
Oracle Audit Vault &

Database Firewall
Overview

Wolfgang Thiem
ORACLE Germany B.V. & Co.KG
STCC Munich

Copyright 2015 Oracle and/or its affiliates. All rights reserved.

Safe Harbor Statement


The following is intended to outline our general product direction. It is intended for
information purposes only, and may not be incorporated into any contract. It is not a
commitment to deliver any material, code, or functionality, and should not be relied upon
in making purchasing decisions. The development, release, and timing of any features or
functionality described for Oracle's products remains at the sole discretion of Oracle.

Today's Agenda

1. What is Oracle Audit Vault & Database Firewall?
2. Deployment Best Practices
3. Q&A

Oracle Security Solutions: Defense-in-Depth

PREVENTIVE                  DETECTIVE                 ADMINISTRATIVE
Encryption & Redaction      Activity Monitoring       Key & Wallet Management
Masking & Subsetting        Database Firewall         Privilege & Data Discovery
Privileged User Controls    Auditing & Reporting      Configuration Management

Oracle Audit Vault and Database Firewall

Same defense-in-depth matrix as the previous slide; Audit Vault and Database Firewall provide the DETECTIVE column (Activity Monitoring, Database Firewall, Auditing & Reporting).

What is Oracle Audit Vault & Database Firewall?

Database Activity Auditing and Monitoring

Flexible security with Oracle Audit Vault and Database Firewall: the two capabilities differ in what they see, where they see it, what they cost the database and what they are for.

Information
  Monitoring (Database Firewalls): who, what, where, when
  Auditing (Audit Vault Agents): who, what, where, when, plus before/after values and full execution and application context
Pathways
  Monitoring: network traffic only
  Auditing: all pathways, including stored procedures, direct connections, scheduled jobs and operational activities, i.e. activity that never crosses the network path the firewall watches
Impact on database
  Monitoring: completely independent of the database; negligible performance impact
  Auditing: requires native database auditing; minimal performance impact (<5%)
Purpose
  Monitoring: prevent SQL injection and other unauthorized activity; enforce corporate data security policy
  Auditing: ensure regulatory compliance; provide a guaranteed audit trail to enable control

Audit Log Consolidation Deployment Use-Cases

Comprehensive detective control with Audit Vault and Database Firewall
- Offload audit data from production databases and systems
- Consolidate heterogeneous audit data into a single secure repository
- Perform compliance reporting out of the box, with a click of a button
- Accelerate incident response and forensic investigations
- Alert on suspicious and unauthorized activities in real time
- Review user rights; identify dormant users and excessive privileges
- Detect and monitor changes to stored procedures

Audit Vault
Audit data consolidation

- Consolidates and secures audit event data
- Extensive and customizable reporting
- Powerful, threshold-based alerting
- Distributed as a software appliance

(Figure: audit data and event logs flow from the secured targets, shown as several database types including Sybase, into the Audit Vault, which produces alerts, reports and policies.)

Central Repository for Audit and Event Data

- Fine-grained data access authorization model
- Privileged-user protection of the repository with Database Vault
- Audit and event data lifecycle management
- High Availability

Extensive and Customizable Reporting

- Dozens of predefined compliance reports
- Custom reports
- Aggregate and filter data interactively in seconds
- Report scheduling, notification and attestation

Powerful Alerting

- Multi-event alerts with thresholds and duration
- Flexible alert conditions
- Customizable alert content
- Alerts via email or syslog
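The threshold-and-duration alert described on this slide, as an added example written for this page (it is not Audit Vault code): a small engine that keeps one sliding window per rule and grouping key, fires once per burst rather than once per extra event, and renders the alert as a syslog-style line. The rule names, account names, addresses and audit records are constructed for the example.

```python
"""
Threshold/duration alerting over consolidated audit events.

Added illustration for the "Powerful Alerting" slide; this is not Audit Vault
code. Event fields, rule names, user names and IP addresses below are all
constructed for the example.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    target: str        # secured target the record came from
    db_user: str
    client_ip: str
    action: str        # LOGON, SELECT, GRANT, ALTER USER, ...
    status: str        # SUCCESS or FAILURE
    object_name: str = ""


@dataclass
class ThresholdRule:
    name: str
    severity: str
    condition: Callable[[AuditEvent], bool]   # which events count
    group_by: Callable[[AuditEvent], Tuple]   # one window per key
    threshold: int                            # events needed to fire
    duration: timedelta                       # sliding window length


@dataclass
class Alert:
    rule: str
    severity: str
    key: Tuple
    count: int
    first_seen: datetime
    last_seen: datetime

    def to_syslog(self) -> str:
        """One-line rendering of the kind a syslog/SIEM forwarder would ship."""
        return (f"AVDF_ALERT rule={self.rule} severity={self.severity} "
                f"key={'/'.join(map(str, self.key))} count={self.count} "
                f"window={self.first_seen.isoformat()}..{self.last_seen.isoformat()}")


class AlertEngine:
    """Keeps one sliding window of timestamps per (rule, group key)."""

    def __init__(self, rules: List[ThresholdRule]):
        self.rules = rules
        self._windows = defaultdict(deque)
        self.alerts: List[Alert] = []

    def process(self, ev: AuditEvent) -> List[Alert]:
        fired = []
        for rule in self.rules:
            if not rule.condition(ev):
                continue
            key = (rule.name, rule.group_by(ev))
            win = self._windows[key]
            win.append(ev.ts)
            # drop events that fell out of the duration window
            while win and ev.ts - win[0] > rule.duration:
                win.popleft()
            if len(win) >= rule.threshold:
                fired.append(Alert(rule.name, rule.severity, key[1], len(win), win[0], ev.ts))
                win.clear()   # one alert per burst, not one per extra event
        self.alerts.extend(fired)
        return fired


DBA_ACCOUNTS = {"SYSADM"}   # assumption: the approved privileged accounts

RULES = [
    ThresholdRule(
        name="failed_logon_burst", severity="HIGH",
        condition=lambda e: e.action == "LOGON" and e.status == "FAILURE",
        group_by=lambda e: (e.target, e.db_user, e.client_ip),
        threshold=5, duration=timedelta(minutes=2)),
    ThresholdRule(
        name="priv_change_by_non_dba", severity="CRITICAL",
        condition=lambda e: e.action in {"CREATE USER", "ALTER USER", "GRANT"}
        and e.db_user not in DBA_ACCOUNTS,
        group_by=lambda e: (e.target, e.db_user),
        threshold=1, duration=timedelta(0)),     # single-event alert
]


def sample_events() -> List[AuditEvent]:
    """Constructed audit trail: a logon burst, background noise, one rogue GRANT."""
    t0 = datetime(2015, 6, 1, 9, 0, 0)
    ev = [AuditEvent(t0 + timedelta(seconds=10 * i), "ORCL_PROD", "APP",
                     "203.0.113.9", "LOGON", "FAILURE") for i in range(6)]
    ev += [AuditEvent(t0 + timedelta(minutes=m), "ORCL_PROD", "HR",
                      "10.0.2.3", "LOGON", "FAILURE") for m in (0, 5, 10)]
    ev.append(AuditEvent(t0 + timedelta(seconds=65), "ORCL_PROD", "APP",
                         "203.0.113.9", "GRANT", "SUCCESS", "DBA"))
    ev.append(AuditEvent(t0 + timedelta(seconds=70), "ORCL_PROD", "SYSADM",
                         "10.0.0.5", "ALTER USER", "SUCCESS", "APP"))
    return sorted(ev, key=lambda e: e.ts)


def replay(events: List[AuditEvent], rules: List[ThresholdRule]) -> List[Alert]:
    """Feed events in timestamp order and return every alert raised."""
    engine = AlertEngine(rules)
    for e in events:
        engine.process(e)
    return engine.alerts


if __name__ == "__main__":
    for a in replay(sample_events(), RULES):
        print(a.to_syslog())
```

Run against the constructed trail, the six failed APP logons within a minute raise one HIGH alert on the fifth attempt, the three HR failures spread over ten minutes never reach the threshold inside the two-minute window, and the GRANT issued by the non-DBA account fires immediately because its rule has a threshold of one.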

Database Firewall
First line of defense

- Application-layer firewall that monitors SQL activity on the network
- Grammar policy engine precisely identifies SQL statements
- Policy-based actions: pass / log / alert / substitute / block
- Supports both white-list and black-list security models
- Low latency, high availability and scalability

(Figure: users and applications send SQL through the Database Firewall to databases of several types, including Sybase.)

Database Firewall Deployment Use-Cases

First line of defense for your databases
- Comprehensive real-time monitoring of application database activity
- Database activity monitoring for selected users
- Anomaly detection in database activity
- Protection from any unauthorized SQL interaction, user or schema access
- Blocking of SQL injection attacks

Database Firewall
Enforcing access with a black-list based policy

Worked scenario from the slide: the same statement arrives twice.
- Legitimate access: SELECT * from stock where catalog-no=1001 from a permitted client is allowed.
- Unauthorized access: the identical SELECT * from stock where catalog-no=1001 from a client the policy does not permit (e.g. an unexpected IP address) is logged or blocked.

- Apply negative policy actions on session factors: IP address, application, database user and OS user
- Block specific unauthorized SQL statements, users or object access

A black-list decision here depends on session context rather than on the SQL text, so the same statement can be allowed from one source and blocked from another.

Database Firewall
Anomaly detection and threat blocking with a white-list based policy

- Legitimate access: SELECT * from stock where catalog-no=1001 matches a learned statement shape and is allowed.
- Unauthorized access, e.g. SQL injection: SELECT * from stock where catalog-no='' union select cardNo from Orders--' has a different grammatical structure (an appended UNION against another table) and is logged or blocked.

- Accurately detect and block out-of-policy SQL statements
- Automatically create a SQL activity profile of users and/or applications

Because the white-list matches statement structure rather than literal values, changing only the literal (catalog-no=1002) still matches the profile, while the injected UNION does not.

Database Firewall
Transparent blocking with statement substitution

SELECT * FROM stock
becomes
SELECT * FROM dual where 1=0

- Block unauthorized SQL statements by substituting a pre-defined innocuous SQL statement
- Preserve the application-database connection while blocking: the application receives an empty result set instead of a dropped session or a connection error

Database Firewall Policy Engine
Finding needles in the haystack of SQL

- Requirement: audit all SQL (DML, DDL, DCL) and flag unusual events
- Challenge: scale (100k TPS, about 4 TB/day of statements)
- Solution: the Database Firewall creates an activity profile of normal SQL and logs only new, i.e. out-of-policy, SQL
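The mechanics behind the four preceding slides (session-factor black-listing, grammar-shape white-listing, statement substitution, and logging only the SQL that falls outside the learned profile), as an added example written for this page; it is not Database Firewall code. The lexer is a deliberate regex simplification of a real SQL grammar, the policy has just two layers, and every statement, account, program name and network address is constructed. The learned profile is keyed per database user, which is an assumption about how a practitioner would scope it.

```python
"""
Grammar-shape whitelisting with session-factor rules and statement substitution.

Added illustration for the blacklist, whitelist, substitution and policy-engine
slides above; this is not Database Firewall code. The tokenizer is a deliberate
simplification of a real SQL grammar, and every statement, user, program and
address below is constructed for the example.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set

# Simplified SQL lexer (assumption): comments, string and numeric literals,
# words, and single punctuation characters.
_TOKEN = re.compile(
    r"(?P<ws>\s+)"
    r"|(?P<comment>--[^\n]*|/\*.*?\*/)"
    r"|(?P<string>'(?:[^']|'')*')"
    r"|(?P<number>\d+(?:\.\d+)?)"
    r"|(?P<word>[A-Za-z_][A-Za-z0-9_$#]*)"
    r"|(?P<other>.)",
    re.DOTALL,
)


def sql_shape(sql: str) -> str:
    """Reduce a statement to its grammatical shape.

    Literals collapse to '?', comments and whitespace are dropped, everything
    else is lower-cased, so 'catalog_no = 1001' and 'catalog_no = 2002' share
    a shape while an appended UNION does not.
    """
    parts = []
    for m in _TOKEN.finditer(sql):
        kind = m.lastgroup
        if kind in ("ws", "comment"):
            continue
        parts.append("?" if kind in ("string", "number") else m.group().lower())
    return " ".join(parts)


@dataclass(frozen=True)
class Session:
    db_user: str
    os_user: str
    client_ip: str
    program: str


@dataclass
class Decision:
    action: str                 # pass | log | block | substitute
    reason: str
    forward: Optional[str]      # SQL actually sent on to the database


@dataclass
class FirewallPolicy:
    # learned statement shapes per database user (white-list)
    profile: Dict[str, Set[str]] = field(default_factory=dict)
    # session-factor rule: db_user -> networks it may connect from
    allowed_networks: Dict[str, List[str]] = field(default_factory=dict)
    enforce: bool = False       # False = DAM (log only), True = DPE (block)
    substitute_sql: str = "SELECT * FROM dual WHERE 1=0"

    def learn(self, db_user: str, statements: Iterable[str]) -> None:
        """Build the activity profile from statements logged during learning."""
        self.profile.setdefault(db_user, set()).update(sql_shape(s) for s in statements)

    def evaluate(self, sql: str, session: Session) -> Decision:
        # 1. Session factors (black-list style): a source address the account
        #    may not use is refused outright, whatever the SQL says.
        nets = self.allowed_networks.get(session.db_user)
        if nets is not None:
            ip = ipaddress.ip_address(session.client_ip)
            if not any(ip in ipaddress.ip_network(n) for n in nets):
                reason = f"{session.db_user} from {session.client_ip} not permitted"
                return (Decision("block", reason, None) if self.enforce
                        else Decision("log", reason, sql))
        # 2. Grammar white-list: a known shape passes untouched.
        if sql_shape(sql) in self.profile.get(session.db_user, set()):
            return Decision("pass", "statement shape in profile", sql)
        # 3. Out-of-policy SQL: log it in DAM; in DPE replace it so the
        #    application gets an empty result instead of a dropped session.
        if self.enforce:
            return Decision("substitute", "out-of-policy SQL", self.substitute_sql)
        return Decision("log", "out-of-policy SQL", sql)


# Constructed learning-period traffic for the application account
BASELINE = [
    "SELECT * FROM stock WHERE catalog_no = 1001",
    "SELECT * FROM stock WHERE catalog_no = 1002",
    "UPDATE stock SET qty = qty - 1 WHERE catalog_no = 1001",
    "INSERT INTO orders (cust_id, catalog_no, qty) VALUES (42, 1001, 2)",
]
INJECTION = "SELECT * FROM stock WHERE catalog_no = '' UNION SELECT cardNo FROM orders--'"


def demo_policy() -> FirewallPolicy:
    """Policy learned from BASELINE, with APP confined to the app-server subnet."""
    policy = FirewallPolicy(allowed_networks={"APP": ["10.0.1.0/24"]})
    policy.learn("APP", BASELINE)
    return policy


if __name__ == "__main__":
    policy = demo_policy()
    app = Session("APP", "tomcat", "10.0.1.15", "JDBC Thin Client")
    rogue = Session("APP", "mallory", "192.168.77.5", "sqlplus")
    for mode in (False, True):
        policy.enforce = mode
        print("mode:", "DPE" if mode else "DAM")
        for sql, sess in ((BASELINE[0], app), (INJECTION, app), (BASELINE[0], rogue)):
            d = policy.evaluate(sql, sess)
            print(f"  {d.action:<10} {d.reason:<45} -> {d.forward!r}")
```

In DAM mode every out-of-policy event is forwarded unchanged and only logged, which is what makes the learning and refinement phases safe to run against production; flipping a single flag to DPE turns the same decisions into blocks and substitutions. The regex lexer is the weak point of this toy: a production engine parses the full grammar so that, for example, a literal hidden in an unusual quoting form is still recognised as a literal.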

Database Firewall
Flexible deployment

- Out of band (off a SPAN port): passive monitoring
- Proxy mode: inline blocking and monitoring; database clients connect to the IP address of the Database Firewall
- In-line: monitoring or blocking
- Host monitor: a host agent mirrors traffic back to the Database Firewall

EM Plug-in for Audit Vault and Database Firewall

- Automatic deployment of Audit Vault Agents
- Availability, performance and configuration monitoring of AVDF deployments
- Start/Stop/Delete control actions

Audit Vault and Database Firewall

Audit Data Consolidation: heterogeneous databases, OSs and other sources; data lifecycle management
Database Firewall Protection: database activity monitoring; blocking of SQL injections and other malicious SQL
Alerting & Reporting: real-time alerting, customizable reporting, report scheduling and attestation

Deployment Best Practices

Deployment Overview

- Understand and prioritise your database security needs: auditing? monitoring? blocking?
- Estimate the aggregate volume of logged audit and event data
- Roll out audit log consolidation, or activity monitoring, or both

Rolling Out Audit Log Consolidation

Making your audit data safe, secure and accessible with Oracle Audit Vault

1. Configure Audit Vault: install and configure the Audit Vault Server; register Secured Targets
2. Configure Targets: install and activate Audit Vault Agents on target hosts; configure native audit policies
3. Data Lifecycle Settings: configure archive locations; configure data retention policies
4. Alerts & Reports: start collecting and consolidating audit data from trails; create a baseline set of alerts

Rolling Out Monitoring

Monitoring all relevant SQL activity on the network

1. Setup Database Firewalls: deploy Database Firewalls; architect and configure Database Firewall networking
2. Configure Monitoring: configure Enforcement Points; switch on Database Activity Monitoring
3. Configure Policy: assign a unique policy to each Enforcement Point; fine-tune the policy based on logged SQL

Rolling Out Blocking

Protecting your databases with Database Firewall

1. Learn from Logged Data: review SQL activity for the period; identify sets of users with common behavior
2. Create Whitelists: define permitted session profiles and privileged users; specify what activity is to be logged
3. Refine Policy: deploy against production traffic; tighten the policy with rules on out-of-policy SQL
4. Enable Blocking: set up alerts on all out-of-policy activity; switch to Database Policy Enforcement (DPE) mode

Register AVDF in Enterprise Manager

Configure AVDF operational monitoring with the EM AVDF plug-in
- Automatic discovery of Secured Targets
- Automatic discovery and provisioning of AV Agents
- Availability, performance and configuration monitoring with thresholds and alerts
- State control for AVDF architectural components: AV Agents and Audit Trails, Database Firewalls, Secured Targets

Database Firewall deployment in-depth


Database Firewall on the Network

Deployment recommendations
- For passive monitoring (DAM), deploy out of band (off a SPAN port)
- Use proxy mode for no impact on the network infrastructure
- Deploy in-line DAM if you plan to turn on DPE (blocking) in the future, since blocking requires the firewall to sit in the traffic path

(Figure: users and apps reach the databases out of band, via proxy, or through an in-line Database Firewall; the firewall sends events to the Audit Vault Server, which holds policies and produces alerts and reports.)

High Availability deployments


Audit Vault High Availability Mode

Active-standby
- Audit Vault Server failover is based on Oracle Data Guard
- The Agents' fail-over mechanism is Transparent Application Failover (TAF)
- All fully configurable from the web Administrator Console
- 10 minutes of Audit Vault Server unavailability triggers failover

(Figure: Database Firewalls and Audit Vault Agents hold primary (active) links to the Audit Vault Primary and secondary (dormant) links to the Audit Vault Standby; a high-availability data link connects primary and standby.)

Database Firewall High Availability Deployment

Active-active Database Activity Monitoring (DAM)
- Database Firewalls configured as a Resilient Pair
- Identical streams of traffic are fed to both Database Firewalls from a SPAN port on the network switch
- Both produce identical streams of activity logs; the Audit Vault Server de-duplicates them

Database Firewall High Availability Deployment

Active-hot standby Database Policy Enforcement
- Two in-line Database Firewalls sit on two network paths between the switches carrying the inbound SQL traffic
- Spanning Tree Protocol keeps one path enabled (active) and the other disabled (hot standby); if the active path fails, STP moves the traffic to the standby firewall
- Both firewalls send activity data to the Audit Vault Server

Database Firewall High Availability Deployment

Active-active Database Policy Enforcement in proxy mode
- Inbound SQL traffic reaches a load balancer, which distributes sessions across the proxy ports of two Database Firewalls
- Both firewalls enforce policy and send activity data to the Audit Vault Server

Database Firewall High Availability Deployment

Active-active Database Policy Enforcement in in-line mode
- A layer 2 traffic manager splits inbound SQL traffic across two separate (switched) network paths, each with its own in-line Database Firewall
- Both firewalls enforce policy and send activity data to the Audit Vault Server

Q&A

Oracle Database Firewall Take-aways

- SQL grammar analysis: accuracy in identifying invalid SQL based on whitelisting (12.2)
- SQL substitution avoids application errors
- Higher accuracy increases trust
- Part of Oracle Defense-in-Depth
- Included Oracle-stack repository
