
Expert offers tips on securing Oracle databases
By Robert Westervelt, SearchOracle.com News Writer
15 Jul 2003 | SearchOracle.com
The database industry is still "plagued with substandard security,"
according to Oracle expert and author Don Burleson, who advises
database administrators to limit access to their servers as a starting
point in securing their systems.
Burleson advises Oracle DBAs to focus on their servers, which are
often overlooked, in addition to securing the Oracle DBMS itself.
"This is especially important if your computers are networked
together," he said. "If you have an inept Unix administrator, it's
easy to hack in, and there's no holding you back at that point."
Burleson, an independent consultant who heads Kittrell, N.C.-based
Burleson Oracle Consulting, has authored a host of Oracle Press
textbooks and works with companies to break into systems and discover
any security leaks.
When it comes to securing Oracle 9i, Burleson said, the biggest
security mistake Oracle DBAs make is to fail to properly install it,
which makes the database vulnerable to hackers and viruses. Oracle has
virtually impenetrable security when properly installed, he said.
"What happens is that sometimes DBAs don't completely read the
directions and, without meaning to, leave a security hole," he said.
Also, Oracle DBAs may fail to reset the default password and user
ID. Keeping default passwords leaves the system wide open to attack,
he said.
For starters, Burleson advises companies to allow only trusted IP
addresses to access the database server. Second, using random password
generators is a bad idea, according to Burleson. It virtually
guarantees that users will have a written list of passwords.
To reduce common user passwords, one effective approach has been to
link the password-changing software with the user's personnel records,
so that the names of family members, street addresses and other easily
guessed information may not be included in the password.
Oracle has improved database security in recent versions, Burleson
said, by offering row-level security that is not available in other
commercial database management products. With Oracle row-level
security, users can only see their own work. DBAs don't have to worry
about backdoor attacks, he said.
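As an added illustration of the row-level restriction described above (example code, not from the article or from Burleson), here is an Oracle virtual private database (VPD) policy in PL/SQL that limits each session to its own rows. The schema app, the table work_items, the function and the policy name are assumed for the example.

```sql
-- Constructed example table: each row records the user who created it.
CREATE TABLE app.work_items (
  item_id    NUMBER PRIMARY KEY,
  owner_user VARCHAR2(30) DEFAULT USER NOT NULL,
  details    VARCHAR2(200)
);

-- Policy function. DBMS_RLS requires the signature (schema, object) and a
-- return value that is the predicate string appended to every statement.
CREATE OR REPLACE FUNCTION app.own_rows_only (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2
) RETURN VARCHAR2
AS
BEGIN
  -- The predicate is evaluated inside the querying session, so a user cannot
  -- remove it by rewriting the SQL they submit through the application.
  RETURN 'owner_user = SYS_CONTEXT(''USERENV'', ''SESSION_USER'')';
END;
/

-- Attach the policy to SELECT, INSERT, UPDATE and DELETE. update_check => TRUE
-- also rejects INSERT/UPDATE rows that fall outside the predicate, so a user
-- cannot write rows they would then be unable to see.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'APP',
    object_name     => 'WORK_ITEMS',
    policy_name     => 'WORK_ITEMS_OWN_ROWS',
    function_schema => 'APP',
    policy_function => 'OWN_ROWS_ONLY',
    statement_types => 'SELECT, INSERT, UPDATE, DELETE',
    update_check    => TRUE,
    enable          => TRUE
  );
END;
/

-- Check: connected as ALICE, this statement is rewritten by the database to
--   SELECT item_id, details FROM app.work_items WHERE owner_user = 'ALICE'
-- and returns only ALICE's rows, whatever the application sends.
SELECT item_id, details FROM app.work_items;
```

One caveat a DBA auditing this should keep in mind: SYS and any account holding the EXEMPT ACCESS POLICY privilege bypass VPD policies, so that privilege belongs on the list of grants to review alongside the policy itself.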
In Oracle 9i, database administrators can audit virtually every
component of the database, including activity, schema changes and
access at the column and row levels, he said.
"When dealing with a database as complex as Oracle 9i, writing a
working audit script is a formidable challenge, because you must
ignore all of the internal grants and roles, and focus on non-system
users," he said.
Companies must also develop security systems for the data that
feeds the applications, rather than only for the applications
themselves, he said. This prevents hackers from bypassing the
application and thus the security. Oracle applications can be secured
in a variety of ways: through the use of Remote Authentication Dial-In
User Service (RADIUS) adapters, authentication servers, and industry-standard
external authentication and encryption methods, he said.
Burleson, an Oracle devotee, compared Oracle's database security
efforts with those of the other leading database vendors and called them
superior.
Oracle has a number of authentication methods, including Kerberos
security, a ticket-based authentication system that sidesteps some
security risks. Oracle also uses virtual private databases, which
restrict access to selected rows of tables, and "port access
security," in which all Oracle applications are directed to listen on
a predefined port for incoming connections and generally use a
listener daemon process to poll for connections.
Ultimately, securing data in Oracle databases is the responsibility
of one person: the DBA.
"It's up to the database administrator to ensure that everyone who
accesses the application has the proper credentials," Burleson said.