The real issue is how you build an application-based IDS within Oracle. We all love to think we "trust" the DB admin... oh yeah. It is not only an issue of big corporations in my opinion. This does not eliminate the basic security measures you need to have.

Ofir

-----Original Message-----
From: Pete Finnigan [mailto:peteat_private]
Sent: Fri 21 September 2001 23:29
To: LOGANALYSISat_private
Subject: Re: [logs] Oracle IDS

Hi Todd

That's the difficulty I have come across time and time again. This is one of the main reasons that my design for an Oracle IDS includes housing almost all of the IDS within a separate database. I know quite a bit about securing an Oracle database, and as this IDS database would be set up as part of the IDS install it should be more tied down than other databases (OK, that's a bit big-headed, sorry), including the database being monitored. This is one of the reasons why the code is in PL/SQL, so it can be wrapped, and the code used to extract data will be held in the IDS database and encrypted. Using a compiled language could be more secure, but it would end up not being platform independent. The same rule will apply to the signatures. Of course there are issues with the DBA still being able to do things to the IDS database that he shouldn't because of having DBA access, but we can secure, encrypt and hide as much as possible. The other issue of course is hiding the encryption key used. I will give it more thought!! Thanks for the comments.

cheers

Pete

In article <009501c142b3$631f9d40$020aff0c@tsg1>, todd glassey <todd.glasseyat_private> writes
>The other issue is how to protect the DB from the DBAs that administer it.
>They are actually the core link in the puzzle.
>
>Todd
>----- Original Message -----
>From: <lbuchanaat_private>
>To: <LOGANALYSISat_private>
>Sent: Friday, September 21, 2001 7:21 AM
>Subject: RE: [logs] Oracle IDS
>
>
>> Hi,
>>
>> Ofir Arkin (OA) and Pete Finnigan (PF) posted messages partially quoted
>> below.
>>
>> OA> Oracle security and IDS monitoring of the database is a VERY big issue
>> OA> when we are talking about major corporations using Oracle as their
>> OA> master DB of choice.
>>
>> Yes it is a big issue. Just purchasing Oracle, the machine to run it on,
>> hiring and/or training staff, and customizing the database and tools is an
>> investment with an uncertain payback.
>>
>> PF> ... if this is because there is a lack of interest in Oracle security
>> PF> or because there is genuinely nothing out there.
>>
>> There is not much out there because of price of entry. Only organizations
>> that have significant amounts of data generated by various IDS sensors
>> would find it useful. My company developed something called Voyeur, and
>> the current version uses Oracle. I am not certain what the status is of
>> Voyeur as the people who developed it have left the company. It was
>> originally developed around MySQL, but MySQL could not handle the volume of
>> data that was generated by some of our clients.
>>
>> PF> ... I have decided to write an Oracle IDS myself.
>>
>> Go for it.
>>
>> PF> ... whether it will be free or commercial, ...
>>
>> Do both. I would suggest that you actually design your IDS to use both
>> Oracle and MySQL (or a similar database). The free version would only
>> provide basic IDS functionality, and the commercial version would have
>> value-added features.
>>
>> PF> ... what features they feel would be important ...
>>
>> Feature number one would be security of the database. The collected
>> information would be very valuable to any potential attacker. Severely
>> limit access to the entire database.
>>
>> Feature number two would be to use the database for more than IDS. The
>> collected information should be considered to be part of "corporate
>> history".
>>
>> I don't know if I would want to use the database for realtime monitoring.
>> Realtime monitoring should be done on the data prior to storage in the
>> database.
>> I would say the focus of the analysis on the database should be
>> looking at time periods ranging from a couple of days to a few months.
>>
>> PF> Not sure about an interface ( GUI ) yet, maybe Java based.
>>
>> Java or HTTP. Both are platform independent and you have lots of examples to
>> draw upon.
>>
>> PF> The signatures will be easy to define and be stored in the
>> PF> database encrypted.
>>
>> What is the point of encryption? Where is/are the decryption key(s) kept?
>>
>> Returning to the issue of free or commercial, you really need to decide
>> this early on as this will influence key design and implementation
>> decisions. If you decide on free, then use your own environment and needs
>> to guide these decisions. Otherwise, you will need to consider a much
>> wider set of issues on which to base your decisions about the design and
>> implementation.
>>
>> Good luck & B Cing U
>>
>> Buck
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: loganalysis-unsubscribeat_private
>> For additional commands, e-mail: loganalysis-helpat_private
>>
>
>

--
Pete Finnigan
IT Security Consultant
PenTest Limited
Office 01565 830 990
Fax 01565 830 889
Mobile 07974 087 885
pete.finnigan@pentest-limited.com
www.pentest-limited.com
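The split Buck argues for above (match signatures in real time before the records are stored, then use the stored data for analysis over days to months) can be sketched in a few dozen lines. The block below is an added illustration written for this archive page; it is not code from the thread, from Pete Finnigan's IDS design, or from Voyeur. The audit records are constructed to look like Oracle audit-trail rows (username, action, object owner and name, return code, timestamp), the three signatures are held in a plain Python dictionary rather than encrypted in a database, and every threshold, account name and object name is an assumption chosen for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records shaped like Oracle audit-trail rows:
# (timestamp, username, action, object owner, object name, return code).
# Return code 0 means success; 1017 stands for ORA-01017 (bad username/password).
AUDIT_RECORDS = [
    ("2001-09-21 09:00:01", "APP_USER", "LOGON", None, None, 0),
    ("2001-09-21 09:00:05", "APP_USER", "SELECT", "HR", "EMPLOYEES", 0),
    ("2001-09-21 09:01:10", "SCOTT", "LOGON", None, None, 1017),
    ("2001-09-21 09:01:12", "SCOTT", "LOGON", None, None, 1017),
    ("2001-09-21 09:01:15", "SCOTT", "LOGON", None, None, 1017),
    ("2001-09-21 09:01:20", "SCOTT", "LOGON", None, None, 0),
    ("2001-09-21 09:02:00", "SCOTT", "SELECT", "PAYROLL", "SALARIES", 0),
    ("2001-09-21 09:03:00", "SYSTEM", "GRANT ROLE", None, "DBA", 0),
    ("2001-09-23 02:15:00", "SCOTT", "SELECT", "PAYROLL", "SALARIES", 0),
]

# Signatures kept as data so they could just as well be rows in a signature
# table. All names and thresholds here are hypothetical.
SIGNATURES = {
    "failed_logon_burst": {"threshold": 3, "window_seconds": 60},
    "sensitive_object_read": {"objects": {("PAYROLL", "SALARIES")},
                              "allowed_users": {"PAYROLL_APP"}},
    "privilege_change": {"actions": {"GRANT ROLE", "GRANT OBJECT", "ALTER USER"},
                         "allowed_users": {"SECADMIN"}},
}

TS_FMT = "%Y-%m-%d %H:%M:%S"


class RealtimeMatcher:
    """Evaluates each record against the signatures as it arrives, before storage."""

    def __init__(self, signatures):
        self.sig = signatures
        # Per-user sliding window of failed-logon timestamps.
        self.failed = defaultdict(deque)

    def feed(self, rec):
        ts_s, user, action, owner, obj, rc = rec
        ts = datetime.strptime(ts_s, TS_FMT)
        alerts = []

        s = self.sig["failed_logon_burst"]
        if action == "LOGON" and rc == 1017:
            q = self.failed[user]
            q.append(ts)
            # Drop failures that fell out of the window.
            while q and ts - q[0] > timedelta(seconds=s["window_seconds"]):
                q.popleft()
            if len(q) >= s["threshold"]:
                alerts.append(("failed_logon_burst", user, ts_s))
                q.clear()  # one alert per burst

        s = self.sig["sensitive_object_read"]
        if action == "SELECT" and (owner, obj) in s["objects"] \
                and user not in s["allowed_users"]:
            alerts.append(("sensitive_object_read", user, ts_s))

        s = self.sig["privilege_change"]
        if action in s["actions"] and user not in s["allowed_users"]:
            alerts.append(("privilege_change", user, ts_s))
        return alerts


def run_realtime(records, signatures):
    """Feed records through the matcher in arrival order; returns every alert raised."""
    m = RealtimeMatcher(signatures)
    alerts = []
    for rec in records:
        alerts.extend(m.feed(rec))
    return alerts


def history_report(alerts, days):
    """Longer-window view over stored alerts: count per (user, signature)
    within the last `days` days, measured back from the newest alert."""
    if not alerts:
        return {}
    latest = max(datetime.strptime(a[2], TS_FMT) for a in alerts)
    cutoff = latest - timedelta(days=days)
    counts = defaultdict(int)
    for name, user, ts_s in alerts:
        if datetime.strptime(ts_s, TS_FMT) >= cutoff:
            counts[(user, name)] += 1
    return dict(counts)


if __name__ == "__main__":
    found = run_realtime(AUDIT_RECORDS, SIGNATURES)
    for a in found:
        print("ALERT", *a)
    print("last 7 days:", history_report(found, 7))
```

The realtime matcher only keeps the small sliding-window state it needs, so it can sit in front of the store; the stored alerts are what the history report reads, which is the part a DBA with access to that store could also tamper with, the point Todd and Pete raise about protecting the IDS data from the people who administer the database.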
This archive was generated by hypermail 2b30 : Sat Sep 22 2001 - 17:41:12 PDT