From: Frank van Bortel on
On 06/29/2010 10:42 PM, Mladen Gogala wrote:
> On Tue, 29 Jun 2010 21:18:16 +0200, Frank van Bortel wrote:
>
>> On 06/29/2010 08:39 PM, ddf wrote:
>>> On Jun 29, 2:01 pm, Chuck<chuckh1958_nos...(a)gmail.com> wrote:
>>>> When using this parameter in sqlnet.ora, and specifying host names,
>>>> are there any checks performed to see if a hostname has been spoofed?
>>>> Perhaps comparing the client's IP with a DNS lookup of the host name?
>>>
>>> No. The list is used 'as-is' without any verification via DNS lookup.
>>>
>>>
>>> David Fitzjarrell
>>
>> Not quite, David.
>>
>> I cannot recall what exactly was the matter, but I have had one instance
>> where the listener would not start because one of the clients mentioned
>> no longer existed.
>> Not sure if it was a DNS lookup to find the IP-address, or the reverse
>> (and the IP-address (DHCP!) was no longer available).
>>
>> Quite horrible if that's a production system, because you will have to
>> go through each and every name (in case of DHCP clients) or IP-address
>> (servers)
>
> Based on my experience, it's far easier to block the undesired clients by
> using the firewall rules than by using validnode checking. This feature
> is useless.
>

Not if you're internal - no firewall between client and server,
not in that direction anyway

--

Regards,

Frank van Bortel
From: Steve Howard on
On Jul 3, 9:43 am, Frank van Bortel <fbor...(a)home.nl> wrote:
> On 06/29/2010 10:42 PM, Mladen Gogala wrote:
>
>
>
> > On Tue, 29 Jun 2010 21:18:16 +0200, Frank van Bortel wrote:
>
> >> On 06/29/2010 08:39 PM, ddf wrote:
> >>> On Jun 29, 2:01 pm, Chuck<chuckh1958_nos...(a)gmail.com>   wrote:
> >>>> When using this parameter in sqlnet.ora, and specifying host names,
> >>>> are there any checks performed to see if a hostname has been spoofed?
> >>>> Perhaps comparing the client's IP with a DNS lookup of the host name?
>
> >>> No.  The list is used 'as-is' without any verification via DNS lookup.
>
> >>> David Fitzjarrell
>
> >> Not quite, David.
>
> >> I cannot recall what exactly was the matter, but I have had one instance
> >> where the listener would not start because one of the clients mentioned
> >> no longer existed.
> >> Not sure if it was a DNS lookup to find the IP-address, or the reverse
> >> (and the IP-address (DHCP!) was no longer available).
>
> >> Quite horrible if that's a production system, because you will have to
> >> go through each and every name (in case of DHCP clients) or IP-address
> >> (servers)
>
> > Based on my experience, it's far easier to block the undesired clients by
> > using the firewall rules than by using validnode checking. This feature
> > is useless.
>
> Not if you're internal - no firewall between client and server,
> not in that direction anyway
>
> --
>
> Regards,
>
> Frank van Bortel

It depends. We have internal firewalls configured for internal users,
allowing only production application server access (which is
presumably hardened) as well as DBAs with custom firewall rules.
Internal users are often the most dangerous :)
From: Mladen Gogala on
On Sat, 03 Jul 2010 15:43:05 +0200, Frank van Bortel wrote:


> Not if you're internal - no firewall between client and server, not in
> that direction anyway

Each Linux server comes equipped with internal firewall. If you configure
it properly, nobody will be able to tell the difference.



--
http://mgogala.byethost5.com
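Two practical points come out of the thread so far: a stale host name in the valid-node list can keep the listener from starting (Frank's post), and the same allowlist can be enforced by the host firewall instead (Mladen's post). The script below is an added example, not Oracle code and not anything posted in the thread. It parses a constructed sqlnet.ora fragment, classifies each TCP.INVITED_NODES / TCP.EXCLUDED_NODES entry as an address, a network or a host name, resolves the host names through a pluggable resolver (a constructed lookup table here, so the example runs offline; socket.gethostbyname by default), reports any name that does not resolve before you restart the listener, and renders the resolved list as iptables rules. The chain name, the port 1521 and the rule ordering are my choices for the example; how the listener itself resolves or re-checks names is not asserted.

```python
"""Pre-flight check for an Oracle sqlnet.ora valid-node list (added example).

Assumptions, not facts from the thread or from Oracle documentation:
  - an entry that fails to resolve is reported as a problem, mirroring the
    listener-will-not-start failure described in the thread;
  - the iptables output restricts TCP/1521 to the resolved addresses; the
    chain name, port and rule order are placeholders chosen for the example.
"""
import ipaddress
import re
import socket

# Constructed sqlnet.ora fragment; names and addresses are illustrative only.
SAMPLE_SQLNET_ORA = """
TCP.VALIDNODE_CHECKING = YES
TCP.INVITED_NODES = (appsrv01.example.test, 192.0.2.10,
                     dba-laptop.example.test, 198.51.100.0/24)
TCP.EXCLUDED_NODES = (192.0.2.99)
"""

# Constructed resolver table standing in for DNS so the example runs offline.
# dba-laptop.example.test is deliberately missing: a DHCP client that went away.
FAKE_DNS = {
    "appsrv01.example.test": "192.0.2.20",
}

_PARAM_RE = re.compile(r"^\s*(TCP\.[A-Z_]+)\s*=\s*(.*)$", re.I)


def parse_sqlnet(text):
    """Return {PARAM: [entries]} for the TCP.* parameters, joining
    parenthesised lists that continue over several lines."""
    params, current = {}, None
    for line in text.splitlines():
        m = _PARAM_RE.match(line)
        if m:
            current = m.group(1).upper()
            params[current] = m.group(2)
        elif current and line.strip():
            params[current] += " " + line.strip()
    out = {}
    for key, raw in params.items():
        raw = raw.strip().strip("()")
        out[key] = [e.strip() for e in raw.split(",") if e.strip()]
    return out


def classify(entry):
    """'ip' for an address literal, 'net' for CIDR, otherwise 'host'."""
    try:
        ipaddress.ip_address(entry)
        return "ip"
    except ValueError:
        pass
    try:
        ipaddress.ip_network(entry, strict=False)
        return "net"
    except ValueError:
        return "host"


def resolve_entries(entries, resolver=None):
    """Map each entry to the address it stands for.
    Returns (resolved: {entry: address}, unresolved: [host names])."""
    resolver = resolver or socket.gethostbyname
    resolved, unresolved = {}, []
    for e in entries:
        if classify(e) in ("ip", "net"):
            resolved[e] = e
            continue
        try:
            resolved[e] = resolver(e)
        except (OSError, KeyError):  # gaierror is an OSError; KeyError for the table
            unresolved.append(e)
    return resolved, unresolved


def preflight(text, resolver=None):
    """Check a sqlnet.ora fragment before (re)starting the listener."""
    params = parse_sqlnet(text)
    enabled = params.get("TCP.VALIDNODE_CHECKING", ["NO"])[0].upper() == "YES"
    inv_ok, inv_bad = resolve_entries(params.get("TCP.INVITED_NODES", []), resolver)
    exc_ok, exc_bad = resolve_entries(params.get("TCP.EXCLUDED_NODES", []), resolver)
    return {"enabled": enabled, "invited": inv_ok, "excluded": exc_ok,
            "unresolved": inv_bad + exc_bad}


def iptables_rules(result, port=1521, chain="ORA_LISTENER"):
    """Render the resolved lists as host-firewall rules (placeholder chain/port).
    Excluded sources are dropped first, invited ones accepted, the rest dropped."""
    rules = [f"iptables -N {chain}"]
    for src in result["excluded"].values():
        rules.append(f"iptables -A {chain} -s {src} -p tcp --dport {port} -j DROP")
    for src in result["invited"].values():
        rules.append(f"iptables -A {chain} -s {src} -p tcp --dport {port} -j ACCEPT")
    rules.append(f"iptables -A {chain} -p tcp --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    res = preflight(SAMPLE_SQLNET_ORA, resolver=FAKE_DNS.__getitem__)
    if res["unresolved"]:
        print("WARNING: entries that do not resolve:", res["unresolved"])
    for r in iptables_rules(res):
        print(r)
```

Run against a real sqlnet.ora with the default resolver before bouncing the listener; any name it lists under "unresolved" is one to fix or remove first. The generated rules are a starting point for the host firewall, not a drop-in policy.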
From: Frank van Bortel on
On 07/03/2010 11:18 PM, Mladen Gogala wrote:
> On Sat, 03 Jul 2010 15:43:05 +0200, Frank van Bortel wrote:
>
>
>> Not if you're internal - no firewall between client and server, not in
>> that direction anyway
>
> Each Linux server comes equipped with internal firewall. If you configure
> it properly, nobody will be able to tell the difference.
>
>

Ah Linux, yes. Seems difficult, or too new.
In the meantime, will have to do with HP-UX...

Firewalling is done by the Network dept. HP-UX
is done by the UX dept (backups are part of
that, as it's an HP tape robot...), and Oracle
is done by yet another dept.

--

Regards,

Frank van Bortel