Tuesday, March 11, 2014

Oracle Listener Security

Listener security is an often overlooked component in locking down the database from unexpected access.  With network firewalls in place, database usernames and passwords, and so on, database administrators in some cases overlook what is more likely the largest open threat to the database: the internal user who has a username and password and access from local desktop tools.

We know from several security experts that most security lapses come from internal sources, and things like data downloaded into spreadsheets and other files can be the largest risk of the data being compromised, as local machines tend not to have the security controls that servers and applications do.

This raises the question of why we would allow access to databases from a local machine such as a laptop or other local hosts on the network.  In a typical network there may not be a firewall in place between the client and server for access control.  One way to lock this down is to ensure that only authorized clients can reach the database, using a listener filter so that only the secured servers access the data.

The listener filter acts as an additional internal control to ensure that, even on your local network, only connections from authorized machines are allowed.  It helps ensure your data does not end up on a local laptop, saved there and then compromised if that laptop is lost or stolen.

Configuring the IP filter on the listener is done via the listener.ora using the following parameters.

tcp.validnode_checking turns on the listener IP filter.
tcp.validnode_checking = yes

tcp.invited_nodes is set to a comma-delimited list of hostnames/IP addresses that are allowed through the listener to make a database connection.
tcp.invited_nodes = (hostname1, hostname2)

tcp.excluded_nodes is set to a comma-delimited list of hostnames/IP addresses that are to be denied access to the database through the listener.
tcp.excluded_nodes = (hostname3, hostname4)

tcp.excluded_nodes is a more passive form of filtering, excluding known hosts you do not want to have access.  The more proactive approach, and the most commonly used, is tcp.invited_nodes: only the servers in the list may make a connection, which offers the most assured security, since when invited_nodes is used anything not in the list is denied access and therefore excluded.
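As an added example (not the post's own code), the Python below parses the three parameters above from a parameter file and evaluates whether a given client host or address would be admitted, applying the precedence of tcp.invited_nodes over tcp.excluded_nodes described here, and flags a fragment that leaves the filter off or in exclusion-only mode. The parameter file contents, hostnames and addresses are constructed for the demo, and the CIDR matching of IP entries is an assumption modelled on the range syntax later Oracle releases accept.

```python
import ipaddress
import re
# Constructed sqlnet.ora-style fragment for this demo (not a real site's file).
SAMPLE_SQLNET_ORA = """\
tcp.validnode_checking = yes
tcp.invited_nodes = (appserver1, 10.20.30.5, 10.20.40.0/24)
tcp.excluded_nodes = (laptop-ops, 10.20.30.99)
"""
_PARAM_RE = re.compile(r"^\s*([\w.]+)\s*=\s*(.+?)\s*$")
def parse_params(text):
    """Return {lower-cased name: raw value} for each 'name = value' line."""
    params = {}
    for line in text.splitlines():
        if m := _PARAM_RE.match(line.split("#", 1)[0]):  # '#' starts a comment
            params[m.group(1).lower()] = m.group(2)
    return params

def _node_list(value):
    value = (value or "").strip().strip("()")  # '(a, b)' or bare 'a'; missing -> ''
    return tuple(v.strip() for v in value.split(",") if v.strip())

def _matches(client, entry):
    if client.lower() == entry.lower():  # exact hostname or IP match
        return True
    try:  # assumed CIDR entry containing the client IP (range syntax of later releases)
        return ipaddress.ip_address(client) in ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return False  # hostname entries only match by exact name

def checking_on(params):
    return params.get("tcp.validnode_checking", "no").strip().lower() == "yes"

def is_admitted(params, client):
    """Checking off: admit all.  invited_nodes set: admit only listed nodes
    (invited wins over excluded).  Otherwise: admit all but excluded nodes."""
    if not checking_on(params):
        return True
    invited = _node_list(params.get("tcp.invited_nodes"))
    if invited:
        return any(_matches(client, e) for e in invited)
    return not any(_matches(client, e) for e in _node_list(params.get("tcp.excluded_nodes")))

def audit(params):
    """Return the reviewer finding for this fragment, or None when the filter is sound."""
    if not checking_on(params):
        return "tcp.validnode_checking is not 'yes': the listener filter is off"
    if not _node_list(params.get("tcp.invited_nodes")):
        return "tcp.invited_nodes is empty: only the listed hosts are blocked"
    return None
```

In the Oracle Net documentation these three parameters are sqlnet.ora parameters read by the listener (protocol.ora on 8i), so place them in the sqlnet.ora under the listener's TNS_ADMIN directory and restart the listener for them to take effect.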