The Oracle Database Firewall works on any database and can interpret SQL statements to determine whether or not they are malicious.
IT administrators have the daunting task of defending enterprise databases
from increasingly sophisticated and complex attacks, as hackers attempt to
steal private and confidential data. Oracle's latest tool understands SQL
statements and can identify malicious ones.
The database giant announced Oracle Database Firewall on Feb. 14 at the RSA
Conference, in San Francisco. The firewall application establishes a "defensive
perimeter" around databases by monitoring and enforcing normal application
behavior in real-time, the company said. Administrators can use this tool to
prevent unauthorized access, SQL injections, privilege or role escalation, and
other attacks on their networks from ever reaching the database.
"Evolving threats to databases require enterprises to look at new security
solutions," said Vipin Samar, Oracle's vice president of database security.
The technology behind Oracle Database Firewall came with Oracle's
acquisition of Secerno
in May 2010. Secerno's heterogeneous database
firewall extended Oracle's line of database-security applications, Samar said.
The firewall relies on a combination of a model of how users and
applications typically access the database and administrator-created policies.
The policies can be granular, and can utilize attributes such as time of day,
IP address, and application, as well as user and SQL category.
Exception policies also override default application policies to support
maintenance tasks. The software also relies on SQL grammar-analysis technology
to determine the legitimacy of SQL statements being sent to the database.
Oracle Database Firewall also supports white-list and black-list policies to
identify approved and unauthorized SQL statements that may pass the firewall.
The Oracle Database Firewall software can be deployed in-line on the network
for blocking and monitoring the database or out-of-band to scan the network in
a monitoring-only mode, according to Oracle. The software is installed and
configured to block unauthorized database access to prevent attacks from even
reaching the database, Samar said.
There are "dozens" of pre-built and customizable reports to help compliance
teams meet required privacy and regulatory mandates including Payment Card
Industry (PCI) Data Security Standard (DSS),
Sarbanes-Oxley, and Health Insurance Portability and Accountability (HIPAA),
The firewall runs on any Intel-based hardware and can scale to support large
numbers of database servers. Not limited to Oracle databases, it supports
Oracle 11g and all previous database releases, as well as competitor databases.
Administrators can also use the tool with IBM
DB2 version 9; Microsoft SQL Server 2000, 2005 and 2008; Sybase Adaptive Server
Enterprise from versions 12.5.4 to 15; and Sybase SQL Anywhere version 10,
according to the product Web site.
The software can be deployed without changing or modifying existing
applications and database infrastructure, Samar said.
To encourage IT managers to think about data security, Oracle has an Enterprise
Data Security Assessment
survey, which strives to calculate the
organization's scores on data privacy, access control, secure configuration,
audits and compliance.
Oracle Database Firewall is part of Oracle's suite of database-security
products, which includes Oracle Advanced Security, Oracle Configuration
Management, Oracle Secure Backup, Oracle Audit Vault, and Oracle Database
Vault, the company said. The security tools help reduce costs and complexity
across the enterprise, Oracle said.
Administrators use Oracle
to centrally manage their database-auditing configuration and
deploy uniform audit policies, according to Samar. Oracle
allows administrators to incrementally restrict data-access
rights of all users, even DBAs, regardless of their role. Advanced Security encrypts
all application data or specific database columns; Secure Backup adds
encryption to backed-up archives; and Configuration Management monitors
existing configuration settings and detects any attempts to change them.
The Database Firewall is priced at $5,000 per processor on the database
server, according to Oracle. The Database Firewall Management Server, which
features blocking, monitoring and log-aggregation capabilities, is priced at
$57,500 per processor installed on the server.