Re: Is the client IP address available

From: Billy Verreynne <vslabs_at_onwe.co.za>
Date: 2000/03/28
Message-ID: <8bqaic$fep$1_at_ctb-nnrp1.saix.net>#1/1


Kevin Wise wrote in message <8booah$ia6$1_at_schbbs.mot.com>...
>Is there any way to determine the IP address of the client from PL/SQL or
>Java? I am trying to write a trigger that records the IP address where
>certain changes are coming from. Thanks!

My guess is no. If you're lucky, the client may specify an IP address in the connection string that you can pick up in V$SESSIONS - e.g. Cognos' Impromptu tool used to do (still does?) this.

On NT for example, the domain (or workgroup) and NetBIOS name of the machine is specified (a feature of SQL*Net/Net8 on NT I believe).

But there are several problems doing this type of thing.

Not all clients specify the same type of connection strings, which renders the machine column in V$SESSION inconsistent. To access the V$SESSION table requires DBA privs which may not be a good idea to grant for the owner of the trigger.

Then there's the concept of using IP addresses - an IP address is very easily changed or spoofed. This cannot be used to try and identify the machine that originated the change in data in Oracle. A better "address" is the physical MAC address of the network card. But even then, it is very easy to walk into the office, slap a network card from home into the PC and then change Oracle data to your heart's content without the slightest fear of being traced.

IMHO, logging IP addresses may seem like a good idea, but it is a waste of time and resources and seldom achieves anything. Especially if the plan is to use this for auditing and security purposes. It is really not difficult hitting a target machine with a DoS attack and then spoofing that machine's IP address. Even ordinary users in your organisation can do this by simply downloading the right "tools" from the web (speaking here from personal experiences).

Remember, that Oracle provides extensive security. It's a good idea to use it. The operating system Oracle runs on (be it NT or Unix) also provides security. Use it. If network security is critical, then use a firewall to protect your servers. If you need a middle layer between the client and the server, then use 3 tier architecture and an application server that plays cop.

Security is often an afterthought in database design and client-server implementations. And to be honest (without knowing the details of why you want to do this), recording IP addresses -sounds- to me a lot like a mere security afterthought.

My crazed thoughts on the subject anyway... :-)

regards,
Billy

Received on Tue Mar 28 2000 - 00:00:00 CEST
