Security Basics mailing list archives
Securing 3rd party connections to Oracle DB's?
From: "Matt Harrison" <mharr19 () gmail com>
Date: Fri, 22 Aug 2008 14:26:27 -0400

Hello all,

We are currently looking at ways to allow our clients to securely access their ERP databases (which we are hosting) via Point-to-Point WAN links or VPN. To date, we have only allowed access from internally controlled Citrix/MS Term Servers but we are seeing a significant number of requests from clients where they need to integrate non-hosted 3rd party apps or to perform dblinks for data warehousing systems at their location(s).

We have implemented the usual protections already - firewalls only allowing the single data warehouse/remote db access on the single SQLnet port, IDP, hardened Oracle installs - but from an application layer I don't see anything preventing a remote db, which we don't necessarily trust for a variety of reasons, from issuing a "bad" command to the db on our side other than the permission level of the account used in the db link.

Is there some sort of "application firewall" for the Oracle stack that would make sense to look at? We have looked at Oracle Connection Manager (OCM) already and it doesn't really do any "security checks" as far as SQL requests. It is primarily looking at IP/Port info and allowing that approved host to access a single db name which does provide us a little better security since we have multiple db's on a single listener (dev, test, demo, stage for example and only dev should be accessed via the db link).

We keep our db's up at the latest Oracle CPU level with a roughly 60 day lag time between release of the CPU and our deployment to production since we're very limited on the downtime we can take each month (1 month dev, next month prod).

If anyone has any docs or thoughts on how to better secure the 3rd party links I'd appreciate it.

Thanks,
matt