SQL*Net
SQL*Net, which is used to query SQL databases, is another firewall-unfriendly
protocol. There are three versions of SQL*Net: SQL*Net v1 (an old version used
in Oracle 7), SQL*Net v2, and Net8/Net9 (newer versions of Oracle, such as 8i).
Versions 1 and 2 are incompatible, whereas Net8/Net9 is just a small improvement
on version 2. All these protocols have common behavior: when a client
wants to connect to an Oracle server, it first establishes a connection to the
dedicated Oracle port (port 1525 by default in SQL*Net version 1, port 1521 in
versions 2 and later) and is then redirected by this server to another instance of
Oracle running on this machine or even another server. The client now has to
establish a connection to the IP address and port it was told. In SQL*Net v2 and
later, even after that the client can be redirected again.
www.syngress.com
158 Chapter 4 • Advanced PIX Configurations
The only case in which all communications happen on a single port
without any redirection is when Oracle runs in Dedicated Server mode. This
might need some extra configuration to function; refer to the Oracle documentation
if you are interested in this feature.
The problem with firewalls arises when the server is on a more secure interface
than the client. Generally, the client will not be able to establish inbound
connections to arbitrary ports and IP addresses. In order to process this correctly,
the PIX needs to monitor the information exchange between the server and the
client to notice which address/port number is negotiated and open a temporary
conduit for inbound connections. The command for enabling application
inspection of the SQL*Net protocol is:
[no] fixup protocol sqlnet [
The default port is 1521. In the case of SQL*Net v1, the PIX scans all messages
from the server to the client, checks the address and port negotiation, performs
NAT on the embedded address if necessary, and forwards the resulting packets to
the client. The inbound connections from the client are also de-NATted correctly
and permitted by a temporary conduit.
SQL*Net version 2 communications are much more complicated than version
1, so the inspection process is also more complex. Messages used in this protocol
can be of the following types: Data, Redirect, Connect, Accept, Refuse,
Resend, and Marker. When the PIX firewall notices a Redirect packet with zero
data length, it sets an internal flag for this connection to expect the relevant
address/port information. This information should arrive in the next message,
which must be only of Data or Redirect type. The relevant part of the message
looks like the following:
(ADDRESS=(PROTOCOL=tcp)(DEV=6)(HOST=a.b.c.d)(PORT=p))
The PIX then needs to NAT this a.b.c.d:p pair inside the message and permit
inbound connections on the corresponding IP address/port pair. If anything
other than a Redirect or Data packet arrives after the initial empty Redirect packet,
the internal flag is reset.
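The following is an added example, not code from the book or from Cisco's PIX software, that models the SQL*Net v2 inspection state machine described above: an empty Redirect arms a per-connection flag, the next Data or Redirect message is searched for the (HOST=a.b.c.d)(PORT=p) descriptor, the embedded address is rewritten through a NAT table, a temporary conduit is recorded so the client's inbound connection can be permitted and de-NATted, and any other message type clears the flag. The numeric message-type codes, the NAT mapping and the sample message are all constructed for the example; real PIX internals are not reproduced.

```python
import re
from dataclasses import dataclass, field

# Message types named in the text; these numeric codes are constructed for the
# example and are not the real SQL*Net wire values.
DATA, REDIRECT, CONNECT, ACCEPT, REFUSE, RESEND, MARKER = range(7)

# Matches the address/port part of a redirect descriptor, e.g. (HOST=10.1.1.5)(PORT=1530)
ADDRESS_RE = re.compile(r"\(HOST=([0-9.]+)\)\(PORT=(\d+)\)")


@dataclass
class SqlnetV2Inspector:
    """Per-connection inspection state, modelled on the fixup behaviour in the text."""
    nat_map: dict                      # real (inside) server IP -> translated IP seen by the client
    expect_redirect_addr: bool = False # the "internal flag" set by an empty Redirect
    conduits: dict = field(default_factory=dict)  # (xlated_ip, port) -> real_ip

    def inspect_server_to_client(self, msg_type: int, payload: bytes) -> bytes:
        """Inspect one server->client message; return the (possibly NATted) payload."""
        # Step 1: a Redirect with zero data length arms the flag.
        if msg_type == REDIRECT and len(payload) == 0:
            self.expect_redirect_addr = True
            return payload

        if not self.expect_redirect_addr:
            return payload  # nothing pending; pass through untouched

        # Step 2: only Data or Redirect may carry the address; anything else resets the flag.
        if msg_type not in (DATA, REDIRECT):
            self.expect_redirect_addr = False
            return payload

        text = payload.decode("ascii", errors="replace")
        m = ADDRESS_RE.search(text)
        if m is None:
            return payload  # descriptor not in this message; keep waiting

        real_ip, port = m.group(1), int(m.group(2))
        xlated_ip = self.nat_map.get(real_ip, real_ip)

        # Step 3: open a temporary conduit for the client's inbound connection and
        # rewrite the address inside the message so the client sees the NATted pair.
        self.conduits[(xlated_ip, port)] = real_ip
        self.expect_redirect_addr = False
        rewritten = ADDRESS_RE.sub(f"(HOST={xlated_ip})(PORT={port})", text, count=1)
        return rewritten.encode("ascii")

    def translate_inbound(self, dst_ip: str, dst_port: int):
        """De-NAT a client connection: return the real server IP if a conduit exists, else None."""
        return self.conduits.get((dst_ip, dst_port))


def run_sample_exchange():
    """Constructed exchange: empty Redirect, then a Data message carrying the new address."""
    insp = SqlnetV2Inspector(nat_map={"10.1.1.5": "192.0.2.5"})
    insp.inspect_server_to_client(REDIRECT, b"")
    out = insp.inspect_server_to_client(
        DATA, b"(ADDRESS=(PROTOCOL=tcp)(DEV=6)(HOST=10.1.1.5)(PORT=1530))"
    )
    return out, insp.translate_inbound("192.0.2.5", 1530), insp.translate_inbound("192.0.2.5", 1521)


if __name__ == "__main__":
    rewritten, allowed, blocked = run_sample_exchange()
    print(rewritten.decode())
    print("conduit for 192.0.2.5:1530 ->", allowed)
    print("conduit for 192.0.2.5:1521 ->", blocked)
```

The conduit is keyed on the translated address because that is what the client will actually connect to; the lookup then yields the inside address, which is the de-NAT step the text describes for the client's inbound connection.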