Auditing an Oracle database for security issues is very important. PeteFinnigan.com provides all of the information and tools that you will need Click here for details of PeteFinnigan.com Limited's detailed Oracle database security audit service Click here for details of PeteFinnigan.com Limited's Oracle Security Training Courses
Cookie Policy:We only use essential cookies on small sections of this website. For details see here.

Welcome, Guest. Please Login.
Aug 22nd, 2019, 5:35am
News: If you would like to register contact the forum admin
Home | Help | Search | Members | Login
   Pete Finnigan's Oracle Security Forum
   Oracle Security
   Oracle Security
(Moderator: Pete Finnigan)
   3rd party connections to Oracle db?
« Previous topic | Next topic »
Pages: 1  Reply | Notify of replies | Send Topic | Print
   Author  Topic: 3rd party connections to Oracle db?  (Read 3919 times)
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
3rd party connections to Oracle db?
« on: Aug 22nd, 2008, 9:50pm »
Quote | Modify

Hello all,
 
We are currently looking at ways to allow our clients to securely access their ERP databases (which we are hosting) via Point-to-Point WAN links or VPN. To date, we have only allowed access from internally controlled Citrix/MS Term Servers but we are seeing a significant number of requests from clients where they need to integrate non-hosted 3rd party apps or to perform dblinks for data warehousing systems at their location(s).
 
We have implemented the usual protections already - firewalls only allowing the single data warehouse/remote db access on the single SQLnet port, IDP, hardened Oracle installs - but from an application layer I don't see anything from preventing a remote db, which we don't
necessarily trust for a variety of reasons, from issuing a "bad"command to the db on our side other than the permission level of the account used in the db link. Is there some sort of "application firewall" for the Oracle stack that would make sense to look at? We have looked at Oracle Connection Manager (OCM) already and it doesn't really do any "security checks" as far as SQL requests. It is primarily looking at IP/Port info and allowing that approved host to access a single db name which does provide us a little better security since we have multiple db's on a single listener (dev, test, demo, stage for example and only dev should be accessed via the db link). We keep our db's up at the latest Oracle CPU level with a roughly 60 day lag time between release of the CPU and our deployment to production since we're very limited on the downtime we can take each month (1 month dev, next month prod).
 
If anyone has any docs or thoughts on how to better secure the 3rd party links I'd appreciate it.
 
Thanks,
 
mh
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Re: 3rd party connections to Oracle db?
« Reply #1 on: Aug 24th, 2008, 7:52pm »
Quote | Modify

Hmmmm,
 
This is a major issue for you; you presumably do not have much choice in allowing this or not?
 
From a mechanical level, OCM or valid node checking can be used as a very simple Oracle TNS level firewall but as you have noticed there is no way to add any security rules. In the real world these two methods are not easy to use successfully to block TNS unless everyone is on a static IP.  
 
You can take cheap approaches in terms of defence in depth, i.e. add a logon trigger to prevent access via the link account unless it originates from the right app and location and any other rules. You can also add DDL triggers to prevent use of other privileges. Another method maybe to have the link user have no privileges and expose what is needed via PL/SQL API where the privs are definer rights via another user.  
 
It is taken as read that your firewall and network seggeration / VPN are necessary.
 
At the application level you could use software such as Sentrigo Hedgehog to prevent any unauthorised actions. This will actually be useful at the database and application levels and because it runs at the database level any attempts at bypass are detected. Also it doesnt suffer from he issues associated with network based solutions. I should point out that my company is a reseller. I wrote a detailed review of Hedgehog here - http://www.petefinnigan.com/weblog/archives/00001179.htm
 
hth
 
cheers
 
Pete
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Re: 3rd party connections to Oracle db?
« Reply #2 on: Aug 25th, 2008, 2:47pm »
Quote | Modify

on Aug 24th, 2008, 7:52pm, Pete Finnigan wrote:
Hmmmm,
 
This is a major issue for you; you presumably do not have much choice in allowing this or not?

