Re: Firewalling Oracle

  • From: Robyn <robyn.sands@xxxxxxxxx>
  • To: "Oracle-L@Freelists. Org (E-mail)" <oracle-l@xxxxxxxxxxxxx>
  • Date: Wed, 11 Jan 2006 15:30:33 -0500

Jared,

We're using ip checking selectively to protect a few of the more critical
applications.  The biggest problem I've noticed is that users make new
requests for connections but the old ones seldom get cleaned up.  Then a new
hire inherits a machine and has access to the world.

Our entire datacenter is moving next weekend with all new ip addresses, so
we just happen to be in the process of re-identifying all the necessary
addresses.  :(

If all DBAs happened to be OCD, this wouldn't have occurred ...

You also have to restart the listener for a new addition to be recognized,
and a few of our app servers die anytime there is even a brief network
interruption so new additions have to wait for a scheduled restart.

Seems to me it can serve a good purpose in the right environment.  If it's
allowed to get sloppy, it's not only difficult to clean up, everyone and
their cousin ends up in the list anyway.

my 2 cents ... Robyn
On 1/11/06, Hostetter, Jay M <JHostetter@xxxxxxxxxxxxxxxxxxxx> wrote:
>
> Jared,
>
> >What problems did you run into with it?
>
> Forgetting to change it when an ip address changed.
>
> >Was it worth the trouble in your opinion?
>
> I was able to sleep better at night.
>
> We have two boxes that were briefly sitting outside of a firewall.  This
> is when I implemented the TCP.INVITED_NODES parameter.  Since that time,
> these boxes have been moved into a more secure area of the network.  But
> since they are outside our corporate firewall I left the parameter in
> place.  I've never really had any problems, except when the IP address of
> the invited nodes changed.  They were NATted addresses, so it took me a
> little while to figure out that it wasn't a firewall problem.
>
> Jay
>
>  ------------------------------
> *From:* oracle-l-bounce@xxxxxxxxxxxxx [mailto:
> oracle-l-bounce@xxxxxxxxxxxxx] *On Behalf Of *Jared Still
> *Sent:* Wednesday, January 11, 2006 2:09 PM
> *To:* Oracle-L Freelists
> *Subject:* Firewalling Oracle
>
>
> Hello,
>
> I'm curious how many folks have used the TCP.VALIDNODE_CHECKING,
> TCP.EXCLUDED_NODES and/or TCP.INVITED_NODES parameters to restrict
> database access.
>
> What problems did you run into with it?
>
> Was it worth the trouble in your opinion?
>
> Thanks,
>
> Jared Still
> Certifiable Oracle DBA and Part Time Perl Evangelist
>
--
Robyn Anderson Sands
email: Robyn.Sands@xxxxxxxxxx
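As an added illustration for the thread above (not code from any of the posters), a small Python audit that reads the TCP.INVITED_NODES list out of sqlnet.ora and compares it with the hosts that actually connected according to listener.log, flagging listed nodes that never show up (candidates for the clean-up Robyn describes) and hosts that were refused. The file contents, addresses and host names are constructed; host-name entries are compared literally, so resolving them to addresses is left out.

```python
import re

# Constructed sqlnet.ora fragment: the invited-node list spans two lines,
# and includes one node and one host name that no longer connect.
SQLNET_ORA = """\
TCP.VALIDNODE_CHECKING = yes
TCP.INVITED_NODES = (192.0.2.10, 192.0.2.11,
                     appsrv1.example.com, 192.0.2.50)
"""

# Constructed listener.log "establish" lines; the last field is the listener
# return code (0 = accepted, non-zero = refused; 12546 is TNS permission denied).
LISTENER_LOG = """\
11-JAN-2006 14:09:00 * (CONNECT_DATA=(SERVICE_NAME=orcl)(CID=(PROGRAM=sqlplus)(HOST=web1)(USER=app))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.0.2.10)(PORT=40210)) * establish * orcl * 0
11-JAN-2006 14:10:31 * (CONNECT_DATA=(SERVICE_NAME=orcl)(CID=(PROGRAM=sqlplus)(HOST=web2)(USER=app))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.0.2.11)(PORT=40211)) * establish * orcl * 0
11-JAN-2006 14:12:05 * (CONNECT_DATA=(SERVICE_NAME=orcl)(CID=(PROGRAM=sqlplus)(HOST=pc77)(USER=bob))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.0.2.99)(PORT=40299)) * establish * orcl * 12546
"""

def invited_nodes(sqlnet_text):
    """Return the TCP.INVITED_NODES entries; the parenthesised list may span lines."""
    m = re.search(r"TCP\.INVITED_NODES\s*=\s*\(([^)]*)\)", sqlnet_text, re.I | re.S)
    if not m:
        return []
    return [n.strip() for n in m.group(1).split(",") if n.strip()]

def connecting_hosts(log_text):
    """Map the client HOST of each establish line to (accepted, refused) counts."""
    # Only the ADDRESS part has (HOST=...)(PORT=...) directly before "* establish",
    # so the HOST inside CONNECT_DATA's CID is not picked up.
    pat = re.compile(r"\(HOST=([^)]+)\)\(PORT=\d+\)\)\s*\*\s*establish\s*\*\s*\S+\s*\*\s*(\d+)")
    hosts = {}
    for line in log_text.splitlines():
        m = pat.search(line)
        if not m:
            continue
        host, rc = m.group(1), int(m.group(2))
        acc, rej = hosts.get(host, (0, 0))
        hosts[host] = (acc + 1, rej) if rc == 0 else (acc, rej + 1)
    return hosts

def audit(sqlnet_text, log_text):
    """Invited entries with no connections (stale) and hosts that were refused."""
    invited = invited_nodes(sqlnet_text)
    seen = connecting_hosts(log_text)
    stale = [n for n in invited if n not in seen]
    refused = sorted(h for h, (_, rej) in seen.items() if rej)
    return {"invited": invited, "stale": stale, "refused": refused}
```

Run it against a real listener.log covering a full business cycle before treating a "stale" entry as removable, and remember the listener still needs a restart (or reload) for edits to take effect, as the thread notes.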