Securing Oracle Listeners against TNS Poison Attack by COST

The Oracle database contains a vulnerability in the TNS listener service that has been referred to as "TNS Poison" in public discussions. The TNS listener service accepts unauthenticated remote registrations when sent the appropriate connect packet (COMMAND=SERVICE_REGISTER_NSGR). An unauthenticated attacker may be able to register a client using the instance name of an already registered database and so perform a man-in-the-middle attack that allows the attacker to sniff database traffic and inject database commands into the server. Joxean Koret was the first to identify the issue, in 2008, and provided code demonstrating the man-in-the-middle attack by hijacking the communication between the client and the database server.

Oracle released a solution for this risk in April 2012, both as a code fix and as listener hardening through COST (Class Of Secure Transports) and VNCR (Valid Node Checking for Registration). COST is the supported solution from 10g to 11gR2, while from 11.2.0.4 onwards VNCR is the alternative to COST. COST is a somewhat complex setup that uses a subset of Oracle Advanced Security, which Oracle allowed to be used without a license only for securing listeners. VNCR is easy to configure compared to COST.

The Class Of Secure Transports (COST) parameters specify a list of transports that are considered secure for the administration and registration of a particular listener. The COST parameters identify which transports are considered secure for that installation and whether administration of the listener requires a secure transport. COST does not affect client connections that use other protocols.

IPC protocol support is similar to BEQ protocol support in that it can only be used when the client program and the Oracle server are installed on the same system. IPC protocol support differs from BEQ protocol support in that it can be used with Oracle Shared Server configurations. IPC protocol support requires a listener for its operation.
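The practical consequence of the two paragraphs above is that a listener is protected against remote unauthenticated registration when its COST list contains no plain TCP transport (typically just IPC, which is local-only), or when VNCR is switched on. The following script, added here as an example and not code from this blog or from Oracle, reads a listener.ora, finds each listener definition and reports whether a SECURE_REGISTER_<listener> (COST) or VALID_NODE_CHECKING_REGISTRATION_<listener> (VNCR) entry restricts registration. The parameter names are the ones documented for 11g/12c listener.ora; the sample file text, the listener names LSNR_COST and LSNR_VNCR and the host names are constructed for this example.

```python
"""Audit listener.ora entries for protection against unauthenticated
remote service registration (the TNS Poison condition).

Added example, not Oracle's own tooling. It assumes the listener.ora
parameters SECURE_REGISTER_<listener> (COST) and
VALID_NODE_CHECKING_REGISTRATION_<listener> / REGISTRATION_INVITED_NODES_<listener>
(VNCR). Everything in SAMPLE_LISTENER_ORA is constructed for the example.
"""
import re

# Constructed listener.ora: LISTENER has no protection, LSNR_COST allows
# registration over IPC only (COST), LSNR_VNCR has valid node checking on.
SAMPLE_LISTENER_ORA = """
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = db01)(PORT = 1521))
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
    )
  )

LSNR_COST =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = db01)(PORT = 1522))
      (ADDRESS = (PROTOCOL = IPC)(KEY = LSNR_COST))
    )
  )
SECURE_REGISTER_LSNR_COST = (IPC)   # only local IPC may register services
SECURE_CONTROL_LSNR_COST = (IPC)    # only local IPC may administer the listener

LSNR_VNCR =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = db01)(PORT = 1523))
    )
  )
VALID_NODE_CHECKING_REGISTRATION_LSNR_VNCR = ON
REGISTRATION_INVITED_NODES_LSNR_VNCR = (db01, db02)
"""

_ASSIGN = re.compile(r"^([A-Za-z0-9_.]+)\s*=\s*(.*)$")


def parse_top_level(text):
    """Return {NAME: value} for every top-level assignment in listener.ora.

    Values may span several lines; nesting is tracked by counting parentheses
    so that 'KEY = value' lines inside a DESCRIPTION are not mistaken for
    new top-level entries.  '#' starts a comment.
    """
    entries, depth, name, buf = {}, 0, None, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = _ASSIGN.match(line)
        if depth == 0 and match:
            if name is not None:
                entries[name] = " ".join(buf).strip()
            name, rest = match.group(1).upper(), match.group(2)
            buf = [rest]
            depth = rest.count("(") - rest.count(")")
        else:
            buf.append(line)
            depth += line.count("(") - line.count(")")
    if name is not None:
        entries[name] = " ".join(buf).strip()
    return entries


def registration_protection(entries, listener):
    """Classify how LISTENER accepts service registration.

    Returns (protected, reason).  COST wins if present: the transport list
    must not include plain TCP.  Otherwise VNCR must be ON/LOCAL/SUBNET.
    """
    cost = entries.get(f"SECURE_REGISTER_{listener}")
    if cost is not None:
        protocols = {p.strip().upper() for p in cost.strip().strip("()").split(",") if p.strip()}
        if not protocols or "TCP" in protocols:
            return (False, f"COST list {sorted(protocols)} still permits plain TCP registration")
        return (True, f"COST: registration limited to {sorted(protocols)}")
    vncr = entries.get(f"VALID_NODE_CHECKING_REGISTRATION_{listener}", "OFF").strip().upper()
    if vncr in {"ON", "1", "LOCAL", "SUBNET"}:
        invited = entries.get(f"REGISTRATION_INVITED_NODES_{listener}", "(none)")
        return (True, f"VNCR {vncr}: registration limited to local node and invited nodes {invited}")
    return (False, "no SECURE_REGISTER_* (COST) or VALID_NODE_CHECKING_REGISTRATION_* (VNCR) entry")


def audit(text):
    """Map each listener name in listener.ora text to its (protected, reason)."""
    entries = parse_top_level(text)
    # A listener definition is a top-level entry whose value carries ADDRESS
    # clauses; SECURE_*, VALID_NODE_* and SID_LIST_* entries do not.
    return {
        name: registration_protection(entries, name)
        for name, value in entries.items()
        if "(ADDRESS" in value.upper()
    }


if __name__ == "__main__":
    for listener, (ok, why) in audit(SAMPLE_LISTENER_ORA).items():
        print(f"{'OK  ' if ok else 'WEAK'} {listener}: {why}")
```

On a real host, replace SAMPLE_LISTENER_ORA with the contents of $ORACLE_HOME/network/admin/listener.ora (or the Grid home's copy for RAC). A COST list of (TCPS) also blocks plain TCP registration but only works once the wallet from step 1 below is in place, which is why the script treats any list without TCP as protected rather than insisting on IPC.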

Here are the steps to configure COST for an 11g database.

Step 1: Create wallet directories on each node (as root)

mkdir -p /etc/oracle/wallets/COST

chown -R oracle:dba /etc/oracle/wallets


How Many SCAN Listeners?

Today we will explore SCAN listeners in a little more depth. The common questions that come to mind are: how many SCAN listeners can be configured in a multi-node RAC environment? How many SCAN listeners are actually required, and how many are enough?

Let’s find out the answers for these common queries.

I am assuming that by now most DBAs are pretty comfortable with SCAN listeners; if you need a detailed explanation, the following URL is a good place to visit: here. As usual, Oracle's documentation of SCAN for the 11g and 12c releases is excellent.

Basically, SCAN listeners were introduced to add another connection handler on top of the existing node listeners, to overcome the failover and load-balancing limitations of the RAC architecture up to 11gR1. Up to 11gR1, node listeners were defined on VIPs so that a NACK (negative acknowledgement) could be returned, which resolves the problem of TCP timeouts.

In pre-11gR2 database environments, clients may take up to 2 minutes to decide (at the TCP level) that a node is down. This is purely because of TCP timeouts, which differ from platform to platform. Two minutes is unacceptable, and it was a good thing that Oracle understood and addressed this issue. Oracle designed a virtual IP address (VIP) to be assigned to the public interface. Under normal circumstances the VIP is located on its designated NIC and the listener is bound to this VIP. When the VIP has to fail over to another node in the cluster and a client tries to connect to it (because the TNS alias addresses point to this VIP), the VIP responds immediately (it has failed over and the TCP stack is running against it), and the client receives a negative acknowledgement (NACK) confirming that no listener is active on its designated port. Within a few seconds the client knows this and fails over to the alternative address in its TNS alias. This makes failover a lot faster.

From 11gR2 onwards Oracle improved administration, database availability from the client's perspective, load balancing and so on by introducing SCAN (Single Client Access Name). With SCAN, clients can use the SCAN name (resolved to 3 VIPs in the default configuration) rather than listing all RAC nodes in the connect string. By default the SCAN listeners (defined on the SCAN VIPs) are the first point of contact and coordinate with the node listeners (defined on the node VIPs), so if a node fails, the SCAN listener running on that node (if any) is relocated to a surviving node while the remaining SCAN listeners keep serving as normal.

In practice, any complex environment is designed with a multi-tier architecture in which connections are handled through a connection-pool mechanism. This reduces connect time for application or web-based end users. Normally 3 SCANs are capable of handling hundreds of new connections within a few seconds. Still, if you feel that the default 3 SCAN listeners are not enough for your environment, you have the option of adding a few more. A GNS-based dynamic IP scheme still offers no way to change the number of SCAN listeners in your environment. Today we will elaborate the process of adding one extra SCAN listener in our DNS-based static IP configuration.
