♦Oracle 19c Network Security & Sniffing Test Scenario♦
Alireza Kamrani
07/26/2024
In this post I provide a sample for increasing network security between clients and the Oracle
server by setting parameters in the sqlnet.ora file to encrypt data in transit.
Finally, I use the Wireshark utility, which listens to the network, to see whether the data is
actually encrypted.
The examples use a 19c database running on Oracle VirtualBox or VMware Workstation.
The VirtualBox network adapter is set to Host-only.
Let’s start capturing the network in Wireshark, then connect to the database with SQL Developer
and run a query:
SQL>select name from v$database;
Name
------
Testdb
Let’s come back to the Wireshark program and examine the results.
As you can see in the picture, the query we ran was not encrypted on the network, so its text is
clearly visible in the capture.
This is not a safe situation at all.
Now let’s encrypt the traffic between the client and the server by changing the “sqlnet.ora”
parameters on the client side.
The client-side sqlnet.ora file should look like this,
The server-side file should look like this,
Let’s start monitoring the network with Wireshark again, connect with SQL Developer and run a query,
select name from v$database;
As shown in the picture, the query now appears encrypted. When we look at the traffic in
Wireshark as before, the text of the query executed on the client side is no longer readable.
After you close the connection, let’s search all .trc files on the client. The trace file created at the
time of the connection will tell us whether the connection is encrypted.
Look for the word “encryption” in these files.
This result indicates that the data is encrypted over the network with the AES128 algorithm and
data integrity is ensured by the SHA1 algorithm.
Here I present some information about encryption settings:
Configuring for Network Encryption
The configuration for Network Encryption is defined in the “sqlnet.ora” file on the client and server
side. Before configuring, Oracle Net must be installed on both the server and the client side.
Configuration can be done by editing the “sqlnet.ora” file with a text editor or with the
netmgr program.
Two separate parameters are used on the server side.
SQLNET.ENCRYPTION_SERVER = [accepted | rejected | requested | required ]
SQLNET.ENCRYPTION_TYPES_SERVER = (algorithm name)
The parameters used by the client side,
SQLNET.ENCRYPTION_CLIENT = [ accepted | rejected | requested | required ]
SQLNET.ENCRYPTION_TYPES_CLIENT = ( algorithm name )
The SQLNET.ENCRYPTION_SERVER and SQLNET.ENCRYPTION_CLIENT parameters determine
whether the connection between the client and the server is encrypted.
Each parameter can take the following values,
• REJECTED
• ACCEPTED
• REQUESTED
• REQUIRED
The default value is ACCEPTED.
REJECTED : This means that the client and server will never establish an encrypted connection.
ACCEPTED : It means that the client and the server can establish an encrypted connection if
there is a request to establish an encrypted connection.
REQUESTED : It means that the client and the server want to establish an encrypted connection.
REQUIRED : It means that the client or server is necessarily trying to establish an encrypted
connection. The client and server cannot establish a connection when a connection is requested
without password.
📍 Can we use multiple security algorithms?
In any network connection, both the client and server can support multiple encryption algorithms
and integrity algorithms.
When a connection is made, the server selects which algorithm to use, if any, from those
algorithms specified in the sqlnet.ora files. The server searches for a match between the
algorithms available on both the client and the server, and picks the first algorithm in its own list
that also appears in the client list. If one side of the connection does not specify an algorithm list,
all the algorithms installed on that side are acceptable.
The connection fails with error message ORA-12650 if either side specifies an algorithm that is not
installed.
Encryption and integrity parameters are defined by modifying a sqlnet.ora file on the clients and
the servers on the network.
You can choose to configure any or all of the available encryption algorithms, and either or both of
the available integrity algorithms.
Only one encryption algorithm and one integrity algorithm are used for each connect session.
Note: Oracle Database selects the first encryption algorithm and the first integrity algorithm
enabled on the client and the server. Oracle recommends that you select algorithms and key
lengths in the order in which you prefer negotiation, choosing the strongest key length first.
📍 Is client-side configuration mandatory?
Oracle Database servers and clients are set to ACCEPT encrypted connections out of the box.
This means that you can enable the desired encryption and integrity settings for a connection pair
by configuring just one side of the connection, server-side or client-side.
So, for example, if there are many Oracle clients connecting to an Oracle database, you can
configure the required encryption and integrity settings for all these connections by making the
appropriate sqlnet.ora changes at the server end.
You do not need to implement configuration changes for each client separately.
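The negotiation rules from the two sections above, as an added Python example (not code from the original post or from Oracle): it parses a server and a client sqlnet.ora and predicts whether the session ends up encrypted and with which algorithm. The sample files, the `INSTALLED` list and the function names are assumptions made for the illustration; the ON/OFF/FAIL outcomes follow the negotiation matrix in Oracle's network encryption documentation, which is more detailed than the four-value summary in the text.

```python
import re

LEVELS = ("REJECTED", "ACCEPTED", "REQUESTED", "REQUIRED")
# Assumption: algorithms treated as installed when a side lists none.
INSTALLED = ("AES256", "AES192", "AES128")

# Constructed sample files (not taken from the original post).
SERVER_ORA = """\
# server side: insist on encryption, strongest key length first
SQLNET.ENCRYPTION_SERVER = REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256, AES128)
"""
CLIENT_DEFAULT = ""  # untouched client: ACCEPTED, every installed algorithm
CLIENT_AES128 = "SQLNET.ENCRYPTION_TYPES_CLIENT = (AES128)\n"
CLIENT_REJECT = "sqlnet.encryption_client = rejected\n"

def parse_sqlnet(text, side):
    """Return (level, algorithms) for side 'SERVER' or 'CLIENT'."""
    level, algs = "ACCEPTED", list(INSTALLED)  # defaults when unset
    pattern = r"SQLNET\.ENCRYPTION_(TYPES_)?" + side + r"\s*=\s*(.+)$"
    for raw in text.splitlines():
        m = re.match(pattern, raw.split("#", 1)[0].strip(), re.I)
        if not m:
            continue
        value = m.group(2).strip().upper()
        if m.group(1):  # ..._TYPES_...: parenthesised, comma-separated list
            algs = [a.strip() for a in value.strip("()").split(",") if a.strip()]
        elif value in LEVELS:
            level = value
        else:
            raise ValueError("unknown encryption level: " + value)
    return level, algs

def negotiate(server, client):
    """Predict ('ON', algorithm), ('OFF', None) or ('FAIL', None)."""
    (s_level, s_algs), (c_level, c_algs) = server, client
    levels = {s_level, c_level}
    if "REJECTED" in levels:  # one side refuses encryption outright
        return ("FAIL", None) if "REQUIRED" in levels else ("OFF", None)
    if levels == {"ACCEPTED"}:  # nobody asked for encryption
        return ("OFF", None)
    # The server picks the first entry of its own list the client also has.
    alg = next((a for a in s_algs if a in c_algs), None)
    if alg:
        return ("ON", alg)
    return ("FAIL", None) if "REQUIRED" in levels else ("OFF", None)

def predict(server_text, client_text):
    return negotiate(parse_sqlnet(server_text, "SERVER"),
                     parse_sqlnet(client_text, "CLIENT"))

if __name__ == "__main__":
    for name, cfg in (("default", CLIENT_DEFAULT), ("reject", CLIENT_REJECT)):
        print(name, predict(SERVER_ORA, cfg))
```

With both files left at their defaults the prediction is OFF, which matches the unencrypted first capture: ACCEPTED on both sides means nobody asks for encryption.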
More info:
https://docs.oracle.com/en/database/oracle/oracle-database/19/dbseg/configuring-network-data-encryption-and-integrity.html
Best Regards,
Alireza Kamrani.
