Pete Finnigan's Oracle Security Forum (http://www.petefinnigan.com/forum/yabb/YaBB.cgi)
Oracle Security >> Oracle Security >> 3rd party connections to Oracle db?
(Message started by: Pete Finnigan on Aug 22nd, 2008, 9:50pm)

Title: 3rd party connections to Oracle db?
Post by Pete Finnigan on Aug 22nd, 2008, 9:50pm
Hello all,

We are currently looking at ways to allow our clients to securely access their ERP databases (which we are hosting) via Point-to-Point WAN links or VPN. To date, we have only allowed access from internally controlled Citrix/MS Term Servers but we are seeing a significant number of requests from clients where they need to integrate non-hosted 3rd party apps or to perform dblinks for data warehousing systems at their location(s).

We have implemented the usual protections already - firewalls only allowing the single data warehouse/remote db access on the single SQLnet port, IDP, hardened Oracle installs - but from an application layer I don't see anything from preventing a remote db, which we don't
necessarily trust for a variety of reasons, from issuing a "bad"command to the db on our side other than the permission level of the account used in the db link. Is there some sort of "application firewall" for the Oracle stack that would make sense to look at? We have looked at Oracle Connection Manager (OCM) already and it doesn't really do any "security checks" as far as SQL requests. It is primarily looking at IP/Port info and allowing that approved host to access a single db name which does provide us a little better security since we have multiple db's on a single listener (dev, test, demo, stage for example and only dev should be accessed via the db link). We keep our db's up at the latest Oracle CPU level with a roughly 60 day lag time between release of the CPU and our deployment to production since we're very limited on the downtime we can take each month (1 month dev, next month prod).

If anyone has any docs or thoughts on how to better secure the 3rd party links I'd appreciate it.

Thanks,

mh

Title: Re: 3rd party connections to Oracle db?
Post by Pete Finnigan on Aug 24th, 2008, 7:52pm
Hmmmm,

This is a major issue for you; you presumably do not have much choice in allowing this or not?

From a mechanical level, OCM or valid node checking can be used as a very simple Oracle TNS level firewall but as you have noticed there is no way to add any security rules. In the real world these two methods are not easy to use successfully to block TNS unless everyone is on a static IP.

You can take cheap approaches in terms of defence in depth, i.e. add a logon trigger to prevent access via the link account unless it originates from the right app and location and any other rules. You can also add DDL triggers to prevent use of other privileges. Another method maybe to have the link user have no privileges and expose what is needed via PL/SQL API where the privs are definer rights via another user.

It is taken as read that your firewall and network seggeration / VPN are necessary.

At the application level you could use software such as Sentrigo Hedgehog to prevent any unauthorised actions. This will actually be useful at the database and application levels and because it runs at the database level any attempts at bypass are detected. Also it doesnt suffer from he issues associated with network based solutions. I should point out that my company is a reseller. I wrote a detailed review of Hedgehog here - http://www.petefinnigan.com/weblog/archives/00001179.htm

hth

cheers

Pete

Title: Re: 3rd party connections to Oracle db?
Post by Pete Finnigan on Aug 25th, 2008, 2:47pm

on 08/24/08 at 19:52:06, Pete Finnigan wrote:
Hmmmm,

This is a major issue for you; you presumably do not have much choice in allowing this or not?


We used to have choice ... now it's almost to the point where we can't get a client to sign unless they have remote access to the DB. Too many 3rd party apps and data warehousing req's.


Quote:
From a mechanical level, OCM or valid node checking can be used as a very simple Oracle TNS level firewall but as you have noticed there is no way to add any security rules. In the real world these two methods are not easy to use successfully to block TNS unless everyone is on a static IP.


One nice thing about coming over the WAN links is we can static NAT out the hosts on their side that should be allowed to connect. Send the desktop's through a dynamic IP Pool and we can pretty much ensure that only the single NAT'd IP connects. Not perfect security since there are ways around it but it's a step in the right direction.


Quote:
You can take cheap approaches in terms of defence in depth, i.e. add a logon trigger to prevent access via the link account unless it originates from the right app and location and any other rules. You can also add DDL triggers to prevent use of other privileges. Another method maybe to have the link user have no privileges and expose what is needed via PL/SQL API where the privs are definer rights via another user.


Thanks Pete! Will talk to our DBA's here about using this to add a layer of application security.


Quote:
At the application level you could use software such as Sentrigo Hedgehog to prevent any unauthorised actions. This will actually be useful at the database and application levels and because it runs at the database level any attempts at bypass are detected. Also it doesnt suffer from he issues associated with network based solutions. I should point out that my company is a reseller. I wrote a detailed review of Hedgehog here - http://www.petefinnigan.com/weblog/archives/00001179.htm


Will take a look at it. Thanks again Pete.

mh

Title: Re: 3rd party connections to Oracle db?
Post by Pete Finnigan on Aug 25th, 2008, 3:39pm
Hey Pete, just off the top of my head - anyone ever try putting a Hedgehog install on top of the OCM listener to filter SQL traffic before it gets to the real DB listener?

I don't know a whole lot about OCM's processing, but I believe OCM is just a DB listener under the covers.

mh

Title: Re: 3rd party connections to Oracle db?
Post by Pete Finnigan on Aug 25th, 2008, 6:41pm
Hi,

Defining an application role for the user used by the db-link could also be used as a measure to improve security (in addtion to other checks suggested by others). The user should have minimal privileges (only create session) all other privileges needed should be granted after executing a procedure that should test all kind of things relevant to your situation.
See Using Secure Application Roles to Enforce Security (http://www.oracle.com/technology/obe/obe10gdb/security/approles/approles.htm,
http://www.stanford.edu/dept/itss/docs/oracle/10g/network.101/b10773/apdvntro.htm,
Pete has also written about secure roles)
) for more information about application roles. I think application roles (based on procedures) came into existance with Oracle 9i.

I prefer secure roles above defining security in logon triggers because of the complexity if you have many schemas in your database. The logon trigger can become hard to read/maintain.

regards,

Ivan

Title: Re: 3rd party connections to Oracle db?
Post by Pete Finnigan on Aug 26th, 2008, 9:44am
Hi Mh and Ivan,

Ivan: The secure application roles are a good idea and use the same principals I was suggesting in terms of location, use etc. Of course on one hand its slightly better in that anyone logging in has no privilege (except the 27,000 public ones in 11g..:-)) but on the downside the connection succeeds, with the logon trigger we stop the connection at startup if its not the right process. I would suggest that for "better" security both approaches would work, security in depth!

mh: Sentrigo hedgehog attaches to the database shared memory segments so runs as close to the database as possible without being inside it. it doesn't use the networking or listeners so it has a great advantage in that it doesn't matter the connection type, whether normal listener or ocm hedgehog still captures tne traffic "in the database".

cheers

Pete

Title: Re: 3rd party connections to Oracle db?
Post by Pete Finnigan on Sep 3rd, 2008, 10:06pm
Thanks guys!



Powered by YaBB 1 Gold - SP 1.4!
Forum software copyright © 2000-2004 Yet another Bulletin Board