Friday, 2 March 2012

Enabling REMOTE_OS_AUTHENT and Security Risks in Oracle

One available approach is to create the account as “identified externally” and set the parameter-file parameter REMOTE_OS_AUTHENT to true. This approach enables an account that has been created with the same name as the client account to connect to the database via SQL*Net without a password. Let’s say the account on a computer is identified with the name James, and an account is created in the PROD database for “james identified externally”. James can now select SQL*Plus from his PC's Start/Programs menu and, at the username prompt, type and execute /@prod to connect to the SQL command-line utility without giving a password. If James is logged on directly to the operating system on which PROD is running, he can still just type sqlplus / to access the database.

In the scenario above, the security danger is that James walks away from his PC without locking his terminal. Anyone would then be able to access the database without knowing James’s username and password, and would have James’s privileges on the system.

The second security risk is that you trust a remote operating system over which you may have no control. All somebody needs to do is determine an Oracle user in your database who has the desired role (including DBA) and whose account has been IDENTIFIED EXTERNALLY. Then the person creates an operating system account with the same username as the privileged database account, executes SQL*Plus, and connects. That person is in your database with the highest possible privileges, and there is nothing you can do except set REMOTE_OS_AUTHENT=false.

These two security risks are the biggest headache in Oracle services and database administration. We cannot eliminate these risk factors if we enable the REMOTE_OS_AUTHENT parameter and create operating-system-authenticated user logins in the Oracle database without understanding the consequences. If this setting must be enabled, then during remote DBA services it should be monitored regularly and audited.
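
An audit of the exposure described above, as an added example that is not part of the original post. It assumes Oracle 11g or later (for the AUTHENTICATION_TYPE column of DBA_USERS), a session that can read the DBA views, an instance started from an spfile, and session auditing written to the database audit trail.

```sql
-- Added example: audit exposure to REMOTE_OS_AUTHENT.
-- Assumptions: Oracle 11g+, DBA views readable, spfile in use.

-- 1. Current setting, and the prefix that maps an OS user name
--    to a database account name.
SELECT name, value, isdefault
FROM   v$parameter
WHERE  name IN ('remote_os_authent', 'os_authent_prefix');

-- 2. Every externally identified account with the roles it holds.
--    Rows with GRANTED_ROLE = 'DBA' are the accounts the second
--    risk in the post refers to, so they are listed first.
SELECT u.username, u.account_status, r.granted_role
FROM   dba_users u
LEFT JOIN dba_role_privs r ON r.grantee = u.username
WHERE  u.authentication_type = 'EXTERNAL'
ORDER  BY CASE WHEN r.granted_role = 'DBA' THEN 0 ELSE 1 END,
          u.username;

-- 3. Where those accounts have been logging on from.
--    Requires AUDIT SESSION with audit_trail = DB.
--    An unexpected USERHOST for an external account needs review.
SELECT a.username, a.os_username, a.userhost,
       COUNT(*)         AS logons,
       MAX(a.timestamp) AS last_logon
FROM   dba_audit_session a
JOIN   dba_users u ON u.username = a.username
WHERE  u.authentication_type = 'EXTERNAL'
AND    a.action_name = 'LOGON'
AND    a.returncode = 0
GROUP  BY a.username, a.os_username, a.userhost
ORDER  BY last_logon DESC;

-- 4. The mitigation named in the post. The parameter is static,
--    so the change is written to the spfile and takes effect at
--    the next instance restart.
ALTER SYSTEM SET remote_os_authent = FALSE SCOPE = SPFILE;
```

Local accounts identified externally keep working after step 4 for users logged on to the database server itself; only connections arriving over SQL*Net stop being trusted.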


Wednesday, 8 February 2012

Oracle Advanced Security - What is Kerberos Protocol

What is Kerberos?



Kerberos is named after the three-headed dog Cerberus, who guards the gates of the underworld in Greek mythology.

It is a network security system developed as part of Project Athena at MIT. Kerberos is used to authenticate a user who is asking to use a particular network service.

Kerberos can be used to control the initial connection to a server or can be used to authenticate every single request and message passed between the client and the server. It grants tickets to a client to allow the use of a specific service and is secure even on a non-secure network.

Kerberos takes the following precautions:
  • Passwords are never sent unencrypted over the network. This means that network snoopers cannot easily capture passwords.
  • All Kerberos messages are timestamped so that they cannot be captured and replayed later; Kerberos does not accept old messages.

When you request access to a service (to access a file server, for example), Kerberos gives you a ticket, which is valid for access to the file server but not valid for any other service. When you try to connect to the database server, you send your ticket with the request. Once the database server knows who you are, the server decides whether to grant you access. Tickets also expire, and if your session lasts longer than the predefined time limit, you will have to re-authenticate yourself to Kerberos to get a new ticket.

The Kerberos protocol uses strong cryptography so that a client can prove its identity to a server (and vice versa) across an insecure network connection. After a client and server have used Kerberos to prove their identities, they can also encrypt all of their communications to assure privacy and data integrity as they go about their business.

Kerberos is a strong authentication method for deploying a high level of security for an Oracle database. Of course, relying on a single security measure on the database server is not sufficient. Database DBAs always recommend advanced security for the Oracle database server. Data security is a major goal for every company, and maintaining a high level of data security is an important achievement for every Oracle specialist who provides database support, whether remotely or onsite.