Allowing highly critical network services such as Oracle (1521/tcp), MySQL (3306/tcp), and MSSQL (1433/tcp) through a firewall to untrusted networks is similar to poking a hole through the firewall.
For example, leaving the Oracle Listener port 1521 open to untrusted networks allows the database to connect to the Internet, or the Internet to connect to the database. This could introduce significant security vulnerabilities that hackers are likely to exploit. Hackers could enable even more port openings through the firewall, create multithreaded operating system server problems, and enable access to crucial information on databases behind the firewall.
If the database listener services are running without passwords or with weak credentials, hackers can probe for critical details about the databases on which they are listening. These details include trace and logging information, banner information, and database descriptors and service names, enabling malicious and damaging attacks on the target databases.
When it comes to database traffic, it is always recommended to encrypt network traffic when transmitting over untrusted networks. For example, you may use Oracle Advanced Security to encrypt network traffic between clients, databases, and application servers.
Further, I recommend hardening the host operating system of the database server by disabling all unnecessary operating system services. Many UNIX and Windows services are not necessary for most deployments. Such services include FTP, TFTP, TELNET, and so forth. For each disabled service, be sure to close both the UDP and TCP ports. Leaving either type of port enabled leaves the operating system vulnerable.
Finally, it is generally not acceptable to allow all source addresses to access your server management ports (22 for Linux SSH and 3389 for Windows RDP) or database ports (1433 for SQL Server, 1521 for Oracle, and 3306 for MySQL). Be as specific as practical about who can reach these ports. When it is impractical to define source IP addresses for network management, you might consider another solution, such as a remote access VPN, as a compensating control to allow the access required and protect your network.
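To check a host against the source-address advice above, the following added example (not code from the original post) audits a rule set in `iptables-save` format and reports ACCEPT rules that open the ports named here to any source or to an overly broad one. The sample rules, the function names, and the `/16` threshold are assumptions chosen for illustration.

```python
import ipaddress
import shlex

# Ports named in the post: management (SSH, RDP) and database listeners.
SENSITIVE = {22: "SSH", 3389: "RDP", 1433: "MSSQL", 1521: "Oracle", 3306: "MySQL"}

# Constructed sample in iptables-save format (not from a real host).
SAMPLE_RULES = """\
-A INPUT -s 10.20.0.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1521 -j ACCEPT
-A INPUT -s 0.0.0.0/0 -p tcp -m multiport --dports 3306,8080 -j ACCEPT
-A INPUT -s 192.0.2.10/32 -p tcp -m tcp --dport 1433 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3000:4000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3389 -j DROP
"""

def _opt(tok, *names):
    """Value following the first of the given option names, or None."""
    return next((tok[i + 1] for i, t in enumerate(tok[:-1]) if t in names), None)

def _sensitive_ports(spec):
    """Sensitive ports covered by a spec such as '3306,8080' or '3000:4000'."""
    hit = set()
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        hit.update(p for p in SENSITIVE if int(lo) <= p <= int(hi or lo))
    return sorted(hit)

def audit(rules_text, min_prefix=16):
    """List (port, service, source) for TCP ACCEPT rules that open a sensitive
    port to a source that is unset (any) or broader than /min_prefix.
    Assumes plain rules: no '!' negation, explicit --dport/--dports."""
    findings = []
    for line in rules_text.splitlines():
        tok = shlex.split(line)
        spec = _opt(tok, "--dport", "--dports")
        if _opt(tok, "-j") != "ACCEPT" or _opt(tok, "-p") != "tcp" or not spec:
            continue
        src = _opt(tok, "-s") or "0.0.0.0/0"  # no -s means any source
        if ipaddress.ip_network(src, strict=False).prefixlen >= min_prefix:
            continue
        findings += [(p, SENSITIVE[p], src) for p in _sensitive_ports(spec)]
    return findings

if __name__ == "__main__":
    for port, service, src in audit(SAMPLE_RULES):
        print(f"{service} ({port}/tcp) reachable from {src}")
```

The port range rule in the sample is flagged twice because `3000:4000` silently covers both 3306 and 3389, which is the kind of exposure that is easy to miss when reading rules by eye.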
Poking a hole through a firewall
January 29, 2020 / by Kushan Sharma