Paul - We have some of the similar issues here (network/firewall/VPN/Oracle Net). Based on your description of your business, you probably have some competent network engineers on staff. My experience is that they routinely handle issues like this, and you probably won't need to get involved in the actual configuration. However, you should educate yourself in the security issues involved so you can participate intelligently in any discussions from the database point of view. As a starter, I am including two recent excellent postings to this list from Tim Gorman and Ian MacGregor. Just scroll down.
Dennis Williams
DBA
Lifetouch, Inc.
[EMAIL PROTECTED]

Sent: Thursday, August 07, 2003 10:25 AM
To: Multiple recipients of list ORACLE-L

Sandro,

There is an excellent book on "Oracle Security" available online from "http://www.sans.org". Concise, organized, and prioritized. Also, Newman and Theriault's "Oracle Security Handbook" from Oracle Press is chock full of common sense...

Not sure what the question about "automating the migration of stored procedures" refers to. Could you provide more information? I don't think I understand the problem...

Storing password files on the database server is mainly an exercise in ensuring that OS security and file permissions are properly implemented. If you cannot ensure that OS files are properly secured, then the entire Oracle database is at risk, not to mention files containing clear-text passwords. After all, one can view data within datafiles using programs other than the Oracle RDBMS...

The idea of creating production schemas/logins to separate object ownership from application/end-user access is excellent. To avoid using synonyms, consider the functionality of the "ALTER SESSION SET CURRENT_SCHEMA = <ownership-schema>" command being executed in an AFTER LOGON trigger in all accounts used for end-user access. It is a little-known but wonderfully manageable bit of functionality...

Hope this helps...

-Tim

-----Original Message-----
Sent: Wednesday, October 01, 2003 5:19 PM
To: Multiple recipients of list ORACLE-L

Our security folks just sent me this.

Ian MacGregor
Stanford Linear Accelerator Center
[EMAIL PROTECTED]

-----Original Message-----
Sent: Tuesday, September 30, 2003 1:35 PM
To: [EMAIL PROTECTED]

I've posted the presentation I gave at OracleWorld last month. This presentation covers writing secure code in Oracle databases and Oracle Application Server.
The topics covered include:

- Managing state
- Query parameters
- Hidden fields
- Cookies
- Cross-site scripting
- SQL Injection
- PL/SQL Injection
- Buffer overflows in EXTPROC
- Resources

You can download the presentation at http://www.appsecinc.com/techdocs/presentations.html under the heading "Writing Secure Code in Oracle Presentation".

I welcome comments and criticisms.

Regards,
Aaron
_______________________________
Aaron C. Newman
CTO/Founder
Application Security, Inc.
www.appsecinc.com
Phone: 212-420-9270
Fax: 212-420-9680
- Securing Business by Securing Enterprise Applications -

Sent: Friday, October 24, 2003 10:14 AM
To: Multiple recipients of list ORACLE-L

We are an Application Service Provider--we maintain a set of servers in a colocation facility and our customers use our application via the Web. Security is a paramount concern, of course, and only our Web server has a public IP address, with the application and database servers completely private.

We supply a number of standard reports, but most of our customers want some custom reports as well. We would like to give them access to our database, possibly over a VPN, but only if security can be maintained.

I'd like to know if anyone has faced such a situation, and what kind of configuration (network/firewall/VPN/Oracle Net) might make such access possible.

TIA,

=====
Paul Baumgartel
Transcentive, Inc.
www.transcentive.com

--
Please see the official ORACLE-L FAQ: http://www.orafaq.net
--
Author: Paul Baumgartel
INET: [EMAIL PROTECTED]

Fat City Network Services -- 858-538-5051 http://www.fatcity.com
San Diego, California -- Mailing list and web hosting services
---------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
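
The schema-separation approach described in Tim's message above (objects owned by one schema, end users logging in through another, and an AFTER LOGON trigger issuing ALTER SESSION SET CURRENT_SCHEMA instead of synonyms), as an added example that is not part of any message in this thread. The names app_owner, report_user, report_reader and report_orders, the passwords, and the USERS tablespace are placeholders assumed for illustration.

```sql
-- Added example: all names, passwords and the USERS tablespace are placeholders.
-- Run steps 1-4 as a DBA account.

-- 1. Ownership schema: holds the objects and is locked, so nobody logs in as owner.
CREATE USER app_owner IDENTIFIED BY "Placeholder_Owner_1"
  DEFAULT TABLESPACE users QUOTA 10M ON users ACCOUNT LOCK;

CREATE TABLE app_owner.report_orders (
  order_id  NUMBER        PRIMARY KEY,
  customer  VARCHAR2(40)  NOT NULL,
  amount    NUMBER(10,2)  NOT NULL
);

-- 2. Access is granted through a role carrying only what the reports need.
CREATE ROLE report_reader;
GRANT SELECT ON app_owner.report_orders TO report_reader;

-- 3. End-user login: may connect and read, owns no objects.
CREATE USER report_user IDENTIFIED BY "Placeholder_User_1";
GRANT CREATE SESSION TO report_user;
GRANT report_reader TO report_user;

-- 4. Logon trigger scoped to that one account: unqualified object names
--    now resolve in APP_OWNER, so no synonyms have to be maintained.
CREATE OR REPLACE TRIGGER report_user.set_current_schema
AFTER LOGON ON report_user.SCHEMA
BEGIN
  EXECUTE IMMEDIATE 'ALTER SESSION SET CURRENT_SCHEMA = APP_OWNER';
END;
/

-- 5. Verification, connected as report_user: the login identity is unchanged,
--    only the schema used for name resolution differs.
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER')   AS login_account,
       SYS_CONTEXT('USERENV', 'CURRENT_SCHEMA') AS resolves_in
FROM   dual;

-- Unqualified reference; resolved as app_owner.report_orders.
SELECT COUNT(*) FROM report_orders;
```

CURRENT_SCHEMA changes only how unqualified names are resolved; the session still holds only report_user's privileges, so objects not granted through report_reader remain inaccessible.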