 
We used to have choice ... now it's almost to the point where we can't get a client to sign unless they have remote access to the DB. Too many 3rd party apps and data warehousing req's.
 
Quote:

From a mechanical level, OCM or valid node checking can be used as a very simple Oracle TNS level firewall but as you have noticed there is no way to add any security rules. In the real world these two methods are not easy to use successfully to block TNS unless everyone is on a static IP.

 
One nice thing about coming over the WAN links is we can static NAT out the hosts on their side that should be allowed to connect. Send the desktop's through a dynamic IP Pool and we can pretty much ensure that only the single NAT'd IP connects. Not perfect security since there are ways around it but it's a step in the right direction.
 
Quote:

You can take cheap approaches in terms of defence in depth, i.e. add a logon trigger to prevent access via the link account unless it originates from the right app and location and any other rules. You can also add DDL triggers to prevent use of other privileges. Another method maybe to have the link user have no privileges and expose what is needed via PL/SQL API where the privs are definer rights via another user.

 
Thanks Pete! Will talk to our DBA's here about using this to add a layer of application security.
 
Quote:

At the application level you could use software such as Sentrigo Hedgehog to prevent any unauthorised actions. This will actually be useful at the database and application levels and because it runs at the database level any attempts at bypass are detected. Also it doesnt suffer from he issues associated with network based solutions. I should point out that my company is a reseller. I wrote a detailed review of Hedgehog here - http://www.petefinnigan.com/weblog/archives/00001179.htm

 
Will take a look at it. Thanks again Pete.
 
mh
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Re: 3rd party connections to Oracle db?
« Reply #3 on: Aug 25th, 2008, 3:39pm »
Quote | Modify

Hey Pete, just off the top of my head - anyone ever try putting a Hedgehog install on top of the OCM listener to filter SQL traffic before it gets to the real DB listener?  
 
I don't know a whole lot about OCM's processing, but I believe OCM is just a DB listener under the covers.
 
mh
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Re: 3rd party connections to Oracle db?
« Reply #4 on: Aug 25th, 2008, 6:41pm »
Quote | Modify

Hi,
 
Defining an application role for the user used by the db-link could also be used as a measure to improve security (in addtion to other checks suggested by others). The user should have minimal privileges (only create session) all other privileges needed should be granted after executing a procedure that should test all kind of things relevant to your situation.
See Using Secure Application Roles to Enforce Security (http://www.oracle.com/technology/obe/obe10gdb/security/approles/approles .htm,
http://www.stanford.edu/dept/itss/docs/oracle/10g/network.101/b10773/apd vntro.htm,
Pete has also written about secure roles)
) for more information about application roles. I think application roles (based on procedures) came into existance with Oracle 9i.
 
I prefer secure roles above defining security in logon triggers because of the complexity if you have many schemas in your database. The logon trigger can become hard to read/maintain.
 
regards,
 
Ivan
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Re: 3rd party connections to Oracle db?
« Reply #5 on: Aug 26th, 2008, 9:44am »
Quote | Modify

Hi Mh and Ivan,
 
Ivan: The secure application roles are a good idea and use the same principals I was suggesting in terms of location, use etc. Of course on one hand its slightly better in that anyone logging in has no privilege (except the 27,000 public ones in 11g..Smiley) but on the downside the connection succeeds, with the logon trigger we stop the connection at startup if its not the right process. I would suggest that for "better" security both approaches would work, security in depth!
 
mh: Sentrigo hedgehog attaches to the database shared memory segments so runs as close to the database as possible without being inside it. it doesn't use the networking or listeners so it has a great advantage in that it doesn't matter the connection type, whether normal listener or ocm hedgehog still captures tne traffic "in the database".
 
cheers
 
Pete
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Re: 3rd party connections to Oracle db?
« Reply #6 on: Sep 3rd, 2008, 10:06pm »
Quote | Modify

Thanks guys!
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pages: 1  Reply | Notify of replies | Send Topic | Print

« Previous topic | Next topic »

Powered by YaBB 1 Gold - SP 1.4!
Forum software copyright 2000-2004 Yet another Bulletin Board