Agenda
What is Database Firewall
Oracle Database Firewall Components and Deployment Modes
Reporting
[Diagram: Application -> Database Firewall -> Database. Network packet: Header (address), Payload (body/data), Trailer (footer). Throughput: 3,000 transactions per second, 260 million transactions per day. Grammar engine handles separate dialects of SQL.]
Database Firewall (HA Mode)
Remote/Local Monitor: forwards network traffic
Database Firewall Management Server: reports and archives repository; firewall management and policy management; alerts and integration
Policy Analyzer: creates security policies; runs on a Windows desktop
[Diagram: Monitor / Block; Application Servers and Database Clients -> Oracle Database Firewall -> Database]
SQL traffic is inspected and verified against policy
Also known as a bridge or transparent bridge.
Sometimes the only option if out-of-band ports are not available.
Supported network interface cards (vendor table on the original slide): Copper 10/100/1000; Fiber 10/100/1000 (SX and LX) for PCI-X
[Diagram: Monitor / Block; Application Servers, Database Clients, Oracle Database Firewall]
[Diagram: Application Servers, Oracle Database Firewall (Block), Remote Monitoring Agent, Database Clients]
[Diagram: Application Servers, Oracle Database Firewall, Database Clients]
[Diagram: SQL Log collected from Linux, AIX, Unix and Solaris hosts]
[Diagram: Local session sources: SQL Log, Application, Adhoc tool, SSH session, Keyboard access]
Workflow
Changes can be marked as accepted or refused.
Policy Engines
Why is Accuracy Important?
3,000 transactions per second = 260 million per day
0.001% false positive rate = 7,800 audit errors per month
High-performance run-time matching ensures that only appropriate SQL interactions are sent to a database.
False positives: detections where there should be none.
False negatives: events that should be detected but avoid detection.
char(117,110,105,111,110) evaluates to the string 'union' (u, n, i, o, n)
2011 Oracle Corporation
Understanding SQL
SQL is a language with about 400 key words and a strict grammar structure.

Example statements (colour-coded by token class on the original slide):

UPDATE tbl_users SET comments = 'The user has asked for another account_no, and wishes to be billed for services between 1/2/2009 and 2/2/2009, and wants to know where the invoice should be sent to. She will select the new service level agreement to run from 3/7/2009 next month' WHERE id = 'A15431029';

SELECT id, username, password, account_no FROM tbl_users WHERE username = 'Bill' AND account_no BETWEEN 1001000 AND 1001012;

Token classes: KEY WORDS, SCHEMA, DATA, OPERATORS

The words select, from, where and between inside the comments value are data, not key words.

When a SQL statement does not fall into a known cluster, it can be identified as out-of-policy and rules applied to log, block, or pass it.
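The clustering idea above, as an added example that is not Oracle's code or part of the original deck: a small lexer classifies each token as key word, schema, data or operator, collapses every data value to a placeholder so that a statement reduces to its cluster, and an allow-list policy built from known-good traffic decides whether a new statement passes or gets the out-of-policy action (log or block). The key word list, the token classes and the sample traffic are assumptions constructed for the example; the two baseline statements are the slide's own, with quotes restored. Because string literals are consumed whole, the comment value that contains "select from where update" does not change the cluster of the UPDATE.

```python
import re

# Key word list for the small SQL subset used here. Assumption: a real grammar
# engine carries the full key word set (about 400 words) of each SQL dialect.
KEYWORDS = {
    "SELECT", "FROM", "WHERE", "UPDATE", "SET", "INSERT", "INTO", "VALUES",
    "DELETE", "AND", "OR", "NOT", "BETWEEN", "IN", "LIKE", "ORDER", "BY", "UNION",
}

# Lexer: one alternative per token class. A string literal is consumed whole,
# so words inside a comment value never reach the key word check.
TOKEN_RE = re.compile(r"""
      (?P<string>'(?:[^']|'')*')          # single-quoted literal, '' escapes a quote
    | (?P<number>\d+(?:\.\d+)?)           # numeric literal
    | (?P<word>[A-Za-z_][A-Za-z0-9_]*)    # key word or schema identifier
    | (?P<op>[=<>!]+|[(),;*])             # operators and punctuation
    | (?P<ws>\s+)
""", re.VERBOSE)


def tokenize(sql):
    """Return (class, text) pairs with class in {keyword, schema, data, op}."""
    tokens, pos = [], 0
    while pos < len(sql):
        m = TOKEN_RE.match(sql, pos)
        if m is None:
            raise ValueError(f"unexpected character {sql[pos]!r} at offset {pos}")
        pos = m.end()
        kind, text = m.lastgroup, m.group()
        if kind == "ws":
            continue
        if kind == "word":
            kind = "keyword" if text.upper() in KEYWORDS else "schema"
        elif kind in ("string", "number"):
            kind = "data"
        tokens.append((kind, text))
    return tokens


def cluster_signature(sql):
    """Collapse a statement to its cluster: key words upper-cased, schema names
    lower-cased, operators kept, every data value replaced by '?'."""
    parts = []
    for kind, text in tokenize(sql):
        if kind == "data":
            parts.append("?")
        elif kind == "keyword":
            parts.append(text.upper())
        elif kind == "schema":
            parts.append(text.lower())
        else:
            parts.append(text)
    return " ".join(parts)


class Policy:
    """Allow-list of clusters learned from known-good traffic, plus the action
    (log, block or pass) applied to statements outside every cluster."""

    def __init__(self, baseline, out_of_policy_action="block"):
        self.clusters = {cluster_signature(s) for s in baseline}
        self.out_of_policy_action = out_of_policy_action

    def evaluate(self, sql):
        sig = cluster_signature(sql)
        if sig in self.clusters:
            return "pass", sig
        return self.out_of_policy_action, sig


# Constructed baseline: the two statements from the slide, with quotes restored.
BASELINE = [
    "UPDATE tbl_users SET comments = 'The user has asked for another account_no, "
    "and wishes to be billed for services between 1/2/2009 and 2/2/2009, and wants "
    "to know where the invoice should be sent to. She will select the new service "
    "level agreement to run from 3/7/2009 next month' WHERE id = 'A15431029';",
    "SELECT id, username, password, account_no FROM tbl_users "
    "WHERE username = 'Bill' AND account_no BETWEEN 1001000 AND 1001012;",
]
POLICY = Policy(BASELINE, out_of_policy_action="block")

# Constructed traffic: the same two shapes with new data values, and one
# statement shape the application never issues.
SAMPLE_TRAFFIC = [
    "update tbl_users set comments = 'select from where update' where id = 'B77';",
    "SELECT id, username, password, account_no FROM tbl_users "
    "WHERE username = 'Ann' AND account_no BETWEEN 5 AND 9;",
    "DELETE FROM tbl_users WHERE id = 'A15431029';",
]


def run_sample():
    """Evaluate SAMPLE_TRAFFIC and return a list of (action, signature)."""
    return [POLICY.evaluate(s) for s in SAMPLE_TRAFFIC]


if __name__ == "__main__":
    for action, sig in run_sample():
        print(f"{action:5}  {sig}")
```

The first two sample statements reduce to clusters already in the baseline and pass; the DELETE produces a cluster the baseline never contained, so it receives the configured out-of-policy action. Switching the action to "log" is how a policy is run in monitor mode before blocking is turned on.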
Database Firewall Reporting
Reporting
Over 100 pre-defined audit reports
Create new reports and customize existing ones
Reports can be distributed to security and compliance staff without human and/or DBA intervention
Published reporting schema so customers can use their favorite reporting tools
Flexible policies
For more information: search.oracle.com (search for "Database security") or oracle.com/database/security