RE: Simple question (I think)

  • From: "Peter McLarty" <Peter_McLarty@xxxxxxxxxxxxxxxxxxxxx>
  • To: <zanenj@xxxxxxxxxxxxxxxx>
  • Date: Thu, 3 Aug 2006 12:18:23 +1000

You should just need to allow 1521 or whatever your listener is on. Depending 
on your firewall, some have Oracle ports in them to proxy your connection 
across. 
 
This is not all that uncommon, and the only system, as far as your firewall is 
concerned, that is getting to your database is the DMZ system. 1521 and nearly 
everything else should still be blocked on the external side of your DMZ.
 
Good rule of thumb: don't allow an untrusted system access right across the 
DMZ over your firewall. You have limited trust of the DMZ server, so you provide 
it with limited access. 
 
You want to give the connection limited access to the schema as well, to reduce 
the likelihood of damage if your external system connects badly, i.e. has been 
compromised.
 
If you can encrypt the traffic across the wall to the db server, that can be good.
 
Technet has a fair amount about security, so that is likely worth a read. It may 
not provide specifics but may help you with your firewall admin.
 
Cheers
 
Peter
 
 
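The "limited access to the schema" point above, worked through as an added example (not code from the thread or from any of its posters). It assumes an Oracle database with an existing owner schema APPDATA holding tables ORDERS and CUSTOMERS, and creates a separate account WEB_APP for the DMZ web server to connect as; all of those names are assumptions for illustration, and the statements are run as a DBA:

```sql
-- Added example: a least-privilege account for the DMZ web tier.
-- APPDATA, APPDATA.ORDERS, APPDATA.CUSTOMERS, WEB_APP and WEB_APP_PROFILE are
-- assumed names, not anything from the original thread.

-- 1. A profile that locks the account after repeated failures and caps the
--    number of concurrent sessions the DMZ host can hold open.
CREATE PROFILE web_app_profile LIMIT
  FAILED_LOGIN_ATTEMPTS 5
  PASSWORD_LOCK_TIME    1/24      -- one hour, expressed in days
  SESSIONS_PER_USER     20;

-- 2. A dedicated account that owns nothing: no CONNECT/RESOURCE roles, no
--    tablespace quota, so a compromised web server cannot create objects.
CREATE USER web_app IDENTIFIED BY "<password-set-by-operator>"
  DEFAULT TABLESPACE users
  QUOTA 0 ON users
  PROFILE web_app_profile;

-- 3. Only the privileges the web application actually uses. No DELETE, no DDL,
--    no SELECT ANY TABLE, nothing on the base schema beyond these two tables.
GRANT CREATE SESSION TO web_app;
GRANT SELECT, INSERT ON appdata.orders    TO web_app;
GRANT SELECT         ON appdata.customers TO web_app;

-- 4. Private synonyms so the application code never references the owning
--    schema directly, and the owner's password never leaves the internal side.
CREATE OR REPLACE SYNONYM web_app.orders    FOR appdata.orders;
CREATE OR REPLACE SYNONYM web_app.customers FOR appdata.customers;

-- 5. Verify exactly what the account can reach before the DMZ host gets it.
SELECT privilege
  FROM dba_sys_privs
 WHERE grantee = 'WEB_APP';

SELECT owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'WEB_APP';
```

The two verification queries should return only CREATE SESSION and the three table grants; anything else is a sign the account picked up a role or privilege it does not need. On the encryption point, Oracle's native network encryption between the DMZ client and the listener is switched on in sqlnet.ora (SQLNET.ENCRYPTION_SERVER and SQLNET.CRYPTO_CHECKSUM_SERVER set to REQUIRED), separately from any firewall configuration.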

________________________________

From: oracle-l-bounce@xxxxxxxxxxxxx on behalf of Jared Still
Sent: Thu 3/08/2006 4:22 AM
To: zanenj@xxxxxxxxxxxxxxxx
Cc: oracle-l@xxxxxxxxxxxxx
Subject: Re: Simple question (I think)



On 8/2/06, Zanen, dhr. J.A. (Jack) van <zanenj@xxxxxxxxxxxxxxxx> wrote: 

        Hi All,
        
        This is what needs to be done:
        We have a website in a DMZ that needs to access data in our databases
        that are behind a firewall.
        I have never had to deal with DMZ, firewall issues before, so I ask
        this list for some advice.


Neither have I.

Which is why I would start with MetaLink Note 152133.1.



        SECOND question.
        
        Is this a good way to go through the firewall? Or are there issues with
        this way of doing it? Furthermore, how did you solve this?



Poking holes in your firewall is not generally considered a good practice. 

See the note I mentioned, then do further searches on MetaLink.



-- 
Jared Still
Certifiable Oracle DBA and Part Time Perl Evangelist
