Re: internet secure solutions
Hi Paula,
Paul and Steve have given some good ideas on this, but also you should lock down the database as hard as you can. Even if the database is only accessed via the application server, its data is still available from the internet. Issues such as SQL injection and cross-site scripting can come into play. Use least privilege principles and remove all excess privileges. There are many papers on Oracle security on my site http://www.petefinnigan.com/orasec.htm including some very good checklists. You will find the SANS S.C.O.R.E. and cisecurity benchmarks linked in the checklist section of this page. Both follow the SANS step-by-step quite closely.
Also, if the server the application server is on is breached, then the database is in much bigger trouble from the DMZ than it would normally be from the net. You need therefore to ensure that the application server is also hardened. Have a look at the cisecurity OS benchmarks as well as a start for hardening the OS. Encrypting the data between the application server and database is admirable and an extra expense, but there are other issues to look at as well. As Steve said, firewalls are needed. If your application allows it data wise / operationally, then it can sometimes be better to not expose the database at all to the net but expose a subset of data that is needed by your net based users. Do this by replicating the relevant data to a second database and expose that to the application server. Two-way replication could be needed depending on what your application does.
Anyway, have a look at some of the Oracle security info on my site http://www.petefinnigan.com/orasec.htm including SQL injection papers, checklists etc - it might help you.
hth
kind regards
Pete
--
Pete Finnigan
email: pete_at_petefinnigan.com
Web site: http://www.petefinnigan.com - Oracle security audit specialists
Book: Oracle security step-by-step Guide - see http://store.sans.org for details.
Author: Pete Finnigan
INET: oracle_list_at_peterfinnigan.demon.co.uk
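An added illustration of the two points Pete makes above, least privilege for the internet-facing account and keeping untrusted input out of the SQL text: this is example Oracle SQL and PL/SQL written for this page, not code from the original post or from Pete Finnigan's site. The HR.EMPLOYEES table, the APP_RO account, the view and procedure names and the placeholder password are all assumptions.

```sql
-- Added example (not part of the original post). Assumes a schema HR with
-- table EMPLOYEES; account, view and procedure names are hypothetical.

-- 1. The account the application server connects as gets only what it needs:
--    the right to log in, nothing else by default.
CREATE USER app_ro IDENTIFIED BY "REPLACE-AT-DEPLOY";  -- placeholder password
GRANT CREATE SESSION TO app_ro;

-- 2. Expose the subset of data the net-based users need through a view,
--    rather than granting SELECT on the base table (no salary column here).
CREATE OR REPLACE VIEW hr.public_employee_v AS
  SELECT employee_id, first_name, last_name, department_id
  FROM   hr.employees;
GRANT SELECT ON hr.public_employee_v TO app_ro;

-- 3. Injectable: the caller's input is concatenated into the statement text,
--    so a quote character in p_last_name ends the literal and whatever follows
--    is parsed as SQL by the database. Shown only as the "before" case.
CREATE OR REPLACE PROCEDURE hr.find_employee_bad (
  p_last_name IN  VARCHAR2,
  p_out       OUT SYS_REFCURSOR)
AS
  v_sql VARCHAR2(4000);
BEGIN
  v_sql := 'SELECT employee_id, first_name, last_name '
        || 'FROM hr.public_employee_v '
        || 'WHERE last_name = ''' || p_last_name || '''';
  OPEN p_out FOR v_sql;
END;
/

-- 4. Hardened: a bind variable carries the input as data, never as SQL text,
--    and the statement shape is fixed at compile time.
CREATE OR REPLACE PROCEDURE hr.find_employee (
  p_last_name IN  VARCHAR2,
  p_out       OUT SYS_REFCURSOR)
AS
BEGIN
  OPEN p_out FOR
    SELECT employee_id, first_name, last_name
    FROM   hr.public_employee_v
    WHERE  last_name = p_last_name;
END;
/

-- 5. The application account may execute only the safe procedure; it never
--    receives EXECUTE on find_employee_bad, nor any privilege on hr.employees.
GRANT EXECUTE ON hr.find_employee TO app_ro;
```

The same principle applies whether the application server talks to the production database or to the replicated subset Pete suggests: the connecting account holds CREATE SESSION plus grants on the views and procedures it calls, and every statement the application issues uses binds. Reviewing `DBA_TAB_PRIVS` and `DBA_SYS_PRIVS` for the application account is a quick way to confirm nothing beyond that has crept in.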
Received on Sat Jan 10 2004 - 16:59:26 CST