I have been using Oracle for quite some time but have not maintained
it before until now. My application vendor is not too familiar with
Norton Anti-virus and BrightStor ARCserve Backup Release 11 for
Windows, Agent for Oracle.
All I know is that I've been told to be careful when the database is
running with these 2 applications. May I know what things I
should not do with these applications?
I mean, e.g.,
1) To back up database files, can the files be open since I have the
"Agent for Oracle"? Can I recover if index and data are active during
the backup session?
2) Can the real-time anti-virus be running as well?
Some advice, please.
Thank you
Boon Yiang
> Hi
>
> I have been using Oracle for quite some time but have not maintained
> it before until now. My application vendor is not too familiar with
> Norton Anti-virus and BrightStor ARCserve Backup Release 11 for
> Windows, Agent for Oracle.
>
> All I know is that I've been told to be careful when the database is
> running with these 2 applications. May I know what things I
> should not do with these applications?
>
> I mean, e.g.,
>
> 1) To back up database files, can the files be open since I have the
> "Agent for Oracle"? Can I recover if index and data are active during
> the backup session?
The short answer is probably yes. But the real answer is: you can never
trust a backup regime until you've actually tested it, under all sorts
of failure scenarios, and satisfied yourself that the backups taken with
this tool are usable for recovery.
I know it's not a 'click OK and all will be well' answer, but what
you'll have to do is to read up about backup and recovery principles
(http://tahiti.oracle.com has all the documentation online). Armed with
that understanding, you will be in a position to judge just what exactly
the vendor of this agent is claiming it is capable of doing for you.
And then you must test and verify, test and verify, test and verify
those claims until you are confident your data is safe under pretty much
any scenario you care to throw at it.
A lot of work, but rewarding, and very reassuring.
Anyone who tries to make life simple for you by supplying a quick answer
to your question will not be doing you any favours in the reassurance
stakes.
>
> 2) Can the real-time anti-virus be running as well?
Realtime Antivirus protection, such as Norton Autoprotect, is not a good
idea on an Oracle server of any description, since it will steal memory
and CPU cycles from the database. If you care about performance, disable it.
Bear in mind, Norton Autoprotect is really designed to run on desktop
PCs where users are forever receiving email and loading documents and
executables from unknown sources. In that 'constant use' situation, a
'constant protection agent' is a good idea. But a server is not, one
hopes, receiving and opening email attachments all the time, or forever
having new software from dubious sources installed on it. It probably
lives behind a firewall, too. Of course, a periodic, but manual, running
of an antivirus scanning program might not be a bad idea in a
maintenance moment if you have one. But continual monitoring is not a
good idea for a production system, I think.
Whether or not there are specific adverse interactions between Oracle,
Norton and ARCServer, which is what your vendor might be getting at, I
couldn't say, however. I have run Oracle 8i and 9i on Windows desktop
machines with Norton Autoprotect running, and I've never encountered a
problem. But I've never thrown ARCServer into the mix.
Regards
HJR
Arcserve is a pain in the butt. If you want to use the GUI you will be
forced to use the Oracle 7 Agent and perform a conventional hot
backup.
Arcserve does support RMAN: i.e. you can use the Arcserve tape driver from
RMAN. Arcserve doesn't integrate RMAN into the GUI, and if you choose
to use RMAN you need to run it from a Windoze task scheduler.
And they change the name of this product every few months, and I
should better remain silent about the CA support website. It is a
nightmare. PERIOD.
--
Sybrand Bakker, Senior Oracle DBA
Totally agree on that. CA's support is a nightmare, and the product is a
total piece of crap. I wonder if some ex-msft engineers were used in the
process? Or maybe it was developed offshore?
Have to totally disagree. I saw new server with no AV, no mail,
behind firewall with up-to-date virus protection, get hit within one
day by WelchiaB. Remember, companies with distributed networks and
people synchronizing mail with the outside world have plenty of holes,
and modern worms have some pretty sophisticated engineering.
http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html
Oh, after disinfecting and installing up-to-date virus protection,
WelchiaB came back. It seems to do that commonly, but at least the AV
catches it.
It was difficult to distinguish what was wrong with the server _next_
to it, until its new hard drive actually failed. And people wonder
why I diss the Wintel juggernaut.
jg
--
@home.com is bogus. "Please review the trace files and you will see
the VERY VERY BAD SQL statements issued by the Portal, they are long,
nasty and done way too many times, for example, we think the most
offending code is SELECT 'x' FROM ... used to check for table and
object privileges, this gets called simultaneously by the Parallel Page
Engine and it is a design problem with Oracle Portal and it WON'T
SCALE AT ALL!!! " - quote from Oracle consultants in an old bug
With what? I didn't say "no AV". I said "no continuous AV, but periodic
manual scans".
I don't know whether your comments therefore still apply.
Regards
HJR
My main point, and I've asked before, is why on earth are your database
servers visible? The office network, and all incoming email, and really
everything apart from port 1521 *should* be disconnected from these servers.
It's stupid to have to AV-protect database servers. You should put a
proper security plan into action. Let's face it, we've got enough to do
without worrying about the outside world as well!
Steve.
Well, unless by periodic manual scans you mean you have someone
sitting at every server 24/7 manually scanning, you must have missed
the point. .doc viruses are trivial to create and defend, but
infrastructure attacks are not, and are much more dangerous. Anything
less than continuous monitoring inevitably leads to downtime. And
there is still a problem even with companies dedicated to watching
such attacks propagate and stopping them. Unix is certainly not
immune to such things, but there are large economic, social and
political incentives to go after Windows servers, i.e., spammers
harvesting, criminals blackmailing, and who knows what political
motivations. And some of the worst attacks have been kids trying to
implement the long-discredited notion of a "good virus" that removes
the "bad virus."
Sit down with a network admin sometime and count the knocks on your
door.
jg
--
@home.com is bogus.
Test this out on a test box first.
Back up the databases and OS config files.
Put the Oracle server in a separate subnet, and implement a security
policy on the router in between networks. Block everything inbound
below 1024, except for ssh from trusted hosts.
Stop the Server service, unbind NetBIOS from TCP/IP.
Remove the server from the domain, put it in its own workgroup not
named "WORKGROUP".
Apply a security policy template from cis.org.
Keep stopping services until a netstat -n shows only the Oracle TNS
listener ports (did it on a test box).
This will impact your ability to back up the server, and some antivirus
products have dependencies upon services.
One site that I know of had to re-enable services when they went from
McAfee to TrendMicro, as a local staging server is used that needs
access to the drives via UNC names, hence the Server service was
required.
Here are a few references:
Norberg, Stefan, Securing Windows NT/2000 Servers for the Internet,
O'Reilly, 2001
http://www.oreilly.com/catalog/securwinserv/
Finnigan, Pete, Oracle Security Step-by-Step v1.0, SANS Press, 2003
http://store.sans.org/
Theriault, Marlene, Newman, Aaron, Oracle Security Handbook, Osborne,
2001
http://shop.osborne.com/cgi-bin/osborne/0072133252.html
Various, Securing Windows 2000 Step-by-Step v1.5, SANS Press, 2001
http://store.sans.org/
Internet Security Systems, Windows 2000 Security Technical Reference,
Microsoft Press, 2000
Windows Security Scoring Tool Implementation Guide, Center for
Internet Security v2.1.3, 2002
http://www.cis.org
Secure Configuration Guide for Oracle 9i R2
http://otn.oracle.com
hth.
Pd
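As an added example (not from Paul's post, nor from any of the products or references he names), a small Python check for his last hardening step: parse the output of `netstat -an` and report every bound socket other than the Oracle TNS listener port. The netstat output below is constructed for the example; the allowed port list (1521) is an assumption you would adjust to your listener configuration.

```python
import re

# Constructed sample of `netstat -an` output from a Windows host, not
# captured from any real server: RPC (135), SMB (445) and NetBIOS
# (137/138/139) are still bound alongside the TNS listener on 1521.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1521           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:139           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:1521          10.0.0.20:3456         ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    10.0.0.5:138           *:*
"""

# One netstat row: protocol, local ip:port, foreign address, optional state.
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def listening_sockets(netstat_output):
    """Return (proto, local_ip, port) for every socket that accepts
    inbound traffic: TCP rows in LISTENING state, and every UDP row
    (netstat prints no state for UDP, so any bound UDP port counts)."""
    found = []
    for line in netstat_output.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, blank line, or something we do not parse
        proto, ip, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # established/closing connections are not listeners
        found.append((proto, ip, int(port)))
    return found


def unexpected_listeners(netstat_output, allowed_tcp=(1521,)):
    """Everything still bound that is not an allowed TCP port (by
    assumption only the TNS listener). Sorted so the report is stable."""
    return sorted(s for s in listening_sockets(netstat_output)
                  if not (s[0] == "TCP" and s[2] in allowed_tcp))


if __name__ == "__main__":
    # On a real box: pipe `netstat -an` into this script instead.
    for proto, ip, port in unexpected_listeners(SAMPLE_NETSTAT):
        print(f"still open: {proto} {ip}:{port}")
```

An empty report means the box has reached the state Paul describes; each remaining line names a service still to stop or unbind, and the UDP NetBIOS ports will not go away until NetBIOS over TCP/IP is disabled.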
Hi Paul,
I _think_ you're agreeing with me? Thanks for the references, although
most of my customers are more interested in Solaris, HP-UX, Linux and TRU64!
My main point was 'why are these Oracle database servers visible to the
internet?' If you're making any of the data public, it is surely on your
terms, via some middleware.
If your server is not visible, then you don't need antivirus software.
Why should it be? It's a database server, and doesn't need even to
receive email.
If you've got problems with integrating with the office backup, then
install a local tape drive/provide one way access to a SAN.
I know that the points I'm making are much simpler and far more obvious
when you're looking after a large Oracle site, but if your business is
data driven (as most are), then what cost is the loss of its core?
I know that this approach works, as I've implemented it in a number of
companies already, including some using Windoze servers. It's all about
priorities, and hoping to change those of the customer _before_ the
catastrophe occurs.
Steve
Although.... there are two typical virus patterns: one comes in on email, one
attacks an open port.
Oracle servers shouldn't be checking email, and open ports...well, what
were you thinking having open ports :-)
--
Connor McDonald
Co-author: "Mastering Oracle PL/SQL - Practical Solutions"
ISBN: 1590592174
web: http://www.oracledba.co.uk
web: http://www.oaktable.net
email: connor_...@yahoo.com
Coming Soon! "Oracle Insight - Tales of the OakTable"
"GIVE a man a fish and he will eat for a day. But TEACH him how to fish,
and...he will sit in a boat and drink beer all day"
------------------------------------------------------------
Well, yeah, but the typical AV product doesn't distinguish between
viruses and worms for the user.
>
> Oracle servers shouldn't be checking email, and open ports...well, what
> were you thinking having open ports :-)
OK, once you bring in the open port argument, you have to deal with
two possible situations: Someone is manually responsible for
configuring the ports, or a program is responsible. As regards the
latter, someone programmed the program.
So either way, there _will_ be error. It only takes one error
anywhere on a network, _including places configurable by users_. And
given that virus writers now working with spammers can get into a
network through mere email (without even clicking on it) or web
browsing (must have java enabled these days to do anything useful),
the error can come from anywhere. http://www.sans.org/top20/ - Most
places have not even bothered looking at such a list until something
happens.
Note also that router manufacturers have been compromised, and check
out the last question at
http://download-west.oracle.com/docs/cd/B10464_02/web.904/b10381/faq.htm#sthref1778
So you have to run AV on Windows servers if your business accesses the
outside world. If it doesn't, well, I think the Amish are hiring :-)
jg
--
@home.com is bogus. "Linux has been the victim of fewer attacks than
Windows because (1) it actually is more secure, but also (2) most
attackers think hitting Windows offers a bigger bang for the buck so
Windows simply gets attacked more. As I did 20 years ago, I still
fervently believe that the only way to make software secure, reliable,
and fast is to make it small. Fight Features." - Andy Tanenbaum
Er, actually you missed infections by visiting web sites.
Also keep in mind that Oracle now has a mailer that sits inside the Oracle
database. Not to mention the Java mail package which you can also load into the
Oracle server.
I'm sure I missed all sorts of possible sources of infection. All of which
tend to require user activity of some sort. None of which would therefore
apply to a server.
> also keep in mind that oracle now has a mailer that sits inside the oracle
> database.
"Mailer". Hmmm.... One who mails. Not one who *receives* mails, opens them
and executes their attachments. Bit of a different issue.
> not to mention Java mail package which you can also load into the
> oracle server.
Whatever. We could go round the maypole on this one for ever.
I have 8 servers here that do not have any continuous antivirus monitoring
(weekly full scans, however, do take place). I have a proxy server that is
the only way out to the rest of the world, and it's anti-virused up to its
eyeballs, firewalled, and monitors everything on the (very slow telephone!)
wire in real time. Every client machine is similarly encumbered. I haven't
had anything affect those servers yet (3 years and counting).
YMMV, of course. And if you wanted to implement auto-protect to give added
peace of mind and, who knows, added actual protection, then go ahead and do
it (but don't claim "it can't do any harm", because the best auto-protect
tools take 5% or more of CPU time, which isn't nothing and is therefore
something: a direct cost you need to be aware of).
Regards
HJR
Actually, I've found when dealing with O support they often want files
uploaded from the server. I realize that one can share the given
directory to another computer and upload while networked from there,
but that opens the server up to the outside-the-server. Anyways, I
usually upload directly from the server, and I bet most people do.
I'm sure O is better secured than most sites, but once you are looking
at them, you are doing user activity. Not to mention looking at cdos
while keeping an eye on OUI ;-)
>
> > also keep in mind that oracle now has a mailer that sits inside the oracle
> > database.
>
> "Mailer". Hmmm.... One who mails. Not one who *receives* mails, opens them
> and executes their attachments. Bit of a different issue.
Good point. But I still see people wanting to upload data from mail.
>
> > not to mention Java mail package which you can also load into the
> > oracle server.
>
> Whatever. We could go round the maypole on this one for ever.
>
> I have 8 servers here that do not have any continuous antivirus monitoring
> (weekly full scans, however, do take place). I have a proxy server that is
> the only way out to the rest of the world, and it's anti-virused up to its
> eyeballs, firewalled, and monitors everything on the (very slow telephone!)
> wire in real time. Every client machine is similarly encumbered. I haven't
> had anything affect those servers yet (3 years and counting).
(as an aside, f-prot seems to be a little more proactive than the big
US vendors.)
>
> YMMV, of course. And if you wanted to implement auto-protect to give added
> peace of mind and, who knows, added actual protection, then go ahead and do
> it (but don't claim "it can't do any harm", because the best auto-protect
> tools take 5% or more of CPU time, which isn't nothing and is therefore
> something: a direct cost you need to be aware of).
I think some of the difference in mileage in what you and Connor are
saying v. what I've seen may result from whether there is a division
of labor between the OS install and the O install. Since I seem to
attract Windows problems, and have plenty of O and *ix stuff to do, I
don't want to be responsible for Windows installs, and in most places
there is someone else responsible for it who knows much more about it
than I. Oddly enough, the larger the place, it seems more likely that
someone less experienced will do this. The smaller the place, the
more likely someone busy and rushed will do this. Kind of the
downside of the old saw "If you want something done quickly, give it
to a busy person."
I'd be willing to go halfway and say "always put in AV until someone
signs off on a security audit for the server." And of course, the AV
vendors can screw up too, although they appear to have better QC than
most, perhaps due to the "low" level of coding they have to deal with
daily.
But for myself, being noticeably paranoid about it doesn't seem to be
paranoid enough.
jg
--
@home.com is bogus.
"God has a big eraser." - sign on church.
It made me imagine a 16-ton Pink Pearl coming down Terry Gilliam style
on a spammer. *splorch*