First Steps To Secure Your New ATP Database

Shut The Stable Door Before The Horse Bolts

Introduction

Isn’t it amazing that we live in a time when Oracle will give us free access to their flagship ATP database? With a few clicks in the OCI portal, we can create up to two Autonomous instances, preconfigured with Oracle APEX and accessible in SQL Developer via a wallet. Database upgrades and patching will all be handled for you, along with APEX and ORDS upgrades. We also get up to two Compute instances, along with Object Storage. As developers, we can quickly get our hands on the latest database technology to develop solutions for our companies and customers.

While these tools are free, we must protect them and the data in them from malicious attacks. You may not think this applies to you if you don’t have anything worth protecting in your systems – but even if that’s the case, your cloud network could be hijacked as a vehicle to attack a third party. In the Cloud, we’re all responsible for security. It’s much easier to shut the stable door before the horse bolts.


The ADMIN Password

Before you start logging into APEX and running DDL in the database, you need to take some rudimentary steps to secure access. Start by ensuring that the ADMIN password you entered when creating the ATP database is of sufficient length and complexity.

Oracle requires that the password be 12 to 30 characters and contain at least one uppercase letter, one lowercase letter, and one number. The chart below shows why, and as you can see, longer is better. Make sure your ADMIN password is sufficiently long, complex, and random (please don’t just tack 123 onto the end) to deter brute-force attacks.



Network Access - Day 1

You should restrict access to APEX and the ATP database to internet locations you trust. All IP addresses on the internet are constantly probed for vulnerabilities by third parties.

If you’re the only one planning to use the database, you can lock it down to your own IP address, or you can add a list of trusted addresses. Ideally, you have a static IP address from your internet provider, in which case you can find out what it is using a website such as https://www.iplocation.net.

If your IP address isn’t static, or you expect to use the database from other locations while traveling, you can sign up for a VPN service that provides a fixed exit IP address (or configure your own using OpenVPN) so that you or your team always connect from a consistent address.

Add entries to the Access Control List for your trusted IP addresses:


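The most common mistake when tightening an ACL is leaving your own address out and locking yourself out of the console and SQL Developer. The following is an added example (not code from the original post or from Oracle) that normalises a list of trusted addresses into CIDR form, refuses to proceed unless your current IP is covered, and builds the equivalent OCI CLI call. It assumes the `--whitelisted-ips` parameter of `oci db autonomous-database update` (verify against your CLI version); the OCID is a placeholder and the addresses are constructed samples.

```python
"""Sanity-check an ATP Access Control List before applying it.

Added example, not part of the original post. Assumption: the OCI CLI
accepts `--whitelisted-ips` as a JSON list on `oci db autonomous-database
update`; check `oci db autonomous-database update --help` on your install.
"""
import ipaddress
import json
import shlex


def normalize_acl(entries):
    """Turn a mix of host IPs and CIDR blocks into canonical CIDR strings.

    A bare host address becomes a /32 so the list is unambiguous. strict=True
    rejects entries such as 198.51.100.5/24 whose host bits are set, instead of
    silently widening them to the whole block.
    """
    return [str(ipaddress.ip_network(e.strip(), strict=True)) for e in entries]


def covered_by_acl(client_ip, acl):
    """True if client_ip falls inside at least one ACL entry."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(net) for net in acl)


def build_update_command(db_ocid, acl, my_ip):
    """Return the oci CLI command, refusing if my_ip would be locked out."""
    if not covered_by_acl(my_ip, acl):
        raise ValueError(f"{my_ip} is not in the ACL; applying it would lock you out")
    return (
        "oci db autonomous-database update "
        f"--autonomous-database-id {shlex.quote(db_ocid)} "
        f"--whitelisted-ips {shlex.quote(json.dumps(acl))}"
    )


if __name__ == "__main__":
    # Constructed sample: one home address plus an office /24.
    trusted = ["203.0.113.10", "198.51.100.0/24"]
    acl = normalize_acl(trusted)
    # Placeholder OCID; substitute the real one from the OCI console.
    print(build_update_command("ocid1.autonomousdatabase.oc1..PLACEHOLDER", acl, "203.0.113.10"))
```

Run it with the address reported by the IP lookup site above as `my_ip`; if it raises, fix the list before touching the console.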

You can verify that this prevents access to APEX and the database from untrusted IP addresses:




Summary

Congratulations - you've successfully secured access to your Always Free ATP instance. Your database is only accessible from trusted IP addresses, and you can have fun developing using APEX applications and extensions.

As development proceeds, you may want your APEX applications to be available to a wider audience. In a follow-up post, I’ll show you how to allow APEX traffic from the public internet while keeping access to the database itself restricted.