Databases Reference
In-Depth Information
used to access your data, what database drivers are being used, which
versions they are using, and more. This knowledge is invaluable; it allows
you to segment connections based on the application and, therefore,
distinguish between access points such as application server versus
developers using various tools, and even users using rogue or ad hoc
applications. Moreover, you can correlate this information with location
information and understand who is using which tool, from which network
node, and what they are doing. For example, in Figure 3.2, the access
diagram not only shows you the node on the network from which the request
is coming but also which application made the request.

Tracking the applications and tools that are used to initiate database
connections is one of the most overlooked areas in database security and
auditing, but also one that is being adopted quickly. Reasons for adoption
include the following:
1. Knowing which tools and versions are being used allows you to
   address points of vulnerability.
2. Knowing which tools and versions are being used allows you to
   comply with IT governance initiatives.
3. Comparing the set of tools being used with the network location
   allows you to alert on questionable changes.
4. Classification allows you to make sure that company and application
   processes are being adhered to.

Getting a full list of applications and tools touching your database is
important from both a security and a governance perspective. From a
security perspective, it allows you to eliminate points of vulnerability
that can exist on the database client side and/or in the database drivers.
As an example, Oracle security alert number 46
(www.oracle.com/technology/deploy/security/pdf/2002alert46rev1.pdf)
discusses a buffer overflow vulnerability that exists in iSQL*Plus in
Oracle 9i (releases 9.0.x, 9.2.0.1, 9.2.0.2). The vulnerability allows an
attacker to exploit a buffer overflow condition to gain unauthorized
access. If you track what tools and applications are being used in your
environment, you can decide whether you want to apply the available patch
or whether you will “outlaw” the use of iSQL*Plus and revert to SQL*Plus
(which does not have this vulnerability). Another such example involving
iSQL*Plus is CERT vulnerability note VU#435974
(www.kb.cert.org/vuls/id/435974).
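
As an added illustration (not code from the book), the Python sketch below applies reasons 1 and 3 to connection records: it builds a per-node baseline of tools and flags iSQL*Plus releases the alert lists as affected, connections from unknown nodes, and tools that are new to a known node. The record layout, node addresses, tool names other than SQL*Plus and iSQL*Plus, and all function names are assumptions, and the sample records are constructed.

```python
# Constructed sample data: (client_node, program, version) per observed connection.
BASELINE = [
    ("10.1.1.20", "appserver-jdbc", "9.2.0.4"),
    ("10.1.1.20", "appserver-jdbc", "9.2.0.4"),
    ("10.1.5.31", "SQL*Plus", "9.2.0.4"),
]
TODAY = [
    ("10.1.1.20", "appserver-jdbc", "9.2.0.4"),  # matches the baseline
    ("10.1.1.20", "SQL*Plus", "9.2.0.4"),        # ad hoc tool on the app server node
    ("10.1.5.31", "iSQL*Plus", "9.2.0.1"),       # release listed as affected
    ("10.1.9.77", "Excel-ODBC", "3.52"),         # node never seen before
]

# Releases the text lists for iSQL*Plus; a trailing "." means prefix match (9.0.x).
AFFECTED = {"iSQL*Plus": ("9.0.", "9.2.0.1", "9.2.0.2")}


def build_baseline(records):
    """Map each network node to the set of programs normally seen from it."""
    tools_by_node = {}
    for node, program, _version in records:
        tools_by_node.setdefault(node, set()).add(program)
    return tools_by_node


def is_affected(program, version):
    """True if this tool and release appear in the AFFECTED table."""
    return any(
        version.startswith(p) if p.endswith(".") else version == p
        for p in AFFECTED.get(program, ())
    )


def review(records, baseline):
    """Return (node, program, version, finding) for connections needing attention."""
    findings = []
    for node, program, version in records:
        if is_affected(program, version):
            findings.append((node, program, version, "affected-version"))
        elif node not in baseline:
            findings.append((node, program, version, "unknown-node"))
        elif program not in baseline[node]:
            findings.append((node, program, version, "new-tool-for-node"))
    return findings


if __name__ == "__main__":
    for finding in review(TODAY, build_baseline(BASELINE)):
        print(finding)
```

In practice the records would come from whatever session or audit source reports the client program and host for each connection.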
 