Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: Best Practice - Oracle Network thru Firewall

From: Tony Jambu <tjambu_freelists_at_yahoo.com.au>
Date: Tue, 07 Mar 2006 08:01:47 +1100
Message-Id: <7.0.1.0.2.20060307075651.05118758@yahoo.com.au>


Hi Paul

The decision to allow external users to use direct Oracle Network was taken by the business long ago and we have to live with that.

Using SSH is an option but that would mean quite a fair bit of maintaining the accounts and guiding the users on how to use programs like Putty. The OSes are UNIXes and already have SSH on them. Thanks for the offer of help.

All our databases are EE edition so CMAN is not an issue. Has anyone used CMAN to do this?

ta
tony

At 02:31 AM 7/03/2006, Paul Drake wrote:
>On 3/6/06, Tony Jambu <tjambu_freelists_at_yahoo.com.au> wrote:
>Hi all
>
>Looking for best practice for allowing Oracle Network (functionality)
>thru a firewall.
>
>Scenario
>Client wants to allow external clients to access information in the internal network
>as well as internal client having access to databases in the DMZ.
>
> Trusted Clients
> |
> DMZ v
>External ---> FW (ext) >-------->FW (Int)------>Internal dbs
>
> DMZ
> FW (ext) ----dbs<---FW (Int)<----- Int Users
>
>
>basically client wants to access database in the DMZ
>and allow clients to access some information in the internal corporate database.
>
>Other than explicitly allowing port say 1521 across the Internal FW to specific internal/DMZ servers, what other options are there?
>
>1. Oracle Connection Manager?
>2. Proxy servers (like 3rd party ODBC server)?
>
>Basically, what I am looking at is to stop someone from directly accessing the listeners at the servers. (Yes the listeners have been hardened)
>
>Any bright ideas or suggestions? Your help is much appreciated.
>
>
>ta
>tony
>
>
>
>Tony,
>
>A "best practice" would be to disallow such connections.
>Next best would be for such users to connect (securely) to an app server in the DMZ.
>If "direct access" to the Oracle server needs to be supported, do so via a VPN.
>If no existing VPN is available, use OpenSSH. The users will be able with the use of port forwarding (with an ssh client such as putty) to use (fat) Oracle client tools against the remote database and still get dedicated server sessions (unlike with using dispatchers). This will require that they be able to authenticate against the remote Oracle server operating system, or its domain.
>
>There are other options, just none that I would consider to be a best practice.
>AFAIK, CMAN is an enterprise edition only feature.
>
>What OSes are in this environment - as the Oracle server might already have an OpenSSH dæmon running on it. If it's a win32 OS, Cygwin will help.
>
>Let me know if you need help setting up.
>
>Paul
>
>

--
http://www.freelists.org/webpage/oracle-l
Received on Mon Mar 06 2006 - 15:01:47 CST
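An added example, not from the thread, of the OpenSSH port-forward setup Paul describes: the ssh command that forwards a loopback port to the listener, and the tnsnames.ora entry that points the fat client at the local end of the tunnel with a dedicated server session. The host names, user, alias and service name are placeholder assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Wraps an Oracle client session in an
# OpenSSH local port forward so port 1521 never has to be opened through the
# firewall; only the SSH port on the gateway is reachable from outside.
# Hostnames, user and ports below are assumed placeholders.

# Build the ssh command for the forward. Binding the local end to 127.0.0.1
# stops other machines on the user's LAN from riding the tunnel; -N opens no
# remote shell. Run it in one terminal and leave it up while the client works.
forward_cmd() {
  lport=$1; gateway=$2; db_host=$3; db_port=${4:-1521}
  printf 'ssh -N -L 127.0.0.1:%s:%s:%s %s\n' "$lport" "$db_host" "$db_port" "$gateway"
}

# tnsnames.ora entry for the fat client: HOST is the loopback end of the
# tunnel, and SERVER=DEDICATED asks for a dedicated server process rather
# than a dispatcher, as Paul notes is possible with port forwarding.
tns_entry() {
  alias=$1; lport=$2; service=$3
  cat <<EOF
$alias =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = 127.0.0.1)(PORT = $lport))
    (CONNECT_DATA = (SERVER = DEDICATED)(SERVICE_NAME = $service)))
EOF
}

# Caveat for listener-side address filtering (TCP.VALIDNODE_CHECKING): the
# listener sees the connection arriving from the gateway, not from the user's
# PC, so the gateway's address (or 127.0.0.1 when the gateway is the DB host
# itself) is what must be in the invited-node list.
#
# Usage (placeholders):
#   forward_cmd 1521 dba@gateway.example internal-db   # run the printed command
#   tns_entry INTDB 1521 intdb.example >> "$TNS_ADMIN/tnsnames.ora"
#   sqlplus scott@INTDB                                  # goes through the tunnel
```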
