1

I heard database links are bad for organizations to use. Why is it bad for security?

wolφi
  • 8,091
  • 2
  • 35
  • 64
Jordan Ardakanian
  • 79
  • 2
  • 6
  • 1
    What is a database link? – greenapps Oct 03 '16 at 21:16
  • @greenappsIts what helps you to connec from one server to the other – mfredy Oct 03 '16 at 21:27
  • 3
    The biggest security risk with database links is incompetence. An inept setup may, for example, grant DBA privileges to all public users. In some large organizations, to prevent such situations (which are much more likely to be caused by incompetence than by deliberate malfeasance), there is a blanket prohibition of db links. Period, end of discussion. Quite common. –  Oct 03 '16 at 21:51
  • Encrypted data transfer between remote databases is something to think of. But the same applies for client server connections. – sers Oct 04 '16 at 08:18

2 Answers2

6

Where did you hear this?

Database links, like any tool, have their uses and misuses. There is nothing inherently insecure about using a database link. But there are certainly plenty of ways to architect a system using database links that is insecure.

A database link lets you connect one database to another. Broadly speaking, you can define the database link so that it connects to the remote database as a specific fixed user on the remote database or you can define the database link so that it connects to the remote database as the current user. Those configurations have different issues.

If you use a fixed user, you have to be careful that the users that can access the local database link ought to have access to whatever privileges the remote database user has. If you use a relatively powerful account to create the database link but then give access to that link to relatively low-privilege users, that can certainly be a security issue. It can also be challenging to identify situations of concern where this has taken place because no single database has the whole picture. If user Bob on database A has read-only access to a couple of tables but there is a public database link on A that connects to database B as a highly privileged user, someone that compromises Bob's account the ability to execute commands on B as that highly privileged user. Of course, you can mitigate these issues by not creating database links as highly privileged users, taking care when creating public database links, creating private database links when the fixed user is going to have privileges that you don't want to grant to everyone, etc.

If you use current user database links, then the user Bob on database A connects to database B as Bob and has whatever privileges Bob does on database B. In general, that is likely to be easier to secure. It's at least much harder to unintentionally do something stupid. The downside to this approach, however, is that Bob would need to keep his password synchronized on both databases or the database link won't work. That generally involves developing a bit of infrastructure to allow Bob to reset his password on all databases (or use some sort of external authentication) which is a bit of work to set up and maintain. Occasionally, it will also limit what security measures the DBA can configure when you have a mixed environment. When you upgraded database A to 11.2, for example, you probably wouldn't want to enable case-sensitive passwords until database B was similarly upgraded. If you have lots of database links between lots of systems on very different upgrade schedules, this sort of thing might be concerning.

Justin Cave
  • 227,342
  • 24
  • 367
  • 384
1

Some years back there was a significant bug where the "System Change Number" could be pushed ahead on a database and this would follow through to any database connected via a database link, resulting in a cascade of failures. Depending on how risk averse the organisation is, it can be a sensible precaution to keep databases isolated from each othe and reduce the effect of any 'outbreak'.

"Where this vulnerability gets interesting is that the SCN is synchronized to the highest SCN when two databases are connected via a database link. Therefore, it is possible to increase a database to the near maximum SCN through a database link, which will cascade through to all other interconnected databases. The result can be ORA-600 errors and potentially database crashes on the database with the lower SCN."

https://www.integrigy.com/oracle-security-blog/critical-oracle-database-bug-system-change-number-scn-cve-2012-0082

Gary Myers
  • 34,963
  • 3
  • 49
  • 74