Tuesday, July 11, 2006

Encrypting Oracle Net Traffic

I've gotten some questions about encryption of Oracle Net data through the network and thought that I would post some information. The following contains information that I got from a conversation with Oracle Support.

Without encryption (the Oracle Advanced Security Option, OAS, or another form of network encryption), data leaving the server or client via Oracle Net is transmitted in the clear. Although the switched and routed networks in use today minimize eavesdropping on broadcast data, the possibility of eavesdropping still exists without encryption. Everything beyond the local zone, data center and DMZ (or secured zone) to the outside should be encrypted by your routers. Additionally, physical security prevents entry to the secured zones.

These days, to actually sniff packets from a routed/switched network, a network analyst needs to shadow (mirror) a port on a router just to hook up a packet-capturing tool such as a Network General (an old company by now) Sniffer. However, it is possible to mirror a router port at any router along the traffic path and read clear-text data from within the packets, as long as the data is not encrypted using OAS and no other method of encryption has been employed along the path.

Physical security and Human Resources screening are more important to companies than worrying about Oracle Net traffic to the listener port.

Bottom line:

I can’t imagine the expertise required to find and enter a secured zone network much less creating a shadow port. Sounds like something from Mission Impossible to me. If you have some network paths which are not encrypted, then install Oracle Advanced Security (OAS) which comes free with the Oracle Enterprise Edition software.
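The server-side setting the post points at is configured in sqlnet.ora. The fragments below are an added example, not from the post or from Oracle Support; they use the standard Oracle Net native encryption parameters and show the weak default (both sides merely ACCEPT encryption, so a session is still negotiated in the clear) next to a hardened setting that refuses unencrypted sessions. The two server fragments are alternatives, not one file.

```ini
# sqlnet.ora fragments (constructed example; the SQLNET.* names below are
# Oracle Net native encryption parameters, assumed here, not from the post)

# --- Weak (this is the effective default): each side only ACCEPTS encryption.
# Neither side asks for it, so the session runs in clear text and a mirrored
# router port along the path sees the Oracle Net payload as-is.
SQLNET.ENCRYPTION_SERVER = ACCEPTED
SQLNET.ENCRYPTION_CLIENT = ACCEPTED

# --- Hardened server side: refuse any session that is not encrypted and
# integrity-checked. A client whose sqlnet.ora says REJECTED fails to connect
# instead of silently falling back to clear text, which is the intended result.
SQLNET.ENCRYPTION_SERVER = REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)
SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA1)

# --- Matching client side (in the client's own sqlnet.ora)
SQLNET.ENCRYPTION_CLIENT = REQUIRED
SQLNET.ENCRYPTION_TYPES_CLIENT = (AES256)
SQLNET.CRYPTO_CHECKSUM_CLIENT = REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT = (SHA1)

# --- Verify from inside a session that encryption was actually negotiated:
# the banner rows list the active encryption and checksum service adapters.
#   SELECT network_service_banner
#     FROM v$session_connect_info
#    WHERE sid = SYS_CONTEXT('USERENV', 'SID');
```

Set REQUIRED on the server first and roll the client change out afterwards; a server at REQUESTED still lets a client that only ACCEPTS connect in the clear, so REQUESTED is not a substitute for REQUIRED.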

1 comment:

sedwardba said...

Sorry, but Oracle Advanced Security is NOT FREE. You have to purchase an additional license to use it. Oracle Advanced Security is useful for encrypting all your network traffic and the Transparent Data Encryption (TDE) portion of OAS is the preferred method for encrypting data in the database.

Notice: When a user authenticates remotely to an Oracle database, the user password is always encrypted regardless; this is base functionality of the Oracle software. OAS is not needed for encryption of the password during remote authentication.