Suppose that you have Oracle 8.i and WebDB on a NT machine in your intranet. On this machine, the Listener is running as well. Let the URL for the database be : [url]http://mymachine.mydomain/mydb/[/url]
A connection to the db from a client in the intranet is now no problem with any internet browser. But how to enable a connection via the internet from a remote client? One way is to change some settings in the company's webserver and to enable a mapping: if a remote client enters the URL [url]http://www.mydomain/mydb/[/url] in his browser, the webservers routes it to [url]http://mymachine.mydomain/mydb/[/url] The company's webservers "communicates" now with the Listener, which "communicates" with the db via the PL/SQL gateway.
Now, the question is: "How insecure is this scenario?" I think that....
1.) the database connection is just passwd protected - so this is not sufficiently secure, of course. At least a SSL connection should be realized.
2.) somebody could try to assault the company's intranet via mymachine. Suppose that he knows a valid login/passwd to the database. But could he do anything else? I don't think so, because the Listener just communicates with mydb via the PL/SQL gateway...
So in my opinion, the worst case would be that a hacker gets access to the database, but not to any machine in the intranet.
What do think? - Thanks!
My take on this case would be make the listener encrypted through SSL option. Then also you could make your listen to only those connections that arise from certain IPs. as a result you can put in some security on it. Also there owa_util to capture the IP of the connection on your pl/sql procedure and then you can perform a check, and deny access any further. As far as I know in OAS, you have all these features that could be enabled and made use of. Foe webdb, since it again was an incranation of oracle webserver as that of OAS, these features should be there.