Thursday, May 5, 2011

ORACLE Database Firewall

    Oracle Database Firewall is Oracle's next-generation product for securing data held in databases. It takes a different approach from traditional data security software vendors, one that promises more automation, simplicity and security. The core technology parses the grammar of SQL and works by analyzing the meaning of the statements that database clients issue. Because it does not depend on the source of an attack or on recognizing the syntax of known threats, this offers a substantially higher degree of protection than first-generation database monitoring products that rely on signatures of known attacks.
Oracle Database Firewall recognizes injected SQL and can block statements that fall outside an organization's security policy. Oracle's claim is that understanding the meaning of each SQL statement makes false positives and false negatives extremely rare; in practice the accuracy of any such whitelist depends on how completely the policy was trained against the application's real SQL traffic, so the training baseline deserves as much care as the enforcement rules.
Database Firewall is designed to work on the network, providing in-line blocking or out-of-band monitoring for the largest enterprise deployments. Optional host-based agents add low-impact local monitoring for connections that never cross the network.
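The following is an added, deliberately simplified illustration of the idea behind the grammar-based approach described above; it is not Oracle's code and does not reproduce the product's SQL parser. It reduces each statement to a structural template (Oracle calls these clusters) by replacing literals with placeholders and dropping comments, then compares the template against a whitelist learned from a baseline of normal traffic. The sample statements, the `Policy` class and the `inline`/`monitor` modes are assumptions constructed for the example; the point is that injected SQL changes the structure of the statement, so it is caught without knowing the attack payload in advance.

```python
import re

# Tokenizer for a useful subset of SQL.  Alternation order matters: comments
# before the '-' and '/' operators, strings before anything else that can
# start with a quote.  Unknown characters fall through to 'other'.
TOKEN_RE = re.compile(r"""
    (?P<comment>--[^\n]*|/\*.*?\*/)         # -- line and /* block */ comments
  | (?P<string>'(?:[^']|'')*')             # 'literal', with '' as an escaped quote
  | (?P<number>\b\d+(?:\.\d+)?\b)          # numeric literal
  | (?P<word>[A-Za-z_][A-Za-z0-9_.$\#]*)   # keyword or identifier
  | (?P<op>[<>=!]+|[(),;*+\-/%])           # operators and punctuation
  | (?P<ws>\s+)
  | (?P<other>.)
""", re.VERBOSE | re.DOTALL)


def normalize(sql: str) -> str:
    """Reduce a statement to its structural template.

    Literals become '?', comments are dropped, case and whitespace are
    folded.  Two statements that differ only in their data values map to
    the same template, which is what lets the policy ignore the payload
    and look at the shape of the statement instead.
    """
    out = []
    for m in TOKEN_RE.finditer(sql):
        kind = m.lastgroup
        if kind in ("comment", "ws"):
            continue
        if kind in ("string", "number"):
            out.append("?")
        elif kind == "word":
            out.append(m.group().upper())   # unquoted SQL identifiers are case-insensitive
        else:
            out.append(m.group())
    return " ".join(out)


class Policy:
    """Whitelist of statement templates learned from a traffic baseline.

    mode="inline"  : the firewall sits in the path and can BLOCK a statement
    mode="monitor" : out-of-band monitoring can only ALERT on it
    (The two modes are an assumption of this example; the product's own
    action set is richer.)
    """

    def __init__(self, baseline, mode="inline"):
        self.allowed = {normalize(s) for s in baseline}
        self.mode = mode

    def evaluate(self, sql):
        template = normalize(sql)
        if template in self.allowed:
            return ("PASS", template)
        return ("BLOCK" if self.mode == "inline" else "ALERT", template)


# Constructed baseline: the statements the application normally sends to
# the monitored database.  In the product this is what the training /
# analysis phase records.
BASELINE = [
    "SELECT id, name FROM users WHERE name = 'alice' AND pass = 's3cr3t'",
    "SELECT * FROM orders WHERE customer_id = 1042 AND status = 'OPEN'",
    "UPDATE orders SET status = 'SHIPPED' WHERE id = 77",
]

# Constructed live traffic: legitimate variants mixed with injection attempts.
TRAFFIC = [
    # same shape as the baseline, different values -> allowed
    "SELECT id, name FROM users WHERE name = 'bob' AND pass = 'hunter2'",
    # classic tautology injection; the trailing comment swallows the password check
    "SELECT id, name FROM users WHERE name = 'x' OR '1'='1' --' AND pass = 'whatever'",
    # UNION-based injection pulling another table
    "SELECT id, name FROM users WHERE name = '' UNION SELECT username, password FROM dba_users --' AND pass = 'x'",
    # formatting and case differences are not a policy violation
    "select * from ORDERS where CUSTOMER_ID=7 and STATUS='open'",
    # extra predicate widens the UPDATE to every row
    "UPDATE orders SET status = 'SHIPPED' WHERE id = 77 OR 1=1",
    # never seen from this application at all
    "DROP TABLE orders",
]


def evaluate_traffic(mode="inline"):
    """Run the constructed traffic through a policy learned from BASELINE."""
    policy = Policy(BASELINE, mode)
    return [(policy.evaluate(sql)[0], sql) for sql in TRAFFIC]


if __name__ == "__main__":
    for action, sql in evaluate_traffic("inline"):
        print(f"{action:5}  {sql}")
```

Running it in `inline` mode passes the first and fourth statements and blocks the other four; in `monitor` mode the same four come back as `ALERT`, which is the practical difference between an in-line enforcement point and out-of-band monitoring. Note that the whitelist is only as good as the baseline: a legitimate statement the application never issued during training would also be blocked, which is why the accuracy claims above hinge on the training phase.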


About the Oracle Database Firewall System Architecture
The typical Oracle Database Firewall architecture has the following main components:
    The database network, containing the database server and its clients: you are not required to install Oracle Database Firewall on the database server or on the clients. If needed, however, you can install Database Firewall Local Monitoring on the database server, which lets the Database Firewall see SQL from users or processes that reach the database directly (for example, through the console) and therefore never cross the monitored network.
    The Database Firewall: this is the server that runs the Oracle Database Firewall software. Each Database Firewall captures the SQL traffic sent to the databases it protects and forwards it to the Database Firewall Management Server, where it is stored and analyzed in reports. Once the SQL data has been sent to the Management Server, the Database Firewall deletes its local copy.
    Database Firewall applications and other third-party applications: these perform system configuration, monitoring, administration and reporting. If necessary you can run all of them from a single computer; typically, though, there is a separate computer for each application, because they are used by different people or from different locations.
Examples of Database Firewall applications include the Oracle Database Firewall Administration Console and the Oracle Database Firewall Analyzer.


You must use a Database Firewall Management Server to control one or more Database Firewall installations.



Documentation: http://download.oracle.com/docs/cd/E20465_01/doc/nav/portal_booklist.htm


In this tutorial, I use 4 virtual machines:

ORADB11g - Test Oracle Database (on OELinux), which will be monitored by Database Firewall.

FWMS - Firewall Management Server (on OELinux).

DBFW - Standalone Database Firewall (on OELinux).

Analyzer - Windows XP client, which will be used for browser-based applications like the Administration Console.


Now, I will go through multiple parts, one for each topic: Installation, Integration, Monitoring, Auditing and so on.

Future parts, such as "User Role Auditing" and "SQL Injection", will be added as soon as possible.


Part 1: Installation

Download MP4 of this video


Part 2: Firewall Management Server Installation

Download MP4 of this video


Part 3: Firewall Management Server Initial Configuration

Download MP4 of this video


Part 4: Integrating the Standalone Firewall With the Management Server

Download MP4 of this video


Part 5: Creating an Enforcement Point for Monitoring the Database

Download MP4 of this video


Part 6: Stored Procedure Auditing

Download MP4 of this video


Part 7: User Role Auditing

Download MP4 of this video


Next parts coming soon...
1 comment:

Anonymous said...

Hi, how can you test in inline mode if all interfaces are bridged? Could you indicate the network configuration to use with 3 machines on VirtualBox, e.g., or other? I test with a client/XP, the DBFW (which is DBFW and management) and a vulnerable application (PHP+MySQL, e.g.). I've tried to configure 1 management network to reach the (IP of the bridge) DBFW and the bridge interfaces, which are connected to 2 separate host-only networks (to pass the traffic from client to vulnerable server/DB) .. no WAY :) Thanks in advance for your recommendations :)