Re: Best Practice - Oracle Network thru Firewall

  • From: "stephen booth" <stephenbooth.uk@xxxxxxxxx>
  • To: tjambu_freelists@xxxxxxxxxxxx
  • Date: Mon, 6 Mar 2006 22:48:09 +0000

On 06/03/06, Tony Jambu <tjambu_freelists@xxxxxxxxxxxx> wrote:
> Hi all
>
> Looking for best practice for allowing Oracle Network (functionality)
> thru a firewall.
>

I'd agree with Paul, best practice is "Don't".

Given that you have to, the only other things not already covered by
Paul I can think of are to ask if you can know the IP addresses of the
trusted clients, to suggest that you make sure you audit logins, use a
non-standard port for your listener and emphasise that you really need
to keep on top of security patches for Oracle.

If you know that your trusted clients will only be coming from certain
IP addresses then you can restrict connections to just those IP
addresses for your listener port.  Using a nonstandard port will help
a little in reducing the crackability of your database, they have to
find the port before they can try to exploit it, but not by much.

You might also want to look at Advanced Security Option.  I attended a
workshop recently on this where they went into the features.  Oracle,
through Advanced Security, now supports the use of digital
certificates and SecurID tags for authentication.  Not a cheap option
but the client might be ready to pay, or they might not.  If they're
not prepared to pay then at least they can't say you didn't give them
the option.

Whatever you do it would be a good idea to make sure that you
document any and all security concerns and make the client aware of
them, to cover yourself.  Maybe get some professional indemnity
insurance as well, just in case.  You don't want to be left carrying
the can for a client's bad decision.

Good security is like an onion, it's got plenty of layers so if they
get through one then they've still got work to do to get through the
next.  Hopefully by the time they're getting close to the database
they've been detected and countermeasures have been deployed.

Stephen

--
It's better to ask a silly question than to make a silly assumption.

http://stephensorablog.blogspot.com/
--
//www.freelists.org/webpage/oracle-l
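
The IP restriction and non-standard listener port suggested in the message above can be checked from the server's Oracle Net files. This is an added example, not part of the original post: it assumes the restriction is done with Oracle Net valid node checking (the `TCP.VALIDNODE_CHECKING` and `TCP.INVITED_NODES` parameters in sqlnet.ora, which the message does not name), and the function names, hosts and file contents are constructed for illustration.

```python
import re

# Constructed sample files (not from the original post); hosts and IPs are placeholders.
SAMPLE_SQLNET = """
# sqlnet.ora on the database server
TCP.VALIDNODE_CHECKING = YES
TCP.INVITED_NODES = (192.0.2.10, 192.0.2.11, appserver1)
"""
SAMPLE_LISTENER = """
LISTENER =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost)(PORT = 1521))
  )
"""

def sqlnet_params(text):
    """Return {NAME: value} for single-line 'name = value' entries, ignoring # comments."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"([\w.]+)\s*=\s*(.+)$", line)
        if m:
            params[m.group(1).upper()] = m.group(2).strip()
    return params

def invited_nodes(params):
    """Hosts allowed to connect, or [] when valid node checking is not enforced."""
    if params.get("TCP.VALIDNODE_CHECKING", "NO").upper() != "YES":
        return []
    raw = params.get("TCP.INVITED_NODES", "").strip("() ")
    return [h.strip() for h in raw.split(",") if h.strip()]

def listener_ports(text):
    """All TCP ports named in listener.ora ADDRESS entries."""
    return [int(p) for p in re.findall(r"\(\s*PORT\s*=\s*(\d+)\s*\)", text, re.I)]

def findings(sqlnet_text, listener_text):
    """List the gaps relative to the advice in the message."""
    out = []
    if not invited_nodes(sqlnet_params(sqlnet_text)):
        out.append("no client IP allow-list (TCP.INVITED_NODES not enforced)")
    if 1521 in listener_ports(listener_text):
        out.append("listener on default port 1521")
    return out

if __name__ == "__main__":
    for f in findings(SAMPLE_SQLNET, SAMPLE_LISTENER):
        print("FINDING:", f)
```
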

