Re: SQL*NET/orasrv security problem

From: B C Zygmunt <bzy_at_ornl.gov>
Date: Thu, 7 Apr 1994 11:59:57 GMT
Message-ID: <1994Apr7.115957.14246_at_ornl.gov>


In article ng7_at_hafro.is, gunnaro_at_hafro.is (Gunnar Orvarsson) writes:
> Hi.
>
> We are running Oracle/7 and SQL*NET's orasrv on a Unix server. We would
> like to be able to connect to our database as ops$<user> from other machines
> on our network without having to specify a password, that is we would like
> to be able to use connection commands like 'sqlplus /', given the correct
> value of the TWO_TASK environment variable. Setting REMOTE_OS_AUTHENT =
> true in the init<sid>.ora file seems to make this possible.
>
> This would be great, if we could allow connections from CERTAIN MACHINES
> ONLY, i.e. those that are on our network or in our administrative
> domain. But unfortunately, this doesn't seem to be the way orasrv works.
> Allowing this kind of access to workstations on our network seems to enable
> users with the same login name on ANY machine on the Internet to connect to
> our database.
>
> So my question is:
>
> Does anyone know a way to make orasrv allow connections from certain machines
> only? Are there any ways at all to prevent logins from machines from the
> outside (and staying on the Internet)? Might there exist some public domain
> security packages to take care of this?
>
> Best regards,
>
> --
> Gunnar Orvarsson Internet: gunnaro_at_hafro.is
> Hafrannsoknastofnunin/Fiskistofa Telephone: +354 1 697909
> (Marine Research Inst./Directorate of Fisheries) Fax: +354 1 697991
> Ingolfsstraeti 1, Reykjavik, Iceland Home phone: +354 1 813253

Our company has looked at this problem. There is apparently no way to make orasrv "selective" as to who can make connections. Our group is getting around this by putting a bridge in front of our database server that will only permit connections from certain machines.

I don't know of any public domain security packages that would handle this. I would imagine that, at some point, we will see a more secure SQL*Net product, but that will probably not be anytime soon.

Beverly

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
+                                    +                             +
+  Beverly Cather Zygmunt            +  Phone: (615) 574-1007      +
+  Oak Ridge National Laboratory     +  email: zygmuntbc_at_ornl.gov  +
+  Building 4500N, MS 6274           +         bzy_at_ornl.gov        +
+  Oak Ridge, TN 37831-6274          +                             +
+                                    +                             +
+                                    +                             +
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+                                                                  +
+  "If you torture your data long enough, they will tell you what  +
+  you want to hear." -- James L. Mills                            +
+                                                                  +
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
 
Received on Thu Apr 07 1994 - 13:59:57 CEST
