Oracle® Advanced Security, Client Access Control and SSH Tunnelling
The Oracle® Advanced Security database option helps customers address security, privacy and regulatory compliance requirements. Oracle® Advanced Security provides industry standards-based data privacy, integrity, authentication, single sign-on, and access authorisation in a variety of ways. For example, you can configure either Oracle® Net native encryption or Secure Sockets Layer (SSL) for data privacy. Oracle® Advanced Security also provides the choice of several strong authentication methods, including Kerberos, Remote Authentication Dial-In User Service (RADIUS), smart cards, and digital certificates.
Oracle® Advanced Security is only available to products that interface with Oracle® Net Services, such as the Easysoft ODBC-Oracle Driver. Drivers that do not interface with Oracle® Net Services (because they do not use Oracle® Client software) are unable to use this option.
This article describes some of the network encryption and Oracle® Advanced Security features that are available to Easysoft ODBC-Oracle Driver users. In addition, the article describes the Oracle® Net node validation feature that lets you restrict access to the Oracle® listener by client IP address and how to use Secure Shell (SSH) tunnelling as an alternative way of securing Oracle® network traffic.
Contents
- Oracle® Net Native Encryption
- Oracle® Advanced Security
- Client Access Control
- Protecting Oracle® Network Traffic with SSH Tunnelling
- References
Oracle® Net Native Encryption
Oracle® Net native encryption protects the confidentiality of Oracle® data as it is transmitted across the network. Encrypting Oracle® network traffic safeguards sensitive data such as social security numbers, credit card numbers and other personally identifiable information against packet sniffing. Packet sniffing is where an attacker tries to capture unencrypted data by using a network sniffer. This sniffing takes place without the knowledge of either the client machine or database server.
To illustrate how Oracle® Net native encryption safeguards data privacy, we used a packet sniffer to capture both unencrypted and encrypted data as it was transmitted across the network. The following extract shows some unencrypted Oracle® Net traffic, retrieved from an Oracle® XE database by using unixODBC’s isql with the Easysoft ODBC-Oracle Driver:
06/27-10:22:49.978242 0:3:FF:3A:42:A3 -> 0:11:11:38:42:A3 type:0x800 len:0x122 192.168.0.137:4836 -> 192.168.0.234:1521 TCP TTL:64 TOS:0x0 16 FB 08 08 A4 13 09 08 00 00 00 00 3F 73 65 6C ............?sel 65 63 74 20 46 49 52 53 54 5F 4E 41 4D 45 2C 20 ect FIRST_NAME, 4C 41 53 54 5F 4E 41 4D 45 2C 20 4E 41 54 49 4F LAST_NAME, NATIO 4E 41 4C 5F 49 44 5F 4E 55 4D 42 45 52 20 66 72 NAL_ID_NUMBER fr 6F 6D 20 65 6D 70 6C 6F 79 65 65 73 01 00 00 00 om EMPLOYEES.... 0A 00 00 00 00 00 00 00 00 00 00 00 07 06 53 74 ..............St 65 76 65 6E 04 4B 69 6E 67 08 31 34 34 31 37 38 even.King.144178 30 37 15 03 00 07 07 05 4E 65 65 6E 61 07 4B 6F 07......Neena.Ko 63 68 68 61 72 09 32 35 33 30 32 32 38 37 36 15 chhar.253022876. 03 00 07 07 03 4C 65 78 07 44 65 20 48 61 61 6E .....Lex.De Haan 09 35 30 39 36 34 37 31 37 34 15 03 00 07 07 09 .509647174...... 41 6C 65 78 61 6E 64 65 72 06 48 75 6E 6F 6C 64 Alexander.Hunold 09 31 31 32 34 35 37 38 39 31 15 03 00 07 07 05 .112457891......
The names and social security numbers of these employee records have been captured in plain text by the sniffer.
We then activated Oracle® Net encryption on the client machine and database server. To do this, we created sqlnet.ora on the client machine and added these lines to the file:
# Activate encryption. For a complete list of supported encryption # algorithms, refer to the Oracle Database Advanced Security # Administrator's Guide. SQLNET.ENCRYPTION_TYPES_CLIENT = RC4_256 SQLNET.ENCRYPTION_CLIENT = required
Because we were using the Easysoft ODBC-Oracle Driver with the Instant Client, we used the TNS_ADMIN environment variable to point to the directory where sqlnet.ora was located.
These lines were added to sqlnet.ora on the database server:
SQLNET.ENCRYPTION_TYPES_SERVER = RC4_256 SQLNET.ENCRYPTION_SERVER = required
Finally, we connected to the database and retrieved the same data. No additional configuration was necessary. Because the Easysoft ODBC-Oracle Driver uses the Oracle® client libraries, Oracle® Net features such as encryption are automatically available to the driver.
