
RE: restricting user access on IP level

From: Sais, Gene <gsais_at_qode.com>
Date: Tue, 26 Sep 2000 09:04:48 -0400
Message-Id: <10631.117865@fatcity.com>



Put web server on separate network segment dmz and db server on trusted segment. Put a firewall between the big-I and dmz and firewall between the dmz and trusted.

You can do this with firewall rules:

  1. allow http requests port 80 from any client browser to web server
  2. allow sqlnet requests port 1521 from web server on dmz to db server

Note, this can be done with 1 physical firewall.

Hope that helps.

Gene Sais
Ft Lauderdale

-----Original Message-----
From: Oliver Artelt [mailto:oli_at_md.transnet.de]
Sent: Tuesday, September 26, 2000 9:11 AM
To: Multiple recipients of list ORACLE-L
Subject: Re: restricting user access on IP level

Yep!
This is a job for (my highly beloved) connection manager.
Generic docu -> Server Networking and Security -> Net8 Administrator's Guide -> Architecture and Concepts -> Net8 Access Control (vsn 815)

oli

On Tue, 26 Sep 2000, nlzanen1_at_ey.nl wrote:
> Hi All,
>
>
>
> I would like to restrict a user from logging on to the database if he/she
> comes from an unknown IP address.
> Can this be done??
>
> Situation:
>
> Webserver with fixed IP-Address.
> People log on to the webserver which then spawns a process that logs on to
> the database using a username/password with lots of privileges to retrieve
> the data requested by the user.
> I would not want anybody to use this username from any other machine except
> this one webserver.
>
>
>
> TIA
>
>
> Jack
>

-- 
---

Oliver Artelt, System- und Datenbankadministration
---------------------------------------------------------------
  cubeoffice GmbH & Co.KG # jordanstrasse 7 # 39112 magdeburg
telefon: +49 (0)391 6 11 28 10 # telefax: +49 (0)391 6 11 28 19
   email: oli@cubeoffice.de # web: http://www.cubeoffice.de
---------------------------------------------------------------

Received on Tue Sep 26 2000 - 08:04:48 CDT
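
The two firewall rules from the reply above, modelled as a default-deny rule set, as an added example that is not part of the original thread. The IP addresses are constructed samples from the RFC 5737 documentation ranges, and the names Rule, allowed and listener_exposure are hypothetical; listener_exposure flags any rule that lets a source other than the one web server reach port 1521.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample addresses (RFC 5737 documentation ranges), not from the thread.
WEB_SERVER = "192.0.2.10"      # web server on the DMZ segment
DB_SERVER = "198.51.100.20"    # database server on the trusted segment
ANY = "0.0.0.0/0"

@dataclass(frozen=True)
class Rule:
    src: str      # source network in CIDR form
    dst: str      # destination network in CIDR form
    port: int     # destination TCP port

    def matches(self, src_ip, dst_ip, port):
        return (port == self.port
                and ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst))

# The two allow rules from the message; everything else is dropped.
RULES = [
    Rule(ANY, WEB_SERVER + "/32", 80),                  # 1. any browser -> web server, HTTP
    Rule(WEB_SERVER + "/32", DB_SERVER + "/32", 1521),  # 2. web server -> db server, SQL*Net
]

def allowed(src_ip, dst_ip, port, rules=RULES):
    """Default deny: a connection passes only if some allow rule matches."""
    return any(r.matches(src_ip, dst_ip, port) for r in rules)

def listener_exposure(rules, db_ip=DB_SERVER, web_ip=WEB_SERVER, port=1521):
    """Return rules that let any source other than the web server reach the listener."""
    db = ipaddress.ip_address(db_ip)
    web_only = ipaddress.ip_network(web_ip + "/32")
    return [r for r in rules
            if r.port == port
            and db in ipaddress.ip_network(r.dst)
            and ipaddress.ip_network(r.src) != web_only]

if __name__ == "__main__":
    probes = [
        ("203.0.113.5", WEB_SERVER, 80),    # browser to web server
        (WEB_SERVER, DB_SERVER, 1521),      # web server to listener
        ("203.0.113.5", DB_SERVER, 1521),   # outside client straight to listener
        ("192.0.2.11", DB_SERVER, 1521),    # another DMZ host to listener
    ]
    for p in probes:
        print(p, "ALLOW" if allowed(*p) else "DENY")
    print("over-broad listener rules:", listener_exposure(RULES))
```

The filter is keyed on the source host only, so it limits which machine can reach the listener, not which process on the web server uses the database account.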
