Oracle Database Firewall: First Line of Defense

Iveta Šavinová
Technology Pre Sales

Agenda

- What is Database Firewall
- Oracle Database Firewall Components and Deployment Modes
- Reporting

Why a Database Firewall?

- Customers need a first line of defence to monitor and protect against existing and emerging threats
- Hackers breach databases from the web, exploiting vulnerabilities in applications
- Stolen credentials are exploited for unauthorized use

[Figure: Application -> Database Firewall -> Database]

Oracle Database Firewall: Differentiator

A network packet consists of:
- Header (address)
- Payload (body/data)
- Trailer (footer)

The Database Firewall works with the body (the payload), not just the header.

[Figure: Application -> Database Firewall -> Database]

The cost of inaccuracy

At 3,000 transactions per second (260 million transactions per day):

- 0.0001% false negative rate: 26 successful attacks per day ...it only takes one...
- 0.001% false positive rate: 260 false positives per day, 7,800 audit errors per month

Oracle Database Firewall: First Line of Defense

- Monitor database activity and block unauthorized database access
- Highly accurate SQL grammar-based analysis to enforce normal activity
- Built-in and custom compliance reports for SOX, PCI, and other regulations

Heterogeneous Database Support

RDBMS platforms supported:
- Oracle 8i, 9i, 10g, 11g
- MS-SQL 2000, 2005, 2008
- Sybase 12.5.3 to 15
- SQL Anywhere v10
- DB2 for LUW

The grammar engine handles the separate dialects of SQL spoken by these platforms.

Oracle Database Firewall: The Components

Basic Components:

- Database Firewall: blocks unauthorized traffic; monitors access
- Database Firewall (HA Mode)
- Remote/Local Monitor: forwards network traffic
- Database Firewall Management Server: reports and archives repository; firewall management and policy management; alerts and integration
- Policy Analyzer: creates security policies; runs on a Windows desktop

DB Firewall In-Line Deployment

[Figure: Application Servers and Database Clients -> Oracle Database Firewall (Monitor, Block) -> Database]

- SQL traffic is inspected and verified against policy
- Also known as a Bridge or transparent bridge
- Sometimes the only option if out-of-band ports are not available

Certified network cards

Card Type                                 Vendor
Copper 10/100/1000                        Interface Masters Niagara 32264
Fiber 10/100/1000 (SX and LX) for PCI-X   Interface Masters Niagara 2282 (Dual)
                                          Interface Masters Niagara 2283 (Quad)
Fiber 10/100/1000 (SX and LX) for PCI-e   Interface Masters Niagara 2285 (Dual)
                                          Interface Masters Niagara 2284 (Quad)
Fiber 10G (PCI-E)                         Interface Masters Niagara 32710 (Dual)

DB Firewall Out-Of-Line Deployment

[Figure: Application Servers and Database Clients -> Database, with the Oracle Database Firewall (Monitor, Block) attached out of line]

- Also known as SPAN or Span port, Mirrored, or Tap
- SQL logging and reporting only
- Easy to deploy, no risk of impacting databases or applications

DB Firewall Remote Monitoring Deployment

[Figure: Application Servers and Database Clients -> Database running the Remote Monitoring Agent -> Oracle Database Firewall (Monitor, Block)]

DB Firewall Proxy-Mode Deployment

[Figure: Application Servers and Database Clients -> Oracle Database Firewall acting as proxy (Monitor, Block) -> Database]

Oracle Database Firewall: Host Based Monitors

Two types of Monitors:
- Remote Monitor ("spy")
- Local Monitor (does not work with network communication; works with local sessions: SSH session, keyboard, console)

Both must be connected to the Oracle Database Firewall.

They are optional and not required in most enterprise deployments.

Oracle Database Firewall: Remote Monitor

- Runs on the server operating system.
- Sends database transactions (the SQL log) to the Oracle Database Firewall.
- Supported platforms are determined first by OS, and then by the RDBMS platforms that DBFW supports:
  - Linux
  - AIX
  - Unix
  - Solaris

Oracle Database Firewall: Local Monitor

- Resides inside a database
- Monitors local / non-network access
- Does not record duplicated statements; only records the last statement
- Supported platforms are:
  - Oracle 9i to 11g
  - MS-SQL 2005, 2008
  - Sybase 12.5.3 to 15

[Figure: local session sources (application, ad-hoc tool, SSH session, keyboard access) -> SQL log]

Oracle Database Firewall: User Role Auditing

Entitlement Reports:
- User names
- User roles and privileges
- Last changed, changed by whom and when

Automated and transparent:
- User role auditing can be run ad hoc or scheduled
- Report on user roles and privileges
- Deltas since the last report

Workflow:
- Changes can be marked as accepted or refused

Oracle Database Firewall: Stored Procedure Auditing

Stored procedure contents:
- It is not enough to know a procedure was run; it is important to know what SQL was executed when the procedure is called.

Stored procedure reports:
- Name
- Content
- Threat rating (injection risk, system tables, etc.)
- Stored procedure type (DML, DDL, DCL, SELECT, etc.)
- Last changed, changed by whom and when

Automated and transparent:
- Stored procedure audit can be run ad hoc or scheduled

Workflow:
- Changes can be marked as accepted or refused

Oracle Database Firewall: Accuracy

Policy Engines: Why is Accuracy Important?

- 3,000 transactions per second = 260 million per day
- 0.001% false positive rate = 7,800 audit errors per month
- 0.0001% false negative rate results in 26 potential attacks per day!
- High-performance run-time matching ensures that only appropriate SQL interactions are sent to a database.
- False positives: the engine detects when it should not
- False negatives: attacks that avoid detection

© 2011 Oracle Corporation

Issues with Regular Expressions

Pattern matching on strings and text fails to understand the meaning, motives and intentions of SQL.

Good statement:
    SELECT * from dvd_stock where [catalog-no] = 'PHE8131' and location = 1

Bad statement (SQL injection):
    SELECT * from dvd_stock where [catalogno] = '' union select cardNo, customerId, 0 from DVD_Orders --' and location = 1

Can you Tune Regular Expressions?

"union is bad when it appears near select":
    u(?:nion\b.{1,100}?\bselect

The full rule from which that fragment comes:
    "(?:\b(?:(?:s(?:elect\b(?:.{1,100}?\b(?:(?:length|count|top)\b.{1,100}?\bfrom|from\b.{1,100}?\bwhere)|.*?\b(?:d(?:ump\b.*\bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_(?:(?:addextendedpro|sqlexe)c|(?:oacreat|prepar)e|execute(?:sql)?|makewebtask)|ql_(?:longvarchar|variant))|xp_(?:reg(?:re(?:movemultistring|ad)|delete(?:value|key)|enum(?:value|key)s|addmultistring|write)|e(?:xecresultset|numdsn)|(?:terminat|dirtre)e|availablemedia|loginconfig|cmdshell|filelist|makecab|ntsec)|u(?:nion\b.{1,100}?\bselect|tl_(?:file|http))|group\b.*\bby\b.{1,100}?\bhaving|d(?:elete\b\W*?\bfrom|bms_java)|load\b\W*?\bdata\b.*\binfile|(?:n?varcha|tbcreato)r)\b|i(?:n(?:to\b\W*?\b(?:dump|out)file|sert\b\W*?\binto|ner\b\W*?\bjoin)\b|(?:f(?:\b\W*?\(\W*?\bbenchmark|null\b)|snull\b)\W*?\()|a(?:nd\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|utonomous_transaction\b)|o(?:r\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|pen(?:rowset|query)\b)|having\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|print\b\W*?\@\@|cast\b\W*?\()|(?:;\W*?\b(?:shutdown|drop)|\@\@version)\b|'(?:s(?:qloledb|a)|msdasql|dbo)')
[Source: ModSecurity, Web Application Firewall, February 2009]

Is this comprehensible or manageable?

False Positive and False Negative

"union" is NOT universally bad when it appears next to "select"; in this environment the statement is legitimate:
    SELECT lastname from boys union SELECT lastname from girls

"union" without saying it:
    uni/* */on
    u/* */nion
    char(117,110,105,111,110)

Understanding SQL

SQL is a language with about 400 key words and a strict grammar structure.

[Figure: two statements colour-coded as KEY WORDS, SCHEMA, DATA and OPERATORS; words such as select, where, and, between, account_no and password appear inside the string data of the first statement, where the grammar says they are data, not key words]

    UPDATE tbl_users SET comments = 'The user has asked for another account_no, and wishes password, to be billed for services between 1/2/2009 and 2/2/2009, and wants to know where the invoice should be sent to. She will select the new service level agreement to run from 3/7/2009 next month' WHERE id = 'A15431029';

    SELECT id, username, account_no FROM tbl_users WHERE username = 'Bill' AND account_no BETWEEN 1001000 AND 1001012;

When the grammar of the language is understood, organizing the SQL into clusters reduces policy errors:
    Cluster 1: SELECT * FROM certs WHERE cert-type = '18
    Cluster 2: SELECT * FROM dvd_stock WHERE catalog-no = 'PHE8131' and location = 1

When a SQL statement is not in a cluster, you can identify it as out-of-policy and apply rules to log, block, or pass it.
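To make the contrast drawn on the last three slides concrete, here is an added example (written for this page, not Oracle's engine or any code from the deck): the union/select regular expression beside a toy cluster normaliser that drops comments and collapses literals, both run over the statements quoted above. The tokenizer and the cluster(), build_policy() and evaluate() helpers are assumptions of this example.

```python
import re

# Statements quoted on the slides, constructed here as inline samples.
GOOD = "SELECT * from dvd_stock where [catalog-no] = 'PHE8131' and location = 1"
INJECTED = ("SELECT * from dvd_stock where [catalog-no] = '' union select cardNo, "
            "customerId, 0 from DVD_Orders --' and location = 1")
OBFUSCATED = INJECTED.replace("union", "uni/* */on")   # "union without saying it"
LEGIT_UNION = "SELECT lastname from boys union SELECT lastname from girls"
TEXT_DATA = ("UPDATE tbl_users SET comments = 'She will select the new service level "
             "agreement and wants to know where the invoice goes' WHERE id = 'A15431029'")

# The regular-expression approach from the slides: "union is bad when it appears near select".
REGEX_RULE = re.compile(r"union\b.{1,100}?\bselect", re.IGNORECASE)

def regex_decision(sql):
    return "block" if REGEX_RULE.search(sql) else "pass"

# Toy tokenizer standing in for a grammar engine (an assumption, not the product's engine):
# comments are dropped, string and numeric literals collapse to placeholders, and
# keywords, identifiers and operators are kept as the statement's structure.
TOKEN = re.compile(r"""/\*.*?\*/ | --[^\n]* | '(?:[^']|'')*' | \b\d+\b
                       | [A-Za-z_\[][\w\-\]]* | [<>=!]+ | [*,;()]""", re.VERBOSE | re.DOTALL)

def cluster(sql):
    """Normalise a statement to its cluster signature: structure without the data."""
    sig = []
    for tok in TOKEN.findall(sql):
        if tok.startswith(("/*", "--")):
            continue            # comments carry no grammar, so uni/* */on becomes "uni on"
        sig.append("'?'" if tok.startswith("'") else "?" if tok.isdigit() else tok.lower())
    return " ".join(sig)

def build_policy(approved):
    """White list: the clusters of statements the application is known to issue."""
    return {cluster(s) for s in approved}

def grammar_decision(sql, policy):
    return "pass" if cluster(sql) in policy else "block"

def evaluate(sql, policy):
    return {"regex": regex_decision(sql), "grammar": grammar_decision(sql, policy)}

if __name__ == "__main__":
    policy = build_policy([GOOD, LEGIT_UNION, TEXT_DATA])
    for name, sql in [("good", GOOD), ("injected", INJECTED), ("obfuscated", OBFUSCATED),
                      ("legit union", LEGIT_UNION), ("keywords in data", TEXT_DATA)]:
        print(f"{name:17s} {evaluate(sql, policy)}")
```

The regex blocks the legitimate boys/girls union (false positive) and passes the comment-split union (false negative), while the cluster white list passes the first and blocks the second because it only compares structure the application has been seen to use.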

Summary: understanding SQL

Regular expressions:
- Pattern matching does not understand SQL intention
- Can generate false positives and non-detection
- High maintenance

Oracle Database Firewall:
- Clusters are deterministic and provide accurate policy application
- Speed of lookup is constant in the number of clusters in the policy
- By understanding the SQL grammar, SQL injection and other out-of-policy SQL are detected as anomalies

Database Firewall Reporting

Oracle Database Firewall: Reporting

- Database Firewall log data consolidated into a reporting database
- Dozens of built-in reports that can be modified and customized
- Database activity and privileged user reports
- Entitlements reporting for database attestation and audit
- Supports demonstrating controls for PCI, SOX, HIPAA, etc.
- Logged SQL statements can be sanitized of sensitive PII data

Oracle Database Firewall: Reporting

- Database Firewall log data consolidated into a reporting database
- Over 130 built-in reports that can be modified and customized
- Entitlements reporting for database attestation and audit
- Database activity and privileged user reports
- Supports demonstrating PCI, SOX, HIPAA/HITECH, etc. controls

Oracle Database Firewall: Key Features

Highly Accurate:
- Unique and powerful SQL recognition technology
- 100% language based
- Uses grammatical analysis

Highly Performant and Scalable:
- Semantic clustering provides high-speed processing
- Scales per platform, rather than just adding platforms

Manageability:
- Fewer boxes to deploy and manage
- Database Firewall Local/Remote Monitors do not need to be upgraded if the RDBMS platform or OS is patched
- No need to sign on to individual Database Firewalls to administer them

Demonstrate Internal Controls: Privacy and Compliance

Reporting:
- Over 100 pre-defined audit reports
- Create new reports and customize existing ones
- Reports can be distributed to the security and compliance staff without human and/or DBA intervention
- Published reporting schema for customers to use their favorite reporting tools

Flexible policies:
- White list, Black list, and Exception policies
- User, Schema, ...
- Factors such as IP addresses, OS users
- New queries, queries by SQL category, etc.

For More Information

search.oracle.com: Database security

or

oracle.com/database/security