Call now: 252-767-6166  
Oracle Training Oracle Support Development Oracle Apps

 
 Home
 E-mail Us
 Oracle Articles
New Oracle Articles


 Oracle Training
 Oracle Tips

 Oracle Forum
 Class Catalog


 Remote DBA
 Oracle Tuning
 Emergency 911
 RAC Support
 Apps Support
 Analysis
 Design
 Implementation
 Oracle Support


 SQL Tuning
 Security

 Oracle UNIX
 Oracle Linux
 Monitoring
 Remote s
upport
 Remote plans
 Remote
services
 Application Server

 Applications
 Oracle Forms
 Oracle Portal
 App Upgrades
 SQL Server
 Oracle Concepts
 Software Support

 Remote S
upport  
 Development  

 Implementation


 Consulting Staff
 Consulting Prices
 Help Wanted!

 


 Oracle Posters
 Oracle Books

 Oracle Scripts
 Ion
 Excel-DB  

Don Burleson Blog 


 

 

 


 

 


Experts offer tips on securing Oracle Databases

 

By Robert Westervelt, SearchOracle.com News Writer
15 Jul 2003 | SearchOracle.com

The database industry is still "plagued with substandard security," according to Oracle expert and author Don Burleson, who advises database administrators to limit access to their servers as a starting point in securing their systems.

Burleson advises Oracle DBAs to focus on their servers, which are often overlooked, in addition to securing the Oracle DBMS itself.

"This is especially important if your computers are networked together," he said. "If you have an inept Unix administrator, it's easy to hack in, and there's no holding you back at that point."

Burleson, an independent consultant who heads Kittrell, N.C.-based Burleson Oracle Consulting, has authored a host of Oracle Press textbooks and works with companies to break into systems and discover any security leaks.

When it comes to securing Oracle 9i, Burleson said, the biggest security mistake Oracle DBAs make is to fail to properly install it, which makes the database vulnerable to hackers and viruses. Oracle has virtually impenetrable security when properly installed, he said.

"What happens is that sometimes DBAs don't completely read the directions and, without meaning to, leave a security hole," he said.

Also, Oracle DBAs may fail to reset the default password and user ID. Keeping default passwords leaves the system wide open to attack, he said.

For starters, Burleson advises companies to allow only trusted IP addresses to access the database server. Second, using random password generators is a bad idea, according to Burleson. It virtually guarantees that users will have a written list of passwords.

To reduce common user passwords, one effective approach has been to link the password-changing software with the user's personnel records, so that the names of family members, street addresses and other easily guessed information may not be included in the password.

Oracle has improved database security in recent versions, Burleson said, by offering row-level security that is not available in other commercial database management products. With Oracle row-level security, users can only see their own work. DBAs don't have to worry about backdoor attacks, he said.

In Oracle 9i, database administrators can audit virtually every component of the database, including activity, schema changes and access at the column and row levels, he said.

"When dealing with a database as complex as Oracle 9i, writing a working audit script is a formidable challenge, because you must ignore all of the internal grants and roles, and focus on non-system users," he said.

Companies must also develop security systems for the data that feeds the applications, rather than only for the applications themselves, he said. This prevents hackers from bypassing the application and thus the security. Oracle applications can be secured in a variety of ways: through the use of Remote Authentication Dial-In User Service (RADIUS) adapters, authentication servers, and industry standard external authentication and encryption methods, he said.

Burleson, an Oracle devotee, compared Oracle's database security efforts with that of the other leading database vendors and called it superior.

Oracle has a number of authentication methods, including Kerberos security, a ticket-based authentication system that sidesteps some security risks. Oracle also uses virtual private databases, which restricts access to selected rows of tables, and "port access security," in which all Oracle applications are directed to listen on a predefined port for incoming connections and generally use a listener daemon process to poll for connections.

Ultimately, securing data in Oracle databases is the responsibility of one person: the DBA.

"It's up to the database administrator to ensure that everyone who accesses the application has the proper credentials," Burleson said.




 

 

 

 

 

��  
 
 
Oracle Training at Sea
 
 
 
 
oracle dba poster
 

 
Follow us on Twitter 
 
Oracle performance tuning software 
 
Oracle Linux poster
 
 
 

 

Burleson is the American Team

Note: This Oracle documentation was created as a support and Oracle training reference for use by our DBA performance tuning consulting professionals.  Feel free to ask questions on our Oracle forum.

Verify experience! Anyone considering using the services of an Oracle support expert should independently investigate their credentials and experience, and not rely on advertisements and self-proclaimed expertise. All legitimate Oracle experts publish their Oracle qualifications.

Errata?  Oracle technology is changing and we strive to update our BC Oracle support information.  If you find an error or have a suggestion for improving our content, we would appreciate your feedback.  Just  e-mail:  

and include the URL for the page.


                    









Burleson Consulting

The Oracle of Database Support

Oracle Performance Tuning

Remote DBA Services


 

Copyright © 1996 -  2017

All rights reserved by Burleson

Oracle ® is the registered trademark of Oracle Corporation.

Remote Emergency Support provided by Conversational