Oracle Call Interface Enhancements - Oracle 11g

Starting with Oracle Database 11g, numerous initialization parameters allow DBAs to apply a more granular level of security to OCI applications. These parameters are the sec_* initialization parameters:

The initialization parameters in the previous listing that start with SEC_ are the initialization parameters specific to OCI. In addition, Oracle enables DBAs to set banner and audit pages through sqlnet.ora parameters. These features enable DBAs to secure databases for all applications that leverage OCI. The OCI security enhancements are available for databases starting with Oracle Database 11g Release 1 (11.1) and for any version of the client. Oracle Database 11g OCI security allows you to harden the database further by enabling you to do the following:

  • Set the level of information captured for perceived bad packets on the server.
  • Drop or delay database connections because of bad packet overflow.
  • Configure the maximum number of connection attempts.
  • Control the display of database release information.
  • Set up the banner for unauthorized access.

Set the Level of Information Captured for Bad Packets

First we'll show what you can do in Oracle Database 11g relative to bad packets received on the database tier. Bad packets can arrive because of network protocol errors or because of malicious attempts to flood the server with large numbers of bad packets.

Either way, bad packets can create havoc in the database environment by causing disk space outages or denial of service. Now you can leverage the SEC_PROTOCOL_ERROR_TRACE_ACTION database initialization parameter to determine the level of information you want to capture for bad packets.

This parameter accepts the values NONE, TRACE, LOG, and ALERT. The default setting is TRACE. When SEC_PROTOCOL_ERROR_TRACE_ACTION is set to TRACE, trace files are generated on the database server.

You can leave this setting in place for debugging purposes. The LOG value produces an entry in the alert log file but does not generate a trace file; this is the preferable option for many DBAs. You can set this parameter to LOG, and if problems persist, change it to ALERT. With the parameter set to ALERT, Oracle produces an entry in the alert log file and also generates a trace file. Lastly, SEC_PROTOCOL_ERROR_TRACE_ACTION can be set to NONE to specify that you do not want trace files or alert log entries for bad packets at all. You can set this parameter to LOG using the alter system command, as shown here:

SQL> alter system set sec_protocol_error_trace_action = LOG;

System altered.

Delay or Drop Database Connections

Not only can Oracle Database 11g protect you from a flood of bad packets to the database server, but it can also protect you by disconnecting or deferring the connections made to the server. The initialization parameter controls this behavior. By default, this parameter is set to CONTINUE, so connections are neither dropped nor deferred. You can modify the behavior of server continuity by using the following syntax:

The DROP option drops the database connection after n bad packets. In this particular example, the client is disconnected from the database after 30 bad packet transfers; the database goes into self-preservation mode. The worst-case scenario for the client is that it may have to reestablish its connection to the database. If you consider disconnection too harsh, you can use the DELAY value to delay the client by n seconds before the database accepts another packet from the client for the same session. Let's look at setting the DELAY option:

In this particular example, the client connection is forcibly delayed by 15 seconds before it can send another packet. This allows the database to protect itself from denial-of-service attacks. The risk to the client is that the application may suffer degraded performance.

Configure Maximum Number of Server Connection Attempts

The maximum number of OCI authentication attempts is set to 10 by default. For security reasons, you may want to change this setting to a number acceptable to your security administrators. You can change this behavior by setting the SEC_MAX_FAILED_LOGIN_ATTEMPTS initialization parameter. Unfortunately, modifying the SEC_MAX_FAILED_LOGIN_ATTEMPTS parameter requires a database bounce. You can change the SEC_MAX_FAILED_LOGIN_ATTEMPTS parameter using the following ALTER SYSTEM command:

In this particular example, the OCI connection allows only five authentication attempts before it is disconnected.

Control the Display of Database Release Information

Just as you can see the database version in SQL*Plus, you can display the database version banner for OCI connections. SEC_RETURN_SERVER_RELEASE_BANNER controls this behavior. The default value for SEC_RETURN_SERVER_RELEASE_BANNER is FALSE, which means Oracle does not disclose the full version number to the client. Therefore, by default, Oracle displays only the high-level version information to the client, as shown here:

Oracle Database 11g Enterprise Edition Release 11.1.0.0.0 – Production

If you set SEC_RETURN_SERVER_RELEASE_BANNER to YES, then Oracle discloses the full version of the database, including the release number. You can do this by using this syntax:

This parameter also requires a database restart. Once it is set to TRUE, OCI clients see the full version of the database, as shown here:

Oracle Database 11g Enterprise Edition Release 11.1.0.6 - Production
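The initialization parameters covered so far, applied together from SQL*Plus and then verified, as an added example that is not from the original article. It assumes a SYSDBA session on an spfile-managed 11g instance; the drop/delay parameter name SEC_PROTOCOL_ERROR_FURTHER_ACTION is taken from Oracle's documentation because the article does not print it.

```sql
-- Added example (not from the original article): OCI hardening parameters
-- applied as SYSDBA, then verified. Assumes an spfile-managed 11g instance.
-- SEC_PROTOCOL_ERROR_FURTHER_ACTION is the documented Oracle parameter for
-- the DROP/DELAY behaviour; the article itself does not name it.

-- Bad-packet handling (dynamic, no restart): alert log entry without trace
-- files, and drop the offending session after 30 bad packets.
ALTER SYSTEM SET sec_protocol_error_trace_action = LOG SCOPE=BOTH;
ALTER SYSTEM SET sec_protocol_error_further_action = '(DROP,30)' SCOPE=BOTH;
-- Alternative: hold the session for 15 seconds per bad packet instead of dropping it.
-- ALTER SYSTEM SET sec_protocol_error_further_action = '(DELAY,15)' SCOPE=BOTH;

-- Static parameters: written to the spfile only, effective after a bounce.
ALTER SYSTEM SET sec_max_failed_login_attempts = 5 SCOPE=SPFILE;
ALTER SYSTEM SET sec_return_server_release_banner = FALSE SCOPE=SPFILE;

-- Verification: what is live now versus pending in the spfile, and which
-- parameters can be changed without a restart (ISSYS_MODIFIABLE).
SELECT p.name,
       p.value           AS current_value,
       s.value           AS spfile_value,
       p.issys_modifiable
FROM   v$parameter p
       LEFT JOIN v$spparameter s ON s.name = p.name
WHERE  p.name LIKE 'sec\_%' ESCAPE '\'
ORDER  BY p.name;
```

A row whose current_value and spfile_value differ is a parameter still waiting for the restart the article mentions.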

Set Up the Banner and Auditing for Unauthorized Access

Oracle provides the capability to set up a banner page for unauthorized access. Many security administrators consider a banner page at initial login crucial for warning intruders that unauthorized access will not be tolerated. You can enable banners for unauthorized access by setting the SEC_USER_UNAUTHORIZED_ACCESS_BANNER parameter in the sqlnet.ora file. This parameter needs to point to the location of a text file that contains the unauthorized-access banner page. For example, you can specify this banner page in your sqlnet.ora file:

SEC_USER_UNAUTHORIZED_ACCESS_BANNER = /apps/oracle/general/banner/access.txt

An example of an enterprise corporate-authorized banner page looks something like this:

Oracle Database 11g does not stop at providing a banner page for unauthorized access; it also allows the setup of an audit page to warn clients that their connections are being audited. Similarly, you can set up an auditing banner to warn clients by adding an entry in the sqlnet.ora file like the one shown here:

SEC_USER_AUDIT_ACTION_BANNER = /apps/oracle/general/banner/audit.txt

By default, these parameters are not set. In addition, you must modify the client to make the proper OCI calls to take advantage of these security settings. The OCI_ATTR_ACCESS_BANNER call retrieves the access banner information from the database server. Likewise, you can invoke the OCI_ATTR_AUDIT_BANNER call to retrieve audit banner text from the serv
