From: Andy Wattenhofer <watt0012@umn.edu>
Date: Fri, 27 May 2016 08:27:08 -0500
Message-ID: <CAFU3ey7JjKPmW908H2DGER+fV9ECpEbiTPuYdSrrSNAQOkLsdw@mail.gmail.com>
Subject: Re: Safe access to just 1 or 2 databases on RAC cluster via VPN?
To: dmann99@gmail.com
Cc: "oracle-l@freelists.org" <oracle-l@freelists.org>

Have you looked at Oracle Connection Manager?

Andy

On Fri, May 27, 2016 at 7:30 AM, David Mann <dmann99@gmail.com> wrote:

>
> I have a customer that is requesting to add IP addresses of all nodes in a
> cluster to their VPN so they can access a subset of databases on the
> cluster.
>
> If they were the only organization that had databases on that cluster I
> wouldn't have an issue - but there are other databases on there that have
> nothing to do with their workflow.
>
> In the past I would usually work to get them on their own isolated machine
> or cluster so the VPN endpoints could be added to their b2b VPN and they
> would only have access to systems which only housed their data. I don't
> have that option in this case.
>
> I was thinking about setting up a listener for them on another port which
> was only configured for their subset of databases... And block access to
> the general scan listener already set up on the cluster. Would this afford
> any protection to attempts to connect to other databases on the cluster? Or
> better to approach this from a firewall configuration standpoint?
>
> --
> Dave Mann
> General Geekery | www.brainio.us
> Database Geekery | www.ba6.us | @ba6dotus | http://www.ba6.us/rss.xml
>



-- 
Andy
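
As an added illustration of the Connection Manager suggestion (not part of the original messages, and not configuration from either poster): a `cman.ora` rule list that accepts the customer's VPN range only for its own database services. The instance name, gateway host, address range and service names are constructed placeholders, and it assumes the gateway runs on a host separate from the cluster nodes.

```text
# cman.ora on a dedicated gateway host. Every name and address here is a
# constructed placeholder, not a value from the thread.
#
# Rules 1-2: the customer's VPN range (src) may connect only to its own
#            two database services (srv).
# Rule 3:    local CMCTL administration of this Connection Manager instance.
# Requests that match no rule are rejected, so other services on the
# cluster are not reachable through this gateway.
CMAN_gw =
  (configuration=
    (address=(protocol=tcp)(host=cman-gw.example.com)(port=1521))
    (rule_list=
      (rule=(src=10.20.30.0/24)(dst=*)(srv=cust_db1)(act=accept))
      (rule=(src=10.20.30.0/24)(dst=*)(srv=cust_db2)(act=accept))
      (rule=(src=cman-gw.example.com)(dst=127.0.0.1)(srv=cmon)(act=accept))
    )
  )
```

With a gateway like this, the address added to the customer's VPN would be the gateway's rather than those of the cluster nodes, and `dst=*` can be narrowed to the node addresses once they are known.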



