Security concern from a newbie--please help to explain

Installation and support for Oracle DB on CentOS.
Post Reply
Paddyman
Posts: 6
Joined: 2007/03/03 06:37:07

Security concern from a newbie--please help to explain

Post by Paddyman » 2007/03/03 07:41:03

Hello,
I am very new to the Linux world and CentOS in particluar. I would like to install CentOS 4.4 in my Desktop at home and then install oracle9i on it for practice purposes. In the cause of reading the online HOWTO, I came across about 2 articles clearly stipulating that the Firewall, SELinux and Automatic DHCP must be disable.

http://www.idevelopment.info/data/Oracle/DBA_tips/Linux/LINUX_12.shtml#Installing%20CentOS%204.0%20Enterprise%20Linux

Now my question is: I am using a cable modem to access the internet and I am using my Desktop frequently to access the Internet too. Would this not be too much of a risk for me to bear?
Will I still be protected from hackers (in and out bound protection)or worms, viruses etc if I disable the Firewall, SELinux and Automatic DHCP? My question might sound stupid or silly to professionalsor people who are familier with Linux security but I'm just being cautious and careful therby learning some thing new.
I would really much appreciate any body's time for any explanation in the aformentioned concerned.
Thank you all.

pjwelsh
Posts: 2598
Joined: 2007/01/07 02:18:02
Location: Central IL USA

Security concern from a newbie--please help to explain

Post by pjwelsh » 2007/03/03 20:23:13

Great question! Frequently, we are faced with this kind of delima. Oracle is not the only software that would rather you just disable SELinux than helping to keep it active. Having said that, the "targeted" policy does NOT enable full MAC (maditory access control). Instead, you end up with some programs that will fall under SELinux suppervision (like httpd). So, that make it better for other things like Oracle. See info on SELinux for RHEL4 at http://linux.web.cern.ch/linux/scientific4/docs/rhel-selg-en-4/

Many times the firewalling can be kept in place *IF* you know a bit more about what the is wanting to do. Sometimes you can *just* run the app bound to "localhost" and not have to worry about extra rules. So, if you can bind Oracle to localhost or to your inside interface, you are in pretty good shape still. Naturally, you should minimize the outward facing daemons/apps that could be subverted. So, you will need to get familiar with the "netstat" command. Commands like "netstat -tP" will shown you (t)CP bound programs and the (P)rocess name and PID along with it. This info can be used to help add firewall rules. YMMV.

tessian
Posts: 3
Joined: 2007/01/23 15:30:41
Contact:

Re: Security concern from a newbie--please help to explain

Post by tessian » 2007/03/12 16:58:23

Some people may disagree with me on this, but from an Information Security perspective I've always told people that software firewalls are not necessary if you have a hardware firewall (routers all come with a basic hardware firewall). This, coupled with the security features of a router (PC's connected to router cannot be seen or reached through the internet unless software on that PC initiates contact) make software firewalls more of a hassle than they are worth.

Now that I said this, I will also mention that my experience with software firewalls is almost purely from a Windows environment. I have very little experience with SELinux or Linux firewalls, but I choose not to use it either because most software hates it.

Thought I'd also mention that Automatic DHCP has no impact on security, on or off. Just means if you turn it off you'll have to statically assign an IP.

Just thought I'd throw my opinion in, coming from someone in the info security field.

Post Reply

Return to “CentOS 4 - Oracle Installation and Support”