Hey all, > The risk for an external threat is pretty much minimized through a set of > security layers such as the Firewall, anti-virus, etc. Without seeing a specific environment I'd tend to disagree; better to be more cautious than not. If the database in question is connected to a web or application server then there's the potential for SQL injection; there's potential for exploitation of flaws in the app environment itself (struts, anyone? OAS?); and host of other issues that can relegate the firewall to an expensive box with pretty flashing lights. In this day and age, anyone that thinks a firewall offers sufficient protection should open a newspaper and read about all the database security breaches taking place. Do you really think those orgs weren't using firewalls? As far as WAFs are concerned - they can be bypassed by a moderate to skilled attacker. I know it's a pain but the best strategy really is keeping your patches up to date and reducing your attack surface. Cheers, David -- //www.freelists.org/webpage/oracle-l