what is the advantage of enabling sqlnet inspection in ASA appliance

Feb 19th, 2010
I am trying to understand the advantage of enabling sqlnet inspection ("fixup protocol sqlnet 1521") on an ASA appliance.

The reason I ask is that every time I enable this feature on the ASA appliance, it ends up breaking the sqlnet connection.

One of my Oracle applications needs to run a very long sqlnet query to transfer about 2GB of data between systems. Enabling sqlnet connection on the ASA breaks this sqlnet connection.

I would like to know the advantage of enabling sqlnet connection, aside from the standard response from Cisco.


Thanks in advance.

francisco_1 Sun, 02/21/2010 - 09:21

The fixup protocol sqlnet command causes the PIX Firewall to do the following for SQL*Net traffic on the indicated port:

  • Perform NAT in packet payload.

  • Dynamically create conduits for SQL*Net redirected connections.

Use the no form of the command to disable the inspection of traffic on the indicated port for SQL*Net connections. If the fixup protocol sqlnet command is not enabled for a given port, then the following will occur:

  • Outbound SQL*Net will work properly on that port as long as outbound traffic is not explicitly disallowed.

  • Inbound passive SQL*Net will not work properly on that port.

Using the clear fixup protocol sqlnet command without any arguments causes the PIX Firewall to clear all previous fixup protocol sqlnet assignments and set port 1521 back as the default.



More Info


SQL*Net

SQL*Net is used to query remote SQL databases. Although the protocol was written by Oracle for Oracle databases, it works equally well to query the SQL databases of other vendors. The main issue to consider when securing SQL*Net is that while it only uses one TCP port for communications, that port can be redirected to a different port and, even more commonly, to a different secondary server altogether. When a client starts an SQL*Net connection, it opens a standard TCP channel from one of its high-order ports to port 1521 on the server. The server then proceeds to redirect the client to a different port or IP address. The client tears down the initial TCP connection and establishes the second connection using the redirected port.

NOTE

While the default port inspected by the fixup protocol sqlnet command is 1521, Oracle registered TCP and UDP port 66 with IANA (Internet Assigned Numbers Authority). You may be required to add fixup protocol 66 to your configuration to support your particular implementation. Please see the following web page for details: http://www.iana.org/cgi-bin/usr-port-number.pl



For SQL*Net traffic, the PIX Firewall behaves in the following manner:

  • Outbound connections—If all outbound TCP traffic is implicitly allowed, no special handling is required because the client initiates all TCP connections from the inside.

    If all outbound TCP traffic is not implicitly allowed, the PIX Firewall opens a conduit for the redirected channel between the server and the client.

  • Inbound connections—If a conduit exists allowing inbound SQL*Net connections to an SQL*Net server, the PIX Firewall opens an inbound conduit for the redirected channel.

fixup protocol sqlnet Command

The syntax of the fixup protocol sqlnet command is as follows:

fixup protocol sqlnet port[-port]

no fixup protocol sqlnet port[-port]

clear fixup protocol sqlnet

where port[-port] is a single port or port range that the PIX Firewall will inspect for SQL*Net connections.

By default, the PIX Firewall inspects port 1521 connections for SQL*Net traffic. If you have SQL*Net servers using ports other than port 1521, use the fixup protocol sqlnet command as illustrated in Example 9-4 to instruct the PIX Firewall to inspect these other ports for SQL*Net traffic.

Example 9-4 Adding and Removing Standard and Non-standard Ports for SQL*NET


pixfirewall(config)# fixup protocol sqlnet 1521

pixfirewall(config)# fixup protocol sqlnet 66

pixfirewall(config)# no fixup protocol sqlnet 1521

pixfirewall(config)# no fixup protocol sqlnet 66
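To make the answer above concrete, here is an added example (not from the thread, and not Cisco's inspection code) that models the two things the sqlnet fixup is documented to do when an Oracle listener answers with a REDIRECT: rewrite the address inside the TNS payload (payload NAT) and record the pinhole the firewall must open for the client's second connection. The TNS header layout (2-byte length, 2-byte checksum, 1-byte type, 1-byte flags, 2-byte header checksum, with REDIRECT carrying a 2-byte data length and a connect descriptor) is the public format; the IP addresses, the listener string, the NAT table and the one-HOST/PORT-pair handling are constructed assumptions for the demo, and the real inspection engine does more than this.

```python
import re
import struct

# TNS packet types (the fifth byte of the 8-byte TNS header). Only REDIRECT matters here.
TNS_REDIRECT = 5
TNS_DATA = 6


def build_tns_packet(ptype: int, body: bytes) -> bytes:
    """Prefix body with an 8-byte TNS header: length, checksum, type, flags, header checksum."""
    return struct.pack("!HHBBH", 8 + len(body), 0, ptype, 0, 0) + body


def build_tns_redirect(address: str) -> bytes:
    """A REDIRECT body is a 2-byte data length followed by the new connect descriptor."""
    data = address.encode("ascii")
    return build_tns_packet(TNS_REDIRECT, struct.pack("!H", len(data)) + data)


def parse_tns_redirect(pkt: bytes):
    """Return the redirect descriptor string, or None if pkt is not a well-formed REDIRECT."""
    if len(pkt) < 10:
        return None
    length, _csum, ptype, _flags, _hcsum = struct.unpack("!HHBBH", pkt[:8])
    if ptype != TNS_REDIRECT or length != len(pkt):
        return None
    (dlen,) = struct.unpack("!H", pkt[8:10])
    data = pkt[10:10 + dlen]
    if len(data) != dlen:
        return None
    return data.decode("ascii", errors="replace")


# Assumption for the demo: the descriptor carries a single (HOST=...)(PORT=...) pair.
ADDR_RE = re.compile(r"\(HOST=([^)]+)\)\(PORT=(\d+)\)")


def client_next_hop(pkt: bytes):
    """Where a client would open its second TCP connection after this packet: (host, port) or None."""
    addr = parse_tns_redirect(pkt)
    if addr is None:
        return None
    m = ADDR_RE.search(addr)
    return (m.group(1), int(m.group(2))) if m else None


def inspect_redirect(pkt: bytes, nat_table: dict, client: str):
    """Emulate what 'fixup protocol sqlnet' does to a server-to-client REDIRECT.

    1. Replace the real (inside) listener host in the payload with its NAT-mapped address.
    2. Rebuild the packet so the TNS length fields match the rewritten payload.
    3. Return the pinhole (client, mapped_host, port) the firewall must open for the
       client's follow-up connection.
    Anything that is not a REDIRECT is passed through unchanged with no pinhole.
    """
    hop = client_next_hop(pkt)
    if hop is None:
        return pkt, None
    real_host, port = hop
    mapped_host = nat_table.get(real_host, real_host)
    addr = parse_tns_redirect(pkt)
    new_addr = addr.replace(f"(HOST={real_host})", f"(HOST={mapped_host})", 1)
    return build_tns_redirect(new_addr), (client, mapped_host, port)


if __name__ == "__main__":
    # Constructed scenario: inside listener 10.1.1.20 is translated to 203.0.113.20,
    # and it redirects an outside client to a second port.
    nat = {"10.1.1.20": "203.0.113.20"}
    redirect = build_tns_redirect("(ADDRESS=(PROTOCOL=tcp)(HOST=10.1.1.20)(PORT=1522))")
    print("without inspection, client would connect to:", client_next_hop(redirect))
    fixed, pinhole = inspect_redirect(redirect, nat, "198.51.100.7")
    print("with inspection, client connects to:", client_next_hop(fixed))
    print("pinhole the firewall opens:", pinhole)
```

Run as written, the uninspected client tries to reach 10.1.1.20:1522, an address it cannot route to from outside, while the inspected copy sends it to 203.0.113.20:1522 with a matching pinhole. That is the whole advantage the fixup offers: sessions that never see a REDIRECT (type 6 DATA packets just pass through the model) gain nothing from it, and sessions that do are only reachable through NAT or an inbound ACL because of it.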
