11i: SQL*Net Encryption Now Certified - Finally

Oracle has finally certified the use of Advanced Security Option/Advanced Network Option for encryption of SQL*Net traffic between the database and application servers.  This certification had been promised for several years.

The Advanced Security Option (ASO) is an optional, extra-cost component of the Oracle Database.  Advanced Networking Option (ANO) is the earlier name of ASO in Oracle 8.0.x, which is still part of an Oracle Applications 11i configuration because Forms, Reports, and Concurrent Manager continue to run from an 8.0.6.3 ORACLE_HOME.

This certification, and encrypting SQL*Net traffic between the application servers and the database, is only relevant for highly secure implementations that require encryption of all network traffic.  The application servers and database should be contained entirely within a secure data center, so encrypting this traffic provides only marginal benefit.  Of more concern are direct SQL*Net connections from application servers deployed in a DMZ, and the direct SQL*Net connections used for administration (DBAs), ad-hoc querying, interfaces, and similar purposes.

Oracle has only certified the use of RC4 (40 or 128) rather than DES, 3DES, or AES.  RC4 is the best performing ASO encryption algorithm.  Implementations that want to comply with FIPS 140 are out of luck as only RC4 is supported.

Performance should be tested before implementing encryption in a production environment: Forms SQL*Net traffic is "chatty" (many small packets), while RC4 performs best on large packet sizes, so encryption could increase CPU utilization on both the database server and the application servers.

The biggest challenge to implementing encryption is the prerequisite of 11.5.10 and 11i.ATG.PF.H RUP3; RUP3 is also the minimum requirement for applying Critical Patch Updates.  In addition, the AutoConfig templates do not appear to support the changes to the SQLNET.ORA file for the 8.0.6.3 ORACLE_HOME, so these changes will have to be reapplied every time AutoConfig is run.

Organizations with stringent security requirements would benefit from a limited deployment that encrypts all direct SQL*Net traffic originating outside the data center, including from application servers deployed in the DMZ.  This configuration encrypts the traffic most at risk and avoids any potential performance issues from encrypting all application server traffic.  ASO can be configured with the ACCEPTED and REQUESTED settings so that only some client connections are encrypted: encryption is not required, but properly configured clients will negotiate it.
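The following is an added example, not code from the post or from Oracle: a small Python check that parses server and client sqlnet.ora fragments, applies Oracle Net's documented encryption negotiation matrix to the SQLNET.ENCRYPTION_SERVER / SQLNET.ENCRYPTION_CLIENT settings (defaults of ACCEPTED and "any installed algorithm" are taken from the Oracle Net documentation, not from this post), and flags any algorithm other than the RC4 variants the post says are certified for 11i. The configuration fragments are constructed for the example.

```python
# Constructed sqlnet.ora fragments: the server is REQUESTED (encryption offered, not
# forced, as the post suggests); the DMZ client forces encryption with REQUIRED.
SERVER_ORA = """
SQLNET.ENCRYPTION_SERVER = requested
SQLNET.ENCRYPTION_TYPES_SERVER = (RC4_128, RC4_40)
"""
DMZ_CLIENT_ORA = """
SQLNET.ENCRYPTION_CLIENT = required   # DMZ application server must encrypt
SQLNET.ENCRYPTION_TYPES_CLIENT = (RC4_128)
"""
MODES = ("REJECTED", "ACCEPTED", "REQUESTED", "REQUIRED")
CERTIFIED_11I = {"RC4_40", "RC4_128"}  # per the post, only RC4 40/128 is certified

def parse_sqlnet(text):
    """Parse KEY = value and KEY = (a, b) lines; '#' starts a comment."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, _, val = line.partition("=")
        val = val.strip().upper()
        if val.startswith("(") and val.endswith(")"):
            val = {v.strip() for v in val[1:-1].split(",") if v.strip()}
        params[key.strip().upper()] = val
    return params

def negotiate(server_mode, client_mode):
    """Outcome per Oracle Net's documented negotiation matrix: ON, OFF or FAIL."""
    assert server_mode in MODES and client_mode in MODES, "unknown encryption mode"
    modes = {server_mode, client_mode}
    if "REJECTED" in modes:
        return "FAIL" if "REQUIRED" in modes else "OFF"
    return "OFF" if modes == {"ACCEPTED"} else "ON"

def check_pair(server_ora, client_ora):
    s, c = parse_sqlnet(server_ora), parse_sqlnet(client_ora)
    outcome = negotiate(s.get("SQLNET.ENCRYPTION_SERVER", "ACCEPTED"),
                        c.get("SQLNET.ENCRYPTION_CLIENT", "ACCEPTED"))
    # An unset TYPES list means "any installed algorithm", so only set lists count.
    listed = [d[k] for d, k in ((s, "SQLNET.ENCRYPTION_TYPES_SERVER"),
                                (c, "SQLNET.ENCRYPTION_TYPES_CLIENT")) if k in d]
    common = set.intersection(*listed) if listed else {"ANY"}
    warnings = []
    if outcome == "ON" and not common:
        warnings.append("no common encryption algorithm")
    uncertified = set().union(*listed) - CERTIFIED_11I
    if uncertified:
        warnings.append("not certified for 11i: " + ", ".join(sorted(uncertified)))
    return outcome, sorted(common), warnings
```

Running `check_pair(SERVER_ORA, "")` shows the REQUESTED server still negotiating encryption with an untouched ACCEPTED client, which is the behaviour the post relies on for a partial deployment.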

References:

Metalink Note ID 391248.1 "Encrypting EBS 11i Network Traffic using Advanced Security Option / Advanced Networking Option"