Wednesday, January 29, 2020

Poking a hole through a firewall

Allowing highly critical network services such as Oracle (1521/tcp), MySQL (3306/tcp), MSSQL (1433/tcp) through firewalls to untrusted network are similar to poking a hole through a firewall.

For example, leaving the Oracle Listener port 1521 open to untrusted networks, allow the database to connect to the Internet or the Internet to connect with the database. This could introduce significant security vulnerabilities that hackers are likely to exploit. Hackers could enable even more port openings through the firewall, create multithreaded operating system server problems, and enable access to crucial information on databases behind the firewall.

If the database listener services are running without passwords or with weak credentials, then hackers can probe for critical details about the databases on which it is listening. These details include trace and logging information, banner information, and database descriptors and service names, enabling malicious and damaging attacks on the target databases.

When it comes to database traffic, it is always recommended to encrypt network traffic when transmitting over untrusted networks. For example you may  utilize Oracle Advanced Security to encrypt network traffic between clients, databases, and application servers.

Further I recommend to harden the host operating system of the database server by disabling all unnecessary operating system services. Many UNIX and Windows services are not necessary for most deployments. Such services include FTP, TFTP, TELNET, and so forth. For each disabled service, be sure to close both the UDP and TCP ports. Leaving either type of port enabled leaves the operating system vulnerable.

Finally It is generally not acceptable to allow all source addresses to access your server management ports (22 for Linux SSH and 3389 for Windows RDP) or database (1433 for SQL Server, 1521 for Oracle, and 3306 for MySQL). Be as specific as practical about who can reach these ports. When it is impractical to define source IP addresses for network management, you might consider another solution like a remote access VPN as a compensating control to allow the access required and protect your network.