How to add and improve security for Oracle 11g Database which is open open publicly?

Question

I just inherited a legacy ERP system on my new job which has Oracle 11g database. ERP is based on Java and Oracle forms. It is so old that it needs IE to run and a specific JRE 8.121 requirement.

So with the current system, users can access the ERP outside the internal network by using the server's public IP. Oracle 11g DB's listener port is open and is forwarded from the router. This is my concern with this setup. It is very easy to connect to the database.

What are possible ways to improve this setup?

Answer 1

Soooo many things that could be done here...

1. Deploy Oracle Connection manager to reverse proxy your database connections: https://pmdba.wordpress.com/2013/12/01/deploying-an-oracle-11gr2-connection-manager/
2. Use a hardening checklist like the DISA Security Technical Implementation Guide for Oracle 11g: https://www.stigviewer.com/stig/oracle_database_11g_instance/, https://pmdba.wordpress.com/2020/03/03/how-to-complete-a-stig-review/
3. Apply all patch set updates for Oracle 11g, and if at all possible upgrade to Oracle 19c as soon as possible. Security patches for 11g will end later this year, and 19c will soon be the only long-term supported version. https://pmdba.wordpress.com/2020/04/28/top-stig-part-3-software-support/
4. Enable auditing and have some sort of monitoring or log file analysis in place so that you can be alerted to any abnormal behavior. https://pmdba.wordpress.com/2013/12/01/real-time-oracle-11g-log-file-analysis/

The keys are to make sure that your database is not directly accessible from a public network, to harden your infrastructure as much as you can, and to have some idea what users are doing at any given time. Don't forget to make sure that your backups are secure, too, and regularly tested/validated to make sure you can recover from them.