The way SQLNet protocol works is the following:
1) A client wants to access a Oracle server so open a session on port 1521 (SQLNet).
2) Then the Server opens a session into the client in a random (as far as I know) port of the client and from a random (as far as I know) port of the server.
3) Once this is opened... this session is finished. I think is a tpye of user validation or whatever.
4) The data and the rest of the session works thru the port 1521 of the server.
So? What is the problem? If you need to stablish a session from a client into a server with a firewall in the middle your need to open all ports between both machines. This could be not consider a problem but if the client is a Webserver and the server is the Oracle server to feed that Webserver if someone get control of the Webserver using port 80 then can jump into the Oracle server using ANY port. That's a problem.
Now. CISCO PIX when you authorize SQLNet between two IPs controls this second session using something I found named as dynamic firewall. So what is doing is allowing a session on any port in the following milliseconds of a valid session on port 1521 (or something like that).
I consider this a virtual security hole since playing around with this is theoricaly possible to cheat the system. But of course having all the ports open all the time is much more unsecure.
ASTARO (as far as I know) has no understanding of SLQNet (while CISCO PIX have it) so I need to open all the ports.
Any idea if ASTARO people are working on this?????
Thank you.
Javier
This thread was automatically locked due to age.
