Re: Question re security

  • From: Niall Litchfield <niall.litchfield@xxxxxxxxx>
  • To: Nuno Souto <dbvision@xxxxxxxxxxxx>
  • Date: Tue, 14 Jan 2014 10:18:50 +0000

I'm no security expert - You'll need the other Litchfield for that :) - but
we have a similar setup here. There are several things which I believe
apply here.

1) Principle of least privilege: The vast majority of workstations do not
need direct access to sensitive resources, nor do the vast majority of
application or database servers require direct access to non-related
resources.

2) Ensuring you guard against the major risks. Inside attacks are by far
the most common *cough*snowden*cough*.

3) If system A is compromised, then segmenting and separating it from
system B makes it much less likely that system B will be compromised.

I don't have access to our bandwidth figures (and likely wouldn't share
them on a public forum anyway), but my *expectation* is that bandwidth and
latency are not adversely affected by such a security setup. If they are,
then there would be an expectation that the network admins would work to
reduce the latency/bandwidth hit. For example, I know that on some
firewalls SQL*Net packet inspection can be a significant CPU drain; in such
a case one might choose not to implement packet inspection between known
"whitelisted" hosts.

On the whole though I'd expect not to be able to move from "application
system" to "application system" without encountering such barriers.

On Tue, Jan 14, 2014 at 7:51 AM, Nuno Souto <dbvision@xxxxxxxxxxxx> wrote:

> Simple question, hopefully I'll get some answers!  :)
> Because if I don't, some security "expert" heads will roll as a result...
>
> Who here has database servers, app servers, admin and dev workstations,
> each in its own subnet (4 subnets),
> with firewalls between each subnet,
> all inside the company's intranet?
>
> I'd just like to know why and what security expectations, imperatives,
> constraints/conditions are being addressed/resolved by such a setup?
>
> As well if you do, then what is the expected and measured network bandwidth
> AND latency between subnets, through the firewalls.
>
> "clickety-click grid control and hope for the best" dbas need not reply,
> thanking you very much...
>
>
> -- Cheers
> Nuno Souto
> dbvision@xxxxxxxxxxxx
> --
> //www.freelists.org/webpage/oracle-l

-- 
Niall Litchfield
Oracle DBA
http://www.orawin.info
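Added example, not part of either message in this thread: the four-subnet layout Nuno asks about (DB servers, app servers, admin workstations, dev workstations, firewalls between them) written down as a default-deny policy, with the "skip SQL*Net inspection between known hosts" exception Niall mentions, plus a function that shows what a host compromised in one zone can still reach through the firewalls. The addresses, the ports other than the Oracle default 1521, and the rule set are constructed assumptions for illustration, not anyone's real network.

```python
"""Model of a four-zone segmented intranet with default-deny firewalls
between zones and a per-host-pair bypass for SQL*Net protocol inspection.

Addresses, rules and the bypass pair are constructed assumptions."""
import ipaddress
from dataclasses import dataclass

# Assumed addressing: one /24 per zone.
ZONES = {
    "db":    ipaddress.ip_network("10.0.1.0/24"),
    "app":   ipaddress.ip_network("10.0.2.0/24"),
    "admin": ipaddress.ip_network("10.0.3.0/24"),
    "dev":   ipaddress.ip_network("10.0.4.0/24"),
}

SQLNET, SSH, HTTPS = 1521, 22, 443  # 1521 is the default Oracle listener port


@dataclass(frozen=True)
class Rule:
    """One permitted inter-zone TCP flow. Anything not matched is denied."""
    src_zone: str
    dst_zone: str
    dport: int


# Least privilege: each zone gets only the ports its role needs.
# Dev workstations never reach the DB zone directly; only admins and the
# app tier do, and only on specific ports. (Assumed rule set.)
RULES = [
    Rule("app",   "db",  SQLNET),
    Rule("admin", "db",  SQLNET),
    Rule("admin", "db",  SSH),
    Rule("admin", "app", SSH),
    Rule("dev",   "app", HTTPS),
]

# Known app-host -> DB-host pairs whose SQL*Net traffic is passed without
# protocol inspection (the CPU trade-off from the reply). Every other
# permitted flow is still inspected. (Assumed pair.)
INSPECTION_BYPASS = {("10.0.2.10", "10.0.1.10", SQLNET)}


def zone_of(ip):
    """Return the zone name an address belongs to, or None if it is in no zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def evaluate(src_ip, dst_ip, dport):
    """Decide a TCP flow through the inter-zone firewalls.

    Returns (verdict, inspected): verdict is "allow" or "deny"; inspected is
    True only when the flow is allowed and not on the bypass list. Traffic
    that stays inside one zone never crosses a firewall, so the model
    allows it uninspected.
    """
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return ("deny", False)          # unknown address space: default deny
    if src == dst:
        return ("allow", False)         # intra-zone, no firewall in the path
    if Rule(src, dst, dport) not in RULES:
        return ("deny", False)          # no rule permits this zone pair/port
    inspected = (src_ip, dst_ip, dport) not in INSPECTION_BYPASS
    return ("allow", inspected)


def exposure(zone):
    """What a compromised host in `zone` can still reach: {dst_zone: {ports}}.

    This is the segmentation argument made concrete: a compromised dev
    workstation yields only HTTPS to the app tier, never the DB zone.
    """
    reach = {}
    for r in RULES:
        if r.src_zone == zone:
            reach.setdefault(r.dst_zone, set()).add(r.dport)
    return reach


if __name__ == "__main__":
    for flow in [("10.0.2.10", "10.0.1.10", SQLNET),   # app -> db, bypass pair
                 ("10.0.2.11", "10.0.1.10", SQLNET),   # app -> db, inspected
                 ("10.0.4.5",  "10.0.1.10", SQLNET),   # dev -> db, denied
                 ("10.0.1.10", "10.0.2.10", SSH)]:     # db -> app, denied
        print(flow, "->", evaluate(*flow))
    for z in ZONES:
        print(f"{z:>5} can reach: {exposure(z)}")
```

The point of `exposure()` is the one Niall makes in his third item: the rule table is also the blast-radius table. If a rule ever appears that lets the dev zone reach the DB zone on 1521, that function is where it shows up.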
