UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

A DBMS providing remote access capabilities must utilize organization-defined cryptography to protect the confidentiality of data passing over remote access sessions.


Overview

Finding ID Version Rule ID IA Controls Severity
V-61549 O121-C2-001300 SV-76039r1_rule Medium
Description
Remote access is any access to an organizational information system by a user (or an information system) communicating through an external, non-organization controlled network (e.g., the Internet). Examples of remote access methods include dial-up, broadband, and wireless. Remote network access is accomplished by leveraging common communication protocols and establishing a remote connection. These connections will typically occur over either the public Internet or the Public Switched Telephone Network (PSTN). Since neither of these internetworking mechanisms are private nor secure, if cryptography is not used, then the session data traversing the remote connection could be intercepted and compromised. Cryptography provides a means to secure the remote connection to prevent unauthorized access to the data traversing the remote access connection, thereby providing a degree of confidentiality. The encryption strength of mechanism is selected based on the security categorization of the information traversing the remote connection. Databases that accept remote connections must use approved cryptography to prevent disclosure of data being passed via a nonsecure network. If approved cryptography is not used, data can be intercepted or compromised.
STIG Date
Oracle Database 12c Security Technical Implementation Guide 2015-12-21

Details

Check Text ( C-62421r1_chk )
Review settings to determine if DBMS is configured to accept remote connections. (Note that "remote" means "from outside the DoD Information Network (DoDIN)", and connections via approved Virtual Private Networks (VPNs) are considered to be inside the DoDIN.) If the DBMS is not configured to accept remote connections, this is not a finding.

Check DBMS settings to determine whether the authentication data for remote connections is being encrypted with approved cryptography. If authentication data for remote connections is not being encrypted with approved cryptography, this is a finding.

To check that network encryption is enabled and using site-specified encryption procedures, look in SQLNET.ORA located at $ORACLE_HOME/network/admin/sqlnet.ora. If encryption is set, entries like the following will be present:

SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT= (SHA384)
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER= (SHA384)
SQLNET.ENCRYPTION_TYPES_CLIENT= (AES256)
SQLNET.ENCRYPTION_TYPES_SERVER= (AES256)
SQLNET.CRYPTO_CHECKSUM_CLIENT = requested
SQLNET.CRYPTO_CHECKSUM_SERVER = required

To list the supported encryption algorithms, crypto-checksums, and authentication methods, execute the adapters command (in Unix):
$adapters
................................................................................
Installed Oracle Advanced Security options are:
RC4 40-bit encryption
RC4 56-bit encryption
RC4 128-bit encryption
RC4 256-bit encryption
DES40 40-bit encryption
DES 56-bit encryption
3DES 112-bit encryption
3DES 168-bit encryption
AES 128-bit encryption
AES 192-bit encryption
AES 256-bit encryption
MD5 crypto-checksumming
SHA-1 crypto-checksumming
Kerberos v5 authentication
RADIUS authentication
To obtain this information in Windows, open Oracle Net Manager.

(Note that because of changes in Oracle licensing policy, it is no longer necessary to purchase Oracle Advanced Security to use network encryption and advanced authentication.)
Fix Text (F-67465r2_fix)
If the database accepts remote connections but is not using approved cryptography for data transmission, modify SQLNET.ORA to enable encryption, using an approved algorithm.

The strength requirements are dependent upon data classification.

For unclassified data, where cryptography is required:
AES 128 for encryption
SHA 256 for hashing

NSA has established the suite B encryption requirements for protecting National Security Systems (NSS) as follows.
AES 128 for Secret
AES 256 for Top Secret
SHA 256 for Secret
SHA 384 for Top Secret

National Security System is defined as:
(OMB Circular A-130) Any telecommunications or information system operated by the United States Government, the function, operation, or use of which (1) involves intelligence activities; (2) involves cryptologic activities related to national security; (3) involves command and control of military forces; (4) involves equipment that is an integral part of a weapon or weapons system; or (5) is critical to the direct fulfillment of military or intelligence missions, but excluding any system that is to be used for routine administrative and business applications (including payroll, finance, logistics, and personnel management applications).

The following table summarizes the combinations of parameters for desired behavior on client and server:

Desired behavior Desired behavior Encryption
- Client - Server
---------------- ---------------- ------------
ACCEPTED REJECTED OFF
REQUESTED REJECTED OFF
REQUIRED REJECTED Connection fails
REJECTED ACCEPTED OFF
ACCEPTED ACCEPTED OFF
REQUESTED ACCEPTED ON
REQUIRED ACCEPTED ON
REJECTED REQUESTED OFF
ACCEPTED REQUESTED ON
REQUESTED REQUESTED ON
REQUIRED REQUESTED ON
REJECTED REQUIRED Connection fails
ACCEPTED REQUIRED ON
REQUESTED REQUIRED ON
REQUIRED REQUIRED ON

Set the SQLNET.ORA to the site-specific requirements as in this example:

SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT= (SHA384)
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER= (SHA384)
SQLNET.ENCRYPTION_TYPES_CLIENT= (AES256)
SQLNET.ENCRYPTION_TYPES_SERVER= (AES256)
SQLNET.CRYPTO_CHECKSUM_CLIENT = requested
SQLNET.CRYPTO_CHECKSUM_SERVER = required