Database-specific features (e.g., Oracle Advanced Security)
Connection-based methods (e.g., using the Secure Sockets Layer [SSL])
Secure tunnels (e.g., using Secure Shell [SSH] tunnels)
Relying on the operating system (e.g., IPSec encryption)
These examples cover the spectrum, starting with database-specific
techniques all the way to general operating system facilities. The more
generic the method, the less work you need to do—relying on the fact that
someone else has already done the work for you. Note that in all but the
first category, encryption of data in transit is based on industry standards
and does not depend on your database vendor. Also note that although
most methods encrypt the entire communication stream, that is not always
necessary. What you really want to encrypt are data values, and encrypting
the entire stream may conflict with other network-based security solutions
you choose to deploy. This advanced capability is not supported by all
database environments and is certainly not possible if you choose one of
the lower-level techniques, which have no understanding of the specifics of
what is being communicated between the database client and the server. As
a result, all of the options described in the following sections encrypt the
entire communication stream.
Oracle Advanced Security
Oracle Advanced Security (previously called Advanced Networking
Option) is a package of enhancements that supports network encryption.
Depending on the release you use and your licensing agreement, this
package can be an extra cost (i.e., it is another line item that you may have
to pay extra for) and is available only for the Enterprise Edition of the
database. This option can therefore be expensive (especially when compared
with some of the other options to follow, which are basically free),
perhaps explaining why it has never gained widespread adoption among
Oracle users.
When you use Oracle Advanced Security, the listener initiates an
encryption negotiation sequence during the handshake phase whenever a
client asks for a connection. During this encryption negotiation phase, the
client tells the server which encryption methods it supports. The server
compares this with the encryption methods it has available. If there is a
nonempty intersection, the server picks a method based on the preferred
methods defined by its configuration. If the intersection is empty (meaning
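The negotiation just described (client offers its methods, server intersects them with its own list and selects by its own preference order) can be modeled in a few lines. The following is an added illustration, not Oracle's code: the method names are illustrative placeholders, the ordering rule is the one the text states, and the function simply reports an empty intersection as None because what the server does in that case depends on configuration that this passage does not cover. The audit helper is the check a defender would want: it lists every method a client could steer the connection down to if the server's configured list still contains anything outside the approved set.

```python
"""Simplified model of the encryption-negotiation handshake described in the text.

Added example; not vendor code. Method names below are illustrative only.
"""
from typing import Iterable, List, Optional, Sequence

# Server-side list, ordered most-preferred first (assumed configuration).
SERVER_PREFERENCE: List[str] = ["AES256", "AES128", "3DES168"]


def negotiate(client_methods: Iterable[str],
              server_methods: Sequence[str] = SERVER_PREFERENCE) -> Optional[str]:
    """Return the method the server selects, or None if nothing is in common.

    The client's own ordering is ignored on purpose: per the text, the server
    picks from the intersection using *its* configured preference order.
    """
    offered = set(client_methods)          # what the client said it supports
    for method in server_methods:          # walk the server's preference list
        if method in offered:              # first common method wins
            return method
    return None                            # empty intersection: no agreement


def audit_server_list(server_methods: Sequence[str],
                      approved: Iterable[str]) -> List[str]:
    """List configured methods that are outside the approved set.

    Any method returned here can be selected by a client that offers only
    that method, so a hardening review should remove it from the server list.
    """
    allowed = set(approved)
    return [m for m in server_methods if m not in allowed]


if __name__ == "__main__":
    # Constructed client offers, in the order a client might send them.
    for offer in (["3DES168", "AES256"], ["3DES168"], ["RC4_40"]):
        print(offer, "->", negotiate(offer))
    print("outside policy:", audit_server_list(SERVER_PREFERENCE, {"AES256", "AES128"}))
```

Running the block shows that a client listing 3DES168 before AES256 still gets AES256, because server order decides; a client offering only 3DES168 gets 3DES168, which is exactly the downgrade the audit helper flags when 3DES168 is not on the approved list.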