As most of the applications that are using Oracle Databases are two or three tiered, communication over network is involved. The network and its components are probably the most vulnerable area due to the increased amount of exposure. Network communication layer attacks are usually one of the hardest to detect as the majority of them do not require a direct connection to the database server, but instead are targeted towards the network traffic and the data in flight. In the following chapter we will present some of the most widely used attack and defense techniques against the Oracle network components.

This connection hijacking scenario and the proxy program used were developed by Laszlo Toth and presented at Hackactivity 2009 (http://soonerorlater.hu/index.khtml?article_id=514).The flash presentation can be viewed at http://soonerorlater.hu/flash/pytnsproxy_1.htm.

This is a classic scenario and example of a man in the middle (MITM) attack in which an interposed attacker hijacks a client connection.

For this scenario we will use three hosts: database server (noderorcl1), Oracle client (nodeorcl5), and attacker host (mitmattack). The scenario will be performed using Oracle 11.0.1.6 Enterprise Edition on all hosts. The attacker host will be configured on a virtual machine running Fedora 11 x 84 (Leonidas # 1 SMP 2.6.29.4-167.fc11.x86_64 Wed May 27 17:27:08 EDT 2009 x86_64 x86_64 x86_64 GNU / Linux). The setting up and configuration of the attacker host, mitmattack, will be covered in this recipe.

Oracle has built-in network encryption methods in its Oracle Advanced Security pack. The main advantage of using OAS encryption instead of other encryption methods is its ability to integrate and work with other Oracle security products such as Oracle Database Firewall and third-party products provided by other vendors such as IBM (InfoSphere Guardium), Imperva, and others. As a disadvantage, being a separate pack, it is expensive and requires licensing.

In case that you use unencrypted network communication, all the data flow from server to client will be sent in clear text. The only exception is the password which is sent in encrypted form during authentication. Packet interception becomes a trivial task if the attacker is located at the right place on the network and the data is transmitted unencrypted. In this recipe we will sniff and analyze the data in flight between nodeorcl5 and nodeorcl1 using Winshark. We will capture the...

Using data integrity guarantees that the packets will not be altered during transmission and reception. Data integrity can be used against replay attacks and MITM attacks, where the attacker may send crafted packets to obtain or modify different information from the database. Oracle provides SHA1 and MD5 hash functions for data integrity. Similarly with network encryption, if you want to use data integrity, an OAS license must be purchased. In the following recipe we will configure SHA1 for data integrity and we will demonstrate its utility against the Oracle Hijacking scenario.

In Oracle you also have the possibility to use SSL based encrypted transmission between clients and servers. In this recipe we will introduce Oracle wallets. As its name suggests, an Oracle wallet is a container that can hold certificates, keys, and passwords. These are used primarily for network security operations and in implementing transparent data encryption, a subject that we will cover in Chapter 3, Securing Data at Rest.

Internet Protocol Security (IPSEC) is a protocol suite developed to encapsulate security using encryption, integrity, and authentication for Internet Protocol. It operates at the Internet layer of the IP protocol and is currently supported by all major operating systems. IPSEC implementation is suitable from small to large enterprise networks and can be used as an alternative to Oracle Advanced Security encryption. In this recipe we will show how to establish an IPSEC connection between nodeorcl5 and a Windows client. On Red Hat we will use freeswan IPSEC implementation and will configure a test-like setup using prehashed keys.

Stunnel is a program that acts as a proxy that removes, wraps, and encrypts the network communication using SSL thought tunnelling. It is suitable mainly to be used by DBAs for remote database administration or for encrypting communication (log transport) with DataGuard. In this recipe we will encrypt a connection between nodeorcl5 and nodeorcl1 using stunnel.

In these days ssh is the de facto method for establishing a remote connection to a host. It can also be used to tunnel and encrypt network communication between two hosts. SSH tunneling can be implemented for encrypting network communication between a computer used by a DBA for remote database administration, but is also suitable to be used with Data Guard for encrypting log shipping. In this recipe we will encrypt the network communication between nodeorcl1 and nodeorcl5 using ssh.

Using the set lsnrctl command listener, we may dynamically change and override parameters. An attacker may use this capability for his own advantage by launching a series of DoS attacks against the database. The simplest DoS attack example is to simply stop the listener. Other DoS attacks can be produced by setting the listener trace (for example set listener trace to overwrite system01.dbf - set trc_file '/u01/HACKDB/system01.dbf')or log files to overwrite data files or redo logs, or they can be used to generate scripts in a desired location that may be used later.

Some database applications can use external dynamic libraries implemented in a language such as C or C++. Usually these external libraries are developed for performance reasons, but they can also represent a major security threat by being replaced with ones that contain malicious code. Therefore this feature must be used with maximum precaution.

The listener process allows executing external programs using a dedicated program named extproc, which is located by default at $ORACLE_HOME/bin. The access to these external libraries can be configured within the listener configuration file listener.ora.

The following is a configuration example from listener.ora that allows executing a specific library:

  (SID_LIST =
    (SID_DESC =
      (SID_NAME = CLRExtProc)
      (ORACLE_HOME = /u01/app/oracle/product/11.2.0/db/)
      (PROGRAM = extproc)
      (ENVS = "EXTPROC_DLLS=ONLY:/home/oracle/appclrso.so")
    )
  )

The corresponding entry for extproc from...

The usage of the valid node checking security feature is very similar to the TCP wrappers presented in Chapter 1, Operating System Security. Using this capability, you can deny or the allow connecting clients based on IP address or hostname.