SQL*Net Inspection
Oracle is one of the most widely deployed database systems. Like most popular
network applications, Oracle relies on specific ports for communication between clients and
servers, specifically 1521, 1810, 2481, and 7778. Oracle's use of port 1521 for SQL*Net
services is well known and a natural target for attackers probing the listener for
known flaws. A SQL*Net session needs only one channel between client and server, but
that channel can move. The client first connects to port 1521 on the server from an
ephemeral port (above 1023) on its own side. Once that connection is established, the
SQL*Net listener can answer with a redirect that tells the client to reconnect to a new port
on the server, normally an unused port above 1023. Once the client has connected to the new
port, the original connection on 1521 is torn down. Whether a redirect actually occurs depends
on the platform and listener configuration (dedicated-server connections on many Unix
platforms are handed off without one), but the point for the firewall is that the second port
cannot be known in advance. The Security Appliance must therefore track the redirect and open
the new port only for the client and server of the original session, so that a redirect to
a port an attacker chooses cannot be used to hijack the connection.
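The redirect described above travels in a TNS REDIRECT packet (type 5), which is what a stateful inspector has to parse to learn the new port. The following is an added example, not code from the original page or from any Cisco product: it builds a constructed REDIRECT packet, extracts the HOST and PORT from its ADDRESS descriptor, and applies a hypothetical acceptance policy (the redirect must point back at the same server that owns the listener connection, on a port above 1023). The sample address 10.1.1.5:49160 and the policy itself are assumptions for illustration, not the appliance's actual algorithm.

```python
import re
import struct
from typing import Optional, Tuple

# TNS packet header (8 bytes, big-endian): length, checksum, type, reserved, header checksum
TNS_HEADER = struct.Struct(">HHBBH")
TNS_REDIRECT = 5  # packet type sent by the listener to move the client to a new port


def build_redirect(address: str) -> bytes:
    """Constructed sample only: wrap an ADDRESS descriptor in a TNS REDIRECT packet."""
    data = address.encode("ascii")
    body = struct.pack(">H", len(data)) + data          # redirect data length + data
    length = TNS_HEADER.size + len(body)
    return TNS_HEADER.pack(length, 0, TNS_REDIRECT, 0, 0) + body


def parse_redirect(packet: bytes) -> Optional[Tuple[str, int]]:
    """Return (host, port) carried by a TNS REDIRECT packet, or None if it is not one
    or is malformed (wrong type, length field disagreeing with the bytes, truncated data)."""
    if len(packet) < TNS_HEADER.size:
        return None
    length, _, ptype, _, _ = TNS_HEADER.unpack_from(packet)
    if ptype != TNS_REDIRECT or length != len(packet):
        return None
    (dlen,) = struct.unpack_from(">H", packet, TNS_HEADER.size)
    data = packet[TNS_HEADER.size + 2 : TNS_HEADER.size + 2 + dlen]
    if len(data) != dlen:
        return None
    text = data.decode("ascii", errors="replace")
    host = re.search(r"\(HOST=([^()]+)\)", text)
    port = re.search(r"\(PORT=(\d+)\)", text)
    if not host or not port:
        return None
    return host.group(1), int(port.group(1))


def redirect_is_acceptable(packet: bytes, listener_ip: str) -> bool:
    """Hypothetical inspector policy (an assumption, not Cisco's implementation):
    only open a pinhole if the redirect stays on the server that owns the 1521
    connection and names a port above 1023, as the text describes."""
    parsed = parse_redirect(packet)
    if parsed is None:
        return False
    host, port = parsed
    return host == listener_ip and 1023 < port <= 65535


if __name__ == "__main__":
    # Constructed sample: the listener at 10.1.1.5 moves the client to port 49160.
    pkt = build_redirect("(ADDRESS=(PROTOCOL=tcp)(HOST=10.1.1.5)(PORT=49160))")
    print(parse_redirect(pkt))                       # ('10.1.1.5', 49160)
    print(redirect_is_acceptable(pkt, "10.1.1.5"))   # True
    print(redirect_is_acceptable(pkt, "10.1.1.6"))   # False: redirect leaves the server
```

A pinhole opened from this parse should be scoped to the original client address, the server address, and the extracted port, and should be removed when the 1521 connection is torn down; opening the port for "any" source would defeat the purpose of the inspection.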
To manage SQL*Net traffic, enable the inspect sqlnet command for a traffic class in a policy
map (by default the inspection_default class, which matches TCP port 1521). The inspect sqlnet
command watches TCP traffic on the listener port for the SQL*Net redirect and then opens a
dynamic pinhole, a temporary access control list (ACL) entry, for the redirected channel between
that client and that server. For outbound connections this matters only when an ACL restricts
traffic that the Security Appliance would otherwise implicitly permit from a higher- to a
lower-security interface. For inbound connections, where an ACL must already permit the client
to reach the SQL*Net server on the listener port, the inspection opens the inbound pinhole for
the redirected channel as well. Without this inspection the redirected connection is dropped as
an unknown inbound TCP session, and the only alternative is a permanent ACL that allows every
high port on the server.
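The configuration below is an added example of the policy just described; it is not taken from the original page or from Cisco documentation. It assumes an Oracle server at 192.0.2.10 behind the outside interface, a second listener on the non-standard port 1526 (both are illustrative assumptions), and the default global_policy that ships with the Security Appliance. Note that the inbound ACL permits only the listener ports; the redirected high port is opened by the inspection engine rather than by a standing rule.

```cisco
! Inbound ACL: permit only the listener ports. No "gt 1023" rule is needed,
! because inspect sqlnet opens the redirected channel dynamically.
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 1521
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 1526
access-group OUTSIDE_IN in interface outside

! A class for the non-standard listener port (1521 is already covered by
! the default-inspection-traffic match in inspection_default).
access-list SQLNET_EXTRA extended permit tcp any any eq 1526
class-map SQLNET_EXTRA
 match access-list SQLNET_EXTRA

policy-map global_policy
 class inspection_default
  inspect sqlnet
 class SQLNET_EXTRA
  inspect sqlnet

service-policy global_policy global
```

To confirm the inspection is active and that redirected sessions are being tracked, use show service-policy inspect sqlnet for counters and show conn port 1521 to see the listener connections and the redirected connections the engine has admitted.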