Re: Question re security
From: Guillermo Alan Bort <cicciuxdba_at_gmail.com>
Date: Fri, 17 Jan 2014 17:12:41 -0200
Message-ID: <CAJ2dSGQy-mVAqR7zKTU5katJsOei0bzbhbJmHzFkpf+6mqw-uA_at_mail.gmail.com>
A couple of years ago when we were migrating a bunch of databases to a new datacenter and upgrading everything to 11.2 we started a discussion about securing the listener by filtering the set of IP addresses from which the listener would accept connections. In the end we decided that the firewall was protection enough. The networks were pretty well segmented and only the app server subnet had access to the listener (and a terminal server from which we DBAs could run TOAD). We had OEM on the app server subnet. This was a clear three-tier environment where the app servers were just service providers and we had tier one apps consuming those services and facing the web through reverse proxies and stuff like that. We were pretty happy with security, but my question for the experts is whether it is worth the effort of defining and maintaining a list of valid IP addresses for the listener. Much like changing the port it seems that it would be only too easy for a "hacker" to just spoof a valid IP address (any hacker worth their salt should be able to do so in a few seconds... if they know what IP address to spoof, that is... but obscurity is not security...)
cheers
Alan.-
-- http://www.freelists.org/webpage/oracle-l
Received on Fri Jan 17 2014 - 20:12:41 CET
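The listener-side IP filtering Alan is asking about is Oracle Net's valid node checking, configured through TCP.VALIDNODE_CHECKING, TCP.INVITED_NODES and TCP.EXCLUDED_NODES in sqlnet.ora. The following is an added example, not part of the post or of Oracle's own tooling: a small Python audit that parses a constructed sqlnet.ora fragment and answers, for a given client address, whether the policy would admit it. The decision model is an assumption simplified from the documented behaviour (checking off admits everyone; an invited list admits only its members; otherwise an excluded list refuses its members), the sample addresses are made up, and the use of a /24 subnet entry assumes the installed release accepts CIDR entries in those lists; hostname entries are reported rather than resolved so the script runs offline.

```python
import ipaddress

# Constructed sqlnet.ora fragment (assumption, not from any real system): valid node
# checking on, the app-server subnet and one DBA terminal server invited, all else refused.
SAMPLE_SQLNET_ORA = """
# sqlnet.ora -- listener-side valid node checking
TCP.VALIDNODE_CHECKING = yes
TCP.INVITED_NODES = (10.20.30.0/24, 10.20.40.15, dba-jump.example.internal)
"""


def parse_sqlnet(text):
    """Return a dict of PARAM -> value for simple NAME = VALUE lines.

    '#' comments and blank lines are skipped; list values keep their parentheses
    so parse_node_list() can deal with them. Parameter names are upper-cased.
    """
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip().upper()] = value.strip()
    return params


def parse_node_list(value):
    """Turn '(a, b, c)' into (networks, hostnames).

    Bare IPs become /32 (or /128) networks; CIDR entries are kept as-is (assumed
    supported by the target release); anything that is not an address is treated
    as a hostname and returned separately so the caller can report it.
    """
    networks, hostnames = [], []
    for item in value.strip().strip("()").split(","):
        item = item.strip()
        if not item:
            continue
        try:
            networks.append(ipaddress.ip_network(item, strict=False))
        except ValueError:
            hostnames.append(item)
    return networks, hostnames


def listener_admits(params, client_ip):
    """Decide whether valid node checking would let client_ip reach the listener.

    Simplified model (assumption): checking off -> admit; INVITED_NODES present ->
    admit only listed nodes; else EXCLUDED_NODES present -> refuse listed nodes.
    Hostname entries are ignored here because the script does no DNS lookups.
    """
    if params.get("TCP.VALIDNODE_CHECKING", "no").lower() != "yes":
        return True
    addr = ipaddress.ip_address(client_ip)
    invited = params.get("TCP.INVITED_NODES")
    if invited:
        networks, _ = parse_node_list(invited)
        return any(addr in net for net in networks)
    excluded = params.get("TCP.EXCLUDED_NODES")
    if excluded:
        networks, _ = parse_node_list(excluded)
        return not any(addr in net for net in networks)
    return True


def describe_policy(params):
    """Summarise the policy as a list of human-readable findings."""
    findings = []
    if params.get("TCP.VALIDNODE_CHECKING", "no").lower() != "yes":
        findings.append("valid node checking is OFF: the listener accepts any source address")
        return findings
    findings.append("valid node checking is ON")
    for key in ("TCP.INVITED_NODES", "TCP.EXCLUDED_NODES"):
        if key in params:
            networks, hostnames = parse_node_list(params[key])
            findings.append(f"{key}: {len(networks)} address entries, {len(hostnames)} hostname entries")
            for host in hostnames:
                findings.append(f"  {key} hostname entry '{host}' depends on name resolution at listener start")
    return findings


if __name__ == "__main__":
    policy = parse_sqlnet(SAMPLE_SQLNET_ORA)
    for line in describe_policy(policy):
        print(line)
    for ip in ("10.20.30.7", "10.20.40.15", "192.168.1.5"):
        print(ip, "admitted" if listener_admits(policy, ip) else "refused")
```

Running the script against the sample prints the policy summary and then shows the app-server host and the terminal server admitted while the outside address is refused. The hostname entry is flagged rather than resolved: with this feature, a hostname in the list is only as trustworthy as the name resolution the listener host performs.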
