Database Administration with Style!

Database Diva Presents: Security Tutorials for Overworked Oracle™ Database Administrators

Database Server Security

"Security needs to be designed in to the system, not bolted on afterward" Mary Ann Davidson, Oracle CSO

Server security is easiest to achieve by designing security into the data center. If your databases are already hosted, you may be able to "bolt on" some secure features, but others may have to wait until new servers are required.

  • Restrict physical access to the server by keeping it in a locked room. Only grant access to the server room to server and network administrators.
  • Separate the application from the database. Keep databases on a dedicated database server.
  • Keep the database server behind a firewall.
  • Work with your system and network administrators to identify activity that should be allowed, and activity that should be prohibited.
  • Only allow system and database administrators to have login privileges on the database server.
  • On Unix servers, require system and database administrators to login with individually identifiable user ids, and use "sudo" for privileged commands.
  • Require strong passwords and regular password changes for operating system users.
  • Disable unnecessary services.
  • On Windows servers, do not allow file system "sharing". In Unix, do not export file systems.
  • Use Network Address Translations (NAT) to shield server IP addresses.
  • Keep abreast of security issues pertaining to the operating system, and keep the operating system patched to the current level.
  • On Unix systems, use a umask of 027 and set permission on all database file systems to 750. If only members of the dba group will use the Oracle binaries, set the permission on the file system where the binaries are installed to 750.
  • Restrict access to backup tapes and export files. Unless you are using an encrypted backup techonolgy, such as Oracle Secure Backup, access to the backups is an easy way to gain access to your data, and very hard to detect.

Scanning Tools

Scanning tools help you find vulnerabilities in your server network. Unfortunately, they will do the same for attackers. Chances are, your network has been scanned. Find out what the attackers already know. Work with your system and network administrators to determine which scanning tools to use, and then review the results with them.

  • AppDetective - AppDetective is a network-baksed vulnerability assessment scanner written specifically to identify database issues.
  • AppSentry for Oracle AppSentry for Oracle from Integrigy performs checks on the server, software and database configuration, with over 100 Oracle specific items. Can be configured to perform a brute force database attack.
  • Nessus - Nessus is a comprehensive scanning tool for discovering security problems. Nessus plugins extend the functionality of the tool. New plugins are released as new vulnerabilities are discovered. There are over 40 plugins for Oracle vulnerabilities.
  • NGSSquirrel for Oracle - an Oracle specific network scanner that checks for patch levels, password issues, listener vulnerabilities in Enterprise or single server networks.

Links to more information about server and network security

About.Com

Last update 05/14/2008

Oracle, JD Edwards, PeopleSoft, and Siebel are registered trademarks of Oracle Corporation and/or its affiliates.