Oracle Database Firewall - Pierre Leon

<Insert Picture Here>

Oracle Database Firewall
Pierre Leon
Database Security – Oracle UK

Agenda

• Evolving Threats to Databases
• Oracle Database Firewall
• Security Models
• Policy Enforcement
• Reporting
• Architecture and Deployment Modes
• Oracle Database Security Solutions
• Q&A

© 2011 Oracle Corporation 2

How is Data Compromised? 2010 Data Breach
Investigations Report


#1 Cause of Data Breaches:
Web Applications Hacked with SQL Injection and
Stolen Credentials Obtained Using Malware
Threat action categories by percent% of breaches and% of records Types of hacking by% of breaches within Hacking
and % of records

Attack pathways by percent% of breaches and% of records

2010 Data Breach
Investigations Report


Existing Security Solutions Not Enough

Key Loggers Malware SQL Injection Espionage
Spear Phishing Botware Social Engineering

Web Users

Database
Application Users
Application Database Administrators

Data Must Be Protected at the Source


Database Security
Defense In Depth Approach

• Monitor and block threats before they reach databases
• Track changes and audit database activity
• Control access to data within the database
• Prevent access by non database users
• Implement with
• Transparency – no changes to existing applications
• High Performance – no measurable impact on applications
• Accuracy – minimal false positives and negatives


Business Drivers
• Customers need a first line of defence to monitor and
protect against existing and emerging threats
• Hackers breach databases from the web exploiting
vulnerabilities in applications
• Stolen credentials exploited for unauthorised use

Application Database
Firewall Database


First Line of Defense

Allow

Log

Alert

Substitute
Applications
Block

Alerts Built-in Custom Policies
Reports Reports

• Monitor database activity to help prevent unauthorisedactivity, application
bypass and SQL injections, illegal access to sensitive data etc.
• Highly accurate SQL grammar based analysis, no false positives
• White-list, black-list, and exception-list based security policies
• Built-in and custom compliance reports for regulations


Positive Security Model Based Enforcement

White List
Allow

Block
Applications

• White-list based policies enforce normal or expected behavior
• Policies evaluate factors such as time, day, network, and application
• Easily generate white-lists for any application
• Out of policy SQL statements can be logged, alerted, blocked or
substituted with a harmless SQL statement
• SQL substitution foils attackers without disrupting applications


Negative Security Model Based Enforcement

Black List
Allow

Block
Applications

• Stop specific unwanted SQL commands, user or schema access
• Prevent privilege or role escalation and unauthorisedaccess to
sensitive data
• Black list policies can evaluate factors such as day, time, network, and
application


Scalable and Safe Policy Enforcement

Log

Allow
SELECT * FROM accounts
Alert
Becomes
SELECT * FROM dual where 1=0
Substitute
Applications
Block

• Innovative SQL grammar technology reduces millions of SQL statements into
a small number of SQL characteristics or “clusters”
• Flexible enforcement at SQL level: block, substitute, alert and pass, log only
• SQL substitution foils attackers without disrupting applications
• Centralisedpolicy management and reporting
• Superior performance and policy scalability


SQL Injection
Too much trust in applications
SELECT *FROMdvd_stock
WHERE catalog-no = 'PHE8131'
AND location = 1
Allow

SELECT *FROMdvd_stock Block
WHERE catalog-no = ''
Application UNION SELECTcardNo, customerId, 0
FROM DVD_Orders–-' AND location = 1

• Applications are given high levels of privilege
• Database trusts the application
• “Users” subvert the application to access to the database (and beyond)
• Each application is unique
• Regular expression black lists are ineffective
• Grammar based white list blocks SQL injection attacks


Semantic Analysis and Policy Creation

• Train the Analyser on Firewall
logs
• Automatically generate White
Lists
• Create exceptions
• Create default actions for
unrecognised SQL/anomalies
• Novelty policies
• Assign threat levels
• Assign actions
• Set policies for Logon/Logoff
and Failed Login


Data Masking

• Prevents creating yet another database with sensitive and regulated data
• Sensitive and regulated information contained in SQL statements can be
masked or redacted in real-time prior to being logged
• Flexible masking policies allow masking all data or just specific columns
• Critical for organisationswho want to monitor and log all database activity


Reporting
• Database Firewall log data
consolidated into reporting database
• Dozens of built in reports that can be
modified and customised
• Database activity and privileged
user reports
• Entitlements reporting for
database attestation and audit
• Supports demonstrating controls
for PCI, SOX, HIPAA, etc.
• Logged SQL statements can be
sanitisedof sensitive PII data


