• January 9, 2015

Descriptive vs. Non-descriptive Naming

Guest Author

I was working on something today and started to muse on names. By names, I mean things like host names, service names, database names, PDB names, listener names and so on. 

I started to mull over the question of the use of descriptive vs. non-descriptive naming and how this relates to security and vulnerability of Enterprise systems. 

A lot of environments that I've been in name their database instance with fairly descriptive names. For example prod, prd, prdactg and so on. The point is that the name makes it fairly clear that this is a production database. Similarly you see derivatives of test, dev (development) and so on.

Likewise, I've seen server hostnames that often give away their purpose. Again, they contain naming that indicates the server houses production databases or test databases and so on. I see a lot of RAC servers that are named this way. Maybe racprod01, racprod02 and so on. 

Even if the name does not directly indicate the purpose of the server or database, it may be that the pattern you use can help identify a set of production databases. For example, it might be that your naming standard is that all production databases will start with DB8 followed by some two digit number that distinguishes each server - ie: DB801, DB802 and so on. A good hacker will pick up on the pattern of you sequence order and figure out which sequences represent which kind of databases.

I think some name services the way they do, so that the service name will be easy to remember. I mean, it's hard to forget the host name prodlinux01 for a server or prod01 for a database, yet, it provides a set of clues for the hacker as to where the good stuff is.

In my mind, I think that all naming of hosts and databases should be non-descriptive. It should not follow any pattern that might indicate the use of that service. Even using easy to remember alias names which are resolved at the DNS or by the SCAN listener can give information away. If, for example, I provide a DNS address called prod01, which resolves to some nondescript system called host5a4 - I could use ping to easily ping the service name, and see what IP it resolves too. Thus, even an alias that does not directly connect to a service, can still provide a risk.

So, you might ask, what kind of standard should we use? I'll throw out a suggestion and we can see how it sets with you. I suggest that a randomized set of characters be used to produce a unique host name for each host. I suggest the same for each database. I would make these names at least 8 characters in length (Oracle recommends that you make the SID of a database no longer than 8 characters in length). 

While such a standard might make identifying a SID a bit more difficult, I suspect it might make a database more secure. Perhaps, in some environments the security concerns are not such that random naming is important. Given the number of breaches that we have seen in the past years, I suggest that some enterprises underestimate the importance of security. Even seemingly simple things can lead to your downfall.

Be the first to comment

Comments ( 0 )
Please enter your name.Please provide a valid email address.Please enter a comment.CAPTCHA challenge response provided was incorrect. Please try again.