This extract shows how activating Oracle® Net encryption protects the privacy of the data:
06/27-10:33:19.188351 0:3:FF:3A:42:A3 -> 0:11:11:38:42:A3 type:0x800 len:0x124 192.168.0.137:1127 -> 192.168.0.234:1521 TCP TTL:64 TOS:0x0 00 E2 00 00 06 00 00 00 00 00 46 1F D6 42 23 46 ..........F..B#F 37 98 C1 E5 79 F0 4F 2E BD BE E4 7C F6 4E 59 E0 7...y.O....|.NY. 0D 36 F9 29 6E A7 B1 74 04 A1 43 7F B0 42 42 74 .6.)n..t..C..BBt 44 D1 EB BF 5D A5 A0 C4 60 17 9A C4 6D 40 22 24 D...]...`...m@"$ C2 83 BC 75 1D 512 ED A5 51 3C 1C A2 24 AF DA A7 ...u....Q<..$... 99 AB F3 EA 4E 41 2D 65 03 1E CC 74 4E FC 1A 7A ....NA-e...tN..z 23 31 9E 82 E3 E6 D3 6C 22 6E E4 C3 17 54 95 F3 #1.....l"n...T.. 01 52 00 00 06 00 00 00 00 00 41 D1 37 08 36 43 .R........A.7.6C BA 5D 12 01 2D 39 34 92 76 CD AB 32 E8 DF A9 FF .]..-94.v..2.... 52 69 2A A1 4C 17 DF 32 98 07 C1 8C 30 4D 48 CC Ri*.L..2....0MH. 86 AF 0B 2D 6C C1 C6 05 1D 09 5F 1D ED D1 E8 16 ...-l....._..... 40 A1 D9 65 6A 0F 05 29 F0 B2 B4 91 01 FF BB 13 @..ej..)........ A3 85 C2 24 D5 DE 1C 09 3D 12 E8 0C 09 A8 AF 20 ...$....=...... 12 1B 1D 68 88 2F EF E7 E2 F1 A1 91 3D 20 90 6A ...h./......= .j 60 57 C9 03 70 17 5E 46 66 33 4E 10 C7 BB 97 6E `W..p.^Ff3N....n D4 F0 36 43 39 39 69 3C DD 71 B4 3F 94 0A 5C EE ..6C99i<.q.?..\. E5 CB 6B DD 27 1D 86 41 20 02 AB FC D0 1F 89 7C ..k.'..A ......| 02 D9 11 90 C8 DA 55 72 5C 2F B8 95 D8 12 5C 01 ......Ur\/....\.
The confidential employee data is now unreadable.
Oracle® Net encryption provides the following encryption algorithms to protect information: Rivest Cipher 4 (RC4), Data Encryption Standard (DES), Triple-DES and Advanced Encryption Standard (AES). An encryption algorithm transforms data into a form that cannot be deciphered without a decryption key. The native network encryption algorithms provide varying levels of security and performance.
Note that Oracle® Net always encrypts passwords before sending them across the network even if encryption is not otherwise activated.
Oracle® Advanced Security
This section lists some of the Oracle® Advanced Security features that are available to Easysoft ODBC-Oracle Driver users:
-
Data Integrity Checking Data integrity checking provides protection against attempts to tamper with data transmitted across the network. Integrity is the guarantee that data has not been altered during transmission -- the data received therefore is the same as the data that was sent.
Oracle® Net Services provides a set of data integrity algorithms that protect against data modification and data replay attacks. In a data modification attack, data is intercepted in transit, altered and retransmitted. For example, a £100 bank deposit is intercepted, changed to £10,000 and retransmitted. In a replay attack, data is captured and then repeatedly retransmitted. For example, a bank withdrawal of £100 is intercepted and retransmitted ten times so that the final withdrawal amount equals £1000.
Oracle® Net Services lets you select either the Message Digest 5 (MD5) algorithm or Secure Hash Algorithm (SHA-1) to protect against data tampering. These cryptographic hash algorithms enable a digital fingerprint to be generated that is passed with the data the fingerprint was generated from. The recipient of the data regenerates the fingerprint and compares it with the original fingerprint sent with the data. If the two fingerprints do not match, the data has been changed either intentionally or unintentionally.
-
SSL Oracle® Advanced Security SSL secures the network connection between the client machine and Oracle® database server, protecting the privacy of data passed between the client application and database. In addition, SSL can be used to strongly authenticate users by means of X.509 digital certificates. SSL also uses cryptographic hashes to ensure data integrity.
