Oracle英文版培訓(xùn)課件之Security：L16-Net

OracleNetServices:

SecurityChecklistsObjectivesAftercompletingthislesson,youshouldbeabletodothefollowing:Describetheitemsontheclient,listener,andnetworksecuritychecklistsSecureadministrationofthenetworkRestrictaccessbyIPaddressEncryptnetworktrafficOverview:SecurityChecklistsThefollowingaresecuritychecklists:ClientchecklistNetworkchecklist:SecuretrafficSecureadministrationUsefirewallsListenerchecklist:LimitlistenerprivilegesSecureadministrationMonitoractivityClientChecklistInternetaccesstosecuredatarequiresuserauthentication,ratherthanclient-computerauthentication.Theoptionsare:Bypassclient-computerconfigurationandrelyonuserauthenticationtoamiddletier.Configuretheclientcomputer:AuthenticationAuthorizationAdministerclientcertificates.Educateusers.SecuringtheClientComputerWhytheclientcomputercannotbesecured:IPaddressescanbespoofed.Theclientoperatingsystem(OS)isseldomsecure.Theclientcomputerisseldomphysicallysecure.WhentheclientOScannotbesecured:UsermustauthenticatetothedatabaseDisableREMOTE_OS_AUTHENTICATION

tothedatabaseConfiguretheclientcomputertouse:CertificatesEncryptionChecksummingConfiguringtheBrowserBrowsersincludethefollowingsecurityfeatures:SSLencryptionbyusingtheHTTPSprotocolCertificateauthorization:ClientServerConfiguringtheClientConfigureclientcomputerstouseOracleAdvancedSecurityfeatureswithOracleNetServices:NativeencryptionSSLauthenticationbyusingcertificatesSSLencryptionUsingCertificatesConsiderationswhenusingcertificatesforauthentication:Distinguishednameandissueruniquelyidentifytheuser.Testforexpiringcertificates.Usecertificatereissuestoupdatecertificateinformation.Auditcertificaterevocations.NetworkSecurity:ChecklistUseafirewall.RestrictIPaddresses.Encryptnetworktraffic.PreventremoteadministrationofConnectionManager(CMAN).Usenetworklogfilestomonitorconnections.UsingaFirewalltoRestrict

NetworkAccessApplicationWebserverDatabaseserverClientcomputersFirewallFirewallRestrictingNetworkIPAddresses:

ValidNodeCheckingSetthefollowingSQLNET.ORAparameters:Turnonthefeature:Denyaccessfromthesenodes:Allowaccessfromthesenodes:tcp.excluded_nodes=4tcp.invited_nodes=(46,47)tcp.validnode_checking=YESRestrictingNetworkIPAddresses:

GuidelinesNetworkIPrestrictionscanhelpsecureaccesstoyourserver.Considerthefollowingguidelines:DonotuseIPrestrictionsasyouronlysecurity.IPaddressescanbespoofed.UseConnectionManagertolimitaccessbynode.Limitaccessbyprotocol.Protectdispatcherports.IPrestrictionsdonotpreventconnectionstothedispatcher.ConfiguringIPRestrictions

withNetManagerRestrictingOpenPortsLimitopenportstoneededapplications:Openportsarenetwork-attackopportunities.Knowwhichportsareopenonyourcomputer.Findopenports:Oracleproductinstallationportsinportlist.iniListenerportsinlistener.oraCMANportsbyusing:CMCTL-c<cman_name>SHOWSERVICESDispatcherportsbyusinglsnrctlservicesOtherportsbyusingnetstatornmapEncryptingNetworkTrafficGuideline:Encryptsensitivenetworktraffic.Tasks:UseHTTPSwhensendingsensitivedatabetweentheclientcomputerandtheserver.UseSSLornativeencryptiontoencryptOracleNetServicestraffic.UsetheTCPSprotocolforTCP/IPwithSSL:...(ADDRESS=(PROTOCOL=tcps)...End-to-EndEncryptionEncryptWewillgopubliconWednesday.Decryptfdh37djf246gs’b[da,\sskWewillgopubliconWednesday.ComputerAComputerBChecksummingComputerAComputerBWewillAgopub-B-liconCWedn-esdayDWewillgopubliconWednesday.WewillgopubliconWednesday.OracleNetServicesLogFilesDatabaseserverCMADMINprocessCMGWprocesssqlnet.loglistener.log<name>_cmadm_pid.log<name>_cmgw_pid.logListenerCMANlistener<name>_pid.logSummary