I have an Oracle 11gR2 DB at my work. Last week the security team informed us that we need to encrypt all the traffic from database users to our databases. The first thing I checked was Oracle's solution, Oracle Advanced Security, but after checking the license it would cost the company a huge amount of money. So management decided to check other solutions.
My second idea was to create an SSH tunnel from the clients to the DB server. But in this case I have no idea how to restrict users' access to the DB to the encrypted tunnel only. Can you suggest how to restrict access to the DB server to the tunnel only? Or maybe you have another solution to my problem.
Thank you in advance for your reply.
2 Answers
Check the licensing again; these options became free about 2 years ago.
http://docs.oracle.com/cd/E11882_01/license.112/e47877/options.htm#DBLIC143
Network encryption (native network encryption and SSL/TLS) and strong authentication services (Kerberos, PKI, and RADIUS) are no longer part of Oracle Advanced Security and are available in all licensed editions of all supported releases of the Oracle database.
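A server-side sqlnet.ora that enforces the native network encryption the quoted license note refers to, added here as an illustration and not taken from the question or either answer. The algorithm lists are a chosen example and the $ORACLE_HOME path is assumed; REQUIRED on the server is what turns "encrypted connections only" into a rule the database itself enforces, without a tunnel:

```ini
# $ORACLE_HOME/network/admin/sqlnet.ora on the database server (path assumed)
# Added example: Oracle native network encryption, no SSH or TLS tunnel.

# Weak setting: ACCEPTED only encrypts when the client asks for it, so a
# client with no encryption settings still talks in clear text.
#SQLNET.ENCRYPTION_SERVER = ACCEPTED

# Enforcing setting: REQUIRED refuses any client that cannot negotiate
# encryption, which is the "only over an encrypted channel" restriction
# the question asks for.
SQLNET.ENCRYPTION_SERVER = REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256, AES192, AES128)

# Integrity: also require a per-packet checksum so traffic cannot be
# altered in transit. SHA1 is the strongest checksum 11gR2 offers.
SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA1)

# Client side (each client's own sqlnet.ora). REQUESTED would already be
# negotiated up to encryption by the server, but REQUIRED on the client
# also protects against a server that was left at ACCEPTED.
#SQLNET.ENCRYPTION_CLIENT = REQUIRED
#SQLNET.ENCRYPTION_TYPES_CLIENT = (AES256, AES192, AES128)
#SQLNET.CRYPTO_CHECKSUM_CLIENT = REQUIRED
#SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT = (SHA1)
```

On a new connection, `SELECT network_service_banner FROM v$session_connect_info WHERE sid = SYS_CONTEXT('USERENV','SID');` lists the encryption and checksum services negotiated for the current session, and a client configured to reject encryption is turned away with ORA-12660.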
I tried both an OpenSSL tunnel and an SSH tunnel. Neither of them worked acceptably. It simply does not scale well, at least with the Oracle protocol. There are reasons why TCP should not be wrapped in TCP; you can find various articles on the internet about it.
Another, related, problem is that Oracle uses OOB (out-of-band data) in its protocol. These data use a special TCP header field, and stunnel, for example, cannot deal with that. These packets are either dropped or merged into the usual TCP stream.
If you really insist on going this way, check the DISABLE_OOB option in tnsnames.ora.
Either use another packet-level encryption (IPsec, TAP), or stick to physical security, or check Advanced Security usability with Oracle support.