Pete Finnigan's Oracle Security Forum (http://www.petefinnigan.com/forum/yabb/YaBB.cgi)
(Message started by: Pete Finnigan on Mar 29th, 2006, 4:38pm)

Title: SQL*Net Proxy <==> Connection Manager???
Post by Pete Finnigan on Mar 29th, 2006, 4:38pm
Hi all.

I need to create very secure access from several application servers to a critical database, and I don't like the traditional firewall in the middle of both.

Some years ago I liked to use the SQL*Net Proxy (developed by Oracle) included in the Raptor or Gauntlet firewalls. Today there is no SQL*Net Proxy included in the new Symantec Firewall or the evolution of Gauntlet, so I took a look at the Oracle website and found a product called Connection Manager.

What I read is very similar to the old proxy. I like the idea of having a system in the middle of the connection that stops the traffic from the Application Server and sends a new connection to the database, instead of letting the original Application Server connection in.

I'm not an Oracle or database expert, so I would like to know if anybody has knowledge of this product and feedback.

I'm open to new suggestions about how to secure the access to a database from application servers. I prefer ideas about proxies instead of typical inspection firewalls (of course I will put a firewall in front of the connection).

Thanks for your help in advance and sorry for my bad English.

Title: Re: SQL*Net Proxy <==> Connection Manager???
Post by Pete Finnigan on Mar 29th, 2006, 9:46pm
Yes, it is ... and even more, as extended functionalities make this a firewall-like filter, concentrator, logger etc. Used with good knowledge it becomes a Swiss knife (comes with the DB but not installed by default). Today... for a good DBA... lots of other options available... you may know that the listener service itself can be more than a "listener" (NetService = proxy as well), as it may be used as a proxy (no db, just listener comp. - service on a machine)... and this can be done with near 99% traffic encrypted with the prot. you like... Good luck (& feedback too)!

Title: Re: SQL*Net Proxy <==> Connection Manager???
Post by Pete Finnigan on Mar 30th, 2006, 6:51pm
Agreed, CMan is still a viable tool that can be deployed as part of an overall security scheme.

FYI: CMan has recently been relegated to an appendix of the 10g security courseware from Oracle.

-- Kevin Hrim

Title: Re: SQL*Net Proxy <==> Connection Manager???
Post by Pete Finnigan on Apr 3rd, 2006, 11:02pm
Thanks both for your help, but does anybody know if there is a similar tool (from Oracle or not) to avoid the use of certain Oracle commands?

That is, I'm looking for something similar to Connection Manager, but with the possibility to filter not only IPs and ports, but even Oracle commands.

Thanks again.

Title: Re: SQL*Net Proxy <==> Connection Manager???
Post by Pete Finnigan on Apr 4th, 2006, 8:12pm
The answer is yes, more than one. May I know why you ask this?
(your profile is hidden)

Title: Re: SQL*Net Proxy <==> Connection Manager???
Post by Pete Finnigan on Apr 5th, 2006, 3:25pm
Well, I clicked the button to not hide my profile :-/

But anyway, I will need these kinds of tools, because I'm in a pre-sales project to protect a very restricted database where I must put all the security checkpoints that I find.

I said in previous entries in the forum that I'm not an Oracle expert, so I will need help to fill my gap in this area.

The schema I'm trying to sell, more or less, is this:


Code:
Internet
    |
Load Balancers  
    |
    +----------- Firewall WEB
    |
    +----------- WEB
    |
    +----------- Application Servers
    |
Firewall
    |
Proxy or tool to forward
secure SQL sentences
    |
Firewall
    |
 Oracle

As you can see, I will install a DMZ area in separate LANs balanced by a load balancer system (Alteon/F5/...). Then the queries made by the application servers to the Oracle server must go through a firewall to an "Oracle Proxy" (this is what I need): software that intercepts all the queries made from the Application Server and filters them so that only the right queries get to the database, no insert, no write, etc...

As you can see, I will put two different firewall levels between the Application servers and the Oracle Database; this is for the high security needs in the internal network.

So this is my problem. Could you give me some products that could intercept and analyze the SQL*Net queries from the Application server to the database? Or do you have a better/more secure approach to my problem?

Sorry for my English, I know it is horrible.

Thanks a lot.

Title: Re: SQL*Net Proxy <==> Connection Manager???
Post by Pete Finnigan on Apr 5th, 2006, 4:56pm
One of the several layers of security that can be implemented is restriction of access to the objects in the database.

For example, if a DML privilege on a table is not granted, a procedure or function can be written that has access to the data, but on a controlled basis (maybe it implements proxy authentication). If the procedure only implements "select", the object hidden by the procedure should be safe from other forms of DML (update, insert or delete).

If this is coupled with strong authentication, Advanced Security Option, proxy roles, good design, virtual private database/fine grained access control, auditing, etc., it makes for a more secure environment.

-Kevin Hrim
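
The approach described in the post above (no DML privilege granted on the table, access only through a stored function that implements "select"), as an added example that is not part of the original thread. The schema, table, function and tablespace names and the passwords are hypothetical placeholders; the script assumes it is run by a DBA account.

```sql
-- Added example: all object names below are hypothetical.

-- Data owner: holds the table, is never used as a login.
CREATE USER app_data IDENTIFIED BY "placeholder_pw_1" ACCOUNT LOCK;
ALTER USER app_data QUOTA 10M ON users;   -- "users" tablespace is an assumption

CREATE TABLE app_data.customers (
  customer_id NUMBER        PRIMARY KEY,
  name        VARCHAR2(100) NOT NULL,
  card_number VARCHAR2(19)
);

-- Definer's-rights function: runs with app_data's privileges,
-- so the caller needs no grant on the table itself.
CREATE OR REPLACE FUNCTION app_data.get_customer (p_id IN NUMBER)
  RETURN SYS_REFCURSOR
  AUTHID DEFINER
AS
  c SYS_REFCURSOR;
BEGIN
  OPEN c FOR
    SELECT customer_id, name          -- card_number is deliberately not exposed
    FROM   app_data.customers
    WHERE  customer_id = p_id;        -- static SQL with a bind, no dynamic SQL
  RETURN c;
END;
/

-- Login used by the application servers: may connect and call the function only.
CREATE USER app_conn IDENTIFIED BY "placeholder_pw_2";
GRANT CREATE SESSION TO app_conn;
GRANT EXECUTE ON app_data.get_customer TO app_conn;

-- Check: the only object privilege listed should be EXECUTE on GET_CUSTOMER.
SELECT owner, table_name, privilege
FROM   dba_tab_privs
WHERE  grantee = 'APP_CONN';

-- Connected as app_conn, direct access fails because no table privilege exists:
--   SELECT * FROM app_data.customers;             -- ORA-00942
--   DELETE FROM app_data.customers;               -- ORA-00942
-- while the controlled path works:
--   SELECT app_data.get_customer(1) FROM dual;
```

Roles granted to app_conn, including PUBLIC grants, can still widen its access, so query dba_role_privs and dba_sys_privs for the same grantee as well.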

Title: Re: SQL*Net Proxy <==> Connection Manager???
Post by Pete Finnigan on Apr 5th, 2006, 10:41pm
I get the main idea. I know some 3-4 products that will do this for you - you'll need big names for a "good-looking" project but also "good names" for good support and top quality as well... I'll contact you in private for details... (don't know "marketing" details... you may check & contact your local representatives)...


