DB Firewall Iveta Stavinova


  • 1

    Oracle Database Firewall: the first line of defense

    Iveta Stavinová, Technology Pre-Sales

  • 3

    Agenda

    What is Database Firewall

    Oracle Database Firewall Components and Deployment Modes

    Reporting

  • 4

    Why a Database Firewall?

    Customers need a first line of defence to monitor and protect against existing and emerging threats

    Hackers breach databases from the web by exploiting vulnerabilities in applications

    Stolen credentials are exploited for unauthorized use

    [Diagram: Application -> Database Firewall -> Database]

  • 5

    Oracle Database Firewall Differentiator

    A network packet consists of:

    Header (address)

    Payload (body/data)

    Trailer (footer)

    The Database Firewall works on the payload, i.e. on the SQL text itself, rather than only on addresses and ports

    [Diagram: Application -> Database Firewall -> Database]

  • 6

    The cost of inaccuracy

    3,000 transactions per second is roughly 260 million transactions per day

    A false-positive rate of one in a million (0.0001%) gives 260 false positives per day, about 7,800 audit errors per month

    A false-negative rate of one in ten million (0.00001%) gives 26 successful attacks per day

    ...it only takes one...

  • 7

    Oracle Database Firewall First Line of Defense

    Monitor database activity and block unauthorized database access

    Highly accurate SQL grammar-based analysis to enforce normal activity

    Built-in and custom compliance reports for SOX, PCI, and other regulations

  • 8

    Heterogeneous Database Support

    RDBMS platforms supported:

    Oracle 8i, 9i, 10g, 11g

    MS SQL Server 2000, 2005, 2008

    Sybase 12.5.3 to 15

    SQL Anywhere v10

    DB2 for LUW

    Grammar engine: a separate dialect of SQL for each platform

  • 9

    Oracle Database Firewall

    The Components

  • 10

    Oracle Database Firewall Basic Components

    Policy Analyzer: creates security policies; runs on a Windows desktop

    Database Firewall Management Server: report and archive repository; firewall and policy management; alerts and integration

    Database Firewall (HA mode): monitors access and blocks unauthorized traffic

    Remote/Local Monitor: forwards traffic captured on the database host to the Database Firewall

  • 11

    DB Firewall In-Line Deployment

    [Diagram: Application Servers and Database Clients -> Oracle Database Firewall (Monitor, Block) -> Database]

    SQL traffic is inspected and verified against policy

    Also known as a bridge or transparent bridge deployment

    Sometimes the only option if out-of-band (SPAN/mirror) ports are not available

  • 12

    Certified network cards

    Card type                               Vendor / model
    Copper 10/100/1000                      Interface Masters Niagara 32264
    Fiber 10/100/1000 (SX and LX), PCI-X    Interface Masters Niagara 2282 (dual), Niagara 2283 (quad)
    Fiber 10/100/1000 (SX and LX), PCI-e    Interface Masters Niagara 2285 (dual), Niagara 2284 (quad)
    Fiber 10G, PCI-e                        Interface Masters Niagara 32710 (dual)

  • 13

    DB Firewall Out-Of-Line Deployment

    [Diagram: Application Servers and Database Clients -> Database, with a copy of the traffic fed to the Oracle Database Firewall (Monitor, Block)]

    Also known as a SPAN port, mirror port or network TAP deployment

    SQL logging and reporting only

    Easy to deploy, with no risk of impacting databases or applications

  • 14

    DB Firewall Remote Monitoring Deployment

    [Diagram: Application Servers and Database Clients connect directly to the Database; a Remote Monitoring Agent on the database host forwards the traffic to the Oracle Database Firewall (Monitor, Block)]

  • 15

    DB Firewall Proxy-Mode Deployment

    [Diagram: Application Servers and Database Clients connect to the Oracle Database Firewall, which proxies the connection to the Database (Monitor, Block)]

  • 16

    Oracle Database Firewall Host Based Monitors

    Two types of monitors:

    Remote Monitor: captures database traffic on the database host itself

    Local Monitor: does not work with network communication; it covers local sessions, SSH sessions, keyboard and console access

    Both must be connected to the Oracle Database Firewall

    Optional, and not required in most enterprise deployments

  • 17

    Oracle Database Firewall Remote Monitor

    Runs on the database server operating system

    Sends database transactions to the Oracle Database Firewall

    Supported platforms are determined first by OS and then by the RDBMS platforms the Database Firewall supports:

    Linux

    AIX

    Unix

    Solaris

    [Diagram: Remote Monitor on the server forwards captured statements to the Database Firewall SQL log]

  • 18

    Oracle Database Firewall Local Monitor

    Resides inside the database

    Monitors local / non-network access

    Does not record duplicated statements; only the last statement is recorded

    Supported platforms: Oracle 9i to 11g; MS SQL Server 2005, 2008; Sybase 12.5.3 to 15

    [Diagram: local session, SSH session, keyboard access, application and ad-hoc tool access on the host are captured by the Local Monitor into the SQL log]

  • 19

    Oracle Database Firewall User Role Auditing

    Entitlement reports:

    User names

    User roles and privileges

    Last changed: by whom and when

    Automated and transparent:

    User role auditing can be run ad hoc or scheduled

    Reports on user roles and privileges

    Deltas since the last report

    Workflow:

    Changes can be marked as accepted or refused

  • 20

    Oracle Database Firewall Stored Procedure Auditing

    Stored procedure contents:

    It is not enough to know that a procedure was run; it is important to know what SQL is executed when the procedure is called

    Stored procedure reports:

    Name

    Content

    Threat rating (injection risk, use of system tables, etc.)

    Stored procedure type (DML, DDL, DCL, SELECT, etc.)

    Last changed: by whom and when

    Automated and transparent:

    Stored procedure audit can be run ad hoc or scheduled

    Workflow:

    Changes can be marked as accepted or refused
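    The stored-procedure report above rates each procedure by what it does (SELECT, DML, DDL, DCL) and by its risk (dynamic SQL that concatenates caller input, references to system tables). The following Python sketch is an added example of that kind of classification; it is not Oracle's code and does not reflect how Database Firewall implements its audit. The procedure bodies, the object names (orders, app_user) and the rating thresholds are constructed for illustration; the only real Oracle names used are EXECUTE IMMEDIATE and the SYS.AUD$ audit table.

```python
import re

# Constructed PL/SQL-style procedure sources for this example; names, schema
# objects and bodies are made up. Assumes no ';' inside string literals.
PROCEDURES = {
    "get_order": """
        CREATE OR REPLACE PROCEDURE get_order(p_id IN NUMBER, p_total OUT NUMBER) AS
        BEGIN
          SELECT total INTO p_total FROM orders WHERE id = p_id;
        END;""",
    "search_orders": """
        CREATE OR REPLACE PROCEDURE search_orders(p_status IN VARCHAR2) AS
        BEGIN
          -- dynamic SQL built by concatenating a caller-supplied string
          EXECUTE IMMEDIATE 'SELECT * FROM orders WHERE status = ''' || p_status || '''';
        END;""",
    "purge_audit": """
        CREATE OR REPLACE PROCEDURE purge_audit AS
        BEGIN
          DELETE FROM sys.aud$ WHERE ntimestamp# < SYSDATE - 90;
          EXECUTE IMMEDIATE 'GRANT DBA TO app_user';
        END;""",
}

STRING_RE = re.compile(r"'(?:[^']|'')*'")          # '' escapes a quote inside a literal
COMMENT_RE = re.compile(r"--[^\n]*")
BODY_RE = re.compile(r"\bBEGIN\b(.*)\bEND\b", re.I | re.S)
# Oracle data-dictionary and audit objects a procedure normally has no business touching
SYSTEM_REF_RE = re.compile(r"\b(?:SYS\.\w+\$?|DBA_\w+|V\$\w+)", re.I)

CATEGORY = {
    "SELECT": "SELECT",
    "INSERT": "DML", "UPDATE": "DML", "DELETE": "DML", "MERGE": "DML",
    "CREATE": "DDL", "ALTER": "DDL", "DROP": "DDL", "TRUNCATE": "DDL",
    "GRANT": "DCL", "REVOKE": "DCL",
}


def audit_procedure(source: str) -> dict:
    """Classify one procedure: statement types, injection risk, system refs, rating."""
    m = BODY_RE.search(source)
    body = COMMENT_RE.sub("", m.group(1) if m else source)
    types, injection = set(), "none"
    for stmt in body.split(";"):
        stmt = stmt.strip()
        if not stmt:
            continue
        verb = stmt.split()[0].upper()
        if verb == "EXECUTE":                      # EXECUTE IMMEDIATE: dynamic SQL
            types.add("DYNAMIC")
            if "||" in STRING_RE.sub("''", stmt):  # concatenation outside the literals
                injection = "high"                 # caller data becomes SQL text
            elif injection == "none":
                injection = "medium"               # dynamic, but a fixed string
            literals = STRING_RE.findall(stmt)
            if literals:                           # classify the verb of the dynamic string
                words = literals[0].strip("'").split()
                if words:
                    types.add(CATEGORY.get(words[0].upper(), "OTHER"))
        else:
            types.add(CATEGORY.get(verb, "OTHER"))
    refs = sorted({r.upper() for r in SYSTEM_REF_RE.findall(body)})
    if injection == "high" or "DCL" in types:
        rating = "high"
    elif injection == "medium" or "DDL" in types or refs:
        rating = "medium"
    else:
        rating = "low"
    return {"types": types, "injection_risk": injection,
            "system_refs": refs, "rating": rating}


if __name__ == "__main__":
    for name, src in PROCEDURES.items():
        print(name, audit_procedure(src))
```

    The two things a reviewer wants flagged before a procedure is marked "accepted" are both visible here: search_orders concatenates p_status into the SQL text (the classic PL/SQL injection pattern), and purge_audit both deletes from SYS.AUD$ and grants DBA through dynamic SQL, which static inspection of the first keyword alone would never reveal.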

  • 21

    Oracle Database Firewall

    accuracy

  • 2011 Oracle Corporation 22

    Policy Engines: Why is Accuracy Important?

    3,000 transactions per second is about 260 million per day

    A one-in-a-million (0.0001%) false-positive rate means 7,800 audit errors per month

    High-performance run-time matching ensures only appropriate SQL interactions are sent to the database

    False positives: detecting when it should not

    False negatives: attacks that avoid detection

    A one-in-ten-million (0.00001%) false-negative rate results in 26 potential attacks per day!

  • 23

    Issues with Regular Expressions

    Matching on strings and text fails to understand the meaning, motives and intentions of the SQL

    Good statement:

    SELECT * from dvd_stock where [catalog-no] = 'PHE8131' and location = 1

    Bad statement (SQL injection):

    SELECT * from dvd_stock where [catalog-no] = '' union select cardNo, customerId, 0 from DVD_Orders --' and location = 1

  • 24

    Can you Tune Regular Expressions?

    "union" is bad when it appears near "select", so the rule contains the fragment u(?:nion\b.{1,100}?\bselect ...

    The full rule it comes from:

    "(?:\b(?:(?:s(?:elect\b(?:.{1,100}?\b(?:(?:length|count|top)\b.{1,100}?\bfrom|from\b.{1,100}?\bwhere)|.*?\b(?:d(?:ump\b.*\bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_(?:(?:addextendedpro|sqlexe)c|(?:oacreat|prepar)e|execute(?:sql)?|makewebtask)|ql_(?:longvarchar|variant))|xp_(?:reg(?:re(?:movemultistring|ad)|delete(?:value|key)|enum(?:value|key)s|addmultistring|write)|e(?:xecresultset|numdsn)|(?:terminat|dirtre)e|availablemedia|loginconfig|cmdshell|filelist|makecab|ntsec)|u(?:nion\b.{1,100}?\bselect|tl_(?:file|http))|group\b.*\bby\b.{1,100}?\bhaving|d(?:elete\b\W*?\bfrom|bms_java)|load\b\W*?\bdata\b.*\binfile|(?:n?varcha|tbcreato)r)\b|i(?:n(?:to\b\W*?\b(?:dump|out)file|sert\b\W*?\binto|ner\b\W*?\bjoin)\b|(?:f(?:\b\W*?\(\W*?\bbenchmark|null\b)|snull\b)\W*?\()|a(?:nd\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=]+|utonomous_transaction\b)|o(?:r\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=]+|pen(?:rowset|query)\b)|having\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=]+|print\b\W*?\@\@|cast\b\W*?\()|(?:;\W*?\b(?:shutdown|drop)|\@\@version)\b|'(?:s(?:qloledb|a)|msdasql|dbo)')

    [Source: ModSecurity, Web Application Firewall, February 2009]

    Is this comprehensible or manageable?

  • 25

    False Positive and False Negative

    "union" is NOT universally bad when it appears next to "select"; in this environment it is legitimate:

    SELECT lastname from boys union SELECT lastname from girls

    And an attacker can write "union" without saying it, so a keyword pattern never fires:

    uni/* */on

    u/* */nion

    char(117,110,105,111,110)

    u n i o n

  • 26

    SQL is a language with about 400 key words and a strict grammar structure

    SELECT id, username, password, account_no FROM tbl_users WHERE username = 'Bill' AND account_no BETWEEN 1001000 AND 1001012;

    UPDATE tbl_users SET comments = 'The user has asked for another account_no, and wishes to be billed for services between 1/2/2009 and 2/2/2009, and wants to know where the invoice should be sent to. She will select the new service level agreement to run from 3/7/2009 next month' WHERE id = 'A15431029';

    The slide highlights four classes of token in these statements: KEY WORDS, SCHEMA (tables and columns), DATA (literals) and OPERATORS. Note that "select", "between" and "and" inside the UPDATE's string literal are data, not key words; a string matcher cannot tell the difference, a grammar can.

    Understanding SQL

    When the grammar of the language is understood, organizing the SQL into clusters reduces policy errors

    Cluster 1: SELECT * FROM certs WHERE cert-type = '18

    Cluster 2: SELECT * FROM dvd_stock WHERE catalog-no = 'PHE8131' and location = 1

    When a SQL statement is not in a cluster, you can identify it as out-of-policy and apply rules to log, block, or pass it
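    The three slides above contrast a "union near select" regex (which fires on the legitimate boys/girls UNION and misses the comment-split and spaced-out spellings) with grammar-based clustering (which abstracts literals and comments away and compares statement structure against a learned whitelist). The Python below is an added illustration of both decisions side by side; it is not Oracle's code and is far simpler than a real SQL grammar engine. The statements are the page's own examples plus two obfuscated variants constructed here; the tokenizer, the keyword list and the ClusterPolicy class are this example's assumptions.

```python
import re

# Constructed sample statements: the page's two "good" statements, its injection
# example, and two keyword-obfuscated variants of it. None is real captured traffic.
BASELINE = [
    "SELECT * from dvd_stock where [catalog-no] = 'PHE8131' and location = 1",
    "SELECT lastname from boys union SELECT lastname from girls",
]
INJECTED = [
    "SELECT * from dvd_stock where [catalog-no] = '' union select cardNo, customerId, 0 from DVD_Orders --' and location = 1",
    "SELECT * from dvd_stock where [catalog-no] = '' uni/* */on select cardNo, customerId, 0 from DVD_Orders --' and location = 1",
    "SELECT * from dvd_stock where [catalog-no] = '' u n i o n select cardNo, customerId, 0 from DVD_Orders --' and location = 1",
]

# Signature approach: the "union within 100 characters of select" idea from the rule.
UNION_SELECT_RE = re.compile(r"\bunion\b.{1,100}?\bselect\b", re.I | re.S)


def regex_says_bad(sql: str) -> bool:
    """Blacklist decision: True when the signature fires."""
    return UNION_SELECT_RE.search(sql) is not None


# Grammar approach: tokenize, drop comments, abstract literals, keep the structure.
KEYWORDS = {
    "select", "from", "where", "and", "or", "not", "in", "like", "between",
    "union", "all", "insert", "into", "values", "update", "set", "delete",
    "order", "group", "by", "having", "null", "is",
}

TOKEN_RE = re.compile(r"""
      --[^\n]*                 # line comment: swallows the rest of the line
    | /\*.*?\*/                # block comment
    | '(?:[^']|'')*'           # single-quoted string literal ('' escapes a quote)
    | \d+(?:\.\d+)?            # numeric literal
    | \[[^\]]+\]               # bracketed identifier such as [catalog-no]
    | [A-Za-z_][A-Za-z0-9_]*   # bare identifier or keyword
    | \S                       # any other single character: operator, punctuation
""", re.X | re.S)


def cluster(sql: str) -> str:
    """Reduce a statement to its structural skeleton, i.e. its cluster key."""
    parts = []
    for tok in TOKEN_RE.findall(sql):
        if tok.startswith("--") or tok.startswith("/*"):
            continue                     # comments carry no grammar
        if tok.startswith("'"):
            parts.append("?s")           # every string literal looks the same
        elif tok[0].isdigit():
            parts.append("?n")           # every numeric literal looks the same
        elif tok.lower() in KEYWORDS:
            parts.append(tok.upper())    # keywords are case-insensitive
        else:
            parts.append(tok.lower())    # identifiers and operators
    return " ".join(parts)


class ClusterPolicy:
    """Whitelist: a statement passes only if its cluster was seen in the baseline."""

    def __init__(self, baseline):
        self.allowed = {cluster(s) for s in baseline}

    def decision(self, sql: str) -> str:
        return "pass" if cluster(sql) in self.allowed else "block"


if __name__ == "__main__":
    policy = ClusterPolicy(BASELINE)
    for sql in BASELINE + INJECTED:
        print(f"regex={'bad' if regex_says_bad(sql) else 'ok ':3} "
              f"cluster={policy.decision(sql):5} | {sql[:60]}")
```

    Run stand-alone, the regex column shows the false positive on the boys/girls UNION and the two misses on the obfuscated spellings, while the cluster column passes both baseline statements (and any statement that differs only in its literal values) and blocks all three injections, because none of them matches a known structure. Evasion tricks aimed at the keyword are irrelevant to a whitelist of structures. The same literal abstraction is also what lets a logged statement be stored without the literal values that would carry PII.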

  • 27

    Summary - understanding SQL

    Regular expression pattern matching does not understand SQL intention

    It can generate false positives and miss attacks (false negatives)

    High maintenance

    Oracle Database Firewall clusters are deterministic and provide accurate policy application

    Speed of lookup is constant in the number of clusters in the policy

    By understanding the SQL grammar, SQL injection and other out-of-policy SQL are detected as anomalies

  • 28

    Database Firewall

    reporting

  • 29

    Oracle Database Firewall Reporting

    Database Firewall log data is consolidated into a reporting database

    Over 130 built-in reports that can be modified and customized

    Database activity and privileged user reports

    Entitlements reporting for database attestation and audit

    Supports demonstrating controls for PCI, SOX, HIPAA/HITECH, etc.

    Logged SQL statements can be sanitized of sensitive PII data


  • 31

    Oracle Database Firewall Key Features

    Highly accurate:

    Unique and powerful SQL recognition technology, 100% language based, using grammatical analysis

    High performance and scalability:

    Semantic clustering provides high-speed processing

    Scales per platform, rather than just adding platforms

    Manageability:

    Fewer boxes to deploy and manage

    Database Firewall Local/Remote Monitors do not need to be upgraded when the RDBMS platform or OS is patched

    No need to sign on to individual Database Firewalls to administer them

  • 32

    Demonstrate Internal Controls: Privacy and Compliance

    Reporting:

    Over 100 pre-defined audit reports

    Create new reports and customize existing ones

    Reports can be distributed to security and compliance staff without human and/or DBA intervention

    Published reporting schema, so customers can use their favorite reporting tools

    Flexible policies:

    White list, black list and exception policies

    Factors such as user, schema, IP address and OS user

    New queries, queries by SQL category, etc.

  • 33

    For More Information

    oracle.com/database/security

    search.oracle.com for "Database security"
