Oracle Database Firewall - Pierre Leon
- 2. Agenda
• Evolving Threats to Databases
• Oracle Database Firewall
• Security Models
• Policy Enforcement
• Reporting
• Architecture and Deployment Modes
• Oracle Database Security Solutions
• Q&A
© 2011 Oracle Corporation
- 3. How is Data Compromised? (2010 Data Breach Investigations Report)
- 4. #1 Cause of Data Breaches: Web Applications Hacked with SQL Injection and Stolen Credentials Obtained Using Malware
Charts (2010 Data Breach Investigations Report): threat action categories, types of hacking within the Hacking category, and attack pathways, each shown by % of breaches and % of records
- 5. Existing Security Solutions Not Enough
Diagram: key loggers, malware, SQL injection, espionage, spear phishing, botware and social engineering reach the database through web users, application users, the application itself and database administrators
Data Must Be Protected at the Source
- 6. Database Security
Defense In Depth Approach
• Monitor and block threats before they reach databases
• Track changes and audit database activity
• Control access to data within the database
• Prevent access by non-database users
• Implement with
• Transparency – no changes to existing applications
• High Performance – no measurable impact on applications
• Accuracy – minimal false positives and negatives
- 7. Business Drivers
• Customers need a first line of defence to monitor and protect against existing and emerging threats
• Hackers breach databases from the web by exploiting vulnerabilities in applications
• Stolen credentials are exploited for unauthorised use
Diagram: Application → Database Firewall → Database
- 8. Oracle Database Firewall
First Line of Defense
Diagram: SQL from applications is checked against built-in and custom policies; each statement is allowed, logged, alerted on, substituted or blocked, and the results feed alerts and reports
• Monitor database activity to help prevent unauthorised activity, application bypass, SQL injection, illegal access to sensitive data, etc.
• Highly accurate SQL grammar-based analysis with no false positives
• White-list, black-list and exception-list based security policies
• Built-in and custom compliance reports for regulations
- 9. Oracle Database Firewall
Positive Security Model Based Enforcement
Diagram: application SQL matching the white list is allowed; everything else is blocked
• White-list based policies enforce normal or expected behavior
• Policies evaluate factors such as time, day, network and application
• Easily generate white lists for any application
• Out-of-policy SQL statements can be logged, alerted on, blocked or substituted with a harmless SQL statement
• SQL substitution foils attackers without disrupting applications
- 10. Oracle Database Firewall
Negative Security Model Based Enforcement
Diagram: application SQL matching the black list is blocked; everything else is allowed
• Stop specific unwanted SQL commands, user or schema access
• Prevent privilege or role escalation and unauthorised access to sensitive data
• Black-list policies can evaluate factors such as day, time, network and application
- 11. Oracle Database Firewall
Scalable and Safe Policy Enforcement
Diagram: the enforcement options per statement are log, allow, alert, substitute and block. Substitution example: SELECT * FROM accounts becomes SELECT * FROM dual WHERE 1=0, a valid statement that returns no rows, so the application gets an empty result instead of an error
• Innovative SQL grammar technology reduces millions of SQL statements into a small number of SQL characteristics or "clusters"
• Flexible enforcement at SQL level: block, substitute, alert and pass, log only
• SQL substitution foils attackers without disrupting applications
• Centralised policy management and reporting
• Superior performance and policy scalability
- 12. SQL Injection
Too much trust in applications
Expected statement (allowed):
SELECT * FROM dvd_stock
WHERE catalog-no = 'PHE8131'
AND location = 1
Injected statement (blocked):
SELECT * FROM dvd_stock
WHERE catalog-no = ''
UNION SELECT cardNo, customerId, 0
FROM DVD_Orders--' AND location = 1
• Applications are given high levels of privilege
• The database trusts the application
• “Users” subvert the application to gain access to the database (and beyond)
• Each application is unique
• Regular-expression black lists are ineffective
• A grammar-based white list blocks SQL injection attacks
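As a runnable illustration of the statement pair on this slide, here is an added example (written for this page, not Oracle's code and not from the deck) that runs the same lookup against an in-memory SQLite database with constructed rows. Assumptions: the hyphenated catalog-no column is renamed catalog_no because a hyphen is not a valid unquoted identifier, the table contents are made up, and the bind-variable lookup at the end is the application-side fix added for contrast; the deck's own answer is the firewall policy.

```python
# Added example, not from the deck: the slide-12 injection run against an
# in-memory SQLite database so the data flow can be executed and checked.
import sqlite3


def build_db() -> sqlite3.Connection:
    """Tables from the slide with constructed rows. catalog-no is renamed
    catalog_no because a hyphen is not a valid unquoted identifier."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE dvd_stock (catalog_no TEXT, title TEXT, location INTEGER);
        INSERT INTO dvd_stock VALUES ('PHE8131', 'Heat', 1), ('PHE8132', 'Ronin', 2);
        CREATE TABLE DVD_Orders (cardNo TEXT, customerId INTEGER);
        INSERT INTO DVD_Orders VALUES ('4111111111111111', 1001),
                                      ('5500000000000004', 1002);
    """)
    return conn


def stock_lookup_vulnerable(conn, catalog_no, location):
    """The application as the slide describes it: user input concatenated
    into the statement. The database receives one syntactically valid query
    and executes it with the application's privileges, UNION included."""
    sql = (f"SELECT * FROM dvd_stock WHERE catalog_no = '{catalog_no}' "
           f"AND location = {location}")
    return conn.execute(sql).fetchall()


def stock_lookup_parameterized(conn, catalog_no, location):
    """Same lookup with bind variables (application-side fix, added here for
    contrast): the input is only ever a value, never part of the grammar."""
    sql = "SELECT * FROM dvd_stock WHERE catalog_no = ? AND location = ?"
    return conn.execute(sql, (catalog_no, location)).fetchall()


# The slide's payload: close the string, UNION three columns of order data
# (cardNo, customerId and a constant 0 to match dvd_stock's column count),
# then comment out the rest of the original WHERE clause.
INJECTED = "' UNION SELECT cardNo, customerId, 0 FROM DVD_Orders--"


def demo():
    """Run the expected request, the injected request, and the injected
    input through the parameterized lookup."""
    conn = build_db()
    return {
        "expected": stock_lookup_vulnerable(conn, "PHE8131", 1),
        "injected": stock_lookup_vulnerable(conn, INJECTED, 1),
        "parameterized": stock_lookup_parameterized(conn, INJECTED, 1),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The injected call produces exactly the second statement on the slide: the empty catalog number matches nothing, the UNION appends every card number from DVD_Orders, and the `--` discards the original `AND location = 1`. The parameterized call returns nothing because the whole payload is compared as a catalog number.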
- 13. Oracle Database Firewall
Semantic Analysis and Policy Creation
• Train the Analyser on Firewall logs
• Automatically generate white lists
• Create exceptions
• Create default actions for unrecognised SQL/anomalies
• Novelty policies
• Assign threat levels
• Assign actions
• Set policies for Logon/Logoff and Failed Login
- 14. Oracle Database Firewall
Data Masking
• Prevents creating yet another database holding sensitive and regulated data
• Sensitive and regulated information contained in SQL statements can be masked or redacted in real time before it is logged
• Flexible masking policies allow masking all data or just specific columns
• Critical for organisations who want to monitor and log all database activity
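The following is an added example, not Oracle's code and not from the deck, of the mechanism described on slides 9 and 11 through 14 in miniature: statements are tokenized, literals are replaced by placeholders so that many concrete statements fall into one shape (a "cluster"), a white list of clusters is learned from observed traffic, a short deny list of verbs plays the role of the black list, anything unrecognised receives the configured default action, and the log copy of each statement has its literals masked, either all of them or only those compared against named columns. The tokenizer, the Policy class, the training traffic, the column names and the deny list are all assumptions made for this example; a real grammar engine parses the SQL dialect properly, this one only tokenizes.

```python
# Added example (not Oracle's code): grammar-based white-list enforcement in miniature.
import re

TOKEN = re.compile(r"""
    (?P<comment>--[^\n]*|/\*.*?\*/)        # comments: not part of the shape
  | (?P<string>'(?:[^']|'')*')            # single-quoted literal, '' escapes a quote
  | (?P<number>\b\d+(?:\.\d+)?\b)          # numeric literal
  | (?P<word>[A-Za-z_][A-Za-z0-9_.]*)      # keyword, identifier, schema.object
  | (?P<op><>|<=|>=|!=|[^\s\w'])           # operators and punctuation
""", re.VERBOSE | re.DOTALL)
COMPARATORS = {"=", "<>", "!=", "<", ">", "<=", ">=", "LIKE"}
SUBSTITUTE = "SELECT * FROM dual WHERE 1=0"   # the harmless statement from slide 11


def tokens(sql):
    """(kind, text) pairs with comments removed; text keeps its original case."""
    return [(m.lastgroup, m.group()) for m in TOKEN.finditer(sql)
            if m.lastgroup != "comment"]


def render(parts):
    """Join tokens back into readable SQL (no space before , or ) and after ( )."""
    return re.sub(r"\(\s+", "(", re.sub(r"\s+([,)])", r"\1", " ".join(parts)))


def cluster(sql):
    """The statement's shape: words upper-cased and every literal replaced by ?,
    so that millions of concrete statements collapse into a few keys."""
    return render("?" if k in ("string", "number") else t.upper()
                  for k, t in tokens(sql))


def mask(sql, columns=None):
    """Redact literals before logging (slide 14). columns=None masks every
    literal; otherwise only a literal that directly follows `column <comparator>`
    for a column in the set is masked, other literals are logged as-is."""
    toks = tokens(sql)
    out = []
    for i, (kind, text) in enumerate(toks):
        if kind in ("string", "number"):
            col = (toks[i - 2][1].upper()
                   if i >= 2 and toks[i - 1][1].upper() in COMPARATORS else None)
            if columns is None or col in columns:
                text = "'***'" if kind == "string" else "***"
        out.append(text)
    return render(out)


class Policy:
    """White list of learned clusters (positive model, slide 9) plus a deny
    list of leading verbs (negative model, slide 10). Unrecognised SQL gets
    the default action, slide 13's 'default actions for unrecognised SQL'."""

    def __init__(self, default="block", deny_verbs=(), mask_columns=None):
        self.actions = {}                  # cluster -> "allow" | "log" | "alert"
        self.default = default             # "block" | "substitute" | "alert" | "log"
        self.deny_verbs = {v.upper() for v in deny_verbs}
        self.mask_columns = mask_columns   # None = mask all literals in the log
        self.log = []                      # (action, masked statement)

    def train(self, statements, action="allow"):
        """Learn the white list from observed traffic (the Analyser's job)."""
        for sql in statements:
            self.actions.setdefault(cluster(sql), action)

    def enforce(self, sql):
        """Return (action, statement forwarded to the database or None if blocked)."""
        key = cluster(sql)
        if key.split(" ", 1)[0] in self.deny_verbs:
            action = "block"
        else:
            action = self.actions.get(key, self.default)
        forwarded = {"block": None, "substitute": SUBSTITUTE}.get(action, sql)
        if action != "allow":              # allow is a silent pass-through
            self.log.append((action, mask(sql, self.mask_columns)))
        return action, forwarded


# Constructed training traffic: what the DVD application normally sends.
TRAINING = [
    "SELECT * FROM dvd_stock WHERE catalog_no = 'PHE8131' AND location = 1",
    "SELECT * FROM dvd_stock WHERE catalog_no = 'PHE8132' AND location = 2",
    "select * from DVD_STOCK where catalog_no='ABC0001' and location=7",
]
# The slide-12 payload; its shape differs from the three statements above.
INJECTED = ("SELECT * FROM dvd_stock WHERE catalog_no = '' "
            "UNION SELECT cardNo, customerId, 0 FROM DVD_Orders--' AND location = 1")


def demo():
    policy = Policy(default="substitute", deny_verbs=["GRANT", "ALTER", "DROP"],
                    mask_columns={"CATALOG_NO"})
    policy.train(TRAINING)
    return {
        "clusters": len(policy.actions),
        "normal": policy.enforce(
            "SELECT * FROM dvd_stock WHERE catalog_no = 'XYZ9999' AND location = 3"),
        "injected": policy.enforce(INJECTED),
        "grant": policy.enforce("GRANT DBA TO scott"),
        "log": policy.log,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The three training statements differ in literals, case and spacing but produce a single cluster, which is the scalability point of slide 11. A statement with a new literal but the same shape is allowed without being logged; the injected statement has a different shape, so it is replaced by the substitute query and the firewall log records it with the catalog number masked; the GRANT is caught by the deny list regardless of training.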
- 15. Oracle Database Firewall
Reporting
• Database Firewall log data is consolidated into a reporting database
• Dozens of built-in reports that can be modified and customised
• Database activity and privileged user reports
• Entitlements reporting for database attestation and audit
• Supports demonstrating controls for PCI, SOX, HIPAA, etc.
• Logged SQL statements can be sanitised of sensitive PII data
- 16. Oracle Database Firewall
Architecture
Diagram: inbound SQL traffic reaches the database through an in-line firewall (blocking and monitoring) or is copied to an out-of-band firewall (monitoring only); a local monitor runs on the database host, firewalls run in HA mode, and policy management and analyser server(s) sit behind them
• In-line blocking and monitoring, or out-of-band monitoring modes
• High availability with parallel Firewalls / Management Servers
• Monitoring of remote databases by forwarding network traffic
• Application agnostic
• Support for Oracle and non-Oracle databases
- 17. Oracle Database Firewall
Fast and Flexible Deployments
Diagram: users and application servers reach the database servers through a router; the Database Firewall sits either in-line on that path or out-of-band, and an optional host-based agent runs on the database servers
• In-Line: all database traffic goes through the Oracle Database Firewall
• Out-of-Band/Passive: Database Firewall connected to a SPAN port or TAP
• Optional host-based Remote or Local Monitors
• Can send network traffic from the database host to the Database Firewall
• Can send non-network database activity to the Database Firewall to identify unauthorised use of the local console or remote sessions
- 18. Major US East-Coast Bank
Active Database Firewall
Business Challenges
• Protect business-critical databases to prevent unauthorised access, data loss and PII exposure
• Monitor and protect over 600 databases across 7 international data centers
• Minimal impact to existing database performance
Solution
• Oracle Database Firewall for real-time database protection and monitoring of billions of transactions per day
• Prevent unauthorised data access and malicious activity
Business Results
• Passed internal and external audit
• Demonstrate active controls over data access and database systems
• Standardised security, alerts and reporting across the complete business
- 19. Major US Investment Bank
Auditing Data Changes
Business Challenges
• Monitor 60+ databases
• Track every change to customer data
• Alert on unauthorised changes to stored procedures or user roles and privileges
• Automated report distribution to internal auditors
Solution
• Database Firewall deployed in heterogeneous environments, providing monitoring and reporting on every change to customer data
• Monitor procedure and user role changes with full separation of duties from the existing DBA team
Business Results
• Passes daily audits
• Audit data ready for sign-off automatically emailed before the start of business
- 20. Major European Government
Protecting Government Data and PII
Business Challenges
• Prevent access to highly sensitive citizen data other than via the certified application
• Enforce strict application behavior through a white list
• Monitor and audit every transaction 24x365
Solution
• Six fully redundant pairs of Database Firewalls to maintain a complete database security perimeter
• Critical high-availability architecture to meet strict service-level requirements
Business Results
• Complete protection from unauthorised access, hacking or malicious changes to application code
• Highly sensitive citizen data protected by a continuously available firewall perimeter
• Meets government standards for PII data storage
- 21. Heterogeneous Database Support
• Oracle 8i, 9i, 10g, 11g
• MS-SQL 2000, 2005, 2008
• Sybase 12.5.4 to 15.0.x
• SQL Anywhere 10.x
• DB2 9.x for LUW
- 22. Oracle Database Security Solutions
Inside. Outside. Complete.
• Monitor and block threats before they reach databases
• Track changes and audit database activity
• Control access to data within the database
• Prevent access by non-database users
• Transparency, high performance, accuracy
Monitoring & Blocking: Database Firewall
Access Control: Database Vault, Label Security, Identity Management
Auditing & Tracking: Audit Vault, Configuration Management, Total Recall
Encryption & Masking: Advanced Security, Secure Backup, Data Masking
- 23. For More Information
search.oracle.com
database security
or
oracle.com/database/security
- 25. Remote/Local Monitor
• Remote Monitor
• Runs on the database server operating system
• Sends database transactions to the Oracle Database Firewall
• Supported platforms are determined by OS and then by the RDBMS platforms that DBFW supports:
• Local Monitor
• Resides inside a database
• Monitors local / non-network access
- 26. User Role Reporting
• Entitlement Reports
• User names
• User roles and privileges
• Last changed, changed by whom and when
• Automated and transparent
• User role reporting can be run ad-hoc or scheduled
• Report on user roles and privileges
• Deltas since the last report
- 27. Stored Procedure Reporting
• Stored procedure contents
• It's not enough to know a procedure was run; it is important to know what SQL is executed when the procedure is called.
• Stored procedure reports
• Name
• Content
• Threat rating (injection risk, system tables etc.)
• Stored procedure type (DML, DDL, DCL, SELECT etc.)
• Last changed, changed by whom and when
• Automated and transparent
• Stored procedure reporting can be run ad hoc or scheduled
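Added example for the two reporting slides above (written for this page, not Oracle's code): computing the "deltas since the last report" for entitlements, and detecting and rating stored-procedure changes. The snapshots are constructed in the code to resemble DBA_ROLE_PRIVS / DBA_SYS_PRIVS rows and DBA_SOURCE text; how a deployment collects them is outside the example. The high-risk privilege pattern, the threat-rating heuristics and the statement-type classification are this example's own simplifications, not the product's rules.

```python
# Added example (not Oracle's code): entitlement deltas and stored-procedure change rating.
import hashlib
import re

# Constructed snapshots of (grantee, granted role or privilege, admin option),
# shaped like rows from DBA_ROLE_PRIVS / DBA_SYS_PRIVS.
ENTITLEMENTS_LAST = {
    ("APP_USER", "CONNECT", "NO"),
    ("APP_USER", "APP_ROLE", "NO"),
    ("REPORTING", "SELECT ANY TABLE", "NO"),
}
ENTITLEMENTS_NOW = {
    ("APP_USER", "CONNECT", "NO"),
    ("APP_USER", "APP_ROLE", "NO"),
    ("APP_USER", "DBA", "YES"),            # granted since the last report
    ("REPORTING", "SELECT ANY TABLE", "NO"),
    ("REPORTING", "CONNECT", "NO"),
}
HIGH_RISK_PRIV = re.compile(r"^(DBA|SYSDBA|SYSOPER|.* ANY .*|ALTER SYSTEM)$")


def is_high_risk(grant):
    """Powerful roles/privileges, or anything granted WITH ADMIN OPTION (assumed list)."""
    _, priv, admin = grant
    return bool(HIGH_RISK_PRIV.match(priv)) or admin == "YES"


def entitlement_delta(last, now):
    """Slide 26's deltas since the last report: added and removed grants,
    with high-risk additions sorted first so they are read first."""
    added = sorted(now - last, key=lambda g: (not is_high_risk(g), g))
    return {"added": added, "removed": sorted(last - now),
            "high_risk": [g for g in added if is_high_risk(g)]}


# Constructed procedure sources, shaped like DBA_SOURCE text per object.
PROCS_LAST = {
    "APP.GET_STOCK": "BEGIN SELECT title INTO r FROM dvd_stock WHERE catalog_no = p_cat; END;",
}
PROCS_NOW = {
    "APP.GET_STOCK": ("BEGIN EXECUTE IMMEDIATE 'SELECT title FROM dvd_stock "
                      "WHERE catalog_no = ''' || p_cat || ''''; END;"),
    "APP.AUDIT_OFF": "BEGIN DELETE FROM sys.aud$; END;",
}
STATEMENT_TYPES = {
    "SELECT": r"\bSELECT\b", "DML": r"\b(INSERT|UPDATE|DELETE|MERGE)\b",
    "DDL": r"\b(CREATE|ALTER|DROP|TRUNCATE)\b", "DCL": r"\b(GRANT|REVOKE)\b",
}


def statement_types(source):
    """Slide 27's procedure type: which statement classes the body contains."""
    s = source.upper()
    return sorted(t for t, pat in STATEMENT_TYPES.items() if re.search(pat, s))


def threat_rating(source):
    """Rough rating in the spirit of slide 27: dynamic SQL built by string
    concatenation is an injection risk; SYS objects and dictionary views are
    system-table access, rated higher when combined with DML/DDL/DCL."""
    s = source.upper()
    reasons = []
    if re.search(r"EXECUTE\s+IMMEDIATE", s) and "||" in s:
        reasons.append("injection risk: dynamic SQL assembled with ||")
    if re.search(r"\bSYS\.|\bDBA_|\bV\$", s):
        reasons.append("system tables referenced")
    types = statement_types(source)
    writes = any(t in types for t in ("DML", "DDL", "DCL"))
    if any(r.startswith("injection") for r in reasons) or (reasons and writes):
        rating = "high"
    elif reasons:
        rating = "medium"
    else:
        rating = "low"
    return rating, reasons, types


def fingerprint(source):
    """Hash of the whitespace-normalised source: reformatting alone is not a change."""
    return hashlib.sha256(" ".join(source.split()).encode()).hexdigest()


def procedure_delta(last, now):
    """Per procedure: new / changed / removed / unchanged, plus the rating of
    the current source for anything new or changed."""
    report = {}
    for name in sorted(set(last) | set(now)):
        if name not in last:
            status = "new"
        elif name not in now:
            status = "removed"
        elif fingerprint(last[name]) != fingerprint(now[name]):
            status = "changed"
        else:
            status = "unchanged"
        entry = {"status": status}
        if status in ("new", "changed"):
            entry["rating"], entry["reasons"], entry["types"] = threat_rating(now[name])
        report[name] = entry
    return report


if __name__ == "__main__":
    print(entitlement_delta(ENTITLEMENTS_LAST, ENTITLEMENTS_NOW))
    print(procedure_delta(PROCS_LAST, PROCS_NOW))
```

Run on the constructed snapshots, the entitlement report leads with the new DBA grant to APP_USER, and the procedure report flags GET_STOCK as changed (rewritten to concatenate its input into dynamic SQL) and AUDIT_OFF as new and touching sys.aud$ with DML; a procedure whose source was only reformatted hashes the same and is reported unchanged.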
- 28. The Cost of Inaccuracy
select * from hr.employees;
3,000 transactions per second
260 million transactions per day
At that volume even a 0.1% misclassification rate would be about 260,000 wrong allow/block decisions per day, which is why the policy decision has to be exact rather than approximate.
Speaker notes
- Add one slide after this on the database firewall category