Scrambling sqlnet data



Following on from my post about changes in advanced security licencing, here is how to activate sqlnet encryption (with minimal effort), together with a demonstration that the data really is scrambled on the network.

It's a common audit finding that data is not encrypted over the network, as anyone with a packet sniffer can easily 'see' what data is being returned from the database.

To start this test, let's create a table with a secret bit of data in it:

SQL> create table system.demo(col1 varchar2(4000));

Table created.

SQL> insert into system.demo values ('Top Secret');

1 row created.

SQL> commit;

Commit complete.

SQL>


If we now install a packet sniffer we can see what can be read from the network traffic (and this is very easy to do if you are on the same subnet as the machine whose data you want to view; nothing other than this software is required).

I installed wireshark as it's easy to use and I'm familiar with it: http://www.wireshark.org/download.html

I chose the portable apps version for this demo.


Firing up the program and then running a select over sqlplus (we need to filter on our source and destination addresses, as there can be a lot of output), we can see in the screenshot below that line 16 is the data being returned from oracle and that it is in 'plain text' (we can see Top Secret spread over a couple of lines of the trace at the bottom of the screen).



If we now add the following parameter to the sqlnet.ora of the client:

SQLNET.ENCRYPTION_CLIENT = REQUIRED

and then create a completely new connection, we will see that the data is scrambled and that this particular exposure is gone.


There are loads of different algorithms to choose from, and there are checksumming (integrity) options as well. The above sqlnet change simply accepts all the defaults.
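The reason a client-side change alone is enough is that the server's SQLNET.ENCRYPTION_SERVER defaults to ACCEPTED, so a client set to REQUIRED wins the negotiation. The following is an added example (not from the original post) that parses constructed sqlnet.ora fragments and predicts, from Oracle's documented REJECTED/ACCEPTED/REQUESTED/REQUIRED matrix, whether a session will be encrypted or checksummed; it lets you check a server-side setting before relying on every client to opt in.

```python
"""Predict Oracle Net encryption/checksum negotiation from sqlnet.ora settings.
Added example; the sqlnet.ora fragments below are constructed, not from the post."""

LEVELS = ("REJECTED", "ACCEPTED", "REQUESTED", "REQUIRED")


def parse_sqlnet(text):
    """Parse the KEY = VALUE lines of a sqlnet.ora into a dict (upper-cased)."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if "=" in line:
            key, value = line.split("=", 1)
            params[key.strip().upper()] = value.strip().upper()
    return params


def negotiate(client_level, server_level):
    """Return 'ON', 'OFF' or 'FAIL' for one client/server pair of levels.
    The same matrix applies to SQLNET.ENCRYPTION_* and SQLNET.CRYPTO_CHECKSUM_*."""
    c, s = client_level.upper(), server_level.upper()
    if c not in LEVELS or s not in LEVELS:
        raise ValueError("unknown level: %s / %s" % (c, s))
    if "REJECTED" in (c, s):
        # One side refuses: connection fails if the other insists, else stays off.
        return "FAIL" if "REQUIRED" in (c, s) else "OFF"
    if c == "ACCEPTED" and s == "ACCEPTED":
        return "OFF"          # nobody asked for it: the plaintext case in the post
    return "ON"


def session_state(client_ora, server_ora, feature="ENCRYPTION"):
    """feature is 'ENCRYPTION' or 'CRYPTO_CHECKSUM'; absent parameters default to ACCEPTED."""
    c = parse_sqlnet(client_ora).get("SQLNET.%s_CLIENT" % feature, "ACCEPTED")
    s = parse_sqlnet(server_ora).get("SQLNET.%s_SERVER" % feature, "ACCEPTED")
    return negotiate(c, s)


# Constructed sample fragments.
SERVER_DEFAULT = "# server sqlnet.ora with no encryption parameters\n"
CLIENT_BEFORE = "SQLNET.ENCRYPTION_CLIENT = ACCEPTED\n"
CLIENT_AFTER = "SQLNET.ENCRYPTION_CLIENT = REQUIRED\n"
SERVER_HARDENED = ("SQLNET.ENCRYPTION_SERVER = REQUIRED\n"
                   "SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)\n"
                   "SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED\n"
                   "SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA256)\n")

if __name__ == "__main__":
    for label, c, s in (("client default", CLIENT_BEFORE, SERVER_DEFAULT),
                        ("client REQUIRED", CLIENT_AFTER, SERVER_DEFAULT),
                        ("server REQUIRED", CLIENT_BEFORE, SERVER_HARDENED)):
        print(label, "encryption:", session_state(c, s),
              "checksum:", session_state(c, s, "CRYPTO_CHECKSUM"))
```

With the hardened server fragment, even a client that never touched its sqlnet.ora gets an encrypted and integrity-checked session, which is the setting an auditor will usually want to see.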

Again, please check licencing before going ahead with this.

