Oracle Database Firewall What is New in Database Firewall 5.1

Copyright © 2012, Oracle and/or its affiliates. All rights reserved.

Oracle Database Firewall What’s New in Database Firewall 5.1?

Tammy Bednar, Sr. Principal Product Manager

January 2012


Program Agenda

• Why Do You Need A Database Firewall?

• Oracle Database Firewall Overview

• What’s new in Database Firewall 5.1

• Demo

• Summary and Next Steps

• Q&A


Over 1B Records Have Been Breached from Database Servers Over the Past 6 Years

Two Thirds of Sensitive and Regulated Information Now Resides in Databases

… and Doubling Every Two Years

Source: IDC, 2011; Verizon, 2007-2011

• 48% Data Breaches Caused by Insiders

• 89% Records Stolen Using SQL Injection

• 86% Hacking Used Stolen Credentials


Traditional Perimeter and Application Security Leave Databases Vulnerable …

Must Address Attacks Exploiting Legitimate Access to Database

Diagram labels: Database Applications; Database Users and Administrators; Endpoint Security; Authentication and User Security; Network Security; Email Security


Challenges in Network-based Monitoring

Accuracy

• Black list vs. white list approach

• False positives, false negatives

Policy Authoring

• Applications, users, management

• Simple and flexible, factor based

Deployment Flexibility

• In-line, span, proxy?

• High availability

Stability and Flexibility

• OS modules can crash systems

• Dependence on fixed hardware can be limiting

Latency and Scale

• Should not have measurable impact

• Should scale to enterprise deployments


Oracle Database Firewall First Line Of Defense

• Monitors database activity, and prevents attacks and SQL injections

• White-list, black-list, and exception-list based security policies based upon highly accurate SQL grammar based analysis

• In-line blocking and monitoring, or out-of-band monitoring modes


Accuracy Matters the Most

• High performance run-time matching must ensure only appropriate SQL interactions are sent to a database

– False positives: detection fires when it should not

– False negatives: attacks avoid detection

• 1,000 transactions per second = 86 Million transactions per day

• 0.001% false positive rate = 27,000 disruptions to the business per month, or almost 100 per day!

False positives bad, false negatives even worse…

0.0001% False Negative Rate Results In 86 Potential Successful Attacks Per Day!


Regular Expressions vs SQL Recognition

• 1st generation database activity monitoring solutions from third party vendors are based on regular expression technology

– Pattern matching does not understand SQL intention

– High maintenance due to false positives

– Can generate a high rate of false positives, and attacks can avoid detection

• State of the art SQL grammar-based detection engine

– The grammar of the SQL statement is analyzed and grouped into clusters

– Clusters are deterministic and provide accurate policy application

– SQL injection and other out-of-policy SQL are detected as anomalies and blocked

– Speed of lookup is constant regardless of the number of clusters


Signature Based Solutions Don’t Work

Richness of SQL Results in Infinite Variety of Patterns

SELECT * from stock where catalog-no = 'PHE8131' and location = 1

SELECT * from stock where catalog-no = ''--' and location = 1

SELECT * from stock where catalog-no = '' having 1=1 -- ' and location = 1

SELECT * from stock where catalog-no = '' order by 4--' and location = 1

SELECT * from stock where catalog-no = '' union select cardNo,customerId,0 from Orders where name = 'John Smith'--' and location = 1

SELECT * from stock where catalog-no = '' union select min(cardNo),1,0 from Orders where cardNo > '0'--' and location = 1


Positive Security Model

White List (diagram: statements from Applications are either allowed or blocked)

Allow: SELECT * from stock where catalog-no='PHE8131'

Block: SELECT * from stock where catalog-no=''--'

• “Allowed” behavior can be defined for any user or application

• Automated whitelist generation for any application

• Many factors to define policy (e.g. network, application, etc)

• Out-of-policy Database network interactions instantly blocked


Blocking Out Of Policy Statement

Diagram labels: Applications; Block; Log; Allow; Alert; Substitute

SELECT * FROM stock becomes SELECT * FROM dual where 1=0

• Unique graceful blocking achieved by substituting out-of-policy statement with predefined benign statement

• TCP reset which can affect more than one user when used with Database connection pools

• Wait for network reset to disconnect session
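
The grammar-clustering, white-list and statement-substitution slides above can be illustrated with a short sketch. This Python is an added example, not Oracle's engine or code from the deck: it masks literals to derive a statement shape, hashes the shape into a cluster id, and substitutes the slide's benign statement for anything outside the learned white list. The function names, the token set and the training statements are assumptions.

```python
import hashlib
import re

# Illustrative lexer (assumption): covers the slide's statements, not full SQL.
TOKEN = re.compile(r"""
    (?P<ws>\s+)
  | (?P<comment>--[^\n]*)
  | (?P<str>'(?:[^']|'')*')
  | (?P<num>\d+(?:\.\d+)?)
  | (?P<word>[A-Za-z_][A-Za-z0-9_]*)
  | (?P<op><>|<=|>=|!=|[-+*/=<>(),.;])
""", re.VERBOSE)
BENIGN = "SELECT * FROM dual where 1=0"  # substitute statement from the slide

def shape(sql):
    """Reduce a statement to its structure: words and operators kept, literals masked."""
    out, pos = [], 0
    while pos < len(sql):
        m = TOKEN.match(sql, pos)
        if m is None:                     # e.g. an unterminated quote
            out.append("<bad>")
            pos += 1
            continue
        if m.lastgroup in ("str", "num"):
            out.append(f"<{m.lastgroup}>")
        elif m.lastgroup in ("word", "op"):
            out.append(m.group().lower())
        pos = m.end()                     # whitespace and comments are dropped
    return " ".join(out)

def cluster_id(sql):
    """Stable identifier shared by every statement with the same shape."""
    return hashlib.sha256(shape(sql).encode()).hexdigest()

def learn(statements):
    """Build the white list from observed application traffic."""
    return {cluster_id(s) for s in statements}

def enforce(sql, whitelist):
    """Return (action, statement forwarded to the database)."""
    if cluster_id(sql) in whitelist:      # set lookup: cost independent of policy size
        return "allow", sql
    return "substitute", BENIGN

# Constructed training traffic: the slide's legitimate query with two literal values.
WHITELIST = learn([
    "SELECT * from stock where catalog-no = 'PHE8131' and location = 1",
    "SELECT * from stock where catalog-no = 'ABC0001' and location = 7",
])
```

Passing the injected variants from the "Signature Based Solutions Don’t Work" slide to enforce() yields the substitute action for each one, because the comment marker or added clause changes the statement's shape even though no signature for it was ever written.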


Reporting

• Dozens of reports

– Logged Anomalies

– Full Activity Report

– Database Administration

– Active Users

– Differential Audit

– Data Modification Detail

• Custom reports

– Oracle BI Publisher

– Documented schema

• No sensitive data displayed


Deployment Architecture

• Software appliance with hardened Linux and Intel for security, flexibility and scalability

• Deployment modes

– Inline, Out-of-Band, and Proxy

Diagram labels: In-Line Blocking and Monitoring; HA Mode; Inbound SQL Traffic; Out-of-Band Monitoring; Management Server; Policy Analyzer; Applications

Client configured to connect to the proxy IP/port (192.168.1.100:1522)

Database configured to only accept traffic from proxy IP (192.168.1.100)


Database Firewall 5.1 New Features

• Expanded Heterogeneous Support

• Proxy Mode Deployment

• Network Encryption

• Enhanced Policy Management

• Enhanced Reporting

• Performance with Multi-Core Support

• Installation


MySQL 5.0, 5.1, 5.5


Proxy Deployment

Database Firewall in Proxy Mode

Inbound SQL Traffic

Client configured to connect to the DBFW proxy IP/port (192.168.1.100:1522)

192.168.1.100:1522

192.168.1.200:1521

No Changes to Network

Database: configured to only accept traffic from DBFW proxy IP (192.168.1.100)


Advanced Security Native Network Encryption

How Does It Work?

1. Client establishes a connection to the database using ASO encryption

2. Firewall recognizes encrypted traffic and requests the ASO session key from the database

3. Database returns the ASO session key encrypted with the Firewall’s public key

4. Firewall retrieves the ASO session key and uses it to decrypt SQL traffic from the client

5. Firewall applies policy on the decrypted traffic

6. Firewall sends the original encrypted SQL, or new encrypted SQL with SQL substitution, to the database

Diagram labels: Request ASO Session Key; Encrypted SQL; ASO Session Key encrypted with FW Public Key


Advanced Security Native Network Encryption

How Do I Configure It?

• Apply source database Patch 13051081 to support session key exchange

• Copy the Firewall Public key to the source database host

• Update source database sqlnet.ora

• Create Enforcement Point to use Direct Database Interrogation

SQLNET.ENCRYPTION_SERVER=required
SQLNET.ENCRYPTION_TYPES_SERVER=AES256
SQLNET.DBFW_PUBLIC_KEY=/<path>/dbfw_public_key.pem
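
One way to verify the source database's sqlnet.ora against the three settings above. This Python check is an added example, not part of the deck or an Oracle tool; the function names are hypothetical, and it assumes one parameter per line with no continuation lines.

```python
import re

def parse_sqlnet(text):
    """Parse 'NAME = value' lines; names are case-insensitive, '#' starts a comment.

    Assumption of this sketch: one parameter per line, no continuation lines."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"([A-Za-z0-9_.]+)\s*=\s*(.+)$", line)
        if m:
            # A parenthesised value is a comma-separated list, e.g. (AES256, AES192).
            items = [v.strip() for v in m.group(2).strip().strip("()").split(",")]
            params[m.group(1).upper()] = [v for v in items if v]
    return params

def check_dbfw_settings(text):
    """Return findings; an empty list means the three settings match the slide."""
    p = parse_sqlnet(text)
    findings = []
    if [v.lower() for v in p.get("SQLNET.ENCRYPTION_SERVER", [])] != ["required"]:
        findings.append("SQLNET.ENCRYPTION_SERVER is not 'required'")
    if "AES256" not in [v.upper() for v in p.get("SQLNET.ENCRYPTION_TYPES_SERVER", [])]:
        findings.append("SQLNET.ENCRYPTION_TYPES_SERVER does not offer AES256")
    key = p.get("SQLNET.DBFW_PUBLIC_KEY", [])
    if not key:
        findings.append("SQLNET.DBFW_PUBLIC_KEY is not set")
    elif "<" in key[0]:
        findings.append("SQLNET.DBFW_PUBLIC_KEY still contains a placeholder path")
    return findings

# Constructed sample: the slide's settings with the <path> placeholder left in.
SAMPLE = """\
# sqlnet.ora on the source database host
SQLNET.ENCRYPTION_SERVER = required
sqlnet.encryption_types_server = (AES256)
SQLNET.DBFW_PUBLIC_KEY = /<path>/dbfw_public_key.pem
"""

if __name__ == "__main__":
    for finding in check_dbfw_settings(SAMPLE):
        print("FINDING:", finding)
```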


Policy Setting Enhancements

• Dual actions for exceptions:

– Session-based block list

– Privileged user policy bypass (e.g. Block external IPs and Out-of-policy applications, Log all DBA activity)


Policy Setting Enhancements

• Enhanced Novelty Policies

– Rules that match ‘any’ tables in the policy (for auditing)

– Rules that match ‘all’ tables in the policy (for security)


Policy Setting Enhancements

• Blocking options

– Option to use TCP reset when Statement Substitution not used


Report Enhancements

BI Publisher Run-Time Integration

• Crystal was replaced with BI Publisher runtime

• Use BI Publisher to easily create and load new reports via the Report UI

• Audit reports allow you to select search results to use for report output


Enhanced Vertical Scalability

Multi-Core Support

• Improves support for high-throughput systems

• Allocate dedicated cores per protected database per database firewall

• Works for all database platforms


Install Changes Only Select Management Interface


Provides Additional Information of NIC


Manage the Addition / Removal of NICs


Manage the Oracle Embedded Database


Demo


Oracle Database Firewall Summary

• Highly accurate SQL grammar-based analysis

– Low maintenance and high confidence to block unauthorized activity

• Flexible blocking support

– SQL substitution, TCP reset connection, or network termination of session

• Fast performance and scalable to real world work load

– Scales to tens of thousands of transactions per second

• Built-in compliance reports and alerting

– Integrated with F5 ASM to identify the end user associated with attacks

– Integrated with ArcSight for correlation with other events

• Choice of deployment platforms

– Runs on servers, blades, or virtual platforms


Oracle Database Security Strategy

Encryption, Privileged User Controls, Classification

Activity Monitoring, Auditing, Blocking Attacks, Reporting

Database Lifecycle Management, Data Masking for Non-Production

Maximum Security: Controls within Database

Low Security: Sensitive Data Removed

External Controls: Protect Oracle & Non-Oracle Database

Defense-in-depth


Next Steps

• More information about Database Security on OTN

http://www.oracle.com/us/products/database/security/index.html

http://www.oracle.com/us/products/database/database-firewall-160528.html

Database Firewall Documentation:

http://www.oracle.com/technetwork/database/database-firewall/documentation/index.html

• Database Firewall available for download on OTN

• Engage Oracle Platform Technology Solutions

Email [email protected]

Subject “Database Security”


Q&A
