Call: +44 (0)1904 557620 Call
Forum

Welcome, Guest. Please Login.
Mar 28th, 2024, 4:59pm
News: Welcome to Pete Finnigan's Oracle security forum
Home | Help | Search | Members | Login
   Pete Finnigan's Oracle Security Forum
   Oracle Security
   Oracle Security
(Moderator: Pete Finnigan)
   recomendations on listener security
« Previous topic | Next topic »
Pages: 1  Reply | Notify of replies | Send Topic | Print
   Author  Topic: recomendations on listener security  (Read 2385 times)
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
recomendations on listener security
« on: Jan 23rd, 2009, 9:01am »
Quote | Modify

We have two databases db1 and db2 .  
 db2 holds v. sensitive data and users only accessed via an app server thru a firewall .  
 db2 however is accessable via the whole intranet and holds less sensitive data.
 
These databases are being placed on the same RAC cluster.  In order to prevent any unauthorised access to db1,  Database db2 will be
restricted via fireall so users only access via a listener on a seperate port (say 1531). Access to db1 will be restricted via firewall  
so users access via apps server connecting to a listener on a different port (say 1525)
 
What we would like confirming is are there any security risks in this methodology,  could someone with access to listener 1 on port 1531  
(which is listening for db2)  gain access or compromise security on db1?
 
listeners will be password protected and follow listener security guidelines in oracle docs, but it there anything more we should be doing?
many thanks
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Re: recomendations on listener security
« Reply #1 on: Jan 23rd, 2009, 9:42am »
Quote | Modify

Hi Jonathan,
 
The biggest problem is that both databases are on the same node/cluster/server. If you have taken the oppertunity to enable three (four) aliases during install, OSINSTALL, OSOPER, OSDBA (ASSM) then you have some segregation of duties. Also much more importantly you need to have installed the databases under a different user:group. If you have not then the issue is not the two different listeners but the whole array of other security vulnerabilities/configuration/privilege issues that can occur in the less sensitive database. If it would be possible to exploit the less secure database and you have installed the secure one as the same user:group then you have a problem. Someone breaching the less secure one can breach the more secure one. It; unfortunately is not just about traditional security vulnerabilities that have say been patched by a CPU but more often due to configuration issues. Access to the file system may allow theft for instance. Also remember the issue is often not about escalation of privilege but simple theft of data. Also if someone is able to create a link from the insecure database to the most secure there is also a problem (this problem occurs throughout all your databases!).
 
My view is its not just about the listener but the fact that you must harden both databases to the same level.
 
cheers
 
Pete
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Re: recomendations on listener security
« Reply #2 on: Jan 23rd, 2009, 11:34am »
Quote | Modify

OK thanks Pete, lots of food for thought.
 
So first step we should really look at keeping the two databases seperated at every level (i.e. os install users/groups , ports used for listeners)  
Next step lock down the privileges of the users accessing both the databases so we know exactly what they can/cannot do (which lets face it we should know anyway but can't be 100% we do)  
We are only in the planning stage and the two databases will be installed on new servers so these are steps we can defintely take.
 
I know this is keeping it very general but does that summarise what we are lookin at?
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Re: recomendations on listener security
« Reply #3 on: Jan 23rd, 2009, 4:17pm »
Quote | Modify

Hi Jonathan,
 
Thanks for your reply. I should have mentioned that most sites I deal with already have multiple databases on the same server with everything installed as oracle:dba so whilst what I said is ideal changing an existing install is often veto'd because of the time/risk of change.  
 
It sounds like you are at the head of the curve, this should be commended; seeking advice before building is fantastic and installing all three Unix groups and seperation for databases at the OS level is something that is easily done on new install.
 
So yes go for it. Assessing the privileges on the databases is often time consuming but worth the effort. Simplifying and reducing privileges often simplifies maintenance and also inevitably reduces costs because its simpler and easier to work with. Also simplifying privileges can increase performance as every peice of SQL / PL/SQL needs to have the privileges assessed before execution; simpler privileges means faster recursive SQL in these areas.
 
cheers
 
Pete
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Re: recomendations on listener security
« Reply #4 on: Jan 30th, 2009, 11:29am »
Quote | Modify

thanks vey much, very useful.
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pages: 1  Reply | Notify of replies | Send Topic | Print

« Previous topic | Next topic »

Powered by YaBB 1 Gold - SP 1.4!
Forum software copyright © 2000-2004 Yet another Bulletin Board
  • PFCLScan PFCLScan

    Simply connect PFCLScan to your Oracle database and it will automatically discover the security issues that could make your Oracle database vulnerable to attack and to the potential loss of your data.

  • PFCL Obfuscate PFCLObfuscate

    PFCLObfuscate is the only tool available that can automatically add license controls to your PL/SQL code. PFCLObfuscate protects your Intellectual Property invested in your PL/SQL database code.

  • PFCLCode PFCLCode

    PFCLCode is a tool to allow you to analyse your PL/SQL code for many different types of security issues. PFCLCode gives you a detailed review and reports and includes a powerful colour syntax highlighting code editor

  • PFCLForensics PFCLForensics

    PFCLForensics is the only tool available to allow you to do a detailed live response of a breached Oracle database and to then go on and do a detailed forensic analysis of the data gathered.

  • Products We resell PFCLReselling

    PeteFinnigan.com Limited has partnered with a small number of relevant companies to resell their products where they enhance or compliment what we do

  • PFCLATK PFCLATK

    PFCLATK is a toolkit that allows detailed pre-defined policy driven audit trails for your Oracle database. The toolkit also provides for a centralised audit trail and centralised activity reporting

  • PFCLCookie PFCLCookie

    PFCLCookie is a useful tool to use to audit your websites for tracking cookies. Scan websites in a natural way using powerful browser driven scanner

  • PFCL Training PFCLTraining

    PFCLTraining is a set of expert training classes for you, aimed at teaching how to audit your own Oracle database, design audit trails, secure code in PL/SQL and secure and lock down your Oracle database.

  • PFCL Services PFCLServices

    Choose PFCLServices to add PeteFinnigan.com Ltd to your team for your Oracle Security needs. We are experts in performing detailed security audits, data security design work and policy creation

  • PFCLConsulting PFCLConsulting

    Choose PFCLConsulting to ask PeteFinnigan.com Limited to set up and use our products on your behalf

  • PFCLCustom PFCLCustom

    All of our software products can be customised at a number of levels. Choose this to see how our products can be part of your products and services

  • PFCLCloud PFCLCloud

    Private cloud, public cloud, hybrid cloud or no cloud. Learn how all of our services, trainings and products will work in the cloud

  • PFCLUserRights PFCLUserRights

    PFCLUserRights allows you to create a very detailed view of database users rights. The focus of the reports is to allow you to decide what privileges and accounts to keep and which to remove.

  • PFCLSTK PFCLSTK

    PFCLSTK is a toolkit application that allows you to provide database security easily to an existing database. PFCLSTK is a policy driven toolkit of PL/SQL that creates your security

  • PFCLSFTK PFCLSFTK

    PFCLSFTK is a toolkit that solves the problem of securing third party applications written in PL/SQL. It does this by creating a thin layer between the application and database and this traps SQL Injection attempts. This is a static firewall.

  • PFCLSEO PFCLSEO

    PFCLSEO is a web scanner based on the PFCLScan technology so that a user can easily scan a website for technical SEO issues