
Oracle Database Firewall - Pierre Leon



Presentation of Oracle's NEW Database Firewall Software by Pierre Leon

Published in: Technology


  1. Oracle Database Firewall. Pierre Leon, Database Security – Oracle UK
  2. Agenda
     - Evolving Threats to Databases
     - Oracle Database Firewall
     - Security Models
     - Policy Enforcement
     - Reporting
     - Architecture and Deployment Modes
     - Oracle Database Security Solutions
     - Q&A

     © 2011 Oracle Corporation
  3. How is Data Compromised? Source: 2010 Data Breach Investigations Report
  4. #1 Cause of Data Breaches: Web Applications Hacked with SQL Injection and Stolen Credentials Obtained Using Malware
     [Charts: threat action categories, types of hacking (within Hacking), and attack pathways, each by % of breaches and % of records. Source: 2010 Data Breach Investigations Report]
  5. Existing Security Solutions Not Enough
     [Diagram labels: Key Loggers, Malware, SQL Injection, Espionage, Spear Phishing, Botware, Social Engineering; Web Users, Application Users, Application, Database, Database Administrators]
     Data Must Be Protected at the Source
  6. Database Security: Defense In Depth Approach
     - Monitor and block threats before they reach databases
     - Track changes and audit database activity
     - Control access to data within the database
     - Prevent access by non-database users
     - Implement with
       - Transparency – no changes to existing applications
       - High Performance – no measurable impact on applications
       - Accuracy – minimal false positives and negatives
  7. Business Drivers
     - Customers need a first line of defence to monitor and protect against existing and emerging threats
     - Hackers breach databases from the web, exploiting vulnerabilities in applications
     - Stolen credentials exploited for unauthorised use

     [Diagram: Application, Database Firewall, Database]
  8. Oracle Database Firewall: First Line of Defense
     [Diagram: Applications; actions Allow, Log, Alert, Substitute, Block; outputs Alerts, Built-in Reports, Custom Reports, Policies]
     - Monitor database activity to help prevent unauthorised activity, application bypass and SQL injections, illegal access to sensitive data etc.
     - Highly accurate SQL grammar based analysis, no false positives
     - White-list, black-list, and exception-list based security policies
     - Built-in and custom compliance reports for regulations
  9. Oracle Database Firewall: Positive Security Model Based Enforcement
     [Diagram: Applications; White List; Allow, Block]
     - White-list based policies enforce normal or expected behavior
     - Policies evaluate factors such as time, day, network, and application
     - Easily generate white-lists for any application
     - Out of policy SQL statements can be logged, alerted, blocked or substituted with a harmless SQL statement
     - SQL substitution foils attackers without disrupting applications
  10. Oracle Database Firewall: Negative Security Model Based Enforcement
      [Diagram: Applications; Black List; Allow, Block]
      - Stop specific unwanted SQL commands, user or schema access
      - Prevent privilege or role escalation and unauthorised access to sensitive data
      - Black list policies can evaluate factors such as day, time, network, and application
  11. Oracle Database Firewall: Scalable and Safe Policy Enforcement
      [Diagram: Applications; actions Log, Allow, Alert, Substitute, Block. Substitute example: SELECT * FROM accounts becomes SELECT * FROM dual where 1=0]
      - Innovative SQL grammar technology reduces millions of SQL statements into a small number of SQL characteristics or “clusters”
      - Flexible enforcement at SQL level: block, substitute, alert and pass, log only
      - SQL substitution foils attackers without disrupting applications
      - Centralised policy management and reporting
      - Superior performance and policy scalability
  12. SQL Injection: Too much trust in applications
      [Diagram: Application sends two statements to the database]
      Allow: SELECT * FROM dvd_stock WHERE catalog-no = PHE8131 AND location = 1
      Block: SELECT * FROM dvd_stock WHERE catalog-no = UNION SELECT cardNo, customerId, 0 FROM DVD_Orders -- AND location = 1
      - Applications are given high levels of privilege
      - Database trusts the application
      - “Users” subvert the application to access the database (and beyond)
      - Each application is unique
      - Regular expression black lists are ineffective
      - Grammar based white list blocks SQL injection attacks
  13. Oracle Database Firewall: Semantic Analysis and Policy Creation
      - Train the Analyser on Firewall logs
      - Automatically generate White Lists
      - Create exceptions
      - Create default actions for unrecognised SQL/anomalies
      - Novelty policies
      - Assign threat levels
      - Assign actions
      - Set policies for Logon/Logoff and Failed Login
  14. Oracle Database Firewall: Data Masking
      - Prevents creating yet another database with sensitive and regulated data
      - Sensitive and regulated information contained in SQL statements can be masked or redacted in real-time prior to being logged
      - Flexible masking policies allow masking all data or just specific columns
      - Critical for organisations who want to monitor and log all database activity
  15. Oracle Database Firewall: Reporting
      - Database Firewall log data consolidated into reporting database
      - Dozens of built-in reports that can be modified and customised
      - Database activity and privileged user reports
      - Entitlements reporting for database attestation and audit
      - Supports demonstrating controls for PCI, SOX, HIPAA, etc.
      - Logged SQL statements can be sanitised of sensitive PII data
  16. Oracle Database Firewall: Architecture
      [Diagram labels: Local Monitor, In-Line Blocking and Monitoring, Out-of-Band Monitoring, Inbound SQL Traffic, HA Mode, Policy Analyser, Management Server(s)]
      - In-line blocking and monitoring, or out-of-band monitoring modes
      - High availability with parallel Firewalls / Management Servers
      - Monitoring of remote databases by forwarding network traffic
      - Application agnostic
      - Support for Oracle and non-Oracle Databases
  17. Oracle Database Firewall: Fast and Flexible Deployments
      [Diagram labels: Application Servers, Users, Router, Database Firewall (In-Line, Out-of-Band), Database Servers, Host Based Agent]
      - In-Line: All database traffic goes through the Oracle Database Firewall
      - Out-of-Band/Passive: Database Firewall connected to a SPAN port or TAP
      - Optional Host Based Remote or Local Monitors
        - Can send network traffic from the database host to the Database Firewall
        - Can send non-network database activity to the Database Firewall to identify unauthorised use of local console or remote sessions
  18. Major US East-Coast Bank: Active Database Firewall
      - Business Challenges
        - Protect business critical databases to prevent unauthorised access, data loss and PII exposure
        - Monitor and protect over 600 databases across 7 international data centers
        - Minimal impact to existing database performance
      - Solution
        - Oracle Database Firewall for real-time database protection and monitoring of billions of transactions per day
        - Prevent unauthorised data access and malicious activity
      - Business Results
        - Passed internal and external audit
        - Demonstrate active controls over data access and database systems
        - Standardised security, alerts and reporting across the complete business
  19. Major US Investment Bank: Auditing Data Changes
      - Business Challenges
        - Monitor 60+ databases
        - Track every change to customer data
        - Alert on unauthorised changes to stored procedures or user roles and privileges
        - Automated report distribution to internal auditors
      - Solution
        - Database Firewall deployed in heterogeneous environments providing monitoring and reporting on every change to customer data
        - Monitor procedure and user role changes with full separation of duties from existing DBA team
      - Business Results
        - Passes daily audits
        - Audit data ready for sign-off automatically emailed before the start of business
  20. Major European Government: Protecting Government Data and PII
      - Business Challenges
        - Prevent access to highly sensitive citizen data other than via certified application
        - Enforce strict application behavior through white-list
        - Monitor and audit every transaction 24x365
      - Solution
        - Six fully redundant pairs of Database Firewall to maintain a complete database security perimeter
        - Critical high-availability architecture to meet strict service-level requirements
      - Business Results
        - Complete protection from unauthorised access, hacking or malicious changes to application code
        - Highly sensitive citizen data protected by continuously available firewall perimeter
        - Meets government standards for PII data storage
  21. Heterogeneous Database Support
      - Oracle 8i, 9i, 10g, 11g
      - MS-SQL 2000, 2005, 2008
      - Sybase 12.5.4 to 15.0.x
      - SQL Anywhere 10.x
      - DB2 9.x for LUW
  22. Oracle Database Security Solutions: Inside. Outside. Complete.
      - Monitor and block threats before they reach databases
      - Track changes and audit database activity
      - Control access to data within the database
      - Prevent access by non-database users
      - Transparency, high performance, accuracy

      Products by category:
      - Monitoring & Blocking: Database Firewall
      - Access Control: Database Vault, Label Security, Identity Management
      - Auditing & Tracking: Audit Vault, Configuration Management, Total Recall
      - Encryption & Masking: Advanced Security, Secure Backup, Data Masking
  23. For More Information database security or
  25. Remote/Local Monitor
      - Remote Monitor
        - Runs on the server operating system
        - Sends database transactions to Oracle Database Firewall
        - Platform support is by OS, and then by the RDBMS platforms that DBFW supports:
      - Local Monitor
        - Resides inside a database
        - Monitors local / non-network access
  26. User Role Reporting
      - Entitlement Reports
        - User names
        - User roles and privileges
        - Last changed, changed by whom and when
      - Automated and transparent
        - User role reporting can be run ad-hoc or scheduled
        - Report on user roles and privileges
        - Deltas since the last report
  27. Stored Procedure Reporting
      - Stored procedure contents
        - It's not enough to know a procedure was run; it is important to know what SQL was executed when the procedure is called.
      - Stored procedure reports
        - Name
        - Content
        - Threat rating (injection risk, system tables etc.)
        - Stored procedure type (DML, DDL, DCL, SELECT etc.)
        - Last changed, changed by whom and when
      - Automated and transparent
        - Stored procedure reporting can be run ad hoc or scheduled
  28. The Cost of Inaccuracy
      select * from hr.employees;
      - 3,000 transactions per second
      - 260 million transactions per day
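
The clustering, white-list and substitution ideas from slides 9, 11 and 12, as an added sketch that is not part of the presentation and not Oracle's implementation. A simplified lexer stands in for the product's SQL grammar analysis, the function names are hypothetical, and the quoting in the sample statements is assumed because the slide text lost it.

```python
import re

# Simplified SQL lexer; a real grammar-based engine parses the full dialect.
TOKEN_RE = re.compile(r"""
    (?P<comment>--[^\n]*)           # line comment
  | (?P<string>'(?:[^']|'')*')      # quoted string literal
  | (?P<number>\b\d+(?:\.\d+)?\b)   # numeric literal
  | (?P<word>[A-Za-z_]\w*)          # keyword or identifier
  | (?P<op>[^\s\w])                 # operator or punctuation
""", re.VERBOSE)

SUBSTITUTE = "SELECT * FROM dual WHERE 1=0"  # harmless statement from slide 11

def cluster(sql):
    """Reduce a statement to its structure: literal values become '?'."""
    out = []
    for m in TOKEN_RE.finditer(sql):
        kind = m.lastgroup
        if kind == "comment":
            out.append("--")              # record the comment, drop its text
        elif kind in ("string", "number"):
            out.append("?")
        elif kind == "word":
            out.append(m.group().upper()) # simplification: case-insensitive names
        else:
            out.append(m.group())
    return " ".join(out)

def train(statements):
    """Build a white list of clusters from known-good application traffic."""
    return {cluster(s) for s in statements}

def enforce(sql, whitelist, action="substitute"):
    """Return (decision, statement forwarded to the database)."""
    if cluster(sql) in whitelist:
        return ("allow", sql)
    if action == "substitute":
        return ("substitute", SUBSTITUTE)
    return ("block", None)

# Constructed sample traffic based on the slide 12 statements (quotes assumed).
TRAINING = ["SELECT * FROM dvd_stock WHERE catalog-no = 'PHE8131' AND location = 1",
            "SELECT * FROM dvd_stock WHERE catalog-no = 'XYZ0042' AND location = 7"]
LEGIT = "SELECT * FROM dvd_stock WHERE catalog-no = 'ABC0001' AND location = 2"
INJECTED = ("SELECT * FROM dvd_stock WHERE catalog-no = '' UNION SELECT "
            "cardNo, customerId, 0 FROM DVD_Orders --' AND location = 1")
WHITELIST = train(TRAINING)

if __name__ == "__main__":
    for stmt in (LEGIT, INJECTED):
        print(enforce(stmt, WHITELIST))
```

Both training statements collapse into one cluster, so the white list stays small while the injected UNION changes the statement structure and falls outside it regardless of the literal values used.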