Educause Security Discussion mailing list archives

Re: ODBC Access to Oracle


From: Steve Niedzwiecki <steven () PRINCETON EDU>
Date: Wed, 15 Aug 2018 14:29:04 +0000

George,

We disallow direct ODBC access to any central Oracle databases from campus workstations.  Where there is business need 
to do that, usually for 2-tier legacy apps, we've set up bastion host terminal servers (with MFA) which reside in our 
DMZ firewall zones and run the ODBC client app there.  This allows us to maintain our requirement that only hosts in 
the DMZ firewall zone can directly access database servers in our trust firewall zone.

Steve


Steve Niedzwiecki
Senior Security Architect
Princeton University
O: 609-258-1618
M: 609-731-2941
steven () princeton edu





From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of George J. Silowash
Sent: Wednesday, August 15, 2018 10:08 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] ODBC Access to Oracle

Hello,

I am currently researching the security implications of allowing ODBC access to an Oracle database, in particular, 
Ellucian Banner.  I have a user requesting ODBC access to the Banner database. My gut feeling is to prohibit this 
access, but I need more information.

Does anyone have best practices for implementing this? Or, what are the reasons for prohibiting access? I am most 
concerned about:

-Data integrity
-Access control of tables and fields
-Accidental database denial of service (a query that is not constrained appropriately, etc.)

Is Oracle security enforced on an ODBC connection? Some research on other applications implies that it is not. Any help 
or guidance would be greatly appreciated.

Regards,
George
----------------------------------------------------------------
George J. Silowash, MSIA, CISSP-ISSMP, CCFP, GCFE
Chief Information Security Officer
Norwich University
158 Harmon Drive
Northfield VT 05663
http://www.norwich.edu


