Re: sqlnet over Internet

From: Richard Hoffbeck <rwh_at_visi.com>
Date: 1997/10/08
Message-ID: <MPG.ea5aab6fec8cd279896a0_at_fw2.mwcia.org>#1/1


[This followup was posted to comp.databases.oracle.misc and a copy was sent to the cited author.]

In article <60vffa$g5f$1_at_tst.hk.super.net>, sswan_at_hk.super.net says...
> I once asked Oracle support this question and they replied that
> it's impossible across Firewall. Their reason is that the listener
> though listens on a well known port (1521?), the server process
> so forked listens on some random port number. It is hard to restrict
> traffic by random port number and allowing only 1521 simply doesn't
> work!
>
> If anyone has implemented such solution across firewall, please kindly
> share your experience with us.

If you're running multi-threaded server the only game in town is one of the Oracle proxies -- I know that TIS Gauntlet has one and I think that Firewall-1 provides one as well. With mts, you contact the listeners on a well known port and it passes you off to one of the other server processes that is currently running. If you want to proxy this type of connection, you need to know enough about sql*net so you can track this change and of course Oracle doesn't provide a lot of information on the nitty-gritty of sql*net.

From the little I've read about it, Oracle's thin-client Java class should have enough information to figure out what is going on during this process, although I suspect that disassembling the jdbc class probably violates the license agreement.

If you aren't running mts, then you can use a standard plug type proxy to pass through the firewall. In our case, we put linux boxes running ssh at our remote sites and use ssh's ability to redirect packets to access our internal services. Works like a charm and by placing the normal filtering restrictions on the tunnel box, it is fairly secure as well. I've also used plug-gw from TIS's fwtk with no problems, but of course you don't get the encryption that you'd have with ssh.

--rick

-- 
+-----------------------------------------------------------------+
| Richard Hoffbeck <rwh_at_visi.com>             phone: 612.897.6442 |
| Mn Worker's Compensation Insurer's Assoc    fax:   612.897.6495 |
| 7760 France Ave, Suite 640                                      |
| Minneapolis, MN 55435                                           |
|                                                                 |
| Finger rwh_at_visi.com for PGP key :                               |
|  Fingerprint = 1C DD 13 FB 11 1D E7 73 2F A1 9B 52 86 0F A2 2B  |
+-----------------------------------------------------------------+
Received on Wed Oct 08 1997 - 00:00:00 CEST
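
A sketch of the "plug type" relay described in the post above, as an added example that is not part of the original message and not fwtk's plug-gw code. The function names and the source-network allowlist are hypothetical; the relay carries one fixed destination port only, which is why it fits a non-MTS connection and cannot follow a hand-off to another port.

```python
import ipaddress
import socket
import threading


def _pump(src, dst):
    """Copy bytes src -> dst until EOF, then pass the EOF on."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
    except OSError:
        pass
    try:
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass


def _handle(client, peer_ip, target, allowed):
    with client:
        # Filtering restriction: only listed source networks may use the plug.
        if not any(ipaddress.ip_address(peer_ip) in net for net in allowed):
            return
        try:
            upstream = socket.create_connection(target, timeout=5)
        except OSError:
            return
        with upstream:
            upstream.settimeout(None)
            back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
            back.start()
            _pump(client, upstream)
            back.join()


def start_plug(listen, target, allowed_cidrs):
    """Relay every accepted connection to one fixed (host, port) target."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    srv = socket.create_server(listen)

    def accept_loop():
        while True:
            try:
                client, (ip, _port) = srv.accept()
            except OSError:
                return  # listening socket was closed
            threading.Thread(target=_handle, args=(client, ip, target, allowed),
                             daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv  # caller reads the bound port via getsockname()
```

Like plug-gw, this relay passes bytes in the clear; it adds no encryption.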
