||Oracle Tips by Burleson
Chapter 4 General Oracle Security
Firewalls and Demilitarized Zones
Sometimes, this process is rather complicated,
especially in cases where the file transfer is rather regular. In
those cases, instead of establishing the server in the DMZ, the
external users directly interact with the servers inside the
firewall. Instead of using the regular ports for ftp, they use a
different port for a different type of ftp, known as Secure FTP (sftp
or ftps). A similar concept exists for http traffic in a secured
manner, known as secured http (https).
What if the company's web server interacts with
the database server during the normal course of business? Shouldn't
the ports of the database be open outside the firewall for these
Not at all. The
architecture should be designed in such a way that the database
server never has any ports open to the firewall. All application
traffic has to come to the application server, which should then
connect to the database server using the port defined by the
listener. The only allowable connection to the database server must
be from the application server using the listener
port (1521, usually; but it can be changed). If
the architecture enables the access of this port by the external
users and machines, seriously consider changing it. The preferred
architecture is shown in Figure 4.3.
Optimal application server, database server interaction
Some companies utilize more than one firewall –
one encompassing all the machines in the network, and the other
protecting the most important ones inside this firewall. Examples
include a database server, a document server containing important
documents, such as claims records, etc.
Generally, the port 80 is used for http
traffic. Besides this port, no other ports need be opened to carry
out the normal operation of business. If open, they will invite
hackers to get in through an unsecured doorway. Therefore, they
should be completely closed off.
This type of setup may need some tweaking to
allow the application server to connect to the database server. This
will be discussed in Chapter 7, under Network Security.
The Important points
Always use a firewall.
If needed, use a firewall around the
vulnerable servers like the database server.
Open only those ports needed for business,
no more than that.
The outside users should never connect from
the firewall directly.
Use a Demilitarized Zone, if convenient.
Otherwise, use secured ftp and http.
Download your Oracle scripts now:
definitive Oracle Script collection for every Oracle professional DBA