Re: Accessing Oracle DB Over Internet

From: Mark D Powell <Mark.Powell_at_eds.com>
Date: Sat, 9 Feb 2008 09:13:40 -0800 (PST)
Message-ID: <3380c49c-0b3b-4b3c-9154-891619ffdfe2@z17g2000hsg.googlegroups.com>


On Feb 9, 10:24 am, "Vladimir M. Zakharychev" <vladimir.zakharyc..._at_gmail.com> wrote:
> On Feb 9, 6:08 pm, Charles Hooper <hooperc2..._at_yahoo.com> wrote:
>
> > On Feb 9, 7:04 am, Michael42 <melliot..._at_yahoo.com> wrote:
>
> > > Hello,
>
> > > Is it possible to connect to an Oracle 10g database over the Internet
> > > via SQLPlus or Java app from a client system (assuming my local
> > > firewall permits the listener port I use)?
>
> > > If this is possible how can it be made secure?
>
> > > Thanks for your comments,
>
> > > m42
>
> > Yes, it is possible to connect to an Oracle database over the
> > Internet.  However, it probably is not a good idea to expose the
> > Oracle database server's listener port directly to the Internet.  A
> > better approach would be to use the security and data encryption
> > provided by a VPN to act as a gate keeper to the Oracle database
> > server's listener port, and to obscure the actual data submitted by
> > the client and the return data from the database.
>
> > You might take a look at the recent thread "Not able to connect to
> > Oracle database through VPN" in this group for some ideas for how a
> > VPN server fits into the configuration with firewalls.
>
> > Charles Hooper
> > IT Manager/Oracle DBA
> > K&M Machine-Fabricating, Inc.
>
> Adding to this excellent reply: you can use SSH tunneling for this:
> SSH will handle authentication, authorization and traffic encryption,
> similar to what VPNs do. For you it will look as if the database
> listener is listening on your *local* machine, SSH will forward this
> local port to the remote side (and this forwarding may even span
> several hops, depending on configuration.) If the remote listener is
> on Windows, make sure shared sockets are enabled and active on the
> listener host (search for USE_SHARED_SOCKET for more details on this
> feature,) so that all TNS traffic uses single shared port and no port
> redirects are done by the listener as this will not work (same issue
> as with VPNs.)
>
> Regards,
>    Vladimir M. Zakharychev
>    N-Networks, makers of Dynamic PSP(tm)
>    http://www.dynamicpsp.com

Two good replies. I would just like to add that you should not run your applications on the same server as the database but rather you should run your applications from an application server. You put one set of security measures between the application server and the internet and if necessary or desired you put a second set of measures between the application server and the database server.

In a setup like the above if you want to use sqlplus you generally have to be able to sign into the application server and run it from there. Or you have to have the ability to connect directly to the database server and work from there. Only the DBAs and System Administrators should have access to the database server. No one else and nothing runs there.

IMHO -- Mark D Powell

Received on Sat Feb 09 2008 - 11:13:40 CST
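The SSH local-forward setup Vladimir describes, written out as an added example that is not part of the thread and not anyone's posted code. The bastion host, internal database host, ports, service name and Oracle user are all assumptions; the tunnel is bound to 127.0.0.1 so the forwarded listener port is not exposed on the client's other interfaces, and a small readiness check runs before SQL*Plus is started. It requires bash for the /dev/tcp port probe.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: reach an Oracle listener through an
# SSH local port forward, then point SQL*Plus at the local end of the tunnel.
# Every host name, port, service name and user below is an assumption.
set -eu

BASTION="dba@bastion.example.com"   # assumed: SSH host reachable from the Internet
DB_HOST="db01.internal"             # assumed: listener host as the bastion sees it
DB_PORT=1521                        # assumed: listener port
LOCAL_PORT=15210                    # any free port on the client
SERVICE="ORCL"                      # assumed: database service name
DB_USER="scott"                     # assumed: database account

# EZConnect descriptor for the *local* tunnel endpoint. The client never
# names the real database host; SSH carries the TNS bytes to it.
ezconnect() {
  printf '//%s:%s/%s' "$1" "$2" "$3"
}

# True when something accepts TCP connections on host:port.
# Uses bash's /dev/tcp so no nc/nmap is needed on the client.
port_open() {
  (exec 3<>"/dev/tcp/$1/$2") 2>/dev/null
}

# Poll host:port for up to $3 seconds (default 10) and fail if it never opens.
wait_for_port() {
  local host=$1 port=$2 tries=${3:-10}
  while [ "$tries" -gt 0 ]; do
    if port_open "$host" "$port"; then return 0; fi
    tries=$((tries - 1))
    sleep 1
  done
  return 1
}

# Open the tunnel in the background and start SQL*Plus against it.
#   -N  no remote command, forwarding only
#   -f  go to the background once authenticated
#   -L  bind 127.0.0.1:LOCAL_PORT locally, forward to DB_HOST:DB_PORT
# Caveat from the thread: a Windows listener that redirects the session to a
# fresh port breaks this, because only LOCAL_PORT is forwarded; set
# USE_SHARED_SOCKET on that host so all TNS traffic stays on the one port.
open_tunnel_and_connect() {
  ssh -f -N -L "127.0.0.1:${LOCAL_PORT}:${DB_HOST}:${DB_PORT}" "$BASTION"
  wait_for_port 127.0.0.1 "$LOCAL_PORT" 10 || {
    echo "tunnel on 127.0.0.1:${LOCAL_PORT} did not come up" >&2
    return 1
  }
  sqlplus "${DB_USER}@$(ezconnect 127.0.0.1 "$LOCAL_PORT" "$SERVICE")"
}
```

Save the file, adjust the assumed values, `source` it and call `open_tunnel_and_connect`; SQL*Plus prompts for the password as usual, and the connect string it receives is `//127.0.0.1:15210/ORCL`, i.e. the local end of the tunnel rather than the database host.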
