Oracle Developer and Forms security issues

[Matías Bevilacqua <matias () escert upc es>]

Hi list,

I'm involved in a project which will use Oracle Forms in a web
environment and would like to hear some feedback from the list. This
technology is rather new (you don't see this stuff much out there) and
thus I'm concerned with security issues which may arise. I have
basically the following questions:

1) Is the usual 3 tier topology valid with this technology? I'm not sure
since we have to poke a hole on our two firewalls to let Forms Client
connect to the application sever directly... Not something nice. Should
we move the application server to our DMZ?

2) Any feedback on Oracle Forms security on a web deployment instead of
the traditional client/server setup?

3) What is the protocol used by the Forms client to connect to the Forms
Listener? It says it's compatible with HTTP but it also states it uses a
in-house protocol to reduce traffic and encrypts with HTTPS... Http
"obfuscation" of some type? Will IDSs do something here assumng we can
decrypt data?

Anyone feedback will be appreciated! Thank you in advance.

Matías Bevilacqua Trabado
___________________________________________________________________
PGP-ID: 0x3FFD6E18 
PGP Fingerprint: 9FA3 06A1 3CAE 5996 1716  D9DF 3CE7 E88D 3FFD 6E18
___________________________________________________________________

"This e-mail may contain confidential and/or privileged information. If
you are not the intended recipient (or have received this e-mail in
error) please notify the sender immediately and destroy this e-mail. Any
unauthorized copying, disclosure or distribution of the material in this
e-mail is strictly forbidden."