Oracle Audit Vault and Database Firewall

Oracle Audit Vault and Database Firewall monitors Oracle and non-Oracle database traffic to detect and block threats, and improves compliance reporting by consolidating audit data from databases, operating systems, directories, and other sources.

Introduction

[Figure: avdf122-architecture]

Oracle Database Firewall provides a sophisticated next-generation SQL grammar analysis engine that inspects SQL statements going to the database and determines with high accuracy whether to allow, log, alert, substitute, or block the SQL. Oracle Database Firewall supports white list, black list, and exception list based policies. A white list is simply the set of approved SQL statements that the database firewall expects to see. These can be learned over time or developed in a test environment. A black list includes SQL statements from specific users, IP addresses, or of specific types that are not permitted for the database. Exception list based policies provide additional deployment flexibility to override the white list or black list policies. Policies can be enforced based upon attributes, including SQL category, time of day, application, user, and IP address. This flexibility, combined with highly accurate SQL grammar analysis, enables organizations to minimize false alerts and collect only the data that is important. Database Firewall events are logged to the Audit Vault Server, enabling reports to span information observed on the network alongside audit data. enables entire copies or subsets of application data to be extracted from the database, obfuscated, and shared with partners inside and outside of the business. The integrity of the database is preserved, assuring the continuity of the applications.
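The policy model described above (a white list of learned statement shapes, a black list keyed on user, IP address and SQL category, and an exception list that overrides both, with time of day as an enforcement attribute) as an added Python example. This is a simplified illustration written for this page, not Oracle's SQL grammar engine; the rule format, the action names and the constructed POLICY values are assumptions.

```python
import re
from dataclasses import dataclass

CATEGORIES = {"SELECT": "DML_READ", "INSERT": "DML", "UPDATE": "DML", "DELETE": "DML",
              "CREATE": "DDL", "ALTER": "DDL", "DROP": "DDL", "GRANT": "DCL", "REVOKE": "DCL"}

def sql_shape(sql: str) -> str:
    """Reduce a statement to its grammatical shape: literals become '?', so a white list matches structure."""
    s = re.sub(r"'(?:[^']|'')*'", "?", sql)          # quoted string literals (with '' escapes)
    s = re.sub(r"\b\d+(?:\.\d+)?\b", "?", s)          # numeric literals
    return re.sub(r"\s+", " ", s).strip().rstrip(";").upper()

def sql_category(sql: str) -> str:
    return CATEGORIES.get(sql.strip().split(None, 1)[0].upper(), "OTHER")

@dataclass
class Event:          # one statement as observed, with its session context (constructed)
    sql: str
    user: str
    ip: str
    hour: int         # 0-23, local time of the observation

def rule_matches(rule: dict, ev: Event) -> bool:
    """Every attribute present in the rule must match the event (assumed rule format)."""
    checks = {"user": ev.user, "ip": ev.ip, "category": sql_category(ev.sql), "shape": sql_shape(ev.sql)}
    if "hours" in rule and ev.hour not in rule["hours"]:
        return False
    return all(rule[k] == v for k, v in checks.items() if k in rule)

def decide(policy: dict, ev: Event) -> str:
    """Exception list first, then black list, then white list, then the policy default."""
    for rule in policy.get("exceptions", []):
        if rule_matches(rule, ev):
            return rule["action"]
    for rule in policy.get("black_list", []):
        if rule_matches(rule, ev):
            return rule["action"]
    if sql_shape(ev.sql) in policy.get("white_list", set()):
        return "ALLOW"
    return policy.get("default", "ALERT")   # unknown statement shape: alert, never silently allow

# Constructed policy: one learned shape, a BLOCK rule for DDL from the application account,
# and an exception letting the DBA run DDL from the admin host during a late change window.
POLICY = {
    "white_list": {sql_shape("SELECT name, balance FROM accounts WHERE id = 42")},
    "black_list": [{"user": "APPUSER", "category": "DDL", "action": "BLOCK"}],
    "exceptions": [{"user": "DBA", "ip": "10.0.0.5", "category": "DDL", "hours": range(22, 24), "action": "LOG"}],
    "default": "ALERT",
}
```

A statement whose shape differs from the learned one (for example a tautology appended to the WHERE clause) falls through to the default action rather than matching the white list.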

Fine Grained, Customizable Reporting and Alerting

Dozens of out-of-the-box compliance reports provide easy, customized reporting for regulations such as SOX, PCI DSS, and HIPAA. Reports aggregate network events and audit data from the monitored systems. Summary Reports, Trend Charts and Anomaly Reports can be used to quickly review characteristics of user activity and help identify anomalous events. Report data can be easily filtered, enabling quick analysis of specific systems or events. Security Managers can define threshold-based alert conditions on activities that may indicate attempts to gain unauthorized access or abuse system privileges. Fine-grained authorizations enable the Security Manager to restrict auditors and other users to information from specific sources, allowing a single repository to be deployed for an entire enterprise spanning multiple organizations.

Enterprise Audit Data Consolidation and Lifecycle Management

Native audit data provides a complete view of database activity along with full execution context, irrespective of whether the statement was executed directly, through dynamic SQL, or through stored procedures. In addition to consolidating audit data from databases, operating systems, and directories, the Audit Collection Plugin can be used to collect audit data from application tables or XML files and transfer it to the Audit Vault Server. Audit data from databases is automatically purged after it has been moved to the Audit Vault Server. Audit Vault Server supports data retention policies spanning days, weeks, or years on a per-source basis, making it possible to meet internal or external compliance requirements. To prevent unauthorized access or tampering, Audit Vault and Database Firewall encrypts audit and event data at every stage, in transmission and at rest.

Deployment Flexibility and Scalability

[Figure: avdf122-deployment]

Security controls can be customized with in-line monitoring and blocking on some databases and monitoring only on others. The Database Firewall can be deployed in-line, out-of-band, or in proxy mode to work with the available network configurations. For monitoring remote servers, the Audit Vault Agent on the database server can forward the network traffic to the Database Firewall. Delivered as a soft appliance, a single Audit Vault Server can consolidate audit logs and firewall events from thousands of databases. Both the Audit Vault Server and the Database Firewall can be configured in HA mode for fault tolerance.

What's New in Oracle Audit Vault and Database Firewall Release 12.2

Sophisticated New Enterprise-Grade Features

  • Anomaly detection with new Anomaly Reports
  • Statistical user activity information with new Summary Reports
  • User activity trend analysis with new Trending Reports
  • OS user tracking with new Correlation Reports
  • Audit and event data at rest encryption with Transparent Data Encryption
  • User-defined server UI certificates
  • Better integration with SIEMs using custom syslog alert templates
Extended Platform Support

  • SQL Server 2014 support for auditing and monitoring
  • DB2 LUW 10.5 support for auditing and monitoring
  • Windows Server 2012 and 2012 R2 platform and auditing support
  • Oracle Linux 6.5 - 7.x platform and auditing support
  • AIX OS 6.1 - 7.1 platform and auditing support

Additional Improvements and Enhancements

  • Oracle Database 12c In-memory for data repository
  • Automatic state management for audit trails
  • Automatic refresh of audit policy and user entitlements
  • High availability, archiving, backup and CLI usability improvements

Download the AVDF 12.2 full ISO image files:

  • Go to https://edelivery.oracle.com
  • Select "Oracle Audit Vault and Database Firewall" from the "Product Pack" drop-down menu, and choose "Linux x86-64"
  • Select link: "Oracle Audit Vault and Database Firewall 12.2 Media Pack for Linux x86-64"

This release can be applied to any existing Oracle Audit Vault and Database Firewall system to bring all pre-existing AVDF instances to the same software level as 12.2. Follow the Installation Guide to perform a fresh install or an upgrade.