6-8 Oracle Secure Backup Installation and Configuration Guide
Automated mode is easier to use but is vulnerable to an unlikely man-in-the-middle
attack in which an attacker takes over the identity (host name or network address) of a host
just before you invite that host to join the domain. The administrative server then issues
the identity certificate to the impersonator, who can use the stolen host identity to join
the domain illicitly. Manual mode is more difficult to use than automated mode, but it is
not vulnerable to this attack, because the signed certificate is delivered out of band and
checked against the host's own pending request on import.
In manual mode, the administrative server does not transmit identity certificate
responses to the host over the network. Instead, you copy the signed identity certificate
to physical media, carry it to the host, and use the obcm utility to import it into the
wallet of the host. On import, obcm verifies that the signed identity certificate matches
the certificate request still pending in the wallet of the host. A verification failure
means that the certificate was issued for a different request, and therefore that a rogue
host most likely attempted to masquerade as this host when it was added. Remove the rogue
host from the network, then reissue the mkhost command so that a fresh request is signed.
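The import-time check described above, as an added example that is not Oracle Secure Backup code: a POSIX shell script that uses openssl in place of the administrative server's certificate authority, the host's wallet and the obcm utility, and that assumes the file names, directory and host names it creates. Both the genuine host and a rogue machine submit a request under the name hostA, and the administrative server signs both. Chain validation against the domain CA passes for both certificates, so the check that actually catches the impersonation is the one the text attributes to obcm: the public key in the certificate carried to the host must equal the public key in the request still pending in that host's own wallet.

```shell
#!/bin/sh
# Added example, not Oracle Secure Backup code: openssl stands in for the
# domain CA on the administrative server, a CSR file stands in for the
# pending request in the host's wallet, and a certificate file stands in
# for what is carried to the host on physical media. All names are assumed.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Administrative server: create the CA that signs identity certificates.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=admin domain CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# A machine generates its key pair and a request claiming to be host $2.
# $1 names the files; it differs from $2 when a rogue machine impersonates.
make_request() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# Administrative server: sign whichever request arrived under that host name.
sign_request() {   # $1 = request, $2 = signed certificate to carry to the host
    openssl x509 -req -in "$1" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 30 -sha256 -out "$2" 2>/dev/null
}

# Chain validation alone: succeeds for any certificate the domain CA signed,
# including one issued to an impersonator.
verify_chain() {   # $1 = certificate
    openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

# The import-time check the text attributes to obcm: accept the carried
# certificate only if its public key is the one in the host's own pending
# request. A mismatch means the CA signed someone else's request.
import_check() {   # $1 = host (file prefix of its pending CSR), $2 = certificate
    req_pub=$(openssl req -in "$WORK/$1.csr" -pubkey -noout)
    crt_pub=$(openssl x509 -in "$2" -pubkey -noout)
    [ -n "$req_pub" ] && [ "$req_pub" = "$crt_pub" ]
}

# Scenario: hostA has a pending request; a rogue machine also submitted a
# request under the name hostA and got it signed. Returns 0 only if the
# genuine certificate is accepted and the rogue one rejected.
demo() {
    make_ca
    make_request hostA hostA
    make_request rogue hostA
    sign_request "$WORK/hostA.csr" "$WORK/hostA.crt"
    sign_request "$WORK/rogue.csr" "$WORK/rogue.crt"
    ok=0
    for c in hostA rogue; do
        chain=FAIL
        verify_chain "$WORK/$c.crt" && chain=OK
        if import_check hostA "$WORK/$c.crt"; then
            echo "$c.crt: chain $chain, key matches hostA's request -> import"
            [ "$c" = hostA ] && ok=$((ok + 1))
        else
            echo "$c.crt: chain $chain, key differs from hostA's request -> reject, run mkhost again"
            [ "$c" = rogue ] && ok=$((ok + 1))
        fi
    done
    [ "$ok" -eq 2 ]
}

demo
```

Run it with sh. Both certificates report chain OK, which is why a host cannot rely on CA signature validation alone; only the comparison with its own pending request rejects rogue.crt, the situation in which the text says to eliminate the rogue host and reissue mkhost.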
If you are considering manual certificate provisioning mode, then you must decide whether
the extra protection it provides is worth the administrative overhead. Automated mode
is safe in single-system and data center environments, because network
communications there are usually isolated.
Automated mode is also safe in the vast majority of corporate network cases. The
corporate network is vulnerable to this man-in-the-middle attack only if the attacker can
insert themselves into the network path between the administrative server and the host
being added, because that is the only place the provisioning traffic can be intercepted
and redirected. Doing so is difficult without the assistance of a rogue employee or an
existing foothold on that network segment.
Manual certificate provisioning mode is recommended if the host being added is
outside the corporate network, because communications with off-site hosts traverse links
that offer more opportunities for interception and diversion.
Trusted Hosts
In Oracle Secure Backup release 10.3, certain hosts in the administrative domain are
assumed to have a higher level of security and are treated as implicitly trusted: the
administrative server and each media server. Oracle Secure Backup classifies these hosts
as trusted hosts. Hosts configured with only the client role are classified as
non-trusted hosts.
Many Oracle Secure Backup operations are reserved for use by trusted hosts, and fail
if performed by a non-trusted host. These operations include:
■ Use of obtar commands
■ Direct access to physical devices and libraries
■ Access to encryption keys
This policy provides an extra level of security against attacks that might originate from
a compromised client system. For example, consider an Oracle Secure Backup
administrative domain with host admin as the administrative server, host media as
See Also:
■ "Managing Certificates with obcm" on page 6-21
■ Oracle Secure Backup Reference for more information on the obcm utility
See Also: "Choosing Secure Hosts for the Administrative and Media Servers" on page 6-6