Oracle Database



relock the sample schema accounts. See Oracle Database Sample Schemas for more information about the sample schemas.

3. During installation, when you are prompted for a password, create a secure password. Follow Guidelines 1, 2, and 3 in "Guidelines for Securing Passwords" on page 10-6.

4. Immediately after installation, lock and expire default user accounts. See Guideline 2 in "Guidelines for Securing User Accounts and Privileges" on page 10-2.

Guidelines for Securing the Network

Security for network communications is improved by using client, listener, and network guidelines to ensure thorough protection. Using SSL is an essential element in these lists, enabling top security for authentication and communications. These guidelines are as follows:

■ Securing the Client Connection
■ Securing the Network Connection
■ Securing a Secure Sockets Layer Connection

Securing the Client Connection

Because authenticating client computers is problematic over the Internet, typically, user authentication is performed instead. This approach avoids client system issues that include falsified IP addresses, hacked operating systems or applications, and falsified or stolen client system identities. Nevertheless, the following guidelines improve the security of client connections:

1. Enforce access controls effectively and authenticate clients stringently. By default, Oracle allows operating system-authenticated logins only over secure connections, which precludes using Oracle Net and a shared server configuration. This default restriction prevents a remote user from impersonating another operating system user over a network connection. Setting the initialization parameter REMOTE_OS_AUTHENT to TRUE forces the database to accept the client operating system user name received over an unsecure connection and use it for account access. Because clients, such as PCs, are not trusted to perform operating system authentication properly, it is poor security practice to use this feature. The default setting, REMOTE_OS_AUTHENT = FALSE, creates a more secure configuration that enforces proper, server-based authentication of clients connecting to an Oracle database. You should not alter the default setting of the REMOTE_OS_AUTHENT initialization parameter, which is FALSE. Setting this parameter to FALSE does not mean that users cannot connect remotely. It means that the database will not trust that the client has already authenticated, and will therefore apply its standard authentication processes.

2. Configure the connection to use Secure Sockets Layer (SSL).
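An added configuration check for the REMOTE_OS_AUTHENT setting discussed in Guideline 1 (example code, not part of the Oracle guide): it parses a constructed init.ora-style parameter file, applies the documented default of FALSE when the parameter is absent, and flags a file that sets it to TRUE. The pfile contents below are constructed samples, not taken from a real system.

```python
"""Audit an Oracle init.ora / pfile for REMOTE_OS_AUTHENT (added example, not Oracle's own tooling).

The guide's point: the secure default is FALSE, and a pfile that sets it to TRUE
tells the database to trust an OS user name received over an unsecured connection.
"""
import re

PARAM = "remote_os_authent"
SECURE_DEFAULT = "FALSE"   # Oracle's documented default

# init.ora syntax: NAME = VALUE, optional quotes, '#' comments, case-insensitive names.
_LINE = re.compile(r"^\s*(?P<name>[A-Za-z_][A-Za-z0-9_.$]*)\s*=\s*(?P<value>.*?)\s*$")


def parse_pfile(text):
    """Return {lowercase name: value} for every parameter in a pfile; the last setting wins."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments and blank lines
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            continue                          # not a NAME = VALUE line; ignore
        value = m.group("value").strip().strip("'\"")
        params[m.group("name").lower()] = value
    return params


def audit_remote_os_authent(text):
    """Report the effective REMOTE_OS_AUTHENT value and a finding if it weakens authentication."""
    explicit = parse_pfile(text).get(PARAM)
    effective = (explicit or SECURE_DEFAULT).upper()   # absent or empty -> Oracle default
    finding = None
    if effective != SECURE_DEFAULT:
        finding = ("REMOTE_OS_AUTHENT=%s: the database will accept the client-supplied "
                   "OS user name over an unsecured connection; reset it to FALSE." % effective)
    return {"explicit": explicit, "effective": effective, "finding": finding}


# Constructed sample pfiles (not from a real system).
WEAK_PFILE = """
db_name = 'ORCL'        # constructed sample
REMOTE_OS_AUTHENT = TRUE
"""
DEFAULT_PFILE = """
db_name = 'ORCL'
# remote_os_authent not set: Oracle's default FALSE applies
"""

if __name__ == "__main__":
    for label, pfile in (("weak", WEAK_PFILE), ("default", DEFAULT_PFILE)):
        print(label, audit_remote_os_authent(pfile))
```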

10-10 Oracle Database Security Guide
