Re: internet secure solutions
In article <[EMAIL PROTECTED]>, nelson flores <[EMAIL PROTECTED]> writes
> Something important to take into account when talking about security, is
> the problem with "if you don't know it's happening you can't stop it..."
> ..
> Remember to read/analyze logs for unusual stuff (Oracle or FW logs)...
> preferably with an IDS, as it makes the job of finding out whether you
> have a security breach a whole lot easier.

Good point. The checklists on my site also talk about Oracle auditing. I have a paper on auditing, and my paper "detecting SQL injection on Oracle" (http://www.petefinnigan.com/orasec.htm) talks about some ideas for trapping actions such as SQL injection. As you also say, analysing firewall logs, with or without an IDS, is also very important.

Kind regards

Pete

--
Pete Finnigan
email:[EMAIL PROTECTED]
Web site: http://www.petefinnigan.com - Oracle security audit specialists
Book:Oracle security step-by-step Guide - see http://store.sans.org for details.

--
Please see the official ORACLE-L FAQ: http://www.orafaq.net
--
Author: Pete Finnigan
INET: [EMAIL PROTECTED]

Fat City Network Services -- 858-538-5051 http://www.fatcity.com
San Diego, California -- Mailing list and web hosting services
---------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from). You may
also send the HELP command for other information (like subscribing).
RE: internet secure solutions
Something important to take into account when talking about security is the problem with "if you don't know it's happening you can't stop it..."

Remember to read/analyze logs for unusual stuff (Oracle or FW logs)... preferably with an IDS, as it makes the job of finding out whether you have a security breach a whole lot easier.

-----Original Message-----
From: Pete Finnigan
Sent: Saturday, January 10, 2004 2:59 PM
To: Multiple recipients of list ORACLE-L

> Hi Paula,
>
> Paul and Steve have given some good ideas on this, but also you should lock down the database as hard as you can. Even if the database is only accessed via the application server, its data is still available from the internet. Issues such as SQL injection and cross-site scripting can come into play. Use least privilege principles and remove all excess privileges. There are many papers on Oracle security on my site http://www.petefinnigan.com/orasec.htm including some very good checklists. You will find the SANS S.C.O.R.E. and cisecurity benchmarks linked in the checklist section of this page. Both follow the SANS step-by-step quite closely.
>
> Also, if the server the application server is on is breached, then the database is in much bigger trouble from the DMZ than it would normally be from the net. You need therefore to ensure that the application server is also hardened. Have a look at the cisecurity OS benchmarks as well as a start for hardening the OS.
>
> Encrypting the data between the application server and database is admirable and an extra expense, but there are other issues to look at as well. As Steve said, firewalls are needed.
>
> If your application allows it data-wise / operationally, then it can sometimes be better to not expose the database at all to the net but expose a subset of data that is needed by your net-based users. Do this by replicating the relevant data to a second database and expose that to the application server. Two-way replication could be needed depending on what your application does.
>
> Anyway, have a look at some of the Oracle security info on my site http://www.petefinnigan.com/orasec.htm including SQL injection papers, checklists etc. - it might help you.
>
> hth
>
> kind regards
>
> Pete

--
Author: nelson flores
INET: [EMAIL PROTECTED]
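Nelson's point about reading the logs, as an added example that is not part of the original post: a small pass over listener.log that flags SQL*Net connections arriving from anything other than the application server and any connect attempt the listener did not complete. The log lines are constructed for the demo (not a real capture); their field layout follows the listener.log format Oracle documents (timestamp * connect data * protocol address * event * sid * return code, with 0 meaning the connection was established). The set of expected client addresses is an assumption for the demo.

```python
import re
from collections import Counter

# Constructed sample listener.log lines (not a real capture). Layout follows
# listener.log: timestamp * connect data * protocol address * event * sid * rc.
SAMPLE_LISTENER_LOG = """\
10-JAN-2004 14:02:11 * (CONNECT_DATA=(SERVICE_NAME=prod)(CID=(PROGRAM=java)(HOST=myappserver)(USER=webapp))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.20)(PORT=41022)) * establish * prod * 0
10-JAN-2004 14:02:14 * service_update * prod * 0
10-JAN-2004 14:02:15 * (CONNECT_DATA=(SERVICE_NAME=prod)(CID=(PROGRAM=sqlplus)(HOST=laptop)(USER=jdoe))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.9.8.7)(PORT=3311)) * establish * prod * 0
10-JAN-2004 14:02:16 * (CONNECT_DATA=(SERVICE_NAME=prod)(CID=(PROGRAM=sqlplus)(HOST=laptop)(USER=jdoe))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.9.8.7)(PORT=3312)) * establish * prod * 12505
10-JAN-2004 14:02:17 * (CONNECT_DATA=(SERVICE_NAME=prod)(CID=(PROGRAM=java)(HOST=myappserver)(USER=webapp))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.20)(PORT=41023)) * establish * prod * 0
"""

# Assumption for the demo: only the DMZ application server should open sessions.
EXPECTED_CLIENTS = {"192.168.10.20"}


def field(pattern, text):
    """First capture group of pattern in text, or None."""
    m = re.search(pattern, text)
    return m.group(1) if m else None


def parse_establish(line):
    """Parse one 'establish' event; return None for other events (no client address)."""
    parts = [p.strip() for p in line.split(" * ")]
    if len(parts) < 6 or parts[3] != "establish":
        return None
    ts, connect_data, address, _event, sid, rc = parts[:6]
    return {
        "time": ts,
        "program": field(r"\(PROGRAM=([^)]*)\)", connect_data),
        "os_user": field(r"\(USER=([^)]*)\)", connect_data),
        "client_host": field(r"\(HOST=([^)]*)\)", connect_data),  # client-reported
        "src_ip": field(r"\(HOST=([^)]*)\)", address),            # from the socket
        "sid": sid,
        "rc": int(rc),
    }


def review(log_text, expected_clients=EXPECTED_CLIENTS):
    """Return (alerts, failures): alerts is a list of (reason, event) pairs,
    failures counts non-zero return codes per source address."""
    alerts = []
    failures = Counter()
    for line in log_text.splitlines():
        ev = parse_establish(line)
        if ev is None:
            continue
        if ev["src_ip"] not in expected_clients:
            alerts.append(("connection from unexpected source", ev))
        if ev["rc"] != 0:
            failures[ev["src_ip"]] += 1
            alerts.append(("connect attempt failed (TNS-%d)" % ev["rc"], ev))
    return alerts, failures


if __name__ == "__main__":
    alerts, failures = review(SAMPLE_LISTENER_LOG)
    for reason, ev in alerts:
        print("%s: %s %s@%s via %s (%s)" % (ev["time"], reason, ev["os_user"],
                                            ev["client_host"], ev["src_ip"], ev["program"]))
    print("failures by source:", dict(failures))
```

The source address comes from the protocol address, which the listener fills in from the socket; the HOST and USER inside CONNECT_DATA are supplied by the client and are useful context but not evidence. A burst of non-zero return codes from one address is the pattern to watch for.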
Re: internet secure solutions
Hi Paula,

Paul and Steve have given some good ideas on this, but also you should lock down the database as hard as you can. Even if the database is only accessed via the application server, its data is still available from the internet. Issues such as SQL injection and cross-site scripting can come into play. Use least privilege principles and remove all excess privileges. There are many papers on Oracle security on my site http://www.petefinnigan.com/orasec.htm including some very good checklists. You will find the SANS S.C.O.R.E. and cisecurity benchmarks linked in the checklist section of this page. Both follow the SANS step-by-step quite closely.

Also, if the server the application server is on is breached, then the database is in much bigger trouble from the DMZ than it would normally be from the net. You need therefore to ensure that the application server is also hardened. Have a look at the cisecurity OS benchmarks as well as a start for hardening the OS.

Encrypting the data between the application server and database is admirable and an extra expense, but there are other issues to look at as well. As Steve said, firewalls are needed.

If your application allows it data-wise / operationally, then it can sometimes be better to not expose the database at all to the net but expose a subset of data that is needed by your net-based users. Do this by replicating the relevant data to a second database and expose that to the application server. Two-way replication could be needed depending on what your application does.

Anyway, have a look at some of the Oracle security info on my site http://www.petefinnigan.com/orasec.htm including SQL injection papers, checklists etc. - it might help you.

hth

kind regards

Pete

--
Author: Pete Finnigan
INET: [EMAIL PROTECTED]
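Pete's point about SQL injection, as an added example that is not part of the original post: the first lookup builds the statement by string concatenation, the second passes the value as a bind variable. Python's standard sqlite3 module stands in for an Oracle driver so the demo runs offline; the `:name` bind syntax is the one Oracle also accepts, so the hardened function reads the same with cx_Oracle. The table, rows and payload are constructed for the demo.

```python
import sqlite3

PAYLOAD = "x' OR '1'='1"  # classic tautology payload, constructed for the demo


def make_db():
    """Constructed demo data; sqlite3 stands in for the Oracle database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, email TEXT, region TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [("alice", "alice@example.com", "north"),
         ("bob", "bob@example.com", "south"),
         ("carol", "carol@example.com", "north")],
    )
    return conn


def lookup_unsafe(conn, name):
    """Vulnerable: caller-supplied text becomes part of the SQL statement."""
    sql = "SELECT name, email FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Hardened: the value travels as a bind variable (:name), never as SQL text.

    The same bind variable is what lets Oracle reuse the parsed statement, so
    the fix removes the injection and the hard-parse overhead together.
    """
    sql = "SELECT name, email FROM customers WHERE name = :name"
    return conn.execute(sql, {"name": name}).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("unsafe:", lookup_unsafe(db, PAYLOAD))  # every customer row comes back
    print("safe:  ", lookup_safe(db, PAYLOAD))    # [] - no customer has that name
```

Least privilege complements the fix: the account the application server connects as should hold only the object privileges it needs, so an injection that does slip through has nothing beyond the application's own tables to reach.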
RE: internet secure solutions
Is all SQL*Net traffic between the app server and the database server? In other words, is all traffic secure where packets cannot be sniffed? Or do you need to encrypt the SQL query result set data going from the server to an unknown client? I believe that's what Oracle Advanced Security gives you.

If you just want to limit access to the database server and you're using TCP, you can put the following entries into the $ORACLE_HOME/network/admin/sqlnet.ora file:

TCP.VALIDNODE_CHECKING=yes
TCP.INVITED_NODES=(myappserver.mycompany.com,mydbaworkstation.mycompany.com)

Regardless of Oracle implementation, isn't a firewall a mandatory part of the equation?

Steve Orr
Bozeman, Montana

-----Original Message-----
From: [EMAIL PROTECTED]
Sent: Friday, January 09, 2004 11:29 AM
To: Multiple recipients of list ORACLE-L

> Running Oracle 9i and Solaris 2.9. It appears to me that the solution can be hardware based or Oracle based then. Which brings up questions about cost versus administration versus reliability. Hmmm.
>
> -----Original Message-----
> From: Paul Drake
> Sent: Friday, January 09, 2004 12:49 PM
> To: Multiple recipients of list ORACLE-L
>
> > --- [EMAIL PROTECTED] wrote:
> > > Guys,
> > >
> > > Any good doc. on securing data on database on
> > > internal network behind firewall with an application
> > > server accessing it in the DMZ. I am thinking
> > > Advanced security but would appreciate something on
> > > this subject. I have stored some documents on
> > > security from previous strings but cannot get to my
> > > folder due to a system issue.
> > >
> > > Thanks for any assistance.
> >
> > Hi.
> >
> > how about some OS and database server version info?
> >
> > It wouldn't surprise me if SysAdmin Mag has an article on exactly this.
> >
> > Will more than just OracleNet traffic need to be encrypted? If so, then an ssh tunnel (or some other vpn solution) might make more sense.
> >
> > One method is entirely physical: private network (non-virtual) over additional NICs + crossover cable, but that would require that you run a firewall on the server housing the database, as the application server is in an untrusted network. As it circumvents the existing firewall, it could get you fired for violating the site security policy, so it isn't necessarily a good solution. But it's one worth considering.
> >
> > I really like using dedicated point-to-point connections between app server and database server where both servers have dual integrated gigabit cards, no one has coughed up the funds for switched gigabit ethernet ports and one of the integrated gigabit NICs is unused (for a fat client/server app). But it does not scale for several hosts.
> >
> > Pd

--
Author: Orr, Steve
INET: [EMAIL PROTECTED]
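Steve's sqlnet.ora entries, as an added example that is not part of the original post: a short audit script that parses a sqlnet.ora and reports whether valid node checking will actually refuse unlisted hosts, and whether the server insists on SQL*Net encryption rather than merely accepting it. The parameter names (TCP.VALIDNODE_CHECKING, TCP.INVITED_NODES, TCP.EXCLUDED_NODES, SQLNET.ENCRYPTION_SERVER) are the documented Oracle Net ones; the sample file and its host names are constructed for the demo.

```python
import re

# Constructed sample sqlnet.ora (not from the original post). Parameter names
# are the documented Oracle Net ones; host names are made up for the demo.
SAMPLE_SQLNET_ORA = """\
# constructed sample: DMZ app server and one DBA workstation allowed in
NAMES.DIRECTORY_PATH = (TNSNAMES, HOSTNAME)
TCP.VALIDNODE_CHECKING = yes
TCP.INVITED_NODES = (myappserver.mycompany.com,
                     mydbaworkstation.mycompany.com)
SQLNET.ENCRYPTION_SERVER = requested
"""


def parse_sqlnet_ora(text):
    """Return {KEY: scalar string or list of strings} from sqlnet.ora text.

    Handles KEY = value and KEY = (a, b, ...) entries, including lists that
    continue onto following lines. Nested parenthesised values are not needed
    for the parameters audited here and are not handled.
    """
    # Drop comments, then join lines so a wrapped list becomes one entry.
    joined = " ".join(line.split("#", 1)[0].strip() for line in text.splitlines())
    params = {}
    for m in re.finditer(r"([A-Za-z0-9_.]+)\s*=\s*(\([^)]*\)|[^\s(]+)", joined):
        key, raw = m.group(1).upper(), m.group(2)
        if raw.startswith("("):
            params[key] = [v.strip() for v in raw[1:-1].split(",") if v.strip()]
        else:
            params[key] = raw
    return params


def audit(params):
    """Return a list of findings; an empty list means both controls are in place."""
    findings = []
    if str(params.get("TCP.VALIDNODE_CHECKING", "no")).lower() != "yes":
        findings.append("TCP.VALIDNODE_CHECKING is not yes: any host that can reach "
                        "the listener port may open a SQL*Net session")
    elif not (params.get("TCP.INVITED_NODES") or params.get("TCP.EXCLUDED_NODES")):
        findings.append("TCP.VALIDNODE_CHECKING is yes but neither TCP.INVITED_NODES "
                        "nor TCP.EXCLUDED_NODES is set")
    # Oracle's default is ACCEPTED, which leaves the choice to the client; only
    # REQUIRED refuses a cleartext session.
    enc = str(params.get("SQLNET.ENCRYPTION_SERVER", "accepted")).lower()
    if enc != "required":
        findings.append("SQLNET.ENCRYPTION_SERVER=%s: a client may still negotiate "
                        "an unencrypted session; set REQUIRED" % enc)
    return findings


if __name__ == "__main__":
    for finding in audit(parse_sqlnet_ora(SAMPLE_SQLNET_ORA)):
        print("FINDING:", finding)
```

Valid node checking is a listener-side control, so a change to sqlnet.ora takes effect on the next listener restart, and it is a complement to the firewall rather than a substitute: it filters on the source address the listener sees, which the firewall should already have narrowed to the DMZ application server.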
RE: internet secure solutions
Running Oracle 9i and Solaris 2.9. It appears to me that the solution can be hardware based or Oracle based then. Which brings up questions about cost versus administration versus reliability. Hmmm.

-----Original Message-----
From: Paul Drake
Sent: Friday, January 09, 2004 12:49 PM
To: Multiple recipients of list ORACLE-L

> --- [EMAIL PROTECTED] wrote:
> > Guys,
> >
> > Any good doc. on securing data on database on
> > internal network behind firewall with an application
> > server accessing it in the DMZ. I am thinking
> > Advanced security but would appreciate something on
> > this subject. I have stored some documents on
> > security from previous strings but cannot get to my
> > folder due to a system issue.
> >
> > Thanks for any assistance.
>
> Hi.
>
> how about some OS and database server version info?
>
> It wouldn't surprise me if SysAdmin Mag has an article on exactly this.
>
> Will more than just OracleNet traffic need to be encrypted? If so, then an ssh tunnel (or some other vpn solution) might make more sense.
>
> One method is entirely physical: private network (non-virtual) over additional NICs + crossover cable, but that would require that you run a firewall on the server housing the database, as the application server is in an untrusted network. As it circumvents the existing firewall, it could get you fired for violating the site security policy, so it isn't necessarily a good solution. But it's one worth considering.
>
> I really like using dedicated point-to-point connections between app server and database server where both servers have dual integrated gigabit cards, no one has coughed up the funds for switched gigabit ethernet ports and one of the integrated gigabit NICs is unused (for a fat client/server app). But it does not scale for several hosts.
>
> Pd

--
Author: [EMAIL PROTECTED]
INET: [EMAIL PROTECTED]
RE: internet secure solutions
--- [EMAIL PROTECTED] wrote:
> Guys,
>
> Any good doc. on securing data on database on
> internal network behind firewall with an application
> server accessing it in the DMZ. I am thinking
> Advanced security but would appreciate something on
> this subject. I have stored some documents on
> security from previous strings but cannot get to my
> folder due to a system issue.
>
> Thanks for any assistance.

Hi.

how about some OS and database server version info?

It wouldn't surprise me if SysAdmin Mag has an article on exactly this.

Will more than just OracleNet traffic need to be encrypted? If so, then an ssh tunnel (or some other vpn solution) might make more sense.

One method is entirely physical: private network (non-virtual) over additional NICs + crossover cable, but that would require that you run a firewall on the server housing the database, as the application server is in an untrusted network. As it circumvents the existing firewall, it could get you fired for violating the site security policy, so it isn't necessarily a good solution. But it's one worth considering.

I really like using dedicated point-to-point connections between app server and database server where both servers have dual integrated gigabit cards, no one has coughed up the funds for switched gigabit ethernet ports and one of the integrated gigabit NICs is unused (for a fat client/server app). But it does not scale for several hosts.

Pd

--
Author: Paul Drake
INET: [EMAIL PROTECTED]
RE: internet secure solutions
Guys,

Any good doc. on securing data in a database on an internal network behind a firewall, with an application server accessing it in the DMZ? I am thinking Advanced Security but would appreciate something on this subject. I have stored some documents on security from previous strings but cannot get to my folder due to a system issue.

Thanks for any assistance.

--
Author: [EMAIL PROTECTED]
INET: [EMAIL PROTECTED]