September 26th, 2003, 03:07 PM
client direct connect to SQLnet and why it's bad
I need to know if, and why, a direct connection to SQLnet is bad. I'm not all that familiar with database connectivity (i.e. SQLnet, Oracle listener, etc) but I HAVE seen published guidelines saying that it is a bad thing. We have a client that is wishing to have this type of connectivity to our databases, but our management doesn't really want them to (none of our other customers need it, so they shouldn't either) but we need to justify the reason they should not have direct connectivity like that. So, they asked me to justify it through security means... sigh.
Anyway, I'm hoping someone on here can point me in the right direction. I have only found a couple of exploits that use SQLnet, but I'm sure there are probably more of them out there that I have not stumbled across yet.
A real quick clarification.
The way it's working right now is they go through a web-based application that does the SQLnet connection itself, not the client machines. This client wants their workstations to have access to SQLnet directly vs. going through the webserver/app server to do it for them.
September 26th, 2003, 04:37 PM
HA! I just had an epiphany of sorts while sitting here going through mind-numbing whitepapers on SQLnet. Why should I bother even addressing SQLnet directly? Why not explain to them best practices on database security, i.e. why it's NEVER a good idea to allow direct access to the database itself? I found a really interesting read on that approach from MasterCard (which is good because we are a financial institution also) that has some good ammo for this meeting I have to go to on this in a bit.
Anyway, if you folks want to give information from this point forward feel free. More minds, and more information, the better for me. Thanks for reading my exceedingly boring posts today.