
RE: VPN to database?

From: DENNIS WILLIAMS <DWILLIAMS_at_lifetouch.com>
Date: Fri, 24 Oct 2003 09:29:26 -0800
Message-ID: <F001.005D43A1.20031024092926@fatcity.com>


Paul - We have some of the similar issues here (network/firewall/VPN/Oracle Net). Based on your description of your business, you probably have some competent network engineers on staff. My experience is that they routinely handle issues like this, and you probably won't need to get involved in the actual configuration. However, you should educate yourself in the security issues involved so you can participate intelligently in any discussions from the database point of view. As a starter, I am including two recent excellent postings to this list from Tim Gorman and Ian MacGregor. Just scroll down.

Dennis Williams
DBA
Lifetouch, Inc.
dwilliams_at_lifetouch.com

Sent: Thursday, August 07, 2003 10:25 AM
To: Multiple recipients of list ORACLE-L

Sandro,

There is an excellent book on "Oracle Security" available online from
"http://www.sans.org". Concise, organized, and prioritized. Also, Newman
and Theriault's "Oracle Security Handbook" from Oracle Press is chock full of common sense...

Not sure what the question about "automating the migration of stored procedures" refers to. Could you provide more information? I don't think I understand the problem...

Storing password files on the database server is mainly an exercise in ensuring that OS security and file permissions are properly implemented. If you cannot ensure that OS files are properly secured, then the entire Oracle database is at risk, not to mention files containing clear-text passwords. After all, one can view data within datafiles using programs other than the Oracle RDBMS...

The idea of creating production schemas/logins to separate object ownership from application/end-user access is excellent. To avoid using synonyms, consider the functionality of the "ALTER SESSION SET CURRENT_SCHEMA = <ownership-schema>" command being executed in an AFTER LOGON trigger in all accounts used for end-user access. It is a little-known but wonderfully manageable bit of functionality...

Hope this helps...

-Tim
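The ownership/access split and the AFTER LOGON trigger Tim describes above, worked through as an added example (this is not code from the original post or from Oracle's documentation; every name, APP_OWNER, APP_USER, APP_USER_ROLE, ORDERS and the trigger name, is a constructed placeholder, as are the quoted passwords):

```sql
-- Added example, not from the original post. All schema, role, table and
-- trigger names are constructed placeholders; the passwords are placeholders too.
-- Run as a DBA account that holds CREATE USER, CREATE ROLE and CREATE ANY TRIGGER.

-- 1. Owner schema: holds the tables. It deliberately lacks CREATE SESSION,
--    so nobody can connect as it; the DBA creates its objects schema-qualified.
CREATE USER app_owner IDENTIFIED BY "<owner-password-placeholder>"
  DEFAULT TABLESPACE users QUOTA UNLIMITED ON users;
GRANT CREATE TABLE TO app_owner;

CREATE TABLE app_owner.orders (
  order_id   NUMBER        PRIMARY KEY,
  customer   VARCHAR2(100) NOT NULL,
  amount     NUMBER(12,2)  NOT NULL
);

-- 2. Least-privilege role: only the object privileges the application needs.
--    No DROP, ALTER or CREATE rights on the owner's objects are granted.
CREATE ROLE app_user_role;
GRANT SELECT, INSERT ON app_owner.orders TO app_user_role;

-- 3. End-user login: owns nothing; it can connect and use the role, nothing more.
CREATE USER app_user IDENTIFIED BY "<user-password-placeholder>";
GRANT CREATE SESSION, app_user_role TO app_user;

-- 4. AFTER LOGON trigger on the end-user schema. From now on an unqualified
--    name such as ORDERS resolves in APP_OWNER, so no synonyms are needed.
--    CURRENT_SCHEMA changes name resolution only, never privileges: APP_USER
--    still can only do what the grants in step 2 allow.
CREATE OR REPLACE TRIGGER app_user_set_schema
  AFTER LOGON ON app_user.SCHEMA
BEGIN
  EXECUTE IMMEDIATE 'ALTER SESSION SET CURRENT_SCHEMA = app_owner';
END;
/

-- 5. Verification, run from a session connected as APP_USER:
--    SESSION_USER stays APP_USER (auditing still sees the real login),
--    CURRENT_SCHEMA reports APP_OWNER, and the unqualified query works.
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER')   AS logged_in_as,
       SYS_CONTEXT('USERENV', 'CURRENT_SCHEMA') AS resolves_names_in
  FROM dual;

SELECT order_id, customer, amount FROM orders;
```

The check in step 5 is the one worth keeping in a runbook: because SESSION_USER is unchanged, audit trails and V$SESSION still attribute activity to APP_USER, while the application code can stay free of schema prefixes. If the trigger body fails, ordinary (non-DBA) logons to APP_USER are refused, so test the trigger on a non-production account before rolling it out.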
-----Original Message-----
Sent: Wednesday, October 01, 2003 5:19 PM
To: Multiple recipients of list ORACLE-L

Our security folks just sent me this.

Ian MacGregor
Stanford Linear Accelerator Center
ian_at_slac.stanford.edu

-----Original Message-----
Sent: Tuesday, September 30, 2003 1:35 PM
To: NTBUGTRAQ_at_LISTSERV.NTBUGTRAQ.COM

I've posted the presentation I gave at OracleWorld last month. This presentation covers writing secure code in Oracle databases and Oracle Application Server. The topics covered include:

Managing state
Query parameters
Hidden fields
Cookies
Cross-site scripting
SQL Injection
PL/SQL Injection
Buffer overflows in EXTPROC
Resources

You can download the presentation at
http://www.appsecinc.com/techdocs/presentations.html under the heading
"Writing Secure Code in Oracle Presentation".

I welcome comments and criticisms.

Regards,
Aaron



Aaron C. Newman
CTO/Founder
Application Security, Inc.
www.appsecinc.com
Phone: 212-420-9270
Fax: 212-420-9680
- Securing Business by Securing Enterprise Applications -

Sent: Friday, October 24, 2003 10:14 AM
To: Multiple recipients of list ORACLE-L

We are an Application Service Provider--we maintain a set of servers in a colocation facility and our customers use our application via the Web. Security is a paramount concern, of course, and only our Web server has a public IP address, with the application and database servers completely private.

We supply a number of standard reports, but most of our customers want some custom reports as well. We would like to give them access to our database, possibly over a VPN, but only if security can be maintained. I'd like to know if anyone has faced such a situation, and what kind of configuration (network/firewall/VPN/Oracle Net) might make such access possible.

TIA,



Paul Baumgartel
Transcentive, Inc.
www.transcentive.com

-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.net
-- 
Author: Paul Baumgartel
  INET: treegarden_at_yahoo.com

Fat City Network Services    -- 858-538-5051 http://www.fatcity.com
San Diego, California        -- Mailing list and web hosting services
---------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).
-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.net
-- 
Author: DENNIS WILLIAMS
  INET: DWILLIAMS_at_LIFETOUCH.COM
Received on Fri Oct 24 2003 - 12:29:26 CDT