
RE: VPN to database?

From: Paul Baumgartel <treegarden_at_yahoo.com>
Date: Mon, 27 Oct 2003 10:29:25 -0800
Message-ID: <F001.005D4B33.20031027102925@fatcity.com>


Never mind, I see that it is. Thanks.
--- Paul Baumgartel <treegarden_at_yahoo.com> wrote:
> Jared,
>
> Is that the book from sans.org?
>
> Thanks,
>
> Paul
>
>
> --- Jared Still <jkstill_at_cybcon.com> wrote:
> > Yes, I will ditto the recommendation for Pete Finnigan's book.
> >
> > Jared
> >
> > On Fri, 2003-10-24 at 10:29, DENNIS WILLIAMS wrote:
> > > Paul - We have some of the similar issues here
> > > (network/firewall/VPN/Oracle Net). Based on your description of
> > > your business, you probably have some competent network engineers
> > > on staff. My experience is that they routinely handle issues like
> > > this, and you probably won't need to get involved in the actual
> > > configuration. However, you should educate yourself in the security
> > > issues involved so you can participate intelligently in any
> > > discussions from the database point of view. As a starter, I am
> > > including two recent excellent postings to this list from Tim
> > > Gorman and Ian MacGregor. Just scroll down.
> > >
> > > Dennis Williams
> > > DBA
> > > Lifetouch, Inc.
> > > dwilliams_at_lifetouch.com
> > >
> > > Sent: Thursday, August 07, 2003 10:25 AM
> > > To: Multiple recipients of list ORACLE-L
> > >
> > >
> > > Sandro,
> > >
> > > There is an excellent book on "Oracle Security" available online
> > > from "http://www.sans.org". Concise, organized, and prioritized.
> > > Also, Newman and Theriault's "Oracle Security Handbook" from Oracle
> > > Press is chock full of common sense...
> > >
> > > Not sure what the question about "automating the migration of
> > > stored procedures" refers to. Could you provide more information?
> > > I don't think I understand the problem...
> > >
> > > Storing password files on the database server is mainly an exercise
> > > in ensuring that OS security and file permissions are properly
> > > implemented. If you cannot ensure that OS files are properly
> > > secured, then the entire Oracle database is at risk, not to mention
> > > files containing clear-text passwords. After all, one can view data
> > > within datafiles using programs other than the Oracle RDBMS...
> > >
> > > The idea of creating production schemas/logins to separate object
> > > ownership from application/end-user access is excellent. To avoid
> > > using synonyms, consider the functionality of the
> > > "ALTER SESSION SET CURRENT_SCHEMA = <ownership-schema>" command
> > > being executed in an AFTER LOGON trigger in all accounts used for
> > > end-user access. It is a little-known but wonderfully manageable
> > > bit of functionality...
> > >
> > > Hope this helps...
> > >
> > > -Tim
> > > -----Original Message-----
> > > Sent: Wednesday, October 01, 2003 5:19 PM
> > > To: Multiple recipients of list ORACLE-L
> > >
> > >
> > > Our security folks just sent me this.
> > >
> > > Ian MacGregor
> > > Stanford Linear Accelerator Center
> > > ian_at_slac.stanford.edu
> > >
> > > -----Original Message-----
> > > Sent: Tuesday, September 30, 2003 1:35 PM
> > > To: NTBUGTRAQ_at_LISTSERV.NTBUGTRAQ.COM
> > >
> > >
> > > I've posted the presentation I gave at OracleWorld last month.
> > > This presentation covers writing secure code in Oracle databases
> > > and Oracle Application Server. The topics covered include:
> > >
> > > Managing state
> > > Query parameters
> > > Hidden fields
> > > Cookies
> > > Cross-site scripting
> > > SQL Injection
> > > PL/SQL Injection
> > > Buffer overflows in EXTPROC
> > > Resources
> > >
> > > You can download the presentation at
> > > http://www.appsecinc.com/techdocs/presentations.html under the
> > > heading "Writing Secure Code in Oracle Presentation".
> > >
> > > I welcome comments and criticisms.
> > >
> > > Regards,
> > > Aaron
> > > _______________________________
> > > Aaron C. Newman
> > > CTO/Founder
> > > Application Security, Inc.
> > > www.appsecinc.com
> > > Phone: 212-420-9270
> > > Fax: 212-420-9680
> > > - Securing Business by Securing Enterprise Applications -
> > >
> > >
> > > Sent: Friday, October 24, 2003 10:14 AM
> > > To: Multiple recipients of list ORACLE-L
> > >
> > >
> > > We are an Application Service Provider--we maintain a set of
> > > servers in a colocation facility and our customers use our
> > > application via the Web. Security is a paramount concern, of
> > > course, and only our Web server has a public IP address, with the
> > > application and database servers completely private.
> > >
> > > We supply a number of standard reports, but most of our customers
> > > want some custom reports as well. We would like to give them access
> > > to our database, possibly over a VPN, but only if security can be
> > > maintained. I'd like to know if anyone has faced such a situation,
> > > and what kind of configuration (network/firewall/VPN/Oracle Net)
> > > might make such access possible.
> > >
> > > TIA,
> > >
> > >
> > >
> > > =====
> > > Paul Baumgartel
> > > Transcentive, Inc.
> > > www.transcentive.com
> > >
> > > --
> > > Please see the official ORACLE-L FAQ: http://www.orafaq.net
> > > --
> > > Author: Paul Baumgartel
> > > INET: treegarden_at_yahoo.com
> > >
> > > Fat City Network Services -- 858-538-5051 http://www.fatcity.com
> > > San Diego, California -- Mailing list and web hosting services
> > > ---------------------------------------------------------------------
> > > To REMOVE yourself from this mailing list, send an E-Mail message
> > > to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
> > > the message BODY, include a line containing: UNSUB ORACLE-L
> > > (or the name of mailing list you want to be removed from). You may
> > > also send the HELP command for other information (like
>

=== message truncated ===



Received on Mon Oct 27 2003 - 12:29:25 CST
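
Added example, not part of the original thread: a sketch in Oracle SQL of the AFTER LOGON trigger approach Tim Gorman describes in the quoted posting, applied to a read-only reporting login. The names APP_OWNER, APP_READ, REPORT_USER, the ORDERS table and the USERS tablespace are assumptions, and `<password>` is a placeholder.

```sql
-- Added example, not from the thread. Assumed names: APP_OWNER (ownership
-- schema), APP_READ (role), REPORT_USER (end-user login), ORDERS (table),
-- USERS (tablespace). Run steps 1-4 as a DBA; <password> is a placeholder.

-- 1. The ownership schema holds the objects and is never used to log in.
CREATE USER app_owner IDENTIFIED BY "<password>"
  DEFAULT TABLESPACE users QUOTA 10M ON users ACCOUNT LOCK;

CREATE TABLE app_owner.orders (
  order_id    NUMBER PRIMARY KEY,
  customer_id NUMBER,
  amount      NUMBER
);

-- 2. Access is granted through a role that carries only what reporting needs.
CREATE ROLE app_read;
GRANT SELECT ON app_owner.orders TO app_read;

-- 3. The end-user login can connect and read, and owns nothing.
CREATE USER report_user IDENTIFIED BY "<password>";
GRANT CREATE SESSION, app_read TO report_user;

-- 4. Instead of synonyms: point name resolution at the ownership schema
--    every time REPORT_USER logs on.
CREATE OR REPLACE TRIGGER report_user.set_current_schema
  AFTER LOGON ON report_user.SCHEMA
BEGIN
  EXECUTE IMMEDIATE 'ALTER SESSION SET CURRENT_SCHEMA = APP_OWNER';
END;
/

-- 5. Check, connected as REPORT_USER. The login identity is unchanged;
--    only the default schema for unqualified names differs.
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER')   AS login_user,
       SYS_CONTEXT('USERENV', 'CURRENT_SCHEMA') AS current_schema
FROM   dual;

SELECT COUNT(*) FROM orders;  -- resolves to APP_OWNER.ORDERS without a synonym
DELETE FROM orders;           -- fails: only SELECT was granted through APP_READ
```

CURRENT_SCHEMA changes name resolution only and grants no privileges, so what the login can do is still decided entirely by the grants in steps 2 and 3.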
