♦️Oracle 19c Network Security & Sniffing Test Scenario
Alireza Kamrani
In this post I provided a sample to increase security network between Clients and Oracle Server by setting on sqlnet.ora file to encrypt data transfer.
And finally I will use the Wireshark utility that listens to the network to see if the data is actually encrypted.
I’m making the examples in the 19c database version on Oracle Virtual Box or Vmware Workstation. The Virtual Box network setting works in the Host-only state.
Let’s start watching the network in Wireshark,
Connect to the database with SQL Developer and run a query,
SQL>select name from v$database;
Name
------
Testdb
Let’s come back to the Wireshark program and examine the results.
As you can see in the picture, the query we run has not made any encryption on the network. So the query that we run clearly shows what it is.
This is not a safe situation at all.
Now let’s encrypt the traffic between the client and the server by changing the “sqlnet.ora” parameters on the client side.
The client side sqlnet.ora file should look like this,
The server-side file should look like this,
Let’s start monitoring the network with Wireshark and connect to SQL Developer and run a query,
select name from v$database;
As shown in the picture, the query appears encrypted after the query we run. When we look at the traffic in the Wireshark program as before, the query executed on the client side became encrypted.
After you close the connection, let’s search all .trc files on the client. The trace file created at the time of the connection will tell us whether the connection is encrypted.
Look for the word “encryption” in these file.
This result indicates that the data is encrypted over the network with the AES128 algorithm and data integrity is ensured by the SHA1 algorithm.
Here I present some information about encryption settings:
Configuring for Network Encryption
The configuration for Network Encryption is defined in the “sqlnet.ora” file on the client and server side. Before configuring, Oracle Net installation must be done on both the server and client side.
Configuration can be done by replacing the file “sqlnet.ora” with the text editor or with the netmgr program.
Two separate parameters are used on the server side.
SQLNET.ENCRYPTION_SERVER = [accepted | rejected | requested | required ]
SQLNET.ENCYRPTION_TYPES_SERVER = (algorithm name)
The parameters used by the client side,
SQLNET.ENCRYPTION_CLIENT = [ accepted | rejected | requested | required ]
SQLNET.ENCYRPTION_TYPES_CLIENT = ( algorithm name )
The SQLNET.ENCRYPTION_SERVER and SQLNET.ENCRYPTION_CLIENT parameters are parameters that determine whether to encrypt the client and the server.
This parameter can take the following values,
- REJECTED
- ACCEPTED
- REQUESTED
- REQUIRED
The default value is ACCEPTED.
REJECRED : This means that the client and server will never establish an encrypted connection.
ACCEPTED : It means that the client and the server can establish an encrypted connection if there is a request to establish an encrypted connection.
REQUESTED : It means that the client and the server want to establish an encrypted connection.
REQUIRED : It means that the client or server is necessarily trying to establish an encrypted connection. The client and server cannot establish a connection when a connection is requested withouth password.
📍Can we use multiple security algorithms?
In any network connection, both the client and server can support multiple encryption algorithms and integrity algorithms.
When a connection is made, the server selects which algorithm to use, if any, from those algorithms specified in the sqlnet.ora files.The server searches for a match between the algorithms available on both the client and the server, and picks the first algorithm in its own list that also appears in the client list. If one side of the connection does not specify an algorithm list, all the algorithms installed on that side are acceptable.
The connection fails with error message ORA-12650 if either side specifies an algorithm that is not installed.
Encryption and integrity parameters are defined by modifying a sqlnet.ora file on the clients and the servers on the network.
You can choose to configure any or all of the available encryption algorithms, and either or both of the available integrity algorithms.
Only one encryption algorithm and one integrity algorithm are used for each connect session.
Note:Oracle Database selects the first encryption algorithm and the first integrity algorithm enabled on the client and the server. Oracle recommends that you select algorithms and key lengths in the order in which you prefer negotiation, choosing the strongest key length first.
📍Are clients side configuration is mandatory?
Oracle Database servers and clients are set to ACCEPT encrypted connections out of the box. This means that you can enable the desired encryption and integrity settings for a connection pair by configuring just one side of the connection, server-side or client-side.
So, for example, if there are many Oracle clients connecting to an Oracle database, you can configure the required encryption and integrity settings for all these connections by making the appropriate sqlnet.ora changes at the server end.
You do not need to implement configuration changes for each client separately.
More info:
Best Regards,
Alireza Kamrani.
