This is a discussion on Make a database accessible over the internet within the Oracle Database forums, part of the Database Server Software category.
Hello everyone,

I'm currently evaluating methods for making our database accessible from the outside (-> Internet), e.g. for field staff. The Oracle Security Guide states that poking a hole through the firewall on port 1521 isn't (obviously) a good idea, which, I guess, applies whether the listener is password protected or not. So I have currently considered the following approaches:

1) set up a VPN to connect the external PC to the Intranet.
2) use TCPS in combination with a certificate/wallet as a listener protocol and let the TCPS listener port through the firewall.
3) use an application level proxy to additionally tighten security (<- but I couldn't find one)

I searched the Internet and found that Oracle works somewhat like FTP, i.e. it uses a randomly negotiated port for a reconnect, which would make approach No 2 unusable unless the firewall was also equipped with a special plugin, which I couldn't find either.

So my question is if you can explicitly recommend one approach (or a combination) over the other. Maybe you could also help me out with some discussion URL on that topic or such, as I couldn't discover a helpful one.

Greetings and many thanks
Marcus
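Approach 2 above only helps if the listener that becomes reachable from the Internet offers nothing but the TCPS endpoint and actually demands a client certificate from the wallet. The following added example (not code from this thread or from Oracle) parses the parenthesised key/value syntax of listener.ora and reports a plaintext TCP endpoint bound to a non-loopback host, a TCPS endpoint with no WALLET_LOCATION, and SSL_CLIENT_AUTHENTICATION not set to TRUE. The hostnames, ports and wallet directory in the two sample configurations are constructed; the second sample is the hardened form of the first.

```python
"""Audit an Oracle listener.ora-style configuration before exposing a
TCPS endpoint outside the firewall.

Added example, not code from the forum or from Oracle. It assumes the
standard parenthesised KEY = VALUE syntax of listener.ora/sqlnet.ora;
hostnames, ports and the wallet path are constructed samples.
"""
import re

LOOPBACK_HOSTS = {"127.0.0.1", "::1", "localhost"}

# Constructed sample: the TCPS endpoint is fine, but a plaintext TCP endpoint
# is also bound to the external hostname, and client certs are optional.
SAMPLE_LISTENER_ORA = """
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = db.example.invalid)(PORT = 2484))
      (ADDRESS = (PROTOCOL = TCP)(HOST = db.example.invalid)(PORT = 1521))
      (ADDRESS = (PROTOCOL = TCP)(HOST = 127.0.0.1)(PORT = 1521))
    )
  )
SSL_CLIENT_AUTHENTICATION = FALSE   # clients need not present a certificate
WALLET_LOCATION =
  (SOURCE = (METHOD = FILE)(METHOD_DATA = (DIRECTORY = /u01/app/oracle/wallet)))
"""

# Hardened variant: plaintext TCP only on loopback (for local tools), TCPS on
# the external host, and clients must present a certificate from the wallet.
HARDENED_LISTENER_ORA = """
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = db.example.invalid)(PORT = 2484))
      (ADDRESS = (PROTOCOL = TCP)(HOST = 127.0.0.1)(PORT = 1521))
    )
  )
SSL_CLIENT_AUTHENTICATION = TRUE
WALLET_LOCATION =
  (SOURCE = (METHOD = FILE)(METHOD_DATA = (DIRECTORY = /u01/app/oracle/wallet)))
"""


def parse_ora(text):
    """Parse the .ora syntax into a list of (KEY, value) pairs; a value is
    either a scalar string or a nested list of pairs. '#' starts a comment."""
    toks = re.findall(r"\(|\)|=|[^\s()=]+", re.sub(r"#.*", "", text))
    pos = 0

    def expect(tok):
        nonlocal pos
        if pos >= len(toks) or toks[pos] != tok:
            raise ValueError(f"expected {tok!r} at token {pos}")
        pos += 1

    def value():
        nonlocal pos
        if pos < len(toks) and toks[pos] == "(":
            groups = []  # consecutive (K = V)(K = V) groups are siblings
            while pos < len(toks) and toks[pos] == "(":
                pos += 1
                key = toks[pos].upper()
                pos += 1
                expect("=")
                groups.append((key, value()))
                expect(")")
            return groups
        if pos >= len(toks):
            raise ValueError("unexpected end of input")
        pos += 1
        return toks[pos - 1]

    entries = []
    while pos < len(toks):
        key = toks[pos].upper()
        pos += 1
        expect("=")
        entries.append((key, value()))
    return entries


def find_groups(value, wanted):
    """Collect every nested group named `wanted` as a dict of its members."""
    found = []
    if isinstance(value, list):
        for key, val in value:
            if key == wanted and isinstance(val, list):
                found.append(dict(val))
            found.extend(find_groups(val, wanted))
    return found


def audit_listener(text):
    """Return findings that argue against opening this listener to the
    Internet. SSL_CLIENT_AUTHENTICATION defaults to TRUE when absent."""
    entries = parse_ora(text)
    findings = []
    addresses = find_groups(entries, "ADDRESS")
    for addr in addresses:
        proto = str(addr.get("PROTOCOL", "")).upper()
        host = str(addr.get("HOST", "")).lower()
        if proto == "TCP" and host not in LOOPBACK_HOSTS:
            findings.append(f"plaintext TCP endpoint on {host}:{addr.get('PORT', '?')}")
    top = dict(entries)
    has_tcps = any(str(a.get("PROTOCOL", "")).upper() == "TCPS" for a in addresses)
    if has_tcps and "WALLET_LOCATION" not in top:
        findings.append("TCPS endpoint configured but no WALLET_LOCATION")
    if str(top.get("SSL_CLIENT_AUTHENTICATION", "TRUE")).upper() != "TRUE":
        findings.append("SSL_CLIENT_AUTHENTICATION is not TRUE: clients need not present a certificate")
    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_LISTENER_ORA), ("hardened", HARDENED_LISTENER_ORA)):
        print(name, audit_listener(cfg) or ["no findings"])
```

Run it against a real listener.ora by reading the file into `audit_listener`; an empty result only says the configuration file is consistent, so still confirm with a port scan from outside the firewall that nothing but the TCPS port answers.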
Marcus Ilgner wrote:

> Hello everyone,
>
> I'm currently evaluating methods for making our database accessible from the outside (-> Internet), e.g. for field staff. The Oracle Security Guide states that poking a hole through the firewall on port 1521 isn't (obviously) a good idea, which, I guess, applies whether the listener is password protected or not. So I have currently considered the following approaches:
> 1) set up a VPN to connect the external PC to the Intranet.
> 2) use TCPS in combination with a certificate/wallet as a listener protocol and let the TCPS listener port through the firewall.
> 3) use an application level proxy to additionally tighten security (<- but I couldn't find one)
>
> I searched the Internet and found that Oracle works somewhat like FTP, i.e. it uses a randomly negotiated port for a reconnect, which would make approach No 2 unusable unless the firewall was also equipped with a special plugin, which I couldn't find either.
>
> So my question is if you can explicitly recommend one approach (or a combination) over the other. Maybe you could also help me out with some discussion URL on that topic or such, as I couldn't discover a helpful one.
>
> Greetings and many thanks
> Marcus

There is a "port forwarding" feature available with the SSH (secure shell) family of commands. Try searching Google for "ssh port forwarding oracle"; you'll find plenty of links.

It's been a few years since I last used it, but it does work with Oracle if set up properly; your firewall only needs to allow SSH (port 22) IIRC. Depending on your platform, it may already be bundled with the OS, you may have to download and compile SSH yourself, or buy a commercial package.

HTH,
--Mark Bole
> There is a "port forwarding" feature available with the SSH (secure shell) family of commands. Try searching Google "ssh port forwarding oracle", you'll find plenty of links.
>
> It's been a few years since I last used it, but it does work with Oracle if set up properly, your firewall only needs to allow SSH (port 22) IIRC. Depending on your platform, it may already be bundled with the OS, you may have to download and compile SSH yourself, or buy a commercial package.

Hi,

There are two links to papers that show how to use ssh with Oracle. These are on http://www.petefinnigan.com/orasec.htm - use CTRL-F on the page and search for ssh.

kind regards
Pete

--
Pete Finnigan
Web site: http://www.petefinnigan.com - Oracle security audit specialists
Book: Oracle security step-by-step Guide - see http://store.sans.org for details.
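The two replies above leave the firewall with a single open port (22), which moves the security question to the SSH account the field staff log in to: if that account can open a shell or forward to arbitrary internal hosts, the tunnel is a general-purpose door into the intranet rather than a path to one listener. The following added example (not code from this thread, Pete Finnigan's papers, or OpenSSH) audits an OpenSSH authorized_keys file for a forwarding-only account, using the documented `restrict`, `port-forwarding` and `permitopen="host:port"` options. The database hostname, port, key material and comments in the sample file are constructed placeholders.

```python
"""Audit authorized_keys entries of an SSH account that exists only to
forward the Oracle listener port.

Added example, not code from the forum or from OpenSSH. It relies on the
OpenSSH authorized_keys option syntax (restrict, port-forwarding,
permitopen); host, port, keys and comments below are constructed samples.
"""

DB_HOST, DB_PORT = "db.example.invalid", "1521"

# A line starting with one of these key types carries no options.
KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
             "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com")

# Constructed sample file; the key material is a placeholder, not a real key.
SAMPLE_AUTHORIZED_KEYS = """\
# field-staff laptops: tunnel only, and only to the listener
restrict,port-forwarding,permitopen="db.example.invalid:1521" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER laptop-01
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER laptop-02
restrict,port-forwarding,permitopen="db.example.invalid:1521",permitopen="files.example.invalid:445" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER contractor
"""


def recommended_options(host=DB_HOST, port=DB_PORT):
    """Option prefix every key in a forwarding-only account should carry."""
    return f'restrict,port-forwarding,permitopen="{host}:{port}"'


def _split_options(opts):
    """Split the comma-separated option list, keeping quoted values intact."""
    out, cur, quoted = [], [], False
    for ch in opts:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            out.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if cur:
        out.append("".join(cur))
    return out


def parse_line(line):
    """Return (options, key_and_comment) for one authorized_keys line."""
    line = line.strip()
    if any(line.startswith(kt + " ") for kt in KEY_TYPES):
        return [], line
    quoted = False
    for i, ch in enumerate(line):  # options end at the first unquoted space
        if ch == '"':
            quoted = not quoted
        elif ch == " " and not quoted:
            return _split_options(line[:i]), line[i + 1:]
    raise ValueError(f"malformed line: {line!r}")


def audit_authorized_keys(text, host=DB_HOST, port=DB_PORT):
    """Map each key's comment to the list of problems with its options."""
    problems = {}
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        options, rest = parse_line(raw)
        fields = rest.split()
        comment = fields[-1] if len(fields) > 2 else "<no comment>"
        issues = []
        if "restrict" not in options:
            issues.append("missing 'restrict': shell, pty, agent and X11 forwarding stay enabled")
        elif "port-forwarding" not in options:
            issues.append("'restrict' without 'port-forwarding': the tunnel itself is refused")
        targets = [o[len('permitopen="'):-1] for o in options if o.startswith('permitopen="')]
        if not targets:
            issues.append("no permitopen: the key may forward to any internal host")
        for target in targets:
            if target != f"{host}:{port}":
                issues.append(f"permitopen allows a forward to {target}, not just the listener")
        problems[comment] = issues
    return problems


if __name__ == "__main__":
    for comment, issues in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS).items():
        print(comment, issues or ["ok"])
```

With this in place, the client side forwards a local port to the listener and points its tnsnames entry at localhost, and the only thing the SSH key can reach on the inside is the one host:port named in `permitopen`.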
Marcus Ilgner wrote:

> Hello everyone,
>
> I'm currently evaluating methods for making our database accessible from the outside (-> Internet), e.g. for field staff. The Oracle Security Guide states that poking a hole through the firewall on port 1521 isn't (obviously) a good idea, which, I guess, applies whether the listener is password protected or not. So I have currently considered the following approaches:
> 1) set up a VPN to connect the external PC to the Intranet.
> 2) use TCPS in combination with a certificate/wallet as a listener protocol and let the TCPS listener port through the firewall.
> 3) use an application level proxy to additionally tighten security (<- but I couldn't find one)
>
> I searched the Internet and found that Oracle works somewhat like FTP, i.e. it uses a randomly negotiated port for a reconnect, which would make approach No 2 unusable unless the firewall was also equipped with a special plugin, which I couldn't find either.
>
> So my question is if you can explicitly recommend one approach (or a combination) over the other. Maybe you could also help me out with some discussion URL on that topic or such, as I couldn't discover a helpful one.
>
> Greetings and many thanks
> Marcus

https?
"Marcus Ilgner" <Marcus.Ilgner@gerig.de> wrote in message news

> Hello everyone,
>
> I'm currently evaluating methods for making our database accessible from the outside (-> Internet), e.g. for field staff. The Oracle Security Guide states that poking a hole through the firewall on port 1521 isn't (obviously) a good idea, which, I guess, applies whether the listener is password protected or not. So I have currently considered the following approaches:
> 1) set up a VPN to connect the external PC to the Intranet.
> 2) use TCPS in combination with a certificate/wallet as a listener protocol and let the TCPS listener port through the firewall.
> 3) use an application level proxy to additionally tighten security (<- but I couldn't find one)
>
> I searched the Internet and found that Oracle works somewhat like FTP, i.e. it uses a randomly negotiated port for a reconnect, which would make approach No 2 unusable unless the firewall was also equipped with a special plugin, which I couldn't find either.
>
> So my question is if you can explicitly recommend one approach (or a combination) over the other. Maybe you could also help me out with some discussion URL on that topic or such, as I couldn't discover a helpful one.
>
> Greetings and many thanks
> Marcus

Marcus,

What's the goal of making the database accessible over the internet?
Application access?
Application development?
Ad-hoc reporting?
What tools/interfaces will the 'outside' users be using? Are you using (can you use) Oracle's Application Server (iAS)?

++ mcs
Marcus Ilgner <Marcus.Ilgner@gerig.de> wrote in message news:<pan.2004.09.13.14.53.31.160993@gerig.de>...

> Hello everyone,
>
> I'm currently evaluating methods for making our database accessible from the outside (-> Internet), e.g. for field staff. The Oracle Security Guide states that poking a hole through the firewall on port 1521 isn't (obviously) a good idea, which, I guess, applies whether the listener is password protected or not. So I have currently considered the following approaches:
> 1) set up a VPN to connect the external PC to the Intranet.
> 2) use TCPS in combination with a certificate/wallet as a listener protocol and let the TCPS listener port through the firewall.
> 3) use an application level proxy to additionally tighten security (<- but I couldn't find one)
>
> I searched the Internet and found that Oracle works somewhat like FTP, i.e. it uses a randomly negotiated port for a reconnect, which would make approach No 2 unusable unless the firewall was also equipped with a special plugin, which I couldn't find either.

Most of the modern firewall products have the negotiation of this built in. You can use several products within Oracle to deal with this. http://download-west.oracle.com/docs...a96582/toc.htm - see esp. ch. 9.

VPN works, but I've only seen it be slow (since I'm normally using it to take over a PC remotely with a broadband connection and then using emulation products).

> So my question is if you can explicitly recommend one approach (or a combination) over the other. Maybe you could also help me out with some discussion URL on that topic or such, as I couldn't discover a helpful one.

If you have metalink access, there are a number of notes that explain specific ways to do things, like http://metalink.oracle.com/metalink/... p_id=270160.1 and http://metalink.oracle.com/metalink/... p_id=125021.1

Also check out otn.oracle.com, lots of stuff on there. http://www.oracle.com/technology/pro...-practices.pdf

jg
--
@home.com is bogus.
DJ: "Hef, every straight guy in the world wants to be you for one day."
Hugh Hefner: "Even some gay guys do."
This kind of depends on what your field staff do. Are they end users of an application? Are the dba's working at a client site? If app users, then build a password protected extranet. If dbas, then just set up ssh to get inside your firewall.

Rich

Marcus Ilgner <Marcus.Ilgner@gerig.de> wrote in message news:<pan.2004.09.13.14.53.31.160993@gerig.de>...

> Hello everyone,
>
> I'm currently evaluating methods for making our database accessible from the outside (-> Internet), e.g. for field staff. The Oracle Security Guide states that poking a hole through the firewall on port 1521 isn't (obviously) a good idea, which, I guess, applies whether the listener is password protected or not. So I have currently considered the following approaches:
> 1) set up a VPN to connect the external PC to the Intranet.
> 2) use TCPS in combination with a certificate/wallet as a listener protocol and let the TCPS listener port through the firewall.
> 3) use an application level proxy to additionally tighten security (<- but I couldn't find one)
>
> I searched the Internet and found that Oracle works somewhat like FTP, i.e. it uses a randomly negotiated port for a reconnect, which would make approach No 2 unusable unless the firewall was also equipped with a special plugin, which I couldn't find either.
>
> So my question is if you can explicitly recommend one approach (or a combination) over the other. Maybe you could also help me out with some discussion URL on that topic or such, as I couldn't discover a helpful one.
>
> Greetings and many thanks
> Marcus
On Mon, 13 Sep 2004 15:36:42 -0400, Mark C. Stock wrote:

> "Marcus Ilgner" <Marcus.Ilgner@gerig.de> wrote in message news
>
> > Hello everyone,
> >
> > I'm currently evaluating methods for making our database accessible from the outside (-> Internet), e.g. for field staff. The Oracle Security Guide states that poking a hole through the firewall on port 1521 isn't (obviously) a good idea, which, I guess, applies whether the listener is password protected or not. So I have currently considered the following approaches:
> > 1) set up a VPN to connect the external PC to the Intranet.
> > 2) use TCPS in combination with a certificate/wallet as a listener protocol and let the TCPS listener port through the firewall.
> > 3) use an application level proxy to additionally tighten security (<- but I couldn't find one)
> >
> > I searched the Internet and found that Oracle works somewhat like FTP, i.e. it uses a randomly negotiated port for a reconnect, which would make approach No 2 unusable unless the firewall was also equipped with a special plugin, which I couldn't find either.
> >
> > So my question is if you can explicitly recommend one approach (or a combination) over the other. Maybe you could also help me out with some discussion URL on that topic or such, as I couldn't discover a helpful one.
> >
> > Greetings and many thanks
> > Marcus
>
> Marcus,
>
> What's the goal of making the database accessible over the internet?
> Application access?
> Application development?
> Ad-hoc reporting?
> What tools/interfaces will the 'outside' users be using? Are you using (can you use) Oracle's Application Server (iAS)?
>
> ++ mcs

Hi Mark,

thank you (and the others, of course) for your feedback. The goal is to enable remote users to use our in-house business application (a Java application which uses JDBC to connect to the DB) to check stock availability, browse the music repertoire or remotely place orders.

So it is of importance that the process of establishing a secure connection is completely transparent to the user.

Greetings
Marcus