Oracle Database Firewall - Pierre Leon

Presentation of Oracles NEW Database Firewall Software by Pierre Leon


1. Oracle Database Firewall
   Pierre Leon, Database Security – Oracle UK

2. Agenda
   • Evolving Threats to Databases
   • Oracle Database Firewall
   • Security Models
   • Policy Enforcement
   • Reporting
   • Architecture and Deployment Modes
   • Oracle Database Security Solutions
   • Q&A
   © 2011 Oracle Corporation

3. How is Data Compromised?
   Source: 2010 Data Breach Investigations Report

4. #1 Cause of Data Breaches: Web Applications Hacked with SQL Injection and Stolen Credentials Obtained Using Malware
   Charts (2010 Data Breach Investigations Report): threat action categories by % of breaches and % of records; types of hacking by % of breaches within hacking and % of records; attack pathways by % of breaches and % of records.

5. Existing Security Solutions Not Enough
   Diagram: threats (key loggers, malware, SQL injection, espionage, spear phishing, botware, social engineering) reach the database through web users, application users, the application itself and database administrators.
   Data Must Be Protected at the Source

6. Database Security: Defense In Depth Approach
   • Monitor and block threats before they reach databases
   • Track changes and audit database activity
   • Control access to data within the database
   • Prevent access by non-database users
   • Implement with
     • Transparency – no changes to existing applications
     • High Performance – no measurable impact on applications
     • Accuracy – minimal false positives and negatives

7. Business Drivers
   • Customers need a first line of defence to monitor and protect against existing and emerging threats
   • Hackers breach databases from the web by exploiting vulnerabilities in applications
   • Stolen credentials are exploited for unauthorised use
   Diagram: Application → Database Firewall → Database

8. Oracle Database Firewall: First Line of Defense
   Diagram: applications → Database Firewall (allow, log, alert, substitute, block), driven by built-in and custom policies, producing alerts and built-in and custom reports.
   • Monitor database activity to help prevent unauthorised activity, application bypass, SQL injection, illegal access to sensitive data, etc.
   • Highly accurate SQL grammar based analysis, no false positives
   • White-list, black-list, and exception-list based security policies
   • Built-in and custom compliance reports for regulations

9. Oracle Database Firewall: Positive Security Model Based Enforcement
   Diagram: applications → white list → allow or block.
   • White-list based policies enforce normal or expected behavior
   • Policies evaluate factors such as time, day, network, and application
   • Easily generate white-lists for any application
   • Out-of-policy SQL statements can be logged, alerted, blocked or substituted with a harmless SQL statement
   • SQL substitution foils attackers without disrupting applications

10. Oracle Database Firewall: Negative Security Model Based Enforcement
   Diagram: applications → black list → allow or block.
   • Stop specific unwanted SQL commands, user or schema access
   • Prevent privilege or role escalation and unauthorised access to sensitive data
   • Black-list policies can evaluate factors such as day, time, network, and application

11. Oracle Database Firewall: Scalable and Safe Policy Enforcement
   Diagram: applications → Database Firewall with actions log, allow, alert, substitute, block. Example of substitution: SELECT * FROM accounts becomes SELECT * FROM dual where 1=0.
   • Innovative SQL grammar technology reduces millions of SQL statements into a small number of SQL characteristics or "clusters"
   • Flexible enforcement at SQL level: block, substitute, alert and pass, log only
   • SQL substitution foils attackers without disrupting applications
   • Centralised policy management and reporting
   • Superior performance and policy scalability

12. SQL Injection: Too Much Trust in Applications
   Diagram: the application sends two statements to the firewall.
   Allowed: SELECT * FROM dvd_stock WHERE catalog-no = PHE8131 AND location = 1
   Blocked: SELECT * FROM dvd_stock WHERE catalog-no = UNION SELECT cardNo, customerId, 0 FROM DVD_Orders-- AND location = 1
   • Applications are given high levels of privilege
   • The database trusts the application
   • "Users" subvert the application to gain access to the database (and beyond)
   • Each application is unique
   • Regular expression black lists are ineffective
   • A grammar based white list blocks SQL injection attacks

13. Oracle Database Firewall: Semantic Analysis and Policy Creation
   • Train the Analyser on Firewall logs
   • Automatically generate white lists
   • Create exceptions
   • Create default actions for unrecognised SQL/anomalies
   • Novelty policies
   • Assign threat levels
   • Assign actions
   • Set policies for logon/logoff and failed login

14. Oracle Database Firewall: Data Masking
   • Prevents creating yet another database with sensitive and regulated data
   • Sensitive and regulated information contained in SQL statements can be masked or redacted in real time prior to being logged
   • Flexible masking policies allow masking all data or just specific columns
   • Critical for organisations who want to monitor and log all database activity

15. Oracle Database Firewall: Reporting
   • Database Firewall log data is consolidated into a reporting database
   • Dozens of built-in reports that can be modified and customised
   • Database activity and privileged user reports
   • Entitlements reporting for database attestation and audit
   • Supports demonstrating controls for PCI, SOX, HIPAA, etc.
   • Logged SQL statements can be sanitised of sensitive PII data

16. Oracle Database Firewall: Local Monitor Architecture
   Diagram: in-line blocking and monitoring; out-of-band monitoring of inbound SQL traffic; HA mode; policy management and Analyser server(s).
   • In-line blocking and monitoring, or out-of-band monitoring modes
   • High availability with parallel Firewalls / Management Servers
   • Monitoring of remote databases by forwarding network traffic
   • Application agnostic
   • Support for Oracle and non-Oracle databases

17. Oracle Database Firewall: Fast and Flexible Deployments
   Diagram: users → application servers → Database Firewall (in-line, or out-of-band via a router SPAN port) → database servers, with an optional host-based agent on the database server.
   • In-Line: all database traffic goes through the Oracle Database Firewall
   • Out-of-Band/Passive: Database Firewall connected to a SPAN port or TAP
   • Optional host-based Remote or Local Monitors
     • Can send network traffic from the database host to the Database Firewall
     • Can send non-network database activity to the Database Firewall to identify unauthorised use of the local console or remote sessions

18. Major US East-Coast Bank: Active Database Firewall
   Business Challenges
   • Protect business critical databases to prevent unauthorised access, data loss and PII exposure
   • Monitor and protect over 600 databases across 7 international data centers
   • Minimal impact to existing database performance
   Solution
   • Oracle Database Firewall for real-time database protection and monitoring of billions of transactions per day
   • Prevent unauthorised data access and malicious activity
   Business Results
   • Passed internal and external audit
   • Demonstrate active controls over data access and database systems
   • Standardised security, alerts and reporting across the complete business

19. Major US Investment Bank: Auditing Data Changes
   Business Challenges
   • Monitor 60+ databases
   • Track every change to customer data
   • Alert on unauthorised changes to stored procedures or user roles and privileges
   • Automated report distribution to internal auditors
   Solution
   • Database Firewall deployed in heterogeneous environments providing monitoring and reporting on every change to customer data
   • Monitor procedure and user role changes with full separation of duties from the existing DBA team
   Business Results
   • Passes daily audits
   • Audit data ready for sign-off automatically emailed before the start of business

20. Major European Government: Protecting Government Data and PII
   Business Challenges
   • Prevent access to highly sensitive citizen data other than via the certified application
   • Enforce strict application behavior through a white list
   • Monitor and audit every transaction 24x365
   Solution
   • Six fully redundant pairs of Database Firewalls to maintain a complete database security perimeter
   • Critical high-availability architecture to meet strict service-level requirements
   Business Results
   • Complete protection from unauthorised access, hacking or malicious changes to application code
   • Highly sensitive citizen data protected by a continuously available firewall perimeter
   • Meets government standards for PII data storage

21. Heterogeneous Database Support
   • Oracle 8i, 9i, 10g, 11g
   • MS-SQL 2000, 2005, 2008
   • Sybase 12.5.4 to 15.0.x
   • SQL Anywhere 10.x
   • DB2 9.x for LUW

22. Oracle Database Security Solutions: Inside. Outside. Complete.
   • Monitor and block threats before they reach databases
   • Track changes and audit database activity
   • Control access to data within the database
   • Prevent access by non-database users
   • Transparency, high performance, accuracy
   Monitoring & Blocking: Database Firewall
   Access Control: Database Vault, Label Security, Identity Management
   Auditing & Tracking: Audit Vault, Configuration Management, Total Recall
   Encryption & Masking: Advanced Security, Secure Backup, Data Masking

23. For More Information
   search.oracle.com: "database security", or oracle.com/database/security

25. Remote/Local Monitor
   • Remote Monitor
     • Runs on the server operating system
     • Sends database transactions to Oracle Database Firewall
     • Supported platforms are determined by OS and then by the RDBMS platforms that DBFW supports:
   • Local Monitor
     • Resides inside a database
     • Monitors local / non-network access

26. User Role Reporting
   • Entitlement Reports
     • User names
     • User roles and privileges
     • Last changed, changed by whom and when
   • Automated and transparent
     • User role reporting can be run ad hoc or scheduled
     • Report on user roles and privileges
     • Deltas since the last report

27. Stored Procedure Reporting
   • Stored procedure contents
     • It's not enough to know a procedure was run; it is important to know what SQL was executed when the procedure is called
   • Stored procedure reports
     • Name
     • Content
     • Threat rating (injection risk, system tables, etc.)
     • Stored procedure type (DML, DDL, DCL, SELECT, etc.)
     • Last changed, changed by whom and when
   • Automated and transparent
     • Stored procedure reporting can be run ad hoc or scheduled

28. The Cost of Inaccuracy
   select * from hr.employees;
   3,000 transactions per second
   260 million transactions per day
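The SQL clustering, white-list training and substitution described on slides 11 to 13, as an added example that is not part of the original presentation and not Oracle's code: a toy tokenizer that collapses literals into placeholders stands in for the grammar engine, and the WhiteListPolicy class, the cluster function and the quoted sample statement are assumptions made for this illustration.

```python
import re
# Toy stand-in for the grammar-based "clustering" on slides 11-13: literals become
# placeholders, so statements differing only in values share one cluster, while a
# structural change (injected UNION, trailing comment) yields a different one.
TOKEN = re.compile(r"""
    '(?:[^']|'')*'        |   # string literal
    \b\d+(?:\.\d+)?\b     |   # numeric literal
    --.*                  |   # line comment, swallows the rest of the statement
    [A-Za-z_][\w$.]*      |   # keyword or identifier
    \S                        # operator or punctuation
""", re.VERBOSE)
KEYWORDS = {"SELECT", "FROM", "WHERE", "AND", "OR", "UNION", "INSERT", "UPDATE", "DELETE"}
SUBSTITUTE_SQL = "SELECT * FROM dual WHERE 1=0"   # harmless statement from slide 11

def cluster(sql):
    """Reduce a statement to its structural signature (its 'cluster')."""
    shape = []
    for tok in TOKEN.findall(sql):
        if tok.startswith("--"):
            shape.append("<comment>")
        elif tok.startswith("'") or tok[0].isdigit():
            shape.append("?")                  # literal value, not part of the shape
        elif tok.upper() in KEYWORDS:
            shape.append(tok.upper())
        else:
            shape.append(tok.lower())
    return " ".join(shape)

class WhiteListPolicy:
    """Positive security model: learned clusters pass, anything else gets the default action."""
    def __init__(self, default_action="block"):
        self.allowed = set()
        self.default_action = default_action   # block | substitute | alert | log
    def train(self, logged_statements):
        """Slide 13: generate the white list from statements observed in the logs."""
        self.allowed.update(cluster(s) for s in logged_statements)

    def enforce(self, sql):
        """Return (action, statement forwarded to the database, or None if blocked)."""
        if cluster(sql) in self.allowed:
            return "allow", sql
        if self.default_action == "substitute":
            return "substitute", SUBSTITUTE_SQL
        if self.default_action == "block":
            return "block", None
        return self.default_action, sql        # alert / log: pass through and record

# Constructed sample: the DVD-stock lookup from slide 12, with its literal quoted.
fw = WhiteListPolicy(default_action="substitute")
fw.train(["SELECT * FROM dvd_stock WHERE catalog_no = 'PHE8131' AND location = 1"])
```

A lookup with different values lands in the learned cluster and is allowed, while the slide-12 UNION injection falls outside it and is replaced with the harmless statement instead of reaching the database.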
