Oracle Database Firewall: the first line of defense
Iveta Šťavinová, Technology Pre-Sales
Agenda
- What is a Database Firewall
- Oracle Database Firewall Components and Deployment Modes
- Reporting
Why a Database Firewall?
- Customers need a first line of defence to monitor and protect against existing and emerging threats
- Hackers breach databases from the web by exploiting vulnerabilities in applications
- Stolen credentials are exploited for unauthorized use
(Diagram: Application -> Database Firewall -> Database)
Oracle Database Firewall Differentiator
Network packet: Header (address), Payload (body/data), Trailer (footer)
The Database Firewall works with the body of the packet, that is, with the SQL payload itself.
(Diagram: Application -> Database Firewall -> Database)
The cost of inaccuracy
- 3,000 transactions per second = 260 million transactions per day
- 0.0001% false negative rate: 26 successful attacks per day ... it only takes one ...
- 0.001% false positive rate: 260 false positives per day, 7,800 audit errors per month
Oracle Database Firewall: First Line of Defense
- Monitor database activity and block unauthorized database access
- Highly accurate SQL grammar-based analysis to enforce normal activity
- Built-in and custom compliance reports for SOX, PCI, and other regulations
Heterogeneous Database Support
RDBMS platforms supported:
- Oracle 8i, 9i, 10g, 11g
- MS-SQL 2000, 2005, 2008
- Sybase 12.5.3 to 15
- SQL Anywhere v10
- DB2 for LUW
The grammar engine handles the separate SQL dialect of each platform.
Oracle Database Firewall: The Components
Oracle Database Firewall Basic Components
- Database Firewall: blocks unauthorized traffic, monitors access (also deployable in HA mode)
- Remote/Local Monitor: forwards network traffic to the Database Firewall
- Database Firewall Management Server: reports and archive repository; firewall management, policy management; alerts, integration
- Policy Analyzer: creates security policies; runs on a Windows desktop
DB Firewall In-Line Deployment
(Diagram labels: Application Servers, Database Clients, Oracle Database Firewall, Monitor, Block)
- SQL traffic is inspected and verified against policy
- Also known as a Bridge or transparent bridge
- Sometimes the only option if out-of-band ports are not available
Certified network cards
Card Type | Vendor
Copper 10/100/1000 | Interface Masters Niagara 32264
Fiber 10/100/1000 (SX and LX) for PCI-X | Interface Masters Niagara 2282 (Dual); Interface Masters Niagara 2283 (Quad)
Fiber 10/100/1000 (SX and LX) for PCI-e | Interface Masters Niagara 2285 (Dual); Interface Masters Niagara 2284 (Quad)
Fiber 10G (PCI-E) | Interface Masters Niagara 32710 (Dual)
DB Firewall Out-Of-Line Deployment
(Diagram labels: Application Servers, Database Clients, Oracle Database Firewall, Monitor, Block)
- Also known as SPAN port, mirrored port, or tap
- SQL logging and reporting only
- Easy to deploy, no risk of impacting databases or applications
DB Firewall Remote Monitoring Deployment
(Diagram labels: Application Servers, Database Clients, Remote Monitoring Agent, Oracle Database Firewall, Monitor, Block)
DB Firewall Proxy-Mode Deployment
(Diagram labels: Application Servers, Database Clients, Oracle Database Firewall, Monitor, Block)
Oracle Database Firewall Host-Based Monitors
Two types of monitors:
- Remote Monitor (spy)
- Local Monitor: does not work with network communication; works with local sessions (SSH session, keyboard, console)
Both must be connected to the Oracle Database Firewall.
They are optional and not required in most enterprise deployments.
Oracle Database Firewall Remote Monitor
- Runs on the database server operating system
- Sends database transactions to the Oracle Database Firewall
- Supported platforms are determined first by OS (Linux, AIX, Unix, Solaris) and then by the RDBMS platforms that DBFW supports
(Diagram label: SQL Log)
Oracle Database Firewall Local Monitor
- Resides inside the database
- Monitors local / non-network access (local session, application, ad-hoc tool, SSH session, keyboard access)
- Does not record duplicated statements; only the last statement is recorded
- Supported platforms: Oracle 9i to 11g; MS-SQL 2005, 2008; Sybase 12.5.3 to 15
(Diagram label: SQL Log)
Oracle Database Firewall User Role Auditing
Entitlement reports:
- User names
- User roles and privileges
- Last changed, changed by whom and when
Automated and transparent:
- User role auditing can be run ad hoc or scheduled
- Reports on user roles and privileges, with deltas since the last report
Workflow:
- Changes can be marked as accepted or refused
Oracle Database Firewall Stored Procedure Auditing
Stored procedure contents: it is not enough to know that a procedure was run; it is important to know what SQL is executed when the procedure is called.
Stored procedure reports:
- Name
- Content
- Threat rating (injection risk, system tables, etc.)
- Stored procedure type (DML, DDL, DCL, SELECT, etc.)
- Last changed, changed by whom and when
Automated and transparent:
- Stored procedure audit can be run ad hoc or scheduled
Workflow:
- Changes can be marked as accepted or refused
Oracle Database Firewall Accuracy
Policy Engines: Why is Accuracy Important?
- 3,000 transactions per second = 260 million per day
- 0.001% false positive rate = 7,800 audit errors per month
- 0.0001% false negative rate results in 26 potential attacks per day!
High-performance run-time matching ensures that only appropriate SQL interactions are sent to the database.
- False positives: the engine detects (flags) when it should not
- False negatives: attacks avoid detection
2011 Oracle Corporation
Issues with Regular Expressions
Regular expressions fail to understand the meaning, motives and intentions of SQL when you only match strings and text.
Good statement:
    SELECT * from dvd_stock where [catalog-no] = 'PHE8131' and location = 1
Bad statement (SQL injection):
    SELECT * from dvd_stock where [catalog-no] = '' union select cardno, customerid, 0 from DVD_Orders --' and location = 1
Can You Tune Regular Expressions?
The rule "union is bad when it appears near select" is written as:
    u(?:nion\b.{1,100}?\bselect
and the full signature it is taken from reads:
    (?:\b(?:(?:s(?:elect\b(?:.{1,100}?\b(?:(?:length|count|top)\b.{1,100}?\bfrom|from\b.{1,100}?\bwhere)|.*?\b(?:d(?:ump\b.*\bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_(?:(?:addextendedpro|sqlexe)c|(?:oacreat|prepar)e|execute(?:sql)?|makewebtask)|ql_(?:longvarchar|variant))|xp_(?:reg(?:re(?:movemultistring|ad)|delete(?:value|key)|enum(?:value|key)s|addmultistring|write)|e(?:xecresultset|numdsn)|(?:terminat|dirtre)e|availablemedia|loginconfig|cmdshell|filelist|makecab|ntsec)|u(?:nion\b.{1,100}?\bselect|tl_(?:file|http))|group\b.*\bby\b.{1,100}?\bhaving|d(?:elete\b\w*?\bfrom|bms_java)|load\b\w*?\bdata\b.*\binfile|(?:n?varcha|tbcreato)r)\b|i(?:n(?:to\b\w*?\b(?:dump|out)file|sert\b\w*?\binto|ner\b\w*?\bjoin)\b|(?:f(?:\b\w*?\(\w*?\bbenchmark|null\b)|snull\b)\w*?\()|a(?:nd\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|utonomous_transaction\b)|o(?:r\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|pen(?:rowset|query)\b)|having\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|print\b\w*?\@\@|cast\b\w*?\()|(?:;\W*?\b(?:shutdown|drop)|\@\@version)\b|'(?:s(?:qloledb|a)|msdasql|dbo)')
[Source: ModSecurity, Web Application Firewall, February 2009]
Is this comprehensible or manageable?
False Positive and False Negative
False positive: union is NOT universally bad when it appears next to select, as in this statement:
    SELECT lastname from boys union SELECT lastname from girls
False negative: union without saying it, so the pattern never sees the word:
    uni/* */on
    u/* */nion
    char(117,110,105,111,110)
    u n i o n
Understanding SQL
SQL is a language with about 400 key words and a strict grammar structure.
In the two statements below the words select, from, where, and and between occur both as KEY WORDS and inside string DATA; only the grammar tells KEY WORDS, SCHEMA, DATA and OPERATORS apart:
    UPDATE tbl_users SET comments = 'The user has asked for another account_no, and wishes to be billed for services between 1/2/2009 and 2/2/2009, and wants to know where the invoice should be sent to. She will select the new service level agreement to run from 3/7/2009 next month' WHERE id = 'A15431029';
    SELECT id, username, password, account_no FROM tbl_users WHERE username = 'Bill' AND account_no BETWEEN 1001000 AND 1001012;
When the grammar of the language is understood, organizing the SQL into clusters reduces policy errors:
    Cluster 1: SELECT * FROM certs WHERE cert-type = '18
    Cluster 2: SELECT * FROM dvd_stock WHERE catalog-no = 'PHE8131' and location = 1
When a SQL statement is not in a cluster, you can identify it as out-of-policy and apply rules to log, block, or pass it.
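As an added example (not code from the slides or from Oracle's product), the following Python builds a toy version of the clustering idea from the last three slides: a small SQL lexer turns each statement into a grammatical skeleton in which string and numeric data become placeholders, a white list of skeletons is learned from known-good traffic, and anything outside it receives the out-of-policy action. It runs the slides' own good statement, injected statement and boys/girls union, plus a comment-obfuscated union and the keyword-laden UPDATE, through both the quoted union-near-select regex and the cluster policy, so the false positive, the false negative and the keywords-in-data case can be seen side by side. The keyword list, tokenizer, sample statements and policy learning are simplifications assumed for this example, not the product's grammar engine.

```python
import re

# Constructed sample statements: the slides' good, injected and union examples, a
# comment-obfuscated union from the evasion slide, and the keyword-laden UPDATE.
GOOD_STOCK = "SELECT * from dvd_stock where [catalog-no] = 'PHE8131' and location = 1"
INJECTED = ("SELECT * from dvd_stock where [catalog-no] = '' union select cardno, "
            "customerid, 0 from DVD_Orders --' and location = 1")
GOOD_UNION = "SELECT lastname from boys union SELECT lastname from girls"
EVADED = "SELECT * from dvd_stock where [catalog-no] = '' uni/* */on select cardno from DVD_Orders --'"
KEYWORDS_IN_DATA = (
    "UPDATE tbl_users SET comments = 'The user has asked for another account_no, and wishes "
    "to be billed for services between 1/2/2009 and 2/2/2009, and wants to know where the "
    "invoice should be sent to. She will select the new service level agreement to run from "
    "3/7/2009 next month' WHERE id = 'A15431029'")

# Assumed toy keyword list (the real language has about 400).
KEYWORDS = {"SELECT", "FROM", "WHERE", "AND", "OR", "UNION", "UPDATE", "SET",
            "INSERT", "INTO", "VALUES", "BETWEEN", "ORDER", "BY", "DELETE"}

# The "union near select" fragment quoted from the ModSecurity rule on the slide.
UNION_SELECT_RE = re.compile(r"union\b.{1,100}?\bselect", re.I | re.S)

# Lexer: whitespace, comments, quoted strings, numbers, bracketed names, words, operators.
TOKEN_RE = re.compile(r"""
      (?P<ws>\s+)
    | (?P<comment>--[^\n]*|/\*.*?\*/)
    | (?P<string>'(?:[^']|'')*')
    | (?P<number>\d+(?:\.\d+)?)
    | (?P<bracket>\[[^\]]+\])
    | (?P<word>[A-Za-z_][A-Za-z0-9_]*)
    | (?P<op>[=<>!]+|[(),;*+\-/.])
""", re.X | re.S)


def regex_verdict(sql):
    """Text-only signature: fires wherever the pattern appears, data or not."""
    return bool(UNION_SELECT_RE.search(sql))


def keyword_soup(sql):
    """What a text scanner 'sees': every keyword-looking word, even inside string data."""
    return {w.upper() for w in re.findall(r"[A-Za-z_]+", sql) if w.upper() in KEYWORDS}


def tokenize(sql):
    """Lex SQL into (kind, text) pairs; whitespace and comments are dropped."""
    pos, tokens = 0, []
    while pos < len(sql):
        m = TOKEN_RE.match(sql, pos)
        if m is None:
            raise ValueError("unexpected character at offset %d: %r" % (pos, sql[pos]))
        if m.lastgroup not in ("ws", "comment"):
            tokens.append((m.lastgroup, m.group()))
        pos = m.end()
    return tokens


def cluster_key(sql):
    """Collapse a statement to its grammatical skeleton: key words and schema names
    stay, string and numeric data become placeholders, so statements that differ
    only in data fall into the same cluster."""
    parts = []
    for kind, text in tokenize(sql):
        if kind == "string":
            parts.append("S")
        elif kind == "number":
            parts.append("N")
        elif kind == "word":
            up = text.upper()
            parts.append(up if up in KEYWORDS else text.lower())
        else:
            parts.append(text)
    return " ".join(parts)


def build_policy(baseline):
    """Learn the white list of clusters from a sample of known-good traffic."""
    return {cluster_key(s) for s in baseline}


def evaluate(sql, policy, default_action="block"):
    """Pass statements whose cluster is in policy; everything else, including text
    the lexer cannot make sense of, gets the out-of-policy action (log/block)."""
    try:
        return "pass" if cluster_key(sql) in policy else default_action
    except ValueError:
        return default_action


def demo():
    """Run each sample through the regex and the cluster policy: (regex_hit, action)."""
    policy = build_policy([
        GOOD_STOCK,
        "SELECT * from dvd_stock where [catalog-no] = 'ABC0001' and location = 7",
        GOOD_UNION,
        KEYWORDS_IN_DATA,
        "SELECT * FROM certs WHERE cert_type = '18'",
    ])
    samples = [("good", GOOD_STOCK), ("injected", INJECTED), ("good_union", GOOD_UNION),
               ("evaded", EVADED), ("keywords_in_data", KEYWORDS_IN_DATA)]
    return {name: (regex_verdict(sql), evaluate(sql, policy)) for name, sql in samples}


if __name__ == "__main__":
    for name, (regex_hit, action) in demo().items():
        print("%-17s regex_hit=%-5s firewall=%s" % (name, regex_hit, action))
```

The regex flags the boys/girls union (false positive), misses the comment-split union (false negative) and says nothing about the UPDATE, whose comment text nevertheless contains seven keyword-looking words. The cluster policy passes both legitimate statements because their skeletons were learned from baseline traffic, and treats the injected and obfuscated statements as out-of-policy because their skeletons were never seen; lookup is a set membership test, so its cost does not grow with the number of clusters.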
Summary: Understanding SQL
Regular expressions:
- Pattern matching does not understand SQL intention
- Can generate false positives and non-detection
- High maintenance
Oracle Database Firewall:
- Clusters are deterministic and provide accurate policy application
- Speed of lookup is constant in the number of clusters in the policy
- By understanding the SQL grammar, SQL injection and other out-of-policy SQL are detected as anomalies
Database Firewall Reporting
Oracle Database Firewall Reporting
- Database Firewall log data is consolidated into a reporting database
- Dozens of built-in reports that can be modified and customized
- Database activity and privileged user reports
- Entitlements reporting for database attestation and audit
- Supports demonstrating controls for PCI, SOX, HIPAA, etc.
- Logged SQL statements can be sanitized of sensitive PII data
Oracle Database Firewall Reporting
(Diagram: several Oracle Database Firewalls feeding one reporting database)
- Database Firewall log data is consolidated into a reporting database
- Over 130 built-in reports that can be modified and customized
- Entitlements reporting for database attestation and audit
- Database activity and privileged user reports
- Supports demonstrating PCI, SOX, HIPAA/HITECH, etc. controls
Oracle Database Firewall Key Features
Highly accurate:
- Unique and powerful SQL recognition technology
- 100% language based, using grammatical analysis
Highly performant and scalable:
- Semantic clustering provides high-speed processing
- Scales per platform, rather than just adding platforms
Manageability:
- Fewer boxes to deploy and manage
- Database Firewall Local/Remote Monitors do not need to be upgraded when the RDBMS platform or OS is patched
- No need to sign on to individual Database Firewalls to administer them
Demonstrate Internal Controls
Privacy and compliance reporting:
- Over 100 pre-defined audit reports
- Create new reports and customize existing ones
- Reports can be distributed to the security and compliance staff without human and/or DBA intervention
- Published reporting schema so customers can use their favorite reporting tools
Flexible policies:
- White list, black list, and exception policies
- Based on user, schema, and factors such as IP addresses and OS users
- New queries, queries by SQL category, etc.
For More Information
search.oracle.com (search for "Database security") or oracle.com/database/security