Databases and the content they store are among the most valuable IT assets – and the most targeted by hackers.
In an effort to help secure databases, Oracle today is launching the new Oracle Database Firewall as an approach to defend databases against SQL injection and other database attacks.
“People deploy network firewalls to analyze and monitor traffic that goes into their data center. The Oracle Database Firewall takes this one step further,” Vipin Samar, Oracle vice president of Database Security, told InternetNews.com. “We look at the the SQL that is going between the application servers and the database. We analyze the SQL to see if it is good or if it is a SQL injection attack and then we can block the statement from going to the database.”
The Oracle Database Firewall is derived from technology that Oracle acquired in May 2010 with the acquisition of database firewall vendor Secerno. Samar noted that Oracle has improved the Secerno technology and changed some of the underlying pieces. For one, the Oracle Database Firewall is now built on top of a hardened version of Oracle Enterprise Linux. And the underlying data store has moved from a PostgreSQL base to Oracle Database. Additionally, Samar noted that the Oracle Database Firewall supports IBM DB2,Sybase ASE and Microsoft SQL Server in addition to Oracle’s namesake database.
Support for Oracle’s open source MySQL database isn’t part of the initial Database Firewall release. Samar noted that the technology can be extended to other databases and likely will be at some point in the future.
The way the Oracle Database Firewall works is by learning what SQL is good, by first watching the traffic between a server and a database. Samar explained that the system creates a set of whitelist SQL statements that are allowed to run. SQL Injection attacks are discovered by virtue of the fact that attacks introduce SQL that has not yet been seen by the system.
“We’re not focusing on the way in which a malicious user is injecting the SQL since it can really be done in a lot of different ways,” Samar said. “We just say that whatever SQL is not in the whitelist is bad SQL.”
Samar added that the system logs all the SQL so an administrator can review if the SQL is in fact valid or if it is an attack.
SQL Injection attacks are often exploited due to input sanitation issues in application code. Vendors including IBM now have solutions that enable web application developers to scan their code to try and mitigate such SQL Injection attack vectors.
The Oracle Database Firewall is specifically tuned for SQL and isn’t quite the same as what a typical Web Application Firewall (WAF) delivers. Samar explained that typical WAFs are focused on HTTP traffic. In contrast he stressed that the Oracle Database Firewall is looking at the SQL data flow between an application server and the database. He added that the Database Firewall can be used as a complementary technology to a WAF, which is more focused on the web application elements.
As such, Samar noted that Oracle is not currently linking the Database Firewall with updates that Oracle issues as part of the quarterly Critical Patch Update (CPU) cycle from Oracle. He noted that CPU-based vulnerabilities can come from SQL issues as well as other application vulnerabilities.
“This is a SQL firewall and those are the most dangerous attacks,” Samar said. “We don’t have to go and protect the database against CPU attacks since in a broad sense we are protecting the database from any SQL it has not seen before. So hopefully it should do well against attacks that are listed in the CPU.”
The Oracle Database Firewall joins other Oracle technologies that are designed to help protect database security. Samar noted that Oracle has solutions for encrypting database data as well as ensuring user privileges with DatabaseVault.
“Database Firewall is a good first layer of defense for databases but it won’t protect you from everything,” Samar said. “It’s part of a defense in depth strategy which addresses the various ways that hackers can get into a system.”