Database Reference
Oracle TNS listener security
You can improve the security of the database by restricting the IP addresses or the
network nodes that the database communicates with. Valid node checking allows
or denies access from specified IP addresses to Oracle services. In order to enable
valid node checking, set the following parameters:
$TNS_ADMIN/sqlnet.ora:
tcp.validnode_checking = YES
tcp.invited_nodes = ( X.X.X.X, hostname, ... )
tcp.excluded_nodes = ( hostname, X.X.X.X, ... )
The first parameter turns on valid node checking. The latter two parameters
respectively specify the IP addresses or hostnames that are permitted to make or
are denied from making network connections to Oracle services. Replace X.X.X.X
with the IP addresses of the middle tiers. Middle-tier applications include web servers,
forms servers, reports servers, concurrent managers, and Discoverer.
Note that you can also enable valid node checking through AutoConfig, which
sets these parameters for you.
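The following check is an added example, not code from the original text or from Oracle: it parses a sqlnet.ora and compares the valid node checking settings against the list of middle-tier hosts you expect. The sample file, its addresses and the function names are constructed for illustration; the last finding relies on Oracle's documented behavior that tcp.invited_nodes takes precedence when both lists are present.

```python
import re

# Constructed sample sqlnet.ora; addresses are documentation-range placeholders.
SAMPLE = """\
# sqlnet.ora (constructed sample)
TCP.VALIDNODE_CHECKING = yes
tcp.invited_nodes = ( 192.0.2.10, apps01.example.com,
                      192.0.2.99 )
tcp.excluded_nodes = ( 198.51.100.7 )
"""

def parse_sqlnet(text):
    """Return {lowercased parameter: value}; joins indented continuation lines."""
    params, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if raw[0].isspace() and current:          # continuation of previous value
            params[current] += " " + line.strip()
        elif "=" in line:
            name, value = line.split("=", 1)
            current = name.strip().lower()
            params[current] = value.strip()
    return params

def node_list(value):
    """Split '( a, b, c )' into ['a', 'b', 'c'], lowercased."""
    return [n.lower() for n in re.split(r"[,\s]+", value.strip("() \t")) if n]

def audit(text, expected_nodes):
    """Return findings; an empty list means the file matches the expected allowlist."""
    p, findings = parse_sqlnet(text), []
    # The text sets YES; any other spelling is reported for manual review.
    if p.get("tcp.validnode_checking", "").lower() != "yes":
        findings.append("tcp.validnode_checking is not set to YES")
    invited = node_list(p.get("tcp.invited_nodes", ""))
    if not invited:
        findings.append("tcp.invited_nodes is empty or missing")
    expected = {n.lower() for n in expected_nodes}
    findings += [f"unexpected invited node: {n}" for n in invited if n not in expected]
    findings += [f"expected node not invited: {n}" for n in sorted(expected - set(invited))]
    if invited and "tcp.excluded_nodes" in p:
        findings.append("tcp.excluded_nodes is set but tcp.invited_nodes takes precedence")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, ["192.0.2.10", "apps01.example.com"]):
        print(finding)
```
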
Oracle database security
A good database hardening step is to remove services, ports, and other
mechanisms for reaching the database that are not needed. Some examples include:
Disable XDB: In order to support XDB, the TNS Listener process listens on
two additional TCP ports: 2100 for FTP access and 8080 for HTTP access.
Oracle E-Business Suite does not require these services; they should
be disabled.
In order to disable XDB, remove or comment out the line in init.ora that
reads as follows:
*.dispatchers='(PROTOCOL=TCP) (SERVICE=sidXDB)'
Review database links: Review database links in both production and
development environments.
Application tier
At the applications tier, we can harden the system by restricting access to the
administrative web pages and by changing or disabling the seeded accounts.