RE: VPN to database?
Paul - We have some of the similar issues here (network/firewall/VPN/Oracle
Net). Based on your description of your business, you probably have some
competent network engineers on staff. My experience is that they routinely
handle issues like this, and you probably won't need to get involved in the
actual configuration. However, you should educate yourself in the security
issues involved so you can participate intelligently in any discussions from
the database point of view. As a starter, I am including two recent
excellent postings to this list from Tim Gorman and Ian MacGregor. Just
scroll down.
Dennis Williams
DBA
Lifetouch, Inc.
dwilliams_at_lifetouch.com
Sent: Thursday, August 07, 2003 10:25 AM
To: Multiple recipients of list ORACLE-L
Sandro,
There is an excellent book on "Oracle Security" available online from
"http://www.sans.org". Concise, organized, and prioritized. Also, Newman
and Theriault's "Oracle Security Handbook" from Oracle Press is chock full
of common sense...
Not sure what the question about "automating the migration of stored procedures" refers to. Could you provide more information? I don't think I understand the problem...
Storing password files on the database server is mainly an exercise in ensuring that OS security and file permissions are properly implemented. If you cannot ensure that OS files are properly secured, then the entire Oracle database is at risk, not to mention files containing clear-text passwords. After all, one can view data within datafiles using programs other than the Oracle RDBMS...
The idea of creating production schemas/logins to separate object ownership from application/end-user access is excellent. To avoid using synonyms, consider the functionality of the "ALTER SESSION SET CURRENT_SCHEMA = <ownership-schema>" command being executed in an AFTER LOGON trigger in all accounts used for end-user access. It is a little-known but wonderfully manageable bit of functionality...
Hope this helps...
-Tim
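
The owner/login separation suggested in the message above, sketched as an added example that is not part of the original post. All names (APP_OWNER, APP_USER, APP_READ, ORDERS) and the password are hypothetical placeholders, and APP_OWNER.ORDERS is assumed to exist already.

```sql
-- Added example; run as a DBA account. Every name here is hypothetical.
-- APP_OWNER owns the objects and is never used to log in.
ALTER USER app_owner ACCOUNT LOCK;

-- End users get privileges through a role, never ownership.
CREATE ROLE app_read;
GRANT SELECT ON app_owner.orders TO app_read;

CREATE USER app_user IDENTIFIED BY "Placeholder_Pw_1";
GRANT CREATE SESSION TO app_user;
GRANT app_read TO app_user;

-- Schema-level logon trigger: fires only when APP_USER connects.
-- It is owned by the DBA account that creates it, so APP_USER
-- cannot drop or replace it. Repeat per end-user account.
CREATE OR REPLACE TRIGGER app_user_set_schema
AFTER LOGON ON app_user.SCHEMA
BEGIN
  EXECUTE IMMEDIATE 'ALTER SESSION SET CURRENT_SCHEMA = APP_OWNER';
END;
/

-- Verification, connected as APP_USER:
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER')   AS session_user,
       SYS_CONTEXT('USERENV', 'CURRENT_SCHEMA') AS current_schema
FROM   dual;
-- Expect SESSION_USER = APP_USER, CURRENT_SCHEMA = APP_OWNER.

-- Unqualified name now resolves to APP_OWNER.ORDERS, no synonym needed.
SELECT COUNT(*) FROM orders;

-- CURRENT_SCHEMA changes name resolution only, not privileges:
-- APP_USER holds SELECT alone, so this fails with ORA-01031.
DELETE FROM orders;
```

CURRENT_SCHEMA is a convenience for name resolution, not an access control: any session can issue the same ALTER SESSION itself, so what APP_USER can touch is decided entirely by the grants.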
-----Original Message-----
Sent: Wednesday, October 01, 2003 5:19 PM
To: Multiple recipients of list ORACLE-L
Our security folks just sent me this.
Ian MacGregor
Stanford Linear Accelerator Center
ian_at_slac.stanford.edu
-----Original Message-----
Sent: Tuesday, September 30, 2003 1:35 PM
To: NTBUGTRAQ_at_LISTSERV.NTBUGTRAQ.COM
I've posted the presentation I gave at OracleWorld last month. This presentation covers writing secure code in Oracle databases and Oracle Application Server. The topics covered include:
Managing state
Query parameters
Hidden fields
Cookies
Cross-site scripting
SQL Injection
PL/SQL Injection
Buffer overflows in EXTPROC
Resources
You can download the presentation at
http://www.appsecinc.com/techdocs/presentations.html under the heading
"Writing Secure Code in Oracle Presentation".
I welcome comments and criticisms.
Regards,
Aaron
Sent: Friday, October 24, 2003 10:14 AM
To: Multiple recipients of list ORACLE-L
We are an Application Service Provider--we maintain a set of servers in a colocation facility and our customers use our application via the Web. Security is a paramount concern, of course, and only our Web server has a public IP address, with the application and database servers completely private.
We supply a number of standard reports, but most of our customers want some custom reports as well. We would like to give them access to our database, possibly over a VPN, but only if security can be maintained. I'd like to know if anyone has faced such a situation, and what kind of configuration (network/firewall/VPN/Oracle Net) might make such access possible.
TIA,
--
Please see the official ORACLE-L FAQ: http://www.orafaq.net
--
Author: Paul Baumgartel
INET: treegarden_at_yahoo.com
Fat City Network Services -- 858-538-5051 http://www.fatcity.com
San Diego, California -- Mailing list and web hosting services
---------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from). You may
also send the HELP command for other information (like subscribing).

Received on Fri Oct 24 2003 - 12:29:26 CDT