Marco Pauck wrote:
> > As someone mentioned previously, Oracle has a document explaining the
> > issues with SQLnet and firewalls in fairly good detail. The document
> > name is "SQL*Net and Firewalls" and is dated October 1995. It is labeled
> > "Part C10451". The following is an excerpt from that document:
> > "When the IP port number of the SQL*Net connection can be determined in advance,
> > such as 1521, then connection can be permitted with some degree of security.
> > Systems running multi-threaded servers, pre-spawned servers, or ones with
> > architectures that do not support IP port sharing, require dynamic port allocation
> > which tends to prevent connections. Firewall support where IP port redirection
> > is employed requires an intelligent filter to monitor the port redirection
> > information during the connect phase so that the filter can selectively open
> > up the required port. Alternatively, a wide range of ports would have to be
> > opened in advance, which would severely compromise security. In an application
> > proxy solution the proxy itself handles IP port redirection issues."
> > The architecture support mentioned above implies operating system and
> > TCP/IP implementation. I've *heard* that AIX has this limitation.
> I should mention that we use plug-gw with AIX 3.2.5 without problems.
> No, I don't know about AIX 4.1.
I've just read the "SQL*Net and Firewalls" White Paper from Oracle, my
understanding is summarized below -
1. Multi-Threaded Server (MTS) and pre-spawned servers ALWAYS use dynamic
2. "Dedicated Server" may either use
a) a single port number, say 1521; or
b) dynamic port numbers
Wherever possible, option (a) is taken.
It is the operating system and TCP/IP protocol implementation that
determines which option is taken, not the version of Oracle or
3. Oracle is producing (i.e. not available yet) a SQL*Net proxy which
Oracle encourage FW vendors to integrate into their products.
The proxy is based on the Oracle Multi-Protocol Interchange (MPI)
and will support SQL*Net V2 only.
Therefore, my observation is that -
1. There is no satisfactory solution for allowing SQL*Net traffic
through FW if Oracle is configured as MTS or pre-spawned servers.
No application proxy at present handles this.
What Gary Flynn quoted from the White Paper ("In an application proxy
solution the proxy itself handles IP port redirection issues.") is only a
requirement that FW vendors need to work on. This product doesn't
exist at this moment.
2. There is no mention in the White Paper as to what OS and what TCP/IP
implementation will cause a Dedicated Server to use dynamic port
numbers. The limitation seems to be applicable to those that
"do not support IP port sharing".
3. My preliminary (VERY preliminary) testing using Oracle 7 on
HP-UX 9.x using SQL*Net v1 and Solaris 2.4 using both SQL*Net v1
and v2 revealed that a FIXED port number on the server is used.
The client port number is random but is constant for that specific
session. In such a case, it is possible to apply simple filtering
rules on screening routers or use such things as Plug-GW. There is
no need for setting up a Server to Server interchange.
Does anyone have comments, either agreeing or disagreeing with my observations?
Also, is anybody aware whether any Stateful Inspection FW can handle the
session redirect by the Listener to the MTS? I suppose this is rather
easy to implement, isn't it?
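A small model of the "intelligent filter" the white paper calls for, added here as an example that is not part of this thread or of any Oracle or firewall product: it permits the connect phase on the fixed listener port, parses the listener's redirect reply to learn the dynamically allocated port, and opens a pinhole for that one client and port only, instead of a wide range of ports. The TNS framing it assumes (8-byte header, packet type 5 for REDIRECT, a 2-byte data length, then an address string) and the sample packets are assumptions, not taken from the thread.

```python
# Added example: a redirect-aware stateful filter for SQL*Net (model, not product code).
# Assumed TNS framing: 8-byte header (length, checksum, type, reserved, header checksum),
# type 5 = REDIRECT, then a 2-byte redirect-data length and an address string such as
# "(ADDRESS=(PROTOCOL=tcp)(HOST=...)(PORT=1526))". Sample packets are constructed.
import re
import struct

LISTENER_PORT = 1521   # the fixed, known-in-advance listener port (assumed)
TNS_REDIRECT = 5       # TNS packet type for REDIRECT (assumed)


def parse_redirect_port(packet: bytes):
    """Return the port named in a TNS REDIRECT packet, or None if it is not one."""
    if len(packet) < 10:
        return None
    length, _cksum, ptype, _rsv, _hcksum = struct.unpack(">HHBBH", packet[:8])
    if ptype != TNS_REDIRECT or length != len(packet):
        return None
    (dlen,) = struct.unpack(">H", packet[8:10])
    addr = packet[10:10 + dlen].decode("ascii", errors="replace")
    m = re.search(r"\(PORT=(\d+)\)", addr, re.IGNORECASE)
    return int(m.group(1)) if m else None


class SqlnetFilter:
    """Stateful filter: allow the fixed listener port; open a per-client pinhole on redirect."""

    def __init__(self):
        self.pinholes = set()   # (client_ip, server_ip, server_port) opened by a redirect

    def allow(self, src, dst, dport):
        if dport == LISTENER_PORT:
            return True         # connect phase to the listener is always permitted
        return (src, dst, dport) in self.pinholes   # only the redirected port, only that client

    def observe_reply(self, server_ip, client_ip, payload):
        """Inspect a listener->client packet; open a pinhole if it is a REDIRECT."""
        port = parse_redirect_port(payload)
        if port is not None:
            self.pinholes.add((client_ip, server_ip, port))
        return port


def build_redirect(address: str) -> bytes:
    """Constructed sample REDIRECT packet (assumed framing) for exercising the filter."""
    data = address.encode("ascii")
    body = struct.pack(">H", len(data)) + data
    return struct.pack(">HHBBH", 8 + len(body), 0, TNS_REDIRECT, 0, 0) + body
```

A real filter would also tear the pinhole down when the redirected session closes, which this model omits.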