Anti-virus software on database servers?
Page 1 of 2 12 LastLast
Results 1 to 10 of 12

Thread: Anti-virus software on database servers?

  1. #1
    oldie ric-o's Avatar
    Join Date
    Nov 2002
    Posts
    487

    Anti-virus software on database servers?

    I have a friend who's a database administrator is looking for guidance. He wants to know what the best practices are running anti-virus software on a database server.

    The situation he recently found himself into was the IT department installed McAfee on one of his Oracle database servers and he's concerned (feels) there's been a performance hit. Even worse the install had nothing excluded and was scanning all files, etc.

    I know that there is some AV software that have database server agents...least I've heard they do. But other than the file system I'm just wondering what the threat is and/or point of installing AV to scan the transactions for example.

    Anyone out there have some thoughts, tips, experience with this sort of thing?

  2. #2
    Priapistic Monk KorpDeath's Avatar
    Join Date
    Dec 2001
    Posts
    2,628
    Well, how about an exambple. Lotus Notes is built on the dominoe database and you should certainly have some type of AV on it.

    I guess it depends on what the database is doing....

    Sry bad inet connection

    Norton has an interface for Oracle info store (or something) but it's the same premise...it's for mail.

    I see a pattern forming
    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson

  3. #3
    Senior Member
    Join Date
    Mar 2004
    Posts
    557
    Hi

    There are two best-practice advices I can give you. They are,
    as usual, not the only truth, and can be debated. Also, there
    is a dependency on the specific system architecture, as korpdeath
    is pointing out.

    1. scan "on demand" rather than "scheduled".

    ie. scan, as data is created, modified and read (updated signatures).

    Implications: How does the data get to or is read from the database?
    Is the database exposed or is the data processed already "somewhere"
    else? I just want to point out that there is no need to scan the
    data twice if the primary scan (and path to the database servers)
    is trusted.

    2. scan from a dedicated av-server (or av-server farm).

    Personally I think, having the AV on the db-servers is a mediocre
    approach. If the resources are available, dedicate one (or more)
    server for scanning purposes. I found a paper illustrating what I
    mean[1]: look for "scanning pod".

    For more general information, I find this publication[2] a good read.

    Cheers

    [1] http://www.redbooks.ibm.com/redpapers/pdfs/redp4084.pdf
    [2] http://hosteddocs.ittoolbox.com/Database_Security.pdf
    If the only tool you have is a hammer, you tend to see every problem as a nail.
    (Abraham Maslow, Psychologist, 1908-70)

  4. #4
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,178
    I think that sec_ware has some good points.

    I can only speak of my experience using Oracle database servers, where the server was only connected to its clients, so they were the primary attack vector. Sure, there are software updates to the server, but these should go through a dedicated malware scanning box first (we used to call them "sheep-dips" )

    Now, I am assuming that the AV on the clients is the same as on the server, so if anything does get through the client it will also get through the server, so duplicate scanning will achieve nothing and just waste resource. The client side is the key and you should have realtime scanning based on the traditional C.R.U.D matrix (create, read, update, delete).............OK you can forget the "delete"

    Now, given that AV is mostly reactive you then have to plan for the database server getting infected before the pattern/signature files are updated. This is probably better done from a dedicated machine, and can be done when the server is not in use, so performance is no longer an issue. If an infection is detected in the clients, the connection should be pulled, the clients cleaned and the server cleaned.

    There is no point in leaving uninfected clients attached to an infected server of course.

    I think that your friend needs to plan how to use the software a bit more thoroughly, in that regular scans should be done when the clients are not using it.

    Just my 0.02
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  5. #5

    Re: Anti-virus software on database servers?

    Originally posted here by ric-o
    I have a friend who's a database administrator is looking for guidance. He wants to know what the best practices are running anti-virus software on a database server.

    The situation he recently found himself into was the IT department installed McAfee on one of his Oracle database servers and he's concerned (feels) there's been a performance hit. Even worse the install had nothing excluded and was scanning all files, etc.

    I know that there is some AV software that have database server agents...least I've heard they do. But other than the file system I'm just wondering what the threat is and/or point of installing AV to scan the transactions for example.

    Anyone out there have some thoughts, tips, experience with this sort of thing?
    Use one -- it's another layer of defense against dumb admins browsing the web from the server (should never happen), or potentially catch something like Slammer down the line if the server ends up unpatched.

    However, it should also be configured to be unobtrusive -- scanning executables is about it IMO. You should already be really picky about what gets onto a server, and you absolutely don't want it trying to scan backups, transaction logs, the databases themselves etc.

  6. #6
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,178
    @tt!tud3 please check the original post, we are talking about an Oracle Database Server it should not be connected to the internet.

    The attack vector is going to be from clients, possibly via an applications server.

    People should not be uploading executables to it at all.

    Anything that gets to it should already have been scanned, so realtime scanning on the database server is a waste of resource. Unless you are saying that the clients/application servers cannot be trusted ?

    If that is the case then you have a problem elswhere that needs addressing. Database servers are not the place to do it, they are at the bottom of the food chain
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  7. #7
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    One thing I have noticed...is some client side AV will scan network drives by default....

    So what you have is several users...scanning mapped drives to the server....I disable this.

    I am sure your database vendor has recommended procedures for this...as well as the AV software vendor....as to what files to scan...and what files\directories to exclude.

    I am not familiar with Oracle...

    Anything that gets to it should already have been scanned, so realtime scanning on the database server is a waste of resource.
    I totally agree...I do limited..scheduled scans on database servers.

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  8. #8
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    we are talking about an Oracle Database Server it should not be connected to the internet.
    Damn I am in trouble.
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

  9. #9
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,178
    Hi RoadClosed

    Damn I am in trouble
    you sure am honeychile, time to check your CYA model old chap

    As Korpdeath and sec_ware pointed out, it all depends on your particular architecture and deployment.

    However, I was particularly commenting on:

    it's another layer of defense against dumb admins browsing the web from the server
    That should not even be possible from a database server.

    If, for whatever reason you really need to connect via the internet then at least use a secure VPN, stick a webserver or applications server inbetween, but don't leave it exposed. In my opinion, database servers should be in the background and out of the firing line. Hey, the more stuff you have to run on them on top of what their main functionality is the worse your performance is going to be?

    Yeah, Yeah, I know..............it isn't a perfect World, but, as Oscar Wilde observed:

    "We are all lying in the gutter, but some of us are looking up at the stars"



    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  10. #10
    oldie ric-o's Avatar
    Join Date
    Nov 2002
    Posts
    487
    Thanks all for the replys and comments. Good discussion.

    Additional info and response to posts...
    * The db server is NOT directly on the Internet.
    * The db server is on it's own DMZ.
    * The web/app server (which is on the Internet) talking to it can only do so via specific db ports (via firewall rules of course).
    * The db server is not used to surf with and is tightly controlled by IT organization and only specific IT machines have console access (and FTP probably) to it.

    It sounds like the best advise is to install AV on it to protect it from any network-borne attacks...although those could only be possible from an IT admin's machine who is the only machine who has greater access (just RDP or VNC though). So the risk for network attack is pretty low.

    I think the only risk would be possibility via db writes...but how? Is there really a risk here?

    Anyone else have experience with AV on db servers?

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides