HPE Community
Operating System - HP-UX
1753876 Members
7306 Online
108809 Solutions
New Discussion юеВ

Re: Restricting a application to connect from development server to production server

 
kpatel786
Frequent Advisor

тАО01-29-2009 05:53 AM

тАО01-29-2009 05:53 AM

Restricting a application to connect from development server to production server

Hi,

Last week we had a very critical issue.
We have two HP-UX boxes. One production and other dev server.
We had did restore of production database onto the development database.
It was found that the entries passed on development server was updating the onces on the production database.
After the this the application has been brought down on developmen server. Still we haven't figured out how that happened.

My query is:
1) Is there a way i can restrict the development application user from connecting onto production server ( I cannot block the entire network )
2) Is there any oracle configuration change that could prevent the production database from accepting connections that originate on dev server?
3) Is there anything else that we should be checking, that might provide a better way of detecting these sessions? Maybe a listener log file or something?
4) Could Tcpwrapper be helpful. I know it can block entire network. But I want to block certain application users.

Your updates on this would highly be helpful in resolving any such issue in future.
0 Kudos
6 REPLIES 6
Autocross.US
Trusted Contributor

тАО01-29-2009 06:19 AM

тАО01-29-2009 06:19 AM

Re: Restricting a application to connect from development server to production server

You could configure IPFilter on production to block all incoming traffic from the dev server.

More info:
http://docs.hp.com/en/B9901-90009/index.html
I drive way too fast to worry about calories.
0 Kudos
Mel Burslan
Honored Contributor

тАО01-29-2009 06:26 AM

тАО01-29-2009 06:26 AM

Re: Restricting a application to connect from development server to production server

if you want to disable only some users from accessing the production system from the development while letting some others connect, the simplest solution is not to allow and rlogin, rsh, remsh and rexec commands to run on the production server. And if you look at your audit requirements and common sense security practices, you should not be running them at all anyway.

Also, you can manually lock-out these users using

passwd -l

command on the production side, so that they can not log in coming from any place. You only unlock them in an authorized window of, say code release time and then lock them out again.

If you are getting unexpected and unwanted updates from development to production, inadvertently, I think your application architecture needs a bit of attention and do-over. This should not happen under no circumstances in any formal IT organization.
________________________________
UNIX because I majored in cryptology...
0 Kudos
OldSchool
Honored Contributor

тАО01-29-2009 11:08 AM

тАО01-29-2009 11:08 AM

Re: Restricting a application to connect from development server to production server

"It was found that the entries passed on development server was updating the onces on the production database."

you seem to be saying that the application got pointed to the production database instead of the development DB, correct? (as opposed to dev users connecting directly to production).

it might be helpful if you stated *WHICH* database, as the connection methods vary.
for example ingres uses vnode::db to specify machine and database.
0 Kudos
Bill Hassell
Honored Contributor

тАО01-29-2009 12:44 PM

тАО01-29-2009 12:44 PM

Re: Restricting a application to connect from development server to production server

This is far more common then you might expect. Oracle, Sybase, etc, all are network databases and thus the instance name is available across the *entire* network. In other words, you have a duplcate database on the network -- Oracle is working as it was designed, but certainly not what is desired.

DO NOT shutdown the database on the development machine UNTIL you unplug the development system's network cable. If you don't do this, then you risk having production as well as development databases shutdown (probably a very bad thing -- I know first hand with Sybase).

Then leave the network unplugged. Now sit down with your DBA and network administrators to discuss how best to maintain a test/development database. Here are some ideas:

1. Have your network team block all the database ports between the systems. This requires exact knowledge of all the ports that will be used. Or TCPwrappers may also be used but with the same requirement (port IDs),

2. Create a new subnet for your development system. The subnet has *NO* router to the production network. You get to the development system using an intermediate system that lives on both systems but does not allow routing. Inconvenient, but far less painful than explaining why production has been trashed again.

3. Have your DBA rename the development database instance and make sure that *all* hostnames and IP addresses in the development database have been converted from prod to dev. I am sure that the Oracle support site has some good docs on this along with how to properly duplicate a database.

This is not a simple problem but it has to be solved or production will get corrupted or shutdown.


Bill Hassell, sysadmin
0 Kudos
kpatel786
Frequent Advisor

тАО02-20-2009 01:48 AM

тАО02-20-2009 01:48 AM

Re: Restricting a application to connect from development server to production server

Thanks all for your reply.
0 Kudos
kpatel786
Frequent Advisor

тАО02-20-2009 01:48 AM

тАО02-20-2009 01:48 AM

Re: Restricting a application to connect from development server to production server

Thanks.
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.