This discussion is archived
5 Replies Latest reply: Jan 18, 2013 2:55 PM by Osama_Mustafa

Restricting DB Access

895327 Newbie
I was asked if it was possible to restrict which users and/or client IPs connect to my Oracle 11.2 database. I guess I could just shut down the listener and have me and one other DBA connect to it via SSH / LOCALHOST, but I was wondering if there was a more DBA-specific way to restrict client connections to just two specific IPs over the Oracle listening port?

Thanks for any info...
  • 1. Re: Restricting DB Access
    EdStevens Guru
    CarlosinFL wrote:
    I was asked if it was possible to restrict which users and/or client IPs connect to my Oracle 11.2 database. I guess I could just shut down the listener and have me and one other DBA connect to it via SSH / LOCALHOST, but I was wondering if there was a more DBA-specific way to restrict client connections to just two specific IPs over the Oracle listening port?

    Thanks for any info...
    There are options available in sqlnet.ora, but this really is not the proper place to do IP filtering. I suppose if you are wanting to restrict it to just two IPs, you are speaking of the IP of an application server, not the IP of an end-user's desktop.
  • 2. Re: Restricting DB Access
    Brian Bontrager Expert
    We had a similar requirement recently in my shop.

    We looked at traditional firewall rules, SQL*NET Valid Node checking, and a database logon trigger.

    We went with a logon trigger in our situation, but it is not a perfect solution in itself, and not the right solution for everyone.
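
The logon-trigger approach mentioned in reply 2, sketched as an added example (not part of the original thread and not the poster's actual trigger). The table name `sec_allowed_clients`, the trigger name `trg_restrict_client_ip`, the error number and the 192.0.2.x addresses are assumptions made for illustration.

```sql
-- Added example: client IP allow-list enforced by an AFTER LOGON trigger.
-- Object names are hypothetical; addresses are constructed (documentation range).
CREATE TABLE sec_allowed_clients (
  ip_address VARCHAR2(45) PRIMARY KEY,
  note       VARCHAR2(100)
);

INSERT INTO sec_allowed_clients VALUES ('192.0.2.10', 'DBA workstation 1 (constructed)');
INSERT INTO sec_allowed_clients VALUES ('192.0.2.11', 'DBA workstation 2 (constructed)');
-- If a local application connects over TCP loopback rather than bequeath,
-- it appears as 127.0.0.1 and needs its own row:
INSERT INTO sec_allowed_clients VALUES ('127.0.0.1', 'local application via loopback');
COMMIT;

CREATE OR REPLACE TRIGGER trg_restrict_client_ip
AFTER LOGON ON DATABASE
DECLARE
  -- IP_ADDRESS is NULL for sessions that did not arrive over TCP
  -- (for example a local bequeath connection made after SSH to the server).
  v_ip      VARCHAR2(45) := SYS_CONTEXT('USERENV', 'IP_ADDRESS');
  v_allowed PLS_INTEGER;
BEGIN
  -- Let local, non-TCP sessions through so on-box DBA access keeps working.
  IF v_ip IS NULL THEN
    RETURN;
  END IF;

  SELECT COUNT(*)
  INTO   v_allowed
  FROM   sec_allowed_clients
  WHERE  ip_address = v_ip;

  -- An unhandled error raised in a logon trigger rejects the session.
  IF v_allowed = 0 THEN
    RAISE_APPLICATION_ERROR(-20001,
      'Connection from ' || v_ip || ' is not permitted');
  END IF;
END;
/
```

Accounts holding the ADMINISTER DATABASE TRIGGER privilege (which includes the DBA role) are still allowed to log on when a logon trigger raises an error, so this check does not constrain privileged users. The trigger also runs only after the listener has accepted the connection and the user has authenticated, which is one reason it is not a complete control by itself.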
  • 3. Re: Restricting DB Access
    JohnWatson Guru
    If you have an Enterprise Edition licence, you might want to look at using a Connection Manager. You can design reasonably clever rules for which hosts or IP addresses (or entire subnets) are allowed to connect to which services.
  • 4. Re: Restricting DB Access
    895327 Newbie
    EdStevens wrote:
    There are options available in sqlnet.ora, but this really is not the proper place to do IP filtering. I suppose if you are wanting to restrict it to just two IPs, you are speaking of the IP of an application server, not the IP of an end-user's desktop.
    Actually it's the other way around, and I apologize as I obviously have no experience or business being a DBA but would like to eventually become one. I just would like to know the protocol for a DBA if he did in fact want to only allow particular end-user desktop IPs. Our application server is only Clearquest and it's sadly also running locally on the same Linux box that has Oracle Database 11g installed. I would also like to eventually stand up a dedicated Oracle database server and just have the Clearquest (application server?) connect to the dedicated Oracle box.
  • 5. Re: Restricting DB Access
    Osama_Mustafa Oracle ACE
    There is more than one option. One of them is, like Ed said, through sqlnet.ora using tcp.validnode_checking; another way you can use is through an Oracle profile connect_time, or using a network firewall.
