Security Basics mailing list archives

Securing 3rd party connections to Oracle DB's?


From: "Matt Harrison" <mharr19 () gmail com>
Date: Fri, 22 Aug 2008 14:26:27 -0400

Hello all,

We are currently looking at ways to allow our clients to securely
access their ERP databases (which we are hosting) via Point-to-Point
WAN links or VPN. To date, we have only allowed access from internally
controlled Citrix/MS Term Servers but we are seeing a significant
number of requests from clients where they need to integrate
non-hosted 3rd party apps or to perform dblinks for data warehousing
systems at their location(s).

We have implemented the usual protections already - firewalls only
allowing the single data warehouse/remote db access on the single
SQLnet port, IDP, hardened Oracle installs - but from an application
layer I don't see anything preventing a remote db, which we don't
necessarily trust for a variety of reasons, from issuing a "bad"
command to the db on our side other than the permission level of the
account used in the db link. Is there some sort of "application
firewall" for the Oracle stack that would make sense to look at? We
have looked at Oracle Connection Manager (OCM) already and it doesn't
really do any "security checks" as far as SQL requests. It is
primarily looking at IP/Port info and allowing that approved host to
access a single db name which does provide us a little better security
since we have multiple db's on a single listener (dev, test, demo,
stage for example and only dev should be accessed via the db link). We
keep our db's up at the latest Oracle CPU level with a roughly 60 day
lag time between release of the CPU and our deployment to production
since we're very limited on the downtime we can take each month (1
month dev, next month prod).

If anyone has any docs or thoughts on how to better secure the 3rd
party links I'd appreciate it.

Thanks,

matt
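
The post names the permission level of the db link account as the one application-layer control in place. As an added example (not part of the original post, and not the poster's configuration), this Oracle SQL sets up a least-privilege link account and then lists any privilege the account holds beyond that. All account, schema, view, column and profile names are constructed placeholders.

```sql
-- Added example. DWH_LINK_RO, ERP_APP, ORDERS, V_ORDERS_EXPORT and
-- DBLINK_LIMITS are constructed placeholders, not names from the post.

-- 1. Limits for the account the remote database logs in as.
--    The session/time limits are enforced only when RESOURCE_LIMIT = TRUE;
--    the password limits are always enforced.
CREATE PROFILE dblink_limits LIMIT
  SESSIONS_PER_USER     4
  IDLE_TIME             30     -- minutes
  CONNECT_TIME          480    -- minutes
  FAILED_LOGIN_ATTEMPTS 5
  PASSWORD_LOCK_TIME    1;     -- days

-- 2. Dedicated account: may log in, owns no objects, has no roles.
CREATE USER dwh_link_ro IDENTIFIED BY "REPLACE_WITH_STRONG_PASSWORD"
  PROFILE dblink_limits;
GRANT CREATE SESSION TO dwh_link_ro;

-- 3. Expose only the needed columns through a view owned by the
--    application schema; grant nothing on the base tables.
CREATE OR REPLACE VIEW erp_app.v_orders_export AS
  SELECT order_id, customer_id, order_date, total_amount
  FROM   erp_app.orders;
GRANT SELECT ON erp_app.v_orders_export TO dwh_link_ro;

-- 4. Audit logins and statement types issued by the account
--    (records are written only if AUDIT_TRAIL is enabled).
AUDIT SESSION BY dwh_link_ro;
AUDIT SELECT TABLE, INSERT TABLE, UPDATE TABLE, DELETE TABLE,
      EXECUTE PROCEDURE BY dwh_link_ro BY ACCESS;

-- 5. Check: every row returned is a privilege beyond the intended two.
SELECT 'SYS PRIV' AS kind, privilege AS detail
  FROM dba_sys_privs
 WHERE grantee = 'DWH_LINK_RO' AND privilege <> 'CREATE SESSION'
UNION ALL
SELECT 'ROLE', granted_role
  FROM dba_role_privs
 WHERE grantee = 'DWH_LINK_RO'
UNION ALL
SELECT 'OBJ PRIV', privilege || ' ON ' || owner || '.' || table_name
  FROM dba_tab_privs
 WHERE grantee = 'DWH_LINK_RO'
   AND NOT (owner = 'ERP_APP' AND table_name = 'V_ORDERS_EXPORT'
            AND privilege = 'SELECT');
```

The check in step 5 covers direct grants only; anything granted to PUBLIC is also available to the link account and has to be reviewed separately.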

