Re: Not able to connect to Oracle database through VPN
Date: Fri, 8 Feb 2008 12:12:57 -0800 (PST)
On Feb 8, 2:13 pm, Frank van Bortel <frank.van.bor..._at_gmail.com> wrote:
> Charles Hooper wrote:
> > I firewall my VPN:
> > (Oracle Server)-(Firewall)-(VPN Server)-(Firewall)-(Internet)
> > Why? So that I can control the type of traffic flowing through the
> > VPN based on port and protocol and the requesting client. Such a
> > setup helps control the damage a remote system can do to the corporate
> > network, as well as control what the computers on the corporate
> > network can do to damage the remote system.
> > Charles Hooper
> > IT Manager/Oracle DBA
> > K&M Machine-Fabricating, Inc.
> Not in my book - you just run VPN server in the DMZ, and have a
> classic, triangular firewall setup. My understanding of
> your description does not match the picture.
> What I was wondering about would be depicted as:
> (Oracle)-(fw)-([VPN+fw])-(fw)-(VPN client)-(oracle client)
> Your description of your setup, I would depict as
> (Oracle)-([VPN+fw])-(VPN client)-(oracle client)
> whereas you depict
> That would be equivalent to
> intranet-(fw)-(DMZ)-fw-internet, a classic setup.
> Your firewall would be open to specific VPN port and protocol
> combinations (UDP:500, proto 50 and 51) - correct?
> Frank van Bortel
I attempted to simplify in the description, completely throwing out the default route to the Internet. Sorry if this caused confusion. It would be more accurate to picture it like this: (Oracle Server)-(Switch)-(Firewall)-(Switch)-(Firewall)-(Internet)
| | | | (VPN Server) (Internet) (Firewall) | (VPN client+oracle client)
In the above, the left-most firewall performs routing for the VPN clients, so that the replies to the VPN clients are not sent unencrypted back out on the Internet through the default route, as the VPN clients are not on the same subnet as the LAN (to the left of the first firewall). The firewall to the right of the VPN server also performs routing of sorts (more specifically DNATting) to redirect the inbound packets to the VPN server. Toss in VPN clients using dynamic IP addresses, and sitting behind a NATting firewall, and there is potential mass chaos. Just as a warning, the above is not a complete description of how I have the VPN setup configured. My opinion is, don't make things like this any easier than they need to be...
If you read what the OP posted as this:
Then, I agree (mostly). Having a firewall on the VPN server provides the opportunity to filter the packets incoming from the remote client station before the packets hit the internal firewall, and potentially "mark" the packets as safe to pass through.
IT Manager/Oracle DBA
K&M Machine-Fabricating, Inc. Received on Fri Feb 08 2008 - 14:12:57 CST