Re: DB link Secureness

From: Mladen Gogala <gogala.mladen_at_gmail.com>
Date: Sat, 19 Dec 2020 01:46:59 -0500
Message-ID: <CALcG2D+7wWzXDg9EXGnJUKiF74aU6rYdY4FW+b2ydPpTGmYn1A_at_mail.gmail.com>



You can also buy monitoring software like SolarWinds to secure your configuration. It is extremely popular software as of the last few days.

On Sat, Dec 19, 2020, 01:26 Stefan Knecht <knecht.stefan_at_gmail.com> wrote:

> Well, there are two sides to this.
>
> In any properly secured network, a DEV machine should not be able to connect
> to a PROD machine. Be it via DB link or any other means. That's not a
> database problem, that's a network zoning problem.
>
> But also, most places use post-import or post-restore steps which are
> automatically or manually performed, to deal with anything left over that
> shouldn't be the way the import creates them (e.g. you'd replace real-world
> users' emails with dummy emails when refreshing dev or qa with prod, and
> you'd likely also want to change any passwords or database links
> accordingly).
>
>
>
> On Sat, Dec 19, 2020 at 1:34 AM Lok P <loknath.73_at_gmail.com> wrote:
>
>> I checked two ways, i.e. first by taking the export dump and doing impdp
>> with parameter SQLFILE, and as I see in version 11.2.0.4 the dblink DDL
>> has a bind variable in place of the password.
>>
>> Then I tried to see the .DMP file content and it's all junk. I didn't
>> see any hashed value or bind value. So that looks perfect from a
>> security standpoint.
>>
>> Now one thing I wanted to see: if somebody takes the export dump of a dblink
>> from PRODDB and imports it into some Dev database, say DEVDB, will that dblink
>> be created without any error? And in that case will the user silently be
>> able to connect to REMOTEPROD using that dblink without anyone
>> noticing? If it's true, then even though the password is not exposed to the
>> outside, it's still a security risk. Correct me if I'm wrong.
>>
>> On Thu, 17 Dec 2020, 9:59 am Lok P, <loknath.73_at_gmail.com> wrote:
>>
>>> I am not very sure how to create DB links using TCPS and whether it's the
>>> safest, with no security loophole. Can you explain a bit? We are on
>>> 11.2.0.4, so is there any version dependency?
>>>
>>> But the below doc does state that the password was stored as cleartext in
>>> sys.link$ prior to 10GR2. But nothing is mentioned about whether export/import
>>> exposes the password in clear text in current versions or not.
>>>
>>> MOS Doc ID 202987.1
>>>
>>> On Thu, Dec 17, 2020 at 8:14 AM Mladen Gogala <gogala.mladen_at_gmail.com>
>>> wrote:
>>>
>>>> Or create link using TCPS.
>>>>
>>>> On 12/16/20 2:03 PM, Powell, Mark wrote:
>>>> > Ask the security team to present you proof the password can be exposed
>>>> > when someone exports/imports the link
>>>>
>>>> --
>>>> Mladen Gogala
>>>> Database Consultant
>>>> http://mgogala.byethost5.com
>>>>
>>>> --
>>>> http://www.freelists.org/webpage/oracle-l
>>>>
>>>>
>>>>
>
> --
> //
> zztat - The Next-Gen Oracle Performance Monitoring and Reaction Framework!
> Visit us at zztat.net | _at_zztat_oracle | fb.me/zztat | zztat.net/blog/
>

--
http://www.freelists.org/webpage/oracle-l
Received on Sat Dec 19 2020 - 07:46:59 CET
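
The post-import check discussed in the thread, applied to the DDL that impdp writes with the SQLFILE parameter, as an added example that is not part of the original messages: it lists every database link in the file and flags those whose USING target is not on an allow-list for the target environment. The sample DDL is constructed to match the description in the thread (a bind variable in place of the password); the link names, users and the `DEVREF` target are hypothetical.

```python
import re

# CREATE [SHARED] [PUBLIC] DATABASE LINK <name> ... ; as written to an impdp SQLFILE
LINK_RE = re.compile(
    r'CREATE\s+(?:SHARED\s+)?(?P<public>PUBLIC\s+)?DATABASE\s+LINK\s+'
    r'"?(?P<name>[\w.$#]+)"?(?P<body>.*?);',
    re.IGNORECASE | re.DOTALL,
)
USER_RE = re.compile(r'CONNECT\s+TO\s+"?(?P<user>[\w$#]+)"?', re.IGNORECASE)
USING_RE = re.compile(r"USING\s+'(?P<target>(?:[^']|'')*)'", re.IGNORECASE)

# Constructed sample (not real output): password shown as a bind placeholder.
SAMPLE_SQLFILE = """\
-- new object type path: SCHEMA_EXPORT/DB_LINK
CREATE DATABASE LINK "REMOTEPROD_LNK"
   CONNECT TO "APPUSER" IDENTIFIED BY VALUES ':1'
   USING 'REMOTEPROD';
CREATE PUBLIC DATABASE LINK "DEVREF_LNK"
   CONNECT TO "REFUSER" IDENTIFIED BY VALUES ':1'
   USING 'DEVREF';
"""

def find_db_links(ddl_text):
    """Return one dict per CREATE DATABASE LINK statement in the DDL text."""
    # Drop "--" comment lines so commented-out DDL is not reported.
    ddl = "\n".join(line for line in ddl_text.splitlines()
                    if not line.lstrip().startswith("--"))
    links = []
    for m in LINK_RE.finditer(ddl):
        user = USER_RE.search(m.group("body"))
        using = USING_RE.search(m.group("body"))
        links.append({
            "name": m.group("name"),
            "public": bool(m.group("public")),
            "user": user.group("user") if user else None,
            "target": using.group("target") if using else None,
        })
    return links

def links_to_review(ddl_text, allowed_targets):
    """Links whose USING target is missing or not allowed in this environment."""
    allowed = {t.upper() for t in allowed_targets}
    return [l for l in find_db_links(ddl_text)
            if (l["target"] or "").upper() not in allowed]

if __name__ == "__main__":
    for link in links_to_review(SAMPLE_SQLFILE, {"DEVREF"}):
        print("review before import:", link["name"], "->", link["target"])
```

Links it reports can be left out of the refresh with impdp's `EXCLUDE=DB_LINK`, or dropped and recreated against the right target in the post-import step.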
