up with default permissions that are too permissive.

Exported data is easily readable.

One must be very deliberate regarding discretionary access control. It's probably best to constrict all updates to use stored procedures.

The basic server product provides only DAC at the table and column level. It also has a healthy number of inference channels.

Oracle provides MAC with Trusted Oracle ($$$) and I believe has a SQL*Net that provides encryption of either authentication information, data, or both. You can, of course, use transport-level encryption as well.

Regards,

Gary

-- 
__________________________________________________________
Gary Gapinski                email: Gapinski_at_lerc.nasa.gov
NASA Lewis Research Center   voice: +1 216 433 5251
Received on Fri Mar 15 1996 - 00:00:00 CET
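Since the post's first point is that SQL*Net allows unlimited password-guessing attempts, one defensive measure is to watch for bursts of failed logons per client host. The following is an added example, not code from the original post or from Oracle; the record format (timestamp, client host, account, result) is constructed for illustration and does not reproduce any real Oracle listener or audit log layout.

```python
"""Flag client hosts that burst failed logons (password guessing) and any
logon that then succeeds from such a host. Added example; log layout is
constructed, not a real Oracle format."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records: ISO timestamp, client host, account, result.
SAMPLE_LOG = """\
1996-03-15T09:00:01 10.1.2.3 SYSTEM FAIL
1996-03-15T09:00:02 10.1.2.3 SYSTEM FAIL
1996-03-15T09:00:03 10.1.2.3 SYS FAIL
1996-03-15T09:00:04 10.1.2.3 SYSTEM FAIL
1996-03-15T09:00:05 10.1.2.3 SCOTT FAIL
1996-03-15T09:00:06 10.1.2.3 SYSTEM OK
1996-03-15T09:05:00 10.1.9.9 SCOTT FAIL
1996-03-15T09:30:00 10.1.9.9 SCOTT OK
"""


def parse(text):
    """Yield (time, host, user, ok) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, host, user, result = parts
        yield datetime.fromisoformat(ts), host, user, result == "OK"


def detect(text, threshold=5, window=timedelta(minutes=1)):
    """Return (alerted, success_after).

    alerted: host -> time at which it reached `threshold` failed logons
             inside a sliding `window` (a guessing burst).
    success_after: (host, user) pairs for logons that succeeded from a
             host after it was alerted; these deserve a closer look.
    """
    recent = defaultdict(deque)   # host -> timestamps of recent failures
    alerted = {}
    success_after = []
    for ts, host, user, ok in parse(text):
        if ok:
            if host in alerted:
                success_after.append((host, user))
            continue
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures outside the window
            q.popleft()
        if len(q) >= threshold and host not in alerted:
            alerted[host] = ts
    return alerted, success_after
```

Running `detect(SAMPLE_LOG)` flags 10.1.2.3 at 09:00:05 and reports the SYSTEM logon that succeeded from it one second later; 10.1.9.9, with a single failure, is not flagged.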