SSL and Firewalls - Oracle Database B10772-01 Administrator's Manual

SSL and Firewalls

Oracle Advanced Security supports two types of firewalls:

- Application proxy-based firewalls, such as Network Associates Gauntlet or Axent Raptor.
- Stateful packet inspection firewalls, such as Check Point Firewall-1 or Cisco PIX Firewall.

When you enable SSL, stateful inspection firewalls behave like application proxy firewalls because they do not decrypt encrypted packets.

Firewalls do not inspect encrypted traffic. When a firewall encounters data addressed to an SSL port on an intranet server, it checks the target IP address against its access rules and lets the SSL packet pass through to permitted SSL ports, rejecting all others.

With the Oracle Net Firewall Proxy kit, a product offered by some firewall vendors, firewall applications can provide specific support for database network traffic. If the proxy kit is implemented in the firewall, the following processing takes place:

- The Net Proxy (a component of the Oracle Net Firewall Proxy kit) determines where to route its traffic.
- The database listener requires access to a certificate in order to participate in the SSL handshake. The listener inspects the SSL packet and identifies the target database, returning to the client the port on which the target database listens. This port must be designated as an SSL port.
- The client communicates on this server-designated port in all subsequent connections.
- The number of ports that are open in the firewall increases as a function of the number of database connections requested for different databases. This approach prohibits the database server from using randomly chosen SSL ports, because the SSL ports on the firewall must match those chosen by the database. You can avoid this condition by deploying Oracle Connection Manager, an application included with Oracle Database Enterprise Edition.

Oracle Connection Manager lets you route client connections over multiple Oracle Net protocols. Each client connection request establishes an SSL connection between the client and Oracle Connection Manager, which in turn establishes a TCP/IP connection with the target database. Multiple clients can thus connect to multiple databases behind the firewall, using a single SSL port through the firewall.

7-12 Oracle Database Advanced Security Administrator's Guide
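The following Python model, added here as an illustration and not Oracle's or any firewall vendor's code, shows the point the two deployments make: a firewall in front of SSL can match only target host and port, so the set of ports it must open grows with the number of databases unless every client reaches one Connection Manager port. The connect descriptors, hostnames and port numbers are constructed for the example (2484 is only the conventional TCPS port).

```python
import re

# Constructed sample connect descriptors; hosts and ports are assumptions, not a real site.
# Direct deployment: each database listens on its own SSL (TCPS) port behind the firewall.
DIRECT = {
    "hr":    "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=db1.corp.example)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=hr)))",
    "sales": "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=db2.corp.example)(PORT=2485))(CONNECT_DATA=(SERVICE_NAME=sales)))",
    "ops":   "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=db2.corp.example)(PORT=2486))(CONNECT_DATA=(SERVICE_NAME=ops)))",
}
# Connection Manager deployment: every client speaks SSL to one CMAN port; CMAN reaches
# the databases over plain TCP/IP on the protected side of the firewall.
VIA_CMAN = {
    svc: "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=cman.corp.example)(PORT=2484))"
         "(CONNECT_DATA=(SERVICE_NAME=%s)))" % svc
    for svc in DIRECT
}

ADDR_RE = re.compile(r"\(PROTOCOL=(\w+)\)\s*\(HOST=([\w.-]+)\)\s*\(PORT=(\d+)\)")

def parse_address(descriptor):
    """Return (protocol, host, port) from the ADDRESS clause of an Oracle Net descriptor."""
    m = ADDR_RE.search(descriptor)
    if not m:
        raise ValueError("descriptor has no (PROTOCOL)(HOST)(PORT) address")
    return m.group(1).upper(), m.group(2), int(m.group(3))

def ssl_endpoints(descriptors):
    """Distinct (host, port) pairs the firewall must open for the SSL (TCPS) descriptors."""
    return {(h, p) for proto, h, p in map(parse_address, descriptors.values()) if proto == "TCPS"}

class SslFirewall:
    """Stateful-inspection firewall facing SSL: the payload is ciphertext, so it can only
    match the target host and port against its access rules."""
    def __init__(self, permitted):
        self.permitted = set(permitted)

    def allows(self, host, port):
        return (host, port) in self.permitted

def connect(fw, host, port, redirect_port=None):
    """Simulate one client connection. With the Net Proxy approach the listener may redirect
    the client to the database's own SSL port, which must also be permitted by the firewall."""
    if not fw.allows(host, port):
        return "rejected at firewall"
    if redirect_port is not None and not fw.allows(host, redirect_port):
        return "handshake passed, redirect to port %d rejected" % redirect_port
    return "connected"
```

Comparing `ssl_endpoints(DIRECT)` with `ssl_endpoints(VIA_CMAN)` shows three firewall openings shrinking to one, and the redirect case in `connect` shows why a database cannot pick an SSL port the firewall rules do not already list.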