
Re: Application authorization for a database user

From: DA Morgan <damorgan_at_psoug.org>
Date: Mon, 27 Mar 2006 11:49:10 -0800
Message-ID: <1143488942.696464@yasure.drizzle.com>


krichine_at_juno.com wrote:
> You can not disable local connectivity. If someone is already on your
> database server, they can always use sqlplus or other client to fake
> out whatever application name you are expecting and connect to the
> database (assuming they would otherwise be able to connect to the
> database were it not for your access control).

Well yes and no. You are correct that what is sent to Oracle can be spoofed. So a check for PROGRAM = 'MS Access' can be fooled rather easily.

But if you only allow connections from specific IP addresses with a specific tool, then someone trying to spoof would need to get it perfect, including case, the first time or they'd be caught. And, more importantly, they would need to know what and how you were checking, which would be impossible in a secure environment.

-- 
Daniel A. Morgan
http://www.psoug.org
damorgan_at_x.washington.edu
(replace x with u to respond)
Received on Mon Mar 27 2006 - 13:49:10 CST
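
The check discussed in this reply, sketched as an added example (not code from the original post): an Oracle logon trigger that requires an exact, case-sensitive match on IP address and PROGRAM, records every mismatch, and returns a generic error so the caller does not learn what was tested. The table, procedure and trigger names are hypothetical, and because PROGRAM is client-supplied this works as a tripwire rather than as authentication.

```sql
-- Hypothetical objects, owned by a dedicated security schema. The owner needs
-- a direct grant (not via a role): GRANT SELECT ON sys.v_$session TO <owner>;
CREATE TABLE logon_allowlist (
  username   VARCHAR2(128) NOT NULL,
  ip_address VARCHAR2(45)  NOT NULL,
  program    VARCHAR2(64)  NOT NULL   -- compared exactly, including case
);
CREATE TABLE logon_rejects (
  attempted_at TIMESTAMP DEFAULT SYSTIMESTAMP,
  username     VARCHAR2(128),
  ip_address   VARCHAR2(45),
  program      VARCHAR2(64),
  os_user      VARCHAR2(128)
);

-- Autonomous transaction so the reject row survives the refused logon.
CREATE OR REPLACE PROCEDURE log_logon_reject (
  p_user VARCHAR2, p_ip VARCHAR2, p_program VARCHAR2, p_os_user VARCHAR2
) AS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  INSERT INTO logon_rejects (username, ip_address, program, os_user)
  VALUES (p_user, p_ip, p_program, p_os_user);
  COMMIT;
END;
/

CREATE OR REPLACE TRIGGER trg_check_logon
AFTER LOGON ON DATABASE
DECLARE
  v_user    VARCHAR2(128) := SYS_CONTEXT('USERENV', 'SESSION_USER');
  v_ip      VARCHAR2(45)  := SYS_CONTEXT('USERENV', 'IP_ADDRESS'); -- NULL for local (bequeath) logons
  v_program VARCHAR2(64);
  v_match   PLS_INTEGER;
BEGIN
  -- Only police accounts that have at least one allowlist row.
  SELECT COUNT(*) INTO v_match FROM logon_allowlist WHERE username = v_user;
  IF v_match = 0 THEN RETURN; END IF;
  SELECT program INTO v_program
    FROM v$session WHERE sid = SYS_CONTEXT('USERENV', 'SID');
  SELECT COUNT(*) INTO v_match FROM logon_allowlist
   WHERE username = v_user AND ip_address = v_ip AND program = v_program;
  IF v_match = 0 THEN
    log_logon_reject(v_user, v_ip, v_program, SYS_CONTEXT('USERENV', 'OS_USER'));
    RAISE_APPLICATION_ERROR(-20001, 'Logon denied');  -- generic: reveals nothing about the check
  END IF;
END;
/
```

A local logon by an allowlisted account has a NULL IP address, so it never matches a row and is rejected and logged. Accounts holding the ADMINISTER DATABASE TRIGGER privilege are not stopped by an error raised in a logon trigger, so this does not constrain DBAs.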
