Ask The Oracle Expert: Questions & Answers

Steps for making OID Internet accessible

EXPERT RESPONSE FROM: Dan Norris

QUESTION POSED ON: 15 April 2004
What steps should I take before placing OID on the Internet?

There are at least three main components to consider when making a new service accessible to the Internet. First, the system and network architecture planned for the deployment of the solution. That architecture will likely include some sort of firewall device or screening router and at least one system to run OID. I would encourage you to consider building an isolated network for your Internet-accessible devices. If possible, that network should be configured like the roach motel--data goes in, but nothing comes out. By that I mean, the only data allowed out of that network is responses to specific requests. The main reason for this is so that if someone were to compromise an entire system (and has the ability to run commands on that system), they would not be able to penetrate your internal network, but could only reach other systems in the isolated (or DMZ) network.

After network architecture and security, I'd consider host security. If you're placing your host on an internet-accessible network, you should do your best to "harden" the operating system by disabling unnecessary services, enforcing good password policies (for length, complexity, and aging), and installing any updates or patches offered by your operating system vendor. There are also a number of good internet resources offering advice and checklists for securing operating systems. One good resource is the Center for Internet Security (www.cisecurity.org). CIS offers free security tools for most Windows platforms in addition to Solaris, Linux and HP-UX. There's no good excuse to leave your OS open to attack.

Finally, I'd consider securing the application -- OID in this case. Luckily, the OID team at Oracle has done better than the average vendor to secure OID in the default installation. The main areas I would focus on are designing the access controls and enabling LDAPS (LDAP over SSL).

Unfortunately, the LDAP standards do not specify how access control should work or exactly what syntax should be used to set access controls in the directory. As a result, every vendor has implemented their own mechanisms for access control. How Oracle OID's ACL and ACP mechanisms work and how to configure them are bigger questions than I can answer here. However, the documentation on ACLs and ACPs is complete and there is a Metalink NOTE that offers some additional tips for setting access control in OID.

For enabling LDAPS in OID, you'll need to review chapter 11 in the OID Administrator's guide (for release 9.2.0) at: http://download-west.oracle.com/docs/cd/B10501_01/network.920/a96574/ssl.htm.

Documentation for access control in OID 9.2.0: http://download-west.oracle.com/docs/cd/B10501_01/network.920/a96574/access.htm

Metalink NOTE 186518.1:
http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=186518.1
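
Added example (not part of the original answer or of any Oracle tooling): a small Python audit that checks connection records against the "data goes in, but nothing comes out" DMZ rule described above and against an LDAPS-only exposure policy. The networks, the OID host address, the port 636 allow-list, the record format and the permitted internal-to-DMZ management traffic are all assumptions, and the sample flows are constructed.

```python
import ipaddress

# Assumed addressing (documentation ranges); the answer names no networks.
DMZ = ipaddress.ip_network("192.0.2.0/24")       # isolated OID network
INTERNAL = ipaddress.ip_network("10.0.0.0/8")    # internal network
OID_HOST = ipaddress.ip_address("192.0.2.10")    # hypothetical OID server
ALLOWED_INBOUND = {(OID_HOST, 636)}              # assumed policy: LDAPS only

# Constructed records: "initiator_ip initiator_port responder_ip responder_port".
# A record names who OPENED the connection; replies on an established
# connection are not separate records, so they never count as "outbound".
SAMPLE_FLOWS = """\
198.51.100.7 51514 192.0.2.10 636
198.51.100.7 51520 192.0.2.10 389
192.0.2.10 40112 10.1.2.3 1521
192.0.2.10 40200 203.0.113.9 443
10.1.2.50 33000 192.0.2.10 22
192.0.2.10 40300 192.0.2.11 636
"""

def zone(ip):
    """Map an address to 'dmz', 'internal' or 'internet'."""
    if ip in DMZ:
        return "dmz"
    return "internal" if ip in INTERNAL else "internet"

def classify(line):
    """Return 'ok' or a violation string for one flow record."""
    src, _sport, dst, dport = line.split()
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_zone, dst_zone = zone(src), zone(dst)
    if src_zone == "dmz" and dst_zone != "dmz":
        # The isolated network may answer requests but never start a session.
        return "VIOLATION: DMZ host initiated a connection to " + dst_zone
    if src_zone == "internet" and dst_zone == "internal":
        return "VIOLATION: Internet reached the internal network directly"
    if src_zone == "internet" and (dst, int(dport)) not in ALLOWED_INBOUND:
        return "VIOLATION: service other than LDAPS exposed to the Internet"
    return "ok"  # DMZ-to-DMZ and internal-to-DMZ are permitted by assumption

def audit(flows):
    """Return (record, verdict) pairs for every record that breaks policy."""
    records = [l for l in flows.splitlines() if l.strip()]
    return [(r, v) for r in records if (v := classify(r)) != "ok"]

if __name__ == "__main__":
    for record, verdict in audit(SAMPLE_FLOWS):
        print(f"{verdict:62} {record}")
```
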
All Rights Reserved, Copyright 2003 - 2009, TechTarget | Read our Privacy Policy