Oracle Audit Vault and Database Firewall - DOAG


Post on 18-Mar-2022

TRANSCRIPT

Page 1: Oracle Audit Vault and Database Firewall - DOAG
Page 2

Copyright © 2015 Oracle and/or its affiliates. All rights reserved.

Oracle Audit Vault & Database Firewall Overview

Wolfgang Thiem, ORACLE Germany B.V. & Co. KG, STCC Munich

Page 3

Safe Harbor Statement

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.


Page 4

Today’s Agenda

1. What is Oracle Audit Vault & Database Firewall?
2. Deployment Best Practices
3. Q&A

Page 6

Oracle Security Solutions – Defense-in-Depth

PREVENTIVE
• Masking & Subsetting
• Privileged User Controls
• Encryption & Redaction

DETECTIVE
• Activity Monitoring
• Database Firewall
• Auditing & Reporting

ADMINISTRATIVE
• Privilege & Data Discovery
• Configuration Management
• Key & Wallet Management

Page 7

Oracle Audit Vault and Database Firewall: the DETECTIVE layer of the defense-in-depth picture above (Activity Monitoring, Database Firewall, Auditing & Reporting)

Page 8

Today’s Agenda

1. What is Oracle Audit Vault & Database Firewall?
2. Deployment Best Practices
3. Q&A

Page 9

Database Activity Auditing and Monitoring
Flexible security with Oracle Audit Vault and Database Firewall

Information
• Monitoring (Database Firewalls): who, what, where, when
• Auditing (Audit Vault Agents): who, what, where, when; before/after values; full execution and application context

Pathways
• Monitoring: network
• Auditing: all pathways, including stored procedures, direct connections, scheduled jobs and operational activities

Impact on database
• Monitoring: completely independent of the database, negligible performance impact
• Auditing: requires native database auditing, minimal performance impact (<5%)

Purpose
• Monitoring: prevent SQL injection and other unauthorized activity, enforce corporate data security policy
• Auditing: ensure regulatory compliance, provide a guaranteed audit trail to enable control

Page 10

Audit Log Consolidation Deployment Use-Cases

• Offload audit data from production databases and systems

• Consolidate heterogeneous audit data into single secure repository

• Perform compliance reporting out of the box with a click of a button

• Accelerate incident response and forensic investigations

• Alert on suspicious and unauthorised activities in real time

• Review user rights, identify dormant users and excessive privileges

• Detect and monitor changes to stored procedures

Comprehensive detective control with Audit Vault and Database Firewall

Page 11

Audit Vault: audit data consolidation

• Consolidates and secures audit event data
• Extensive and customizable reporting
• Powerful, threshold-based alerting
• Distributed as a software appliance

[Diagram: audit data and event logs from databases such as Sybase and from other sources flow into the Audit Vault, which applies policies and produces reports and alerts]

Page 12

Central Repository for Audit and Event Data

• Fine-grained data access authorization model
• Repository protected against privileged users with Database Vault
• Audit and event data lifecycle management
• High Availability

Page 13

Extensive and Customizable Reporting

• Dozens of predefined compliance reports
• Custom reports
• Aggregate and filter data interactively in seconds
• Report scheduling, notification and attestation

Page 14

Powerful Alerting

• Multi-event alerts with thresholds and duration

• Flexible alert conditions

• Customizable alert content

• Alerts via email or syslog
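The "multi-event alerts with thresholds and duration" on this slide, as an added example that is not Oracle's code: a sliding-window rule engine fed with consolidated audit records. The record layout, the two rules (a failed-logon brute force per target and user, a burst of privileged DDL per client IP), the thresholds and the whole audit trail are constructed for the demonstration; the Audit Vault's real alert conditions are configured in its console and are not modelled here.

```python
"""Threshold-and-duration alerting over consolidated audit records.

Added example, not Oracle code. Rules, thresholds and records are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable


@dataclass(frozen=True)
class AuditRecord:
    ts: datetime
    target: str       # secured target the record came from
    db_user: str
    client_ip: str
    action: str       # e.g. LOGON, SELECT, ALTER USER
    status: str       # SUCCESS or FAILURE


@dataclass(frozen=True)
class ThresholdRule:
    name: str
    match: Callable[[AuditRecord], bool]       # which records count towards the rule
    group_by: Callable[[AuditRecord], object]  # key the events are counted under
    threshold: int                             # fire once this many matching events ...
    duration: timedelta                        # ... fall within a window of this length
    severity: str = "warning"


class Alerter:
    """Keeps a per-(rule, key) deque of event timestamps; fires once per burst."""

    def __init__(self, rules):
        self.rules = rules
        self._events = defaultdict(deque)
        self.alerts = []

    def ingest(self, rec: AuditRecord):
        """Feed one record (records must arrive in time order); returns alerts fired."""
        fired = []
        for rule in self.rules:
            if not rule.match(rec):
                continue
            key = (rule.name, rule.group_by(rec))
            window = self._events[key]
            window.append(rec.ts)
            while window and rec.ts - window[0] > rule.duration:
                window.popleft()                   # expire events outside the window
            if len(window) >= rule.threshold:
                alert = {"rule": rule.name, "severity": rule.severity,
                         "key": key[1], "count": len(window), "at": rec.ts}
                self.alerts.append(alert)
                fired.append(alert)
                window.clear()                     # one alert per burst, not per event
        return fired


RULES = [
    ThresholdRule("brute_force_logon",
                  match=lambda r: r.action == "LOGON" and r.status == "FAILURE",
                  group_by=lambda r: (r.target, r.db_user),
                  threshold=5, duration=timedelta(minutes=2), severity="critical"),
    ThresholdRule("privileged_ddl_burst",
                  match=lambda r: r.action in ("GRANT", "ALTER USER", "DROP TABLE"),
                  group_by=lambda r: r.client_ip,
                  threshold=3, duration=timedelta(minutes=10)),
]


def constructed_trail():
    """Constructed audit trail: a logon brute force, a DDL burst and one stray failure."""
    t0 = datetime(2015, 11, 17, 9, 0, 0)
    recs = [AuditRecord(t0 + timedelta(seconds=20 * i), "HR_PROD", "SYSTEM",
                        "10.0.1.15", "LOGON", "FAILURE") for i in range(6)]
    recs += [AuditRecord(t0 + timedelta(minutes=30 + i), "HR_PROD", "DBA1",
                         "10.0.9.2", action, "SUCCESS")
             for i, action in enumerate(("GRANT", "ALTER USER", "DROP TABLE"))]
    recs.append(AuditRecord(t0 + timedelta(hours=2), "HR_PROD", "APP",
                            "10.0.1.20", "LOGON", "FAILURE"))   # isolated failure
    return sorted(recs, key=lambda r: r.ts)


def spaced_failures():
    """Edge case: five failures, but one minute apart, so never five inside 2 minutes."""
    t0 = datetime(2015, 11, 17, 10, 0, 0)
    return [AuditRecord(t0 + timedelta(minutes=k), "HR_PROD", "SCOTT",
                        "10.0.1.1", "LOGON", "FAILURE") for k in range(5)]


def run(records, rules=RULES):
    """Replay records through the alerter and return every alert raised."""
    alerter = Alerter(rules)
    for rec in records:
        alerter.ingest(rec)
    return alerter.alerts


if __name__ == "__main__":
    for a in run(constructed_trail()):
        print(a["severity"], a["rule"], a["key"], a["count"], a["at"])
```

The window is expired before the count is compared, so a slow trickle of failures never reaches the threshold (see spaced_failures), and the deque is cleared after an alert so one burst produces one alert rather than one per extra event.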

Page 15

Database Firewall: first line of defense

• Application-layer firewall that monitors SQL activity on the network
• Grammar-based policy engine precisely identifies SQL statements
• Policy-based actions: pass / log / alert / substitute / block
• Supports both white-list and black-list security models
• Low latency, high availability and scalability

[Diagram: applications and users send SQL through the Database Firewall to the databases (Oracle and non-Oracle, e.g. Sybase); permitted statements pass, others raise alerts]

Page 16

Database Firewall Deployment Use-Cases

• Comprehensive real-time application database activity monitoring

• Selected user database activity monitoring

• Anomaly detection in database activity

• Protection from unauthorized SQL interactions and from unauthorized user or schema access

• Blocking of SQL injection attacks

First line of defense for your databases

Page 17

Database Firewall: enforcing access with a black-list policy

• Apply negative policy actions based on session factors: IP address, application, database user and OS user
• Block specific unauthorized SQL statements, users or object access

Example (the same statement, decided on session factors):

  SELECT * from stock where catalog-no='1001'
  → legitimate access: allowed and logged

  SELECT * from stock where catalog-no='1001'
  → unauthorized access, e.g. from a non-permitted IP address: blocked

Page 18

Database Firewall: anomaly detection and threat blocking with a white-list policy

• Accurately detect and block out-of-policy SQL statements
• Automatically create a SQL activity profile of users and/or applications

Example (decided on the structure of the statement, not its literals):

  SELECT * from stock where catalog-no='1001'
  → legitimate access: matches the learned profile, allowed and logged

  SELECT * from stock where catalog-no='' union select cardNo from Orders--'
  → unauthorized access, e.g. SQL injection: the statement structure is not in the profile, blocked

Page 19

Database Firewall: transparent blocking with statement substitution

• Block unauthorized SQL statements by substituting them with a pre-defined innocuous SQL statement
• Preserves the application's database connection while blocking

Example: the out-of-policy statement

  SELECT * FROM stock

is forwarded to the database as

  SELECT * FROM dual where 1=0

so the application receives an empty result set instead of a dropped connection or an error.
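The black-list, white-list and substitution behaviour of the three policy slides above, as an added example that is not Oracle's code. The SQL "grammar" here is a small regex tokenizer that reduces a statement to its shape (literals replaced by a placeholder, comments dropped, case folded); the real product uses a full SQL grammar engine. The CIDR, user names, application names, the learned statements and the rule that a session-factor violation is blocked while an out-of-policy statement follows the configured action (substitute or block) are all assumptions made for the demonstration.

```python
"""Toy model of Database Firewall policy evaluation (added example, not Oracle code).

Models: negative rules on session factors, a positive profile of learned SQL
shapes, and the substitute action that keeps the client connection alive.
The tokenizer stands in for the real SQL grammar engine; all data is constructed.
"""
import ipaddress
import re
from dataclasses import dataclass, field

SUBSTITUTE_SQL = "SELECT * FROM dual WHERE 1=0"   # innocuous statement from the slide

_TOKEN = re.compile(r"""
      (?P<str>'(?:[^']|'')*')        # string literal; '' is an escaped quote
    | (?P<num>\b\d+(?:\.\d+)?\b)     # numeric literal
    | (?P<cmt>--[^\n]*|/\*.*?\*/)    # comment (an injection's trailing -- lands here)
    | (?P<ws>\s+)
    | (?P<word>[A-Za-z_][\w$#]*)     # keyword or identifier
    | (?P<punct>.)                   # operators and punctuation, one char at a time
""", re.VERBOSE | re.DOTALL)


def normalise(sql: str) -> str:
    """Reduce a statement to its shape: literals become '?', comments and
    whitespace vanish, keywords and identifiers are lower-cased."""
    shape = []
    for m in _TOKEN.finditer(sql):
        kind = m.lastgroup
        if kind in ("str", "num"):
            shape.append("?")
        elif kind == "word":
            shape.append(m.group().lower())
        elif kind == "punct":
            shape.append(m.group())
        # comments and whitespace contribute nothing to the shape
    return " ".join(shape)


@dataclass(frozen=True)
class Session:
    client_ip: str
    os_user: str
    application: str


@dataclass
class Policy:
    permitted_networks: tuple = ()               # CIDRs; empty means no IP restriction
    blocked_os_users: frozenset = frozenset()
    profile: set = field(default_factory=set)    # learned white-list of statement shapes
    enforce: bool = False                        # False = DAM (monitor only), True = DPE
    out_of_policy_action: str = "substitute"     # or "block"; used only when enforcing

    def learn(self, statements):
        """Build the activity profile from statements observed in monitoring mode."""
        self.profile.update(normalise(s) for s in statements)


def evaluate(policy: Policy, session: Session, sql: str):
    """Return (action, sql_forwarded_to_database, reason).

    Session factors are checked first (negative policy), then the statement
    shape against the learned profile (positive policy). In monitoring mode
    everything is forwarded unchanged and violations are only logged.
    """
    ip = ipaddress.ip_address(session.client_ip)
    violation = None
    if session.os_user in policy.blocked_os_users:
        violation = f"OS user {session.os_user!r} is black-listed"
    elif policy.permitted_networks and not any(
            ip in ipaddress.ip_network(net) for net in policy.permitted_networks):
        violation = f"client {session.client_ip} is outside the permitted networks"
    if violation:
        return ("block", None, violation) if policy.enforce else ("log", sql, violation)

    if normalise(sql) in policy.profile:
        return ("pass", sql, "statement shape is in the activity profile")
    reason = "statement shape is not in the activity profile"
    if not policy.enforce:
        return ("log", sql, reason)
    if policy.out_of_policy_action == "substitute":
        return ("substitute", SUBSTITUTE_SQL, reason)
    return ("block", None, reason)


def demo():
    """Walk the slides' scenarios through the engine; returns the actions taken."""
    policy = Policy(permitted_networks=("10.0.1.0/24",), blocked_os_users=frozenset({"guest"}))
    policy.learn([                      # constructed traffic seen while running in DAM mode
        "SELECT * from stock where catalog-no='1001'",
        "SELECT * from stock where catalog-no='2042'",
        "UPDATE stock SET qty = 5 WHERE catalog-no = '1001'",
    ])
    app = Session(client_ip="10.0.1.15", os_user="webapp", application="shop")
    rogue = Session(client_ip="192.168.7.9", os_user="webapp", application="sqlplus")
    injected = "SELECT * from stock where catalog-no='' union select cardNo from Orders--'"
    actions = [evaluate(policy, app, "SELECT * from stock where catalog-no='7'")[0],  # new literal, same shape
               evaluate(policy, app, injected)[0]]                                    # DAM: logged only
    policy.enforce = True
    actions.append(evaluate(policy, app, injected)[0])                                # DPE: substituted
    actions.append(evaluate(policy, rogue, "SELECT * from stock where catalog-no='1001'")[0])  # wrong network
    return actions


if __name__ == "__main__":
    print(demo())   # ['pass', 'log', 'substitute', 'block']
```

Because literals are abstracted away, a new catalog number still matches the learned shape, while the injected UNION changes the shape and is caught even though the surrounding text is identical to a legitimate query; in DAM mode the same decision is recorded but nothing is altered, which is the "learn, then enforce" sequence the deployment slides recommend.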

Page 20

Database Firewall Policy Engine: finding needles in the haystack of SQL

Requirement: "audit all"

Challenge: scale (≥100k TPS ≈ 4 TB of logged SQL per day)

Solution:
• Database Firewall creates an activity profile of the routine DML, DDL and DCL
• Logs new (i.e. "out of policy") SQL rather than every statement, so unusual events stand out

Page 21

Database Firewall: flexible deployment

• Out of band (off a SPAN port): passive monitoring
• Proxy mode: database clients connect to the IP address of the Database Firewall
• In-line: monitoring or blocking
• Host monitor: a host agent mirrors traffic back to the Database Firewall

Page 22

EM Plug-in for Audit Vault and Database Firewall

• Automatic deployment of Audit Vault Agents
• Availability, performance and configuration monitoring of AVDF deployments
• Start/Stop/Delete control actions

Page 23

Audit Vault and Database Firewall

• Database Firewall Protection: database activity monitoring, blocking of SQL injections and other malicious SQL
• Alerting & Reporting: real-time alerting, customizable reporting, report scheduling and attestation
• Audit Data Consolidation: heterogeneous databases, OSs and other sources, data lifecycle management

Page 24

Today’s Agenda

1. What is Oracle Audit Vault & Database Firewall?
2. Deployment Best Practices
3. Q&A

Page 25

Deployment Overview

• Understand and prioritise your database security needs: auditing? monitoring? blocking?
• Estimate the aggregate volume of logged audit and event data
• Roll out audit log consolidation, activity monitoring, or both

Page 26

Rolling Out Audit Log Consolidation
Making your audit data safe, secure and accessible with Oracle Audit Vault

Configure Audit Vault
• Install and configure the Audit Vault Server
• Register Secured Targets

Configure Targets
• Install and activate Audit Vault Agents on the target hosts
• Configure native audit policies

Data Lifecycle Settings
• Configure archive locations
• Configure data retention policies

Alerts & Reports
• Start collecting and consolidating audit data from the trails
• Create a baseline set of alerts

Page 27

Rolling Out Monitoring
Monitoring all relevant SQL activity on the network

Set up Database Firewalls
• Deploy Database Firewalls
• Architect and configure Database Firewall networking

Configure Monitoring
• Configure Enforcement Points
• Switch on Database Activity Monitoring

Configure Policy
• Assign the ‘Unique’ policy to the Enforcement Points
• Fine-tune the policy based on the logged SQL

Page 28

Rolling Out Blocking
Protecting your databases with Database Firewall

Learn from Logged Data
• Review SQL activity for the period
• Identify sets of users with common behavior

Create Whitelists
• Define permitted session profiles and privileged users
• Specify what activity is to be logged

Refine Policy
• Deploy against production traffic
• Tighten the policy with rules on out-of-policy SQL

Enable Blocking
• Set up alerts on all out-of-policy activity
• Switch to Database Policy Enforcement mode

Page 29

Register AVDF in Enterprise Manager: configure AVDF operational monitoring with the EM AVDF plug-in

• Automatic discovery of Secured Targets

• Automatic discovery and provisioning of AV Agents

• Availability, performance and configuration monitoring with thresholds and alerts

• State control for AVDF architectural components:

– AV Agents and Audit Trails

– Database Firewalls

– Secured Targets

Page 30

1. Database Firewall deployment in-depth

Page 31

Database Firewall on the Network: deployment recommendations

• For passive monitoring (DAM), deploy out-of-band
• Use proxy mode when the network infrastructure must not be changed
• Deploy in-line DAM if you plan to turn on DPE (blocking) in the future

[Diagram: apps and users reach the databases through one of the three placements (out of band, proxy, in-line blocking and monitoring); the Database Firewall sends events to the Audit Vault Server, which holds the policies and produces reports and alerts]

Page 32

2. High Availability deployments

Page 33

Audit Vault High Availability Mode (active-standby)

• Audit Vault Server failover is based on Oracle Data Guard
• Agents fail over using Transparent Application Failover (TAF)
• All of this is configurable from the web Administrator Console
• 10 minutes of Audit Vault Server unavailability triggers a failover

[Diagram: Audit Vault Primary and Audit Vault Standby joined by a high-availability data link; the Database Firewalls and Audit Vault Agents keep primary links (active) to the primary and secondary links (dormant) to the standby]

Page 34

Database Firewall High Availability Deployment: active-active Database Activity Monitoring (DAM)

[Diagram: a high-availability network switch delivers identical streams of the inbound SQL traffic from a SPAN port to two Database Firewalls configured as a resilient pair; both send identical streams of activity logs to the Audit Vault Server, which deduplicates them]

Page 35

Database Firewall High Availability Deployment: active-“hot standby” Database Policy Enforcement

[Diagram: inbound SQL traffic crosses between two network switches over two in-line paths, one through each Database Firewall; spanning tree keeps one path enabled (active) and the other disabled (hot standby); each firewall sends activity data to the Audit Vault Server]

Page 36

Database Firewall High Availability Deployment: active-active Database Policy Enforcement in proxy mode

[Diagram: a load balancer distributes inbound SQL traffic across the proxy ports of two Database Firewalls; each sends activity data to the Audit Vault Server]

Page 37

Database Firewall High Availability Deployment: active-active Database Policy Enforcement in in-line mode

[Diagram: a Layer 2 traffic manager splits inbound SQL traffic over two separate (switching) network paths, one through each in-line Database Firewall; each sends activity data to the Audit Vault Server]

Page 38

Today’s Agenda

1. What is Oracle Audit Vault & Database Firewall?
2. Deployment Best Practices
3. Q&A

Page 39

Oracle Database Firewall Take-aways

• SQL grammar analysis
• Accuracy in identifying invalid SQL based on white-listing
• SQL substitution avoids application errors
• Higher accuracy increases trust
• Part of Oracle's defense-in-depth
• Included Oracle-stack repository

12.2
