Expert offers tips on securing Oracle databases
By Robert Westervelt, SearchOracle.com News Writer
15 Jul 2003 | SearchOracle.com
The database industry is still "plagued with substandard security,"
according to Oracle expert and author Don Burleson, who advises
database administrators to limit access to their servers as a starting
point in securing their systems.
Burleson advises Oracle DBAs to focus on their servers, which are
often overlooked, in addition to securing the Oracle DBMS itself.
"This is especially important if your computers are networked
together," he said. "If you have an inept Unix administrator, it's
easy to hack in, and there's no holding you back at that point."
Burleson, an independent consultant who heads Kittrell, N.C.-based
Burleson Oracle Consulting, has authored a host of Oracle Press
textbooks and works with companies to break into systems and discover
any security leaks.
When it comes to securing Oracle 9i, Burleson said, the biggest
security mistake Oracle DBAs make is to fail to properly install it,
which makes the database vulnerable to hackers and viruses. Oracle has
virtually impenetrable security when properly installed, he said.
"What happens is that sometimes DBAs don't completely read the
directions and, without meaning to, leave a security hole," he said.
Also, Oracle DBAs may fail to reset the default password and user
ID. Keeping default passwords leaves the system wide open to attack,
For starters, Burleson advises companies to allow only trusted IP
addresses to access the database server. Second, using random password
generators is a bad idea, according to Burleson. It virtually
guarantees that users will have a written list of passwords.
To reduce common user passwords, one effective approach has been to
link the password-changing software with the user's personnel records,
so that the names of family members, street addresses and other easily
guessed information may not be included in the password.
Oracle has improved database security in recent versions, Burleson
said, by offering row-level security that is not available in other
commercial database management products. With Oracle row-level
security, users can only see their own work. DBAs don't have to worry
about backdoor attacks, he said.
In Oracle 9i, database administrators can audit virtually every
component of the database, including activity, schema changes and
access at the column and row levels, he said.
"When dealing with a database as complex as Oracle 9i, writing a
working audit script is a formidable challenge, because you must
ignore all of the internal grants and roles, and focus on non-system
users," he said.
Companies must also develop security systems for the data that
feeds the applications, rather than only for the applications
themselves, he said. This prevents hackers from bypassing the
application and thus the security. Oracle applications can be secured
in a variety of ways: through the use of Remote Authentication Dial-In
User Service (RADIUS) adapters, authentication servers, and industry
standard external authentication and encryption methods, he said.
Burleson, an Oracle devotee, compared Oracle's database security
efforts with that of the other leading database vendors and called it
Oracle has a number of authentication methods, including Kerberos
security, a ticket-based authentication system that sidesteps some
security risks. Oracle also uses virtual private databases, which
restricts access to selected rows of tables, and "port access
security," in which all Oracle applications are directed to listen on
a predefined port for incoming connections and generally use a
listener daemon process to poll for connections.
Ultimately, securing data in Oracle databases is the responsibility
of one person: the DBA.
"It's up to the database administrator to ensure that everyone who
accesses the application has the proper credentials," Burleson said.