Re: which ports oracle uses and/or which ports to close on a switch?
andreyNSPAM_at_bookexchange.net (NetComrade) writes:
> My company is trying to increase security, and they think that they
> should close down some ports.
>
> Now, I know that besides using the 1520, 1521 or whatever other ports
> you use for the listener, Oracle also assigns random Port numbers for
> connections (at least in MTS mode)... But is there a range of port
> numbers Oracle uses? Can we close down any ports?
>
> Is SQL*net firewall proxy the only way to go? Metalink has some docs,
> but they seem to be a bit outdated (1995)
Are all your users connecting from outside the firewall, or just a handful?
What I'm accustomed to seeing -- though this is in a particular field -- is hundreds of connections from some middle tier application like a web server from within the firewall, plus a handful of connections from developers or DBAs. In that situation you can have the connections from the outside bypass MTS using a dedicated connection which does not need an additional port.
The option goes in tnsnames.ora in the CONNECTION_DATA; add a (SRVR=DEDICATED). I'm sorry I don't have the snippet any more but it's been posted here before.
I would strongly suggest closing 1521 and proxying these connections in via SSH or some other encrypted and authenticated layer. There are TCP session hijacking attacks that allow any user on the network to take over an unencrypted TCP session. You don't want to be speaking raw TNS over the internet to your production servers.
-- greg

Received on Wed Nov 01 2000 - 00:29:23 CST
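
An added example, not part of the original post: a small Python check over a client's tnsnames.ora that flags aliases skipping either measure discussed in the reply, that is, entries that connect straight to a database host instead of a forwarded local port, or that do not request a dedicated server. The sample file, alias names and hosts are constructed; it is an assumption that the SSH forward listens on a loopback address, and the parameter is matched as SERVER or in the SRVR spelling used in the post.

```python
import re

# Constructed sample tnsnames.ora; aliases, hosts and service names are made up.
SAMPLE = """
PROD_TUNNEL =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = 127.0.0.1)(PORT = 1521))
    (CONNECT_DATA = (SERVICE_NAME = prod)(SERVER = DEDICATED)))
PROD_DIRECT =   # straight to the listener, server mode left to the database
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = db.example.com)(PORT = 1521))
    (CONNECT_DATA = (SERVICE_NAME = prod)))
"""
# Assumption: the SSH port forward listens on a loopback address of the client.
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def split_entries(text):
    """Map each alias to its parenthesised descriptor by tracking paren depth."""
    text = re.sub(r"#[^\n]*", "", text)          # drop comments
    entries, depth, start, pos = {}, 0, 0, 0
    for i, ch in enumerate(text):
        if ch == "(":
            if depth == 0:
                start = i                        # descriptor opens
            depth += 1
        elif ch == ")" and depth > 0:
            depth -= 1
            if depth == 0:                       # descriptor closed
                alias = text[pos:start].strip().rstrip("=").strip()
                entries[alias.upper()] = text[start:i + 1]
                pos = i + 1
    return entries

def params(body, key):
    """Return the values of every (KEY = value) leaf in a descriptor."""
    return re.findall(r"\(\s*(?:%s)\s*=\s*([^()]+?)\s*\)" % key, body, re.I)

def audit(text):
    """Return {alias: [issues]} for entries that skip the tunnel or dedicated mode."""
    findings = {}
    for alias, body in split_entries(text).items():
        direct = [h for h in params(body, "HOST") if h.lower() not in LOOPBACK]
        issues = ["not tunneled, connects to " + ", ".join(direct)] if direct else []
        if "DEDICATED" not in [m.upper() for m in params(body, "SERVER|SRVR")]:
            issues.append("dedicated server not requested")
        if issues:
            findings[alias] = issues
    return findings
```

Calling `audit(SAMPLE)` reports only `PROD_DIRECT`; pass the contents of a real tnsnames.ora to check a client.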