Oracle Database 11g Firewalls


    8/10/2019 Oracle Database 11g Firewalls

    1/40

    Working with Firewalls

    Learning Objective

    After completing this topic, you should be able to

    recognize how firewalls are used

    1. Using firewalls

    To eliminate potential weak points in the network infrastructure, you can choose to pass data from one protocol to another without the complexity of decryption and reencryption. To do so securely, you must have some way to securely transfer data across network protocol boundaries.

    You can connect your corporate intranet to a broad public network by using the Internet. Although this capability provides enormous business advantages, it also entails risk to your data and your computer system. One way of protecting the privacy and integrity of your system is to place a firewall between the public network and your intranet.


    A firewall is a single point of control on a network, used to prevent unauthorized clients from reaching the server. It acts as a filter, screening out unauthorized network users from using the intranet. It does this by enforcing access control based on the contents of the packets of data being transmitted. It can thus protect against attacks on individual protocols or applications.

    Firewalls are rule based. They have a list of rules that define which clients can connect and which cannot. They can compare the client's host name or IP name with the rules, and either grant the client access or not.

    A firewall can refer to a single physical device or, more often, to several network devices used together.

    Network architecture can be divided into three regions. On one side is the Internet, on the other is the corporate intranet, and between them is the demilitarized zone, also known as DMZ, which is separated from both by firewalls. The firewalls block or allow data transfers on the basis of IP address, port, protocol type, or some combination of these.

    The servers in the DMZ are called bastion hosts. They are well-fortified servers running initial-point-of-contact protocols, such as HTTP or Simple Mail Transfer Protocol, commonly known as SMTP. They are set up with the expectation that outsiders will attempt to break into them. Special care is taken to ensure that break-ins are difficult. If a break-in occurs, there should be good fault containment.

    It should be noted that outgoing requests are handled differently and have different policies than incoming requests. Thus, a reasonable policy may be to allow outgoing HTTP requests but no incoming HTTP requests.

    When you follow the prescribed guidelines of this architecture, it provides two benefits

    Internet clients are denied access to computers on the intranet, and

    Internet clients cannot fraudulently identify themselves as computers located in the intranet or DMZ

    There are certain guidelines for using the recommended architectures in the Internet environment. These guidelines include

    allow only those protocols and ports through the exterior firewall that are required and have a business justification

    Incoming messages originating outside the firewall are allowed to contact only DMZ machines. The interior firewall allows only messages originating on DMZ machines to access the intranet, and often only to access specific servers.

    allow outgoing messages only through proxies on DMZ

    This guideline simplifies the firewall rules: no intranet-to-Internet traffic; traffic only from DMZ to Internet and only from intranet to DMZ.

    don't store information about DMZ that is sensitive or can be written back to the information of record, and

    Assume that the DMZ servers will be compromised at some time, and make provisions to rapidly detect the breach and to sanitize and restore DMZ hosts.

    keep the database server behind a firewall

    Oracle Net, formerly known as Net8 and SQL*Net, offers support for a variety of firewalls from various vendors. Oracle collaborates with firewall vendors to provide Oracle Net support. Contact your firewall vendor for current information.

    Question

    When positioning servers within firewalls, what should be considered?


    Stateless firewalls look only at the TCP packet header; these rules examine source, destination, port, and packet state. The state of the connection is not known. This allows an outside user to probe through your firewall by sending acknowledge, commonly referred to as ACK, packets to IP addresses inside your firewall. There is no record kept of requests or open connections for the firewall to check for valid ACK packets.

    stateful, and

    Stateful firewalls are the most common.


    Learning Objective

    After completing this topic, you should be able to

    configure Oracle Connection Manager

    1. Introducing Oracle Connection Manager

    The problem with using Oracle Connection Manager (a proxy server), commonly known as CMAN, as a firewall is that the Oracle instance creates dedicated user connections on seemingly random ports. By default, the dispatchers start on high-numbered available ports. It is very hard to predict which ports are going to be used. Because administrators need to know the ports that will be used to configure the firewall, the needed ports are most often blocked.

    To solve this problem, configure CMAN inside the firewall to accept incoming traffic on a single or a few predefined ports. CMAN then redirects the traffic to the proper listener or dispatcher ports on the database server.

    CMAN is a software component that resides on its own computer, separate from a client or an Oracle Database server. It is a proxy for requests destined for the database server.

    You can also configure CMAN to multiplex sessions, control access, or convert protocols.

    Rule-based configuration can be used to provide access control and filter client requests. When configured for session multiplexing, CMAN funnels multiple sessions through a single transport protocol connection to a particular destination. This enables the database server to use few connection end points for incoming requests.

    CMAN enables a client and an Oracle Database server that have different networking protocols to communicate with each other.

    Note

    You must perform a custom installation when using Oracle Universal Installer to install CMAN. Oracle provides a version of CMAN to partner firewall vendors who want to provide Oracle Net support in their products.

    CMAN has three components. They are

    listener process

    The listener receives client connections and evaluates against a set of rules whether to deny or allow access. If it allows access, the listener forwards a request to a gateway process, selecting the one with the fewest connections. The listener process is also used for dynamic registration.

    gateway (CMGW) process, and

    The CMGW process forwards the request to another CMAN or directly to the database server, relaying data until the connection terminates. If a connection to the server already exists, the gateway multiplexes or funnels its connections through the existing connection.

    administrative (CMADMIN) process

    CMADMIN is a multithreaded process that performs administrative functions. It monitors the health of the gateway processes and the listener, shutting down or starting up processes as needed. In addition, it registers the location and load of the gateway processes with the listener, and it answers requests from the CMAN Control utility.

    Question

    Which CMAN process forwards requests to the next relay if access is allowed?

    Options:

    1. Listener process

    2. Gateway process

    3. Administrative process

    Answer

    Option 1: This option is incorrect. The listener process receives client connections, uses rules to evaluate connections and determine whether to allow access, and is used for dynamic registration.

    Option 2: This option is correct. The gateway process CMGW forwards requests to the next relay if access is allowed and also multiplexes client connections.

    Option 3: This option is incorrect. The administrative process CMADMIN is a multithreaded process that performs administrative functions, such as monitoring the health of other processes.

    Correct answer(s):

    2. Gateway process

    The three processes are started with the CMAN Control utility.

    This flow chart depicts the seven steps for CMAN startup and connection processing

    1. the administrative process (CMADMIN) registers with the listener

    2. the gateway process (CMGW) registers with CMADMIN, and CMADMIN forwards the gateway registration and load information to the listener

    3. the PMON database instance process registers with the CMAN listener

    4. all client connection requests are handled by the listener

    5. the listener forwards the connection to the least-loaded gateway process

    6. the listener denies access to one of the clients on the basis of rules, and

    7. the two client connections that are allowed are multiplexed through a single network protocol connection to the database server

    You can allow or restrict client access to a server by using filtering rules, based on four criteria

    source host names or IP addresses for clients

    destination host names or IP addresses for servers

    destination database service names, and

    client use of Oracle Advanced Security

    Access control filtering is specified through the CMAN_RULES parameter in the cman.ora file. The cman.ora file is located in these directories in


    accepting access

    . "onfiguring "&A/

    5onfiguring 5)A& is a three'step process

    . configure the cman.ora file on the 5)A& computer

    7. configure the database instances to register with the 5)A& listener, and

    8. configure clients with the protocol addresses of 5)A& and the listener

    The cman.ora file specifies listening endpoints for the server, the route path for 5)A&,access control rules, and 5)A& performance parameters. This file is located in thesedirectories in


    "o e

    CMAN= ADDRESS= PROTOCOL=tcp! "OST=e#$%&'(n)! PORT=)*+)!!

    Then use the access control rule list to specify which connections are allowed. +pecifythis information by using the CMAN_RULES parameter.

    "o e

    CMAN_RULES= RULE_LIST= RULE= SRC=-o't! DST=-o't!SR ='erv%ce_name '%#! ACT=accept re0ect #rop!!

    1 RULE= ...!2!

    5)A& does not support wildcards for partial I% addresses. If you use a wildcard, use it inplace of a full I% address. The I% address of the client can, for example, be SRC=3! .

    5)A& supports only the /nn notation for subnet addresses. In +45.5+.++5.6+/+78 /+7 represents a subnet mask that comprises the 7> leftmost bits.

    This means that only the first 7> bits in the client@s I% address are compared with the I%address in the rule.
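    The matching behaviour just described, as an added example in Python (not Oracle's or the course's code): a small evaluator for CMAN_RULES entries that compares only the first nn bits of the client address for a /nn source, accepts '*' only in place of a whole address, and returns the matching rule's ACT. The sample rule list, the first-match order and the reject-by-default fallback are assumptions of this simulation, not documented CMAN behaviour.

```python
"""Toy evaluator for CMAN_RULES access filtering (added example, not Oracle code).

Models the matching described in the text: SRC/DST are host names or IP
addresses, '*' is only allowed in place of a whole address, and 'a.b.c.d/nn'
compares only the nn leftmost bits of the client address. Assumptions of
this simulation: rules are tried in order, the first match decides, and a
connection matching no rule is rejected.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List

# One (RULE=(SRC=..)(DST=..)(SRV=..)(ACT=..)) entry; the inner groups carry no nested parens.
RULE_RE = re.compile(r"\(RULE=\s*((?:\([^()]*\)\s*)+)\)")
ATTR_RE = re.compile(r"\((\w+)=([^()]*)\)")


@dataclass
class Rule:
    src: str
    dst: str
    srv: str
    act: str  # accept | reject | drop


def parse_rules(cman_rules: str) -> List[Rule]:
    """Extract the RULE entries from a CMAN_RULES parameter value."""
    rules = []
    for body in RULE_RE.findall(cman_rules):
        attrs = {k.upper(): v.strip() for k, v in ATTR_RE.findall(body)}
        rules.append(Rule(attrs["SRC"], attrs["DST"], attrs["SRV"], attrs["ACT"].lower()))
    return rules


def address_matches(pattern: str, address: str) -> bool:
    """Match one SRC/DST pattern against a client or server host name / IP address."""
    if pattern == "*":                       # wildcard standing in for the full address
        return True
    if "*" in pattern:                       # e.g. 206.62.*: partial wildcard, unsupported
        raise ValueError(f"partial wildcards are not supported: {pattern}")
    if "/" in pattern:                       # /nn: compare only the nn leftmost bits
        network = ipaddress.ip_network(pattern, strict=False)
        try:
            return ipaddress.ip_address(address) in network
        except ValueError:                   # a host name cannot be subnet-matched
            return False
    return pattern.lower() == address.lower()  # exact host name or IP match


def evaluate(rules: List[Rule], src: str, dst: str, srv: str) -> str:
    """Return the ACT of the first matching rule, or 'reject' if none matches."""
    for rule in rules:
        if (address_matches(rule.src, src) and address_matches(rule.dst, dst)
                and rule.srv in ("*", srv)):
            return rule.act
    return "reject"  # assumption: a connection matching no rule is refused


# Constructed sample rule list: the /27 subnet from the text, then a catch-all drop.
SAMPLE_CMAN_RULES = """
CMAN_RULES=(RULE_LIST=
  (RULE=(SRC=206.62.226.32/27)(DST=sales-db)(SRV=sales.example.com)(ACT=accept))
  (RULE=(SRC=*)(DST=sales-db)(SRV=*)(ACT=drop)))
"""
SAMPLE_RULES = parse_rules(SAMPLE_CMAN_RULES)

if __name__ == "__main__":
    for client in ("206.62.226.40", "206.62.226.64", "10.0.0.1"):
        print(client, "->", evaluate(SAMPLE_RULES, client, "sales-db", "sales.example.com"))
```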

    The CMAN_PROFILE parameter is used to set attributes for CMAN.

    The two CMAN_PROFILE parameters relating to security are

    AUTHENTICATION_LEVEL and

    The AUTHENTICATION_LEVEL parameter specifies the level of security. This parameter has the value to reject connect requests that are not using Secure Network Services, commonly known as SNS. SNS is a part of Oracle Advanced Security. At the default value, AUTHENTICATION_LEVEL does not check for SNS between the client and the server.

    LOG_LEVEL

    The LOG_LEVEL parameter specifies the level of logging performed by CMAN. This parameter accepts four log levels: off, user, admin, and support. Off is the default.

    The REMOTE_ADMIN parameter determines whether remote access to CMAN is allowed.

    The following two values are valid

    Code

    CMAN_PROFILE=(PARAMETER_LIST=(REMOTE_ADMIN=NO))


    The YES value allows access from a remote CMAN Control utility session to CMAN.

    The NO value allows access only to the local CMAN. This value prevents session access to CMAN by a user that is running a remote CMAN Control utility.

    3. Allowing or denying access

    A rule must also exist allowing connections from the node where the cmctl command is issued to the cmon service.

    You can use the access control rule list to specify which connections are accepted, rejected, or dropped. You can specify this information by using the CMAN_RULES parameter, which filters a connection or group of connections.

    Syntax

    CMAN_R


    You then perform the following steps to complete the process of configuring a protocol address for CMAN

    1. On the Protocol Settings page, specify the parameter information for the selected protocol and click Next. You specify the parameter information (host name and port number) in the Host Name and Port Number fields respectively.

    To communicate with the database using the TCP/IP protocol, the database computer's host name is required. Enter the TCP/IP host name for the computer where the database is located.

    A TCP/IP port number is also required. The port number for Oracle databases is usually 1521. You should not normally need to specify a different port number.

    2. On the Service page, specify the release and enter the name of the destination database service. Click Next. Do not test the connection at this time. To identify the database or service you must provide either its service name, for Oracle8i 8.1 or later, or system identifier (SID


    address is TCP port 1521, and not the default local listening address of TCP port 1521, you must specify an alias by using the REMOTE_LISTENER parameter.

    Code

    REMOTE_LISTENER=cman_list

    After the alias is specified, it must be resolved with a service name entry in the tnsnames.ora file. For example, this is the code for an alias for a CMAN listener located at prox


    Code

    aso_authentication_filter    OFF
    connection_statistics        OFF
    event_group                  OFF
    log_directory                /home/oracle/network/log
    log_level                    USER
    max_connections              256
    idle_timeout                 0
    inbound_connect_timeout      0
    session_timeout              0
    outbound_connect_timeout     0
    max_gatewa


    By setting the log level in the CMAN configuration file, you can enable CMAN to log connection events.

    This is the command for setting logging.

    Code

    cman.ora Log Parameters
    LOG_DIRECTORY = <path>

    The LOG_DIRECTORY parameter sets the location of the log file directory. It is set in the profile of the cman.ora file. The LOG_LEVEL parameter establishes the level of logging.

    Four levels are supported by the LOG_LEVEL parameter

    Code

    LOG_LEVEL = level

    off: for no logging

    Code

    LOG_LEVEL = off

    user: for user log information

    Code

    LOG_LEVEL = user

    admin: for administrative log information, and

    Code

    LOG_LEVEL = admin

    support: for Oracle Support Services log information

    Code

    LOG_LEVEL = support

    You can select off to capture a minimum amount of log information. Select support to capture a maximum amount of log information.


    Three log files are generated by CMAN

    <cman_name>_cmgw_pid.log for the gateway process

    <cman_name>_cmadm_pid.log for the administrative process, and

    <cman_name>_pid.log for the listener process

    In the gateway process files cman_pid.log in


    The PRODUCT_USER_PROFILE, commonly known as P


    The query is the following:

    SQL> SELECT product, 2 userid, 3 attribute, 4 char_value 5 FROM product_user_profile;

    The output of the query is a table listing the product, userid, attribute, and char_value details in the four columns: PRODUCT, USERID, ATTRIBUTE, and CHAR_VALUE.

    Code

    SQL> SELECT product,
      2  userid,
      3  attribute,
      4  char_value
      5  FROM product_user_profile;

    PRODUCT    USERID ATTRIBUTE  CHAR_VALUE
    ---------- ------ ---------- ----------
    SQL*Plus   HR     INSERT     DISABLED
    SQL*Plus   SH     ROLES      HR_CLERK
    SQL*Plus   SH     SET ROLE   DISABLED

    SQL>

    The HR user cannot perform the INSERT command. This is indicated based on the first row values in the table. The value of the product is SQL*Plus, userid is HR, attribute is INSERT, and char_value is DISABLED.

    Code

    SQL> SELECT product, 2 userid, 3 attribute, 4 char_value 5 FROM product_user_profile;

    PROD


    SQL> desc product_user_profile
     Name                 Null?    T


    CHAR_VALUE

    The CHAR_VALUE column can contain the character string DISABLED, which is used to disable a SQL, SQL*Plus, or PL/SQL command. CHAR_VALUE can also contain the role name that is used to disable a role.

    For rows related to SQL*Plus, set these columns to N


    Option 1: This option is incorrect. The PRODUCT column contains the name of the product to which the row applies.

    Option 2: This option is incorrect. The USERID column is the username, in uppercase, of the user to whom you want the row to apply.

    Option 3: This option is correct. The ATTRIBUTE column can contain the name of the command to disable or the character string ROLES to disable a role.

    Option 4: This option is incorrect. The CHAR_VALUE column can contain the character string DISABLED or the role name.

    Correct answer(s):

    3. ATTRIBUTE

    2. Disabling commands and roles

    and EXECUTE. The SQL commands you can disable include SET ROLE, REVOKE, ALTER, NOAUDIT, UPDATE, AUDIT, CONNECT, SELECT, LOCK, and DELETE. The PL/SQL commands you can disable are BEGIN and DECLARE.


    Answer

    Option 1: This option is incorrect. You can disable the COPY command with the PUP table, but this is a SQL*Plus command and not a SQL command.

    Option 2: This option is correct. Using the PUP table, you can disable the SQL SET ROLE command. You can also disable other SQL commands, including ALTER, DELETE, NOAUDIT, and UPDATE.

    Option 3: This option is incorrect. You can disable the BEGIN command with the PUP table, but this is a PL/SQL command and not a SQL command.

    Option 4: This option is correct. Using the PUP table, you can disable the SQL REVOKE command. You can also disable other SQL commands, including AUDIT, CONNECT, SELECT, and LOCK.

    Correct answer(s):

    2. SET ROLE

    4. REVOKE

    Disabling certain SQL*Plus commands can result in the following consequences

    HOST also disables your operating system's alias for HOST, such as on ECUTE command.

    Preventing a user from executing INSERT is an example of disabling a command. The SYSTEM user owns the P


    SQL> INSERT INTO product_user_profile
      2  VALUES ('SQL*Plus', 'HR', 'INSERT',
      3  NULL, NULL, 'DISABLED', NULL, NULL);

    1 row created.

    SQL> CONNECT hr/******
    Connected.
    SQL> INSERT INTO jobs VALUES ('C', 'C', 0, 0);
    SP2-0544: invalid command: insert

    To allow the HR user to execute INSERT from SQL*Plus, delete the row with the restriction.

    Code

    SQL> CONNECT s


    You must use only PUBLIC or in the USERID column for roles that are granted to PUBLIC. If you try to disable a role that has not been granted to a user, none of the roles for that user are disabled.

    To re-enable roles, delete the row containing the restriction.

    Code

    SQL> SET ROLE ALL EXCEPT HR_CLERK

    To ensure that users do not use the SET ROLE command to change their roles after login, disable the SET ROLE command.

    You must also disable the PL/SQL DECLARE and BEGIN commands and the SQL*Plus EXECUTE commands to prevent application users from enabling application roles through a PL/SQL block.

    Disabling these commands allows the SQL*Plus user only those privileges that are associated with the roles that are enabled when they start SQL*Plus.

    This example explains the five steps involved in disabling a role HR_CLERK for the SH user

    Code

    SQL> CONNECT s


    2. grant the HR_CLERK role to the SH user

    Code

    SQL> CONNECT system/*******
    Connected.
    SQL> GRANT hr_clerk TO sh;

    Grant succeeded.

    3. test the grant of the HR_CLERK role to the SH user

    Code

    SQL> CONNECT sh/*****
    Connected.
    SQL> SELECT * FROM hr.jobs
      2  WHERE job_title = 'Programmer';

    JOB_ID     JOB_TITLE  MIN_SALARY MAX_SALARY
    ---------- ---------- ---------- ----------
    IT_PROG    Programmer 4

    4. disable the HR_CLERK role when the SH user connects to SQL*Plus, and

    Code

    SQL> CONNECT system/*******
    Connected.
    SQL> INSERT INTO product_user_profile
      2  VAL


    ORA-01979: missing or invalid password for role 'HR_CLERK'

    This example explains the steps involved in disabling SET ROLE.

    Code

    SQL> connect s
    SQL> CONNECT sh/******
    Connected.
    SQL> SELECT * FROM hr.jobs
      2  WHERE job_title = 'Programmer';
    SELECT * FROM hr.jobs
    *
    ERROR at line 1:
    ORA-

    SQL> SET ROLE hr_clerk;
    SP2-0544: invalid command: set role

    This code segment ensures that the SH user cannot execute the SET ROLE command.

    There are five guidelines that determine how the P


    Option 2: This option is correct. The SELECT privilege is granted to PUBLIC on the PUP table, which allows all users to view the restrictions that are applicable to themselves.

    Option 3: This option is incorrect. SQL*Plus reads the PUP table when a user logs in to SQL*Plus. Therefore, changes to the PUP table take effect only the next time the affected users log in to SQL*Plus.

    Option 4: This option is correct. The PUP table applies only to the local database. If accessing a remote database with a database link, the remote database cannot extract the username from the database link to determine the current user.

    Correct answer(s):

    2. The SELECT privilege is granted to PUBLIC on this table

    4. It applies only to the local database

    Summary

    In this topic, you've learned how the P


    NULL, NULL, 'HR_EMP_MGR', NULL, NULL) and include this clause on a separate line. Commit the changes when complete. Then connect as PFAY with a password of 'oracle_1' and retrieve all records from the SESSION_ROLES view. Then attempt to set the role to HR_EMP_MGR.

    Steps list

    Instructions

    1. Type INSERT INTO product_user_profile and press Enter

    2. Type VALUES ('SQL*Plus', 'PFAY', 'ROLES', NULL, NULL, 'HR_EMP_MGR', NULL, NULL) and press Enter

    3. Type COMMIT and press Enter

    4. Type CONNECT pfay and press Enter

    5. Type oracle_1 and press Enter

    6. Type SELECT * FROM session_roles and press Enter

    7. Type SET ROLE hr_emp_mgr and press Enter

    Task 5: Querying the PUP table

    You have ensured that PFAY cannot execute PL/SQL procedures and tested the settings in the PROD