I would like to start a series of write-ups/posts based on my experience of how to perform a security audit for Oracle Database and Applications.
I hope it will help you become aware of the areas related to Oracle Database & Applications security and data security, and to perform frequent internal security audits as both proactive and reactive measures.
Assumption: Though most of the topics will be in plain English / layman's language, I assume that the reader has and understands basic RDBMS, application, data and networking concepts.
I don't want to rush multiple concepts into one post; I would like to go step by step with detailed analysis and description. In this series of posts I am not going to talk about tools that automate the complete audit operation. The idea is to explain the key areas/factors related to data security, the recommendations/guidelines related to them, how and what to audit, and the actions to be taken.
So let us begin...
What is Data Security? In simple terms: ensuring my data (sensitive or not) is not visible or accessible to others, and is always available and accessible to me.
I don't want to elaborate further; I assume the readers already know what data security is.
What are the areas we need to protect and monitor for Data Security (high level)?
(In other words: the areas you should plan to audit for data security.)
Network: the network layer plays a vital role in IT data security.
IP address and port access should be maintained precisely so that intruders cannot get into our systems. Based on the sensitivity and volume of the data, it is recommended to have an ethical hacker on board to take proactive and reactive actions.
1. Production servers and non-production servers are highly recommended to be in two different networks.
2. Production servers (file system, database and applications) are not recommended to be accessible from non-prod servers.
3. Mandatory: Production servers (file system, database and applications) should not be visible outside the network (if there is a requirement, network security should be tightened so that only the one specific application is accessible).
4. Production (database and application) ports should not use the defaults like 1521 for the DB and 8000 for Applications. The reason: 1521 and 8000 are the worldwide-known default Oracle Database and Applications ports, so intruders can get into the system very easily.
For Applications, it is recommended to implement SSL for Oracle Applications, or the traffic that comes to the Oracle Applications server should be protected by SSL, for example by a hardware load balancer.
5. Highly recommended: set TCP.INVITED_NODES in sqlnet.ora, which will not let any IP address not mentioned in INVITED_NODES access the database.
6. Subscribe to Oracle OTN notifications, through which you will get frequent Oracle security updates. Also (related to this topic), if any network vulnerability is released, for example the POODLE vulnerability related to SSLv3, you will get to know and can take immediate action.
How and What to Audit:
1. Get the list of non-production servers and sort them by the number of developers or users using them. All servers need to be controlled and checked, but in general the servers accessed by a high number of users should be continuously monitored and checked.
2. Though there are lots of monitoring tools available, as a basic component you can use telnet.
3. Check that the points mentioned in the guidelines are met; if not, work with the network team to block the ports (action to be taken).
4. For Oracle Database:
Log in to the non-production database server and do a tnsping/telnet to the production host IP on port 1521:
telnet 192.168.1.2 1521
You may also do:
netstat -anp | grep 1521
It should not be successful. If it is successful, check with the DBAs to change the DB port to something other than 1521.
5. For Oracle Applications:
Log in to the non-production server and do a tnsping/telnet to the production host IP on port 8000:
telnet 192.168.1.2 8000
You may also do:
netstat -anp | grep 8000
It should not be successful. If it is successful, check with the Apps DBAs to change the applications port to something other than 8000.
Recommended: implement SSL for Oracle Applications, or the traffic that comes to the Oracle Applications server should be protected by SSL, for example by a hardware load balancer.
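As an added example, not from the original post, here is a small POSIX shell helper for steps 4 and 5 above: it flags the default Oracle ports (1521, 8000) found listening in netstat-style output, and checks whether a sqlnet.ora actually enforces the TCP.INVITED_NODES restriction from guideline 5, which Oracle only applies when TCP.VALIDNODE_CHECKING is set to yes. The netstat output and sqlnet.ora contents below are constructed samples.

```shell
#!/bin/sh
# Added audit helper (not from the original post). Two checks in the spirit of
# the steps above: (1) flag Oracle default ports 1521/8000 in LISTEN state from
# netstat-style output, and (2) confirm sqlnet.ora actually enforces
# TCP.INVITED_NODES, which Oracle ignores unless TCP.VALIDNODE_CHECKING=yes.

# Constructed sample of `netstat -an` output from a production DB/Apps host.
SAMPLE_NETSTAT='tcp 0 0 0.0.0.0:1521      0.0.0.0:*          LISTEN
tcp 0 0 0.0.0.0:22        0.0.0.0:*          LISTEN
tcp 0 0 192.168.1.2:1521  192.168.5.7:43210  ESTABLISHED
tcp 0 0 :::8000           :::*               LISTEN'

# Constructed sqlnet.ora: invited list set, but node checking never enabled.
SAMPLE_SQLNET='SQLNET.AUTHENTICATION_SERVICES=(NTS)
TCP.INVITED_NODES=(192.168.1.10, 192.168.1.11)'

# Constructed sqlnet.ora with the restriction correctly enforced.
SAMPLE_SQLNET_OK='TCP.VALIDNODE_CHECKING = yes
TCP.INVITED_NODES = (192.168.1.10, 192.168.1.11)'

# Print the Oracle default ports (1521, 8000) found listening in the netstat
# output passed as $1, space-separated and sorted; prints nothing if none.
default_ports_listening() {
  ports=$(printf '%s\n' "$1" | awk '
    $NF == "LISTEN" { n = split($4, a, ":"); p = a[n] + 0
                      if (p == 1521 || p == 8000) print p }' | sort -nu | tr '\n' ' ')
  printf '%s' "${ports% }"
}

# Classify sqlnet.ora content ($1) as ENFORCED, INVITED_NODES_SET_BUT_CHECKING_OFF
# or NOT_CONFIGURED. Keys are matched case-insensitively, whitespace ignored.
invited_nodes_status() {
  printf '%s\n' "$1" | awk -F= '
    { key = toupper($1); gsub(/[ \t]/, "", key); val = tolower($2); gsub(/[ \t]/, "", val) }
    key == "TCP.VALIDNODE_CHECKING" { checking = val }
    key == "TCP.INVITED_NODES"      { invited = 1 }
    END {
      if (invited && checking == "yes") print "ENFORCED"
      else if (invited)                 print "INVITED_NODES_SET_BUT_CHECKING_OFF"
      else                              print "NOT_CONFIGURED"
    }'
}

# Stand-alone run over the constructed samples.
echo "Default Oracle ports listening: [$(default_ports_listening "$SAMPLE_NETSTAT")]"
echo "sqlnet.ora (checking off): $(invited_nodes_status "$SAMPLE_SQLNET")"
echo "sqlnet.ora (ok):           $(invited_nodes_status "$SAMPLE_SQLNET_OK")"
```

On a real host, feed it `netstat -an` output and the contents of $ORACLE_HOME/network/admin/sqlnet.ora instead of the samples.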
Next posts: Database and Applications security, and after that data security.
-- Narasimha Rao