Re: Question re security

From: Niall Litchfield <niall.litchfield_at_gmail.com>
Date: Tue, 14 Jan 2014 10:18:50 +0000
Message-ID: <CABe10sZCaSdDvXcbiCO6s_gj6nRDaCdeWTet0uFQz1wLsVPZdA_at_mail.gmail.com>

I'm no security expert - You'll need the other Litchfield for that :) - but we have a similar setup here. There are several things which I believe apply here.
  1. Principle of least privilege: The vast majority of workstations do not need direct access to sensitive resources, nor do the vast majority of application or database servers require direct access to non-related resources.
  2. Ensuring you guard against the major risks. Inside attacks are by far the most common *cough*snowden*cough*.
  3. If system a is compromised, then segmenting and separating it from system b makes it much less likely that system b will be compromised.

I don't have access to our bandwidth figures (and likely wouldn't share them on a public forum anyway), but my *expectation* is that bandwidth and latency are not adversely affected by such a security setup - if they are then there would be an expectation that the network admins would work to reduce the latency/bandwidth hit - for example I know that on some firewalls SQL*Net packet inspection can be a significant CPU drain, in such a case one might choose not to implement packet inspection between known "whitelisted" hosts.

On the whole though I'd expect not to be able to move from "application system" to "application system" without encountering such barriers.

On Tue, Jan 14, 2014 at 7:51 AM, Nuno Souto <dbvision_at_iinet.net.au> wrote:

> Simple question, hopefully I'll get some answers! :)
> Because if I don't, some security "expert" heads will roll as a result...
>
> Who here has database servers, app servers, admin and dev workstations,
> each in its own subnet (4 subnets),
> with firewalls between each subnet,
> all inside the company's intranet?
>
> I'd just like to know why and what security expectations, imperatives,
> constraints/conditions are being addressed/resolved by such a setup?
>
> As well if you do, then what is the expected and measured network bandwidth
> AND latency between subnets, through the firewalls.
>
> "clickety-click grid control and hope for the best" dbas need not reply,
> thanking you very much...
>
>
> -- Cheers
> Nuno Souto
> dbvision_at_iinet.net.au
> --
> http://www.freelists.org/webpage/oracle-l
>
>
>

-- 
Niall Litchfield
Oracle DBA
http://www.orawin.info
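One way to make points 1 and 3 of the reply concrete for the four-subnet layout in the question is a default-deny inter-zone policy with a short allow-list, so that a compromised host's direct reach can be enumerated. This is an added illustration, not code from this thread or any product; the subnet addresses, port numbers and rules are assumed (1521 is the Oracle listener port, 22 is SSH).

```python
import ipaddress
from dataclasses import dataclass

# Constructed subnets for the four zones in the question (assumed addresses).
ZONES = {
    "db":    ipaddress.ip_network("10.10.1.0/24"),
    "app":   ipaddress.ip_network("10.10.2.0/24"),
    "admin": ipaddress.ip_network("10.10.3.0/24"),
    "dev":   ipaddress.ip_network("10.10.4.0/24"),
}

@dataclass(frozen=True)
class Rule:
    src: str    # source zone name
    dst: str    # destination zone name
    port: int   # TCP destination port

# Default deny between zones; only these inter-zone flows are permitted.
# This is the least-privilege allow-list; everything else crosses no firewall.
ALLOW = {
    Rule("app", "db", 1521),    # app tier speaks SQL*Net to the database tier
    Rule("admin", "db", 22),    # DBAs administer database hosts over SSH
    Rule("admin", "app", 22),   # admins reach app hosts over SSH
    Rule("dev", "app", 8080),   # developers test against the app tier only
}

def zone_of(ip):
    """Return the zone name containing `ip`, or None if it is in no zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None

def permitted(src_ip, dst_ip, port):
    """True if the inter-subnet firewalls let this TCP flow through."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return False        # unknown addresses are never trusted
    if src == dst:
        return True         # traffic inside one subnet crosses no firewall
    return Rule(src, dst, port) in ALLOW

def blast_radius(zone):
    """(zone, port) pairs a compromised host in `zone` can reach directly."""
    return sorted((r.dst, r.port) for r in ALLOW if r.src == zone)
```

`blast_radius("dev")` shows that a compromised developer workstation gets one port on the app tier and nothing on the database tier, which is the separation point 3 argues for.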

--
http://www.freelists.org/webpage/oracle-l
Received on Tue Jan 14 2014 - 11:18:50 CET