Network encryption is one of the most important hardening measures in any enterprise infrastructure. It ensures that confidential data is encrypted while it crosses the wire, so an attacker who can observe the network path cannot read it; note that stopping an active man-in-the-middle bent on data exfiltration, as opposed to a passive eavesdropper, also requires the client to authenticate the endpoint it is talking to, not just to encrypt. Network encryption guarantees that data exchanged between clients (applications) and the database system, or between any two endpoints, is securely transmitted and transparently decrypted at the far end. Moreover, regulations such as HIPAA mandate or strongly recommend encrypting data in transit and/or at rest to protect it from theft and malicious attacks. Oracle Database offers out-of-the-box ways to encrypt and secure over-the-wire data, and this article compares two of them that can be implemented in any Oracle database infrastructure.
It is important to note that network encryption (native and TLS) is included with Oracle Database Enterprise Edition and does not require a separate Oracle Advanced Security Option licence.
In this article, I will explore four topics related to network encryption in Oracle 18c release:
- Native Network Encryption
- Encryption using Transport Layer Security (TLS)
- Scanning database listener ports using nmap
- Comparison between Native Encryption and TLS
Native Network Encryption
Native Network Encryption is configured in the sqlnet.ora file on the database server (the client has matching SQLNET.*_CLIENT parameters). The following is an example that insists on encryption and restricts the algorithm to AES-256:
SQLNET.ENCRYPTION_SERVER = required
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)
The parameter SQLNET.ENCRYPTION_SERVER accepts the following values:
- REQUESTED – enable the security service if the client allows it
- REQUIRED – enable the security service and refuse the connection if the client does not support it
- ACCEPTED – enable the security service if the client requires or requests it (this is the default when the parameter is not set)
- REJECTED – disable the security service, even if the client requires it
The outcome of the negotiation depends on the combination of the server setting and the client's SQLNET.ENCRYPTION_CLIENT setting (the same rules apply to the integrity checksum parameters SQLNET.CRYPTO_CHECKSUM_SERVER and SQLNET.CRYPTO_CHECKSUM_CLIENT). In short: the service is turned on when either side is REQUIRED or REQUESTED and the other side is anything but REJECTED; it stays off when both sides are ACCEPTED or when either side is REJECTED; and the connection fails when one side is REQUIRED and the other is REJECTED.
To confirm that encryption is actually taking place, run the following query from a session that connected over the network; it reports the services negotiated for your own session:
SQL> select network_service_banner from v$session_connect_info where sid in (select distinct sid from v$mystat);
The result is one row per negotiated service. When native encryption is active, one of the banners names the algorithm, for example an "AES256 Encryption service adapter" line, next to the crypto-checksum (integrity) banner. A session connected locally through the bequeath adapter never crosses the network and does not negotiate these services, so test from a real client connection.
Encryption Using Transport Layer Security (TLS)
The following are the summary steps to set up network encryption using TLS with the orapki utility on the database server. Run these commands as the OS user that owns the database software (the wallet password shown is the article's example; choose your own):
cd $ORACLE_HOME
mkdir $ORACLE_HOME/tns_wall
orapki wallet create -wallet "$ORACLE_HOME/tns_wall" -pwd emad_1_2 -auto_login_local
I will generate a self-signed certificate (for anything beyond a lab it is highly recommended to use a certificate issued by a CA, so that clients trust the listener without copying its certificate around) and add it to the wallet with the following command. Use at least a 2048-bit key; 1024-bit RSA keys are no longer considered adequate:
orapki wallet add -wallet "$ORACLE_HOME/tns_wall" -pwd emad_1_2 -dn "CN=dbcert" -keysize 2048 -self_signed -validity 180
This certificate is exported and then imported as a trusted certificate (orapki wallet add with -trusted_cert) into a wallet created the same way on each client system, so that the client can verify the listener. Execute the following command to export the self-signed certificate:
orapki wallet export -wallet "$ORACLE_HOME/tns_wall" -pwd emad_1_2 -dn "CN=dbcert" -cert /tmp/db-export-certificate.crt
Add the following to the client's sqlnet.ora, with DIRECTORY pointing at the client's own wallet. The server needs an equivalent WALLET_LOCATION entry in its sqlnet.ora and listener.ora pointing at the wallet created above, otherwise the listener has no certificate to present:
WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = $ORACLE_HOME/tns_wall)))
SQLNET.AUTHENTICATION_SERVICES = (TCPS,NTS,BEQ)
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA)
Two caveats on this list: SSL_RSA_WITH_3DES_EDE_CBC_SHA is a legacy 3DES suite and is better dropped than offered as a fallback, and SSL_VERSION should be pinned (SSL_VERSION = 1.2) so that older protocol versions cannot be negotiated. SSL_CLIENT_AUTHENTICATION = FALSE means only the server presents a certificate; the client is still authenticated by its database credentials rather than by a certificate of its own.
Update the ADDRESS_LIST in the database server's listener.ora with an entry whose protocol is TCPS; 1777 is the port chosen here:
(ADDRESS = (PROTOCOL = TCPS)(HOST = 0.0.0.0)(PORT = 1777))
Reload the listener afterwards (lsnrctl reload) and give clients a tnsnames.ora entry that uses the same TCPS protocol and port.
Starting with Oracle 19c, both mechanisms can be configured at the same time on the database server. Previously, configuring native encryption together with SSL/TLS raised "ORA-12696: Double Encryption Turned On". The new sqlnet.ora parameter SQLNET.IGNORE_ANO_ENCRYPTION_FOR_TCPS, when set to TRUE, makes a TCPS connection ignore SQLNET.ENCRYPTION_CLIENT and SQLNET.ENCRYPTION_SERVER even if either of them is set to REQUIRED, so the TLS session is the only encryption layer on that port while plain TCP clients still have native encryption enforced.
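As an added example (not code from the article or from Oracle), the following Python script checks both of the configurations covered so far: it parses a server and a client sqlnet.ora, works out whether native encryption and integrity checking will be negotiated between them under the rules given in the native encryption section, and flags the settings a hardening review would reject, such as RC4 in the native algorithm list, the 3DES suite in SSL_CIPHER_SUITES, or a missing SSL_VERSION. The sample files, the wallet path and the weak/hardened server variants are constructed for the example.

```python
"""Audit the native encryption settings of a server and a client sqlnet.ora.

Added example for this article, not Oracle's code. It parses the flat
"NAME = value" syntax of sqlnet.ora (one parameter per line, parenthesised
values kept as one string), evaluates the encryption and integrity
negotiation between the two files and flags what a hardening review would
reject. The sample files and the wallet path are constructed."""

LEVELS = ("REJECTED", "ACCEPTED", "REQUESTED", "REQUIRED")
# Native algorithms that should not stay negotiable: RC4/DES/3DES families
# for encryption, MD5 and SHA1 for the integrity checksum.
WEAK_NATIVE = {"RC4_40", "RC4_56", "RC4_128", "RC4_256", "DES", "DES40",
               "3DES112", "3DES168", "MD5", "SHA1"}
# Markers of a weak TLS cipher suite name (compared upper-cased).
WEAK_SUITE_MARKERS = ("3DES", "RC4", "_NULL_", "_MD5", "_ANON_")


def parse_sqlnet(text):
    """Return {PARAM: value} for each 'PARAM = value' line; '#' starts a comment."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, _, value = line.partition("=")
            params[key.strip().upper()] = value.strip()
    return params


def list_value(value):
    """'(AES256, AES192)' -> ['AES256', 'AES192']; '' -> []."""
    return [v.strip().upper() for v in value.strip("() ").split(",") if v.strip()]


def negotiate(server_level, client_level):
    """Outcome for one service: 'ON', 'OFF' or 'FAIL'. Unset means ACCEPTED."""
    s = (server_level or "ACCEPTED").strip().upper()
    c = (client_level or "ACCEPTED").strip().upper()
    if s not in LEVELS or c not in LEVELS:
        raise ValueError(f"unknown negotiation level: {s}/{c}")
    if "REQUIRED" in (s, c) and "REJECTED" in (s, c):
        return "FAIL"   # one side insists, the other refuses
    if "REJECTED" in (s, c) or (s, c) == ("ACCEPTED", "ACCEPTED"):
        return "OFF"    # nobody asked for the service
    return "ON"


def audit(server_text, client_text):
    """Negotiation outcome plus findings for a server/client sqlnet.ora pair."""
    srv, cli = parse_sqlnet(server_text), parse_sqlnet(client_text)
    outcome = {
        "encryption": negotiate(srv.get("SQLNET.ENCRYPTION_SERVER"),
                                cli.get("SQLNET.ENCRYPTION_CLIENT")),
        "integrity": negotiate(srv.get("SQLNET.CRYPTO_CHECKSUM_SERVER"),
                               cli.get("SQLNET.CRYPTO_CHECKSUM_CLIENT")),
    }
    findings = []
    for side, cfg in (("server", srv), ("client", cli)):
        for service, prefix in (("encryption", "SQLNET.ENCRYPTION_TYPES_"),
                                ("integrity", "SQLNET.CRYPTO_CHECKSUM_TYPES_")):
            key = prefix + side.upper()
            weak = [a for a in list_value(cfg.get(key, "")) if a in WEAK_NATIVE]
            if weak:
                findings.append(f"{side}: {key} allows weak algorithm(s) {', '.join(weak)}")
            # With no server-side list, every installed algorithm is negotiable.
            if side == "server" and key not in cfg and outcome[service] == "ON":
                findings.append(f"server: {key} is unset; restrict it (AES256 / SHA256)")
        suites = list_value(cfg.get("SSL_CIPHER_SUITES", ""))
        weak = [x for x in suites if any(m in x for m in WEAK_SUITE_MARKERS)]
        if weak:
            findings.append(f"{side}: SSL_CIPHER_SUITES includes weak suite(s) {', '.join(weak)}")
        if suites and "SSL_VERSION" not in cfg:
            findings.append(f"{side}: SSL_VERSION is not pinned; set SSL_VERSION = 1.2")
    if outcome["encryption"] == "ON" and outcome["integrity"] != "ON":
        findings.append("encryption without integrity: set SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED")
    outcome["findings"] = findings
    return outcome


# Constructed samples: a "just switch it on" server, the article's AES256
# setting with a required SHA256 checksum, and the client file from the TLS section.
WEAK_SERVER_SQLNET = """
SQLNET.ENCRYPTION_SERVER = REQUESTED
SQLNET.ENCRYPTION_TYPES_SERVER = (RC4_128, AES256)
"""
HARDENED_SERVER_SQLNET = """
SQLNET.ENCRYPTION_SERVER = REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)
SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA256)
"""
CLIENT_SQLNET = """
WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = /u01/app/oracle/tns_wall)))
SQLNET.AUTHENTICATION_SERVICES = (TCPS,NTS,BEQ)
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA)
"""

if __name__ == "__main__":
    print("weak:", audit(WEAK_SERVER_SQLNET, CLIENT_SQLNET))
    print("hardened:", audit(HARDENED_SERVER_SQLNET, CLIENT_SQLNET))
```

The parser deliberately stays flat: a WALLET_LOCATION block split across several lines in a real file would need a small parenthesis-aware reader, which is easy to add but would obscure the negotiation logic that is the point here. Against the weak server the client's missing SQLNET.ENCRYPTION_CLIENT (default ACCEPTED) still yields encryption ON, but with RC4_128 negotiable and no integrity checksum; the hardened server leaves only the two client-side TLS findings.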
Scanning Database Listener Ports Using Nmap
Nmap is a well-known port scanner. Install it on a Linux server (RHEL-family distributions in this example) by running the following command as root:
yum install nmap
After installation you can start exploring. For example, the following command uses the -sS flag, a TCP SYN scan; it needs root privileges and is faster and less intrusive than a full connect scan because it never completes the handshake. Without a -p option nmap scans only its default list of the 1,000 most commonly used TCP ports:
nmap -sS 127.0.0.1
Here I am using my local host IP address, and as expected, the default port 1521 was listed.
The -sV flag adds service and version detection: nmap talks to each open port and tries to identify what is listening on it (plain verbosity is a separate flag, -v):
nmap -sV 127.0.0.1
Port 1777, the listener port configured with TLS, did not appear in either output. The reason is mundane: 1777 is not in nmap's default port list, so neither scan looked at it. TLS encrypts the session; it does not hide the listener. Point nmap at the port explicitly (-p 1777, or -p- for all 65,535 ports) and it reports the port open, -sV identifies a TLS-wrapped service, and the ssl-cert script will even display the certificate installed in the wallet. The security gain from TLS is confidentiality and server authentication, not obscurity, so the TCPS port should still be firewalled to the application hosts that need it, exactly like port 1521.
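To see the point in practice, here is an added example (not from the article) in Python that does in miniature what nmap -sV does for a single port: connect, attempt a TLS handshake, and report whether a TLS service answered, with which protocol and cipher, and the SHA-256 fingerprint of the certificate it presented. Against the TCPS listener from the previous section it doubles as a check that the wallet certificate is the one being served. The host and port values are placeholders, and the throwaway plain TCP listener is constructed so the script can be exercised without an Oracle listener.

```python
"""Probe a listener port and tell a plain TCP service from a TLS (TCPS) one.

Added example, not from the original article. nmap's default run covers its
1,000 most common ports, so a TCPS listener on 1777 is simply not in the
list; it is not hidden. This does what `nmap -p 1777 -sV` does in miniature
for one port. Host and port values are placeholders; the plain listener
helper is a constructed stand-in for a non-TLS service."""
import hashlib
import ipaddress
import socket
import ssl
import threading


def probe_tcps(host, port, ca_file=None, timeout=3.0):
    """Connect, attempt a TLS handshake and describe what answered.

    ca_file: the certificate exported from the server wallet. When given,
    the chain is verified, which pins the listener to that certificate;
    hostname checking stays off because the article's certificate is
    CN=dbcert, not a DNS name. Without ca_file the probe only observes.
    """
    result = {"host": host, "port": port, "kind": "closed", "tls": False}
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        result["error"] = f"connect failed: {exc.__class__.__name__}"
        return result
    result["kind"] = "plain"   # something answered; no TLS until proven otherwise

    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
        ctx.verify_mode = ssl.CERT_REQUIRED
    else:
        ctx.verify_mode = ssl.CERT_NONE
    try:
        ipaddress.ip_address(host)
        sni = None             # IP literal: nothing sensible to put in SNI
    except ValueError:
        sni = host
    try:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            der = tls.getpeercert(binary_form=True)
            result.update(
                kind="tls", tls=True,
                protocol=tls.version(), cipher=tls.cipher()[0],
                cert_verified=bool(ca_file),
                cert_sha256=hashlib.sha256(der).hexdigest() if der else None,
            )
    except (ssl.SSLError, OSError) as exc:
        # A non-TLS listener, a verification failure or a dropped connection.
        result["error"] = f"no TLS session: {exc.__class__.__name__}"
    finally:
        raw.close()
    return result


def start_plain_listener():
    """Constructed stand-in for a non-TLS service on 127.0.0.1.

    Accepts one connection, closes it and exits; returns the port so the
    probe can be exercised with no Oracle listener around.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def unused_port():
    """Pick a local port nobody is listening on (for the 'closed' case)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    print(probe_tcps("127.0.0.1", start_plain_listener()))   # kind: plain
    print(probe_tcps("127.0.0.1", unused_port()))            # kind: closed
    # Against the article's listener, pinning the exported wallet certificate:
    # print(probe_tcps("dbhost.example", 1777, ca_file="/tmp/db-export-certificate.crt"))
```

Run it with ca_file set to the exported db-export-certificate.crt to verify the chain, and compare cert_sha256 with the fingerprint printed by openssl x509 -noout -fingerprint -sha256 -in /tmp/db-export-certificate.crt; a mismatch means something other than your listener is answering on that port.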
Comparison Between Native Encryption and TLS
Both mechanisms protect data in flight, but they differ in what else they provide. Native network encryption is the simpler of the two: it needs no certificates or wallets, only the SQLNET.* parameters on each side, and existing clients pick it up transparently once the server requests or requires it. What it does not give the client is a certificate-based proof of the listener's identity, so encryption alone cannot distinguish the genuine database from an impostor on the network path. TLS costs more to operate (a wallet on every endpoint, certificate issuance and renewal, a dedicated TCPS port) but in return authenticates the server with its certificate, can authenticate clients the same way with SSL_CLIENT_AUTHENTICATION = TRUE, and uses a standard protocol that network and security teams can inspect and audit with ordinary tooling. Compliance requirements are one of the key motivators for implementing either, and Oracle database systems known to host confidential data should implement rigorous security measures. Native network encryption will protect data in flight; where the operational cost of certificates is acceptable, TLS is the better approach.
About the Author
Emad Al-Mousa is a Senior System Analyst at Saudi Aramco and has been working with Oracle technologies since 2006. He is an expert in the Oracle Database platform in areas such as security, high availability, and performance tuning, and in Oracle Spatial technology for GIS systems. Emad holds multiple Oracle Database certifications and was the first Saudi national to be awarded the Oracle ACE title.