Oracle Net Services: Security Checklists

Objectives
After completing this lesson, you should be able to do the following:
- Describe the items on the client, listener, and network security checklists
- Secure administration of the network
- Restrict access by IP address
- Encrypt network traffic

Overview: Security Checklists
The following are security checklists:
- Client checklist
- Network checklist:
  - Secure traffic
  - Secure administration
  - Use firewalls
- Listener checklist:
  - Limit listener privileges
  - Secure administration
  - Monitor activity

Client Checklist
Internet access to secure data requires user authentication, rather than client-computer authentication. The options are:
- Bypass client-computer configuration and rely on user authentication to a middle tier.
- Configure the client computer:
  - Authentication
  - Authorization
- Administer client certificates.
- Educate users.

Securing the Client Computer
Why the client computer cannot be secured:
- IP addresses can be spoofed.
- The client operating system (OS) is seldom secure.
- The client computer is seldom physically secure.
When the client OS cannot be secured:
- User must authenticate to the database.
- Disable Remote OS authentication to the database.
- Configure the client computer to use:
  - Certificates
  - Encryption
  - Checksumming

Configuring the Browser
Browsers include the following security features:
- SSL encryption by using the HTTPS protocol
- Certificate authorization:
  - Client
  - Server

Configuring the Client
Configure client computers to use Oracle Advanced Security features with Oracle Net Services:
- Native encryption
- SSL authentication by using certificates
- SSL encryption

Using Certificates
Considerations when using certificates for authentication:
- Distinguished name and issuer uniquely identify the user.
- Test for expiring certificates.
- Use certificate reissues to update certificate information.
- Audit certificate revocations.

Network Security: Checklist
- Use a firewall.
- Restrict IP addresses.
- Encrypt network traffic.
- Prevent remote administration of Connection Manager (CMAN).
- Use network log files to monitor connections.

Using a Firewall to Restrict Network Access
(Figure: client computers, a firewall, the application/Web server, a second firewall, and the database server.)

Restricting Network IP Addresses: Valid Node Checking
Set the following SQLNET.ORA parameters:
- Turn on the feature: tcp.validnode_checking=YES
- Deny access from these nodes: tcp.excluded_nodes=(135.245.234.44)
- Allow access from these nodes: tcp.invited_nodes=(144.198.58.146,144.198.58.147)

Restricting Network IP Addresses: Guidelines
Network IP restrictions can help secure access to your server. Consider the following guidelines:
- Do not use IP restrictions as your only security. IP addresses can be spoofed.
- Use Connection Manager to limit access by node.
- Limit access by protocol.
- Protect dispatcher ports. IP restrictions do not prevent connections to the dispatcher.

Configuring IP Restrictions with Net Manager
(Screenshot slide; no text recovered.)

Restricting Open Ports
Limit open ports to needed applications:
- Open ports are network-attack opportunities.
- Know which ports are open on your computer.
Find open ports:
- Oracle product installation ports in portlist.ini
- Listener ports in listener.ora
- CMAN ports by using: CMCTL -c SHOW SERVICES
- Dispatcher ports by using lsnrctl services
- Other ports by using netstat or nmap

Encrypting Network Traffic
Guideline: Encrypt sensitive network traffic.
Tasks:
- Use HTTPS when sending sensitive data between the client computer and the server.
- Use SSL or native encryption to encrypt Oracle Net Services traffic.
- Use the TCPS protocol for TCP/IP with SSL: ... (ADDRESS=(PROTOCOL=tcps) ...

End-to-End Encryption
(Figure: Computer A encrypts the message "We will go public on Wednesday." into the ciphertext "fdh37djf246gsbda,ssk", which Computer B decrypts back to "We will go public on Wednesday.")

Configure Network Encryption
Use Net Manager to configure:
- Client sqlnet.ora
- Server sqlnet.ora

Checksumming
(Figure: Computer A sends the message "We will go public on Wednesday." to Computer B as checksummed packets A "We will", B "go pub-", C "-lic on", D "Wedn-esday", which are reassembled into the original message.)

Configure Checksumming
Use Net Manager to configure:
- Server Integrity
- Client Integrity

Oracle Net Services Log Files
(Figure: sqlnet.log and listener.log on the database server and its Listener; _cmadm_pid.log for the CMADMIN process, _cmgw_pid.log for the CMGW process, and listener_pid.log for the CMAN listener.)

Practice 19 Overview: Configure Net Security
This practice covers the following topics:
- Configuring a non-default listener
- Configuring native network encryption
- Configuring checksumming

Summary
In this lesson, you should have learned how to:
- Describe the items on the client, listener, and network security checklists
- Secure administration of the network
- Restrict access by IP address
- Encrypt network traffic
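As an added example for the Valid Node Checking and Guidelines slides in this lesson (not part of the Oracle course material), the following Python reads the sqlnet.ora node-list parameters shown above and reports whether the listener would admit a few constructed client addresses. It assumes exact-address matching and that an invited list, when present, turns the check into an allow-list that takes precedence over the excluded list.

```python
"""Evaluate Oracle Net valid-node-checking decisions for sample client IPs.

Added example, not from the lesson. Parses tcp.validnode_checking,
tcp.excluded_nodes and tcp.invited_nodes from a sqlnet.ora fragment.
Assumptions: exact-address matching only; an invited list, when present,
is an allow-list that takes precedence over the excluded list.
"""
import re

# Constructed sqlnet.ora fragment using the values shown on the slide.
SQLNET_ORA = """
tcp.validnode_checking=YES
tcp.excluded_nodes=(135.245.234.44)
tcp.invited_nodes=(144.198.58.146,144.198.58.147)
"""

_PARAM = re.compile(r"^\s*([A-Za-z_.]+)\s*=\s*(.+?)\s*$")


def parse_sqlnet(text):
    """Return a dict of lower-cased parameter name -> raw value ('#' comments stripped)."""
    params = {}
    for line in text.splitlines():
        m = _PARAM.match(line.split("#", 1)[0])
        if m:
            params[m.group(1).lower()] = m.group(2)
    return params


def node_list(value):
    """Turn '(a,b)' into a set of node strings; tolerates missing parentheses."""
    return {n.strip() for n in value.strip("()").split(",") if n.strip()}


def is_admitted(params, client_ip):
    """Decide whether client_ip passes valid node checking at the listener."""
    if params.get("tcp.validnode_checking", "NO").upper() != "YES":
        return True  # feature off: every node reaches the listener
    invited = node_list(params.get("tcp.invited_nodes", ""))
    excluded = node_list(params.get("tcp.excluded_nodes", ""))
    if invited:
        return client_ip in invited  # assumed precedence: allow-list only
    return client_ip not in excluded


def audit(text, client_ips):
    """Map each sample client IP to its admission decision."""
    params = parse_sqlnet(text)
    return {ip: is_admitted(params, ip) for ip in client_ips}


if __name__ == "__main__":
    for ip, ok in audit(SQLNET_ORA, ["144.198.58.146", "135.245.234.44", "10.0.0.9"]).items():
        print(f"{ip:16} {'admitted' if ok else 'rejected'}")
```

The decision models the listener only; as the Guidelines slide notes, it says nothing about connections made directly to a dispatcher port, which must be protected separately.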