Re: SQL*Net Security Question

From: Craig Harper <caharper_at_hooked.net>
Date: 1995/09/06
Message-ID: <42l2eg$80f_at_its.hooked.net>


kmelcher_at_ix.netcom.com (Kenneth Melcher) wrote:
>>
>>In article <42gi3h$rkj_at_ixnews2.ix.netcom.com>, kmelcher_at_ix.netcom.com
>>says...
>>>
>>>Does anyone have any suggestions on a way to restrict SQL*Net access
>>>to specific client machines or specific users?
>>>
>>>For instance, I would like for our DBA's to be able to access
>>>our servers via SQL*Net. They will always be connecting from their
>>>individual workstations using consistent userids. However, I
>>>do not want any other machines or users on the net to have access
>>>to the servers via SQL*Net.
>>>
>>>Any suggestions?
>>
>>Users need connect privileges to access the databases - so there should
>>be no reason to limit the access to SQL*Net ?
>>
>Except in the case where you have security set up in such a fashion
>such that the only non-dba connections should be coming through a
>TP-monitor such as Tuxedo, which handles its own security functions.
>In our case, we want no one connecting via SQL*PLUS or any other
>mechanism other than Tuxedo with the exception of the DBAs. The
>problem is, SQL*Net poses a potential hole in the case where someone
>might discover a database userid/password and connect to the database
>without having to authenticate themselves to either the application or
>the operating system (O/S ids on the production system are restricted
>to tech support staff only). Hence, my desire to control access via
>SQL*net to only specific client machines (preferably) or specific
>O/S users.
>
>KM

I think that your problem can be solved by 1) not setting up the tnsnames file on the other workstations that are using Tux, unless they require the TNSNAMES file themselves. 2) Just a user name and password are not enough for Oracle and SQL*Net; you have to have the correct IP address and instance name to connect to, like "oracle.world" or something. It is true that if someone had these then they could use SQL*Net to gain access to the instance. Perhaps you should not allow the local variable to be used on the workstations, or any synonyms. That would add an additional level of security, namely causing the user to enter in the correct name of the instance.

Received on Wed Sep 06 1995 - 00:00:00 CEST
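The original poster's goal is to accept SQL*Net connections only from the DBAs' workstations. Withholding tnsnames.ora from other clients (the suggestion above) is obscurity rather than a control, since the connect descriptor is easy to reconstruct once the host and SID are known. The fragment below is an added example, not from this thread, showing the listener-side control Oracle Net provides for exactly this case: TCP valid node checking in sqlnet.ora on the database server. The addresses and hostnames are constructed placeholders; in older SQL*Net releases the same parameters lived in protocol.ora rather than sqlnet.ora.

```ini
# sqlnet.ora on the database server (added example; addresses are placeholders)

# Turn on client address checking for TCP connections arriving at the listener.
TCP.VALIDNODE_CHECKING = YES

# Only these clients may open a TCP connection to the listener.
# Everything not listed is refused before any database username/password
# is ever sent, so a leaked DB account is useless from an unlisted host.
# Placeholders: the two DBA workstations and the Tuxedo application server.
TCP.INVITED_NODES = (192.0.2.10, 192.0.2.11, tux-appsrv.example.com)

# Optional explicit deny list; INVITED_NODES takes precedence when both are set.
# TCP.EXCLUDED_NODES = (192.0.2.50)
```

The listener must be reloaded after the file is changed for the rules to take effect. Two caveats a practitioner would want: the check is on the source address, so any user on a listed workstation (not just the DBA) passes it, and it says nothing about which database account is used; it therefore complements, rather than replaces, the Tuxedo-only application path and ordinary database authentication. Refused connections show up in the listener log, which gives a simple way to detect someone probing the instance from an unlisted machine.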