8 Replies Latest reply: Aug 20, 2012 3:22 PM by 956095

    Security requirement for Oracle on AIX

    956095
      Hello experts,

      We are identifying options to enhance security for our infrastructure. We are currently using Oracle on AIX; the following are the version details.

      IBM AIX, 6.1
      Oracle Apps 11.5.10
      Database: 10.g

      The application is accessed only within the intranet and via VPN.

      Will there be a requirement for an antivirus? If yes, are there any recommended products?
      Will there be a requirement for a host intrusion detection system? If yes, are there any recommended products?

      Are there any other recommendations that you would like to advise?

      Thanks
        • 1. Re: Security requirement for Oracle on AIX
          929328
          Hello, 953092 ,
          The information security problem is very important when using an intranet, and even more when using VPS. Usually a VPS connection can give you good encryption, but when working with databases you can't totally rely on it.
          Let's answer your questions in parts:

          1) As for antivirus, I think you need it. You should use some products from Positive Technologies ( http://www.ptsecurity.com/ ). They have the MaxPatrol security complex and the SpiderGuard virus scanner. Choose what you want; they are both certified to work with Oracle.

          2) IDS is really useful and you may need it. As you are using IBM AIX, maybe you had better use Real Secure Server Sensor from IBM ( http://www-03.ibm.com/systems/power/software/aix/security/solutions/iss.html ) or just use the open source IDS SNORT ( http://www.snort.org/ ).

          If you have any questions, ask.
          Kirill Babeyev
          • 2. Re: Security requirement for Oracle on AIX
            956095
            Hello Kirill.Babeyev,

            Thank you very much for your reply.

            I currently have a difference of opinion with the Oracle admin team, as they feel that antivirus is not required for the AIX OS.

            1) Are there any other AV products that you can recommend for Oracle database and application servers running on AIX?
            2) I have read in certain forums that AV is not recommended for database servers as it will have performance implications. The AV application will try to do an "on access scan" for all items being fetched during database transactions. What is your opinion?
            3) What is the performance implication on the database if host intrusion prevention is running on the server?
            4) Could you provide a real-time example of the product name and version of AV and HIDS running on servers running Oracle on AIX?
            5) Could you provide some useful document links regarding information security in Oracle?

            Regards,
            • 3. Re: Security requirement for Oracle on AIX
              Srini Chavali-Oracle
              Antivirus is typically not required for Unix systems - they may interfere with how the database or the application operates.

              http://www-03.ibm.com/systems/power/software/aix/security/feature/antivirus.html

              HTH
              Srini
              • 4. Re: Security requirement for Oracle on AIX
                956095
                Hello Srini,

                What measures would you suggest to provide the necessary security controls for Oracle running on AIX?

                regards,
                • 5. Re: Security requirement for Oracle on AIX
                  Srini Chavali-Oracle
                  Depends on what your business/technical requirements are. Antivirus is typically not deployed in Unix.

                  HTH
                  Srini
                  • 6. Re: Security requirement for Oracle on AIX
                    929328
                    Hi, 953092,
                    Let's answer your questions in parts:
                    1) The AV products for AIX OS: http://www-03.ibm.com/systems/power/software/aix/security/feature/antivirus.html
                    http://www.symantec.com/region/jp/techsupp/enterprise/savf/30unix/aix.pdf
                    http://www.trendmicro.com/cloud-content/us/pdfs/business/ebooks/eb_real-time-publishers-esapt.pdf

                    Speaking about database AV, you should not run an anti-virus scanner on a database server. Virus scanners usually ruin the I/O of the server, because they access a file sequentially, but Oracle accesses files randomly.

                    2) Yes. You've read the right forums. See above.

                    3) They don't usually affect performance, but they have some disadvantages:
                    a) False Alarms
                    b) Limited ability to analyze the source information
                    c) Encrypted packets are not processed by the intrusion detection software
                    d) Provides information based on the network address that is associated with the IP packet that is sent into the network

                    4) We don't have any complex product with AV and HIDS but you can use different products together.
                    http://www-03.ibm.com/systems/power/software/aix/security/

                    5) See here:
                    http://www.oracle.com/us/products/database/056892.pdf
                    http://www.oracle.com/technetwork/topics/security/whatsnew/index.html
                    (Here are tons of security info from Oracle)

                    If you have any questions, ask.
                    Kirill Babeyev
                    • 7. Re: Security requirement for Oracle on AIX
                      956095
                      Hi Kirill Babeyev,

                      Thank you for the response.
                      1) I went through the 3 links you have provided. What I find is that they mention the AV requirement for specific usage of AIX (mail server / web server). The environment we are talking about is different from what these AV products are meant for. Correct me if I am wrong.
                      a. Could you give a real-time example (something that you had worked on, or heard to have been in place) of an AV product used on AIX servers used as Oracle DB and App servers?
                      b. Similarly, with regard to HIDS on AIX servers used as Oracle DB and App servers, could you give a real-time example (something that you had worked on, or heard to have been in place)?

                      4) & 5) These links are very helpful, I will go through all these.

                      Regards,
                      • 8. Re: Security requirement for Oracle on AIX
                        956095
                        Hello Srini,

                        Thank you for the response.
                        I will give a brief of the requirement. Let me know if you need more detail.
                        The Oracle servers running the database and application are hosted internally. They are accessed from within the corporate network and through VPN. They do not run any security software to protect themselves from threats arising from internal sources or from a compromised PC connected via VPN. Since these servers run business applications, they are of utmost importance and should be provided adequate security controls.
                        Following is the version information.
                        IBM AIX, 6.1
                        Oracle Apps 11.5.10
                        Database: 10.g

                        Regards,