Network Security Firewalls

Re: securing Oracle tnslistener on firewall.

Subject: Re: securing Oracle tnslistener on firewall.
Date: Tue, 06 Dec 2005 21:47:58 -0500
mjohn2000_99@yahoo.com wrote:
Hello friends,
My oracle people tell me to open up all TCP high ports to allow SQL communication. I see a security issue there because it would open up about 60K ports.


My test shows that the only port used by the TNS listener is 1521. But, Oracle people claim that when there is a need for many connections, Oracle would spawn more dedicated processes for each connection and redirect connections to random high ports. My research showed that claim is correct. But, it is a risky thing to open up too many ports.

Please advise me how I can make the SQL communication secure. If you know any article explaining the security, please point me in that direction.

Thank you….
John


John,

I experienced the same problem with the developers that do not think about overall security. I currently support an infrastructure with 4 DMZ-located web servers retrieving data from 2 Oracle servers on an isolated server subnet.

The firewall is configured to listen on port 1521 on the DMZ-connected interface (an alias). The Oracle client is then configured to point to dmzaddy:1521. The firewall can then handle the high-port connectivity through redirection (either with rules on a stateful packet filter to minimize exposure, or built in on some application-level firewalls).

I have experienced no problems with this configuration mentioned above (using a sidewinder, ymmv). One oracle server is 10g, the other is a 9i.

You could also look at using the "USE_SHARED_SOCKET" option on the Oracle server (Windows). Take a look on Metalink. I had to set this in the past when using a packet

Jim
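The behaviour John describes (the listener on 1521 answering with a redirect to a random high port) is what forces the "open 60K ports" request, and the redirection handling Jim describes is what a TNS-aware firewall helper does instead: it reads the listener's REDIRECT reply and opens a one-shot pinhole for that client and that port only. The Python below is an added illustration of that helper, not code from the thread, from Oracle, or from any firewall product. It assumes the classic TNS wire layout (an 8-byte header of packet length, checksum, type, flags and header checksum, with type 5 being REDIRECT, followed by a 2-byte data length and a connect-address string); the REDIRECT packet it parses is constructed inline for the demonstration, not captured from a real listener.

```python
import re
import struct

LISTENER_PORT = 1521
TNS_REDIRECT = 5  # TNS packet type for REDIRECT (assumed layout, see lead-in)


def build_redirect_packet(host: str, port: int) -> bytes:
    """Construct a TNS REDIRECT packet as a listener would send it.

    This is a constructed sample for the demonstration, not a capture.
    """
    address = f"(ADDRESS=(PROTOCOL=tcp)(HOST={host})(PORT={port}))".encode()
    body = struct.pack("!H", len(address)) + address
    length = 8 + len(body)
    # header: packet length, packet checksum, type, flags, header checksum
    header = struct.pack("!HHBBH", length, 0, TNS_REDIRECT, 0, 0)
    return header + body


def parse_tns_packet(data: bytes) -> dict:
    """Split a TNS packet into header fields and body, rejecting short/truncated input."""
    if len(data) < 8:
        raise ValueError("short TNS header")
    length, _csum, ptype, _flags, _hcsum = struct.unpack("!HHBBH", data[:8])
    if length < 8 or length > len(data):
        raise ValueError("truncated or malformed TNS packet")
    return {"type": ptype, "length": length, "body": data[8:length]}


_PORT_RE = re.compile(rb"\(PORT=(\d{1,5})\)")


def redirect_port(data: bytes):
    """Return the port a REDIRECT packet points the client at, or None.

    Only unprivileged ports are accepted: a redirect to a low port is treated
    as suspicious and ignored rather than opened on the firewall.
    """
    pkt = parse_tns_packet(data)
    if pkt["type"] != TNS_REDIRECT or len(pkt["body"]) < 2:
        return None
    (dlen,) = struct.unpack("!H", pkt["body"][:2])
    address = pkt["body"][2:2 + dlen]
    m = _PORT_RE.search(address)
    if not m:
        return None
    port = int(m.group(1))
    return port if 1024 <= port <= 65535 else None


class TnsPinholeHelper:
    """Stateful helper: 1521 is always allowed, high ports only after a redirect.

    Pinholes are keyed on (client, port) and consumed on first use, so a
    redirect seen by one client never opens the port for anyone else.
    """

    def __init__(self, server_ip: str):
        self.server_ip = server_ip
        self.pinholes = set()  # (client_ip, server_port)

    def observe_server_to_client(self, client_ip: str, data: bytes):
        """Inspect listener -> client traffic; register a pinhole on REDIRECT."""
        port = redirect_port(data)
        if port is not None:
            self.pinholes.add((client_ip, port))
        return port

    def allow(self, client_ip: str, dst_ip: str, dst_port: int) -> bool:
        """Decide whether a new client -> server TCP connection may pass."""
        if dst_ip != self.server_ip:
            return False
        if dst_port == LISTENER_PORT:
            return True
        key = (client_ip, dst_port)
        if key in self.pinholes:
            self.pinholes.discard(key)  # one-shot: used once, then closed
            return True
        return False


if __name__ == "__main__":
    helper = TnsPinholeHelper("10.0.0.5")          # constructed server address
    reply = build_redirect_packet("10.0.0.5", 49152)
    print("1521 allowed:", helper.allow("192.0.2.10", "10.0.0.5", 1521))
    print("49152 before redirect:", helper.allow("192.0.2.10", "10.0.0.5", 49152))
    print("redirect port seen:", helper.observe_server_to_client("192.0.2.10", reply))
    print("49152 after redirect:", helper.allow("192.0.2.10", "10.0.0.5", 49152))
    print("49152 reused:", helper.allow("192.0.2.10", "10.0.0.5", 49152))
```

The point of the one-shot, per-client pinhole is the contrast with John's "open all high ports" request: the firewall's exposure is one port, for one client, for one connection, and only after the listener itself asked for it. A plain stateful packet filter without this inspection cannot know which high port to expect, which is why Jim's alternative of USE_SHARED_SOCKET (keeping every connection on 1521) is the simpler route where the platform supports it.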
