Hello! This is Dennis MacNeil. After 10 years working with Java technology and developers, I've changed my focus to databases and security. Today, I am a product marketing director for database security products, including Oracle Advanced Security, Oracle Database Vault and the upcoming Oracle Audit Vault. For my first blog entry about database security, I'd like to tell you about some of the security enhancements currently included with the Oracle 11g beta default configuration.
An important aspect of Oracle Software Security Assurance is the Secure Configuration Initiative. Originally called "security by default", this initiative has been ongoing since Oracle8i to make it easier for customers to install and configure the Oracle database with an enhanced security posture. Enhancements over the years have included locking and expiring of default accounts on install, optional installation of the sample schemas, and changes to the default role connect.
As Chad Hughes explained in his recent blog entry, Oracle's configuration hardening initiative is designed to enable more secure deployment of Oracle products by non-security experts while maintaining backward compatibility and support for other Oracle and third-party applications. Oracle 11g, currently released in beta form, is planned to incorporate a number of secure configuration enhancements. With Oracle 11g beta, Oracle plans to introduce the option for customers to choose between a 10g-like configuration (if they are concerned with backward compatibility) and a security-enhanced configuration. The enhancements in the secure configuration provided by Oracle 11g beta are planned to fall into three categories:
1) New default audit settings
2) New password management mechanisms
3) New access control capabilities
As opposed to previous releases of the Oracle database where general database auditing was "off" by default, logging is intended to be enabled by default with the Oracle Database 11g beta secure configuration. Notable performance improvements are planned to be introduced to reduce the performance degradation typically associated with auditing.
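Whichever configuration is chosen at install time, a DBA will want to confirm what is actually being audited rather than assume it. The following is an added example (not code from the original post or from Oracle's documentation) showing how to inspect the audit setting, turn on logon auditing if it is off, and review failed logons from the audit trail. The view and column names are the standard Oracle data dictionary views; the `BATCH_APP` user name is a constructed placeholder.

```sql
-- Is the audit trail written at all? (NONE means statement auditing is off)
SELECT name, value
  FROM v$parameter
 WHERE name = 'audit_trail';

-- Which statement-level audit options are currently in effect, and for whom?
SELECT user_name, audit_option, success, failure
  FROM dba_stmt_audit_opts
 ORDER BY audit_option, user_name;

-- Audit every logon attempt, successful or not, one record per attempt.
-- If audit_trail is NONE this must be changed (and the instance restarted)
-- before any records appear.
AUDIT CREATE SESSION BY ACCESS;

-- Detection query: failed logons in the last day. RETURNCODE 1017 is
-- ORA-01017 (invalid username/password) and 28000 is ORA-28000 (account
-- locked); a burst of either from one host is the pattern to alert on.
SELECT username, userhost, os_username, timestamp, returncode
  FROM dba_audit_session
 WHERE returncode <> 0
   AND timestamp > SYSDATE - 1
 ORDER BY timestamp DESC;

-- Same data aggregated, which is the shape a monitoring job would consume.
-- Constructed example: BATCH_APP is a placeholder application schema name.
SELECT username, userhost, COUNT(*) AS failures
  FROM dba_audit_session
 WHERE returncode <> 0
   AND timestamp > SYSDATE - 1
 GROUP BY username, userhost
HAVING COUNT(*) >= 5
 ORDER BY failures DESC;
```

Because the audit trail lives in the `SYS.AUD$` table by default, the queries above should be run by an account with `SELECT ANY DICTIONARY` or the `AUDIT_VIEWER`-style role the organization uses, and the table itself should be purged on a schedule so that auditing does not fill the SYSTEM tablespace.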
With Oracle 11g beta, passwords are expected to also become case sensitive. This and other changes should result in better protection against brute force attacks and password guessing scenarios. For example, in addition to limiting the number of failed login attempts to 10 (default configuration in 10gR2), Oracle 11g beta's planned default settings should expire passwords every 180 days, and limit to seven the number of times a user can login with an expired password before disabling access.
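The limits described above are expressed in Oracle through a password profile attached to each user. The following is an added example (not code from the original post) of a profile carrying those values, plus the checks a DBA would run to see which users are covered. Note that the profile syntax expresses the grace period after expiry (`PASSWORD_GRACE_TIME`) in days, and the lock duration (`PASSWORD_LOCK_TIME`) in days as well; `SECURE_DEFAULT` and `BATCH_APP` are constructed names, and the `sec_case_sensitive_logon` parameter is assumed from the 11g release rather than taken from the post.

```sql
-- Profile implementing the limits discussed above (constructed name).
CREATE PROFILE secure_default LIMIT
  FAILED_LOGIN_ATTEMPTS 10          -- lock the account after 10 consecutive failures
  PASSWORD_LOCK_TIME    1           -- keep it locked for 1 day (DBA can unlock sooner)
  PASSWORD_LIFE_TIME    180         -- password expires 180 days after it was set
  PASSWORD_GRACE_TIME   7           -- 7-day grace window after expiry, then logons are refused
  PASSWORD_REUSE_MAX    10          -- the last 10 passwords may not be reused ...
  PASSWORD_REUSE_TIME   365;        -- ... and none may be reused within a year

-- Attach the profile to an application schema (constructed name).
ALTER USER batch_app PROFILE secure_default;

-- Case-sensitive password checking (assumed 11g parameter, not from the post).
ALTER SYSTEM SET sec_case_sensitive_logon = TRUE;

-- Check: which users are still on the DEFAULT profile, and is DEFAULT itself
-- still UNLIMITED for the limits that matter?
SELECT username, profile, account_status, expiry_date
  FROM dba_users
 WHERE profile = 'DEFAULT'
 ORDER BY username;

SELECT profile, resource_name, limit
  FROM dba_profiles
 WHERE resource_type = 'PASSWORD'
   AND resource_name IN ('FAILED_LOGIN_ATTEMPTS', 'PASSWORD_LIFE_TIME',
                         'PASSWORD_GRACE_TIME', 'PASSWORD_LOCK_TIME')
 ORDER BY profile, resource_name;

-- Check: accounts already locked or in their grace period, which is what a
-- helpdesk or monitoring job looks at after the new limits take effect.
SELECT username, account_status, lock_date, expiry_date
  FROM dba_users
 WHERE account_status <> 'OPEN'
 ORDER BY account_status, username;
```

One operational point: service accounts used by connection pools are the users most likely to break when `PASSWORD_LIFE_TIME` changes from `UNLIMITED`, so their owners should be told the expiry date (visible in `DBA_USERS.EXPIRY_DATE`) before the profile is applied rather than after the pool fails at 3 a.m.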
Oracle 11g beta default configuration is planned to also introduce improved security for several utl* packages, such as UTL_TCP, UTL_SMTP, UTL_MAIL, UTL_HTTP, etc. These packages no longer allow default access to ports. Note that SYS and XDB schemas specifically remain excluded from this kind of restriction. As a result of this change, database administrators are expected to be able to specify what network services (network hosts and ports) database users are allowed to access when using the packages.
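In the 11g release this host-and-port control is expressed as a network access control list managed through the `DBMS_NETWORK_ACL_ADMIN` package; the post does not name the package, so the following is an added example (not code from the original post) that assumes that API. It grants one application schema the ability to resolve and connect to a single SMTP relay on port 25 and nothing else, then shows the dictionary views used to verify the result. `mail_server.xml`, `BATCH_APP` and `smtp.example.internal` are constructed placeholders.

```sql
BEGIN
  -- Create the ACL and give BATCH_APP the 'connect' privilege (needed for
  -- UTL_TCP, UTL_SMTP, UTL_MAIL and UTL_HTTP to open a socket).
  DBMS_NETWORK_ACL_ADMIN.CREATE_ACL(
    acl         => 'mail_server.xml',                 -- constructed ACL name
    description => 'BATCH_APP may reach the internal SMTP relay only',
    principal   => 'BATCH_APP',                       -- constructed schema name
    is_grant    => TRUE,
    privilege   => 'connect');

  -- 'resolve' is needed separately if the package resolves the host name
  -- (UTL_INADDR and hostname-based connects); grant it explicitly.
  DBMS_NETWORK_ACL_ADMIN.ADD_PRIVILEGE(
    acl       => 'mail_server.xml',
    principal => 'BATCH_APP',
    is_grant  => TRUE,
    privilege => 'resolve');

  -- Bind the ACL to exactly one host and one port. Omitting the ports would
  -- allow every port on that host; using '*' as the host would allow every host,
  -- which is the 10g behaviour this feature exists to remove.
  DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL(
    acl        => 'mail_server.xml',
    host       => 'smtp.example.internal',            -- constructed host name
    lower_port => 25,
    upper_port => 25);

  COMMIT;
END;
/

-- Verify: which hosts/ports are reachable at all, and under which ACL?
SELECT host, lower_port, upper_port, acl
  FROM dba_network_acls
 ORDER BY host, lower_port;

-- Verify: who holds which privilege on each ACL. Anything granted to PUBLIC
-- or assigned to host '*' deserves a second look.
SELECT acl, principal, privilege, is_grant
  FROM dba_network_acl_privileges
 ORDER BY acl, principal;
```

A user who calls one of the UTL_* packages against a host and port not covered by an ACL receives ORA-24247 (network access denied by access control list), so that error appearing in application logs after an upgrade is the expected symptom of a missing grant rather than a network fault.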
As previously indicated, customers who may be concerned about implementing the enhanced default configuration of 11g beta should be able to choose a 10gR2-like configuration during the initial setup, in order to test backward compatibility with other applications and validate compliance with their existing security policies.
Though more secure configurations by default can help organizations enhance their security posture, they do not replace sound security practices throughout the IT infrastructure. Additional security activities such as periodic security audits, ongoing monitoring of network transactions, and timely application of the Critical Patch Updates are critical requirements to minimize risk. To help customers meet these objectives, the Resource Library located on the Oracle Software Security Assurance site provides links to numerous technical security resources such as the database security checklist.
There are a lot of other really interesting security related features expected to be included in Oracle 11g; I'll tell you more about them in future blog entries.
"The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decision. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle."