Firewall Wizards mailing list archives
RE: Client Access from Internet to Oracle Databases - SQL*Net or VPN or ...?
From: sean.kelly () lanston com
Date: Wed, 15 Sep 1999 13:18:20 -0400
> The question is how does one give only the members of an arbitrary, but defined, set of Internet users access to a database of proprietary information? And, secondarily, how does one provide these users an easy way to get the access, while preserving the integrity of the database as much as possible? The database is updated several times per minute with new information.
For internal use, it really depends on the application. I generally support the idea of some kind of program to act as intermediary for people that are not admins. A careful set-up of access privileges helps too. Alternately, or if you're not as concerned about auditing, something like Access with links to the database can be pretty useful.
> Having an Oracle database available on a protected network gives a client on that network access to that database. We assumed for our discussion that these users were trusted not to try to ruin the database contents.
But on the off chance that a malicious person gains access to the database via the same means (say they figure out a login/password) then you still will want to be protected as much as possible. If possible try to forbid arbitrary queries against the database. Use views and stored procedures for all client interaction if possible. Besides being much faster and making maintenance much easier, this will protect against the possibility of an attacker being able to do evil things to your database or your local network if they manage to gain access somehow.
> If one wanted to extend that access to an arbitrary (but defined and authorized) class of users (clients) with access to the Internet, and on the "other side" of the firewall, what would be the best way to do this? We have at least three different opinions:
>
> 1. Use Oracle's SQL*Net proxy and install client sw on each Internet user wanting access. (Use appropriate user-name, pw, token, etc. security).
Haven't used it, I can't really say. I can see this getting difficult if you're going to be supporting hundreds of users, but you're going to have to set up the logins in the database in any case... are there any people in charge of installing software on people's PCs that can handle the grunt work?
> 2. Use a client to LAN VPN product to let those users on the Internet "tunnel" into the protected network, thus making them appear to be on the local LAN.
A decent solution, and probably a good one if you need to provide comprehensive access to people on the internet.
> 3. Use an approach where the Oracle 8i web server is on the Internet side of the firewall, connected by VPN to the database server on the protected network, and give authorized Internet users a client certificate to browse the web server. I.e., set up the server security so that a client can only connect with a certificate.
This is both a good and common solution for many instances. In fact, password-protecting the whole thing with SSL is a slightly less paranoid method that works fairly well (better if you can require 128 bit encryption, though using just a password as verification might not be secure enough for you) with the benefit of not having to install a key on everyone's PC. You don't even need to connect it via a VPN to the database so much as set up the firewall to allow access to the necessary ports on the database only from the web server. Then, even if someone gains access to the web server, they can't do anything more than query the database (rather than access the entire database server, as a VPN solution could likely provide).

Since most of your solutions require some work to be done on a client's computer, it would make sense to try to automate the install as much as possible. IPSec seems like an unlikely possibility with the Win95 issue... ultimately it comes down to how paranoid you want to be.

Another alternative you didn't mention is using something like SecurID. These products rely on a PIN and some kind of small electronic device to recalculate a password based on the PIN at 1-minute intervals. You don't have to install anything special on the client PCs and access is still very secure (much more so than with a password). People may lose the devices, but no solution is perfect.

Sean
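As an added example (not from Sean's message or anyone else in this thread), here is one way to put the "views and stored procedures for all client interaction" advice into practice on Oracle: the account used by the web server can only call one procedure and never touches the base table. All schema, object and account names are assumed for illustration.

```sql
-- Added example, not from the original thread. Names are illustrative.

-- Owner schema holds the base table that is updated several times per minute.
CREATE TABLE quotes_owner.quotes (
    symbol        VARCHAR2(10)  NOT NULL,
    price         NUMBER(12,4)  NOT NULL,
    updated_at    DATE          DEFAULT SYSDATE NOT NULL,
    internal_note VARCHAR2(200)              -- never meant for external clients
);

-- Read-only view: exposes only the columns external clients need.
CREATE OR REPLACE VIEW quotes_owner.v_quotes_public AS
    SELECT symbol, price, updated_at
      FROM quotes_owner.quotes;

-- Stored procedure with a bound parameter: the only query path the web tier
-- gets. No dynamic SQL, so client input is never concatenated into a statement.
-- Runs with definer's rights (the default), so the caller needs no table grants.
CREATE OR REPLACE PROCEDURE quotes_owner.get_quote (
    p_symbol IN  VARCHAR2,
    p_price  OUT NUMBER,
    p_time   OUT DATE)
AS
BEGIN
    SELECT price, updated_at
      INTO p_price, p_time
      FROM quotes_owner.v_quotes_public
     WHERE symbol = UPPER(p_symbol);
EXCEPTION
    WHEN NO_DATA_FOUND THEN
        p_price := NULL;
        p_time  := NULL;
END;
/

-- Role for the web server's database account: EXECUTE on the procedure only.
CREATE ROLE web_reader;
GRANT EXECUTE ON quotes_owner.get_quote TO web_reader;

-- Placeholder password; set a real one out of band.
CREATE USER web_app IDENTIFIED BY change_me_placeholder;
GRANT CREATE SESSION TO web_app;
GRANT web_reader TO web_app;

-- web_app can now call quotes_owner.get_quote but cannot SELECT, INSERT,
-- UPDATE or DELETE against quotes_owner.quotes, nor run arbitrary queries
-- against other objects in the schema.
```

Combined with a firewall rule that admits the listener port only from the web server, a compromised web host is limited to the queries the procedure already allows.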