
Copyright 2012, Oracle and/or its affiliates. All rights reserved.

Oracle Database Firewall: What's New in Database Firewall 5.1?


Tammy Bednar, Sr. Principal Product Manager
January 2012

Program Agenda

Why Do You Need a Database Firewall?
Oracle Database Firewall Overview
What's New in Database Firewall 5.1
Demo
Summary and Next Steps
Q&A

Over 1B Records Have Been Breached from Database Servers Over the Past 6 Years
Two Thirds of Sensitive and Regulated Information Now Resides in Databases and Is Doubling Every Two Years

48% of data breaches caused by insiders
89% of records stolen using SQL injection
86% of hacking used stolen credentials

Source: IDC, 2011; Verizon, 2007-2011

Traditional Perimeter and Application Security Leave Databases Vulnerable

Perimeter controls: Authentication and User Security, Network Security, Email Security, Endpoint Security
Legitimate paths into the database: Database Applications; Database Users and Administrators

Must Address Attacks Exploiting Legitimate Access to the Database

Challenges in Network-based Monitoring

Accuracy: black list vs. white list approach; false positives, false negatives
Policy Authoring: applications, users, management; simple and flexible, factor based
Deployment Flexibility: in-line, span, proxy? high availability
Stability and Flexibility: OS modules can crash systems; dependence on fixed hardware can be limiting
Latency and Scale: should not have measurable impact; should scale to enterprise deployments

Oracle Database Firewall: First Line of Defense

Monitors database activity and prevents attacks and SQL injection
White-list, black-list, and exception-list based security policies built on highly accurate SQL grammar based analysis
In-line blocking and monitoring, or out-of-band monitoring modes

Accuracy Matters the Most

False positives are bad, false negatives even worse
False positive: detects when it should not
False negative: fails to detect
High performance run-time matching must ensure only appropriate SQL interactions are sent to a database

1,000 transactions per second = 86 million transactions per day
A 0.001% false positive rate = 27,000 disruptions to the business per month, or almost 900 per day!
A 0.0001% false negative rate = 86 potential successful attacks per day!

Regular Expressions vs. SQL Recognition

1st generation database activity monitoring solutions from third-party vendors are based on regular expression technology
Pattern matching does not understand SQL intent
High maintenance due to false positives
Can generate many false positives and still miss attacks (false negatives)

State of the art SQL grammar-based detection engine
The grammar of the SQL statement is analyzed and grouped into clusters
Clusters are deterministic and provide accurate policy application
SQL injection and other out-of-policy SQL are detected as anomalies and blocked
Speed of lookup is constant regardless of the number of clusters

Signature Based Solutions Don't Work

Richness of SQL Results in Infinite Variety of Patterns

Legitimate statement:
SELECT * from stock where catalog-no = 'PHE8131' and location = 1

Injected variants of the same statement, each a different pattern a signature would have to enumerate:
SELECT * from stock where catalog-no = ''--' and location = 1
SELECT * from stock where catalog-no = '' having 1=1 -- ' and location = 1
SELECT * from stock where catalog-no = '' order by 4--' and location = 1
SELECT * from stock where catalog-no = '' union select cardNo,customerId,0 from Orders where name = 'John Smith'--' and location = 1
SELECT * from stock where catalog-no = '' union select min(cardNo),1,0 from Orders where cardNo > '0'--' and location = 1

Positive Security Model

Applications -> White List -> Allow: SELECT * from stock where catalog-no='PHE8131'
Applications -> White List -> Block: SELECT * from stock where catalog-no=''--'

Allowed behavior can be defined for any user or application
Automated whitelist generation for any application
Many factors to define policy (e.g. network, application, etc.)
Out-of-policy database network interactions instantly blocked

Blocking Out of Policy Statement

Applications -> SELECT * FROM stock -> Log, Alert -> Allow
Applications -> out-of-policy statement -> Block: becomes substitute SELECT * FROM dual where 1=0

Unique graceful blocking achieved by substituting the out-of-policy statement with a predefined benign statement
The alternatives are less graceful: a TCP reset can affect more than one user when used with database connection pools, and waiting for a network reset to disconnect the session
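The clustering from the "Regular Expressions vs. SQL Recognition" slide, the whitelist from the positive security model and the statement substitution above, as an added Python example. This is not Oracle's engine: the tokenizer, the placeholder rules, the function names and the training statements are my own assumptions, chosen so that the slide's five injection variants land outside the cluster learned from the legitimate lookup.

```python
import re

SUBSTITUTE = "SELECT * FROM dual WHERE 1=0"   # benign statement from the slide

# One token class per alternative. Literals are what an attacker controls, so they
# must NOT influence the cluster; a '--' comment is kept because it changes the
# statement's structure (everything after it is dead).
TOKEN_RE = re.compile(r"""
    (?P<string>'(?:[^']|'')*')       # quoted string literal ('' is an escaped quote)
  | (?P<number>\d+(?:\.\d+)?)        # numeric literal
  | (?P<comment>--[^\n]*)            # line comment
  | (?P<word>[A-Za-z_][\w\-]*)       # keyword or identifier (hyphen kept for catalog-no)
  | (?P<op>[=<>!]+|[(),*;.])         # operators and punctuation
  | (?P<ws>\s+)
""", re.VERBOSE)


def tokenize(sql):
    """Yield (kind, text) pairs; input the grammar cannot parse is itself a finding."""
    pos = 0
    while pos < len(sql):
        m = TOKEN_RE.match(sql, pos)
        if m is None:
            raise ValueError("unparseable input at offset %d: %r" % (pos, sql[pos:pos + 10]))
        pos = m.end()
        if m.lastgroup != "ws":
            yield m.lastgroup, m.group()


def cluster_key(sql):
    """Reduce a statement to its grammatical skeleton: literals become placeholders,
    keywords and identifiers are case-folded, comments survive as a structural marker."""
    parts = []
    for kind, text in tokenize(sql):
        if kind == "string":
            parts.append("'?'")
        elif kind == "number":
            parts.append("?")
        elif kind == "comment":
            parts.append("--")
        else:
            parts.append(text.upper())
    return " ".join(parts)


def learn_whitelist(known_good):
    """Positive model learned from trusted traffic. A set gives O(1) lookup however
    many clusters the application produces."""
    return {cluster_key(s) for s in known_good}


def enforce(sql, whitelist, substitute=SUBSTITUTE):
    """("allow", sql) when the statement's cluster is whitelisted, otherwise
    ("block", substitute): the client gets a well-formed empty result set rather
    than a reset connection that would hit every user sharing the pool."""
    try:
        key = cluster_key(sql)
    except ValueError:
        return "block", substitute
    return ("allow", sql) if key in whitelist else ("block", substitute)


if __name__ == "__main__":
    # Constructed sample: the slide's legitimate lookup (plus a second value) as
    # training data, then a fresh legitimate value and the slide's injection variants.
    whitelist = learn_whitelist([
        "SELECT * from stock where catalog-no = 'PHE8131' and location = 1",
        "select * FROM Stock WHERE catalog-no='QRS2' AND location=7",
    ])
    print(len(whitelist), "cluster(s) learned")        # both statements fold into one
    for stmt in [
        "SELECT * from stock where catalog-no = 'XYZ100' and location = 3",
        "SELECT * from stock where catalog-no = ''--' and location = 1",
        "SELECT * from stock where catalog-no = '' having 1=1 -- ' and location = 1",
        "SELECT * from stock where catalog-no = '' order by 4--' and location = 1",
        "SELECT * from stock where catalog-no = '' union select cardNo,customerId,0 "
        "from Orders where name = 'John Smith'--' and location = 1",
        "SELECT * from stock where catalog-no = '' union select min(cardNo),1,0 "
        "from Orders where cardNo > '0'--' and location = 1",
    ]:
        action, forwarded = enforce(stmt, whitelist)
        print("%-5s %s" % (action, forwarded))
```

Two properties worth checking against the slides: a new catalog number in the legitimate statement maps to the already-learned cluster, so it is allowed without any signature update, and every injected variant produces a different skeleton and is blocked, regardless of which tail the attacker chose. A real engine parses the full grammar rather than a token skeleton, but the policy decision has the same shape: hash the structure, look it up, forward or substitute.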

Reporting

Dozens of reports: Logged Anomalies, Full Activity Report, Database Administration, Active Users, Differential Audit, Data Modification Detail
Custom reports: Oracle BI Publisher, documented schema
No sensitive data displayed

Deployment Architecture

In-Line Blocking and Monitoring: inbound SQL traffic from Applications passes through the firewall
Out-of-Band Monitoring
Proxy: client configured to connect to the proxy IP/port (192.168.1.100:1522); database configured to only accept traffic from the proxy IP (192.168.1.100)
Management Server with Policy Analyzer
HA Mode

Software appliance with hardened Linux and Intel for security, flexibility and scalability
Deployment modes: Inline, Out-of-Band, and Proxy

Database Firewall 5.1 New Features

Expanded Heterogeneous Support
Proxy Mode Deployment
Network Encryption
Enhanced Policy Management
Enhanced Reporting
Performance with Multi-Core Support
Installation

Expanded Heterogeneous Support

MySQL 5.0, 5.1, 5.5

Proxy Deployment

Client configured to connect to the DBFW proxy IP/port (192.168.1.100:1522)
Database configured to only accept traffic from the DBFW proxy IP (192.168.1.100)
No changes to the network

Inbound SQL Traffic -> Database Firewall in Proxy Mode (192.168.1.100:1522) -> Database (192.168.1.200:1521)
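One way to realise the two configuration statements above with standard Oracle Net settings, as an added example rather than anything from the slides or the Database Firewall documentation. The alias name STOCKDB and the service name stockdb are assumptions; the addresses are the ones on the slide.

```text
# tnsnames.ora on the client host: the alias points at the firewall proxy,
# not at the database listener, so the application needs no code change
STOCKDB =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.1.100)(PORT = 1522))
    (CONNECT_DATA = (SERVICE_NAME = stockdb))
  )

# sqlnet.ora on the database host (read by the listener): valid node checking
# rejects TCP connections that do not originate from the proxy, so a client
# cannot bypass the firewall by connecting to 192.168.1.200:1521 directly
TCP.VALIDNODE_CHECKING = YES
TCP.INVITED_NODES = (192.168.1.100)
```

The listener reads the valid node settings at startup, so reload it after the change and verify from a non-proxy host that a direct connection to 192.168.1.200:1521 is refused. Because every session now arrives from 192.168.1.100, any policy that depends on the original client address has to be applied at the firewall, not in the database.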

Advanced Security Native Network Encryption: How Does It Work?

Messages on the wire: request ASO session key; ASO session key encrypted with the firewall public key; encrypted SQL

1. Client establishes a connection to the database using ASO encryption
2. Firewall recognizes encrypted traffic and requests the ASO session key from the database
3. Database returns the ASO session key encrypted with the firewall's public key
4. Firewall retrieves the ASO session key and uses it to decrypt SQL traffic from the client
5. Firewall applies policy on the decrypted traffic
6. Firewall sends the original encrypted SQL, or new encrypted SQL with SQL substitution, to the database

Advanced Security Native Network Encryption: How Do I Configure It?

Apply source database Patch 13051081 to support session key exchange
Copy the Firewall public key to the source database host
Update the source database sqlnet.ora:
SQLNET.ENCRYPTION_SERVER=required
SQLNET.ENCRYPTION_TYPES_SERVER=AES256
SQLNET.DBFW_PUBLIC_KEY=/<path>/dbfw_public_key.pem
Create an Enforcement Point to use Direct Database Interrogation
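Steps 1 to 6 above as an added simulation in Python, written for this page and not Oracle's implementation. To run with the standard library only, RSA is textbook (no padding, 512-bit modulus) in place of the PEM key pair, an HMAC-SHA256 keystream stands in for the ASO AES256 cipher, and demo_policy is a placeholder for the grammar-based whitelist; all class and function names are mine. What it makes concrete is the trust relationship the sqlnet.ora settings establish: the client never learns a firewall exists, the database wraps the session key under SQLNET.DBFW_PUBLIC_KEY, and only the holder of the matching private key can unwrap it, inspect traffic, and re-encrypt a substitute statement.

```python
import hashlib
import hmac
import os
import random

SUBSTITUTE = "SELECT * FROM dual WHERE 1=0"   # benign replacement statement from the slide
_rng = random.SystemRandom()


# Textbook RSA, demo only (no padding); a real firewall ships a PEM key pair.
def _is_probable_prime(n, rounds=20):
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):                      # Miller-Rabin
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        c = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1    # top bit set, odd
        if _is_probable_prime(c):
            return c


def rsa_keypair(bits=512):
    """((e, n), (d, n)); n is at least 510 bits, well above the 256-bit key it wraps."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:                   # e is prime, so this is gcd(e, phi) == 1
            return (e, p * q), (pow(e, -1, phi), p * q)


def aso_crypt(key, seq, data):
    """Stand-in for the ASO/AES256 session cipher: HMAC-SHA256 keystream XORed over the
    data, keyed by session key plus per-message sequence number. Encrypt == decrypt."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, seq.to_bytes(8, "big") + (i // 32).to_bytes(8, "big"),
                      hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


class Database:
    """Protected database: knows the client's session key and SQLNET.DBFW_PUBLIC_KEY."""
    def __init__(self, firewall_public_key):
        self.firewall_public_key = firewall_public_key
        self.session_key = os.urandom(32)        # step 1: negotiated with the client
        self.executed = []

    def wrap_session_key(self):
        """Steps 2-3: answer the firewall's request with the key encrypted under the
        firewall's public key; a passive observer of this reply learns nothing."""
        e, n = self.firewall_public_key
        return pow(int.from_bytes(self.session_key, "big"), e, n)

    def execute(self, seq, ciphertext):
        sql = aso_crypt(self.session_key, seq, ciphertext).decode()
        self.executed.append(sql)
        return sql


class Firewall:
    """Sole holder of the RSA private key, hence the only party able to unwrap the key."""
    def __init__(self, policy, substitute=SUBSTITUTE):
        self.public_key, self._private_key = rsa_keypair()
        self.policy, self.substitute, self.session_key = policy, substitute, None

    def learn_session_key(self, wrapped):        # step 4
        d, n = self._private_key
        self.session_key = pow(wrapped, d, n).to_bytes(32, "big")

    def inspect(self, seq, ciphertext):
        """Steps 5-6: decrypt, apply policy, then forward the untouched original bytes or
        the substitute statement re-encrypted under the same session key."""
        sql = aso_crypt(self.session_key, seq, ciphertext).decode()
        if self.policy(sql):
            return "allow", ciphertext
        return "block", aso_crypt(self.session_key, seq, self.substitute.encode())


def demo_policy(sql):
    """Placeholder for the grammar-based whitelist: the stock lookup, no comment tails."""
    return sql.upper().startswith("SELECT * FROM STOCK WHERE") and "--" not in sql


def run_exchange(firewall, database, statements):
    """Client encrypts with the key it shares with the database (it never sees the
    firewall); the firewall inspects; the database executes what it receives."""
    results = []
    for seq, sql in enumerate(statements):
        on_the_wire = aso_crypt(database.session_key, seq, sql.encode())
        action, forwarded = firewall.inspect(seq, on_the_wire)
        results.append((action, database.execute(seq, forwarded)))
    return results
```

Usage follows the slide's order: fw = Firewall(demo_policy); db = Database(fw.public_key); fw.learn_session_key(db.wrap_session_key()); then run_exchange(fw, db, [...]) returns one (action, statement the database actually executed) pair per client statement. The practical caveat the simulation exposes is that the firewall's private key is now a decryption key for every protected session, so the appliance and its key file deserve the same handling as the database's own credentials.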

Policy Setting Enhancements

Dual actions for exceptions:
Session-based block list
Privileged user policy bypass (e.g. block external IPs and out-of-policy applications, log all DBA activity)

Enhanced novelty policies:
Rules that match any tables in the policy (for auditing)
Rules that match all tables in the policy (for security)

Blocking options:
Option to use TCP reset when Statement Substitution is not used

Report Enhancements

BI Publisher run-time integration: Crystal Reports was replaced with the BI Publisher runtime
Use BI Publisher to easily create and load new reports via the Report UI
Audit reports allow you to select search results to use for report output

Enhanced Vertical Scalability

Multi-Core Support
Improves support for high-throughput systems
Allocate dedicated cores per protected database per database firewall
Works for all database platforms

Install Changes

Only select the management interface during installation
Provides additional information on each NIC
Manage the addition / removal of NICs
Manage the Oracle embedded database

Demo


Oracle Database Firewall Summary

Highly accurate SQL grammar-based analysis: low maintenance and high confidence to block unauthorized activity
Flexible blocking support: SQL substitution, TCP reset of the connection, or network termination of the session
Fast performance and scalable to real world workloads: scales to tens of thousands of transactions per second
Built-in compliance reports and alerting
Integrated with F5 ASM to identify the end user associated with attacks
Integrated with ArcSight for correlation with other events
Choice of deployment platforms: runs on servers, blades, or virtual platforms

Oracle Database Security Strategy

Defense-in-depth, from maximum to low security:
Maximum Security, controls within the database: Encryption, Privileged User Controls, Classification
External Controls, protecting Oracle and non-Oracle databases: Activity Monitoring, Auditing, Blocking Attacks, Reporting
Low Security, sensitive data removed: Database Lifecycle Management, Data Masking for Non-Production

Next Steps

More information about Database Security on OTN:
http://www.oracle.com/us/products/database/security/index.html
http://www.oracle.com/us/products/database/database-firewall-160528.html

Database Firewall Documentation:
http://www.oracle.com/technetwork/database/database-firewall/documentation/index.html

Database Firewall available for download on OTN
Engage Oracle Platform Technology Solutions: email Oracle-development_ww@oracle.com, subject "Database Security"

Q&A
