Clear text passwords and Oracle - arrrrrrgh - please help!

Hi,

I am working on a mobile application that consists of a number of handheld
scanners, an Xml Web service and an Oracle 9i database in a highly secure
environment. The .Net Compact Framework application running on the scanners
executes Web service methods, which in turn execute Oracle database
functions. The Web service and the Oracle database are running on separate
servers. The Web service uses the Microsoft OLE DB driver for Oracle.

The Web.config file contains a connection string in the <Appsettings>
section that includes the Oracle username and password. The application
simply reads this connection string and uses it internally to create a
connection object. The idea is that we can't afford to expose these
credentials in the connection string, because the firewall is reporting a
security violation when the application runs.

I am wondering what the best alternative is, if any. Preventing the username
and password travelling down the wire from the Web server to the Oracle
server is the main requirement, and preferably the DBA will have the option
of changing the Oracle account details (ie a different username and
password) at any time, therefore it would be preferable not to have the
ASP.Net worker process (ASPNET) as the Oracle user. I'm assuming that this
means that they want SQL Authentication and it therefore rules out Windows
Authentication. Please let me know if I *can* still use Windows
Authentication under these circumstances.

I have played with the idea of using Impersonation but I understand that it
cannot be used if the Oracle server is on a separate box to the Web server
and also that connection pooling will be affected, which we can't afford.

Can anyone please let me know if I can use either Windows Authentication or
a Trusted Connection to provide a solution in these circumstances, or
anything else!

If I can use Windows Authentication with a Web.config entry <authentication
mode="Windows" >, how can I allow the DBA to change the username/password,
if indeed I can have a user other than ASPNET, without having a major impact
on the system?

If I can use a Trusted connection with a connection string something like
"Data Source=MyOracleDB;Integrated Security=yes;" where do I specify the
Oracle username/password?

Preferably there will be no need for a code change if the DBA decides to
change the Oracle username.

Are there any alternatives, such as encryption, programmatic security or
other forms of authentication?

Please help, I am getting desperate! Many thanks.

DJ