Pete Finnigan's Oracle Security Forum - 3rd party connections to Oracle db?

Forum

Home/Forum

Welcome, Guest. Please Login. Nov 22^nd, 2024, 7:00am News: If you would like to register contact the forum admin
Home \| Help \| Search \| Members \| Login

   Pete Finnigan's Oracle Security Forum
   Oracle Security
   Oracle Security (Moderator: Pete Finnigan)
   3rd party connections to Oracle db?

« Previous topic | Next topic »

Pages: 1

Reply | Notify of replies | Send Topic | Print

Author

Topic: 3rd party connections to Oracle db? (Read 5139 times)

Pete Finnigan
PeteFinnigan.com Administrator

Oracle Security is easier if you design for it

View Profile | WWW | Email

Gender: male

Posts: 309

3rd party connections to Oracle db?
« on: Aug 22^nd, 2008, 9:50pm »

Quote | Modify

Hello all,

We are currently looking at ways to allow our clients to securely access their ERP databases (which we are hosting) via Point-to-Point WAN links or VPN. To date, we have only allowed access from internally controlled Citrix/MS Term Servers but we are seeing a significant number of requests from clients where they need to integrate non-hosted 3rd party apps or to perform dblinks for data warehousing systems at their location(s).

We have implemented the usual protections already - firewalls only allowing the single data warehouse/remote db access on the single SQLnet port, IDP, hardened Oracle installs - but from an application layer I don't see anything from preventing a remote db, which we don't
necessarily trust for a variety of reasons, from issuing a "bad"command to the db on our side other than the permission level of the account used in the db link. Is there some sort of "application firewall" for the Oracle stack that would make sense to look at? We have looked at Oracle Connection Manager (OCM) already and it doesn't really do any "security checks" as far as SQL requests. It is primarily looking at IP/Port info and allowing that approved host to access a single db name which does provide us a little better security since we have multiple db's on a single listener (dev, test, demo, stage for example and only dev should be accessed via the db link). We keep our db's up at the latest Oracle CPU level with a roughly 60 day lag time between release of the CPU and our deployment to production since we're very limited on the downtime we can take each month (1 month dev, next month prod).

If anyone has any docs or thoughts on how to better secure the 3rd party links I'd appreciate it.

Thanks,

mh

IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html

Pete Finnigan
PeteFinnigan.com Administrator

Oracle Security is easier if you design for it

View Profile | WWW | Email

Gender: male

Posts: 309

Re: 3rd party connections to Oracle db?
« Reply #1 on: Aug 24^th, 2008, 7:52pm »

Quote | Modify

Hmmmm,

This is a major issue for you; you presumably do not have much choice in allowing this or not?

From a mechanical level, OCM or valid node checking can be used as a very simple Oracle TNS level firewall but as you have noticed there is no way to add any security rules. In the real world these two methods are not easy to use successfully to block TNS unless everyone is on a static IP.

You can take cheap approaches in terms of defence in depth, i.e. add a logon trigger to prevent access via the link account unless it originates from the right app and location and any other rules. You can also add DDL triggers to prevent use of other privileges. Another method maybe to have the link user have no privileges and expose what is needed via PL/SQL API where the privs are definer rights via another user.

It is taken as read that your firewall and network seggeration / VPN are necessary.

At the application level you could use software such as Sentrigo Hedgehog to prevent any unauthorised actions. This will actually be useful at the database and application levels and because it runs at the database level any attempts at bypass are detected. Also it doesnt suffer from he issues associated with network based solutions. I should point out that my company is a reseller. I wrote a detailed review of Hedgehog here - http://www.petefinnigan.com/weblog/archives/00001179.htm

hth

cheers

Pete

IP Logged

Pete Finnigan
PeteFinnigan.com Administrator

Oracle Security is easier if you design for it

View Profile | WWW | Email

Gender: male

Posts: 309

Re: 3rd party connections to Oracle db?
« Reply #2 on: Aug 25^th, 2008, 2:47pm »

Quote | Modify

on Aug 24^th, 2008, 7:52pm, Pete Finnigan wrote:

Hmmmm,

This is a major issue for you; you presumably do not have much choice in allowing this or not?

We used to have choice ... now it's almost to the point where we can't get a client to sign unless they have remote access to the DB. Too many 3rd party apps and data warehousing req's.

Quote:

From a mechanical level, OCM or valid node checking can be used as a very simple Oracle TNS level firewall but as you have noticed there is no way to add any security rules. In the real world these two methods are not easy to use successfully to block TNS unless everyone is on a static IP.

One nice thing about coming over the WAN links is we can static NAT out the hosts on their side that should be allowed to connect. Send the desktop's through a dynamic IP Pool and we can pretty much ensure that only the single NAT'd IP connects. Not perfect security since there are ways around it but it's a step in the right direction.

Quote:

You can take cheap approaches in terms of defence in depth, i.e. add a logon trigger to prevent access via the link account unless it originates from the right app and location and any other rules. You can also add DDL triggers to prevent use of other privileges. Another method maybe to have the link user have no privileges and expose what is needed via PL/SQL API where the privs are definer rights via another user.

Thanks Pete! Will talk to our DBA's here about using this to add a layer of application security.

Quote:

At the application level you could use software such as Sentrigo Hedgehog to prevent any unauthorised actions. This will actually be useful at the database and application levels and because it runs at the database level any attempts at bypass are detected. Also it doesnt suffer from he issues associated with network based solutions. I should point out that my company is a reseller. I wrote a detailed review of Hedgehog here - http://www.petefinnigan.com/weblog/archives/00001179.htm

Will take a look at it. Thanks again Pete.

mh

IP Logged

Pete Finnigan
PeteFinnigan.com Administrator

Oracle Security is easier if you design for it

View Profile | WWW | Email

Gender: male

Posts: 309

Re: 3rd party connections to Oracle db?
« Reply #3 on: Aug 25^th, 2008, 3:39pm »

Quote | Modify

Hey Pete, just off the top of my head - anyone ever try putting a Hedgehog install on top of the OCM listener to filter SQL traffic before it gets to the real DB listener?

