Oracle and Firewalls

Original post: http://www.pauck.de/marco/misc/oracle_and_firewalls.html


Introduction

Oracle has a white paper (#22428) explaining the issues with SQL*Net and firewalls in fairly good detail. The following is an excerpt from that document:

When the IP port number of the SQL*Net connection can be determined in advance, such as 1521, then connection can be permitted with some degree of security. Systems running multi-threaded servers, pre-spawned servers, or ones with architectures that do not support IP port sharing, require dynamic port allocation which tends to prevent connections. Firewall support where IP port redirection is employed requires an intelligent filter to monitor the port redirection information during the connect phase so that the filter can selectively open up the required port. Alternatively, a wide range of ports would have to be opened in advance, which would severely compromise security. In an application proxy solution the proxy itself handles IP port redirection issues.

Summary

Vinci Chou <vkmchou@HK.Super.NET> kindly provided the following summary:

  1. Multi-Threaded Server (MTS) and pre-spawned servers always use dynamic port numbers.
  2. “Dedicated Server” may either use
    1. a single port number, say 1521; or
    2. dynamic port numbers
    Wherever possible, the first option is taken. It is the operating system and TCP/IP protocol implementation that determines which option is taken, not the version of Oracle or SQL*Net.
  3. Oracle is producing (i.e. it is not available yet, as of March 1996) a SQL*Net proxy, which Oracle encourages FW vendors to integrate into their products. The proxy is based on the Oracle Multi-Protocol Interchange (MPI) and will support SQL*Net V2 only.

Therefore, my observation is that:

  1. There is no satisfactory solution for allowing SQL*Net traffic through a FW if Oracle is configured as MTS or pre-spawned servers. No application proxy at present handles this. The White Paper statement Gary Flynn quoted, “In an application proxy solution the proxy itself handles IP port redirection issues.”, is only a requirement that FW vendors need to work on. This product doesn't exist at this moment.
  2. There is no mention in the White Paper as to what OS and what TCP/IP implementation will cause a Dedicated Server to use dynamic port numbers. The limitation seems to be applicable to those that “do not support IP port sharing”.
  3. My preliminary (very preliminary) testing using Oracle 7 on HP-UX 9.x using SQL*Net v1 and Solaris 2.4 using both SQL*Net v1 and v2 revealed that a fixed port number on the server is used. The client port number is random but is constant for that specific session. In such a case, it is possible to apply simple filtering rules on screening routers or use such things as plug-gw. There is no need for setting up a server to server interchange.

I can add that Oracle 7.1 on AIX 3.2.5 and Oracle 7.3 on Solaris 2.5 reveal the same behaviour, i.e. simple filtering rules on screening routers or such things as plug-gw from TIS's Firewall Toolkit may be used. However, Oracle 7.3 on Windows NT does not work this way.
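The point made above is that a dedicated-server configuration needs only static filter rules (fixed listener port on the server, any ephemeral port on the client), whereas MTS or pre-spawned servers redirect the client to a dynamically chosen port that no static rule can anticipate. The following is an added example, not code from the original page, that models such a screening-router rule set in Python and runs a dedicated-server session and an MTS-style redirected session through it. The addresses, the client ephemeral ports and the redirect port 33000 are constructed for the example; only port 1521 comes from the text.

```python
# Added example: a minimal screening-router packet filter for SQL*Net traffic.
# Shows why a fixed listener port (1521) is filterable with static rules while
# MTS/pre-spawned port redirection is not. Addresses and ports other than 1521
# are constructed sample values.
from dataclasses import dataclass
from typing import List, Optional

SQLNET_PORT = 1521
DB_SERVER = "10.0.0.5"       # constructed: Oracle server address
CLIENT_NET = "192.168.1."    # constructed: internal client subnet prefix


def addr_matches(addr: str, spec: str) -> bool:
    """A spec ending in '.' is a subnet prefix; anything else is an exact host."""
    return addr.startswith(spec) if spec.endswith(".") else addr == spec


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool  # False only for the initial SYN; True once "established"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "permit" or "deny"
    src: str
    sport: Optional[int]   # None means any source port
    dst: str
    dport: Optional[int]   # None means any destination port
    require_ack: bool      # only match established traffic

    def matches(self, p: Packet) -> bool:
        return (addr_matches(p.src, self.src)
                and (self.sport is None or p.sport == self.sport)
                and addr_matches(p.dst, self.dst)
                and (self.dport is None or p.dport == self.dport)
                and (p.ack or not self.require_ack))


RULES = [
    # Clients may open connections to the listener. The client's random
    # ephemeral port is irrelevant because sport is left unrestricted.
    Rule("client->listener", "permit", CLIENT_NET, None, DB_SERVER, SQLNET_PORT, False),
    # Replies from the listener port back to clients, established segments only,
    # so the server cannot initiate connections into the client network.
    Rule("listener->client", "permit", DB_SERVER, SQLNET_PORT, CLIENT_NET, None, True),
]


def decide(p: Packet) -> str:
    """First matching rule wins; anything unmatched is denied by default."""
    for r in RULES:
        if r.matches(p):
            return r.action
    return "deny"


def run(packets: List[Packet]) -> List[str]:
    return [decide(p) for p in packets]


def dedicated_server_session() -> List[Packet]:
    """Fixed server port, random but constant client port: fully permitted."""
    client, cport = CLIENT_NET + "20", 40123   # constructed values
    return [Packet(client, cport, DB_SERVER, SQLNET_PORT, False),
            Packet(DB_SERVER, SQLNET_PORT, client, cport, True),
            Packet(client, cport, DB_SERVER, SQLNET_PORT, True)]


def mts_session(redirect_port: int = 33000) -> List[Packet]:
    """Listener answers with a redirect to a dynamic port; the data connection
    that follows hits no static rule and is dropped."""
    client, cport = CLIENT_NET + "20", 40123   # constructed values
    return [Packet(client, cport, DB_SERVER, SQLNET_PORT, False),
            Packet(DB_SERVER, SQLNET_PORT, client, cport, True),      # redirect reply
            Packet(client, cport + 1, DB_SERVER, redirect_port, False),  # new data connection
            Packet(DB_SERVER, redirect_port, client, cport + 1, True)]


if __name__ == "__main__":
    print("dedicated:", run(dedicated_server_session()))
    print("mts:      ", run(mts_session()))
```

Running the block prints every segment of the dedicated-server session as permitted and the last two segments of the MTS session as denied. Opening the redirected port range in advance would fix the MTS case only at the cost the White Paper warns about; a filter that parses the redirect during the connect phase, or the proxy the summary describes, is the alternative.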
