Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: how to link Apache and Oracle?

From: Billy Verreynne <vslabs_at_onwe.co.za>
Date: 19 Feb 2004 21:43:07 -0800
Message-ID: <1a75df45.0402192143.622482ff@posting.google.com>


gmuldoon <gmuldoon_nospam_at_scu.edu.au> wrote:

> Agreed. Putting in a firewall doesn't mean you're secure. But it can be
> one of a number of measures which somewhat mitigate certain risks.

Agree.

> > If those applications reside in Oracle, what is compromised? Only the
> > web server.
>
> And the machine itself that it runs on.

Exactly my point. Which is why it is so dangerous using any form of application-based CGIs (e.g. Perl, PHP, ASP, JSP etc) on that web server.

And which is why I argue that it is safer to treat the web server as a dumb Oracle client, with no application code residing at web server side - having that code in PL/SQL in Oracle instead.

> If you run a single box with both Apache (either standalone or Oracle-
> supplied) and Oracle and are attacked using an Apache-based exploit, it
> can be used to bring the whole box to a grinding halt.

Again, so what? If the web server is compromised, how does this impact the security and integrity of my data and applications in Oracle?

We can protect data and apps in Oracle against SQL*Plus access. I.e. the client has the full-blown SQL and PL/SQL language at his disposal to access the data and applications in Oracle. Oracle provides everything from resource usage profiles to FGAC and label security - even full integration with LDAP.

If we can do that to a SQL*Plus client, we can do all that also for a web server that is an Oracle client - provided there is NO application code on that server, as that needs to be secured in Oracle.

So with the web server compromised, what does the hacker gain? Nothing. Except the ability to use the web server as a wall for his graffiti.

> We have a farm of Apache app servers and, more critically, a number of
> internal fat client apps all talking to a "single" (actually a load-
> balanced setup) data server.

Yeah... whatever. Simply proves in my mind again that the app tier proponents have no clue as to what load balancing means when dealing with data processing platforms. And that is *exactly* what you deal with when you use a database server.

> If one Apache server machine goes belly-up, I want the database there
> for the others.

That is called redundancy - not load balancing.

--
Billy
Received on Thu Feb 19 2004 - 23:43:07 CST
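As an added example (not code from the post or the thread), one way to set up what Billy describes above: a web-tier account that owns no application code and can only execute a PL/SQL API, bounded by a resource profile, with an FGAC (VPD) policy on the table underneath. The APP schema, table, package and account names are assumptions for illustration.

```sql
-- Resource profile: bound what any single web-tier session can consume
-- (resource limits take effect only when RESOURCE_LIMIT = TRUE)
CREATE PROFILE web_client_profile LIMIT
  SESSIONS_PER_USER      50
  CPU_PER_CALL           3000    -- hundredths of a second
  LOGICAL_READS_PER_CALL 10000
  IDLE_TIME              5       -- minutes
  FAILED_LOGIN_ATTEMPTS  5;
-- The account Apache connects as: it owns nothing and may only log in
CREATE USER websrv IDENTIFIED BY "change-me-placeholder"
  PROFILE web_client_profile QUOTA 0 ON users;
GRANT CREATE SESSION TO websrv;
-- Data and logic live in the APP schema (assumed to exist already)
CREATE TABLE app.orders (
  order_id    NUMBER       PRIMARY KEY,
  customer_id NUMBER       NOT NULL,
  amount      NUMBER(12,2) NOT NULL);
-- Definer's-rights API: the only object websrv will be able to touch
CREATE OR REPLACE PACKAGE app.order_api AUTHID DEFINER AS
  PROCEDURE list_orders(p_customer_id IN NUMBER, p_rows OUT SYS_REFCURSOR);
END order_api;
/
-- Application context that only app.order_api may populate
CREATE CONTEXT app_ctx USING app.order_api;
-- FGAC (VPD) predicate: rows are visible only for the customer in the context;
-- with the context unset the predicate is NULL and no rows come back
CREATE OR REPLACE FUNCTION app.orders_policy(p_schema VARCHAR2, p_obj VARCHAR2)
  RETURN VARCHAR2 IS
BEGIN
  RETURN 'customer_id = SYS_CONTEXT(''app_ctx'', ''customer_id'')';
END orders_policy;
/
BEGIN
  DBMS_RLS.ADD_POLICY(object_schema => 'APP', object_name => 'ORDERS',
    policy_name => 'orders_by_customer', function_schema => 'APP',
    policy_function => 'orders_policy',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE', update_check => TRUE);
END;
/
CREATE OR REPLACE PACKAGE BODY app.order_api AS
  PROCEDURE list_orders(p_customer_id IN NUMBER, p_rows OUT SYS_REFCURSOR) IS
  BEGIN
    -- in production derive the customer from the authenticated app session,
    -- not from a value the web tier passes in
    DBMS_SESSION.SET_CONTEXT('app_ctx', 'customer_id', TO_CHAR(p_customer_id));
    OPEN p_rows FOR SELECT order_id, amount FROM app.orders;  -- VPD applies
  END list_orders;
END order_api;
/
GRANT EXECUTE ON app.order_api TO websrv;
```

With this in place a compromised web tier holds a session that can call `app.order_api` and nothing else; it has no SELECT on `app.orders`, and even a grant later added by mistake would still be filtered by the VPD predicate.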
