High Availability

OS & Virtualization

Monday, January 28, 2013

Are you encrypting database traffic?

Encrypting Oracle network traffic safeguards sensitive data such as social security numbers, credit card numbers and other personally identifiable information against packet sniffing. Packet sniffing is where an attacker tries to capture unencrypted data by using a network sniffer. This sniffing takes place without the knowledge of either the client machine or database server.

With Oracle Advanced Security, you can set up network encryption to your database in a matter of hours. You can also configure your Oracle databases to only accept mutually authenticated and encrypted connections. This means that in addition to protecting against network eavesdropping, you can also protect against unauthorized connections to your database.


Oracle Net Native Encryption


These lines were added to sqlnet.ora on the database server:

SQLNET.ENCRYPTION_TYPES_SERVER = RC4_256
SQLNET.ENCRYPTION_SERVER = required


You can also use Oracle Net Manager to achieve the same result (do this on both client and server):

1. Go to Local -> Profile
2. Select Oracle Advanced Security -> Encryption

No additional configuration was necessary. We connected to the database and retrieved the same data.

 http://www.oracle.com/webfolder/technetwork/tutorials/obe/db/11g/r2/prod/security/network_encrypt/ntwrkencrypt.htm

Client Access Control


Oracle Net valid node checking lets you allow or deny access to an Oracle database server based on the IP address (or host name) of the client machine making the request. You can control access to the database server by specifying either which machines are allowed access or which machines are denied access.

To use the node validation feature, set the following sqlnet.ora (protocol.ora for Oracle 8) parameters on the database server:

# Enable node validation
tcp.validnode_checking = YES

# Prevent these client IP addresses from
# making connections to the Oracle listener.
tcp.excluded_nodes = {list of IP addresses}

# Allow these IP addresses to connect.
tcp.invited_nodes = {list of IP addresses}
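The sqlnet.ora settings above (native encryption and valid node checking) can be audited mechanically. The following is an added example, not code from the post; it assumes Oracle's documented parameter names and treats the RC4 and DES families, which Oracle has since deprecated in favour of AES, as weak, so it flags the RC4_256 choice shown earlier.

```python
# Added example (not the blog's own code): audit a sqlnet.ora against the settings
# discussed above. Cipher names are Oracle's; Oracle deprecates RC4/DES in favour of AES.
WEAK_CIPHERS = {"RC4_40", "RC4_56", "RC4_128", "RC4_256", "DES", "DES40", "3DES112", "3DES168"}

def parse_sqlnet(text):
    """Parse KEY = VALUE or KEY = (v1, v2) lines into {UPPER_KEY: [UPPER values]}."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        values = [v.strip().upper() for v in value.strip().strip("()").split(",") if v.strip()]
        params[key.strip().upper()] = values
    return params

def audit_sqlnet(text):
    """Return findings; an empty list means the profile meets the hardened baseline."""
    p = parse_sqlnet(text)
    findings = []
    if p.get("SQLNET.ENCRYPTION_SERVER", ["ACCEPTED"])[0] != "REQUIRED":
        findings.append("SQLNET.ENCRYPTION_SERVER is not REQUIRED: cleartext clients still accepted")
    weak = WEAK_CIPHERS & set(p.get("SQLNET.ENCRYPTION_TYPES_SERVER", []))
    if weak:
        findings.append("weak encryption types offered: " + ", ".join(sorted(weak)))
    if p.get("SQLNET.CRYPTO_CHECKSUM_SERVER", ["ACCEPTED"])[0] != "REQUIRED":
        findings.append("SQLNET.CRYPTO_CHECKSUM_SERVER is not REQUIRED: no integrity protection")
    if p.get("TCP.VALIDNODE_CHECKING", ["NO"])[0] != "YES":
        findings.append("tcp.validnode_checking is off: any client address may reach the listener")
    elif not p.get("TCP.INVITED_NODES"):
        findings.append("tcp.validnode_checking is on but tcp.invited_nodes is empty")
    return findings

# Constructed sample 1: exactly the two lines the post adds to sqlnet.ora.
POST_CONFIG = """
SQLNET.ENCRYPTION_TYPES_SERVER = RC4_256
SQLNET.ENCRYPTION_SERVER = required
"""
# Constructed sample 2: AES only, integrity checksums, and an allow-list of client addresses.
HARDENED_CONFIG = """
SQLNET.ENCRYPTION_SERVER = REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)
SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED
tcp.validnode_checking = YES
tcp.invited_nodes = (192.168.1.10, appserver.example.com)   # constructed client addresses
"""
if __name__ == "__main__":
    for name, cfg in (("post", POST_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sqlnet(cfg) or ["OK"])
```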

Protecting Oracle Network Traffic with SSH Tunnelling


SSH provides a secure encrypted communications channel between two machines over an insecure network. A client machine can connect to an Oracle database over a secure SSH connection by using port forwarding. SSH port forwarding provides another way to protect data privacy through encryption and safeguard against data interception and alteration.


Creating an SSH tunnel between a client machine and an Oracle database server requires an SSH client to be present on the client machine and an SSH server to be present on the database server. No database configuration is necessary on the database server.

On the Server

1. Install CopSSH (http://www.itefix.no/i2/copssh)
2. Create a Windows user and activate this user


On the Client

1. Install PuTTY
2. Under Connection -> SSH -> Tunnels:
   a. Enter a source port (can be any free port, e.g. 8080)
   b. Enter the destination: the database server IP address and listener port (e.g. 192.168.1.1:1521)
   c. Check "Local ports accept connections from other hosts"
3. Modify tnsnames.ora to use localhost and the source port

In addition to being encrypted, data passed through an SSH tunnel is automatically integrity checked and authenticated using SSH credentials.
