Hello toasters,
Our Oracle admins are replacing their old FC SAN storage and are considering going with NetApp and NFS. But they are concerned about security.
They are really attracted to flex clone because they would like to instantly replicate a database on a secure, firewalled Oracle server, run a job to sanitize the clone and then serve the sanitized DB from a less secure Oracle server in a DMZ. They are concerned that if the DMZ server were hacked, could it be leveraged to gain unauthorized NFS access, perhaps by hijacking an IP address?
I have suggested that they set up two separate private data Ethernets, one for the secure servers and one for the DMZ servers. Use two different address blocks (subnets) and plug the NetApp into both networks with two different Ethernet ports. That way the NetApp would never send data exported to the secure servers out the interface for the DMZ servers.
Am I on the right track here? Is this "secure enough"? Is there an easier way? We don't have any Kerberos infrastructure and we can't sacrifice performance, so I think NFSv4 is out.
Steve Losen scl@virginia.edu phone: 434-924-0640
University of Virginia ITC Unix Support
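The two-subnet layout proposed above only holds if the export rules keep every volume except the sanitized clone away from the DMZ range, and that can be checked mechanically. The following is an added example, not part of the original thread: the subnets, volume names and the export syntax (modelled on Data ONTAP 7-mode /etc/exports, including the bare-`rw` and default-access behaviour) are assumptions.

```python
import ipaddress

# Constructed sample, written in 7-mode /etc/exports style (assumed syntax).
SAMPLE_EXPORTS = """\
/vol/oraprod   -sec=sys,rw=10.10.1.0/24,root=10.10.1.0/24
/vol/oraclean  -sec=sys,rw=10.10.2.0/24
/vol/oralogs   -sec=sys,rw=10.10.1.0/24:10.10.2.15
/vol/scratch   -sec=sys,rw
"""
DMZ_NET = ipaddress.ip_network("10.10.2.0/24")   # hypothetical DMZ data subnet
DMZ_ALLOWED = {"/vol/oraclean"}                  # hypothetical sanitized clone

def parse_exports(text):
    """Yield (path, {option: [client specs]}) for each export line."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split(None, 1)
        if not fields:
            continue
        opts = fields[1].lstrip("-") if len(fields) > 1 else ""
        access = {}
        for opt in opts.split(","):
            key, sep, val = opt.strip().partition("=")
            if key in ("rw", "ro") and not sep:
                access[key] = ["0.0.0.0/0"]      # bare rw/ro: every host
            elif key in ("rw", "ro", "root") and val:
                access[key] = val.split(":")
        if "rw" not in access and "ro" not in access:
            access["rw"] = ["0.0.0.0/0"]         # assumed default: rw to all
        yield fields[0], access

def dmz_exposure(text, dmz=DMZ_NET, allowed=DMZ_ALLOWED):
    """Return (path, option, client, reason) for exports the DMZ can reach."""
    findings = []
    for path, access in parse_exports(text):
        if path in allowed:
            continue
        for key, clients in access.items():
            for client in clients:
                try:
                    net = ipaddress.ip_network(client, strict=False)
                except ValueError:
                    findings.append((path, key, client, "hostname, check by hand"))
                    continue
                if net.overlaps(dmz):
                    findings.append((path, key, client, "overlaps DMZ subnet"))
    return findings

if __name__ == "__main__":
    for finding in dmz_exposure(SAMPLE_EXPORTS):
        print(*finding, sep="\t")
```

In the constructed sample, the single DMZ host added to `/vol/oralogs` and the unrestricted `rw` on `/vol/scratch` are both reported, while the production volume limited to the secure subnet is not.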
You can use lun clone with FC LUNs on a NetApp - that way you don't have to purchase the flex clone license.
We don't allow IP connectivity to the NetApp from the DMZ.
Hi Steve,
I noticed your comment on NFSv4 and thought you might like an update regarding performance with Oracle databases. I've just completed some NFSv4 performance testing with Oracle 11g on Red Hat Enterprise Linux 5.2, and found performance, in general, to be about the same as with NFSv3.
Regards,
John Elliott - OCP-DBA Database Performance Engineer Reference Architectures, NetApp John.Elliott@netapp.com www.netapp.com
-----Original Message----- From: Stephen C. Losen [mailto:scl@sasha.acc.virginia.edu] Sent: Friday, March 27, 2009 10:05 AM To: toasters@mathworks.com Subject: Security best practice question