Expand Your Oracle Fusion Cloud security with IP-based filtering: Part 1

October 4, 2024 | 3 minute read
Roland Koenn
SaaS Cloud Security Outbound Product Manager
Miranda Jimenez
Product Marketing Manager

Recent data breaches across industries, such as the incident with Snowflake, highlight the necessity of enhancing security beyond username and password protection. One effective way to mitigate these risks and keep your environment protected is to restrict access based on IP addresses, significantly reducing the attack surface. Implementing IP-based filtering ensures that only traffic from specific IP addresses, such as those from your company’s network, your Oracle FastConnect connection, virtual private network (VPN), or a specific country, can access your system.

Oracle Fusion Cloud recommends the following native methods for IP-based filtering:

  • Network access control lists (ACL)
  • Web application firewall (WAF) for Fusion-based IP filtering 
  • Location-based access control (LBAC)

Network ACLs: Restrict access with precision and ease

One of the simplest ways to restrict access to your environment is through network ACLs. These lists deliver precise control over who can access systems by allowing only specified IP ranges in classless interdomain routing (CIDR) blocks. This self-service option is available in the Oracle Cloud Console and is activated immediately. 

Each distinct environment can have its own ACL, blocking all traffic not coming from the specified CIDR blocks. If no network ACL is set up, all traffic is allowed by default, potentially exposing your systems to unauthorized access. Network ACLs operate at the network level, blocking traffic before it even reaches your environment. This method allows you to add multiple CIDR blocks or virtual cloud networks (VCNs) to the ACL, as shown in the following images.

Available access control rules.
Creating and configuring access control rules.

If an unauthorized attempt to access the environment from an unlisted IP is made, a 403-error screen appears, indicating forbidden access. For more details, see the network access control rule documentation.
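The following added example (not Oracle code, and it calls no Oracle API) models the network ACL behaviour described above and checks a proposed CIDR list before it is saved, since rules are activated immediately. The `MIN_PREFIX` threshold, the function names, and the sample addresses are assumptions made for illustration.

```python
import ipaddress

MIN_PREFIX = {4: 16, 6: 32}  # assumed policy: wider blocks are flagged for review


def is_allowed(source_ip, acl_cidrs):
    """Model of the behaviour described above: with no ACL all traffic is allowed;
    otherwise a source outside every CIDR block is blocked (the 403 case)."""
    if not acl_cidrs:
        return True
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(c) for c in acl_cidrs)


def review_acl(acl_cidrs, required_sources):
    """Pre-save review of a proposed ACL against the sources that must keep access."""
    findings = {"no_acl": not acl_cidrs, "invalid": [], "too_broad": [],
                "redundant": [], "locked_out": []}
    nets = []
    for cidr in acl_cidrs:
        try:
            nets.append(ipaddress.ip_network(cidr))  # strict: rejects host bits
        except ValueError:
            findings["invalid"].append(cidr)
    for n in nets:
        if n.prefixlen < MIN_PREFIX[n.version]:
            findings["too_broad"].append(str(n))
        # An entry fully contained in another entry adds nothing to the ACL.
        if any(n != o and n.version == o.version and n.subnet_of(o) for o in nets):
            findings["redundant"].append(str(n))
    if acl_cidrs:  # with an ACL in place, uncovered sources would be blocked
        for src in required_sources:
            ip = ipaddress.ip_address(src)
            if not any(ip in n for n in nets):
                findings["locked_out"].append(src)
    return findings


# Constructed sample using documentation address ranges, not real networks.
PROPOSED_ACL = ["203.0.113.0/24", "203.0.113.128/25", "198.51.100.20/28"]
REQUIRED_SOURCES = ["203.0.113.10", "198.51.100.20", "192.0.2.44"]

if __name__ == "__main__":
    for key, value in review_acl(PROPOSED_ACL, REQUIRED_SOURCES).items():
        print(f"{key}: {value}")
```

Run against the constructed sample, the review reports the mistyped `/28` entry as invalid and shows that two of the required sources would be blocked once the rule is active.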

WAF for Fusion: Enhanced IP filtering for advanced security needs

For complex security requirements, enhance your system’s defences by setting IP-based access control at the WAF layer, which is available through a service request. By default, all Fusion environments are protected by WAF for Fusion. Adjusting the WAF policy allows you to further restrict traffic, adding another layer of security. While WAF for Fusion is instrumental in controlling IP traffic, it also covers a broader spectrum of security threats, such as those listed in the OWASP Top 10, enhancing the resilience of your network against different vulnerabilities.

To implement a WAF policy-based IP filter, you must disable your network ACL.

Architecture diagram for IP-based filtering.

Summary

Network ACLs and WAF for Fusion are essential IP filtering methods for expanding the security of your Oracle Fusion Cloud services. For a comprehensive defense, we recommend employing either network ACLs and LBAC or WAF and LBAC to ensure that your cloud environment is safeguarded against sophisticated threats.

In part 2 of our series, we explore more IP filtering methods, including WAF policy-based IP filters and LBAC, which offer enhanced security configurations to meet complex requirements, such as restricting subsets of the application to different IP ranges and geographies. These methods build on the foundation set by network ACLs to provide even stronger protection against unauthorized access.

Roland Koenn

SaaS Cloud Security Outbound Product Manager

Roland is a member of the SaaS Cloud Security Product Management team, focusing on SaaS cloud security products within Oracle SaaS Cloud. The team's mission is to engage, educate, and empower customers about the security controls and features embedded in Oracle’s SaaS offerings.

Miranda Jimenez

Product Marketing Manager

Miranda Jimenez is a member of the Product Management team at Oracle SaaS Cloud Security where she focuses on the development of messaging strategy, content creation, product launches and other security marketing initiatives. 

Miranda is a technology enthusiast, which is why she has been attracted to pursue technology projects in her professional life in an effort to contribute to its democratization. 
