Re: Question re security

  • From: Nuno Souto <dbvision@xxxxxxxxxxxx>
  • To: oracle-l@xxxxxxxxxxxxx
  • Date: Sat, 18 Jan 2014 15:23:23 +1100

On 18/01/2014 5:29 AM, Hans Forbrich wrote:

> "Network encryption (native network encryption and SSL/TLS) and strong authentication services (Kerberos, PKI, and RADIUS) are no longer part of Oracle Advanced Security and are available in all licensed editions of all supported releases of the Oracle database."

Yeah, tell me about it. About bloody time! It's only taken all these years for Oracle to catch up to every other db provider under the Sun... It's still too hard to enable the blessed thing, though. With MSSQL it's a tick in a screen. With Oracle it's a complex operation involving weird incantations and some chook blood...

> Changing the port is generally a complete waste of time as it takes almost zero effort "for any hacker worth his/her salt" using a standard sniffer to determine the ports that Oracle might be running on. Might as well use the known port and use the time and effort otherwise used in managing a non-default to strengthen that as much as possible.

Disagree. What security and audit folks need to understand is context. Every time someone talks about security, out comes the "insiders are the main danger". Then once that is addressed, it's the "hackers worth their salt" that come up. They are NOT synonyms and are NOT addressed by the same techniques!!!

The insider danger is mostly made up of organization knowledge and very little technical nous. While the hacker is all out on the tech front and useless as far as organization is concerned. Of course, some interim nuances allowed between those extremes - social engineering, etc., etc.

I've worked in the Google space and set up my fair share of "bait" sacrificial servers for the hackers to zero in on - I won't go into how, here. Where I am now I have yet to see anyone - outside of support personnel - who can even set up an ODBC connection, let alone hack it! While changing the port is useless for true hackers, to stop them was never its intention. But I can assure you it'll stop EVERY single one of our would-be "insiders"!
As always: bang for buck.

--
Cheers
Nuno Souto
dbvision@xxxxxxxxxxxx

--
//www.freelists.org/webpage/oracle-l
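The "incantations" Nuno refers to for native network encryption boil down to a handful of sqlnet.ora parameters on the server side. The following is an added example, not code from this thread or from Oracle: it shows a constructed sqlnet.ora that leaves the defaults in place (encryption merely ACCEPTED, so a client that never asks for it gets a cleartext session) beside a constructed hardened one that makes encryption and integrity mandatory, and a small checker that reports which of the documented parameters (SQLNET.ENCRYPTION_SERVER, SQLNET.ENCRYPTION_TYPES_SERVER, SQLNET.CRYPTO_CHECKSUM_SERVER, SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER) fall short. The "strong" algorithm sets are a policy choice made for this example, not an Oracle list.

```python
"""Audit an Oracle sqlnet.ora for enforced native network encryption.

Added example (not from the oracle-l thread). Parameter names are the
documented sqlnet.ora ones; the two sample files and the algorithm
policy below are constructed for the demonstration.
"""

# Constructed sample: defaults left in place. ACCEPTED is the documented
# default, so an unencrypted client still gets an unencrypted session.
WEAK_SQLNET_ORA = """\
# sqlnet.ora (constructed sample: defaults)
SQLNET.ENCRYPTION_SERVER = ACCEPTED
SQLNET.CRYPTO_CHECKSUM_SERVER = ACCEPTED
"""

# Constructed sample: server refuses any session that is not both
# encrypted and integrity-protected with an algorithm from the list.
HARDENED_SQLNET_ORA = """\
# sqlnet.ora (constructed sample: encryption and integrity mandatory)
SQLNET.ENCRYPTION_SERVER = REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256, AES192, AES128)
SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA256)
"""

# Policy chosen for this example (an assumption, not an Oracle-mandated list).
STRONG_CIPHERS = {"AES256", "AES192", "AES128"}
STRONG_DIGESTS = {"SHA256"}


def parse_sqlnet(text):
    """Return {PARAMETER: raw value} from sqlnet.ora text, ignoring comments."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip().upper()] = value.strip()
    return params


def parse_list(value):
    """Turn '(AES256, AES192)' or a bare 'AES256' into a list of names."""
    return [v.strip().upper() for v in value.strip("()").split(",") if v.strip()]


def audit_sqlnet(text):
    """Return a list of findings; an empty list means the policy is met."""
    p = parse_sqlnet(text)
    findings = []

    # Mode parameters: anything other than REQUIRED lets a client opt out.
    if p.get("SQLNET.ENCRYPTION_SERVER", "ACCEPTED").upper() != "REQUIRED":
        findings.append("SQLNET.ENCRYPTION_SERVER is not REQUIRED: "
                        "unencrypted client sessions are accepted")
    if p.get("SQLNET.CRYPTO_CHECKSUM_SERVER", "ACCEPTED").upper() != "REQUIRED":
        findings.append("SQLNET.CRYPTO_CHECKSUM_SERVER is not REQUIRED: "
                        "sessions without integrity protection are accepted")

    # Algorithm lists: unset means the server offers everything it supports.
    ciphers = parse_list(p.get("SQLNET.ENCRYPTION_TYPES_SERVER", ""))
    if not ciphers:
        findings.append("SQLNET.ENCRYPTION_TYPES_SERVER unset: "
                        "server offers every encryption algorithm it supports")
    else:
        weak = [c for c in ciphers if c not in STRONG_CIPHERS]
        if weak:
            findings.append("weak encryption types offered: " + ", ".join(weak))

    digests = parse_list(p.get("SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER", ""))
    if not digests:
        findings.append("SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER unset: "
                        "server offers every checksum algorithm it supports")
    else:
        weak = [d for d in digests if d not in STRONG_DIGESTS]
        if weak:
            findings.append("weak checksum types offered: " + ", ".join(weak))

    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_SQLNET_ORA), ("hardened", HARDENED_SQLNET_ORA)):
        print(f"[{label}]")
        for f in audit_sqlnet(cfg) or ["no findings"]:
            print("  -", f)
```

Once the hardened settings are in place, a connected session can confirm what was actually negotiated with `SELECT network_service_banner FROM v$session_connect_info WHERE sid = SYS_CONTEXT('USERENV', 'SID');`, whose rows name the encryption and checksum services in use; a session that shows no encryption adapter is the thing a REQUIRED setting is meant to make impossible.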
