
Oracle Database Firewall

Frequently Asked Questions

Questions

Database Firewall -- General

  1. Why do I need Oracle Database Firewall and what does it do?
  2. What databases does the Oracle Database Firewall support and what functionality is available?
  3. Can a single Oracle Database Firewall support Oracle and non-Oracle databases?
  4. Is the Oracle Database Firewall a stand-alone network device?
  5. What type of hardware can be used to deploy the Oracle Database Firewall?
  6. What kind of network cards can be used with the Oracle Database Firewall?
  7. How is Database Firewall deployed on a network?
  8. What does the Oracle Database Firewall add to the Oracle Database Security solutions?
  9. What are the additional uses Oracle Database Firewall technologies provide when it is deployed in a datacenter?
  10. What is the difference between Database Firewall and Network/App/Web Firewall?

Database Firewall -- Policy Management

  1. What are the advantages of white list based security policy?
  2. Does Oracle Database Firewall support black list policies?
  3. How does the white-list policy support changes to the existing applications (new features, new SQL requests, stored procedures)?
  4. What is SQL Injection and can the Oracle Database Firewall protect my database from this type of attack?

Database Firewall -- Integration

  1. How do Oracle Database Firewall and Audit Vault integrate for a database monitoring and security solution?
  2. How can Oracle Database Firewall integrate with SIEM software?
  3. Does Oracle Database Firewall integrate with Web/App Firewalls, such as F5?

Database Firewall -- Compliance

  1. What types of reports are available with Oracle Database Firewall?
  2. Can Oracle Database Firewall identify application users executing specific database queries and set security policies to limit their database activity?
  3. Can Oracle Database Firewall validate the response that is coming from the database?
  4. Can Oracle Database Firewall protect from insiders misusing/abusing data and their privileges?

Answers

  1. Why do I need Oracle Database Firewall and what does it do?

    According to the Verizon Security Report(*), 92% of compromised data came from database servers. This is why implementing end-point security alone is not enough: security controls need to be closer to the assets being targeted by attackers. Oracle Database Firewall provides exactly that. It is deployed on the network in front of the databases and provides the first line of defense against both external and internal threats to the database. Oracle Database Firewall goes beyond the traditional database security approaches that rely on regular expression patterns and antivirus-style signatures representing "bad SQL".

    The "secret sauce" of the Oracle Database Firewall is its SQL grammar parsing engine. It is designed to prevent SQL injection attacks, which account for more than 86% of records stolen or compromised by hackers. The Oracle Database Firewall creates defenses specific to each protected database based on its monitored usage and data access. In other words, by fully capturing and intelligently classifying and grouping real-time SQL traffic, Database Firewall learns what normal activity on each database looks like. It then automatically creates a security policy that allows you to log, block, and alert on any abnormal activity. As a result, Oracle Database Firewall produces essentially no false alarms, eliminating unnecessary investigations and maintenance overhead. More importantly, Oracle Database Firewall ensures that database security threats are mitigated and database attacks cannot get through. Oracle Database Firewall allows full visibility into the SQL traffic for security and monitoring without any performance or infrastructure impact. Together with Oracle Database Vault and Oracle Audit Vault, Oracle Database Firewall provides a complete solution for centralized auditing and reporting of database activity, including prevention of unauthorized access to data, monitoring of SQL traffic and blocking/alerting on any malicious SQL activity.

    (*)2010 Data Breach Investigations Report (Verizon Business)


  2. What databases does the Oracle Database Firewall support and what functionality is available?

    Oracle Database 8i, 9i, 10 and 11, Microsoft SQL Server 2000, 2005, 2008, Sybase ASE 12.5.4 through 15.0.x, SQLAnywhere V10, IBM DB2 on LUW v9.x.

    Feature                          Oracle(1)      Microsoft SQL       IBM DB2 for     Sybase ASE        SQL Anywhere(4)
                                     8.1 - 11.2.x   Server(2)           L/U/W(3) 9.x    12.5.4 - 15.0.x   V10
                                                    2000, 2005, 2008
    -------------------------------  -------------  ------------------  --------------  ----------------  ---------------
    SQL Language Monitoring          X              X                   X               X                 X
    Blocking                         X              X                   X               X                 X
    Database Response Monitoring     X              X                   X               X                 X
    Statement Substitution           X              X                   -               X                 X
    User Role Monitoring             X              X                   X               X                 X
    Stored Procedure Change Review   X              X                   X               X                 X
    Local Monitor                    X              X                   -               X                 -
    Remote Monitor (Linux only)      X              -                   X               X                 X

    X = supported, - = not supported

    Notes:
    (1) Oracle: only versions 9.1 - 11.2 are supported for User Role Monitoring, Stored Procedure Change Review and Local Monitor.
    (2) Microsoft SQL Server: Remote Monitor is not supported.
    (3) IBM DB2 LUW: Statement Substitution and Local Monitor are not supported.
    (4) SQL Anywhere: Local Monitor is not supported.

    Please refer to the Oracle Database Firewall documentation for more information on these features.


  3. Can a single Oracle Database Firewall support Oracle and non-Oracle databases?

    A single Oracle Database Firewall can support many different RDBMS platforms and many different database instances at once as well as many different network segments -- "VLANs" or "Subnets".


  4. Is the Oracle Database Firewall a stand-alone network device?

    Oracle Database Firewall is shipped as software for installation on dedicated server hardware or blade server that supports Oracle Enterprise Linux. Once installed, Oracle Database Firewall will "take over" the entire hardware server. It is then deployed on the network to monitor and secure database traffic coming through the network. The Oracle Database Firewall software can be downloaded from Oracle Software Delivery Cloud, Oracle Software Delivery Cloud (Linux) or OTN.


  5. What type of hardware can be used to deploy the Oracle Database Firewall?

    Any Intel x86 hardware that supports Oracle Linux 5 Update 5 (x86, 32-bit) can be used to deploy the Database Firewall and Management Server components.


  6. What kind of network cards can be used with the Oracle Database Firewall?

    The Oracle Database Firewall is flexible in how it can be deployed within the enterprise. It can be deployed in-line on your network in front of the database host(s), either for monitoring only or for monitoring and blocking, or it can be deployed out-of-band, monitoring a copy of the traffic delivered through a SPAN port.

    When the Oracle Database Firewall is deployed in-line, it is recommended to use a network interface card with bypass, so that if the hardware on which the Oracle Database Firewall software is installed fails, you have the option of letting SQL traffic continue to flow to the database. If you use a network interface card with bypass, it must be certified by the Oracle Database Firewall team. The current list of certified network cards with bypass is:

    Card type                                  Vendor / model
    -----------------------------------------  ---------------------------------------
    Copper 10/100/1000                         Interface Masters Niagara 32264
    Fiber 10/100/1000 (SX and LX) for PCI-X    Interface Masters Niagara 2282 (Dual)
                                               Interface Masters Niagara 2283 (Quad)
    Fiber 10/100/1000 (SX and LX) for PCI-e    Interface Masters Niagara 2285 (Dual)
                                               Interface Masters Niagara 2284 (Quad)
    Fiber 10G (PCI-e)                          Interface Masters Niagara 32710 (Dual)

    When deploying the Oracle Database Firewall in an out-of-band monitoring mode, any network interface card will work as long as it is supported by Oracle Linux 5.5. The Management Server can also use any network interface card as long as it is supported by Oracle Linux 5.5.


  7. How is Database Firewall deployed on a network?

    A single Oracle Database Firewall can monitor and protect many databases at once. Oracle Database Firewall can be deployed in multiple scenarios:

    • In-line network blocking mode and out-of-band passive network monitoring. In-line means that the SQL traffic passes through the Oracle Database Firewall and is inspected before it is forwarded to the database or blocked. Out-of-band means that the SQL traffic is copied to the Oracle Database Firewall, usually by means of a SPAN port, while the same SQL is sent directly to the database. Both modes can be used simultaneously for different databases.
    • Heterogeneous, multi-database, enforcement. For example, one device can support Oracle 8i, Oracle Database 10g and Oracle Database 11g databases simultaneously, as well as SQL Server and Sybase databases.
    • Combined deployments. In-line and/or out-of-band Oracle Database Firewall deployment can be combined with a local server-side, monitor-only agent for local connections.

  8. What does the Oracle Database Firewall add to the Oracle Database Security solutions?

    Oracle Database Firewall is a first line of defense (a security guard at the door) for the database: it can monitor and block database traffic coming through the network. When deployed with Audit Vault, Oracle Database Firewall provides a complete database traffic monitoring solution. Database Vault and Oracle Advanced Security add another level of security from within the database, for access controls and for encrypting data at rest and on the network, while Oracle Data Masking protects production data in non-production environments by scrambling it so that it can be shared with development and test organizations.


  9. What are the additional uses Oracle Database Firewall technologies provide when it is deployed in a datacenter?

    Since Oracle Database Firewall can non-intrusively monitor SQL traffic to and from the database, including the database response and the execution status of each SQL statement, it can help developers monitor and assess SQL query performance on production databases and find slow or inconsistently performing queries. Because it records execution times for logged database activity, it can also help identify all clients connecting to a specific database before and after a migration.



  10. What is the difference between Database Firewall and Network/App/Web Firewall?

    While other firewalls secure the end-points (or provide perimeter security), Oracle Database Firewall secures the data at the source, in front of the database. In other words, while endpoint security controls offer protection from a wide range of threats, including SQL injection, they are not specific to databases and cannot interpret the SQL language. Therefore a creative SQL injection attack, or a user with stolen credentials, can still get through these firewalls. Oracle Database Firewall provides a solution that understands the true intent of incoming SQL traffic and blocks abnormal database activity.


  11. What are the advantages of white list based security policy?

    The SQL language supports a variety of ways to manipulate data or extract data from the database. Unfortunately, this also means that there is an infinite number of ways to structure a database attack using SQL injection. Therefore, trying to predict an attacker's behavior, or to create protection from "known" database attacks, is ineffective when protecting a database from future (and thus unknown) threats. This is why a black-list or signature-based security policy might be effective against very specific threats and SQL activity but will fail to prevent unknown types of threats, or even a slight modification of a known "bad" SQL statement. A white-list policy is based on real traffic to the database from applications and end-users, captured over a period of time. Oracle Database Firewall not only analyzes the incoming SQL traffic but also classifies each transaction by its structure and intent, condensing millions of statements into a few hundred groups (or clusters). It also automatically generates a white-list policy that can be combined with black-list type attributes to allow or block specific users, IPs, applications, SQL statements, access to certain tables, etc. This way any abnormal database traffic is alerted on or blocked as out-of-policy activity, while normal database traffic is allowed through uninterrupted. A white-list based security policy reduces the chance of false alarms (false positives) and prevents known and unknown database attacks from going through unnoticed (false negatives).


  12. Does Oracle Database Firewall support black list policies?

    Yes. Oracle Database Firewall allows creation of standalone black list policy or a combination of white and black list approaches in a single policy.


  13. How does the white-list policy support changes to the existing applications (new features, new SQL requests, stored procedures)?

    Oracle Database Firewall can be integrated into a UAT environment to validate how newly developed features will affect the database traffic and to make the necessary changes to the security policy. The Oracle Database Firewall Policy Management tool supports testing an existing policy against new SQL statements. An updated security policy is then generated and uploaded to the production Oracle Database Firewall prior to deploying the application upgrade on the application server.


  14. What is SQL Injection and can the Oracle Database Firewall protect my database from this type of attack?

    SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of the database server for parsing and execution. While some SQL injections can be prevented with the right user input validation, SQL injection cannot be fully prevented by validating user input or by filtering "bad" SQL at the Web Application Firewall, and developers of custom applications rarely have the time to implement this level of security. A skilled hacker can bypass both application security and Web Application Firewalls using various exploits and techniques. There is a strong need for a database firewall as a safeguard.

    Oracle Database Firewall, deployed in front of the database, provides additional protection to mitigate SQL injection threats and prevent data breaches. By detecting a change of grammar (or "intent") in the incoming database traffic, Database Firewall can prevent SQL injection from being successfully executed. An incoming SQL statement is blocked if Oracle Database Firewall detects that the grammar change affects the purpose (intent) of the SQL statement, as opposed to a cosmetic variation of a known white-listed SQL statement. Oracle Database Firewall's unique SQL Grammar Analysis Engine distinguishes between these two cases.
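    The distinction drawn in the white-list answer above (millions of statements condensed into clusters by structure) and in this answer (cosmetic variation allowed, change of intent blocked) can be illustrated with a small model. The code below is an added example and is not Oracle's grammar engine or any code from the product: it uses a hypothetical token-level normalizer that folds literal values, letter case and whitespace away, and runs over constructed sample traffic.

```python
import re

# Constructed sample of the SQL an application normally sends; it stands in
# for the traffic the firewall observes while learning a white list.
TRAINING_SQL = [
    "SELECT name, email FROM customers WHERE id = 42",
    "SELECT name, email FROM customers WHERE id = 17",
    "select name, email from customers where id = 1234",
    "UPDATE orders SET status = 'shipped' WHERE order_id = 1001",
    "INSERT INTO audit_log (actor, action) VALUES ('app', 'login')",
]

# Hypothetical tokenizer; order matters, earlier alternatives win.
TOKEN_RE = re.compile(r"""
      '(?:[^']|'')*'            # single-quoted string literal ('' escapes a quote)
    | \d+(?:\.\d+)?             # numeric literal
    | [A-Za-z_][A-Za-z0-9_]*    # identifier or keyword
    | --[^\n]*                  # line comment
    | /\*.*?\*/                 # block comment
    | <>|<=|>=|!=|[^\s\w]       # operators and punctuation
""", re.VERBOSE | re.DOTALL)

def skeleton(sql):
    """Reduce a statement to its grammatical structure.

    Literal values, letter case and whitespace are cosmetic and are folded
    away; keywords, identifiers, operators and comments are kept, because a
    change in any of them changes what the statement does (its intent).
    """
    out = []
    for tok in TOKEN_RE.findall(sql):
        if tok.startswith("'"):
            out.append("$STR")
        elif tok[0].isdigit():
            out.append("$NUM")
        elif tok.startswith(("--", "/*")):
            out.append("$COMMENT")
        else:
            out.append(tok.upper())
    return " ".join(out)

def learn(statements):
    """Cluster observed statements by skeleton; the set of clusters is the white list."""
    return {skeleton(s) for s in statements}

def evaluate(sql, whitelist):
    """'allow' for a cosmetic variation of a learned cluster, otherwise 'block'."""
    return "allow" if skeleton(sql) in whitelist else "block"

if __name__ == "__main__":
    policy = learn(TRAINING_SQL)
    print(f"{len(TRAINING_SQL)} statements condensed into {len(policy)} clusters")
    for s in ["SELECT name, email FROM customers WHERE id = 99",
              "SELECT name, email FROM customers WHERE id = 99 OR 1=1 --"]:
        print(evaluate(s, policy), ":", s)
```

    A real grammar engine parses the statement rather than tokenizing it, so this skeleton is a deliberately small approximation; it is still enough to separate a changed literal from an added predicate, a type change or a trailing comment.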


  15. How do Oracle Database Firewall and Audit Vault integrate for a database monitoring and security solution?

    Oracle Database Firewall enables database traffic monitoring at the network level, while Audit Vault leverages the database's native audit capabilities for deep auditing of database activity. An integrated solution can have Oracle Database Firewall deployed on the network to monitor and block database traffic, while Audit Vault consolidates audit data from the enterprise databases and emails alerts and reports to the security team.


  16. How can Oracle Database Firewall integrate with SIEM software?

    Database Firewall can integrate with SIEM applications via TCP syslog or UDP syslog. The type and class of events sent to the SIEM are customizable from the Database Firewall Management Interface. Classes include:

    1. System - all system events (e.g. administration events, performance, etc.)
    2. Alerts - database monitoring and audit events
    3. Heartbeat - Database Firewall health and transaction rates
    4. Debug - all event data
    5. Info - general event data relating to non-critical system events

    Additionally, the SIEM output is sub-categorized into the following groups: General Messages, Property Change, Database Audit Summary, Statement Alerts, F5 Firewall Alerts, Login Alert, and Logout Alert.

    Oracle Database Firewall and ArcSight provide an out-of-the-box integration. The ArcSight Security Information and Event Management (SIEM) system is a centralized system for logging, analyzing, and managing log messages from different sources. Through this integration, Oracle Database Firewall delivers full details of security alerts or other selected event types to ArcSight, including the message text, priority and IP address of any attacker.


  17. Does Oracle Database Firewall integrate with Web/App Firewalls, such as F5?

    Oracle Database Firewall provides an F5-certified connector that allows the F5 BIG-IP ASM web application firewall to send SQL injection policy violation alerts directly to Oracle Database Firewall. Because the integration with F5 BIG-IP ASM supplies the web user's identity, Oracle Database Firewall can produce correlated reports that include the web username.


  18. What types of reports are available with Oracle Database Firewall?

    Oracle Database Firewall contains dozens of predefined and customizable reports for SOX, PCI, HIPAA, GLBA and other key activities.


  19. Can Oracle Database Firewall identify application users executing specific database queries and set security policies to limit their database activity?

    Oracle Database Firewall can identify database and application users with client server applications. When integrated with F5 ASM, Oracle Database Firewall can identify database and application users in a web-based application when a SQL injection pattern has been identified.


  20. Can Oracle Database Firewall validate the response that is coming from the database?

    Oracle Database Firewall provides database response information, including transaction execution time, execution status (success/fail), error code and description in case of failure, login success or failure, and logout records. The Oracle Database Firewall does not monitor outbound application data.


  21. Can Oracle Database Firewall protect from insiders misusing/abusing data and their privileges?

    Oracle Database Firewall monitors privileged users (DBAs) accessing the database over the network and other internal users accessing the databases over the network. In addition to passive monitoring and alerting, Oracle Database Firewall can actively prevent these users from accessing sensitive data or abusing their privileges when accessing the database.