Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "V3rity has released a redo log mining tool to extract DDL from redo logs"] [Next entry: "Pete Finnigan will be teaching Oracle Security in Tallinn, Estonia and speaking at UKOUG Unix SIG at TVP"]

Do Oracle 11g features weaken security?

I did a session at the Logica Guru4Pro event a few weeks ago and posted the slides to my site on my Oracle security white papers page. I also talked about this in my blog in a post titled "New Oracle Security presentation available".

After that post Alex skyped me to ask me what I meant in slide 33 where i said "11gR1 has broken this with the default sid/service name feature". In slide 33 i am talking about what i call the "Access Issue", i.e. to access a database at the TNS level, say through SQL*Plus you need certain information; IP Address/Hostname, port, service name/SID, usrername/password. In real life most sites make this information available simply by shipping some of this information to the desktop. Most sites I have been to, usernames and passwords are guessable so in most cases its easy (if you try) to connect to a database.

If one of the peices of information; the service name is no longer necessary then in my opinion that reduces the security of the database in that it makes it easier for anyone to attempt access. When Alex skyped me i described the meaning of this to him but couldnt find a link. Alex skyped me again last night to say he had found a link. The DEFAULT_SERVICE_{listener name} expects a fully qualified service name. This parameter of the listener.ora file is not turned on by default. So by default 11g security is not weakened. If you use this new parameter you are weakening security of your database as you are allowing people to attempt to connect without finding out one of the key peieces of information necessary to do so.

There has been 5 Comments posted on this article

July 1st, 2010 at 12:57 pm

Pete Finnigan says:

And by fueling your car you're making it easier for thieves to steal it. So?

July 2nd, 2010 at 01:20 am

Pete Finnigan says:

Car needs petrol. Oracle DB does not need a default SID - so not really analogous.
What could be the reasons for setting this parameter except for saving time connecting?

July 2nd, 2010 at 02:08 pm

Pete Finnigan says:

Thanks for your comment Mike. I think Paul summed it up nicely. You need to know the service name to connect. If you then dint need to know it (i.e. its not required) then that has to weaken the security. So, I am warning people; if they choose to set this then they potentially lessen the security of the database.



July 5th, 2010 at 10:07 am

Pete Finnigan says:

The fact that a non-default service name contributes something to security is purely incidental. It's a little like shutting off the lights where you park your car so that the theives can't see what they're doing.

I think it's a terrible disservice to waste what little attention people give to security on this. Better tell them again not to have guessable passwords. That's the feature that is designed, and has a real potential, for keeping the bad guys out of databases.

July 5th, 2010 at 08:45 pm

Pete Finnigan says:

Hi Anon,

Thanks for your comment.

I think that the post has stimulated some conversation and thats a good thing.

My experience, as i have said a few times is that the basic building blocks of being able tp perform a connection to the database are often left lying around, given to everyone (example in the post), easily guessable and more. Making one of the peices not necessary makes it even simpler so its worth mentioning but you are right, people need to get the basics right. Fix weak passwords, dont use guessable sid's dont use default ports but more importantly use a firewall/IDS/IPS to prevent connections to the database in the first place.

Disservice? - I dont think so, lets cover all bases.

Thanks again, its good to discuss these issues

Kind regards