
RE: VPN to database?

From: Jared Still <jkstill_at_cybcon.com>
Date: Fri, 24 Oct 2003 15:29:32 -0800
Message-ID: <F001.005D43E3.20031024152932@fatcity.com>


Yes, I will ditto the recommendation for Pete Finnigan's book.

Jared

On Fri, 2003-10-24 at 10:29, DENNIS WILLIAMS wrote:
> Paul - We have some of the similar issues here (network/firewall/VPN/Oracle
> Net). Based on your description of your business, you probably have some
> competent network engineers on staff. My experience is that they routinely
> handle issues like this, and you probably won't need to get involved in the
> actual configuration. However, you should educate yourself in the security
> issues involved so you can participate intelligently in any discussions from
> the database point of view. As a starter, I am including two recent
> excellent postings to this list from Tim Gorman and Ian MacGregor. Just
> scroll down.
>
> Dennis Williams
> DBA
> Lifetouch, Inc.
> dwilliams_at_lifetouch.com
>
> Sent: Thursday, August 07, 2003 10:25 AM
> To: Multiple recipients of list ORACLE-L
>
>
> Sandro,
>
> There is an excellent book on "Oracle Security" available online from
> "http://www.sans.org". Concise, organized, and prioritized. Also, Newman
> and Theriault's "Oracle Security Handbook" from Oracle Press is chock full
> of common sense...
>
> Not sure what the question about "automating the migration of stored
> procedures" refers to. Could you provide more information? I don't think I
> understand the problem...
>
> Storing password files on the database server is mainly an exercise in
> ensuring that OS security and file permissions are properly implemented. If you
> cannot ensure that OS files are properly secured, then the entire Oracle
> database is at risk, not to mention files containing clear-text passwords.
> After all, one can view data within datafiles using programs other than the
> Oracle RDBMS...
>
> The idea of creating production schemas/logins to separate object ownership
> from application/end-user access is excellent. To avoid using synonyms,
> consider the functionality of the "ALTER SESSION SET CURRENT_SCHEMA =
> <ownership-schema>" command being executed in an AFTER LOGON trigger in all
> accounts used for end-user access. It is a little-known but wonderfully
> manageable bit of functionality...
>
> Hope this helps...
>
> -Tim
> -----Original Message-----
> Sent: Wednesday, October 01, 2003 5:19 PM
> To: Multiple recipients of list ORACLE-L
>
>
> Our security folks just sent me this.
>
> Ian MacGregor
> Stanford Linear Accelerator Center
> ian_at_slac.stanford.edu
>
> -----Original Message-----
> Sent: Tuesday, September 30, 2003 1:35 PM
> To: NTBUGTRAQ_at_LISTSERV.NTBUGTRAQ.COM
>
>
> I've posted the presentation I gave at OracleWorld last month. This
> presentation covers writing secure code in Oracle databases and Oracle
> Application Server. The topics covered include:
>
> Managing state
> Query parameters
> Hidden fields
> Cookies
> Cross-site scripting
> SQL Injection
> PL/SQL Injection
> Buffer overflows in EXTPROC
> Resources
>
> You can download the presentation at
> http://www.appsecinc.com/techdocs/presentations.html under the heading
> "Writing Secure Code in Oracle Presentation".
>
> I welcome comments and criticisms.
>
> Regards,
> Aaron
> _______________________________
> Aaron C. Newman
> CTO/Founder
> Application Security, Inc.
> www.appsecinc.com
> Phone: 212-420-9270
> Fax: 212-420-9680
> - Securing Business by Securing Enterprise Applications -
>
>
> Sent: Friday, October 24, 2003 10:14 AM
> To: Multiple recipients of list ORACLE-L
>
>
> We are an Application Service Provider--we maintain a set of servers in
> a colocation facility and our customers use our application via the
> Web. Security is a paramount concern, of course, and only our Web
> server has a public IP address, with the application and database
> servers completely private.
>
> We supply a number of standard reports, but most of our customers want
> some custom reports as well. We would like to give them access to our
> database, possibly over a VPN, but only if security can be maintained.
> I'd like to know if anyone has faced such a situation, and what kind of
> configuration (network/firewall/VPN/Oracle Net) might make such access
> possible.
>
> TIA,
>
>
>
> =====
> Paul Baumgartel
> Transcentive, Inc.
> www.transcentive.com
>
> --
> Please see the official ORACLE-L FAQ: http://www.orafaq.net
> --
> Author: Paul Baumgartel
> INET: treegarden_at_yahoo.com
>
> Fat City Network Services -- 858-538-5051 http://www.fatcity.com
> San Diego, California -- Mailing list and web hosting services
> ---------------------------------------------------------------------
> To REMOVE yourself from this mailing list, send an E-Mail message
> to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
> the message BODY, include a line containing: UNSUB ORACLE-L
> (or the name of mailing list you want to be removed from). You may
> also send the HELP command for other information (like subscribing).
> --
> Please see the official ORACLE-L FAQ: http://www.orafaq.net
> --
> Author: DENNIS WILLIAMS
> INET: DWILLIAMS_at_LIFETOUCH.COM
>

-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.net
-- 
Author: Jared Still
  INET: jkstill_at_cybcon.com

Received on Fri Oct 24 2003 - 18:29:32 CDT
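
Added example (not part of the original thread or written by any of its posters): one way to set up the ownership-schema / end-user-account split with an AFTER LOGON trigger, as described in Tim Gorman's quoted message. The names APP_OWNER, APP_USER and ORDERS, the USERS tablespace and the passwords are placeholders assumed for illustration; run the setup from a DBA account.

```sql
-- Ownership schema: holds the objects and is locked so nobody logs in as it.
-- (APP_OWNER, APP_USER, ORDERS and the USERS tablespace are assumed names.)
CREATE USER app_owner IDENTIFIED BY "placeholder_owner_pw"
  DEFAULT TABLESPACE users QUOTA UNLIMITED ON users
  ACCOUNT LOCK;

CREATE TABLE app_owner.orders (
  order_id  NUMBER PRIMARY KEY,
  customer  VARCHAR2(40)
);

-- End-user account: may connect and read, owns nothing.
CREATE USER app_user IDENTIFIED BY "placeholder_user_pw";
GRANT CREATE SESSION TO app_user;
GRANT SELECT ON app_owner.orders TO app_user;

-- Schema-level logon trigger: fires only for APP_USER sessions and points
-- unqualified object names at APP_OWNER, so no synonyms are required.
CREATE OR REPLACE TRIGGER app_user.set_current_schema
  AFTER LOGON ON app_user.SCHEMA
BEGIN
  EXECUTE IMMEDIATE 'ALTER SESSION SET CURRENT_SCHEMA = APP_OWNER';
END;
/

-- Check, connected as APP_USER: the session user is unchanged, only name
-- resolution moves to the ownership schema.
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER')   AS session_user,
       SYS_CONTEXT('USERENV', 'CURRENT_SCHEMA') AS current_schema
FROM   dual;

-- Unqualified reference now resolves to APP_OWNER.ORDERS.
SELECT COUNT(*) FROM orders;

-- Still fails with insufficient privileges: only SELECT was granted.
DELETE FROM orders;
```

CURRENT_SCHEMA changes name resolution only; it grants no privileges, so the object grants on APP_OWNER remain the access control and should be kept to the minimum each account needs.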
