Oracle Database Firewall Delivers Vendor-Agnostic Security

The Oracle Database Firewall works on any database and can interpret SQL statements to determine whether or not they are malicious.

IT administrators have the daunting task of defending enterprise databases from increasingly sophisticated and complex attacks, as hackers attempt to steal private and confidential data. Oracle's latest tool understands SQL statements and can identify malicious ones.

The database giant announced Oracle Database Firewall on Feb. 14 at the RSA Conference, in San Francisco. The firewall application establishes a "defensive perimeter" around databases by monitoring and enforcing normal application behavior in real-time, the company said. Administrators can use this tool to prevent unauthorized access, SQL injections, privilege or role escalation, and other attacks on their networks from ever reaching the database.

"Evolving threats to databases require enterprises to look at new security solutions," said Vipin Samar, Oracle's vice president of database security.

The technology behind Oracle Database Firewall came with Oracle's acquisition of Secerno in May 2010. Secerno's heterogeneous database firewall extended Oracle's line of database-security applications, Samar said.

The firewall relies on a combination of a model of how users and applications typically access the database and administrator-created policies. The policies can be granular, and can utilize attributes such as time of day, IP address, and application, as well as user and SQL category.

Exception policies also override default application policies to support maintenance tasks. The software also relies on SQL grammar-analysis technology to determine the legitimacy of SQL statements being sent to the database. Oracle Database Firewall also supports white-list and black-list policies to identify approved and unauthorized SQL statements that may pass the firewall.

The Oracle Database Firewall software can be deployed in-line on the network for blocking and monitoring the database or out-of-band to scan the network in a monitoring-only mode, according to Oracle. The software is installed and configured to block unauthorized database access to prevent attacks from even reaching the database, Samar said.

There are "dozens" of pre-built and customizable reports to help compliance teams meet required privacy and regulatory mandates including Payment Card Industry (PCI) Data Security Standard (DSS), Sarbanes-Oxley, and Health Insurance Portability and Accountability (HIPAA), said Oracle.

The firewall runs on any Intel-based hardware and can scale to support large numbers of database servers. Not limited to Oracle databases, it supports Oracle 11g and all previous database releases, as well as competitor databases. Administrators can also use the tool with IBM DB2 version 9; Microsoft SQL Server 2000, 2005 and 2008; Sybase Adaptive Server Enterprise from versions 12.5.4 to 15; and Sybase SQL Anywhere version 10, according to the product Web site.

The software can be deployed without changing or modifying existing applications and database infrastructure, Samar said.

To encourage IT managers to think about data security, Oracle has an Enterprise Data Security Assessment survey, which strives to calculate the organization's scores on data privacy, access control, secure configuration, audits and compliance.

Oracle Database Firewall is part of Oracle's suite of database-security products, which includes Oracle Advanced Security, Oracle Configuration Management, Oracle Secure Backup, Oracle Audit Vault, and Oracle Database Vault, the company said. The security tools help reduce costs and complexity across the enterprise, Oracle said.

Administrators use Oracle Audit Vault to centrally manage their database-auditing configuration and deploy uniform audit policies, according to Samar. Oracle Database Vault allows administrators to incrementally restrict data-access rights of all users, even DBAs, regardless of their role. Advanced Security encrypts all application data or specific database columns; Secure Backup adds encryption to backed-up archives; and Configuration Management monitors existing configuration settings and detects any attempts to change them.

The Database Firewall is priced at $5,000 per processor on the database server, according to Oracle. The Database Firewall Management Server, which features blocking, monitoring and log-aggregation capabilities, is priced at $57,500 per processor installed on the server.