Limiting access by IP address [message #163197] Wed, 15 March 2006 08:18
gatsby
Messages: 22
Registered: March 2006
Junior Member
I need some advice on how to limit access to my Oracle 9i database by IP address.

There are a relatively small number of users who need to access this database. Using the tcp.invited_nodes parameter in sqlnet.ora works excellently for those with static IP addresses, but not for those users who use DHCP. We need to allow access for those users with DHCP.

Is the tcp.invited_nodes parameter the best way to handle this? If so, how would you suggest handling those users with DHCP? Will I have to use CMAN in this situation?

Thanks in advance.
Re: Limiting access by IP address [message #165965 is a reply to message #163197] Mon, 03 April 2006 14:28
Lijie_Tu
Messages: 6
Registered: April 2006
Junior Member
You can create a before logon trigger for this. The IP can be found from v$session.
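Lijie_Tu's hint worked out as an added example (not code from this thread): an AFTER LOGON trigger (Oracle has no BEFORE LOGON event) that checks SYS_CONTEXT('USERENV','IP_ADDRESS') against an allow-list table of exact addresses and octet-aligned prefixes, which also covers a DHCP pool as long as the pool sits in its own subnet. The table, procedure and trigger names and the sample addresses are invented for the example.

```sql
-- Added example (not from this thread): enforce an IP allow-list at logon.
-- Oracle exposes the client address as SYS_CONTEXT('USERENV','IP_ADDRESS'); the
-- event is AFTER LOGON (there is no BEFORE LOGON trigger). Table and trigger
-- names are invented for the example; the two sample prefixes are constructed.
CREATE TABLE ip_allow_list (
  ip_prefix   VARCHAR2(15) NOT NULL,  -- '10.5.2.' = whole 10.5.2.0/24; no trailing dot = exact IP
  description VARCHAR2(100)
);
INSERT INTO ip_allow_list VALUES ('10.5.1.76', 'application host, exact match');
INSERT INTO ip_allow_list VALUES ('10.5.2.',   'department DHCP pool 10.5.2.0/24');
COMMIT;
-- Rejected attempts are recorded here for the security team.
CREATE TABLE ip_logon_denied (
  denied_at DATE, db_user VARCHAR2(30), os_user VARCHAR2(100),
  client_ip VARCHAR2(45), client_host VARCHAR2(100)
);

-- Autonomous transaction: the INSERT survives the RAISE in the trigger below.
CREATE OR REPLACE PROCEDURE log_denied_logon(p_ip VARCHAR2) IS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  INSERT INTO ip_logon_denied VALUES (SYSDATE,
    SYS_CONTEXT('USERENV','SESSION_USER'), SYS_CONTEXT('USERENV','OS_USER'),
    p_ip, SYS_CONTEXT('USERENV','HOST'));
  COMMIT;
END;
/

CREATE OR REPLACE TRIGGER trg_restrict_by_ip
AFTER LOGON ON DATABASE
DECLARE
  v_ip      VARCHAR2(45) := SYS_CONTEXT('USERENV', 'IP_ADDRESS');
  v_matches PLS_INTEGER;
BEGIN
  -- Local (bequeath) sessions carry no IP; let them in so a DBA on the server is never locked out.
  IF v_ip IS NULL THEN
    RETURN;
  END IF;
  SELECT COUNT(*) INTO v_matches
    FROM ip_allow_list
   WHERE v_ip = ip_prefix                                      -- exact address
      OR (ip_prefix LIKE '%.' AND v_ip LIKE ip_prefix || '%'); -- octet-aligned range
  IF v_matches = 0 THEN
    log_denied_logon(v_ip);
    -- Users holding ADMINISTER DATABASE TRIGGER (SYS, DBA role) still connect despite this error.
    RAISE_APPLICATION_ERROR(-20001, 'Logon from ' || v_ip || ' is not permitted');
  END IF;
END;
/
```

Rejected attempts land in ip_logon_denied, which makes the control auditable. Because it runs inside the database after the network connection is already established, it complements rather than replaces listener-level filtering such as tcp.validnode_checking.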
Re: Limiting access by IP address [message #167927 is a reply to message #163197] Mon, 17 April 2006 23:13
markmal
Messages: 113
Registered: April 2006
Location: Toronto, Canada
Senior Member
You can do the opposite:

tcp.validnode_checking = YES
tcp.excluded_nodes = {list of IP addresses}

Also, you can look into CMan, using /nn notation for your DHCP range/subnet addresses:
(RULE=(SRC=206.62.226.32/27)(DST=sales-server)(SRV=*)(ACT=accept))

Or simply use some other firewall.
Re: Limiting access by IP address [message #175979 is a reply to message #167927] Tue, 06 June 2006 04:46
kamal480
Messages: 5
Registered: June 2006
Location: UAE
Junior Member

Yes man, you can, by doing the following:

tcp.validnode_checking = YES

tcp.invited_nodes = {list of IP addresses}
But instead of excluding, include those IPs which belong to your domain, and in this way you will exclude all others.

I hope that I introduced something good.
Re: Limiting access by IP address [message #182373 is a reply to message #163197] Fri, 14 July 2006 08:32
gatsby
Messages: 22
Registered: March 2006
Junior Member
IPSec accomplished what I needed to do.

[Updated on: Fri, 14 July 2006 08:33]
Re: Limiting access by IP address [message #185919 is a reply to message #182373] Fri, 04 August 2006 04:39
angelsliu
Messages: 23
Registered: July 2006
Junior Member
Here there must be 2 lines:

tcp.validnode_checking=yes
tcp.excluded_nodes=<all your IPs>
Re: Limiting access by IP address [message #185941 is a reply to message #163197] Fri, 04 August 2006 07:21
gatsby
Messages: 22
Registered: March 2006
Junior Member
For the record...

The main problem with the valid node checking is that it is unable to work properly with DHCP. Since the very idea of DHCP is to assign IP addresses dynamically (i.e. the IP changes from time to time), it becomes difficult if not impossible to know what a specific computer's IP address is over the course of many months. At least, you can't be sure enough about the IP that you can configure a filter around it.

Using other software, filters like this are usually accomplished with wildcards. See an example below:

If I were to enter the following:

tcp.validnode_checking = YES
tcp.excluded_nodes = 192.2.0.*

This example would allow all IP addresses from the fictional 192.2. address range to connect to the Oracle database. However, when I tried this on my filter, it allowed *all* IP traffic in, regardless of source IP address. Unless I'm overlooking something, in a situation with DHCP, you will have to use CMAN, a third-party firewall, or some other traffic controller.

[Updated on: Fri, 04 August 2006 07:27]
Re: Limiting access by IP address [message #194953 is a reply to message #185941] Tue, 26 September 2006 05:23
SilverChi
Messages: 17
Registered: September 2006
Junior Member
Hi there..

I'm new to Oracle, and for now I'm still using Ora9i. I need to filter which terminals (by IP address) are allowed to access my database. I've read some references about Oracle Connection Manager, but I still don't know whether it is installed or not on my machine, and how to start using it (if it is installed). Is there any clue?

Regards..
Re: Limiting access by IP address [message #194966 is a reply to message #194953] Tue, 26 September 2006 05:59
ebrian
Messages: 2794
Registered: April 2006
Senior Member
It's an optional item during install. You can read more about it here: Connection Manager.
Re: Limiting access by IP address [message #194980 is a reply to message #194966] Tue, 26 September 2006 06:49
SilverChi
Messages: 17
Registered: September 2006
Junior Member
If I didn't include CMAN in my installation, is it possible to add it manually using the Universal Installer? I can't find CMAN in the installed products list.
Re: Limiting access by IP address [message #194982 is a reply to message #194980] Tue, 26 September 2006 07:07
ebrian
Messages: 2794
Registered: April 2006
Senior Member
Yes. Re-launch the OUI and check Connection Manager for install.
Re: Limiting access by IP address [message #195148 is a reply to message #194982] Wed, 27 September 2006 03:52
SilverChi
Messages: 17
Registered: September 2006
Junior Member
I've installed CMAN on my Oracle machine. Then I created a cman.ora file with this configuration:
CMAN=
  (ADDRESS=(PROTOCOL=tcp)(HOST=mysvr05)(PORT=1630))
CMAN_ADMIN=
  (ADDRESS=(PROTOCOL=tcp)(HOST=mysvr05)(PORT=1830))
CMAN_RULES=
  (RULE_LIST=
    (RULE=
      (SRC=mysvr05)
      (DST=mysvr05)
      (SRV=testdb)
      (ACT=accept))
    (RULE=
      (SRC=10.5.1.76)
      (DST=mysvr05)
      (SRV=testdb)
      (ACT=accept)))
CMAN_PROFILE=
  (PARAMETER_LIST=
    (LOG_LEVEL=2)
    (REMOTE_ADMIN=YES)
    (TRACING=on))

But it doesn't work as I assumed. Any terminal within my department is still able to access my database. Is there something I've done wrong?