There are things you can do to make it more difficult, but I don't believe there to be a foolproof way to enforce. See a lengthy discussion here.
In EBS, this is very easy, just enable tcp.validnode_checking by registering hosts in Oracle Applications Manager.
This adds in $TNS_ADMIN/sqlnet.ora on the DB server
tcp.validnode_checking = yes
tcp.invited_nodes = (db_server, app_server)
You can add any server that has a legitimate need to connect to the database. All other connections will be refused from SQLNet.
R12 How To Add Applications Sqlnet.ora TCP.VALIDNODE_CHECKING (Doc ID 1588841.1)
11.5.10 New Features : Managed SQL*Net Access from Hosts (Doc ID 291897.1)
Check those profile if they do what you need
POS: External Responsibility Flag
Responsibility Trust Level
iSP Default Responsibility For External User