First Line of Defense

Oracle Database Firewall monitors database traffic and blocks unauthorized activity.

By Tom Haunert

July/August 2011

Tom Haunert, Oracle Magazine editor in chief, recently sat down with Steve Moyle, chief technical officer of Oracle Database Firewall, for an in-depth discussion of that product’s cutting-edge security features and functionality. The following is an excerpt from that interview. Download the full podcast.

Oracle Magazine: Let’s start at the beginning. Our readers are likely familiar with the concept of a firewall, but what’s different about a database firewall?

Moyle: A database firewall has some similarities with a traditional network-based firewall, in that it’s about protecting and controlling items that flow across the network. But unlike a network-based firewall that’s predominately focused on ensuring only the right destinations can connect to the right sources, a database firewall is entirely focused on the conversations that are flowing in and out of your databases.

Oracle Database Firewall has a complete understanding of the database language—SQL—and it’s this database language that powers the firewall and ensures that only the conversations you want to have going into your database are permitted. All others can be blocked.

Oracle Magazine: What are some other key features of Oracle Database Firewall?

Moyle: The database firewall is there to monitor database activity and to help prevent unauthorized access to and particular attacks on databases, including SQL injections, privilege or role escalations, and illegal access to sensitive data. Oracle Database Firewall has a highly accurate approach to controlling interactions with the database, based on a SQL grammar analysis. This ensures that there are no costly false alarms triggered by the firewall.

The product also provides a very flexible level of enforcement options based on two different security paradigms: a positive security model known as white lists, and a negative security model known as black lists. Customers deploy the firewall using a combination of these two paradigms.

Going beyond this, the firewall has a very scalable architecture that provides enterprise-level performance in many different deployment modes. The great news for database administrators and application authors is that it requires no configuration changes at either the application level or the database level to provide a very powerful level of protection in the environment.

Oracle Magazine: You mentioned SQL injection, and that’s of course something DBAs and database developers must always be conscious of. How does Oracle Database Firewall address SQL injection and other threats?

Moyle: SQL injection is a development-side error. It’s an application-layer error, but it’s not just one single mistake—it can manifest in many different ways. It’s also entirely application specific; each application that has a particular SQL injection vulnerability will appear different to its database than its operator.

Since there’s no one-size-fits-all way of looking for SQL injections, the technology for protecting against them needs to understand what is normal for each database and application in the operating environment. However, with this level of understanding comes protection against all manner of risks. So although a SQL injection is often caused by a malicious attacker on the outside, the same sorts of controls work for protecting against a malicious user on the inside or perhaps someone who has connected a piece of software to the network that is outside policy. All of these unauthorized access mechanisms can be protected against very powerfully by Oracle Database Firewall.

Oracle Magazine: What are some other key risk areas that Oracle Database Firewall can address to ensure security in the enterprise?

Moyle: Oracle Database Firewall reduces the risk profile of a database at the network level by ensuring that only permitted locations can connect through to the database—only permitted applications at permitted times of day with permitted users. For example, high-privilege users may only connect to the database from their workstations at particular times of day, which are their normal hours of business. Should the credentials for a high-privilege user become compromised, it would not be possible to use them from another location within the organization’s network.

In addition to containing privileged-user access, a database firewall also ensures that only in-policy applications are allowed to connect to the database. It also provides the ability to control and enforce controls around access to sensitive data.

Oracle Magazine: With the explosion of tablet computing and smartphones, mobile computing and specifically mobile enterprise computing are a much bigger part of IT than ever before. How do Oracle Database Firewall and its permission strategy address mobile computing?

Moyle: The real extra risk with mobile computing is about the increase in the number of different applications that are calling for information from the database. Each of those applications should be restricted to interacting only with the data in approved methods, and Oracle Database Firewall enables administrators to create and guarantee a restriction so that only permitted database queries are allowed through, regardless of which application they come from.

As customers demand more and more functionality from different devices to access their data, the firewall can guarantee that the data access is still limited to only those queries permitted within the organization’s policy. In a sense, although Oracle Database Firewall is not aware of the tablet or the mobile application, it is aware of what a good and safe conversation looks like between the database, the application layers, and the end user.

Oracle Magazine: Where does Oracle Database Firewall fit into the mix of Oracle database security solutions?

Moyle: Oracle provides many layers of security products and technologies—it’s part of our “defense-in-depth” strategy. On the outside, the first approach to the database as things travel across the network, we have the blocking and logging capability of Oracle Database Firewall. As we walk closer to the center of the database, there are auditing and monitoring products such as Oracle Audit Vault and Oracle’s configuration management tools. Then, as we get into the database itself, we have access control products: Oracle Label Security and Oracle Database Vault. Finally, for the actual secure storage of the data at risk itself, we have Oracle Advanced Security for encryption and other masking products. Oracle Database Firewall is the first layer of defense in this defense-in-depth architecture of products.


Photography by Glenn Carstens-Peters, Unsplash