Security of data pulled thru TNS and database links


Question and Answer

Tom Kyte

Thanks for the question, Duke.

Asked: October 19, 2009 - 2:32 pm UTC

Last updated: October 26, 2009 - 2:50 pm UTC

Version: 10.2.0.4.0


You Asked

I've heard that our corporate security team disallows confidential data from being pulled through a database link between 2 databases. Instead they recommend secure FTP of a flat file.

I'm pretty ignorant about security, since I normally just work "inside" the database. I read this
http://asktom.oracle.com/pls/asktom/f?p=100:11:0::::P11_QUESTION_ID:4018622135475
but it didn't seem to help.

Can you point me to some references to confirm/refute the idea that data isn't/can't-be securely transmitted from one Oracle database?

Thanks!

and Tom said...

Data going over the wire is sent in the clear (except for your password)

If you turn on sqlnet tracing and run a few queries (see network admin guide for tracing, it is all documented) you would see your sql going over and your data coming back - in clear text.

Anyone with a sniffer could see it.

To prevent that - to make it so that you could not sniff it - we need to encrypt it.


see
http://docs.oracle.com/cd/B19306_01/network.102/b14266/toc.htm

and in particular:
http://docs.oracle.com/cd/B19306_01/network.102/b14268/asointro.htm#sthref35


I'm not sure that writing sensitive data to a flat file (pretty easy to transport that puppy around and do what you will with it - say - EMAIL IT to your yahoo account or something) to ftp it really solves anything

network sniffing - can be hard
taking a flat file and emailing it - trivial

and you would need physical access to both servers - something most DBAs shouldn't have in the first place.

seems to solve a problem (encrypt on the wire) while introducing 50 more...

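An added example (not part of the original thread and not Oracle's code): a Python check that reads the sqlnet.ora text of both ends of a database link and reports whether Oracle Net encryption and checksumming would be negotiated, using the documented REJECTED/ACCEPTED/REQUESTED/REQUIRED levels with ACCEPTED as the default. The sample file contents are constructed, and it assumes both sides share at least one algorithm.

```python
import re

LEVELS = ("REJECTED", "ACCEPTED", "REQUESTED", "REQUIRED")

def setting(sqlnet_text, name):
    """Return a SQLNET.* level from sqlnet.ora text; the default is ACCEPTED."""
    pattern = rf"\s*{re.escape(name)}\s*=\s*\(?\s*(\w+)"
    for line in sqlnet_text.splitlines():
        line = line.split("#", 1)[0]          # drop comments
        m = re.match(pattern, line, re.I)
        if m and m.group(1).upper() in LEVELS:
            return m.group(1).upper()
    return "ACCEPTED"

def negotiate(client, server):
    """Outcome of the client/server negotiation: 'ON', 'OFF' or 'FAIL'."""
    pair = {client, server}
    if pair == {"REQUIRED", "REJECTED"}:
        return "FAIL"                         # connection is refused
    if "REJECTED" in pair or pair == {"ACCEPTED"}:
        return "OFF"                          # traffic travels in the clear
    return "ON"

def dblink_status(local_sqlnet, remote_sqlnet):
    """The database that owns the link acts as the Oracle Net client."""
    return {
        "encryption": negotiate(
            setting(local_sqlnet, "SQLNET.ENCRYPTION_CLIENT"),
            setting(remote_sqlnet, "SQLNET.ENCRYPTION_SERVER")),
        "checksum": negotiate(
            setting(local_sqlnet, "SQLNET.CRYPTO_CHECKSUM_CLIENT"),
            setting(remote_sqlnet, "SQLNET.CRYPTO_CHECKSUM_SERVER")),
    }

# Constructed sample files (not taken from the page).
DEFAULT = "NAMES.DIRECTORY_PATH = (TNSNAMES)\n"
HARDENED_REMOTE = """
SQLNET.ENCRYPTION_SERVER = REQUIRED   # refuse unencrypted sessions
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)
SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED
"""
REFUSING_LOCAL = "SQLNET.ENCRYPTION_CLIENT = REJECTED\n"

if __name__ == "__main__":
    print("defaults on both ends:", dblink_status(DEFAULT, DEFAULT))
    print("remote requires:      ", dblink_status(DEFAULT, HARDENED_REMOTE))
    print("local rejects:        ", dblink_status(REFUSING_LOCAL, HARDENED_REMOTE))
```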

Comments

Use IPSec or VPNs to protect data exchange

Luigi D. Sandon, October 25, 2009 - 9:56 am UTC

Besides Oracle Advanced Security, you could set up IPsec or a VPN to protect the data. The difference is that OAS will protect data from one database to the other one, while IPSec or a VPN will protect data between the network adapters, or the VPN endpoints.
I agree exchanging data using files is more dangerous, and SFTP requires an SFTP server to be set up also, increasing, not reducing, the attack surface. It looks to me like the "old sysadmin" approach, setting up an SFTP server is easy, while setting up IPSec and VPNs is more work. This way they leave the burden of exporting data, sending data, reimporting data to the db developer, instead of exploiting available technologies to protect the data path.

The CRYPTO-Keeper says...

Duke Ganote, October 26, 2009 - 11:35 am UTC

So is this the gist? There are several means of transmitting encrypted data.

1) if dblnk points to a remote account that only accesses encrypted data, then the encrypted data can be securely pulled through TNS. Encryption could occur through DBMS_OBFUSCATION_TOOLKIT in 8i and 9i, or DBMS_CRYPTO in 10g and later. The data is then de-crypted by the receiving system.

2) 10gR2 offers a means of "transparently" encrypting the network data transmissions, which you referenced.

3) Luigi D. Sandon suggests a secure IP or VPN.

BTW, I also found this reference in Oracle Magazine:
https://asktom.oracle.com/Misc/oramag/on-injecting-and-comparing.html
Tom Kyte
October 26, 2009 - 2:50 pm UTC

change #1 to read


if dblnk points to a remote account that only accesses APPLICATION encrypted data

so as to not confuse that with transparent data encryption