Oracle updated its Database Firewall with policies that can help administrators fight off SQL injection attacks. The new release offers support for MySQL databases and new compliance reports.
Oracle has updated its Oracle Database Firewall product to improve enterprise database security and help enterprises block both malicious insiders and SQL injection attacks from gaining access to the data.
The new release of Oracle Database Firewall introduces support for MySQL Enterprise Edition and other reporting capabilities, Oracle said Jan. 9. The database firewall protects MySQL databases from data breaches without requiring the administrator to make any changes to the database infrastructure or to the underlying operating system running the database, Vipin Samar, vice president of database security at Oracle, told eWEEK. Developers also won't have to modify existing applications to take advantage of the SQL injection defense capabilities, he said.
With MySQL support, the database firewall now supports Oracle's own flagship product, Database 11g and earlier versions, as well as IBM DB2, Linux, Unix, Windows, Microsoft SQL Server, Sybase Adaptive Server Enterprise and Sybase SQL Anywhere. Many enterprises use MySQL extensively for their database operations, and Oracle added support for the open-source database due to customer demand, Samar said.
"With new MySQL support, Oracle Database Firewall extends the combination of databases that organizations can secure across their enterprise," said Samar.
The Oracle Database Firewall establishes a "defensive perimeter" around databases, which would help administrators address threats such as SQL injection attacks, according to Samar. SQL injection attacks are commonly used by attackers exploiting a vulnerability in Web applications to access and extract data from a database. The attack is often carried out by submitting malicious input through a form in the application, such as a comment box, which tricks the database into executing the attacker's query.
The grammar-based analytical engine compares the SQL queries being submitted with the queries it knows are within the parameters of "normal application behavior" to identify any anomalies, Samar said. When the application sends a suspicious SQL query to the database, the firewall can block the query entirely, substitute it with a harmless query for the database to execute or just log it, depending on the severity, said Samar. The firewall can also issue alerts to administrators when necessary.
If the application is designed to obtain records from the customer table in the database, any query trying to get data from another table is automatically suspicious and can be stopped, Roxana Bradescu, senior director of security product management at Oracle, told eWEEK. Malicious queries, such as one that orders the elimination of entire data tables, can be automatically blocked, Bradescu said.
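To make the two preceding paragraphs concrete, here is a small, added illustration (not Oracle's code, and far simpler than a real grammar engine) of the idea behind a shape-based database firewall: each statement is reduced to its grammatical shape with literals replaced by placeholders, compared against an allowlist of shapes the application is known to issue, and otherwise handled by severity, with a destructive statement blocked, a query reaching beyond the application's own table replaced by a harmless substitute, and an unfamiliar but confined query merely logged. The application, its table and its allowed statements are constructed for the example.

```python
import re

# Constructed allowlist: the shapes of statements this (hypothetical) application
# is known to issue, with literals already replaced by '?' placeholders.
ALLOWED_TABLES = {"customers"}
ALLOWED_SHAPES = {
    "select name , email from customers where id = ?",
    "select id , name from customers where email = ?",
}
# Harmless statement handed to the database in place of a suspicious one.
SUBSTITUTE_QUERY = "select 1 where 1 = 0"
DESTRUCTIVE = {"drop", "truncate", "delete", "alter"}

_LITERAL = re.compile(r"'(?:[^']|'')*'|\b\d+(?:\.\d+)?\b")
_TOKEN = re.compile(r"\w+|[^\s\w]")
_TABLE_REF = re.compile(r"\b(?:from|join|into|update|table)\s+(\w+)", re.I)


def normalize(sql: str) -> str:
    """Reduce a statement to its grammatical shape.

    String and numeric literals become '?', a trailing '--' comment is dropped,
    and the remaining tokens are lowercased and space-separated, so statements
    that differ only in their parameter values share one shape.
    """
    shape = _LITERAL.sub("?", sql).split("--", 1)[0]
    return " ".join(t.lower() for t in _TOKEN.findall(shape))


def referenced_tables(sql: str) -> set:
    """Table names following FROM/JOIN/INTO/UPDATE/TABLE, lowercased."""
    return {t.lower() for t in _TABLE_REF.findall(_LITERAL.sub("?", sql))}


def classify(sql: str) -> tuple:
    """Return (verdict, action) for one statement, most severe check first."""
    shape = normalize(sql)
    if shape in ALLOWED_SHAPES:
        return "allowed", "pass"
    if set(shape.split()) & DESTRUCTIVE:
        return "destructive", "block"         # e.g. a stacked DROP TABLE
    if referenced_tables(sql) - ALLOWED_TABLES:
        return "foreign_table", "substitute"  # reaches beyond the customer table
    return "unknown_shape", "log"             # unfamiliar but confined; record it


def enforce(sql: str):
    """What the database actually receives: the query, a substitute, or nothing."""
    _, action = classify(sql)
    if action == "block":
        return None
    return SUBSTITUTE_QUERY if action == "substitute" else sql
```

A real engine parses the SQL grammar rather than tokenising with regular expressions, but the decision flow is the same: shape match first, then severity-based handling of everything else.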
In a recent Independent Oracle Users Group survey, only 36 percent of respondents said that they have taken steps to ensure their applications are not susceptible to SQL injection attacks, according to Bradescu.
The firewall monitors application behavior in real time to help prevent both SQL injection attacks and unauthorized internal attempts to access data, Samar said.
Oracle Database Firewall is also integrated with Oracle Advanced Security, which allows administrators to monitor all encrypted traffic going to the database for any potential threats.
The new reporting infrastructure in the firewall will help organizations address various regulatory compliance requirements, according to Samar. The new version has 10 new out-of-the-box reports specifically addressing privacy and regulatory mandates such as the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry (PCI) Data Security Standard (DSS) and Sarbanes-Oxley. Oracle Business Intelligence Publisher customers can take advantage of all capabilities for authoring, managing and delivering highly formatted reports, the company said.
MySQL joined Oracle's product portfolio when the database giant closed on its $7.4 billion deal for Sun Microsystems in January 2010. Sun originally acquired MySQL AB, the development team behind the open-source database, for approximately $1 billion in 2008.