
Note: All the posts are based on practical approach avoiding lengthy theory. All have been tested on some development servers. Please don’t test any post on production servers until you are sure.

Sunday, March 04, 2012

Oracle Database Firewall

Oracle Database Firewall is the first line of defense for databases, providing real-time monitoring of database activity on the network. Highly accurate SQL grammar-based technology blocks unauthorized transactions, helping prevent internal and external attacks from reaching the database. Oracle Database Firewall is easy to deploy, requiring no changes to existing applications or databases.

Oracle Database Firewall creates a defensive perimeter around databases, monitoring and enforcing normal application behavior, helping to prevent SQL injection attacks and attempts to access sensitive application data using unauthorized SQL commands.
Oracle Database Firewall:
  • Monitors and blocks SQL traffic on the network with white list, black list and exception list policies
  • Protects against application bypass, SQL injection and similar threats
  • Reports on database activity for SOX, PCI and other regulations, choosing from dozens of out-of-the-box reports
  • Protects Oracle, MySQL, Microsoft SQL Server, IBM DB2 for Linux, Unix, and Windows, and Sybase databases

It is deployed on the network in front of the databases and provides first line of defense against both external and internal threats to the database. Oracle Database Firewall goes beyond the traditional database security approaches that rely on regular expression patterns and antivirus style signatures representing "bad SQL".

A single Oracle Database Firewall can support many different RDBMS platforms and many different database instances at once, as well as many different network segments (VLANs or subnets).

Deployment
Customers can choose from several deployment models to meet their business requirements:
  • In-line blocking and monitoring mode
  • In-line monitoring only mode
  • Proxy blocking and monitoring mode
  • Out-of-band monitoring only mode


  • In-line network blocking mode and out-of-band passive network monitoring. In-line means that the SQL traffic is passed through the Oracle Database Firewall and inspected before it is forwarded to the database or blocked. Out-of-band means that the SQL traffic is copied to Oracle Database Firewall while at the same time the SQL is sent directly to the database usually by means of a span port. These can be used simultaneously for different databases.
  • Heterogeneous, multi-database enforcement. For example, one device can support Oracle 8i, Oracle Database 10g and Oracle Database 11g databases simultaneously, as well as SQL Server and Sybase databases.
  • Combined deployments. In-line and/or out-of-band Oracle Database Firewall deployment can be combined with a local server-side, monitor-only agent for local connections.

Integration with F5
The F5 BIG-IP® Application Security Manager™ (ASM) and Oracle Database Firewall solution links a web application firewall with a database firewall. The two products share common reporting for web-based attempts to gain access to sensitive data, subvert the database, or execute Denial of Service (DoS) attacks against an organization’s databases. Unified reporting for both the web application firewall and database firewall provides more convenient and comprehensive security monitoring.

When threats to data are detected, they are monitored, alerted, or blocked, and the identity of the user is shared between BIG-IP ASM and Oracle Database Firewall. Malicious or compromised users can be isolated, forced to re-authenticate, or prevented from accessing the application, in real time. Subsequent attacks from the same user can be prevented, diverted, or rendered inert.


Is it a device?

Oracle Database Firewall is shipped as software for installation on dedicated server hardware or a blade server that supports Oracle Enterprise Linux. Once installed, Oracle Database Firewall "takes over" the entire hardware server. It is then deployed on the network to monitor and secure database traffic coming through the network.

Any Intel x86 hardware that supports Oracle Linux x86 (32bit) 5 update 5 release can be used to deploy the Database Firewall and Management Server components.

Additional Uses
Because Oracle Database Firewall can non-intrusively monitor SQL traffic to and from the database, including the database response and the execution status of each SQL statement, it can also help developers assess query performance on production databases. It records execution times against the logged database activity, which makes it possible to find slow or inconsistently performing queries and to identify all clients connecting to a specific database before and after a migration.

Oracle Database Firewall provides database response information, including transaction execution time, execution status (success/fail), error code and description in case of failure, login success or fail, logout record. The Oracle Database Firewall does not monitor out-bound application data.
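The two paragraphs above describe the response information the firewall records (execution time, success or failure, error code and description, login outcome) and how developers can use it. The following is an added example, not Oracle Database Firewall code or output: it parses a constructed activity log in a hypothetical CSV layout (the product's real export format is not described here) and pulls out slow queries, failed statements, failed logins per client, and the set of clients seen per database.

```python
"""Mining firewall-style activity records for slow queries, failures and clients.

Constructed example: the CSV layout, hosts, database names and SQL below are
all made up for illustration and are not the product's own log format.
"""
import csv
import io
from collections import defaultdict

# Constructed activity log. One row per observed event: a login attempt or a
# SQL statement, with the database's response (exec time, status, error code).
ACTIVITY_LOG = """\
ts,client,database,event,sql,exec_ms,status,error
2012-03-04T10:00:01,10.1.1.20,FIN,login,,0,success,
2012-03-04T10:00:02,10.1.1.20,FIN,sql,SELECT * FROM gl_balances WHERE period = '2012-02',4210,success,
2012-03-04T10:00:03,10.1.1.21,FIN,sql,SELECT name FROM suppliers WHERE id = 7,12,success,
2012-03-04T10:00:04,10.1.1.21,FIN,sql,SELECT * FROM gl_balancez,3,fail,ORA-00942
2012-03-04T10:00:05,10.1.1.30,HR,login,,0,fail,ORA-01017
2012-03-04T10:00:06,10.1.1.30,HR,login,,0,fail,ORA-01017
2012-03-04T10:00:07,10.1.1.31,HR,login,,0,success,
2012-03-04T10:00:08,10.1.1.31,HR,sql,SELECT salary FROM employees WHERE emp_id = 1001,950,success,
"""


def parse_log(text: str) -> list:
    """Parse the CSV into dicts, converting the execution time to an int."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["exec_ms"] = int(row["exec_ms"])
    return rows


def slow_queries(rows: list, threshold_ms: int = 1000) -> list:
    """Statements whose recorded execution time reached the threshold."""
    return [(r["sql"], r["exec_ms"])
            for r in rows if r["event"] == "sql" and r["exec_ms"] >= threshold_ms]


def failed_statements(rows: list) -> list:
    """Statements the database rejected, with the client and error code."""
    return [(r["client"], r["error"], r["sql"])
            for r in rows if r["event"] == "sql" and r["status"] == "fail"]


def failed_logins(rows: list) -> dict:
    """Count of failed login attempts per (client, database)."""
    counts = defaultdict(int)
    for r in rows:
        if r["event"] == "login" and r["status"] == "fail":
            counts[(r["client"], r["database"])] += 1
    return dict(counts)


def clients_per_database(rows: list) -> dict:
    """Every client address observed talking to each database (useful around a migration)."""
    seen = defaultdict(set)
    for r in rows:
        seen[r["database"]].add(r["client"])
    return {db: sorted(clients) for db, clients in seen.items()}


if __name__ == "__main__":
    rows = parse_log(ACTIVITY_LOG)
    print("slow:", slow_queries(rows))
    print("failed statements:", failed_statements(rows))
    print("failed logins:", failed_logins(rows))
    print("clients:", clients_per_database(rows))
```

The threshold and grouping keys are the knobs a developer would tune; because the firewall sees the database's response rather than only the request, a failed statement can be tied to its error code without any change to the application.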

Oracle Database Firewall monitors privileged users (DBAs) accessing the database over the network and other internal users accessing the databases over the network. In addition to passive monitoring and alerting, Oracle Database Firewall can actively prevent these users from accessing sensitive data or abusing their privileges when accessing the database.

Difference between Database Firewall and Network/App/Web Firewall
While other firewalls secure the end-points (or provide perimeter security), Oracle Database Firewall secures the data at the source, in front of the database. In other words, while endpoint security controls offer protection from a wide range of threats, including SQL injection, they are not specific to databases and cannot interpret the SQL language. Therefore a creative SQL injection attack, or a user with stolen credentials, can still pass through those firewalls. Oracle Database Firewall provides a solution that understands the true intent of incoming SQL traffic and blocks abnormal database activity.
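The white-list policy listed under the product's features and the point made above (and earlier, where the post contrasts grammar-based inspection with regular-expression signatures for "bad SQL") come down to one idea: judge a statement by its structure, not by string matching on its text. The following is an added toy example, not Oracle Database Firewall's implementation and not the post author's code. It reduces each statement to a grammatical shape (literals replaced by `?`, comments dropped, keywords and identifiers upper-cased), learns the shapes an application normally sends, and passes only statements whose shape is already known; a narrow signature pattern is included only for contrast. All statements, table names and the `_TOKEN`, `normalize`, `WhitelistPolicy` and `classify` names are constructed for the example.

```python
"""Toy SQL-grammar white-list policy (constructed example, not the product's code).

A statement is reduced to its shape; shapes learned from the application's own
traffic are allowed and anything else is blocked. A tautology appended to a
WHERE clause changes the shape even though the data values are abstracted away,
so it is caught regardless of how the text of the predicate is spelled.
"""
import re

# One alternative per token kind; order matters (literals and comments before words).
_TOKEN = re.compile(r"""
      '(?:[^']|'')*'           # string literal, '' escapes a quote
    | \b\d+(?:\.\d+)?\b        # numeric literal
    | --[^\n]*                 # line comment
    | /\*.*?\*/                # block comment
    | \w+                      # keyword or identifier
    | [<>=!]+ | \S             # operator or other punctuation
""", re.VERBOSE | re.DOTALL)

_NUMBER = re.compile(r"\d+(?:\.\d+)?")


def normalize(sql: str) -> str:
    """Return the statement's shape: structure kept, data values abstracted away."""
    shape = []
    for tok in _TOKEN.findall(sql):
        if tok.startswith("'") or _NUMBER.fullmatch(tok):
            shape.append("?")              # every literal collapses to a placeholder
        elif tok.startswith("--") or tok.startswith("/*"):
            continue                       # comments carry no grammar
        else:
            shape.append(tok.upper())      # keywords, identifiers, operators
    return " ".join(shape)


class WhitelistPolicy:
    """Allow only statement shapes observed during a learning period."""

    def __init__(self, learned_statements):
        self.shapes = {normalize(s) for s in learned_statements}

    def decide(self, sql: str) -> str:
        return "PASS" if normalize(sql) in self.shapes else "BLOCK"


# A narrow 'bad SQL' signature of the kind the post contrasts against.
SIGNATURES = [re.compile(r"'\s*or\s*'1'\s*=\s*'1", re.IGNORECASE)]


def signature_flags(sql: str) -> bool:
    """True when a blacklist pattern matches the raw statement text."""
    return any(p.search(sql) for p in SIGNATURES)


# Constructed statements the application sends during the learning period.
LEARNED = [
    "SELECT name, balance FROM accounts WHERE id = 42",
    "UPDATE accounts SET balance = 100.50 WHERE id = 7 -- nightly adjustment",
]
POLICY = WhitelistPolicy(LEARNED)


def classify(sql: str) -> dict:
    """Decision of the shape-based policy next to the signature check, for comparison."""
    return {"sql": sql, "policy": POLICY.decide(sql), "signature": signature_flags(sql)}


if __name__ == "__main__":
    for s in [
        "select name, balance from accounts where id = 1007",           # same shape, new value
        "SELECT name, balance FROM accounts WHERE id = 42 OR 1=1",      # extra predicate changes the shape
        "SELECT name, balance FROM accounts WHERE id = '' OR '1'='1'",  # the one form the signature sees
    ]:
        print(classify(s))
```

The second statement is the point of the comparison: the signature list has nothing to match because the predicate carries no quotes, while the shape `... WHERE ID = ? OR ? = ?` was never learned and is blocked. A real deployment would learn shapes from monitored traffic before switching from monitoring to blocking, which is what the in-line monitoring-only mode above is for.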
