Network security is improved by following client, listener, and network guidelines. Using SSL is an essential element in these lists, enabling strong security for authentication and communications.
These guidelines are as follows:
Securing the Client Connection
Securing the Network Connection
Securing a Secure Sockets Layer Connection
Securing the Client Connection:
1. Enforce access controls effectively and authenticate clients stringently.
2. Configure the connection to use encryption.
3. Set up strong authentication.
Securing the Network Connection:
1. Use Secure Sockets Layer (SSL) when administering the listener.
2. Monitor listener activity.
3. Prevent online administration by requiring the administrator to have the write privilege on the listener password and on the listener.ora file on the server.
4. Do not set the listener password.
5. When a host computer has multiple IP addresses associated with multiple network interface controller (NIC) cards, configure the listener to the specific IP address.
6. Restrict the privileges of the listener, so that it cannot read or write files in the database or the Oracle server address space.
7. Use encryption to secure the data in flight.
8. Use a firewall.
9. Prevent unauthorized administration of the Oracle listener.
10. Check network IP addresses.
11. Encrypt network traffic.
12. Secure the host operating system (the system on which Oracle Database is installed).
Securing a Secure Sockets Layer Connection:
1. Ensure that configuration files (for example, for clients and listeners) use the correct port for SSL, which is the port configured upon installation.
2. Ensure that TCPS is specified as the PROTOCOL in the ADDRESS parameter in the tnsnames.ora file (typically on the client or in the LDAP directory).
3. Ensure that the SSL mode is consistent for both ends of every communication. For example, the database (on one side) and the user or application (on the other) must have the same SSL mode.
4. Ensure that the server supports the client cipher suites and the certificate key algorithm in use.
5. Enable DN matching for both the server and client, to prevent the server from falsifying its identity to the client during connections.
6. Do not remove the encryption from your RSA private key inside your server.key file. Keeping the key encrypted means that you must enter your pass phrase to read and parse this file.
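
A small audit for items 2 and 5 of the SSL list, added here as an example and not taken from the original page or from Oracle: it flags net service names in tnsnames.ora that do not use PROTOCOL=TCPS and checks sqlnet.ora for the SSL_SERVER_DN_MATCH parameter. The sample file contents, host names, port 2484, the DN and the function names are constructed for illustration.

```python
import re

# Constructed sample files; hosts, service name, port 2484 and the DN are placeholders.
TNSNAMES = """
SALES_TCP =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = db1.example.com)(PORT = 1521))
    (CONNECT_DATA = (SERVICE_NAME = sales)))

SALES_TLS =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCPS)(HOST = db1.example.com)(PORT = 2484))
    (CONNECT_DATA = (SERVICE_NAME = sales))
    (SECURITY = (SSL_SERVER_CERT_DN = "CN=db1.example.com,O=Example,C=US")))
"""
SQLNET_WEAK = "SSL_CLIENT_AUTHENTICATION = FALSE\n"
SQLNET_OK = "SSL_SERVER_DN_MATCH = ON\nSSL_CLIENT_AUTHENTICATION = FALSE\n"

NOT_TCPS = "ADDRESS does not use PROTOCOL=TCPS"
NO_CERT_DN = "no SSL_SERVER_CERT_DN set, expected server DN is not pinned"
NO_DN_MATCH = "SSL_SERVER_DN_MATCH is not enabled"


def split_aliases(text):
    """Map each net service name (unindented 'NAME =') to its descriptor text."""
    parts = re.split(r"(?m)^([A-Za-z][\w.]*)\s*=", text)
    return {parts[i].upper(): parts[i + 1] for i in range(1, len(parts) - 1, 2)}


def audit(tnsnames, sqlnet):
    """Return (location, finding) pairs for items 2 and 5 of the SSL checklist."""
    findings = []
    if not re.search(r"(?im)^\s*SSL_SERVER_DN_MATCH\s*=\s*(ON|YES|TRUE)\s*$", sqlnet):
        findings.append(("sqlnet.ora", NO_DN_MATCH))
    for alias, desc in split_aliases(tnsnames).items():
        protocols = re.findall(r"(?i)\(\s*PROTOCOL\s*=\s*(\w+)\s*\)", desc)
        if any(p.upper() != "TCPS" for p in protocols):
            findings.append((alias, NOT_TCPS))
        elif not re.search(r"(?i)SSL_SERVER_CERT_DN\s*=", desc):
            findings.append((alias, NO_CERT_DN))
    return findings


if __name__ == "__main__":
    for where, what in audit(TNSNAMES, SQLNET_WEAK):
        print(f"{where}: {what}")
```

The parser assumes each net service name starts in the first column of its line, so indented or LDAP-stored descriptors need their own handling.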