Re: Firewalling Oracle

  • From: Robyn <robyn.sands@xxxxxxxxx>
  • To: "Oracle-L@Freelists. Org (E-mail)" <oracle-l@xxxxxxxxxxxxx>
  • Date: Wed, 11 Jan 2006 15:30:33 -0500


We're using ip checking selectively to protect a few of the more critical
applications.  The biggest problem I've noticed is that users make new
requests for connections but the old ones seldom get cleaned up.  Then a new
hire inherits a machine and has access to the world.

Our entire datacenter is moving next weekend with all new ip addresses, so
we just happen to be in the process of re-identifying all the necessary
addresses.  :(

If all DBA's happened to be OCD, this wouldn't have occurred ...

You also have to restart the listener for a new addition to be recognized,
and a few of our app servers die anytime there is even a brief network
interruption so new additions have to wait for a scheduled restart.

Seems to me it can serve a good purpose in the right environment.  If it's
allowed to get sloppy, it's not only difficult to cleanup, everyone and
their cousin ends up in the list anyway.

my 2 cents ... Robyn

On 1/11/06, Hostetter, Jay M <JHostetter@xxxxxxxxxxxxxxxxxxxx> wrote:
> Jared,
> >What problems did you run into with it?
> Forgetting to change it when an ip address changed.
> >Was it worth the trouble in your opinion?
> I was able to sleep better at night.
> We have two boxes that were briefly sitting outside of a firewall.  This
> is when I implemented the TCP.INVITED_NODES parameter.  Since that time,
> these boxes have been moved into a more secure area of the network.  But
> since they are outside our corporate firewall I left the parameter in
> place.  I've never really had any problems, except when the IP address of
> the invited nodes changed.  They were NATted addresses, so it took me a
> little while to figure out that it wasn't a firewall problem.
> Jay
>  ------------------------------
> *From:* oracle-l-bounce@xxxxxxxxxxxxx [mailto:
> oracle-l-bounce@xxxxxxxxxxxxx] *On Behalf Of *Jared Still
> *Sent:* Wednesday, January 11, 2006 2:09 PM
> *To:* Oracle-L Freelists
> *Subject:* Firewalling Oracle
> Hello,
> I'm curious how many folks have used the the TCP.VALIDNODE_CHECKING,
> TCP.EXCLUDED_NODES and/or TCP.INVITED_NODES parameters to restrict
> database access.
> What problems did you run into with it?
> Was it worth the trouble in your opinion?
> Thanks,
> Jared Still
> Certifiable Oracle DBA and Part Time Perl Evangelist
> This e-mail message and any files transmitted with it are intended for the 
> use of the individual or entity to which they are addressed and may contain 
> information that is privileged, proprietary and confidential. If you are not 
> the intended recipient, you may not use, copy or disclose to anyone the 
> message or any information contained in the message. If you have received 
> this communication in error, please notify the sender and delete this e-mail 
> message. The contents do not represent the opinion of D&E except to the 
> extent that it relates to their official business.

Robyn Anderson Sands
email: Robyn.Sands@xxxxxxxxxx

Other related posts: