Oracle Developer and Forms security issues

From: Matías Bevilacqua <matias(at)escert.upc.es>
Date: Thu Feb 20 2003 - 15:50:06 EST

Hi list,

I'm involved in a project which will use Oracle Forms in a web environment and would like to hear some feedback from the list. This technology is rather new (you don't see this stuff much out there) and thus I'm concerned with security issues which may arise. I have basically the following questions:

1. Is the usual 3 tier topology valid with this technology? I'm not sure since we have to poke a hole on our two firewalls to let Forms Client connect to the application sever directly... Not something nice. Should we move the application server to our DMZ?
2. Any feedback on Oracle Forms security on a web deployment instead of the traditional client/server setup?
3. What is the protocol used by the Forms client to connect to the Forms Listener? It says it's compatible with HTTP but it also states it uses a in-house protocol to reduce traffic and encrypts with HTTPS... Http
   "obfuscation" of some type? Will IDSs do something here assumng we can
   decrypt data?

Anyone feedback will be appreciated! Thank you in advance.

Matías Bevilacqua Trabado

---

PGP-ID: 0x3FFD6E18
PGP Fingerprint: 9FA3 06A1 3CAE 5996 1716 D9DF 3CE7 E88D 3FFD 6E18

---

"This e-mail may contain confidential and/or privileged information. If
you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail. Any unauthorized copying, disclosure or distribution of the material in this e-mail is strictly forbidden." Received on Thu Feb 20 16:19:26 2003