



Oracle Database Firewall
Pierre Leon
Database Security – Oracle UK
Agenda



        • Evolving Threats to Databases
        • Oracle Database Firewall
              •   Security Models
              •   Policy Enforcement
              •   Reporting
              •   Architecture and Deployment Modes
        • Oracle Database Security Solutions
        • Q&A


© 2011 Oracle Corporation                             2
How is Data Compromised?
            Source: 2010 Data Breach Investigations Report




#1 Cause of Data Breaches:
            Web Applications Hacked with SQL Injection and
            Stolen Credentials Obtained Using Malware
    [Figures from the 2010 Data Breach Investigations Report:
     Threat action categories by percent of breaches and percent of records;
     Types of hacking by percent of breaches within Hacking and percent of records;
     Attack pathways by percent of breaches and percent of records]



Existing Security Solutions Not Enough

    [Diagram labels: Key Loggers, Malware, SQL Injection, Espionage, Spear Phishing,
     Botware, Social Engineering; Web Users, Application Users, Application,
     Database, Administrators]




                             Data Must Be Protected at the Source


Database Security
            Defense In Depth Approach




        •   Monitor and block threats before they reach databases
        •   Track changes and audit database activity
        •   Control access to data within the database
        •   Prevent access by non-database users
        •   Implement with
              • Transparency – no changes to existing applications
              • High Performance – no measurable impact on applications
              • Accuracy – minimal false positives and negatives



Business Drivers
          • Customers need a first line of defence to monitor and
            protect against existing and emerging threats
          • Hackers breach databases from the web exploiting
            vulnerabilities in applications
          • Stolen credentials exploited for unauthorised use




          [Diagram labels: Application, Database Firewall, Database]




Oracle Database Firewall
             First Line of Defense

    [Diagram labels: Applications; Allow, Log, Alert, Substitute, Block;
     Alerts, Built-in Reports, Custom Reports, Policies]




    • Monitor database activity to help prevent unauthorised activity, application
      bypass and SQL injections, illegal access to sensitive data etc.
    • Highly accurate SQL grammar based analysis, no false positives
    • White-list, black-list, and exception-list based security policies
    • Built-in and custom compliance reports for regulations


Oracle Database Firewall
            Positive Security Model Based Enforcement

      [Diagram labels: Applications; White List; Allow, Block]




      • White-list based policies enforce normal or expected behavior
      • Policies evaluate factors such as time, day, network, and application
      • Easily generate white-lists for any application
      • Out of policy SQL statements can be logged, alerted, blocked or
        substituted with a harmless SQL statement
      • SQL substitution foils attackers without disrupting applications

Oracle Database Firewall
            Negative Security Model Based Enforcement

       [Diagram labels: Applications; Black List; Allow, Block]




       • Stop specific unwanted SQL commands, user or schema access
       • Prevent privilege or role escalation and unauthorised access to
         sensitive data
       • Black list policies can evaluate factors such as day, time, network, and
         application


Oracle Database Firewall
            Scalable and Safe Policy Enforcement

         [Diagram labels: Applications; Log, Allow, Alert, Substitute, Block]

         Substitute example:
             SELECT * FROM accounts
         becomes
             SELECT * FROM dual where 1=0




         • Innovative SQL grammar technology reduces millions of SQL statements into
           a small number of SQL characteristics or “clusters”
         • Flexible enforcement at SQL level: block, substitute, alert and pass, log only
                 • SQL substitution foils attackers without disrupting applications
         • Centralised policy management and reporting
         • Superior performance and policy scalability


SQL Injection
            Too much trust in applications
    [Diagram label: Application]

    Allow:
        SELECT * FROM dvd_stock
         WHERE catalog-no = 'PHE8131'
           AND location = 1

    Block:
        SELECT * FROM dvd_stock
         WHERE catalog-no = ''
         UNION SELECT cardNo, customerId, 0
          FROM DVD_Orders--' AND location = 1




    •   Applications are given high levels of privilege
    •   Database trusts the application
    •   “Users” subvert the application to gain access to the database (and beyond)
    •   Each application is unique
    •   Regular expression black lists are ineffective
    •   Grammar based white list blocks SQL injection attacks
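
An added illustration of the white-list bullet above and of the "clusters" idea from the Scalable and Safe Policy Enforcement slide (this is not Oracle's implementation and not part of the original deck): statements are reduced to a literal-free fingerprint, a white list is learned from a training log, and the slide's injected statement falls outside it and is replaced with the slide's harmless substitute. The function names, the constructed training log and the token-level fingerprint (a stand-in for real grammar analysis) are assumptions.

```python
import re
from collections import Counter

# Added example, not Oracle's code: a token-level stand-in for grammar analysis.
_TOKEN = re.compile(r"""
    (?P<comment>--[^\n]*|/\*.*?\*/)     # SQL comments are dropped
  | (?P<string>'(?:[^']|'')*')          # quoted string literal
  | (?P<number>\d+(?:\.\d+)?)           # numeric literal
  | (?P<word>[A-Za-z_][A-Za-z0-9_]*)    # keyword or identifier
  | (?P<op>\S)                          # any other single character
""", re.VERBOSE | re.DOTALL)

# Harmless replacement statement, taken from the slide.
SUBSTITUTE_SQL = "SELECT * FROM dual where 1=0"

# The two statements shown on the SQL Injection slide.
LEGIT = "SELECT * FROM dvd_stock WHERE catalog-no = 'PHE8131' AND location = 1"
INJECTED = ("SELECT * FROM dvd_stock WHERE catalog-no = '' "
            "UNION SELECT cardNo, customerId, 0 "
            "FROM DVD_Orders--' AND location = 1")

# Constructed training log (hypothetical application traffic).
TRAINING_LOG = [
    "SELECT * FROM dvd_stock WHERE catalog-no = 'PHE8131' AND location = 1",
    "select * from dvd_stock where catalog-no = 'ABC0001' and location = 2",
    "SELECT * FROM dvd_stock WHERE catalog-no = 'XYZ9999' AND location = 14",
    "INSERT INTO DVD_Orders (cardNo, customerId, qty) "
    "VALUES ('CARD-PLACEHOLDER', 17, 1)",
]


def fingerprint(sql):
    """Reduce a statement to its cluster: literals become '?', case is folded."""
    parts = []
    for m in _TOKEN.finditer(sql):
        kind = m.lastgroup
        if kind == "comment":
            continue                      # comments carry no structure
        if kind in ("string", "number"):
            parts.append("?")             # data values never affect the cluster
        elif kind == "word":
            parts.append(m.group().lower())
        else:
            parts.append(m.group())
    return " ".join(parts)


def train(log):
    """Build the white list: cluster fingerprint -> number of statements seen."""
    return Counter(fingerprint(s) for s in log)


def enforce(sql, whitelist, default_action="substitute"):
    """Return (action, statement forwarded to the database or None)."""
    if fingerprint(sql) in whitelist:
        return "allow", sql
    if default_action == "substitute":
        return "substitute", SUBSTITUTE_SQL
    if default_action == "block":
        return "block", None
    # "alert" and "log": the statement passes but the event is recorded.
    return default_action, sql


if __name__ == "__main__":
    whitelist = train(TRAINING_LOG)
    print(len(TRAINING_LOG), "statements ->", len(whitelist), "clusters")
    for stmt in (LEGIT, INJECTED):
        action, forwarded = enforce(stmt, whitelist)
        print(action.upper(), "|", fingerprint(stmt))
        print("   forwarded:", forwarded)
```

Token fingerprints are coarser than a grammar: for example, an IN list with a different number of values lands in a different cluster, so a real policy needs exceptions or a richer normal form.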


Oracle Database Firewall
            Semantic Analysis and Policy Creation

        • Train the Analyser on Firewall
          logs
        • Automatically generate White
          Lists
        • Create exceptions
        • Create default actions for
          unrecognised SQL/anomalies
        • Novelty policies
        • Assign threat levels
        • Assign actions
        • Set policies for Logon/Logoff
          and Failed Login




Oracle Database Firewall
            Data Masking




       • Prevents creating yet another database with sensitive and regulated data
       • Sensitive and regulated information contained in SQL statements can be
         masked or redacted in real-time prior to being logged
       • Flexible masking policies allow masking all data or just specific columns
       • Critical for organisations who want to monitor and log all database activity


Oracle Database Firewall
            Reporting
                             • Database Firewall log data
                               consolidated into reporting database
                             • Dozens of built in reports that can be
                               modified and customised
                                 • Database activity and privileged
                                   user reports
                                 • Entitlements reporting for
                                   database attestation and audit
                                 • Supports demonstrating controls
                                   for PCI, SOX, HIPAA, etc.
                             • Logged SQL statements can be
                               sanitised of sensitive PII data




Oracle Database Firewall
            Architecture

       [Diagram labels: Inbound SQL Traffic; Local Monitor; In-Line Blocking and
        Monitoring; Out-of-Band Monitoring; HA Mode; Policy Analyser;
        Management Server(s)]



       •   In-line blocking and monitoring, or out-of-band monitoring modes
       •   High availability with parallel Firewalls / Management Servers
       •   Monitoring of remote databases by forwarding network traffic
       •   Application agnostic
       •   Support for Oracle and non-Oracle Databases


Oracle Database Firewall
            Fast and Flexible Deployments

       [Diagram labels: Application Servers; Users; Database Firewall; Out-of-Band;
        Router; Database Servers; Host Based Agent; In-Line]


       • In-Line: All database traffic goes through the Oracle Database Firewall
       • Out-of-Band/Passive: Database Firewall connected to a SPAN port or TAP
       • Optional Host Based Remote or Local Monitors
               • Can send network traffic from the database host to the Database Firewall
               • Can send non-network database activity to the Database Firewall to
                 identify unauthorised use of local console or remote sessions


Major US East-Coast Bank
            Active Database Firewall
        Business Challenges
            • Protect business critical databases to prevent
              unauthorised access, data loss and PII exposure
            • Monitor and protect over 600 databases across 7
              international data centers.
            • Minimal impact to existing database performance

        Solution
            • Oracle Database Firewall for real-time database
              protection and monitoring of billions of transactions
              per day
            • Prevent unauthorised data access and malicious
              activity

        Business Results
            • Passed internal and external audit
            • Demonstrate active controls over data access and
              database systems
            • Standardised security, alerts and reporting across
              the complete business



Major US Investment Bank
            Auditing Data Changes

        Business Challenges
            • Monitor 60+ databases
            • Track every change to customer data
            • Alert on unauthorised changes to stored procedures
              or user roles and privileges
            • Automated report distribution to internal auditors

        Solution
            • Database Firewall deployed in heterogeneous
              environments providing monitoring and reporting on
              every change to customer data
            • Monitor procedure and user role changes with full
              separation of duties from existing DBA team

        Business Results
            • Passes daily audits
            • Audit data ready for sign-off automatically emailed
              before the start of business




Major European Government
            Protecting Government Data and PII


        Business Challenges
            • Prevent access to highly sensitive citizen data other
              than via certified application
            • Enforce strict application behavior through white-list
            • Monitor and audit every transaction 24x365

        Solution
            • Six fully redundant pairs of Database Firewall to
              maintain a complete database security perimeter
            • Critical high-availability architecture to meet strict
              service-level requirements

        Business Results
            • Complete protection from unauthorised access,
              hacking or malicious changes to application code
            • Highly sensitive citizen data protected by
              continuously available firewall perimeter
            • Meets government standards for PII data storage




Heterogeneous Database Support

            • Oracle 8i, 9i, 10g, 11g
            • MS-SQL 2000, 2005, 2008
            • Sybase 12.5.4 to 15.0.x
            • SQL Anywhere 10.x
            • DB2 9.x for LUW




Oracle Database Security Solutions
            Inside. Outside. Complete.
            • Monitor and block threats before they reach databases
            • Track changes and audit database activity
            • Control access to data within the database
            • Prevent access by non-database users
            • Transparency, high performance, accuracy



            Monitoring & Blocking
                • Database Firewall
            Access Control
                • Database Vault
                • Label Security
                • Identity Management
            Auditing & Tracking
                • Audit Vault
                • Configuration Management
                • Total Recall
            Encryption & Masking
                • Advanced Security
                • Secure Backup
                • Data Masking




For More Information



            search.oracle.com: "database security"
            or
            oracle.com/database/security




Remote/Local Monitor

         • Remote Monitor
               • Runs on the server operating system.
               • Sends database transactions to Oracle Database Firewall
               • Platform support is determined by OS, and then by the RDBMS
                 platforms that DBFW supports:
         • Local Monitor
               • Resides inside a database
                  • Monitors local / non-network access.




User Role Reporting

            • Entitlement Reports
                  • User names
                  • User roles and privileges
                  • Last changed, changed by whom and when
            • Automated and transparent
                  • User role reporting can be run ad-hoc or scheduled
                  • Report on user roles and privileges
                  • Deltas since the last report




Stored Procedure Reporting

            • Stored procedure contents
               • It's not enough to know a procedure was run; it is important to
                 know what SQL was executed when the procedure is called.
            • Stored procedure reports
               • Name
               • Content
               • Threat rating (injection risk, system tables etc).
               • Stored procedure type (DML, DDL, DCL, SELECT etc)
               • Last changed, changed by whom and when
            • Automated and transparent
               • Stored procedure reporting can be run ad-hoc or scheduled




The Cost of Inaccuracy
            [Diagram labels: select * from hr.employees;
             3,000 transactions per second; 260 million transactions per day]




UiPath Studio Web workshop series - Day 8DianaGray10
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationIES VE
 
Spring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdfSpring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdfAnna Loughnan Colquhoun
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaborationbruanjhuli
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesDavid Newbury
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...Aggregage
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdfPedro Manuel
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.YounusS2
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintMahmoud Rabie
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...DianaGray10
 
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdfJamie (Taka) Wang
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesMd Hossain Ali
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfDianaGray10
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding TeamAdam Moalla
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfAijun Zhang
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfDaniel Santiago Silva Capera
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Will Schroeder
 

Kürzlich hochgeladen (20)

Do we need a new standard for visualizing the invisible?
Do we need a new standard for visualizing the invisible?Do we need a new standard for visualizing the invisible?
Do we need a new standard for visualizing the invisible?
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URL
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
 
Spring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdfSpring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdf
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond Ontologies
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdf
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
 
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdf
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 

Oracle Database Firewall - Pierre Leon

  • 1. <Insert Picture Here> Oracle Database Firewall Pierre Leon Database Security – Oracle UK
  • 2. Agenda • Evolving Threats to Databases • Oracle Database Firewall • Security Models • Policy Enforcement • Reporting • Architecture and Deployment Modes • Oracle Database Security Solutions • Q&A © 2011 Oracle Corporation 2
  • 3. How is Data Compromised? 2010 Data Breach Investigations Report © 2011 Oracle Corporation 3
  • 4. #1 Cause of Data Breaches: Web Applications Hacked with SQL Injection and Stolen Credentials Obtained Using Malware Threat action categories by percent of breaches and percent of records Types of hacking by percent of breaches within Hacking and percent of records Attack pathways by percent of breaches and percent of records 2010 Data Breach Investigations Report © 2011 Oracle Corporation 4
  • 5. Existing Security Solutions Not Enough Key Loggers Malware SQL Injection Espionage Spear Phishing Botware Social Engineering Web Users Database Application Users Application Database Administrators Data Must Be Protected at the Source © 2011 Oracle Corporation 5
  • 6. Database Security Defense In Depth Approach • Monitor and block threats before they reach databases • Track changes and audit database activity • Control access to data within the database • Prevent access by non database users • Implement with • Transparency – no changes to existing applications • High Performance – no measurable impact on applications • Accuracy – minimal false positives and negatives © 2011 Oracle Corporation 6
  • 7. Business Drivers • Customers need a first line of defence to monitor and protect against existing and emerging threats • Hackers breach databases from the web exploiting vulnerabilities in applications • Stolen credentials exploited for unauthorised use Application Database Firewall Database © 2011 Oracle Corporation 7
  • 8. Oracle Database Firewall First Line of Defense Allow Log Alert Substitute Applications Block Alerts Built-in Custom Policies Reports Reports • Monitor database activity to help prevent unauthorised activity, application bypass and SQL injections, illegal access to sensitive data etc. • Highly accurate SQL grammar based analysis, no false positives • White-list, black-list, and exception-list based security policies • Built-in and custom compliance reports for regulations © 2011 Oracle Corporation 8
  • 9. Oracle Database Firewall Positive Security Model Based Enforcement White List Allow Block Applications • White-list based policies enforce normal or expected behavior • Policies evaluate factors such as time, day, network, and application • Easily generate white-lists for any application • Out of policy SQL statements can be logged, alerted, blocked or substituted with a harmless SQL statement • SQL substitution foils attackers without disrupting applications © 2011 Oracle Corporation 9
  • 10. Oracle Database Firewall Negative Security Model Based Enforcement Black List Allow Block Applications • Stop specific unwanted SQL commands, user or schema access • Prevent privilege or role escalation and unauthorised access to sensitive data • Black list policies can evaluate factors such as day, time, network, and application © 2011 Oracle Corporation 10
  • 11. Oracle Database Firewall Scalable and Safe Policy Enforcement Log Allow SELECT * FROM accounts Alert Becomes SELECT * FROM dual where 1=0 Substitute Applications Block • Innovative SQL grammar technology reduces millions of SQL statements into a small number of SQL characteristics or “clusters” • Flexible enforcement at SQL level: block, substitute, alert and pass, log only • SQL substitution foils attackers without disrupting applications • Centralised policy management and reporting • Superior performance and policy scalability © 2011 Oracle Corporation 11
  • 12. SQL Injection Too much trust in applications Allow: SELECT * FROM dvd_stock WHERE catalog-no = 'PHE8131' AND location = 1 Block: SELECT * FROM dvd_stock WHERE catalog-no = '' UNION SELECT cardNo, customerId, 0 FROM DVD_Orders --' AND location = 1 Application • Applications are given high levels of privilege • Database trusts the application • “Users” subvert the application to access the database (and beyond) • Each application is unique • Regular expression black lists are ineffective • Grammar based white list blocks SQL injection attacks © 2011 Oracle Corporation 12
  • 13. Oracle Database Firewall Semantic Analysis and Policy Creation • Train the Analyser on Firewall logs • Automatically generate White Lists • Create exceptions • Create default actions for unrecognised SQL/anomalies • Novelty policies • Assign threat levels • Assign actions • Set policies for Logon/Logoff and Failed Login © 2011 Oracle Corporation 13
  • 14. Oracle Database Firewall Data Masking • Prevents creating yet another database with sensitive and regulated data • Sensitive and regulated information contained in SQL statements can be masked or redacted in real-time prior to being logged • Flexible masking policies allow masking all data or just specific columns • Critical for organisations who want to monitor and log all database activity © 2011 Oracle Corporation 14
  • 15. Oracle Database Firewall Reporting • Database Firewall log data consolidated into reporting database • Dozens of built in reports that can be modified and customised • Database activity and privileged user reports • Entitlements reporting for database attestation and audit • Supports demonstrating controls for PCI, SOX, HIPAA, etc. • Logged SQL statements can be sanitised of sensitive PII data © 2011 Oracle Corporation 15
  • 16. Oracle Database Firewall Local Monitor Architecture In-Line Blocking and Monitoring Out-of-Band Inbound Monitoring SQL Traffic HA Mode Policy Management Analyser Server(s) • In-line blocking and monitoring, or out-of-band monitoring modes • High availability with parallel Firewalls / Management Servers • Monitoring of remote databases by forwarding network traffic • Application agnostic • Support for Oracle and non-Oracle Databases © 2011 Oracle Corporation 16
  • 17. Oracle Database Firewall Fast and Flexible Deployments Application Servers Users Database Out-of-Band Router Firewall Database Servers Host Based In-Line Agent • In-Line: All database traffic goes through the Oracle Database Firewall • Out-of-Band/Passive: Database Firewall connected to a SPAN port or TAP • Optional Host Based Remote or Local Monitors • Can send network traffic from the database host to the Database Firewall • Can send non-network database activity to the Database Firewall to identify unauthorised use of local console or remote sessions © 2011 Oracle Corporation 17
  • 18. Major US East-Coast Bank Active Database Firewall Business Challenges: • Protect business critical databases to prevent unauthorised access, data loss and PII exposure • Monitor and protect over 600 databases across 7 international data centers. • Minimal impact to existing database performance Solution: • Oracle Database Firewall for real-time database protection and monitoring of billions of transactions per day • Prevent unauthorised data access and malicious activity Business Results: • Passed internal and external audit • Demonstrate active controls over data access and database systems • Standardised security, alerts and reporting across the complete business © 2011 Oracle Corporation 18
  • 19. Major US Investment Bank Auditing Data Changes Business Challenges: • Monitor 60+ databases • Track every change to customer data • Alert on unauthorised changes to stored procedures or user roles and privileges • Automated report distribution to internal auditors Solution: • Database Firewall deployed in heterogeneous environments providing monitoring and reporting on every change to customer data • Monitor procedure and user role changes with full separation of duties from existing DBA team Business Results: • Passes daily audits • Audit data ready for sign-off automatically emailed before the start of business © 2011 Oracle Corporation 19
  • 20. Major European Government Protecting Government Data and PII Business Challenges: • Prevent access to highly sensitive citizen data other than via certified application • Enforce strict application behavior through white-list • Monitor and audit every transaction 24x365 Solution: • Six fully redundant pairs of Database Firewall to maintain a complete database security perimeter • Critical high-availability architecture to meet strict service-level requirements Business Results: • Complete protection from unauthorised access, hacking of malicious changes to application code • Highly sensitive citizen data protected by continuously available firewall perimeter • Meets government standards for PII data storage © 2011 Oracle Corporation 20
  • 21. Heterogeneous Database Support • Oracle 8i, 9i, 10g, 11g • MS-SQL 2000, 2005, 2008 • Sybase 12.5.4 to 15.0.x • SQL Anywhere 10.x • DB2 9.x for LUW © 2011 Oracle Corporation 21
  • 22. Oracle Database Security Solutions Inside. Outside. Complete. • Monitor and block threats before they reach databases • Track changes and audit database activity • Control access to data within the database • Prevent access by non database users • Transparency, high performance, accuracy Monitoring & Blocking: • Database Firewall Access Control: • Database Vault • Label Security • Identity Management Auditing & Tracking: • Audit Vault • Configuration Management • Total Recall Encryption & Masking: • Advanced Security • Secure Backup • Data Masking © 2011 Oracle Corporation 22
  • 23. For More Information search.oracle.com database security or oracle.com/database/security © 2011 Oracle Corporation 23
  • 24. © 2011 Oracle Corporation 24
  • 25. Remote/Local Monitor • Remote Monitor • Runs on the server operating system. • Sends database transactions to Oracle Database Firewall • Supported platforms is by OS -- and then by the RDBMS platforms that DBFW support: • Local Monitor • Resides inside a database • Monitors local / non-network access. © 2011 Oracle Corporation 25
  • 26. User Role Reporting • Entitlement Reports • User names • User roles and privileges • Last changed, changed by whom and when • Automated and transparent • User role reporting can be run ad-hoc or scheduled • Report on user roles and privileges • Deltas since the last report © 2011 Oracle Corporation 26
  • 27. Stored Procedure Reporting • Stored procedure contents • It's not enough to know a procedure was run, it is important to know what SQL was executed when the procedure is called. • Stored procedure reports • Name • Content • Threat rating (injection risk, system tables etc). • Stored procedure type (DML, DDL, DCL, SELECT etc) • Last changed, changed by whom and when • Automated and transparent • Stored procedure reporting can be run ad-hoc or scheduled © 2011 Oracle Corporation 27
  • 28. The Cost of Inaccuracy select * from hr.employees; 3,000 transactions per second 260 million transactions per day © 2011 Oracle Corporation 28
  • 29. © 2011 Oracle Corporation 29
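
Slides 9, 11 and 12 describe reducing SQL statements to structural "clusters", white-listing the clusters seen in normal traffic, and substituting a harmless statement for anything out of policy. The Python sketch below is an added illustration of that idea, not Oracle's implementation: the simplified lexer, the names `cluster` and `WhiteListPolicy`, and the sample statements (modelled on slide 12, with the column written `catalog_no`) are assumptions.

```python
import re

# Simplified SQL lexer (assumption: not a full grammar for any real dialect).
TOKEN_RE = re.compile(r"""
    (?P<comment>--[^\n]*|/\*.*?\*/)       # comments carry no structure
  | (?P<string>'(?:[^']|'')*')            # string literal; two quotes = escaped quote
  | (?P<number>\b\d+(?:\.\d+)?\b)         # numeric literal
  | (?P<word>[A-Za-z_][A-Za-z0-9_$]*)     # keyword or identifier
  | (?P<space>\s+)
  | (?P<other>.)                          # operators, punctuation, stray quotes
""", re.VERBOSE | re.DOTALL)

SUBSTITUTE_SQL = "SELECT * FROM dual where 1=0"  # harmless statement from slide 11


def cluster(sql):
    """Reduce a statement to its structure: literals become '?', comments vanish."""
    out = []
    for m in TOKEN_RE.finditer(sql):
        kind = m.lastgroup
        if kind in ("comment", "space"):
            continue
        if kind in ("string", "number"):
            out.append("?")
        elif kind == "word":
            out.append(m.group().upper())
        else:
            out.append(m.group())  # an unterminated quote lands here and changes the cluster
    return " ".join(out)


class WhiteListPolicy:
    """Positive security model: only clusters seen during training are allowed."""

    def __init__(self, default_action="substitute"):
        self.allowed = set()
        self.default_action = default_action  # action for unrecognised SQL

    def train(self, logged_statements):
        for sql in logged_statements:
            self.allowed.add(cluster(sql))

    def enforce(self, sql):
        """Return (action, statement forwarded to the database, or None)."""
        if cluster(sql) in self.allowed:
            return "allow", sql
        if self.default_action == "substitute":
            return "substitute", SUBSTITUTE_SQL
        if self.default_action == "block":
            return "block", None
        return self.default_action, sql  # "log" / "alert": record it and pass it on


# Constructed training log, modelled on the slide-12 application query.
TRAINING_LOG = [
    "SELECT * FROM dvd_stock WHERE catalog_no = 'PHE8131' AND location = 1",
    "select * from dvd_stock where catalog_no = 'ABC0002' and location = 3",
]
# The out-of-policy statement shown on slide 12.
INJECTED = ("SELECT * FROM dvd_stock WHERE catalog_no = '' "
            "UNION SELECT cardNo, customerId, 0 FROM DVD_Orders --' AND location = 1")


def demo():
    policy = WhiteListPolicy()
    policy.train(TRAINING_LOG)
    normal = "SELECT * FROM dvd_stock WHERE catalog_no = 'XYZ0001' AND location = 7"
    return len(policy.allowed), policy.enforce(normal), policy.enforce(INJECTED)


if __name__ == "__main__":
    clusters, ok, bad = demo()
    print(clusters, ok[0], bad)
```

Both training statements collapse into one cluster, so a query that differs only in its literal values is allowed, while the slide-12 statement changes the token structure and falls to the default action.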

Editor's notes

  1. Add one slide after on database firewall category