Re: Firewalling Oracle
Jared,
We're using IP checking selectively to protect a few of the more critical applications. The biggest problem I've noticed is that users make new requests for connections but the old ones seldom get cleaned up. Then a new hire inherits a machine and has access to the world.
Our entire datacenter is moving next weekend with all new IP addresses, so we just happen to be in the process of re-identifying all the necessary addresses. :(
If all DBAs happened to be OCD, this wouldn't have occurred ...
You also have to restart the listener for a new addition to be recognized, and a few of our app servers die anytime there is even a brief network interruption, so new additions have to wait for a scheduled restart.
Seems to me it can serve a good purpose in the right environment. If it's allowed to get sloppy, it's not only difficult to clean up, everyone and their cousin ends up in the list anyway.
my 2 cents ... Robyn
On 1/11/06, Hostetter, Jay M wrote:
>
> Jared,
>
> >What problems did you run into with it?
>
> Forgetting to change it when an IP address changed.
>
> >Was it worth the trouble in your opinion?
>
> I was able to sleep better at night.
>
> We have two boxes that were briefly sitting outside of a firewall. This
> is when I implemented the TCP.INVITED_NODES parameter. Since that time,
> these boxes have been moved into a more secure area of the network. But
> since they are outside our corporate firewall I left the parameter in
> place. I've never really had any problems, except when the IP address of
> the invited nodes changed. They were NATted addresses, so it took me a
> little while to figure out that it wasn't a firewall problem.
>
> Jay
>
> ------------------------------
> *From:* oracle-l-bounce_at_freelists.org [mailto:oracle-l-bounce_at_freelists.org] *On Behalf Of* Jared Still
> *Sent:* Wednesday, January 11, 2006 2:09 PM
> *To:* Oracle-L Freelists
> *Subject:* Firewalling Oracle
>
>
> Hello,
>
> I'm curious how many folks have used the TCP.VALIDNODE_CHECKING,
> TCP.EXCLUDED_NODES and/or TCP.INVITED_NODES parameters to restrict
> database access.
>
> What problems did you run into with it?
>
> Was it worth the trouble in your opinion?
>
> Thanks,
>
> Jared Still
> Certifiable Oracle DBA and Part Time Perl Evangelist
>
-- Robyn Anderson Sands email: Robyn.Sands_at_SciAtl.com
Received on Wed Jan 11 2006 - 21:30:33 CST
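
Both replies in this thread describe the same maintenance failure: TCP.INVITED_NODES entries that outlive the client they were added for, or that are not updated when an address changes. The following is an added example, not code from anyone in the thread: a small audit that parses a sqlnet.ora and compares the invited list with an inventory of currently approved clients. The sample file, the inventory and all addresses are constructed, and a missing TCP.VALIDNODE_CHECKING is assumed to mean the check is off.

```python
import re

# Constructed sample sqlnet.ora (not from the thread); addresses are documentation ranges.
SAMPLE_SQLNET_ORA = """\
# network access control
TCP.VALIDNODE_CHECKING = YES
tcp.invited_nodes = (192.0.2.10, appsrv1.example.com,
                     192.0.2.77, 198.51.100.4)   # .77 was a contractor laptop
"""

# Constructed inventory of clients currently approved to connect (hypothetical).
APPROVED = {"192.0.2.10": "billing app", "appsrv1.example.com": "web tier",
            "203.0.113.25": "new reporting server"}

PARAM_RE = re.compile(r"^\s*([A-Za-z_.]+)\s*=\s*(.*)$")

def parse_sqlnet(text):
    """Return {PARAM: value}, joining parenthesised values that span lines."""
    params, name, buf = {}, None, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        m = PARAM_RE.match(line)
        if name is None and m:
            name, buf = m.group(1).upper(), m.group(2)
        elif name is not None:
            buf += " " + line.strip()                 # continuation line
        if name is not None and buf.count("(") <= buf.count(")"):
            params[name], name = buf.strip(), None
    return params

def node_list(value):
    """Split '(a, b, c)' into ['a', 'b', 'c'], lower-casing host names."""
    return [n.strip().lower() for n in value.strip("() ").split(",") if n.strip()]

def audit(text, approved):
    """Compare TCP.INVITED_NODES with the approved inventory."""
    p = parse_sqlnet(text)
    invited = node_list(p.get("TCP.INVITED_NODES", ""))
    wanted = {k.lower() for k in approved}
    return {
        # Assumption: an absent parameter means the check is off.
        "checking_enabled": p.get("TCP.VALIDNODE_CHECKING", "NO").upper() == "YES",
        "stale": sorted(n for n in invited if n not in wanted),
        "missing": sorted(wanted - set(invited)),
    }

if __name__ == "__main__":
    print(audit(SAMPLE_SQLNET_ORA, APPROVED))
```

Entries reported as stale are candidates for removal at the next scheduled listener restart; entries reported as missing are approved clients that would be refused until they are added.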