Oracle Database Firewall What is New in Database Firewall 5.1
1 Copyright © 2012, Oracle and/or its affiliates. All rights reserved.
Oracle Database Firewall
What’s New in Database Firewall 5.1?
Tammy Bednar, Sr. Principal Product Manager
January 2012
Program Agenda
• Why Do You Need A Database Firewall?
• Oracle Database Firewall Overview
• What’s new in Database Firewall 5.1
• Demo
• Summary and Next Steps
• Q&A
Over 1B Records Have Been Breached from Database Servers Over the Past 6 Years
Two Thirds of Sensitive and Regulated Information Now Resides in Databases
… and Doubling Every Two Years
Source: IDC, 2011; Verizon, 2007-2011
Verizon breach findings (2009 and 2011 charts):
• 48% of Data Breaches Caused by Insiders
• 89% of Records Stolen Using SQL Injection
• 86% of Hacking Used Stolen Credentials
Traditional Perimeter and Application Security Leave Databases Vulnerable …
Diagram: Database, Applications, and Database Users and Administrators, surrounded by the traditional layers of Endpoint Security, Authentication and User Security, Network Security, and Email Security
Must Address Attacks Exploiting Legitimate Access to Database
Challenges in Network-based Monitoring
• Accuracy
– Black list vs. white list approach
– False positives, false negatives
• Policy Authoring
– Applications, users, management
– Simple and flexible, factor based
• Deployment Flexibility
– In-line, span, proxy?
– High availability
• Stability and Flexibility
– OS modules can crash systems
– Dependence on fixed hardware can be limiting
• Latency and Scale
– Should not have measurable impact
– Should scale to enterprise deployments
Oracle Database Firewall: First Line Of Defense
• Monitors database activity, and prevents attacks and SQL injections
• White-list, black-list, and exception-list based security policies based upon highly accurate SQL grammar based analysis
• In-line blocking and monitoring, or out-of-band monitoring modes
Accuracy Matters the Most
• High performance run-time matching must ensure only appropriate SQL interactions are sent to a database
– False positives: legitimate SQL is detected (and disrupted) when it should not be
– False negatives: malicious SQL avoids detection
• 1,000 transactions per second = 86 Million transactions per day
• 0.001% false positive rate = 27,000 disruptions to the business per month, or almost 100 per day!
False positives bad, false negatives even worse…
0.0001% False Negative Rate Results In 86 Potential Successful Attacks Per Day!
Regular Expressions vs SQL Recognition
• 1st generation database activity monitoring solutions from third party vendors are based on regular expression technology
– Pattern matching does not understand SQL intention
– High maintenance due to false positives
– Can generate many false positives while attacks still avoid detection
• State of the art SQL grammar-based detection engine
– The grammar of the SQL statement is analyzed and grouped into clusters
– Clusters are deterministic and provide accurate policy application
– SQL injection and other out-of-policy SQL are detected as anomalies and blocked
– Speed of lookup is constant regardless of the number of clusters
Signature Based Solutions Don’t Work
Richness of SQL Results in Infinite Variety of Patterns
SELECT * from stock where catalog-no = 'PHE8131' and location = 1
SELECT * from stock where catalog-no = ''--' and location = 1
SELECT * from stock where catalog-no = '' having 1=1 -- ' and location = 1
SELECT * from stock where catalog-no = '' order by 4--' and location = 1
SELECT * from stock where catalog-no = '' union select cardNo,customerId,0
from Orders where name = 'John Smith'--' and location = 1
SELECT * from stock where catalog-no = '' union select min(cardNo),1,0 from
Orders where cardNo > '0'--' and location = 1
White List
Diagram: Applications send SQL through the Database Firewall; in-policy statements are allowed, out-of-policy statements are blocked
Allow: SELECT * from stock where catalog-no='PHE8131'
Block: SELECT * from stock where catalog-no=''--'
Positive Security Model
• “Allowed” behavior can be defined for any user or application
• Automated whitelist generation for any application
• Many factors to define policy (e.g. network, application, etc)
• Out-of-policy Database network interactions instantly blocked
Blocking Out-of-Policy Statements
Policy actions: Block, Log, Allow, Alert, Substitute
Example substitution: SELECT * FROM stock becomes SELECT * FROM dual where 1=0
• Unique graceful blocking achieved by substituting the out-of-policy statement with a predefined benign statement
• TCP reset, which can affect more than one user when used with database connection pools
• Wait for network reset to disconnect the session
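The slides on grammar-based clustering, the whitelist, and statement substitution (slides 9 through 12) describe the idea without showing it in code. The following is an added example, not Oracle's code and not how Database Firewall is implemented: a small tokenizer reduces each statement to its grammatical shape (literals become placeholders, comments collapse to a marker), the shape is the cluster key, the whitelist is a hash set of keys so lookup cost does not depend on how many clusters exist, and an out-of-policy statement is replaced with the benign statement from slide 12. The training statements and the injection variants are the ones printed on slide 10, plus one constructed statement that differs from the legitimate query only in its data values; the names `cluster_key`, `WhiteList` and `screen` are this example's own.

```python
import re

# Tokenizer for the SQL seen in the slide examples. Alternation order matters:
# a comment or string literal is consumed whole before its characters could be
# read as operators, which is exactly what a pattern-only filter fails to do.
TOKEN_RE = re.compile(
    r"(?P<comment>--[^\n]*)"              # line comment: swallows the rest of the line
    r"|(?P<string>'(?:[^']|'')*')"        # single-quoted literal, '' escapes a quote
    r"|(?P<number>\d+(?:\.\d+)?)"         # numeric literal
    r"|(?P<word>[A-Za-z_][A-Za-z0-9_]*)"  # keyword or identifier
    r"|(?P<op>[<>!]=|[^\s])"              # two-character comparison, else any single char
)

def cluster_key(sql):
    """Reduce a statement to its grammatical shape.

    String and numeric literals become placeholders, words are lower-cased and a
    comment collapses to one marker. Statements that differ only in data values
    share a key; any change in structure (an extra predicate, a UNION, a trailing
    comment that truncates the intended WHERE clause) produces a different key.
    """
    key = []
    for m in TOKEN_RE.finditer(sql):
        kind = m.lastgroup
        if kind == "string":
            key.append("?s")
        elif kind == "number":
            key.append("?n")
        elif kind == "comment":
            key.append("<comment>")
        elif kind == "word":
            key.append(m.group().lower())
        else:
            key.append(m.group())
    return tuple(key)

# Benign replacement statement from slide 12: returns no rows, keeps the session alive.
SUBSTITUTE = "SELECT * FROM dual where 1=0"

class WhiteList:
    """Positive security model: only learned clusters pass; everything else is substituted."""

    def __init__(self):
        self.allowed = set()   # cluster keys; a hash lookup, so cost does not grow with size

    def learn(self, sql):
        self.allowed.add(cluster_key(sql))

    def decide(self, sql):
        """Return ("allow", sql) for in-policy SQL, else ("substitute", SUBSTITUTE)."""
        if cluster_key(sql) in self.allowed:
            return ("allow", sql)
        return ("substitute", SUBSTITUTE)

# Constructed training set: the slide's legitimate query plus one that differs only in values.
BASELINE = [
    "SELECT * from stock where catalog-no = 'PHE8131' and location = 1",
    "SELECT * from stock where catalog-no = 'ABC0042' and location = 7",
]

# The injection variants listed on slide 10.
ATTEMPTS = [
    "SELECT * from stock where catalog-no = ''--' and location = 1",
    "SELECT * from stock where catalog-no = '' having 1=1 -- ' and location = 1",
    "SELECT * from stock where catalog-no = '' order by 4--' and location = 1",
    "SELECT * from stock where catalog-no = '' union select cardNo,customerId,0 "
    "from Orders where name = 'John Smith'--' and location = 1",
    "SELECT * from stock where catalog-no = '' union select min(cardNo),1,0 from "
    "Orders where cardNo > '0'--' and location = 1",
]

def screen(policy, statements):
    """Run every statement through the policy and return the list of decisions."""
    return [policy.decide(s) for s in statements]

if __name__ == "__main__":
    wl = WhiteList()
    wl.learn(BASELINE[0])          # learning from one legitimate statement is enough
    for verdict, sql in screen(wl, BASELINE + ATTEMPTS):
        print(f"{verdict:10} {sql}")
```

Learning only the first baseline statement is enough for the second to be allowed, because the two share a cluster key; all five injection variants land in keys the policy has never seen, so each is substituted rather than reset, and the client session stays up.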
Reporting
• Dozens of reports
– Logged Anomalies
– Full Activity Report
– Database Administration
– Active Users
– Differential Audit
– Data Modification Detail
• Custom reports
– Oracle BI Publisher
– Documented schema
• No sensitive data displayed
Deployment Architecture
• Software appliance with hardened Linux and Intel for security, flexibility and scalability
• Deployment modes
– Inline, Out-of-Band, and Proxy
Diagram: In-Line Blocking and Monitoring (HA Mode) and Out-of-Band Monitoring of inbound SQL traffic from Applications; Management Server with Policy Analyzer
Client configured to connect to the proxy IP/port (192.168.1.100:1522)
Database configured to only accept traffic from proxy IP (192.168.1.100)
Database Firewall 5.1 New Features
• Expanded Heterogeneous Support
• Proxy Mode Deployment
• Network Encryption
• Enhanced Policy Management
• Enhanced Reporting
• Performance with Multi-Core Support
• Installation
Expanded Heterogeneous Support: MySQL 5.0, 5.1, 5.5
Proxy Deployment: Database Firewall in Proxy Mode
Diagram: inbound SQL traffic from the client reaches the DBFW proxy at 192.168.1.100:1522 and is forwarded to the database at 192.168.1.200:1521; no changes to the network
Client configured to connect to the DBFW proxy IP/port (192.168.1.100:1522)
Database configured to only accept traffic from the DBFW proxy IP (192.168.1.100)
Advanced Security Native Network Encryption
How Does It Work?
1. Client establishes a connection to the database using ASO encryption
2. Firewall recognizes encrypted traffic and requests the ASO session key from the database
3. Database returns the ASO session key encrypted with the Firewall’s public key
4. Firewall retrieves the ASO session key and uses it to decrypt SQL traffic from the client
5. Firewall applies policy on the decrypted traffic
6. Firewall sends the original encrypted SQL, or new encrypted SQL with SQL substitution, to the database
Diagram messages: Encrypted SQL (client to firewall to database); Request ASO Session Key (firewall to database); ASO Session Key encrypted with FW Public Key (database to firewall)
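The six steps above are a message flow between three parties, and the page does not spell out what each side holds. The following is an added example, not Oracle's code and not the ASO protocol: it models the exchange with stand-in primitives from the Python standard library, a SHA-256 keystream XOR in place of the AES session cipher and textbook RSA with two small primes in place of the real public-key wrapping, so that only the order of messages and who can read what is being demonstrated. The exact-match policy set stands in for the cluster whitelist, the substitution statement is the one from slide 12, and the class and function names (`Database`, `Firewall`, `run_session`, `rsa_wrap`) are this example's own.

```python
import hashlib
import os

# ---- Toy stand-ins for the cryptography (not the ASO algorithms) -----------------

def _keystream_xor(key, nonce, data):
    """XOR data with a SHA-256 keystream derived from key and nonce. Toy only."""
    out = bytearray()
    block = 0
    while len(out) < len(data):
        out += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, out))

def encrypt(key, plaintext):
    """Symmetric stand-in for the ASO session cipher: fresh nonce || keystream XOR."""
    nonce = os.urandom(8)
    return nonce + _keystream_xor(key, nonce, plaintext)

def decrypt(key, blob):
    return _keystream_xor(key, blob[:8], blob[8:])

def toy_rsa_keypair():
    """Textbook RSA with two fixed primes near 1e6, only to show the wrapping step."""
    p, q = 999983, 1000003
    n, phi = p * q, (p - 1) * (q - 1)
    e = 65537
    return (n, e), (n, pow(e, -1, phi))   # (public, private)

def rsa_wrap(public, key):
    """Encrypt a session key under the firewall's public key, 4 bytes per RSA block."""
    n, e = public
    return [pow(int.from_bytes(key[i:i + 4], "big"), e, n) for i in range(0, len(key), 4)]

def rsa_unwrap(private, blocks):
    n, d = private
    return b"".join(pow(c, d, n).to_bytes(4, "big") for c in blocks)

# ---- The parties ---------------------------------------------------------------

SUBSTITUTE = "SELECT * FROM dual where 1=0"   # benign statement sent in place of a blocked one

class Database:
    def __init__(self, firewall_public_key):
        self.session_key = os.urandom(16)                 # negotiated with the client (step 1)
        self.firewall_public_key = firewall_public_key    # cf. SQLNET.DBFW_PUBLIC_KEY
        self.executed = []

    def handle_key_request(self):
        # Step 3: hand over the session key, readable only with the firewall's private key.
        return rsa_wrap(self.firewall_public_key, self.session_key)

    def receive(self, ciphertext):
        self.executed.append(decrypt(self.session_key, ciphertext).decode())

class Firewall:
    def __init__(self, allowed_statements):
        self.public_key, self._private_key = toy_rsa_keypair()
        self.allowed = set(allowed_statements)   # exact-match policy stands in for the whitelist
        self.session_key = None
        self.log = []

    def inspect(self, ciphertext, database):
        if self.session_key is None:                                   # step 2
            wrapped = database.handle_key_request()
            self.session_key = rsa_unwrap(self._private_key, wrapped)  # step 4
        sql = decrypt(self.session_key, ciphertext).decode()           # step 4
        if sql in self.allowed:                                        # step 5
            self.log.append(("allow", sql))
            forward = ciphertext                    # step 6: original ciphertext, untouched
        else:
            self.log.append(("substitute", sql))
            forward = encrypt(self.session_key, SUBSTITUTE.encode())   # step 6: re-encrypted
        database.receive(forward)

def run_session(statements, allowed):
    """Client sends each statement encrypted; returns the firewall log and what the DB ran."""
    firewall = Firewall(allowed)
    database = Database(firewall.public_key)
    client_key = database.session_key           # the client shares the key from step 1
    for sql in statements:
        firewall.inspect(encrypt(client_key, sql.encode()), database)
    return firewall.log, database.executed

if __name__ == "__main__":
    log, ran = run_session(
        ["SELECT * FROM stock", "SELECT * FROM stock where catalog-no = ''--'"],
        {"SELECT * FROM stock"},
    )
    print(log)
    print(ran)
```

Two properties of the real design show through even with toy primitives: the database never transmits the session key in the clear, only under the firewall's public key, so a passive observer of the firewall-to-database link learns nothing; and an allowed statement is forwarded as the exact bytes the client sent, so the firewall only produces new ciphertext when it substitutes a statement.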
Advanced Security Native Network Encryption
How Do I Configure It?
• Apply source database Patch 13051081 to support session key exchange
• Copy the Firewall public key to the source database host
• Update source database sqlnet.ora
• Create Enforcement Point to use Direct Database Interrogation
sqlnet.ora settings:
SQLNET.ENCRYPTION_SERVER=required
SQLNET.ENCRYPTION_TYPES_SERVER=AES256
SQLNET.DBFW_PUBLIC_KEY=/<path>/dbfw_public_key.pem
Policy Setting Enhancements
• Dual actions for exceptions:
– Session-based block list
– Privileged user policy bypass (e.g. Block external IPs and Out-of-policy applications, Log all DBA activity)
Policy Setting Enhancements
• Enhanced Novelty Policies
– Rules that match ‘any’ tables in the policy (for auditing)
– Rules that match ‘all’ tables in the policy (for security)
Policy Setting Enhancements
• Blocking options
– Option to use TCP reset when Statement Substitution not used
Report Enhancements: BI Publisher Run-Time Integration
• Crystal was replaced with the BI Publisher runtime
• Use BI Publisher to easily create and load new reports via the Report UI
• Audit reports allow you to select search results to use for report output
Enhanced Vertical Scalability: Multi-Core Support
• Improves support for high-throughput systems
• Allocate dedicated cores per protected database per database firewall
• Works for all database platforms
Install Changes: Only Select Management Interface
Provides Additional Information of NIC
Manage the Addition / Removal of NICs
Manage the Oracle Embedded Database
Demo
Oracle Database Firewall Summary
• Highly accurate SQL grammar-based analysis
– Low maintenance and high confidence to block unauthorized activity
• Flexible blocking support
– SQL substitution, TCP reset connection, or network termination of session
• Fast performance and scalable to real world work load
– Scales to tens of thousands of transactions per second
• Built-in compliance reports and alerting
– Integrated with F5 ASM to identify the end user associated with attacks
– Integrated with ArcSight for correlation with other events
• Choice of deployment platforms
– Runs on servers, blades, or virtual platforms
Oracle Database Security Strategy: Defense-in-depth
Diagram layers:
• Maximum Security: Controls within Database (Encryption, Privileged User Controls, Classification)
• External Controls: Protect Oracle & Non-Oracle Database (Activity Monitoring, Auditing, Blocking Attacks, Reporting)
• Low Security: Sensitive Data Removed (Database Lifecycle Management, Data Masking for Non-Production)
Next Steps
• More information about Database Security on OTN:
http://www.oracle.com/us/products/database/security/index.html
http://www.oracle.com/us/products/database/database-firewall-160528.html
• Database Firewall Documentation:
http://www.oracle.com/technetwork/database/database-firewall/documentation/index.html
• Database Firewall available for download on OTN
• Engage Oracle Platform Technology Solutions
– Email [email protected], Subject “Database Security”
Q&A