A couple of our servers have Oracle maintenance licenses. Our hardware vendor asked whether there was an internet connection in the server room. Our policy is that all machines in that room are isolated from the internet for security reasons. But the maintenance guy asked, "then how are we going to be able to do maintenance work on your servers?"
My question is: do our servers need an internet connection in order for the maintenance to be carried out, like a license verification system? Or can he do it offline? Isn't it a risk in itself if there was an internet connection to our production server?
Your servers are connected to a network which has other devices with Internet access. Correct? I'm sure others will disagree but I believe the security afforded by not allowing those servers direct Internet access is more illusory than anything else.
You would generally need to download patches from the internet then apply them to the server. However it is reasonable to have an intermediate step of copying the patches to an intermediate location (even a DVD) to go between the internet and the database servers.
If they just want a separate machine in the server room that can connect to the internet (e.g. for reading patch notes), that's another option.
Finally, there's a difference between having a browser running on the server that can connect to the internet and having the server actually accessible as a server from the internet.
It all depends on how secure you want/need to be.
You can always use iptables to configure exact source/destination IP:Port pairs that you wish to keep open.
That way, even when the server is exposed over the WAN, you may ensure that only trusted IPs + correct credentials will gain access to it.
Moreover, you can use a private/public SSH key pair as well, which can be shared only amongst the two of you.
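As an added example (not code from any of the answers here), the following shell script turns the iptables advice in this answer and in the firewall answer below into a concrete default-deny rule set: new inbound SSH only from a maintenance jump host, new outbound only to an update proxy, everything else dropped and logged, plus a function to pull the maintenance rule again once the visit is over. The jump host 10.0.0.5, the proxy 10.0.0.10:3128 and the ports are constructed placeholders; DRY_RUN=1 (the default) prints the rules for review instead of applying them.

```shell
#!/bin/sh
# Default-deny iptables policy for an isolated production server that still
# needs occasional vendor maintenance. Addresses below are constructed
# placeholders for this example; override them via the environment.
JUMP_HOST="${JUMP_HOST:-10.0.0.5}"     # admin/maintenance jump host
PROXY_HOST="${PROXY_HOST:-10.0.0.10}"  # outbound update proxy
PROXY_PORT="${PROXY_PORT:-3128}"
SSH_PORT="${SSH_PORT:-22}"

# Emit the rule set, one iptables invocation per line.
build_rules() {
cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -s $JUMP_HOST --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
iptables -A OUTPUT -p tcp -d $PROXY_HOST --dport $PROXY_PORT -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -j LOG --log-prefix "FW-DROP-IN: " --log-level 4
iptables -A OUTPUT -j LOG --log-prefix "FW-DROP-OUT: " --log-level 4
EOF
}

# Print (DRY_RUN=1) or execute (DRY_RUN=0) each rule in order.
apply_rules() {
    build_rules | while IFS= read -r rule; do
        if [ "${DRY_RUN:-1}" = "1" ]; then
            printf '%s\n' "$rule"
        else
            eval "$rule"
        fi
    done
}

# Remove the jump-host SSH rule once the maintenance window is closed.
disable_maintenance_access() {
    rule="iptables -D INPUT -p tcp -s $JUMP_HOST --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT"
    if [ "${DRY_RUN:-1}" = "1" ]; then printf '%s\n' "$rule"; else eval "$rule"; fi
}

# Sanity check: only two rules may admit NEW connections (SSH in, proxy out).
count_new_rules() {
    build_rules | grep -c -- '--ctstate NEW'
}
```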
We do a lot of maintenance on customers' servers that have no access to the internet. We have to take all of the updates/patches/software we need for that visit on CD / USB stick. (Allowing 3rd parties to bring in USB sticks/CDs is a security risk in its own right.)
All your servers should be either in a DMZ or at least behind a firewall. Just about any firewall can be configured to allow outgoing connections from any of these servers (so that they can check for and download security patches and other updates on their own). And then it's up to your system admins to configure the firewall such that a few, very specific ingoing connections are allowed. If they are only needed for occasional maintenance, they can be disabled once the maintenance is finished.
We use Linux gateways for this job, with iptables for the firewall. However, your standard hardware firewalls will do exactly the same.
The question is: is there a risk in allowing production servers to have HTTP/S connections outbound to the Internet? The short answer is NO. The longer answer is that the security risk is so minimal that it outweighs the cost (in terms of time) to manage those servers.
Consider the risks of allowing access:
The first point is mitigated by restricting Internet access to known sites, and ideally not allowing web browsing at all. Additionally, there is a certain trust in your administrators to not act in a malicious manner.
On the second point, considering that the server was already compromised in some fashion, whether or not Internet access is available is a moot point. The attacker has already found a way to get code on to your systems which means they can get additional code to that system or retrieve data from it.
Obviously, this may all depend on specific circumstances (like meeting certain customer or regulatory requirements).
What type of connection do those servers need?
If it is only an HTTP connection to Oracle website, why don't you make them use web-proxies?
VPN access is your best bet!
Answer #1 is the best in theoretical terms: a network's security level is equal to the security level of the weakest computer connected to that network.
A hands-on approach would be, in my point of view:
Even if you allow an internet connection for some of the servers, let them use OpenDNS as their DNS server.