Call now: 252-767-6166  
Oracle Training Oracle Support Development Oracle Apps

 E-mail Us
 Oracle Articles
New Oracle Articles

 Oracle Training
 Oracle Tips

 Oracle Forum
 Class Catalog

 Remote DBA
 Oracle Tuning
 Emergency 911
 RAC Support
 Apps Support
 Oracle Support

 SQL Tuning

 Oracle UNIX
 Oracle Linux
 Remote s
 Remote plans
 Application Server

 Oracle Forms
 Oracle Portal
 App Upgrades
 SQL Server
 Oracle Concepts
 Software Support

 Remote S


 Consulting Staff
 Consulting Prices
 Help Wanted!


 Oracle Posters
 Oracle Books

 Oracle Scripts

Don Burleson Blog 







Expert offers tips on securing Oracle databases

By Robert Westervelt, News Writer
15 Jul 2003 |

The database industry is still "plagued with substandard security," according to Oracle expert and author Don Burleson, who advises database administrators to limit access to their servers as a starting point in securing their systems.

Burleson advises Oracle DBAs to focus on their servers, which are often overlooked, in addition to securing the Oracle DBMS itself.

"This is especially important if your computers are networked together," he said. "If you have an inept Unix administrator, it's easy to hack in, and there's no holding you back at that point."

Burleson, an independent consultant who heads Kittrell, N.C.-based Burleson Oracle Consulting, has authored a host of Oracle Press textbooks and works with companies to break into systems and discover any security leaks.

When it comes to securing Oracle 9i, Burleson said, the biggest security mistake Oracle DBAs make is to fail to properly install it, which makes the database vulnerable to hackers and viruses. Oracle has virtually impenetrable security when properly installed, he said.

"What happens is that sometimes DBAs don't completely read the directions and, without meaning to, leave a security hole," he said.

Also, Oracle DBAs may fail to reset the default password and user ID. Keeping default passwords leaves the system wide open to attack, he said.

For starters, Burleson advises companies to allow only trusted IP addresses to access the database server. Second, using random password generators is a bad idea, according to Burleson. It virtually guarantees that users will have a written list of passwords.

To reduce common user passwords, one effective approach has been to link the password-changing software with the user's personnel records, so that the names of family members, street addresses and other easily guessed information may not be included in the password.

Oracle has improved database security in recent versions, Burleson said, by offering row-level security that is not available in other commercial database management products. With Oracle row-level security, users can only see their own work. DBAs don't have to worry about backdoor attacks, he said.

In Oracle 9i, database administrators can audit virtually every component of the database, including activity, schema changes and access at the column and row levels, he said.

"When dealing with a database as complex as Oracle 9i, writing a working audit script is a formidable challenge, because you must ignore all of the internal grants and roles, and focus on non-system users," he said.

Companies must also develop security systems for the data that feeds the applications, rather than only for the applications themselves, he said. This prevents hackers from bypassing the application and thus the security. Oracle applications can be secured in a variety of ways: through the use of Remote Authentication Dial-In User Service (RADIUS) adapters, authentication servers, and industry standard external authentication and encryption methods, he said.

Burleson, an Oracle devotee, compared Oracle's database security efforts with that of the other leading database vendors and called it superior.

Oracle has a number of authentication methods, including Kerberos security, a ticket-based authentication system that sidesteps some security risks. Oracle also uses virtual private databases, which restricts access to selected rows of tables, and "port access security," in which all Oracle applications are directed to listen on a predefined port for incoming connections and generally use a listener daemon process to poll for connections.

Ultimately, securing data in Oracle databases is the responsibility of one person: the DBA.

"It's up to the database administrator to ensure that everyone who accesses the application has the proper credentials," Burleson said.




Oracle Training at Sea
oracle dba poster

Follow us on Twitter 
Oracle performance tuning software 
Oracle Linux poster


Burleson is the American Team

Note: This Oracle documentation was created as a support and Oracle training reference for use by our DBA performance tuning consulting professionals.  Feel free to ask questions on our Oracle forum.

Verify experience! Anyone considering using the services of an Oracle support expert should independently investigate their credentials and experience, and not rely on advertisements and self-proclaimed expertise. All legitimate Oracle experts publish their Oracle qualifications.

Errata?  Oracle technology is changing and we strive to update our BC Oracle support information.  If you find an error or have a suggestion for improving our content, we would appreciate your feedback.  Just  e-mail:  

and include the URL for the page.


Burleson Consulting

The Oracle of Database Support

Oracle Performance Tuning

Remote DBA Services


Copyright © 1996 -  2020

All rights reserved by Burleson

Oracle ® is the registered trademark of Oracle Corporation.