1 2 Previous Next 19 Replies Latest reply: Jan 24, 2013 11:18 AM by jgarry RSS

    how to secure oracle database

    936666
      how to secure oracle database,
      I am having the oracle database which will be packed as package in a machine and will be delivered to client place , need to ensure that the client will not access the database by any means.

      Even he breaks the password (he should not break but despite client has broken the password) and went inside the database, he should not be able to see the databases Procedures ,views,functions and triggers.
      Can we Encrypt this,if so can client will be able to decrypt the same?

      Is there a way to secure the database from the client not to access the database.

      Thanks!
        • 1. Re: how to secure oracle database
          Niket Kumar
          If he is able to break password he can do anything....why do you want to give it to client if he will not use it... :-)
          • 2. Re: how to secure oracle database
            936666
            As i said earlier it is a package.The package consists of database and other codes installed in the system and given to client.
            • 3. Re: how to secure oracle database
              Niket Kumar
              oracle have a good password protection mechanism.... i have not heard anything like break password thing with oracle....so no need to worry....
              just check you have not hard coded the password in some code which can be track down by client....encrypt your code to make securities of passwords....
              • 4. Re: how to secure oracle database
                Girish Sharma
                Oracle provides high-end database security options like :

                Oracle Audit Vault and Database Firewall
                Oracle Advanced Security
                Oracle Database Vault
                Oracle Label Security
                Oracle Data Masking

                More details : http://www.oracle.com/us/products/database/security/overview/index.html

                Regards
                Girish Sharma
                • 5. Re: how to secure oracle database
                  Padma....
                  Procedures and functions can be encrypted by using a utility called wrap. And once done decrypting is not possible. So client would not be able to see the code of the same.

                  Either you can use wrap utility or a plsql package dbms_ddl.create_wrapped to wrap the code

                  regards,
                  Padma...
                  • 6. Re: how to secure oracle database
                    415289
                    Is there a way to secure the database from the client not to access the database.
                    use Oracle Advanced Security option
                    • 7. Re: how to secure oracle database
                      936666
                      So if that is the case how can i modify my procedure if there is any changes after the encryption.
                      There is no way to modify my stored procedure after encryption.

                      Thanks
                      • 8. Re: how to secure oracle database
                        Dave Rabone
                        You work with the plain text code in another database, create wrapped versions when ready, and install them on the target database.

                        However, wrap is reversible - just google pl/sql unwrap and see what you find. Version dependent of course.
                        • 9. Re: how to secure oracle database
                          936666
                          so how can i secure when there is an option to unwrap ,then there is no use in using the wrap right?
                          • 10. Re: how to secure oracle database
                            Girish Sharma
                            933663 wrote:
                            so how can i secure when there is an option to unwrap ,then there is no use in using the wrap right?
                            Yes, because when there is a lock there is a key, when there is wrap there is unwrap, when there is encrypt there is decrypt. We can not be rest assure for hack the code. I think you should think and explore above security options which are provided by Oracle itself which have lock and key by Oracle itself; which i have mentioned in my previous post.

                            You just think that if that is that much easy and cheap, then why Oracle have developed above options/features by expending many dollors..!!!

                            Regards
                            Girish Sharma
                            • 11. Re: how to secure oracle database
                              936666
                              Yes i too agree, but what is the guaranty that the database is secured.
                              If you use duplicate key to open than can i uninstall my database with no evidence of having it with log stored some where,but for this also how to ensure that the key supplied is a duplicate or not ??? :( :( :(
                              • 12. Re: how to secure oracle database
                                936666
                                If the user login as sqlplus / as sysdba then there is possible for him to change the existing password right?
                                so how to restrict the login under sqlplus / as sysdba.
                                Since under this login he can assign/modify the users and can easily access the data right how to stop loging as sqlplus / as sysdba
                                • 13. Re: how to secure oracle database
                                  Karan
                                  Modify the product_user_profile table as you want to restrict in sql*plus like you said, This way you can restrict for a user what you cant and can do something. If you want to stop sysdba from doing something, Please go for vault, it is best suited for these environments where you want to block sysdba as well.
                                  • 14. Re: how to secure oracle database
                                    Aman....
                                    Let me introduce a hard reality to you, there is nothing called secure. Anything and everything can be broken into if one knows how. So all you can do is to wrap your code, let it be shipped. If that's not what you want, you may want to put that logic in the application binaries and hope that the client won't break into them , which won't be an impossible thing too.

                                    Aman....
                                    1 2 Previous Next