because you can happily pass oracle traffic from a web server or app server
through an appropriate firewall to oracle located on an internal network.
--
Niall Litchfield
Oracle DBA
Audit Commission UK
"Scott Watson" <scott.watson_at_videotron.ca> wrote in message
news:NqUf8.14573$QV2.754929_at_wagner.videotron.net...
> Sorry, but I would like to continue the thread about not putting oracle
> inside the DMZ.
>
> Can anyone say why you would not want it there. To me it sounds like a
good
> idea unless
> I am confused about the purpose of a DMZ.
>
>
> Thanks
> Scott.
>
> "Holger Marzen" <holger_at_marzen.de> wrote in message
> news:a5n8ia$igh$1_at_bluebell.marzen.de...
> > * On 28 Feb 2002 14:36:48 -0800, Relational DBA wrote:
> >
> > >> No big problem, but the machine is located in a DMZ - I cannot have
> > >> connections to other db servers or fancy clicky flashy enterprisy
> tools.
> > >
> > > I do not claim to be the biggest Information Security consultant of
> > > all times, but IMHO Oracle does not belong in the DMZ. I strongly
> > > recommend that you reconsider.
> >
> > That DMZ is not connected to the Internet. These zones are just to
> > separate one customer from another.
> >
> > >> Controlfiles and the rest of the operation system is backed up daily.
I
> > >> use rman without a repository and save the whole db (backup
database),
> > >> switch log and archive the logs (db is in log archive mode).
> > > Construct your backup/recovery strategy so that you eventually end up
> > > with a bunch of files. Just ftp them files to the place from where you
> > > can put 'em on tape/backup media. However, I suggest opening FTP
> > > access right before copying them files and closing it immediately
> > > after that.
> >
> > I never transfer files fith ftp because of security reasons. Scp is much
> > better.
> >
> > >> As I have read I cannot do a timestamp recovery with that data. Is
that
> > >> true? Can I do a complete recovery including the last database backup
> > >> and roll forward with all the available logs?
> > > The control file is where the information about last SCN is stored,
> > > along with a bunch'a other crap. If you overwrite it with an old one
> > > you won't be able to do point-in-time recovery with re-applying redo
> > > logs.
> >
> > Can I do a backup of the current controlfile? I could save this
> > together with the archived logs.
> >
> > >> Another question:
> > >> Would it be possible to mirror the online logs via NFS on another
> > >> machine, so I'd even could roll forward the data with the remaining
log
> > >> if the db machine completely blows up and has to be replaced and
> > >> reinstalled?
> > > NFS is by far not the most secure network service. There's a lengthy
> >
> > The NFS-server would be in the same DMZ.
> >
> > > list of known vulnerabilities. Allowing NFS is asking for some serious
> > > trouble. Besides, NFS is not a speed demon, so your performance will
> > > be sluggish. Try OS-level mirroring instead, and move them Oracle
> > > outt'a DMZ.
> >
> > I already do OS mirroring. But what if the machine melts down. Unlikely,
> > but I want to find out the best backup stragey (no data loss at all).
> > Saving archive logs to tape (or a safe place) is the out-of-the-box
> > stragegy and the amount of lost data is too high for that
> > application/customer. That's why I considered using NFS.
> >
> > But we have an external disk array. I think I should instruct Oracle to
> > have 2 logs in a set and have one copy on the local RAID and another on
> > the remote RAID.
> >
> >
> > --
> > Schluss mit dem Fluglärmterror der US-Luftwaffe im Naturpark
> > Saar-Hunsrück! 25 Jahre Triebwerksgedröhne, Tiefflüge, Luftkämpfe und
> > laute Transportflüge von früh bis nachts sind genug. Lernt *endlich*
> > euch zu benehmen. Zuviel verlangt?
>
>
Received on Sat Mar 02 2002 - 12:47:31 CST
