Re: Best Practice - Oracle Network thru Firewall

  • From: "Paul Drake" <bdbafh@xxxxxxxxx>
  • To: tjambu_freelists@xxxxxxxxxxxx
  • Date: Mon, 6 Mar 2006 10:31:51 -0500

On 3/6/06, Tony Jambu <tjambu_freelists@xxxxxxxxxxxx> wrote:
>
> Hi all
>
> Looking for best practice for allowing Oracle Network (functionality)
> thru a firewall.
>
> *Scenario
> *Client wants to allow external clients to access information in the
> internal network
> as well as internal client having access to databases in the DMZ.
>
>                                Trusted Clients
>                                       |
>                             DMZ       v
> External --->  FW (ext) >-------->FW (Int)------>Internal dbs
>
>                             DMZ
>                FW (ext) ----dbs<---FW (Int)<----- Int Users
>
>
> basically client wants to access database in the DMZ
> and allow clients to access some information in the internal corporate
> database.
>
> Other than explicitly allowing port say 1521 across the Internal FW to
> specific internal/DMZ servers, what other options are there?
>
> 1.  Oracle Connection Manager?
> 2.  Proxy servers (like 3rd party ODBC server)?
>
> Basically, what I am looking at is to stop someone from directly accessing
> the listeners at the servers.  (Yes the listeners have been hardened)
>
> Any bright ideas or suggestions?  Your help is much appreciated.
>
>
> ta
> tony
>


Tony,

A "best practice" would be to disallow such connections.
Next best would be for such users to connect (securely) to an app server in
the DMZ.
If "direct access" to the Oracle server needs to be supported, do so via a
VPN.
If no existing VPN is available, use OpenSSH. The users will be able with
the use of port forwarding (with an ssh client such as putty) to use (fat)
Oracle client tools against the remote database and still get dedicated
server sessions (unlike with using dispatchers). This will require that they
be able to authenticate against the remote Oracle server operating system,
or its domain.

There are other options, just none that I would consider to be a best
practice.
AFAIK, CMAN is an enterprise edition only feature.

What OSes are in this environment - as the Oracle server might already have
an OpenSSH dæmon running on it. If it's a win32 OS, Cygwin will help.

Let me know if you need help setting up.

Paul
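
The SSH port-forwarding setup Paul describes, as an added example that is not part of the original thread: a loopback-only local forward carrying Oracle Net traffic, the matching tnsnames.ora entry, and an sshd_config restriction on the gateway so the tunnel can reach only the listener. Host names (gw.example.com, db.internal), the user name dbuser and the service name are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the original thread): an SSH local port forward
# carrying Oracle Net traffic, plus the restrictions a defender wants on it.
# Host names, the user name and the service name are assumed placeholders.

# Client side: forward a loopback-only local port to the DB listener.
# Binding to 127.0.0.1 keeps other hosts on the client's LAN from using the
# tunnel; -N opens no remote shell. gw.example.com is the SSH host the
# internal firewall permits, db.internal the Oracle server behind it.
TUNNEL_SPEC="127.0.0.1:1521:db.internal:1521"
# ssh -N -L "$TUNNEL_SPEC" dbuser@gw.example.com

# tnsnames.ora entry on the client pointing at the local end of the tunnel
# (constructed sample, written to a temp file so this script runs offline).
TNS_FILE=$(mktemp)
trap 'rm -f "$TNS_FILE"' EXIT
cat >"$TNS_FILE" <<'EOF'
ORCL_TUNNEL =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = 127.0.0.1)(PORT = 1521))
    (CONNECT_DATA = (SERVICE_NAME = orcl.example.com))
  )
EOF

# Gateway side (sshd_config): allow forwarding only to the listener, so a
# tunnel user cannot reach other internal hosts through the gateway.
# Match User dbuser
#     AllowTcpForwarding yes
#     PermitOpen db.internal:1521
#     PermitTTY no

# Return 0 when a -L spec binds only to loopback. An explicit bind address of
# 0.0.0.0, '*' or a LAN address would expose the tunnel to the client's
# network; a spec with no bind address is accepted because ssh binds to
# loopback by default unless -g is given.
forward_is_loopback_only() {
    spec=$1
    case "$spec" in
        \[*\]:*:*:*) bind=${spec%%]*}; bind=${bind#\[} ;;  # [v6addr]:port:host:hostport
        *:*:*:*)     bind=${spec%%:*} ;;                   # bind_address:port:host:hostport
        *:*:*)       return 0 ;;                           # port:host:hostport
        *)           return 1 ;;                           # malformed
    esac
    case "$bind" in
        127.*|localhost|::1) return 0 ;;
        *)                   return 1 ;;
    esac
}

# HOST the tnsnames entry points at, to compare with the local tunnel end.
tns_host() { sed -n 's/.*(HOST *= *\([^)]*\)).*/\1/p' "$1" | head -n 1; }
```

The tnsnames entry must name the local end of the tunnel (127.0.0.1), not the internal server, and the gateway's PermitOpen line is what keeps a tunnel user from forwarding to anything other than the listener.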