NGS Squirrel for Oracle
NGS Squirrel for Oracle is a database vulnerability assessment scanner for Oracle. NGS provides Squirrel tools for several other databases as well.
With NGS Squirrel for Oracle, you can accurately and definitively find weaknesses in your Oracle databases. The application then produces assessment reports in various formats, including txt, rtf, html and others. Squirrel also lets you generate a "fix script" that makes the necessary changes to your database to improve its security posture.
System File Configurations
Required: tnsnames.ora. Edit the file so that it contains an entry for the Oracle instance you are trying to scan, and make sure that the entry matches the instance exactly.
Optional: hosts.txt. Sometimes it is easier to add a hosts entry in this file when you cannot use your DNS server to find the Oracle server. This comes up, for example, with Oracle installed on Windows when Active Directory does not resolve the system name because NGS Squirrel is installed on a machine that is not part of the Active Directory domain.
Also, if it is necessary to disable the listener's protections, open the listener.ora file and comment out the PASSWORDS_<listener_name> and ADMIN_RESTRICTIONS_<listener_name> parameters. Restart the listener, using the reload command (or stop and start) in lsnrctl, for the changes to take effect.
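The two file checks above (that tnsnames.ora carries an entry matching the instance, and whether the listener's PASSWORDS_ and ADMIN_RESTRICTIONS_ parameters are currently active, commented out, or absent) can be done from the command line before a scan and again afterwards to confirm the listener protections were put back. The script below is an added example and is not part of NGS Squirrel; the alias ORCLSCAN, the host db01.example.internal, SID ORCL and listener name LISTENER are constructed sample values written to files in the current directory, and the function names are the example's own.

```shell
#!/bin/sh
# Pre-scan check of the Oracle Net files that a Squirrel scan depends on.
# Added example, not NGS Squirrel code. File contents are constructed samples.

TNSNAMES="${TNSNAMES:-./tnsnames.ora}"
LISTENER_ORA="${LISTENER_ORA:-./listener.ora}"

# Write constructed sample files: one tnsnames.ora alias for the instance to
# scan, and a listener.ora with both protections still enabled.
write_sample_files() {
  cat > "$TNSNAMES" <<'EOF'
ORCLSCAN =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = db01.example.internal)(PORT = 1521))
    (CONNECT_DATA = (SID = ORCL))
  )
EOF
  cat > "$LISTENER_ORA" <<'EOF'
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = db01.example.internal)(PORT = 1521))
    )
  )
PASSWORDS_LISTENER = (0A1B2C3D4E5F6071)
ADMIN_RESTRICTIONS_LISTENER = ON
EOF
}

# Print "HOST PORT SID-or-SERVICE_NAME" for a tnsnames.ora alias so it can be
# compared against the real instance. Returns 1 if the alias is not defined.
tns_descriptor() {
  # Collect the alias body: from "ALIAS =" up to the next top-level alias.
  blk=$(awk -v a="$1" '
    $0 ~ ("^" a "[[:space:]]*=") { inblk = 1; next }
    inblk && /^[A-Za-z0-9_.]+[[:space:]]*=/ { inblk = 0 }
    inblk { print }
  ' "$TNSNAMES" | tr -d ' \t\n')
  [ -n "$blk" ] || return 1
  host=$(printf '%s' "$blk" | sed -n 's/.*(HOST=\([^)]*\)).*/\1/p')
  port=$(printf '%s' "$blk" | sed -n 's/.*(PORT=\([^)]*\)).*/\1/p')
  sid=$(printf '%s' "$blk" | sed -n 's/.*(SID=\([^)]*\)).*/\1/p; s/.*(SERVICE_NAME=\([^)]*\)).*/\1/p')
  printf '%s %s %s\n' "$host" "$port" "$sid"
}

# State of a listener.ora parameter such as PASSWORDS_LISTENER or
# ADMIN_RESTRICTIONS_LISTENER: "active", "commented" or "absent".
# Oracle parameter names are case-insensitive, hence grep -i.
listener_param_state() {
  param="$1_$2"
  if grep -Eiq "^[[:space:]]*${param}[[:space:]]*=" "$LISTENER_ORA"; then
    echo active
  elif grep -Eiq "^[[:space:]]*#[[:space:]]*${param}[[:space:]]*=" "$LISTENER_ORA"; then
    echo commented
  else
    echo absent
  fi
}

# One-line summary for an alias and listener name.
prescan_report() {
  desc=$(tns_descriptor "$1") || { echo "alias $1 not found in $TNSNAMES"; return 1; }
  echo "tnsnames: $1 -> $desc"
  echo "listener: PASSWORDS_$2=$(listener_param_state PASSWORDS "$2")" \
       "ADMIN_RESTRICTIONS_$2=$(listener_param_state ADMIN_RESTRICTIONS "$2")"
}

# Demo on the constructed samples.
write_sample_files
prescan_report ORCLSCAN LISTENER
```

Run it once before editing listener.ora (both parameters should report "active"), once before the scan ("commented"), and once after lsnrctl reload following the restore of the original lines ("active" again). Point TNSNAMES and LISTENER_ORA at the real files under ORACLE_HOME/network/admin instead of the samples.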
Application Configuration
Set up the Oracle authentication (user, password and instance) in the Scan Settings Authentication window. The username is the Oracle DBA account, the password is that account's password, and the instance is the database you want scanned.
Next, set up the ODBC type. Choose ORACLE_HOME. Microsoft is the other option; it is still not clear why this item is here, and as of this update NGS has yet to fix the help settings. The setting seems straightforward, but because there are two options and the default is Microsoft, it can be misleading.
In addition to the above steps, you may have to hard-code the database to be scanned. For instance, if the listener is password protected, a hard-coded instance avoids having to ask the listener which databases are on the given server. Therefore, hard-coding is the only way to scan Oracle without disabling the listener protections.
Todo / Notes / Caveats:
External Links: