
Re: IP address based access control to Oracle (SCO Unix)

From: Piotr Kolodziej <pkol_at_otago.gda.pl>
Date: Thu, 17 Dec 1998 17:07:23 +0100
Message-ID: <75ba88$79k$1@korweta.task.gda.pl>


Martin Ouwehand wrote in message <36791d4d.0_at_epflnews.epfl.ch>...
>We have an Oracle DB running on a SCO Unix server. The data being
>confidential we'd like to restrict the access to the DB to a restricted
>number of machines. By playing with the network (routers, etc.) this
>is easy for machines which are not on the same subnet as the Oracle
>server, but this solution doesn't work for local clients.
>
>Is there a way to configure the Oracle DB in such a way that it'll
>refuse requests except from a given list of clients, based on their
>IP address and/or DNS name ?

First, you may introduce some restrictions with SQL*Net2 or SQL*Net8. Declare in the protocol.ora file:

tcp.validnode_checking=yes
tcp.invited_nodes=(<IP1>,<IP2>,...,<IPn>)

and reload the listener. It has some weak points. First of all, someone may easily assign themselves a permitted IP while the node originally owning it is offline. "Offlining" of that node may be done in some ways: simply by powering it down or by various sorts of DoS attacks. In fact, it provides no authentication for the connecting node.
If you want to achieve much better restrictions, use the Advanced Networking Option or connect to the SQL*Net listener via third-party tunneling/authentication software.

Regards,
--
Piotr Kolodziej pkol_at_otago.gda.pl
Just my private opinion.
Received on Thu Dec 17 1998 - 10:07:23 CST
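
Added example, not part of the original post: a small Python audit of a protocol.ora-style file that checks the two parameters named in the reply and lists what the invited-node filter actually contains. The sample file, its addresses and the function names are constructed for illustration, and each parameter is assumed to sit on a single line as in the post.

```python
import ipaddress

# Constructed sample in the format shown in the post (documentation-range addresses).
SAMPLE = """\
# protocol.ora
tcp.validnode_checking = yes
tcp.invited_nodes = (192.0.2.10, 192.0.2.11, appsrv1.example.com)
"""

def parse_params(text):
    """Return {lowercased name: raw value} for name=value lines, skipping # comments."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            name, value = line.split("=", 1)
            params[name.strip().lower()] = value.strip()
    return params

def audit(text):
    """Return (ip_entries, other_entries, findings) for a protocol.ora-style text."""
    params = parse_params(text)
    ips, others, findings = [], [], []
    if params.get("tcp.validnode_checking", "").lower() != "yes":
        findings.append("tcp.validnode_checking is not set to 'yes' as in the post")
    raw = params.get("tcp.invited_nodes", "")
    entries = [e.strip() for e in raw.strip("()").split(",") if e.strip()]
    if not entries:
        findings.append("tcp.invited_nodes is missing or empty")
    for entry in entries:
        try:
            ips.append(str(ipaddress.ip_address(entry)))
        except ValueError:
            # Hostname or an unfilled placeholder such as <IP1>: needs a manual look.
            others.append(entry)
            findings.append(f"{entry}: not a literal IP address (hostname or placeholder)")
    if entries:
        # The weak point the reply describes: the list filters by address only.
        findings.append("invited nodes are an address filter, not authentication")
    return ips, others, findings

if __name__ == "__main__":
    for finding in audit(SAMPLE)[2]:
        print("-", finding)
```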
