Mario,

> - Should I create a DMZ and put this DB server there?

Definitely you want your Oracle database behind a firewall. Even Oracle will tell you the database is not meant to be exposed to the internet directly. Lots of pretty simple DOS attacks if you aren't totally patched, and even more serious attacks exist in the external procedure server, listener, and database instance.

From the database perspective, you can download a free evaluation of AppDetective for Oracle from www.oraclesecurity.net. It does pen testing and VA against an Oracle database. Takes both an inside-out (security from valid user perspective) and outside-in approach (security from unauthorized attacker perspective).

Regards,
Aaron

____________________________________________
Aaron C. Newman
CTO/Founder
Application Security, Inc.
Tel: 212-490-6022
Fax: 212-490-6456
E-mail: [EMAIL PROTECTED]
Web: http://www.appsecinc.com
- Protection Where it Counts -

-----Original Message-----
From: Mario Behring [mailto:[EMAIL PROTECTED]]
Sent: 22 January 2002 07:52
To: [EMAIL PROTECTED]
Subject: Vulnerability analysis tools

Hi list,

Does anybody know some good tool for testing a small environment for vulnerabilities? I have the following scenario:

1- A web server hosted at an IDC (Internet Data Center)
2- A router connected to the IDC via a link (T1 or something)
3- One Microsoft ISA Server running as a firewall with 2 NICs, one connected to the router described in item 2 and the other connected to the internal network.
4- A database server - Oracle running on Windows 2000 Server in the internal network. This DB will be accessed by Internet users that visit the website (located at the web server described in item 1) depending on the options they choose at the web page.

I need to analyse the vulnerabilities in such a scenario and report them. Is there any tool (freeware or not) that analyses this scenario from various points of view? For instance, I have to analyse this from the perspective of someone accessing the web page and then accessing the DB server at the internal network.

I have some other questions:
- Should I put a real firewall in place (Firewall-1 or Raptor for example) instead of this ISA Server?
- Should I create a DMZ and put this DB server there?

Thanks in advance.

Mario
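The thread's core point is that the Oracle listener must never be reachable from the internet at large, only from the one web server that needs it. The following script, which is an added example and not code from either poster or from AppDetective, models that policy as a firewall-rule audit: it takes a rule set for Mario's scenario (web server at the IDC, ISA firewall, Oracle on the internal LAN) and reports any allow rule that lets a source outside the approved list reach the listener port. Addresses, rule layout and the helper names are all constructed for this example; the default listener port 1521 is the standard Oracle TNS port.

```python
import ipaddress

ORACLE_LISTENER_PORT = 1521  # default Oracle TNS listener port

# Constructed addresses for the scenario in the thread (documentation and
# private ranges, not real hosts):
#   web server at the IDC  -> 203.0.113.10
#   Oracle DB on the LAN   -> 10.0.0.20
WEB_SERVER = "203.0.113.10"
DB_SERVER = "10.0.0.20"

# Weak rule set: the listener is opened to the whole internet so that the
# web application can reach it. First-match semantics, explicit final deny.
WEAK_RULES = [
    {"src": "0.0.0.0/0", "dst": f"{DB_SERVER}/32", "port": 1521, "action": "allow"},
    {"src": "0.0.0.0/0", "dst": "0.0.0.0/0", "port": None, "action": "deny"},
]

# Hardened rule set: only the IDC web server may reach the listener.
HARDENED_RULES = [
    {"src": f"{WEB_SERVER}/32", "dst": f"{DB_SERVER}/32", "port": 1521, "action": "allow"},
    {"src": "0.0.0.0/0", "dst": "0.0.0.0/0", "port": None, "action": "deny"},
]


def _rule_matches(rule, src, dst, port):
    """True if a single rule covers the src -> dst:port flow (port None = any)."""
    return (
        ipaddress.ip_address(src) in ipaddress.ip_network(rule["src"])
        and ipaddress.ip_address(dst) in ipaddress.ip_network(rule["dst"])
        and rule["port"] in (None, port)
    )


def flow_allowed(rules, src, dst, port=ORACLE_LISTENER_PORT):
    """First-match evaluation of a flow; anything no rule covers is denied."""
    for rule in rules:
        if _rule_matches(rule, src, dst, port):
            return rule["action"] == "allow"
    return False  # implicit deny


def audit_listener_exposure(rules, db_host, allowed_sources, port=ORACLE_LISTENER_PORT):
    """Return a finding for every allow rule that lets a source outside
    allowed_sources reach db_host on the listener port."""
    findings = []
    allowed = [ipaddress.ip_network(a) for a in allowed_sources]
    db = ipaddress.ip_address(db_host)
    for rule in rules:
        if rule["action"] != "allow" or rule["port"] not in (None, port):
            continue
        if db not in ipaddress.ip_network(rule["dst"]):
            continue
        src = ipaddress.ip_network(rule["src"])
        # A rule is acceptable only if its whole source range sits inside
        # one of the approved sources; a broad range such as 0.0.0.0/0 fails.
        if not any(src.subnet_of(a) for a in allowed):
            findings.append(
                f"allow {rule['src']} -> {db_host}:{port} exceeds approved sources {allowed_sources}"
            )
    return findings


if __name__ == "__main__":
    approved = [f"{WEB_SERVER}/32"]
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, audit_listener_exposure(rules, DB_SERVER, approved) or "no findings")
        print("  internet host reaches listener:", flow_allowed(rules, "198.51.100.7", DB_SERVER))
        print("  web server reaches listener:   ", flow_allowed(rules, WEB_SERVER, DB_SERVER))
```

Running it flags the weak set's `0.0.0.0/0` rule and passes the hardened set, while `flow_allowed` confirms that the web server still gets through in both. The same check applies unchanged if the database is moved into a DMZ: the approved-source list just becomes the DMZ web tier, and the audit should also be run against the rules between the DMZ and the internal LAN.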