Educause Security Discussion mailing list archives
Re: ODBC Access to Oracle
From: Steve Niedzwiecki <steven () PRINCETON EDU>
Date: Wed, 15 Aug 2018 14:29:04 +0000
George,

We disallow direct ODBC access to any central Oracle databases from campus workstations. Where there is business need to do that, usually for 2-tier legacy apps, we've set up bastion host terminal servers (with MFA) which reside in our DMZ firewall zones and run the ODBC client app there. This allows us to maintain our requirement that only hosts in the DMZ firewall zone can directly access database servers in our trust firewall zone.

Steve

Steve Niedzwiecki
Senior Security Architect
Princeton University
O: 609-258-1618
M: 609-731-2941
steven () princeton edu

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of George J. Silowash
Sent: Wednesday, August 15, 2018 10:08 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] ODBC Access to Oracle

Hello,

I am currently researching the security implications of allowing ODBC access to an Oracle database, in particular, Ellucian Banner. I have a user requesting ODBC access to the Banner database. My gut feeling is to prohibit this access, but I need more information.

Does anyone have best practices for implementing this? Or, what are the reasons for prohibiting access? I am most concerned about:

- Data integrity
- Access control of tables and fields
- Accidental database denial of service (a query that is not constrained appropriately, etc.)

Is Oracle security enforced on an ODBC connection? Some research on other applications implies that it is not.

Any help or guidance would be greatly appreciated.

Regards,
George

----------------------------------------------------------------
George J. Silowash, MSIA, CISSP-ISSMP, CCFP, GCFE
Chief Information Security Officer
Norwich University
158 Harmon Drive
Northfield VT 05663
http://www.norwich.edu