Experts offer tips on securing
By Robert Westervelt, SearchOracle.com News Writer
15 Jul 2003 | SearchOracle.com
The database industry is still "plagued with substandard
security," according to Oracle expert and author Don Burleson,
who advises database administrators to limit access to their
servers as a starting point in securing their systems.
Burleson advises Oracle DBAs to focus on their servers,
which are often overlooked, in addition to securing the Oracle
"This is especially important if your computers are
networked together," he said. "If you have an inept Unix
administrator, it's easy to hack in, and there's no holding
you back at that point."
Burleson, an independent consultant who heads Kittrell,
N.C.-based Burleson Oracle Consulting, has authored a host of
Oracle Press textbooks and works with companies to break into
systems and discover any security leaks.
When it comes to securing Oracle 9i, Burleson said, the
biggest security mistake Oracle DBAs make is to fail to
properly install it, which makes the database vulnerable to
hackers and viruses. Oracle has virtually impenetrable
security when properly installed, he said.
"What happens is that sometimes DBAs don't completely read
the directions and, without meaning to, leave a security
hole," he said.
Also, Oracle DBAs may fail to reset the default password
and user ID. Keeping default passwords leaves the system wide
open to attack, he said.
For starters, Burleson advises companies to allow only
trusted IP addresses to access the database server. Second,
using random password generators is a bad idea, according to
Burleson. It virtually guarantees that users will have a
written list of passwords.
To reduce common user passwords, one effective approach has
been to link the password-changing software with the user's
personnel records, so that the names of family members, street
addresses and other easily guessed information may not be
included in the password.
Oracle has improved database security in recent versions,
Burleson said, by offering row-level security that is not
available in other commercial database management products.
With Oracle row-level security, users can only see their own
work. DBAs don't have to worry about backdoor attacks, he
In Oracle 9i, database administrators can audit virtually
every component of the database, including activity, schema
changes and access at the column and row levels, he said.
"When dealing with a database as complex as Oracle 9i,
writing a working audit script is a formidable challenge,
because you must ignore all of the internal grants and roles,
and focus on non-system users," he said.
Companies must also develop security systems for the data
that feeds the applications, rather than only for the
applications themselves, he said. This prevents hackers from
bypassing the application and thus the security. Oracle
applications can be secured in a variety of ways: through the
use of Remote Authentication Dial-In User Service (RADIUS)
adapters, authentication servers, and industry standard
external authentication and encryption methods, he said.
Burleson, an Oracle devotee, compared Oracle's database
security efforts with that of the other leading database
vendors and called it superior.
Oracle has a number of authentication methods, including
Kerberos security, a ticket-based authentication system that
sidesteps some security risks. Oracle also uses virtual
private databases, which restricts access to selected rows of
tables, and "port access security," in which all Oracle
applications are directed to listen on a predefined port for
incoming connections and generally use a listener daemon
process to poll for connections.
Ultimately, securing data in Oracle databases is the
responsibility of one person: the DBA.
"It's up to the database administrator to ensure that
everyone who accesses the application has the proper
credentials," Burleson said.