Re: Make a database accessible over the internet

Marcus Ilgner wrote:

> Hello everyone,
>
> I'm currently evaluating methods for making our database accessible from
> the outside (->Internet) (for e.g. field staff).
> The Oracle Security Guide states that poking a hole through the firewall
> on port 1521 isn't (obviously) a good idea, which, I guess, applies
> whether the listener is password protected or not.
> So I have currently considered the following approaches:
> 1) set up a VPN to connect the external PC to the Intranet.
> 2) use TCPS in combination with a certificate/wallet as a listener
> protocol and let the TCPS listener port through the firewall.
> 3) use an application level proxy to additionally tighten security (<- but
> I couldn't find one)
>
> I searched the Internet and found that Oracle works somewhat like FTP,
> i.e. it uses a randomly negotiated port for a reconnect, which would make
> approach No 2 unusable if not the firewall was also equipped with a
> special plugin, which I couldn't find either.
>
> So my question is if you can explicitly recommend one approach (or a
> combination) over the other. Maybe you could also help me out with some
> discussion URL on that topic or such, as I couldn't discover a helpful one.
>
> Greetings and many thanks
> Marcus
>

There is a "port forwarding" feature available with the SSH (secure shell) family of commands. Try searching Google "ssh port forwarding oracle", you'll find plenty of links.

It's been a few years since I last used it, but it does work with Oracle if set up properly, your firewall only needs to allow SSH (port 22) IIRC. Depending on your platform, it may already be bundled with the OS, you may have to download and compile SSH yourself, or buy a commercial package.

HTH, --Mark Bole Received on Mon Sep 13 2004 - 10:14:46 CDT