I don't know a whole lot about OCM's processing, but I believe OCM is just a DB listener under the covers.

mh

IP Logged

Pete Finnigan
PeteFinnigan.com Administrator

Oracle Security is easier if you design for it

View Profile | WWW | Email

Gender: male

Posts: 309

Re: 3rd party connections to Oracle db?
« Reply #4 on: Aug 25^th, 2008, 6:41pm »

Quote | Modify

Hi,

Defining an application role for the user used by the db-link could also be used as a measure to improve security (in addtion to other checks suggested by others). The user should have minimal privileges (only create session) all other privileges needed should be granted after executing a procedure that should test all kind of things relevant to your situation.
See Using Secure Application Roles to Enforce Security (http://www.oracle.com/technology/obe/obe10gdb/security/approles/approles .htm,
http://www.stanford.edu/dept/itss/docs/oracle/10g/network.101/b10773/apd vntro.htm,
Pete has also written about secure roles)
) for more information about application roles. I think application roles (based on procedures) came into existance with Oracle 9i.

I prefer secure roles above defining security in logon triggers because of the complexity if you have many schemas in your database. The logon trigger can become hard to read/maintain.

regards,

Ivan

IP Logged

Pete Finnigan
PeteFinnigan.com Administrator

Oracle Security is easier if you design for it

View Profile | WWW | Email

Gender: male

Posts: 309

Re: 3rd party connections to Oracle db?
« Reply #5 on: Aug 26^th, 2008, 9:44am »

Quote | Modify

Hi Mh and Ivan,

Ivan: The secure application roles are a good idea and use the same principals I was suggesting in terms of location, use etc. Of course on one hand its slightly better in that anyone logging in has no privilege (except the 27,000 public ones in 11g..

) but on the downside the connection succeeds, with the logon trigger we stop the connection at startup if its not the right process. I would suggest that for "better" security both approaches would work, security in depth!

mh: Sentrigo hedgehog attaches to the database shared memory segments so runs as close to the database as possible without being inside it. it doesn't use the networking or listeners so it has a great advantage in that it doesn't matter the connection type, whether normal listener or ocm hedgehog still captures tne traffic "in the database".

cheers

Pete

IP Logged

Pete Finnigan
PeteFinnigan.com Administrator

Oracle Security is easier if you design for it

View Profile | WWW | Email

Gender: male

Posts: 309

Re: 3rd party connections to Oracle db?
« Reply #6 on: Sep 3^rd, 2008, 10:06pm »

Quote | Modify

Thanks guys!

IP Logged

Pages: 1

Reply | Notify of replies | Send Topic | Print


« Previous topic \| Next topic »

PFCLScan
Simply connect PFCLScan to your Oracle database and it will automatically discover the security issues that could make your Oracle database vulnerable to attack and to the potential loss of your data.

Learn more
PFCLObfuscate
PFCLObfuscate is the only tool available that can automatically add license controls to your PL/SQL code. PFCLObfuscate protects your Intellectual Property invested in your PL/SQL database code.

Learn more
PFCLCode
PFCLCode is a tool to allow you to analyse your PL/SQL code for many different types of security issues. PFCLCode gives you a detailed review and reports and includes a powerful colour syntax highlighting code editor

Learn more
PFCLForensics
PFCLForensics is the only tool available to allow you to do a detailed live response of a breached Oracle database and to then go on and do a detailed forensic analysis of the data gathered.

Learn more
PFCLReselling
PeteFinnigan.com Limited has partnered with a small number of relevant companies to resell their products where they enhance or compliment what we do

Learn more
PFCLATK
PFCLATK is a toolkit that allows detailed pre-defined policy driven audit trails for your Oracle database. The toolkit also provides for a centralised audit trail and centralised activity reporting

Learn more
PFCLCookie
PFCLCookie is a useful tool to use to audit your websites for tracking cookies. Scan websites in a natural way using powerful browser driven scanner

Learn more
PFCLTraining
PFCLTraining is a set of expert training classes for you, aimed at teaching how to audit your own Oracle database, design audit trails, secure code in PL/SQL and secure and lock down your Oracle database.

Learn more
PFCLServices
Choose PFCLServices to add PeteFinnigan.com Ltd to your team for your Oracle Security needs. We are experts in performing detailed security audits, data security design work and policy creation

Learn more
PFCLConsulting
Choose PFCLConsulting to ask PeteFinnigan.com Limited to set up and use our products on your behalf

Learn more
PFCLCustom
All of our software products can be customised at a number of levels. Choose this to see how our products can be part of your products and services

Learn more
PFCLCloud
Private cloud, public cloud, hybrid cloud or no cloud. Learn how all of our services, trainings and products will work in the cloud

Learn more
PFCLUserRights
PFCLUserRights allows you to create a very detailed view of database users rights. The focus of the reports is to allow you to decide what privileges and accounts to keep and which to remove.

Learn more
PFCLSTK
PFCLSTK is a toolkit application that allows you to provide database security easily to an existing database. PFCLSTK is a policy driven toolkit of PL/SQL that creates your security

Learn more
PFCLSFTK
PFCLSFTK is a toolkit that solves the problem of securing third party applications written in PL/SQL. It does this by creating a thin layer between the application and database and this traps SQL Injection attempts. This is a static firewall.

Learn more
PFCLSEO
PFCLSEO is a web scanner based on the PFCLScan technology so that a user can easily scan a website for technical SEO issues

Learn more