We have a very highly confidential environment.
The "BA" (does this stand for business audit?) auditor runs a tool that will display security vulnerabilities in our systems.
One of the listed outputs is "http". The auditor suggested disabling or disallowing http services as this is hackable? Is this true?
If http is not allowed, what will happen to our dbconsole (EM), database vault, and our ASO-TDE (advanced security option: transparent data encryption)?
Are there ways to manage or run them in CLI? Can you share your security implementation about these tools?
Thanks a lot,
So... what is EM made for then?
By the way, I am also asking if EM is mandatory for configuring and managing Database Vault and ASO-TDE.
EM is meant for making things simple and since it's a GUI, things are very simple when done through it. But other than that, I believe using EM is also helpful when you are managing a large data center and you can't afford to hop from one terminal window to another. Though EM is not mandatory, having it won't hurt, provided you are not just doing a button click but are also aware of what is going on behind the scenes.
HTTPS means that the data that is sent is encrypted. However, it is pretty unlikely that the auditor is concerned about someone sniffing the HTTP traffic from Enterprise Manager. It is much more likely that the auditor is concerned with the attack surface of the machine. Any service is potentially vulnerable to attack so keeping the number of services running on a machine to a minimum means that there are fewer services that an attacker can compromise. Whether it is serving HTTP or HTTPS, a web server will be potentially vulnerable to attack and will be one more component that needs to be patched and managed from a security perspective.
You are confusing the service with the wire protocol. Sybrand's comments are valid.
A properly implemented HTTPS is secure. This means communication between client and server, over HTTPS, is secure.
However, a client and a server are the parties using HTTPS. And the server, and/or client, can be insecure.
For example, the server uses client authentication (via the client's certificate). The client is insecure and a bad hacker stole the client's wallet with the certificate. The bad hacker can now pretend to be the client - and the server will not know the difference, as the bad hacker provides valid client certificates for communication, and can encrypt and decrypt communication with the server.
HTTPS is always preferable over HTTP. (Even google.com now defaults to HTTPS.)
For production or operational-management communication, HTTPS should be mandatory.
So even if OEM is used internally, if it is used for managing production operations, it should be HTTPS. (your organisation has already been penetrated and your LAN traffic is already compromised - ask the USA, ask the Chinese...)
So when the audit scanning tool saw the http server being up... and "flagged" it as vulnerable, it saw the http and not https? Had we used https, then the auditor's scanning tool would not have flagged it?
So I can recommend not to shut down the http server but to use https instead?
My assumption is yes on both questions - that HTTP is flagged as a potential vulnerability, and HTTPS not.
And no, it is not a "simple" matter of enabling HTTPS. HTTPS uses certificates to authenticate the party talking via HTTPS. A certificate request for this party needs to be generated. The request is given to a Root Authority to sign. The signed certificate is imported. And the trusted certificate for that signed certificate then needs to be exported and given to the other party to import as a trusted certificate (including the root authority's trusted certificate chain).
It is not a trivial configuration change of disabling one service/protocol and enabling another.
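The enrolment steps listed above (generate a request, have a root authority sign it, import the signed certificate, hand the authority's trusted certificate to the other party), carried out with openssl in a scratch directory as an added example. This is not code from the thread or from Oracle; the CA name, the host name and the file names are assumptions, and a private root authority stands in for whichever CA actually signs requests in your environment. The last step shows why the other party must hold the right trusted certificate: the same server certificate verifies against the CA that signed it and fails against an unrelated one.

```shell
#!/bin/sh
# Added example, not from the original thread. Walks the certificate
# enrolment that HTTPS needs, using openssl only. All names are assumed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# 1. A private root authority (assumed name "example-ca"). In a real
#    deployment this is the CA your organisation trusts, not something
#    the server operator creates.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -subj "/CN=example-ca" -keyout ca.key -out ca.crt 2>/dev/null

# 2. The party that will serve HTTPS (assumed host name) generates its
#    own private key and a certificate signing request. The key never
#    leaves this host; only the CSR is sent to the authority.
openssl req -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=oem-host.example.internal" \
  -keyout server.key -out server.csr 2>/dev/null

# 3. The authority signs the request. The signed certificate is returned
#    to the server and imported there (into its wallet / keystore).
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key \
  -CAcreateserial -days 365 -sha256 -out server.crt 2>/dev/null

# 4. An unrelated authority, used only to show that trust is specific:
#    a client that imported the wrong trusted certificate gains nothing.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -subj "/CN=unrelated-ca" -keyout other.key -out other.crt 2>/dev/null

# What the other party does after importing a trusted certificate:
# check the chain of the certificate the server presents against it.
# Returns 0 when the chain verifies, non-zero otherwise.
verify_against_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Print the subject and issuer so the relationship is visible.
cert_issuer() {
  openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//'
}

if verify_against_ca ca.crt server.crt; then
  echo "server.crt verifies against the signing CA ($(cert_issuer server.crt))"
fi
if ! verify_against_ca other.crt server.crt; then
  echo "server.crt does NOT verify against an unrelated CA"
fi
```

Run it in a directory you can discard (or set WORK). Step 4 is the part that makes the configuration non-trivial in practice: every client that must talk HTTPS to the server has to import ca.crt (and any intermediates) as trusted, and the server has to import the signed certificate together with its chain. For client-certificate authentication the same steps run in the other direction as well, which is why a stolen client wallet matters as much as a stolen server key.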