Re: Question re security

From: Paresh Yadav <yparesh_at_gmail.com>
Date: Fri, 17 Jan 2014 16:25:31 -0500
Message-ID: <CAPXEL0LNpWQvdJs0mMxwXEn1hFOQRcqLU0ZK1NkLmWjSVXAOrQ_at_mail.gmail.com>



On spoofing the IP address, other than a DoS attack (which in itself is serious enough), can the attacker cause any other damage? I believe not, as they won't be able to make a database connection etc. From http://en.wikipedia.org/wiki/IP_address_spoofing "The machine that receives spoofed packets will send a response back to the forged source address, which means that this technique is mainly used when the attacker does not care about the response or the attacker has some way of guessing the response."

I am curious to know, as we are looking at a situation where one of the suggestions is to limit access by permitted IP address list alone.

Thanks
Paresh
416-688-1003

On Fri, Jan 17, 2014 at 2:12 PM, Guillermo Alan Bort <cicciuxdba_at_gmail.com> wrote:

> A couple of years ago when we were migrating a bunch of databases to a new
> datacenter and upgrading everything to 11.2 we started a discussion about
> securing the listener by filtering the set of IP addresses from which the
> listener would accept connections. In the end we decided that the firewall
> was protection enough. The networks were pretty well segmented and only the
> app server subnet had access to the listener (and a terminal server from
> which us DBAs could run TOAD). We had OEM on the app server subnet. This
> was a clear three-tier environment where the app servers were just service
> providers and we had tier one apps consuming those services and facing the
> web through reverse proxies and stuff like that. We were pretty happy with
> security, but my question for the experts is whether it is worth the effort
> of defining and maintaining a list of valid ip addresses for the listener.
> Much like changing the port it seems that it would be only too easy for a
> "hacker" to just spoof a valid IP address (any hacker worth their salt
> should be able to do so in a few seconds... if they know what IP address to
> spoof, that is... but obscurity is not security...)
>
> cheers
>
> Alan.-
>
>

--
http://www.freelists.org/webpage/oracle-l
Received on Fri Jan 17 2014 - 22:25:31 CET