Home -> Mailing Lists -> Oracle-L -> Re: Block connection from SQL developer

Re: Block connection from SQL developer

From: Mladen Gogala <gogala.mladen_at_gmail.com>
Date: Sun, 13 Mar 2022 15:05:09 -0400
Message-ID: <d35448a1-a4fb-63b7-9fd2-579acf1e4038_at_gmail.com> 





  
    
  
  
    
On 3/13/22 11:42, Dave Morgan wrote:

    

    
The
      only practical way to control connection level access is with a
      logon trigger supported with automated auditing and monitoring.
      Limitations based on hostname and/or IP address  can also be set
      in sqlnet.ora.
      

    

    Agreed

    

      

      In my environment the issue is developers who "have to" connect to
      production to "do their job".
      

      So, I do not return any errors I use a sleep(6000) call in the
      trigger. It is hard to complain about a problem when you should
      not be there
    

    
There is no reason whatsoever for developer to connect to
      production. In the good old times of my youth (think Perl 4 and
      "oraperl") there was a saying cautioning people to not trust
      programmers carrying screwdrivers. The times of programmers with
      screwdrivers and pliers are long gone but the same saying is
      applicable to the production databases: developers have no
      business connecting to the production database of, for that
      matter, production application server(s). Developers should
      document their products so that they can be installed by the
      maintenance engineers. Any developer caught trying to connect to
      the higher environments (QA, UAT, PROD) should be terminated on
      the spot. One of the foremost security measures is the separation
      of duties and the physical separation of the environments. 

    

    
The infamous "Solar Winds" case was caused by an intern in charge
      of the software upload site and the weal password (SolarWinds123).
      I hope that the intern has now been promoted to the managerial
      position of PHB. The vast majority of break-ins is caused by the
      human error. Developer with access to the higher environments is
      pretty typical. If things are supposed to be confidential, then
      confide in very few people and make sure that nobody else has the
      confidential information. It's elementary, my dear Dave.

    

    
-- 
Mladen Gogala
Database Consultant
Tel: (347) 321-1217
https://dbwhisperer.wordpress.com


  

--
http://www.freelists.org/webpage/oracle-l
Received on Sun Mar 13 2022 - 20:05:09 CET












Original text of this message