views: 785
answers: 3

For security reasons, we'd like to limit an oracle user to only connect from a specific IP address. Is this possible?

If so, how can we configure this?

+2  A: 

I would recommend that you use your firewall for this purpose. If you're on Linux, it should be possible to use iptables to set up a rule so that only one specific IP address can access the ports that Oracle is listening on.

Ola Bini
This isn't an answer. "limiting all oracle activity to one IP" is not the same as "limit connections to oracle using a specific username to one IP"
jj33
Guy's right though. Building network security into the application level is not right. It could conceivably be argued for as defense in depth, but then if we're going to start replicating external functionality in our application why not just go whole hog and embed our own networking stack?
JosefAssad
Is it bad form to comment twice? Pre-emptive apologies... If someone asks how precisely the cart can be made to pull the horse, answering the question directly doesn't really add much value, I'd say.
JosefAssad
This doesn't help... I want one user (with ~admin privileges) to be bound to one machine, while query users can connect from anywhere.
IronGoofy
JosefAssad, the difference is that there's very good reason to embed it in the app stack. Yes, of course you limit the incoming IPs that can connect to oracle. And in addition you limit specific IPs to specific usernames, which will add to the security, not replace it - belt and suspenders.
jj33
jj33, I suppose I could see it that way. It isn't inconceivable that an app might be configured to be picky, for example, about which IP it permits which rights. I think my position therefore is: don't do it unless you've thought it through and still think you ought to. :)
JosefAssad
+6  A: 

Put a:

SELECT SYS_CONTEXT('USERENV', 'IP_ADDRESS') FROM dual;

into your AFTER LOGON trigger and throw an exception when it's not allowed.

Quassnoi
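Worked out as a complete trigger (an added example, not Quassnoi's code): a small table of allowed (username, IP address) pairs, consulted by an AFTER LOGON ON DATABASE trigger. The table name RESTRICTED_USER_HOSTS, the account ADMINUSER and the address 10.0.0.5 are placeholders. Accounts that do not appear in the table are left alone, which gives the split the question asks for: the admin account pinned to one machine, query users connecting from anywhere.

```sql
-- Added example; placeholder names and addresses throughout.
-- Create this as SYS (or another account holding ADMINISTER DATABASE
-- TRIGGER) so that the restricted users cannot edit the table or trigger.

CREATE TABLE restricted_user_hosts (
  username   VARCHAR2(128) NOT NULL,   -- as returned by SESSION_USER (upper case)
  ip_address VARCHAR2(64)  NOT NULL,   -- as returned by IP_ADDRESS (IPv4 or IPv6 text)
  CONSTRAINT restricted_user_hosts_pk PRIMARY KEY (username, ip_address)
);

-- Hypothetical admin account allowed only from one workstation.
INSERT INTO restricted_user_hosts (username, ip_address)
VALUES ('ADMINUSER', '10.0.0.5');
COMMIT;

CREATE OR REPLACE TRIGGER restrict_user_by_ip
AFTER LOGON ON DATABASE
DECLARE
  -- SYS_CONTEXT can be called directly in PL/SQL; no SELECT ... FROM dual needed.
  v_user       VARCHAR2(128) := SYS_CONTEXT('USERENV', 'SESSION_USER');
  v_ip         VARCHAR2(64)  := SYS_CONTEXT('USERENV', 'IP_ADDRESS');
  v_restricted NUMBER;
  v_allowed    NUMBER;
BEGIN
  -- Users not listed in the table (the ordinary query users) are unaffected.
  SELECT COUNT(*)
    INTO v_restricted
    FROM restricted_user_hosts
   WHERE username = v_user;

  IF v_restricted = 0 THEN
    RETURN;
  END IF;

  -- IP_ADDRESS is NULL for local (bequeath/IPC) connections. A NULL v_ip
  -- never matches a row, so such sessions are refused rather than let through.
  SELECT COUNT(*)
    INTO v_allowed
    FROM restricted_user_hosts
   WHERE username   = v_user
     AND ip_address = v_ip;

  IF v_allowed = 0 THEN
    RAISE_APPLICATION_ERROR(
      -20001,
      'User ' || v_user || ' is not permitted to connect from '
      || NVL(v_ip, 'a local connection'));
  END IF;
END;
/
```

To check it, connect as the restricted account from a host other than the listed one; the logon fails with ORA-20001 wrapped in ORA-04088 (error during execution of trigger). Two caveats matter in practice. First, an error raised in a logon trigger does not prevent logon for sessions that hold the ADMINISTER DATABASE TRIGGER privilege, so SYS and accounts with a typical DBA role are not fenced by this; it is a control for a named application-admin account, not for the DBA tier. Second, the trigger sees the address of whatever peer the listener accepted the connection from: a NAT gateway, jump host or SQL*Net proxy in between shows up as that device's address, not the user's workstation, so confirm the value of SYS_CONTEXT('USERENV', 'IP_ADDRESS') from the intended path before inserting it into the table.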
+1  A: 

Oracle Connection Manager should be available from your installation and acts as a proxy server for SQL*Net - you can configure firewall-like rules for connections with it.

dpbradley
Can you give me some more specific pointers to the options? Thanks!
IronGoofy
http://stanford.edu/dept/itss/docs/oracle/10g/network.101/b10775/cman.htm is the first link I found to the Oracle docs; it has an overview and the cman.ora syntax.
dpbradley
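A minimal cman.ora rule set in the shape the linked chapter describes, as an added example rather than dpbradley's configuration. The host names, the 10.0.0.5 address and the orcl service name are placeholders. A RULE matches on source (SRC), destination (DST) and service (SRV) and then accepts or rejects, so on its own Connection Manager restricts which hosts reach the database, not which database username they use; pairing it with the logon trigger above is what pins a single account to a single machine. Also note that once connections pass through Connection Manager, the database may see the Connection Manager host as the peer address, so verify what SYS_CONTEXT('USERENV', 'IP_ADDRESS') reports before combining the two.

```text
# cman.ora (added example; placeholder names and addresses)
cman_example =
  (CONFIGURATION =
    (ADDRESS = (PROTOCOL = tcp)(HOST = cman-host)(PORT = 1521))
    (RULE_LIST =
      # the admin workstation may reach service orcl on db-host
      (RULE = (SRC = 10.0.0.5)(DST = db-host)(SRV = orcl)(ACT = accept))
      # the application subnet may reach the same service
      (RULE = (SRC = 10.0.1.0/24)(DST = db-host)(SRV = orcl)(ACT = accept))
      # everything else is refused; stated explicitly so the intent is visible
      (RULE = (SRC = *)(DST = *)(SRV = *)(ACT = reject))
    )
    (PARAMETER_LIST =
      (MAX_GATEWAY_PROCESSES = 8)
      (MIN_GATEWAY_PROCESSES = 2)
    )
  )
```

Clients then point their tnsnames entry at cman-host:1521 instead of the database listener, and the database listener itself is firewalled so that only the Connection Manager host can reach it; otherwise the rules are trivially bypassed by connecting directly.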