svasireddy
asked on

Firewall rules

My application is in the DMZ and is trying to access a database in the private network behind the firewall. What rules should be applied in the firewall for secure access to the database from the application server?
Dimitris Maleas

You give too little information. We must at least know the type of database.
svasireddy (ASKER)
It's an Oracle DB, picture attached.
There is no picture attached.
We don't know if you need full access to the database (for updating data, database management) or view only.
You can decide for yourself, but here is an article about all the ports and protocols you must consider allowing, depending on your access type:

https://docs.oracle.com/cd/B19306_01/install.102/b15660/app_port.htm
It's only viewing data. Please find the picture attached.
Well, a firewall only deals with IP addresses and ports, so you need to allow access from the DMZ -> inside network on TCP port 1521 (for SQL*Net).
If you need access to other components, please check this list:
https://docs.oracle.com/cd/B19306_01/install.102/b15660/app_port.htm

A somewhat older list that references several sources.
http://www.chebucto.ns.ca/~rakerman/oracle-port-table.html
noci

The architecture is in the attached picture.
What is the zone between the web and app servers called, since there is one more firewall separating the app server and the DB server???
When Googling Oracle docs to post, at least make sure they are from a supported version.  Oracle 10g hasn't been around in a long time.

@svasireddy,

You need to get with the DBA to see what port they have set the Listener up on.  1521 is the default and should be changed in a production environment.

A lot also has to do with the Oracle version.  In older versions you needed the whole high port range open because the Listener would pick a random high port.  They have corrected this in newer versions.  Again, the DBA will be able to help you with all this.

As far as the image you attached, I cannot read it.  At least do a screen capture and post that.

>>what is the Zone between Web and App server is called ?

I normally call it the DMZ.
@slightwv:
10g is supported on a platform I regularly use; 11g is still in the making for it.
(Might be they skip to 19...)
The platform wasn't mentioned either.

Here is a list for 19c (Linux), and it has a LOT less info on ports/components:
https://docs.oracle.com/en/database/oracle/oracle-database/19/ladbi/oracle-database-component-port-numbers-and-protocols.html#GUID-B530F5CD-DD07-44D9-8499-0828B716C3A8
Please find the picture attached. What rules are generally required at the WAF and application FW layer?
1) My application is in DMZ and trying to access a database in the private network behind the firewall.

2) What rules shall be applied in the Firewall for secure access to the database from the application server.

Note: #1 + #2 are very different.

Addressing #1 - You'll require some sort of proxy system to expose your database on some public IP/port. What's required for this can be simple or complex. For example, if you're running your database in an LXD instance on a LAMP server on the net, a few seconds of work and you're done.

If your database lives on a machine connected to residential service which blocks all listening ports, then you'll have to set up an SSH tunnel or something similar.

Addressing #2 - The required IP/port/protocol relates directly to #1 and also to the type of database service you're running.

Also, super important: if you have a database instance connected to the net (a horrifying thought) you must make sure your connections are all forced to be TLS-wrapped, or you'll be hacked... No matter how smart you think you are or how smart your security folks tell you they are, you will be hacked if you break this rule.

Tip: About your attached image. It's fairly unreadable. Better to attach the raw graphic file.
>>10g is supported on a platform i regularly use..

You must be paying TONS of $$$.  Support ended in 2015.

https://community.oracle.com/community/support/support-blogs/database-support-blog/blog/2014/10/16/database-102-111-112-121-roadmap-and-support-life-cycle

>>what rules are generally required at the WAF and Application FW layer ?

Please stop posting pictures of your monitor.  You cannot read them.  Do a PrintScreen and post that.

Not sure we can answer your latest question even if we could see what is on the screen.  Aside from Oracle, we don't know what apps are running therefore we cannot say what ports you need open.

If you don't know, turn off everything and monitor what is trying to access what ports.  Then determine if that is legitimate traffic and open those ports.
Slight,
Click open the picture, it will be very clear.
I have a very fundamental question. What is an interface, after all? How do I see an analogy and visualise it? It seems to be a pretty confusing concept even to an experienced networker!!!
Viewing Port Numbers and Access URLs
In most cases, the Oracle Database component's port number is listed in the tool used to configure the port. In addition, ports for some Oracle Database applications are listed in the portlist.ini file. This file is located in the $ORACLE_HOME/install directory.

If you change a port number, it is not updated in the portlist.ini file, so you can only rely on this file immediately after installation. To find or change a port number, use the methods described in this appendix.

https://docs.oracle.com/cd/B19306_01/install.102/b15660/app_port.htm
David

Can someone explain how NAT complicates ingress rules in a firewall? What's the order of processing firewall rules? What I mean is, is it after NAT processing or before NAT processing? What's the idea behind the specific ordering?

I am trying to figure out rules for WAF and Application FW in a 3 tier Web Application
Did you try port 1521? This is very common.
NAT is a function that translates one port on an external IP to one port on an internal IP.

For example:

75.74.71.20 port 1521 to 192.168.10.2 port 1521
So the bottom line is: if some application from the internet requires access to port 1521 on your WAN IP, then the router will reroute this request to the internal IP.
Seems peculiar for your setup. In such a security design, the DMZ system would be a reverse proxy that proxies requests to the web/application layer; from that you would have the rule providing access to port 1521 with oratab to the data.

The point being to avoid exposing a system that has a connection to the most sensitive thing, the DB.
If the web server can be compromised, the rules you are adding will allow the attacker access to your underlying data....

The firewall sets setup, HA pairs, multi-path?
Arnold
Can we have DMZ1 and DMZ2, web server in DMZ1 and app server in DMZ2, while the DB server is in the Inside zone?
That is two FWs separating the DB server.

WAN <--> 1st Tier Firewall <--> Intermediate LAN <--> 2nd Tier Firewall <--> Internal LAN

In this setup, what is the zone in which the app server resides named? What should this zone be called?
You could, but much depends on what the application server is and how the web server interacts with it.

The idea of multiple layers is to limit the attack vector. As well, if the first is compromised, the scope and range to attack the next one is limited.
A reverse proxy limits the attack as well; if there is a compromise, the firewall will shield the web/app server from initiating a connection out.

The web server has information, logins, etc. that commonly would not be present on the reverse proxy.

You took a picture of the diagram from a monitor; use the snipping tool in Win 10 or Alt-Print Screen.
The two attempts have glare and are a bit difficult to read.
Arnold
Click open the file. It is clearly visible!!!!
Sure: DMZ1 as the perimeter,
DMZ2 as the application layer,
DB in the data layer, most secure.

On what I am using, it is not as clear.
The image shows a beautiful Moiré effect. So it may be viewable on your monitor; on mine I see wavy block patterns across all details.
A screenshot would be as clear as it is on your monitor.

Possibly you can post a PDF export of the original document here?
(Screenshot: CTRL-ALT-PRTSCR, paste in Paint and save as PNG, JPG, etc.)

DO NOT expose your database directly to the internet.... (no port 1521 on the public IP, unless you want to become a news item for some database heist...)
(That would need >1M personal details to be lost to be newsworthy, though.)

The order between NAT & filter depends on the firewall in use. Some filter before NAT, others NAT before filter (Linux-based firewalls do the latter, and thus it is the most common occurrence).

The intermediate zone between two firewalls (outside and inside FW) is most commonly called the DMZ.
If you have multiple similar setups, call them DMZ1, DMZ2, etc. like you did.
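The two points made in this thread about the firewall itself (the least-privilege rule DMZ -> inside on TCP 1521 with nothing published on the public IP, and the question of whether filtering happens before or after NAT) can be checked against a small model. The following is an added example written for this page, not code from any of the posters; the addresses, the DNAT entry and the two candidate policies are all assumed for illustration.

```python
"""Toy model of a zone firewall with DNAT, to reason about rule ordering.

Added example, not from the thread. Addresses are assumed (RFC 1918 / RFC 5737).
"""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Tuple

APP_SERVER = ip_address("10.1.0.10")      # app server in the DMZ (assumed)
OTHER_DMZ_HOST = ip_address("10.1.0.11")  # another DMZ box, e.g. the web server (assumed)
DB_SERVER = ip_address("10.2.0.20")       # Oracle listener host on the inside network (assumed)
PUBLIC_IP = ip_address("203.0.113.5")     # firewall's WAN address (assumed)
ATTACKER = ip_address("198.51.100.7")     # arbitrary Internet host (assumed)
DB_PORT = 1521                            # default SQL*Net port; confirm the real one with the DBA


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    dport: int
    action: str  # "accept" or "drop"


def filter_packet(pkt: Packet, policy: List[Rule]) -> str:
    """First matching rule wins; anything unmatched is dropped (default deny)."""
    for rule in policy:
        if (pkt.proto == "tcp" and pkt.src in rule.src
                and pkt.dst in rule.dst and pkt.dport == rule.dport):
            return rule.action
    return "drop"


# DNAT table: (public address, port) -> (internal address, port).
# The single entry below is the "DB published on the public IP" anti-pattern.
DNAT: Dict[Tuple[IPv4Address, int], Tuple[IPv4Address, int]] = {
    (PUBLIC_IP, DB_PORT): (DB_SERVER, DB_PORT),
}


def dnat(pkt: Packet) -> Packet:
    target = DNAT.get((pkt.dst, pkt.dport))
    return pkt if target is None else replace(pkt, dst=target[0], dport=target[1])


def process(pkt: Packet, policy: List[Rule], nat_before_filter: bool = True) -> Tuple[str, Packet]:
    """Run one packet through DNAT and the filter in the order the firewall uses.

    nat_before_filter=True is the netfilter/nftables order (PREROUTING dnat,
    then FORWARD filter), so forward rules see the translated internal address.
    False models appliances whose filter rules match pre-NAT addresses.
    """
    if nat_before_filter:
        pkt = dnat(pkt)
        return filter_packet(pkt, policy), pkt
    verdict = filter_packet(pkt, policy)
    return verdict, (dnat(pkt) if verdict == "accept" else pkt)


# Least-privilege policy for the thread's case: only the app server reaches the listener.
POLICY_INTERNAL = [
    Rule(ip_network(f"{APP_SERVER}/32"), ip_network(f"{DB_SERVER}/32"), DB_PORT, "accept"),
]

# A policy written against the public address. It only behaves as its author
# intended on firewalls that filter before NAT; on NAT-first firewalls it never matches.
POLICY_PUBLIC = [
    Rule(ip_network("0.0.0.0/0"), ip_network(f"{PUBLIC_IP}/32"), DB_PORT, "accept"),
]

if __name__ == "__main__":
    print("app -> db      ", process(Packet(APP_SERVER, DB_SERVER, DB_PORT), POLICY_INTERNAL)[0])
    print("web -> db      ", process(Packet(OTHER_DMZ_HOST, DB_SERVER, DB_PORT), POLICY_INTERNAL)[0])
    print("internet, nat first ", process(Packet(ATTACKER, PUBLIC_IP, DB_PORT), POLICY_PUBLIC, True)[0])
    print("internet, filter first", process(Packet(ATTACKER, PUBLIC_IP, DB_PORT), POLICY_PUBLIC, False)[0])
```

Two things the model makes visible: with the internal policy, traffic from anything but the app server is dropped no matter which order the firewall uses, so the "view only" access the asker needs reduces to one accept rule plus default deny; and a rule written against the public address behaves differently on the two orderings, which is exactly why the same ruleset cannot be copied between a Linux-based firewall and an appliance that filters first without re-checking which address each rule is meant to match. The model ignores connection tracking; on a real stateful firewall the DB's replies are allowed as part of the established flow, so no reverse rule from the inside to the DMZ is needed (and none should be added).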
Noci

Do I need a network firewall in front of the WAF on the WAN side even if I already have an IPS in front of the WAF?

Please suggest ASAP
They handle different domains.
Firewall (IP) = IP addresses & port numbers (and other possible IP header fields).
This can be done fairly quickly (like excluding some networks, countries (derived from IP ranges), etc. etc.)
IPS may include a firewall and triggers on other aspects of the contents of streams, e.g. certain strings in streams.
WAF is an HTTP-layer firewall and needs more resources, so any IP-based blocking means less work for the WAF,
  e.g. SQL statement fragments inside a text field, or strings in number fields.

They progressively test with more knowledge of the contents of the protocol.

It would be very hard to test the validity of SQL statements in a stream context, or even more so in an IP context.
Therefore you may need all layers (depending on the requirements of the web service...).
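The three layers in the answer above, each knowing more about the traffic than the one before it, can be shown end to end in a few dozen lines. This is an added example written for this page, not code from any poster or product; the blocklist, the form schema (`id` numeric, `comment` free text), the signatures and the sample requests are all constructed for illustration, and real WAF rule sets are far more elaborate than the two checks here.

```python
"""Three inspection layers, each with more protocol knowledge than the last.

Added example; the blocklist, form schema, signatures and sample requests are constructed.
"""
import re
import urllib.parse
from ipaddress import ip_address, ip_network
from typing import Dict, Tuple

# Layer 1: IP firewall. Sees only header fields, so it is cheap and runs first.
BLOCKED_NETS = [ip_network("198.51.100.0/24")]  # assumed blocklist (RFC 5737 range)


def ip_filter_ok(src_ip: str) -> bool:
    ip = ip_address(src_ip)
    return not any(ip in net for net in BLOCKED_NETS)


# Layer 2: IPS-style signatures over the raw byte stream, with no HTTP parsing.
STREAM_SIGNATURES = [
    re.compile(rb"(?i)\bunion\s+select\b"),  # only fires if these bytes are literally on the wire
    re.compile(rb"\.\./\.\./"),              # directory traversal in a request line
]


def stream_ok(raw: bytes) -> bool:
    return not any(sig.search(raw) for sig in STREAM_SIGNATURES)


# Layer 3: WAF. Parses the HTTP request, decodes the form, applies per-field rules.
FIELD_TYPES = {"id": "number", "comment": "text"}  # assumed schema for POST /comment
NUMBER = re.compile(r"\d+")
SQL_FRAGMENT = re.compile(r"(?i)\bor\b\s+\d+\s*=\s*\d+|\bunion\s+select\b|;\s*drop\b|--")


def parse_form_post(raw: bytes) -> Dict[str, str]:
    """Split headers from body and decode an application/x-www-form-urlencoded body."""
    _, _, body = raw.partition(b"\r\n\r\n")
    fields = urllib.parse.parse_qs(body.decode("utf-8", "replace"), keep_blank_values=True)
    return {name: values[0] for name, values in fields.items()}


def waf_ok(raw: bytes) -> bool:
    for name, value in parse_form_post(raw).items():
        kind = FIELD_TYPES.get(name)
        if kind == "number" and not NUMBER.fullmatch(value):
            return False  # a string where a number is expected
        if kind == "text" and SQL_FRAGMENT.search(value):
            return False  # SQL fragment inside free text
    return True


def inspect_request(src_ip: str, raw: bytes) -> Tuple[str, str]:
    """Return (verdict, layer): the first layer that blocked, or ('allow', 'waf')."""
    if not ip_filter_ok(src_ip):
        return "block", "ip"
    if not stream_ok(raw):
        return "block", "ips"
    if not waf_ok(raw):
        return "block", "waf"
    return "allow", "waf"


def _post(body: str) -> bytes:
    return (
        "POST /comment HTTP/1.1\r\nHost: app.example\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n\r\n{body}"
    ).encode()


# Constructed sample traffic.
REQ_BENIGN = _post("id=42&comment=thanks+for+the+update")
REQ_TRAVERSAL = b"GET /static/../../etc/passwd HTTP/1.1\r\nHost: app.example\r\n\r\n"
REQ_SQLI = _post("id=7&comment=a%27+or+1%3D1--")  # URL-encoded, so the stream signature cannot see it
REQ_BAD_NUMBER = _post("id=42abc&comment=ok")

if __name__ == "__main__":
    for label, src, req in [
        ("benign", "203.0.113.7", REQ_BENIGN),
        ("blocked net", "198.51.100.9", REQ_BENIGN),
        ("traversal", "203.0.113.7", REQ_TRAVERSAL),
        ("sqli", "203.0.113.7", REQ_SQLI),
        ("bad number", "203.0.113.7", REQ_BAD_NUMBER),
    ]:
        print(f"{label:12s} {inspect_request(src, req)}")
```

The injected comment is the instructive case: on the wire it reads `a%27+or+1%3D1--`, so neither the IP filter nor a byte-pattern IPS can recognise it as `a' or 1=1--`; only the layer that decodes the form and knows that `comment` is a text field can. Conversely the blocked-network request never costs the WAF any parsing at all, which is the "less work for the WAF" point. The same division of labour is why the WAF's field-type rules cannot be pushed down into the stream or IP layer.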