Oracle multitenant (container) database in Solaris zone

panzer_hier, Oct 30 2019

Hello !

I'd like to address everyone who would try to help, or at least try to direct me towards the correct solution. The situation is the following.

Let's suppose we have a Solaris zone which hosts an Oracle multi-container database (Oracle DB 12.2 EE with the Multitenant option). Each container is registered in the listener, and such a listener listens on the appropriate network interface. So the zone has several network interfaces (IPMP groups built over virtual NICs); each interface has an address in a unique (different) net (VLANs are used for that) and the appropriate default router for that net. In other words, it is a classical multi-homed Solaris environment (as I see it).

The question is: how to secure the environment at the network layer in case the containers are from different security-based network segments (say, CDE and Connected-To segments in PCI DSS terminology)? The problem is: when the client connects to the appropriate listener it can be regulated in the corporate firewall, but how to forbid (or allow) the server process that acts on behalf of the connected session to establish a network connection (via DB links or via other DBMS stuff) with another container not directly? In other words, how to make the connection from one container to another container (to a different network interface on the SAME machine) be established via the router (i.e. via security settings on the corporate network firewall)? Maybe there is some routing trick for it (-reject or -blackhole routing flags)? And from which of the several interfaces will the connection be made?

I suppose the first recommendation will be to throw away multitenant and use the classical approach: create zones as needed and create a single-instance or RAC database in every zone. That's understood, but a multitenant database offers a lot of stuff to control the sharing of hardware resources etc., although it costs an additional fee.

The ideal (which does not mean possible) solution would be:

- use security network settings only inside the corporate firewall (do not build a static routing table);

- all new outgoing connections should go to the router/switch for secure destination resolution (preferably, it would be perfect to bind the outgoing packet to the appropriate network interface on which the container's listener listens, so that on the corporate firewall the rule "allow tcp x.x.x.x:1521 from y.y.y.y:dynamic_port" would exist).

I think the questions in this topic contradict the concepts of TCP networks (the route is chosen upon the destination address in the network packet; it's not possible to choose the outgoing network interface). But the Solaris system is not for the community, it's for professionals. Maybe it has some solution/trick/remedy to achieve that. Maybe I should learn some more tools. Please advise. I don't know how to act. I hope my needs are understandable.

Thank you very much in advance

Dmitry Tesliuk
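The post above reasons about how a multi-homed host picks a route and whether a -reject or -blackhole route could force traffic between two listener addresses of the same zone out through the corporate firewall. As an added illustration (not part of the original post, and not Solaris or Oracle code), the following Python model walks through that decision for constructed sample data: two IPMP interfaces on different VLANs, one default router, and a host-specific reject route for the other container's listener address. The model assumes general IP behaviour: a destination that is one of the host's own addresses is delivered locally (over loopback) before the routing table is consulted, otherwise the longest matching prefix wins, and the source address defaults to the address of the outgoing interface. The interface names (ipmp0, ipmp1), addresses and nets are constructed sample values.

```python
"""
Added illustration (not from the forum post): a model of the forwarding
decision a multi-homed host makes, showing why a reject/blackhole route
cannot push traffic between two addresses of the SAME host out to the router.

Assumptions (general IP behaviour, not Solaris-specific code):
  1. a destination that is one of the host's own addresses is delivered
     locally (loopback) before the routing table is consulted;
  2. otherwise the longest-prefix match wins, and reject/blackhole routes
     drop the packet instead of forwarding it;
  3. the source address defaults to the address of the outgoing interface.
All interface names, addresses and nets below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Iface:
    name: str
    addr: ipaddress.IPv4Interface   # address with prefix, e.g. 10.10.1.5/24


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: Optional[str] = None     # outgoing interface (None for reject/blackhole)
    gateway: Optional[str] = None   # None means directly connected
    flag: Optional[str] = None      # None, "reject" or "blackhole"


@dataclass(frozen=True)
class Decision:
    action: str                     # "local", "forward", "reject", "blackhole", "unreachable"
    iface: Optional[str] = None
    src: Optional[str] = None
    gateway: Optional[str] = None


class MultiHomedHost:
    def __init__(self, ifaces: Iterable[Iface], routes: Iterable[Route]):
        self.ifaces = {i.name: i for i in ifaces}
        self.routes: List[Route] = list(routes)

    def lookup(self, dst: str) -> Decision:
        d = ipaddress.IPv4Address(dst)
        # 1. Local delivery: the host's own addresses never leave the box,
        #    so a firewall in front of the router never sees this traffic.
        for i in self.ifaces.values():
            if d == i.addr.ip:
                return Decision("local", iface="lo0", src=str(d))
        # 2. Longest-prefix match over the routing table.
        candidates = [r for r in self.routes if d in r.prefix]
        if not candidates:
            return Decision("unreachable")
        best = max(candidates, key=lambda r: r.prefix.prefixlen)
        if best.flag in ("reject", "blackhole"):
            return Decision(best.flag)
        # 3. Source address follows the outgoing interface chosen by the route.
        out = self.ifaces[best.iface]
        return Decision("forward", iface=out.name, src=str(out.addr.ip), gateway=best.gateway)


def sample_host() -> MultiHomedHost:
    """Constructed zone: one IPMP group per VLAN, one default router, a
    host-specific reject route for the Connected-To listener address (an
    attempt to force cross-container traffic through the firewall) and a
    blackhole route for an unrelated net."""
    cde = Iface("ipmp0", ipaddress.IPv4Interface("10.10.1.5/24"))    # CDE listener address
    conn = Iface("ipmp1", ipaddress.IPv4Interface("10.20.1.5/24"))   # Connected-To listener address
    routes = [
        Route(ipaddress.IPv4Network("10.10.1.0/24"), iface="ipmp0"),
        Route(ipaddress.IPv4Network("10.20.1.0/24"), iface="ipmp1"),
        Route(ipaddress.IPv4Network("0.0.0.0/0"), iface="ipmp0", gateway="10.10.1.1"),
        Route(ipaddress.IPv4Network("10.20.1.5/32"), flag="reject"),      # the "reject trick"
        Route(ipaddress.IPv4Network("10.30.0.0/16"), flag="blackhole"),
    ]
    return MultiHomedHost([cde, conn], routes)


if __name__ == "__main__":
    host = sample_host()
    for dst in ("10.20.1.5", "10.20.1.77", "192.0.2.10", "10.30.4.4"):
        print(dst, host.lookup(dst))
```

Running the model shows the point the post circles around: a lookup for 10.20.1.5 (the other container's listener on the same zone) is delivered locally even though a /32 reject route exists for it, while a lookup for a host in the Connected-To net (10.20.1.77) goes out of ipmp1 with 10.20.1.5 as source, and anything else follows the default route out of ipmp0 with the CDE address as source. Only the 10.30.0.0/16 destination is actually dropped by the blackhole flag.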
