| Oracle FAQ | Your Portal to the Oracle Knowledge Grid | |
 |
 | |||
| Oracle FAQ | Your Portal to the Oracle Knowledge Grid | |
|
| |||
Home -> Community -> Usenet -> c.d.o.misc -> Re: Is the client IP address available
Check with Oracle8i (8.1.6) Supplied Packages Reference for the UTL_TCP
package.
Eugene.
Billy Verreynne <vslabs_at_onwe.co.za> wrote in message
news:8bqaic$fep$1_at_ctb-nnrp1.saix.net...
> Kevin Wise wrote in message <8booah$ia6$1_at_schbbs.mot.com>...
> >Is there any way to determine the IP address of the client from PL/SQL or
> >Java? I am trying to write a trigger that records the IP address where
> >certain changes are coming from. Thanks!
>
>
> My guess is no. If you're lucky, the client may specify an ip address in
the
> connection string that you can pick up in V$SESSIONS - e.g. Cognus'
> Impromptu tool used to do (still does?) this.
>
> On NT for example, the domain (or workgroup) and NetBIOS name of the
machine
> is specified (a feature of SQL*Net/Net8 on NT I believe).
>
> But there are several problems doing this type of thing.
>
> Not all clients specify the same type of connection strings, which renders
> the machine column in V$SESSION inconsistent. To access the V$SESSION
table
> requires DBA privs which may not be a good idea to grant for the owner of
> the trigger.
>
> Then there's the concept of using IP addresses - an ip address is very
> easily changed or spoofed. This can not be used to try and identify the
> machine who originated the change in data in Oracle. A better "address" is
> the physical Mac address of the network card. But even then, it is very
easy
> to walk into the office, slap in a network card from home into the PC and
> then change Oracle data to your heart's content without the slightest fear
> in being traced.
>
> IMHO, logging ip addresses may seem like a good idea, but it a waste of
time
> and resources and seldom achieve anything. Especially if the plan is to
use
> this for auditing and security purposes. It is really not difficult
hitting
> a target machine with a DoS attack and then spoofing that machine's IP
> address. Even ordinary users in your organisation can do this by simply
> downloading the right "tools" from the web (speaking here from personal
> experiences).
>
> Remember, that Oracle provides extensive security. It's a good idea to use
> it. The operating system Oracle runs on (be it NT or Unix) also provides
> security. Use it. If network security is critical, then use a firewall to
> protect your servers. If you need a middle layer between the client and
the
> server, then use 3 tier architecture and an application server that plays
> cop.
>
> Security is often an afterthought in database design and client-server
> implementations. And to be honest (without knowing the details of why you
> want to do this), recording ip addresses -sounds- to me a lot like a mere
> security afterthought.
>
> My crazed thoughts on the subject anyway... :-)
>
> regards,
> Billy
>
>
>
Received on Tue Mar 28 2000 - 09:13:56 CST
 |
 |