SSL encryption protects against packet sniffing where an attacker tries to capture unencrypted data by using a network sniffer. SSL authentication protects against man-in-the-middle attacks, where the attacker sits invisibly between the client machine and the database server, pretending to be the client on one side and the server on the other, fooling both sides. The attacker reads all the traffic in the process, all without the knowledge of the legitimate sender and receiver. With SSL authentication, the database server provides the client with a digital certificate that is signed and issued by a reliable Certificate Authority (CA). The certificate guarantees that the database server is who it claims to be. This prevents data from being intercepted by a server masquerading as the real target server.
You can use the SSL encryption and data integrity features in combination with the other authentication methods supported by Oracle® Advanced Security. For example, you can use the encryption provided by SSL in combination with the authentication provided by Kerberos.
-
Transparent Data Encryption TDE, described by Oracle® as "Perhaps the most important new feature in Oracle® Database 10g Release 2" is an Oracle® Advanced Security option that protects sensitive data such as credit card and social security numbers by encrypting the files where the data is stored. This prevents attackers who attempt to bypass database access control mechanisms by looking inside the data files from viewing sensitive data.
TDE uses an external security module to store and manage encryption keys. Separating security functions such as encryption from standard database functions makes it possible to divide administration duties between DBAs and security administrators. This strategy enhances security because no single administrator is granted comprehensive access to data. The security modules frees applications from having to manage encryption keys. An application that processes sensitive information can use TDE to provide strong data encryption with little or no change to the application.
TDE gives security administrators the assurance that data on disk or backup media is encrypted, yet handling encrypted data becomes transparent to applications.
-
Strong Authentication Oracle® Advanced Security provides a choice of authentication methods including Kerberos, RADIUS and SSL certificates. These authentication methods offer a stronger alternative to traditional password-based authentication and so provide better protection against unauthorised access to the Oracle® database. Because Oracle® Advanced Security supports third-party authentication services, there is the potential to take advantage of solutions in your existing security framework, reducing administrative overhead.
Kerberos provides the benefits of single sign-on and centralised authentication to Oracle® users. Single sign-on lets a user access multiple accounts and applications with a single password, entered during a single connection. This makes it unnecessary for users to remember multiple passwords and for security administrators to protect multiple password repositories, reducing the cost of managing user accounts. Centralised authentication means that password checking happens in one place. This makes it possible to prevent an unauthorised user from accessing all systems or to alter all access rights and privileges of an employee who is leaving the company by making one change in one place. In addition, client machines and database servers do need not to store any information that can be used to try to guess a password.
Oracle’s Kerberos implementation supports both Massachusetts Institute of Technology (MIT) and Windows Active Directory Kerberos environments, making Kerberos authentication available to application clients running on Linux, Unix and Windows.
RADIUS is a client/server security protocol widely used for user authentication, authorisation and accounting. When a user tries to access an Oracle® database, the Oracle® database server, acting as the RADIUS client, notifies the RADIUS server. The RADIUS server then authenticates the user, grants the user access to the database and logs session information, including when, how often and for how long the user was connected to the Oracle® database server.
Oracle’s RADIUS support enables you to use any authentication method that supports the RADIUS standard, including token cards and smart cards. This is especially useful for businesses that are interested in two-factor authentication, which establishes user identity based on what a user knows (password or PIN) and what a user has (smart card or token card). For example, with SecurID token authentication, each user has a token card that displays a dynamic number, which changes every sixty seconds. To gain access to the Oracle® database server, the user enters a valid pass code that includes both a PIN and the dynamic number currently displayed on the user’s SecurID card.
Client Access Control
Oracle® Net valid node checking lets you allow or deny access to an Oracle® database server based on the IP address (or host name) of the client machine making the request. You can control access to the database server by specifying either which machines are allowed access or which machines are denied access. The Oracle® listener checks the IP address or host name of the client machine and, based on the rules you define, decides to allow or deny the request.
Because node validation works at the listener level, a potential attacker does not get as far as the database, making Denial of Service (DoS) attacks more difficult. DoS is any form of attack on a system that tries to prevent legitimate users from accessing it. The most common form of attack is to overwhelm a server with connection requests that cannot be completed. This causes the server to become so busy attempting to respond to the attack that it ignores legitimate requests for connections.