Local Monitor
Architecture
In-Line Blocking
and Monitoring

Out-of-Band
Inbound Monitoring
SQL Traffic

HA Mode
Policy Management
Analyser Server(s)

• In-line blocking and monitoring, or out-of-band monitoring modes
• High availability with parallelFirewalls / Management Servers
• Monitoring of remote databases by forwarding network traffic
• Application agnostic
• Support for Oracle and non-Oracle Databases


Fast and Flexible Deployments

Application Servers Users

Database Out-of-Band Router
Firewall

Database Servers

Host
Based
In-Line Agent

• In-Line: All database traffic goes through the Oracle Database Firewall
• Out-of-Band/Passive: Database Firewall connected to a SPAN port or TAP
• Optional Host Based Remote or Local Monitors
• Can send network traffic from the database host to the Database Firewall
• Can send non-network database activity to the Database Firewall to
identify unauthoriseduse of local console or remote sessions


Major US East-Coast Bank
Active Database Firewall
• Protect business critical databases to prevent
unauthorisedaccess, data loss and PII exposure
Business Challenges • Monitor and protect over 600 databases across 7
international data centers.
• Minimal impact to existing database performance

• Oracle Database Firewall for real-time database
protection and monitoring of billions of transactions
Solution per day
• Prevent unauthorised data access and malicious
activity

• Passed internal and external audit
• Demonstrate active controls over data access and
Business Results database systems
• Standardised security, alerts and reporting across
the complete business


Major US Investment Bank
Auditing Data Changes

• Monitor 60+ databases
• Track every change to customer data
Business Challenges • Alert on unauthorisedchanges to stored procedures
or user roles and privileges
• Automated report distribution to internal auditors
• Database Firewall deployed in heterogeneous
environments providing monitoring and reporting on
Solution every change to customer data
• Monitor procedure and user role changes with full
separation of duties from existing DBA team

• Passes daily audits
Business Results • Audit data ready for sign-off automatically emailed
before the start of business


Major European Government
Protecting Government Data and PII

• Prevent access to highly sensitive citizen data other
than via certified application
Business Challenges • Enforce strict application behavior through white-list
• Monitor and audit every transaction 24x365

• Six fully redundant pairs of Database Firewall to
maintain a complete database security perimeter
Solution
• Critical high-availability architecture to meet strict
service-level requirements
• Complete protection from unauthorisedaccess,
hacking of malicious changes to application code
Business Results • Highly sensitive citizen data protected by
continuously available firewall perimeter
• Meets government standards for PII data storage


Heterogeneous Database Support

• Oracle 8i, 9i, 10g, 11g
• MS-SQL 2000, 2005, 2008
• Sybase 12.5.4 to 15.0.x
• SQL Anywhere 10.x
• DB2 9.x for LUW


Oracle Database Security Solutions
Inside. Outside. Complete.
• Monitor and block threats before they reach databases
• Track changes and audit database activity
• Control access to data within the database
• Prevent access by non database users
• Transparency, high performance, accuracy

Monitoring Access Auditing & Encryption
& Blocking Control Tracking & Masking

• Database Firewall • Database Vault • Audit Vault • Advanced Security
• Label Security • Configuration • Secure Backup
• Identity Management Management • Data Masking
• Total Recall


For More Information

search.oracle.com

database security

or

oracle.com/database/security


Remote/Local Monitor

• Remote Monitor
• Runs on the server operating system.
• Sends database transactions to Oracle Database Firewall
• Supported platforms is by OS -- and then by the RDBMS
platforms that DBFW support:
• Local Monitor
• Resides inside a database
• Monitors local / non-network access.


User Role Reporting

• Entitlement Reports
• User names
• User roles and privileges
• Last changed, changed by whom and when
• Automated and transparent
• User role reporting can be run ad-hoc or scheduled
• Report on user roles and privileges
• Deltas since the last report


Stored Procedure Reporting

• Stored procedure contents
• Its not enough to know a procedure was run, it is important to
know what SQL was executed when the procedure is called.
• Stored procedure reports
• Name
• Content
• Threat rating (injection risk, system tables etc).
• Stored procedure type (DML, DDL, DCL, SELECT etc)
• Last changed, changed by whom and when
• Automated and transparent
• Stored procedure reporting can be run adhoc or scheduled


The Cost of Inaccuracy
select * from hr.employees;

3,000 transactions
per second

260 million
transactions per day


Oracle Database Firewall - Pierre Leon

More Related Content

What's hot (20)

Viewers also liked (6)

Similar to Oracle Database Firewall - Pierre Leon (20)

Recently uploaded (20)

Oracle Database Firewall - Pierre Leon

Editor's Notes