2.10.2 Network Security Considerations

Before Oracle Exadata arrives at your location, network security considerations should be discussed.

The following considerations are based on Oracle best practices for Oracle Exadata.

  • The use of intrusion prevention systems on database servers to monitor network traffic flowing to and from Oracle Exadata. Such systems enable the identification of suspicious communications, potential attack patterns, and unauthorized access attempts.

  • The use of application and network-layer firewalls to protect information flowing to and from Oracle Exadata. Filtering network ports provides the first line of defense in preventing unauthorized access to systems and services.

    Network-level segmentation using Ethernet virtual local area networks (VLANs), combined with host-based firewalls, enforces inbound and outbound network policy at the host level. Segmentation allows fine-grained control of communications between the components of Oracle Exadata. Oracle Exadata Storage Servers include a configured software firewall by default; the database servers can also be configured with a software firewall.

  • The use of encryption features such as Oracle Advanced Security to encrypt traffic to Oracle Data Guard standby databases.

The security of the data and system is diminished by weak network security. Oracle recommends the following guidelines to maximize your Ethernet network security:

  • Configure administrative and operational services to use encryption protocols and key lengths that align with current policies. Cryptographic services provided by Oracle Exadata benefit from hardware acceleration, which improves security without impacting performance.

  • Manage the switches in Oracle Exadata over a network that is separate from the data traffic. This separation is also referred to as "out-of-band" management.

  • Separate sensitive clusters from the rest of the network by using virtual local area networks (VLANs). This decreases the likelihood that users can gain access to information on these clients and servers.

  • Use a static VLAN configuration.

  • Disable unused switch ports, and assign an unused VLAN number.

  • Assign a unique native VLAN number to trunk ports.

  • Limit the VLANs that can be transported over a trunk to only those that are strictly required.

  • Disable VLAN Trunking Protocol (VTP), if possible. If it is not possible, then set the management domain, password and pruning for VTP. In addition, set VTP to transparent mode.

  • Disable unnecessary network services, such as TCP small servers or HTTP. Enable only necessary network services, and configure these services securely.

  • Network switches offer different levels of port security features. Use these port security features if they are available:

      • Lock the Media Access Control (MAC) address of one or more connected devices to a physical port on a switch. If a switch port is locked to a particular MAC address, then super users cannot create back doors into the network by attaching rogue access points.

      • Disable a specified MAC address from connecting to a switch.

      • Use each switch port's direct connections so that the switch can set security based on the devices currently connected to it.
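The VLAN, trunk, VTP and port-security guidelines above are easy to state and easy to let drift in a running switch. The following audit script is an added example (not Oracle code, and not part of this guide) that parses a Cisco-IOS-style configuration and reports the deviations a reviewer would look for: VTP not in transparent mode, trunks on the default native VLAN 1 or carrying every VLAN, unused ports left up or not parked on a dedicated VLAN, and active access ports without port security. The configuration text, the interface names, the "unused" description keyword used to identify spare ports, and the parking VLAN 999 are all constructed assumptions for the example.

```python
"""Audit an IOS-style switch config against VLAN and port-security guidelines.
Added example; the configuration below is constructed, not a real device."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

UNUSED_VLAN = 999  # assumed "parking" VLAN for disabled ports (constructed)

# Constructed sample: one hardened access port, one forgotten spare port,
# one correctly parked spare port, and one trunk left at defaults.
SAMPLE_CONFIG = """\
vtp mode server
vtp domain exadata-mgmt
!
interface GigabitEthernet1/0/1
 description db01 client
 switchport mode access
 switchport access vlan 110
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
!
interface GigabitEthernet1/0/2
 description unused
 switchport mode access
 switchport access vlan 1
!
interface GigabitEthernet1/0/3
 description unused
 switchport mode access
 switchport access vlan 999
 shutdown
!
interface GigabitEthernet1/0/24
 description uplink trunk
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan all
!
"""


@dataclass
class Interface:
    name: str
    lines: List[str] = field(default_factory=list)

    def value(self, prefix: str) -> str:
        """Return the remainder of the first line starting with prefix, or ''."""
        for line in self.lines:
            if line.startswith(prefix):
                return line[len(prefix):].strip()
        return ""


def parse_config(text: str) -> Tuple[List[str], List[Interface]]:
    """Split the config into global commands and per-interface blocks."""
    global_lines: List[str] = []
    interfaces: List[Interface] = []
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None          # '!' terminates a block in IOS output
            continue
        if line.startswith("interface "):
            current = Interface(line.split(None, 1)[1])
            interfaces.append(current)
        elif line.startswith(" ") and current is not None:
            current.lines.append(line.strip())
        else:
            current = None
            global_lines.append(line.strip())
    return global_lines, interfaces


def audit(text: str) -> List[Tuple[str, str]]:
    """Return (scope, finding) pairs; an empty list means no deviations."""
    findings: List[Tuple[str, str]] = []
    global_lines, interfaces = parse_config(text)

    # VTP: transparent mode keeps a rogue switch from rewriting the VLAN
    # database; if VTP stays active, at least a domain and password are needed.
    vtp_mode = next((l.split()[-1] for l in global_lines
                     if l.startswith("vtp mode")), "server")  # IOS default
    if vtp_mode != "transparent":
        findings.append(("global", f"VTP mode is '{vtp_mode}', expected 'transparent'"))
        if not any(l.startswith("vtp password") for l in global_lines):
            findings.append(("global", "VTP enabled without a password"))
        if not any(l.startswith("vtp domain") for l in global_lines):
            findings.append(("global", "VTP enabled without a management domain"))

    native_vlans: Dict[str, List[str]] = {}
    for intf in interfaces:
        mode = intf.value("switchport mode")
        unused = "unused" in intf.value("description").lower()  # assumed convention
        shut = "shutdown" in intf.lines

        if mode == "trunk":
            native = intf.value("switchport trunk native vlan") or "1"
            if native == "1":
                findings.append((intf.name, "trunk uses default native VLAN 1"))
            native_vlans.setdefault(native, []).append(intf.name)
            allowed = intf.value("switchport trunk allowed vlan")
            if allowed in ("", "all"):
                findings.append((intf.name, "trunk transports all VLANs; restrict the allowed list"))
        elif mode == "access":
            vlan = intf.value("switchport access vlan") or "1"
            if unused:
                if not shut:
                    findings.append((intf.name, "unused port is not shut down"))
                if vlan != str(UNUSED_VLAN):
                    findings.append((intf.name, f"unused port is on VLAN {vlan}, not parking VLAN {UNUSED_VLAN}"))
            elif not shut and "switchport port-security" not in intf.lines:
                findings.append((intf.name, "active access port without port security"))

    # Each trunk should carry its own native VLAN number.
    for vlan, names in native_vlans.items():
        if len(names) > 1:
            findings.append((", ".join(names), f"native VLAN {vlan} shared by several trunks"))
    return findings


if __name__ == "__main__":
    for scope, message in audit(SAMPLE_CONFIG):
        print(f"{scope}: {message}")
```

Run against the sample, the script reports the VTP mode and missing password, the spare port that is still up and sitting on VLAN 1, and the trunk's default native VLAN and unrestricted allowed list; the hardened access port and the parked spare port produce no findings. Feeding it the output of `show running-config` from a real switch is the intended use, with the description keyword and parking VLAN adjusted to the site's own conventions.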