
The DBMS must utilize approved cryptography when passing authentication data for remote access sessions.


Overview

Finding ID: V-61547
Version: O121-C2-001200
Rule ID: SV-76037r1_rule
IA Controls: none listed
Severity: Medium
Description
Remote access is any access to an organizational information system by a user (or an information system) communicating through an external, non-organization-controlled network (e.g., the Internet). Examples of remote access methods include dial-up, broadband, and wireless. Remote network access is accomplished by leveraging common communication protocols and establishing a remote connection. These connections will typically occur over either the Internet or the Public Switched Telephone Network (PSTN). Since neither of these internetworking mechanisms is private or secure, if cryptography is not used, the session data traversing the remote connection could be intercepted and compromised. Cryptography provides a means to secure the remote connection and prevent unauthorized access to the data traversing it, thereby providing a degree of confidentiality. The encryption strength of the mechanism is selected based on the security categorization of the information traversing the remote connection. Logon/account information can be compromised if authentication data passed over a public network is not secured via approved cryptography. This can result in unauthorized access to the database.
STIG: Oracle Database 12c Security Technical Implementation Guide
Date: 2015-12-21

Details

Check Text ( C-62419r1_chk )
Review settings to determine if DBMS is configured to accept remote connections. (Note that "remote" means "from outside the DoD Information Network (DoDIN)", and connections via approved Virtual Private Networks (VPNs) are considered to be inside the DoDIN.) If the DBMS is not configured to accept remote connections, this is not a finding.

Check DBMS settings to determine whether the authentication data for remote connections is being encrypted with approved cryptography. If authentication data for remote connections is not being encrypted with approved cryptography, this is a finding.

To check that network encryption is enabled and using site-specified encryption procedures, look in SQLNET.ORA located at $ORACLE_HOME/network/admin/sqlnet.ora. If encryption is set, entries like the following will be present:
SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT= (SHA384)
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER= (SHA384)
SQLNET.ENCRYPTION_TYPES_CLIENT= (AES256)
SQLNET.ENCRYPTION_TYPES_SERVER= (AES256)
SQLNET.CRYPTO_CHECKSUM_CLIENT = requested
SQLNET.CRYPTO_CHECKSUM_SERVER = required

To list the supported encryption algorithms, crypto-checksums, and authentication methods, execute the adapters command (in Unix):
$adapters
................................................................................
Installed Oracle Advanced Security options are:
RC4 40-bit encryption
RC4 56-bit encryption
RC4 128-bit encryption
RC4 256-bit encryption
DES40 40-bit encryption
DES 56-bit encryption
3DES 112-bit encryption
3DES 168-bit encryption
AES 128-bit encryption
AES 192-bit encryption
AES 256-bit encryption
MD5 crypto-checksumming
SHA-1 crypto-checksumming
Kerberos v5 authentication
RADIUS authentication
To obtain this information in Windows, open Oracle Net Manager.

(Note that because of changes in Oracle licensing policy, it is no longer necessary to purchase Oracle Advanced Security to use network encryption and advanced authentication.)
Fix Text (F-67463r1_fix)
If the database accepts remote connections but is not authenticating using approved cryptography, modify SQLNET.ORA to enable encryption, using an approved algorithm.

The strength requirements are dependent upon data classification.

For unclassified data, where cryptography is required:
AES 128 for encryption
SHA 256 for hashing

NSA has established the Suite B encryption requirements for protecting National Security Systems (NSS) as follows:
AES 128 for Secret
AES 256 for Top Secret
SHA 256 for Secret
SHA 384 for Top Secret

National Security System is defined as:
(OMB Circular A-130) Any telecommunications or information system operated by the United States Government, the function, operation, or use of which (1) involves intelligence activities; (2) involves cryptologic activities related to national security; (3) involves command and control of military forces; (4) involves equipment that is an integral part of a weapon or weapons system; or (5) is critical to the direct fulfillment of military or intelligence missions, but excluding any system that is to be used for routine administrative and business applications (including payroll, finance, logistics, and personnel management applications).

The following table summarizes the combinations of parameters for desired behavior on client and server:

Desired behavior - Client   Desired behavior - Server   Encryption
-------------------------   -------------------------   ----------------
ACCEPTED                    REJECTED                    OFF
REQUESTED                   REJECTED                    OFF
REQUIRED                    REJECTED                    Connection fails
REJECTED                    ACCEPTED                    OFF
ACCEPTED                    ACCEPTED                    OFF
REQUESTED                   ACCEPTED                    ON
REQUIRED                    ACCEPTED                    ON
REJECTED                    REQUESTED                   OFF
ACCEPTED                    REQUESTED                   ON
REQUESTED                   REQUESTED                   ON
REQUIRED                    REQUESTED                   ON
REJECTED                    REQUIRED                    Connection fails
ACCEPTED                    REQUIRED                    ON
REQUESTED                   REQUIRED                    ON
REQUIRED                    REQUIRED                    ON

Set the SQLNET.ORA to the site-specific requirements as in this example:

SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT= (SHA384)
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER= (SHA384)
SQLNET.ENCRYPTION_TYPES_CLIENT= (AES256)
SQLNET.ENCRYPTION_TYPES_SERVER= (AES256)
SQLNET.CRYPTO_CHECKSUM_CLIENT = requested
SQLNET.CRYPTO_CHECKSUM_SERVER = required
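The following script is an added example, not part of the STIG or of any Oracle tooling. It implements the check described above: it parses simple KEY = value lines from a sqlnet.ora file, applies the client/server negotiation table from the Fix Text to the ENCRYPTION and CRYPTO_CHECKSUM behaviour parameters, and flags any algorithm list containing something outside the approved set. The approved sets are an assumption derived from the algorithms the Fix Text names (AES128/192/256, SHA256/384); the sqlnet.ora fragments are constructed samples; and the script assumes Oracle's documented default of ACCEPTED when a behaviour parameter is absent, and that an absent *_TYPES_* parameter means every installed algorithm is eligible for negotiation.

```python
"""Evaluate an Oracle sqlnet.ora against the network-encryption check on this page.

Added example; assumptions are noted in comments and are not from the STIG text.
"""
import re

# Algorithm names the Fix Text lists as approved (assumption: extend per site policy).
APPROVED_ENCRYPTION = {"AES128", "AES192", "AES256"}
APPROVED_CHECKSUM = {"SHA256", "SHA384"}

# Oracle's documented default when an ENCRYPTION_* or CRYPTO_CHECKSUM_* behaviour
# parameter is missing from sqlnet.ora.
DEFAULT_BEHAVIOR = "ACCEPTED"

# Matches top-level "KEY = value" lines only; nested structures such as
# WALLET_LOCATION = (SOURCE = ...) are deliberately skipped.
_PARAM_RE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=\s*(.*?)\s*$")


def parse_sqlnet(text: str) -> dict:
    """Return {PARAMETER: value} for simple KEY = value lines; '#' comments are ignored."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = _PARAM_RE.match(line)
        if m:
            params[m.group(1).upper()] = m.group(2)
    return params


def parse_algorithm_list(value: str) -> list:
    """Turn '(AES256, AES192)' into ['AES256', 'AES192']; a bare 'AES256' also works."""
    return [a.strip().upper() for a in value.strip("() ").split(",") if a.strip()]


def negotiate(client: str, server: str) -> str:
    """Outcome of the ACCEPTED/REJECTED/REQUESTED/REQUIRED negotiation as tabulated
    in the Fix Text: 'ON', 'OFF' or 'Connection fails'."""
    sides = {client.upper(), server.upper()}
    if "REJECTED" in sides and "REQUIRED" in sides:
        return "Connection fails"
    if "REJECTED" in sides or sides == {"ACCEPTED"}:
        return "OFF"
    return "ON"


def evaluate_sqlnet(text: str) -> list:
    """Return a list of finding strings; an empty list means the file passes this check."""
    p = parse_sqlnet(text)
    findings = []
    for family, approved in (("ENCRYPTION", APPROVED_ENCRYPTION),
                             ("CRYPTO_CHECKSUM", APPROVED_CHECKSUM)):
        client = p.get(f"SQLNET.{family}_CLIENT", DEFAULT_BEHAVIOR)
        server = p.get(f"SQLNET.{family}_SERVER", DEFAULT_BEHAVIOR)
        outcome = negotiate(client, server)
        if outcome != "ON":
            findings.append(f"{family}: client={client.upper()} server={server.upper()} -> {outcome}")
        for side in ("CLIENT", "SERVER"):
            key = f"SQLNET.{family}_TYPES_{side}"
            if key not in p:
                findings.append(f"{key} not set; every installed algorithm is eligible for negotiation")
                continue
            bad = [a for a in parse_algorithm_list(p[key]) if a not in approved]
            if bad:
                findings.append(f"{key} lists unapproved algorithm(s): {', '.join(bad)}")
    return findings


# Constructed sqlnet.ora fragments (not taken from any real host).
PAGE_EXAMPLE = """\
SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT= (SHA384)
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER= (SHA384)
SQLNET.ENCRYPTION_TYPES_CLIENT= (AES256)
SQLNET.ENCRYPTION_TYPES_SERVER= (AES256)
SQLNET.CRYPTO_CHECKSUM_CLIENT = requested
SQLNET.CRYPTO_CHECKSUM_SERVER = required
"""

# Same file with the encryption behaviour parameters added.
HARDENED = PAGE_EXAMPLE + """\
SQLNET.ENCRYPTION_CLIENT = requested
SQLNET.ENCRYPTION_SERVER = required
"""

# A deliberately weak server-side file: default behaviour, legacy algorithms.
WEAK = """\
SQLNET.ENCRYPTION_SERVER = accepted          # the default, spelled out
SQLNET.ENCRYPTION_TYPES_SERVER = (RC4_128, AES256)
SQLNET.CRYPTO_CHECKSUM_SERVER = required
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (MD5)
"""

if __name__ == "__main__":
    for name, cfg in (("page example", PAGE_EXAMPLE), ("hardened", HARDENED), ("weak", WEAK)):
        result = evaluate_sqlnet(cfg)
        print(f"[{name}] {'PASS' if not result else 'FINDINGS'}")
        for f in result:
            print("   -", f)
```

Run against the page's own example, the script reports one finding: only the CRYPTO_CHECKSUM behaviour parameters are set, so SQLNET.ENCRYPTION_CLIENT and SQLNET.ENCRYPTION_SERVER fall back to Oracle's default of ACCEPTED, and the table above gives OFF for that pairing. Adding SQLNET.ENCRYPTION_SERVER = required (as in the HARDENED sample) closes it. When reviewing a server, treat the client value as unknown, since remote clients carry their own sqlnet.ora: with the server side set to REQUIRED, every row of the table yields either ON or a failed connection, so no unencrypted session can be negotiated.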