To use the node validation feature, set the following sqlnet.ora (protocol.ora for Oracle® 8) parameters on the database server:
# Enable node validation
tcp.validnode_checking = YES
# Prevent these client IP addresses from
# making connections to the Oracle listener.
tcp.excluded_nodes = {list of IP addresses}
# Allow these IP addresses to connect.
tcp.invited_nodes = {list of IP addresses}
Attempts to connect to the Oracle® listener from the excluded IP addresses are blocked. For example:
/usr/local/easysoft/unixodbc/bin/isql -v ORACLE [S1000][unixODBC][Easysoft][Oracle]ORA-12537: TNS:connection closed
Protecting Oracle® Network Traffic with SSH Tunnelling
SSH provides a secure encrypted communications channel between two machines over an insecure network. A client machine can connect to an Oracle® database over a secure SSH connection by using port forwarding. SSH port forwarding provides another way to protect data privacy through encryption and safeguard against data interception and alteration.
Port forwarding is sometimes called tunnelling because the SSH connection provides a secure "tunnel" through which another TCP/IP connection may pass. Port forwarding works by mapping a local port on the client to a remote port on the server. All traffic coming to the local port is forwarded to the remote port. When you use SSH port forwarding with the Easysoft ODBC-Oracle Driver and Oracle® client, the SSH client intercepts all Oracle® Net traffic coming from the client machine, encrypts it, and transmits it to the SSH daemon running on the Oracle® database server. The SSH daemon decrypts the Oracle® Net traffic and then forwards the data to the Oracle® listener.
Oracle® Net (formerly known as Net8) is a software layer present on both the client machine and Oracle® database server that is responsible for establishing and maintaining the connection between the client application and server. When Oracle® Net is used to communicate with the Oracle® database server on a TCP/IP network, Oracle® Net traffic can be encrypted by passing it through an SSH tunnel.
Encrypting Oracle® Net traffic protects sensitive data such as social security and credit card numbers against packet sniffing.
Creating an SSH tunnel between a client machine and an Oracle® database server requires an SSH client to be present on the client machine and an SSH server to be present on the database server. No configuration is necessary on the database server.
Accessing an Oracle® Database Over an SSH Connection
The following example shows how to access an Oracle® database over an SSH connection:
- Do one of the following:
- If you are using the OCI version of the Oracle® ODBC driver (which uses the client libraries), create this data source in /etc/odbc.ini:
[ORACLE_SSH] Driver = ORACLE Database = //localhost:9901/mydb User = mydbuser Password = mydbpassword
The
Databaseattribute specifies port 9901 on the client machine rather than the usual port 1521 on the database server. - If you are using the WP version of the Oracle® ODBC driver (which does not use the client libraries), create this data source in /etc/odbc.ini:
[ORACLE_SSH] Driver = Easysoft ODBC-Oracle WP Server = localhost Port = 9901 SID = mydb User = mydbuser Password = mydbpassword
The
Portattribute specifies port 9901 on the client machine rather than the usual port 1521 on the database server.
- If you are using the OCI version of the Oracle® ODBC driver (which uses the client libraries), create this data source in /etc/odbc.ini:
- Start the SSH server on the database server.
- Before connecting to the database, set up port forwarding by initiating an SSH connection on the client machine:
ssh -L 9901:mydbhost:1521 mydbhost
The command opens an SSH connection to mydbhost and also securely forwards all network traffic from port 9901 on the client machine to port 1521 on mydbhost.
Note that the port number on the client machine does not have to be 9901. You can use any port you want, as long as it does not interfere with other services. If you try to use a privileged port, you will need to establish the SSH connection as the root user.
- Use isql to test the new data source:
cd /usr/local/easysoft/unixodbc/bin ./isql -v ORACLE_SSH
In addition to being encrypted, data passed through an SSH tunnel is automatically integrity checked and authenticated by using SSH credentials.
Integrity is the guarantee that data has not been tampered with during transmission -- the data received therefore is the same as the data that was sent. The underlying transport of SSH, TCP/IP, does have integrity checking to detect alteration that results from network problems. However, TCP/IP’s integrity checking is ineffective against deliberate tampering and can be fooled by an attacker. SSH uses cryptographic integrity checking to verify that transmitted data has not been altered.
SSH integrity checking protects against data modification and data replay attacks.
SSH uses cryptographic hash algorithms based on MD5 and SHA-1 for integrity checking: well known and widely trusted algorithms. (Note that although SSH protocol version 2 (SSH-2) uses MD5 and SHA-1 for integrity, the previous version, SSH-1, uses a comparatively weak method: a 32-bit cyclic redundancy check (CRC-32) on the unencrypted data in each packet.)
When the SSH tunnel is created, the SSH client verifies the identity of the SSH server (server authentication), and the server verifies the identity of the user requesting access (user authentication). Server authentication ensures that the SSH server is genuine and not an impostor masquerading as the SSH server. This protects against attempts by an attacker to redirect the network connection to a different machine.
