RE: Client Access from Internet to Oracle Databases -SQL*Net or V PN or ...?

[sean.kelly () lanston com]

> The question is how does one give only  the members of an 
> aribitary, but
> defined set of Internet users access to a database
> of proprietary information?  And, secondarily, how does one 
> provides these
> users an easy way to get the access, while preserving
> the integrity of the database as much as possible?  The 
> database is updated
> several times per minute with new information.

For internal use, it really depends on the application.  I generally support
the idea of some kind of program to act as intermediary for people that are
not admins.  A careful set-up of access priveleges helps too.  Alternately,
or if you're not as concerned about auditing, something like Access with
links to the database can be pretty useful.
 
> Having an Oracle database available on a protected network, 
> gives a client
> on that network access to that
> database.  We assumed for our discussion that these users 
> were trusted not
> to try to ruin the database contents.

But on the off chance that a malicious person gains access to the database
via the same means (say they figure out a login/password) then you still
will want to be protected as much as possible.

If possible try to forbid arbitrary queries against the database.  Use views
and stored procedures for all client interaction if possible.  Besides being
much faster and making maintenance much easier, this will protect against
the possibility of an attacker being able to do evil things to your database
or your local network if they manage to gain access somehow.

> If one wanted to extend that access to an arbitrary (but defined and
> authorized) class of users (clients) with access to the 
> Internet, and on
> the "other side" of the firewall, what would be the best way 
> to do this?
>
> We have at least three different opinions:
>
> 1. Use Oracle's SQL*Net proxy and install client sw on each 
> Internet user
> wanting access.  (Use appropriate user-name, pw, token, etc. 
> security).

Haven't used it, I can't really say.  I can see this getting difficult if
you're going to be supporting hundreds of users, but you're going to have to
set up the logins in the database in any case... are there any people in
charge of installing software on people's pc's that can handle the grunt
work?

> 2. Use a client to LAN VPN product to let those users on the Internet
> "tunnel" into the protected network, thus making them appear 
> to be on the
> local LAN.

A decent solution, and probably a good one if you need to provide
comprehensive access to people on the internet.

> 3. Use an approach where the Oracle 8i web server is on the 
> Internet side
> of the firewall, connected by VPN to the database server on 
> the protected
> network, and give authorized Internet users a Client 
> certificate to browse
> the web-server.  I.e., set up the server security so that a 
> client can only
> connect with a ceritifcate.

This is both a good and common solution for many instances.  In fact,
password-protecting the whole thing with SSL is a slightly less paranoid
method that works fairly well (better if you can require 128 bit encryption,
though using just a password as verification might not be secure enough for
you) with the benefit of not having to install a key on everyone's pc.  You
don't even need to connect it via a VPN to the database so much as set up
the firewall to allow access to the necessary ports on the database only
from the web server.  Then, even if someone gains access to the web server,
they can't do anything more than query the database (rather than access the
entire database server, as a VPN solution could likely provide).

Since most of your solutions require some work to be done on a client's
computer, it would make sense to try to automate the install as much as
possible.  IPSec seems like an unlikely possibility with the Win95 issue...
ultimately it comes down to how paranoid you want to be.

Another alternative you didn't mention is using something like SecurID.
These products rely on a pin and some kind of small electronic device to
recalculate a password based on the pin at 1-minute intervals.  You don't
have to install anything special on the client PC's and access is still very
secure (much more so than with a password).  People may lose the devices,
but no solution is perfect.


Sean