Re: Best Practice - Oracle Network thru Firewall

  • From: Tony Jambu <tjambu_freelists@xxxxxxxxxxxx>
  • To: "Paul Drake" <bdbafh@xxxxxxxxx>
  • Date: Tue, 07 Mar 2006 08:01:47 +1100

Hi Paul

The decision to allow external users to use direct Oracle Network 
was taken by the business long ago and we have to live with that.

Using SSH is an option but that would mean quite a fair bit of 
maintaining the accounts and guiding the users on how to use 
programs like PuTTY.   The OSes are UNIXes and already have SSH on them.
Thanks for the offer of help.

All our databases are EE edition so CMAN is not an issue.  Has anyone used CMAN
to do this?

ta
tony


At 02:31 AM 7/03/2006, Paul Drake wrote:
>On 3/6/06, Tony Jambu <tjambu_freelists@xxxxxxxxxxxx> wrote:
>Hi all
>
>Looking for best practice for allowing Oracle Network (functionality) 
>thru a firewall.
>
>Scenario
>Client wants to allow external clients to access information in the internal 
>network 
>as well as internal client having access to databases in the DMZ.
>
>                               Trusted Clients
>                                      |
>                            DMZ       v
>External --->  FW (ext) >-------->FW (Int)------>Internal dbs
>
>                            DMZ
>               FW (ext) ----dbs<---FW (Int)<----- Int Users
>
>
>basically client wants to access database in the DMZ 
>and allow clients to access some information in the internal corporate 
>database.
>
>Other than explicitly allowing port say 1521 across the Internal FW to 
>specific internal/DMZ servers, what other options are there? 
>
>1.  Oracle Connection Manager?
>2.  Proxy servers (like 3rd party ODBC server)? 
>
>Basically, what I am looking at is to stop someone from directly accessing the 
>listeners at the servers.  (Yes the listeners have been hardened) 
>
>Any bright ideas or suggestions?  Your help is much appreciated.
>
>
>ta
>tony
>
>
> 
>Tony,
>
>A "best practice" would be to disallow such connections. 
>Next best would be for such users to connect (securely) to an app server in 
>the DMZ.
>If "direct access" to the Oracle server needs to be supported, do so via a VPN.
>If no existing VPN is available, use OpenSSH. The users will be able with the 
>use of port forwarding (with an ssh client such as putty) to use (fat) Oracle 
>client tools against the remote database and still get dedicated server 
>sessions (unlike with using dispatchers). This will require that they be able 
>to authenticate against the remote Oracle server operating system, or its 
>domain. 
>
>There are other options, just none that I would consider to be a best practice.
>AFAIK, CMAN is an enterprise edition only feature.
>
>What OSes are in this environment - as the Oracle server might already have an 
>OpenSSH dæmon running on it. If it's a win32 OS, Cygwin will help. 
>
>Let me know if you need help setting up.
>
>Paul
>
>
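As an added example (not code from either post), the two pieces a user needs for the OpenSSH port-forwarding option Paul describes: the ssh command that carries the fat client's connection through the gateway, and the tnsnames.ora entry that makes the client dial the local end of the tunnel. The gateway host, database host, user name and service name are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Hostnames, user and service are
# placeholders chosen for illustration.

# Reject anything that is not a TCP port number (1-65535).
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# ssh command forwarding a port on the user's machine to the database
# listener, via the SSH gateway. -N: no remote shell, forwarding only.
# The forwarded port is bound to 127.0.0.1 explicitly so that other
# machines on the user's LAN cannot ride the tunnel; the firewall
# only ever sees SSH, never port 1521.
# Args: gateway_user gateway_host local_port db_host [db_port]
tunnel_cmd() {
    valid_port "$3" || { echo "bad local port: $3" >&2; return 1; }
    db_port="${5:-1521}"
    valid_port "$db_port" || { echo "bad db port: $db_port" >&2; return 1; }
    echo "ssh -N -L 127.0.0.1:$3:$4:$db_port $1@$2"
}

# tnsnames.ora entry for the client: it dials 127.0.0.1 and sshd
# delivers the connection to the listener on the database host,
# so the client still gets an ordinary dedicated server session.
# Args: alias local_port service_name
tns_entry() {
    valid_port "$2" || return 1
    printf '%s =\n  (DESCRIPTION =\n    (ADDRESS = (PROTOCOL = TCP)(HOST = 127.0.0.1)(PORT = %s))\n    (CONNECT_DATA = (SERVICE_NAME = %s))\n  )\n' "$1" "$2" "$3"
}

# Usage: "sh tunnel.sh demo" prints both pieces for a constructed setup.
if [ "${1:-}" = "demo" ]; then
    tunnel_cmd tony gw.dmz.example 1521 db1.internal.example
    tns_entry DB1_TUNNEL 1521 db1.example
fi
```

The user still authenticates to the gateway's OS (or its domain) for the ssh session, and then to the database as usual through the tunnel.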
