Oracle DbNest and Network isolation/Namespace

In my previous articles we have seen how oracle DbNest is taking advantage of the underling Linux namespaces features for enhancing the database security. We have taken a closer look at the user,mount and pid namespaces as they are the one used by default when enabling DbNest. But is seem that there is more (Not documented nor enabled by default) !

When taking a look at the dbnest and oracle binary it seems that that we can get better isolation by taking advantage of the Network namespace event if it’s not enabled by default (Maybe in feature release !) .

First thing first let’s get closer look at the Network Namespace !

“Network namespaces provide isolation of the system resources associated with networking: network devices, IPv4 and IPv6 protocol stacks, IP routing tables, firewall rules, the /proc/net directory (which is a symbolic link to /proc/PID/net), the /sys/class/net directory, various files under /proc/sys/net, port numbers (sockets), and so on”

“A network namespace is logically another copy of the network stack, with its own routes, firewall rules, and network devices.”

Ok let’s give it a try !

We can easily create a new network namespace using “ip netns add“

The newly created network namespace “ns1” have a different network devices and routing table :

We can also see that the loopback device is disabled ! Let’s enable it :

We may ask at this point how to connect our newly created namespace “ns1” to the outside world (Root host network/other network namespaces/Other hosts).

There are may solutions for that ! let’s see some example :

Connection between two different namespaces (“ns1″,”ns0”) using veth (Virtual Ethernet Device )

“The veth devices are virtual Ethernet devices. They can act as tunnels between network namespaces to create a bridge to a physical network device in another namespace, but can also be used as standalone network devices.

veth devices are always created in interconnected pairs.

Packets transmitted on one device in the pair are immediately received on the other device”

Here is the steps to connect two different network namespace using veth devices :

Here is the final network devices configuration :

The two network namespace are now connected :

Ok this was just a very simple case of connecting two different network namespace , but what about more namespaces ? for that we can use a combination of veth and a Linux bridge

Connection between three different namespaces (“ns1″,”ns0″,”parent/root namespace”) using veth (Virtual Ethernet Device ) and a Linux Bridge

“A bridge is a piece of software used to unite two or more network segments. A bridge behaves like a virtual network switch, working transparently (the other machines do not need to know about its existence). Any real devices (e.g. eth0) and virtual devices (e.g. tap0) can be connected to it.”

Here is the steps to do that :

Here is the final network devices configuration :

The different network namespace are now connected :

But still we can not reach external networks (ex: internet) yet :

for that we need to enable NAT on the host side :

Another solution to connect multiple network namespaces is using a MACVLAN.

Connection between three different namespaces (“ns1″,”ns0”,“parent/root namespace”) using MACVLAN (Virtual Ethernet Device ) .

Macvlan allows a single physical interface to have multiple mac and ip addresses using macvlan sub-interfaces. It allow us to bind a physical interface that is associated with a MACVLAN directly to namespaces, without the need for a custom bridge configuration.

Here is the steps to do that using a MACVLAN configured in bridge mode ( all endpoints are directly connected to each other with a simple bridge via the physical interface) :