Why are we concerned about a "sniffer" behind the firewall?
By Greg Kelly on Sep 28, 2009
Historically we had the view that properly configured firewalls and proxies would protect against intrusion. As direct attacks became more prevalent, technologies like Intrusion Protection Systems and Intrusion Detection Systems were introduced. However, as more and more "threat unaware" users are provided with access internally, the perimeter is disappearing. People take their work laptops home or on engagements and, without other controls, there is no limit on the sites they can access outside the corporate domain. In many cases people inside the domain have access to the Internet to "help" them work more efficiently. People are also using multiple email services. Consider that after nearly 20 years of media coverage, people are still being caught by 419 (advance fee fraud) scams. In the corporate environment, even with constant internal notification, users will click on links they shouldn't, or visit those too-good-to-be-true malware sites, for example, "Turn your CD drive into a DVD burner and copy DVDs with this free software!" People have also learned to click the "Accept" or "OK" button on security or certificate notices without understanding the impact, other than that they can keep going.
What is happening is that the owner of the malware site uploads the code after the browser user clicks "OK". This code can be a binary that runs as a service or every time the workstation is started, or a Browser Helper Object (BHO) that runs in every browser session. Once the code is running, it calls out to the malware site owner's site on a "safe" port like 80, which is generally open outbound on most protected sites. This connection to port 80 opens a session through which the malware site owner can control the target system inside the firewall, and so the malware site owner can, either automatically or manually, upload additional code without the browser user being aware. The malware site owner also has the capability to scan the rest of the systems inside the firewall for other unprotected or susceptible systems.
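The call-home channel described above is what a defender can look for in proxy or firewall logs: a workstation contacting the same external host over port 80 at near-constant intervals with near-constant request sizes, unlike a person browsing. The Python below is an added illustration, not code from the original post; the log format, host names and timestamps are constructed for the example.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed proxy log (not from the post): epoch seconds, source host, destination host, port, bytes.
# ws-17 -> updates.example.com is a scripted call-home every 300 s; ws-17 -> www.example.org is a person browsing.
SAMPLE_LOG = """\
1254096000 ws-17 updates.example.com 80 1240
1254096300 ws-17 updates.example.com 80 1238
1254096600 ws-17 updates.example.com 80 1241
1254096900 ws-17 updates.example.com 80 1239
1254097200 ws-17 updates.example.com 80 1240
1254096010 ws-17 www.example.org 80 48213
1254096045 ws-17 www.example.org 80 9120
1254096900 ws-17 www.example.org 80 22011
1254097150 ws-17 www.example.org 80 3187
1254096100 ws-22 cdn.example.net 443 501222
"""
LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)$")

def parse(log):
    """Group log lines into flows keyed by (src, dst, port); each value is a list of (timestamp, bytes)."""
    flows = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        ts, src, dst, port, size = m.groups()
        flows[(src, dst, int(port))].append((int(ts), int(size)))
    return flows

def beacon_score(events):
    """Coefficient of variation of the inter-connection gaps and of the sizes; None if too few events."""
    if len(events) < 4:
        return None
    events = sorted(events)
    gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
    sizes = [size for _, size in events]
    if mean(gaps) == 0 or mean(sizes) == 0:
        return None  # duplicate timestamps or empty requests: nothing to measure
    return pstdev(gaps) / mean(gaps), pstdev(sizes) / mean(sizes)

def find_beacons(log, max_cv=0.1, ports=(80, 443)):
    """Flows on the 'safe' outbound ports whose timing and size are both suspiciously regular."""
    hits = []
    for (src, dst, port), events in parse(log).items():
        if port not in ports:
            continue
        score = beacon_score(events)
        if score and score[0] <= max_cv and score[1] <= max_cv:
            hits.append((src, dst, port))
    return sorted(hits)
```

A low coefficient of variation on both axes is only a lead, not proof: legitimate update checks also beacon, so the flagged destination still has to be reviewed against known-good hosts.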
This view of security compromise is known as de-perimeterization. The Jericho Forum from the Open Group has created awareness around this: http://www.opengroup.org/jericho/deperim.htm
"... today's traditional approaches to securing a network boundary are at best flawed, and at worst ineffective"
This is a recent blog entry I posted - http://blogs.oracle.com/peopletools/2009/02/the_insidious_threat_the_hacke.html
Note: I do not have the link to the "Turn your CD drive into a DVD burner and copy DVDs with this free software!" site!
PeopleSoft Enterprise supports Oracle 9i [and above] Advanced Security Option
"... PeopleSoft is pleased to announce that PeopleSoft Enterprise now supports Oracle 9i Advanced Security Option (ASO). We have had numerous requests from customers for this support and have recently completed the testing necessary for us to certify the use of ASO with Enterprise applications. Customers interested in using ASO can do so with any version of PeopleTools that supports Oracle 9i (PT 8.1x, PT 8.2x, and PT 8.4x)."
Oracle Database Security Checklist
Project Lockdown - A phased approach to securing your database infrastructure
Oracle Adaptive Access Manager