Post on 18-Mar-2022
Copyright © 2015 Oracle and/or its affiliates. All rights reserved.
Oracle Audit Vault & Database Firewall Overview
Wolfgang Thiem ORACLE Germany B.V. & Co.KG STCC Munich
Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
Today’s Agenda
1. What is Oracle Audit Vault & Database Firewall?
2. Deployment Best Practices
3. Q&A
Oracle Security Solutions – Defense-in-Depth
Preventive: Masking & Subsetting; Privileged User Controls; Encryption & Redaction
Detective: Activity Monitoring; Database Firewall; Auditing & Reporting
Administrative: Privilege & Data Discovery; Configuration Management; Key & Wallet Management
Oracle Audit Vault and Database Firewall
(Same defense-in-depth grid as above: Audit Vault and Database Firewall supply the detective controls, Activity Monitoring, Database Firewall and Auditing & Reporting.)
Database Activity Auditing and Monitoring: flexible security with Oracle Audit Vault and Database Firewall
Comparison of the two collection methods (the two columns of the original table):
Information
  Monitoring (Database Firewalls): who, what, where, when
  Auditing (Audit Vault Agents): who, what, where, when; before/after values; full execution and application context
Pathways
  Monitoring: network
  Auditing: all, i.e. stored procedures, direct connections, scheduled jobs, operational activities
Impact on database
  Monitoring: completely independent, negligible performance impact
  Auditing: requires native database auditing, minimal performance impact (<5%)
Purpose
  Monitoring: prevent SQL injections and other unauthorized activity, enforce corporate data security policy
  Auditing: ensure regulatory compliance, provide guaranteed audit trail to enable control
Audit Log Consolidation Deployment Use-Cases
• Offload audit data from production databases and systems
• Consolidate heterogeneous audit data into single secure repository
• Perform compliance reporting out of the box with a click of a button
• Accelerate incident response and forensic investigations
• Alert on suspicious and unauthorised activities in real time
• Review user rights, identify dormant users and excessive privileges
• Detect and monitor changes to stored procedures
Comprehensive detective control with Audit Vault and Database Firewall
Audit Vault: Audit data consolidation
• Consolidates and secures audit event data
• Extensive and customizable reporting
• Powerful, threshold based alerting
• Distributed as software appliance
(Diagram: audit data and event logs from heterogeneous sources, Sybase among them, flow into Audit Vault, which applies policies and produces reports and alerts.)
Central Repository for Audit and Event Data
• Fine-grained data access authorization model
• Privileged-user repository protection with Database Vault
• Audit and event data lifecycle management
• High Availability
Extensive and Customizable Reporting
• Dozens of predefined compliance reports
• Custom reports
• Aggregate and filter data interactively in seconds
• Report scheduling, notification and attestation
Powerful Alerting
• Multi-event alerts with thresholds and duration
• Flexible alert conditions
• Customizable alert content
• Alerts via email or syslog
Database Firewall: First line of defense
• Application layer firewall monitors SQL activity on the network
• Grammar policy engine precisely identifies SQL statements
• Policy-based pass/log/alert/substitute/block
• Supports both white-list and black-list security models
• Low latency, high availability and scalability
(Diagram: applications and users send SQL through the Database Firewall to the databases, Sybase among them.)
Database Firewall Deployment Use-Cases
• Comprehensive real-time application database activity monitoring
• Selected user database activity monitoring
• Anomaly detection in database activity
• Protection from all unauthorized SQL interactions, user or schema access
• Blocking of SQL injection attacks
First line of defense for your databases
Database Firewall: Enforcing access with black-list based policy
• Apply negative policy actions on session factors: IP address, application, database and OS user
• Block specific unauthorized SQL statements, users or object access
Example (black-list policy with block, allow and log actions): the same statement
  SELECT * from stock where catalog-no='1001'
is allowed and logged when it is legitimate access, and blocked when it is unauthorized access, e.g. from a not permitted IP address.
Database Firewall: Anomaly detection and threat blocking with white-list based policy
• Accurately detect and block out-of-policy SQL statements
• Automatically create SQL activity profile of users and/or applications
Example (white-list policy with block, allow and log actions): the legitimate statement
  SELECT * from stock where catalog-no='1001'
is allowed and logged, while the SQL-injection attempt
  SELECT * from stock where catalog-no='' union select cardNo from Orders--'
is out of policy and blocked.
Database Firewall: Transparent blocking with statement substitution
• Block unauthorized SQL statements by substituting a pre-defined innocuous SQL statement
• Preserve the application-database connection while blocking
Example: the blocked statement SELECT * FROM stock is forwarded to the database as SELECT * FROM dual where 1=0
Database Firewall Policy Engine: Finding needles in the haystack of SQL
Requirement: “Audit all”
Challenge: scale (≥100k TPS ≈ 4TB/day)
Solution:
• Database Firewall creates activity profile
• Logs new (i.e. “out of policy”) SQL
(Diagram: SQL traffic grouped into DML, DDL, DCL and unusual events.)
Database Firewall: Flexible deployment
• Out of band (off SPAN port)
– Passive monitoring
• Proxy mode
– Database clients connect to the IP address of the Database Firewall
• In-line
– Monitoring or blocking
• Host monitor
– Host agent mirrors traffic back to the Database Firewall
EM Plug-in for Audit Vault and Database Firewall
• Automatic deployment of Audit Vault Agents
• Availability, performance and configuration monitoring of AVDF deployments
• Start/Stop/Delete control actions
Audit Vault and Database Firewall
• Database Firewall Protection: database activity monitoring, blocking of SQL injections and other malicious SQL
• Alerting & Reporting: real-time alerting, customizable reporting, report scheduling and attestation
• Audit Data Consolidation: heterogeneous databases, OSs and other sources, data lifecycle management
Deployment Overview
• Understand and prioritise your database security needs
• Estimate aggregate volume of logged audit and event data
• Roll out audit log consolidation, or activity monitoring, or both
Auditing? Monitoring? Blocking?
Rolling Out Audit Log Consolidation: Making your audit data safe, secure and accessible with Oracle Audit Vault
Configure Audit Vault
• Install and configure Audit Vault Server
• Register Secured Targets
Configure Targets
• Install and activate Audit Vault Agents on target hosts
• Configure native audit policies
Data Lifecycle Settings
• Configure archive locations
• Configure data retention policies
Alerts & Reports
• Start collecting and consolidating audit data from trails
• Create baseline set of alerts
Rolling Out Monitoring: Monitoring all relevant SQL activity on the network
Setup Database Firewalls
• Deploy Database Firewalls
• Architect and configure Database Firewall networking
Configure Monitoring
• Configure Enforcement Points
• Switch on Database Activity Monitoring
Configure Policy
• Assign ‘Unique’ policy to Enforcement Points
• Fine-tune policy based on logged SQL
Rolling Out Blocking: Protecting your databases with Database Firewall
Learn from Logged Data
• Review SQL activity for the period
• Identify sets of users with common behavior
Create Whitelists
• Define permitted session profiles and privileged users
• Specify what activity is to be logged
Refine Policy
• Deploy against production traffic
• Tighten policy by rules on out of policy SQL
Enable Blocking
• Set up alerts on all out of policy activity
• Switch to Database Policy Enforcement Mode
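The learn-then-enforce flow of these rollout steps, together with the white-list policy, statement-substitution and activity-profile slides earlier, as a toy Python model. This is an added example, not Oracle code: the real grammar engine parses SQL, whereas this approximation reduces each statement to a shape by replacing literals with placeholders; the session values and learned statements are constructed.

```python
"""Toy allow-list ("white-list") SQL policy engine modelled on the slides.
Added example, not Oracle code: the real Database Firewall parses SQL grammar;
here a statement is reduced to a "shape" by replacing literals with placeholders,
so statements that differ only in values match the same profile entry."""
import re
from dataclasses import dataclass, field

SUBSTITUTE = "SELECT * FROM dual where 1=0"   # innocuous statement quoted on the slides
_STRING = re.compile(r"'(?:[^']|'')*'")        # SQL string literal ('' escapes a quote)
_NUMBER = re.compile(r"\b\d+(?:\.\d+)?\b")     # numeric literal

def normalize(sql: str) -> str:
    """Grammatical shape: literals -> ?, lower case, whitespace collapsed."""
    return " ".join(_NUMBER.sub("?", _STRING.sub("?", sql)).split()).lower()

@dataclass(frozen=True)
class Session:  # session factors a policy can key on: client IP, application, database user
    client_ip: str
    app: str
    db_user: str

@dataclass
class AllowListPolicy:
    permitted_sessions: set = field(default_factory=set)
    profile: set = field(default_factory=set)
    enforce: bool = False   # False: monitoring (DAM) only logs; True: enforcement (DPE) blocks

    def learn(self, session: Session, statements: list) -> None:
        """Learning period: record a permitted session and the SQL shapes it used."""
        self.permitted_sessions.add(session)
        self.profile.update(normalize(s) for s in statements)

    def evaluate(self, session: Session, sql: str) -> tuple:
        """Return (action, statement forwarded). Out-of-policy SQL is only logged in DAM
        mode; in DPE mode it is replaced by SUBSTITUTE, so the app keeps its connection."""
        if session in self.permitted_sessions and normalize(sql) in self.profile:
            return "pass", sql
        return ("log", sql) if not self.enforce else ("block+substitute", SUBSTITUTE)

# Constructed learning-period traffic from the order application (hypothetical values).
APP = Session("10.0.0.5", "orders-app", "APP_USER")
LEARNED = ["SELECT * from stock where catalog-no='1001'",
           "SELECT * from stock where catalog-no='2048'"]
INJECTED = "SELECT * from stock where catalog-no='' union select cardNo from Orders--'"

def demo() -> list:
    # Learn, switch to enforcement, then evaluate legitimate, injected and off-profile traffic.
    policy = AllowListPolicy()
    policy.learn(APP, LEARNED)
    policy.enforce = True
    return [policy.evaluate(APP, "select * from stock where catalog-no='7'"),
            policy.evaluate(APP, INJECTED),
            policy.evaluate(Session("203.0.113.9", "sqlplus", "APP_USER"), LEARNED[0])]
```

Before `enforce` is switched on, the same out-of-policy traffic is returned with action `log`, which is the monitoring-period view the rollout steps use to refine the white-list.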
Register AVDF in Enterprise Manager: Configure AVDF operational monitoring with the EM AVDF plug-in
• Automatic discovery of Secured Targets
• Automatic discovery and provisioning of AV Agents
• Availability, performance and configuration monitoring with thresholds and alerts
• State control for AVDF architectural components:
– AV Agents and Audit Trails
– Database Firewalls
– Secured Targets
1. Database Firewall deployment in-depth
Database Firewall on the Network: deployment recommendations
• For passive monitoring (Database Activity Monitoring, DAM) deploy out-of-band
• Use Proxy mode for no impact on network infrastructure
• Deploy in-line DAM if planning to turn on Database Policy Enforcement (DPE, blocking) in the future
(Diagram: the three placements, out of band, proxy, and in-line blocking and monitoring, between apps/users and the databases; the Database Firewall produces events, reports, alerts and policies.)
2. High Availability deployments
Audit Vault High Availability Mode
• Audit Vault Server failover is based on Oracle Data Guard
• The Agents’ fail-over mechanism is Transparent Application Failover (TAF)
• All fully configurable from the web Administrator Console
• 10 minutes of Audit Vault Server unavailability triggers failover
(Diagram: active-standby pair, Audit Vault Primary and Audit Vault Standby joined by a High Availability data link; Database Firewalls and Audit Vault Agents keep primary links (active) to the primary and secondary links (dormant) to the standby.)
Database Firewall High Availability Deployment: Active-active Database Activity Monitoring (DAM)
(Diagram: inbound SQL requests pass through a network switch whose SPAN port sends identical streams of traffic to both Database Firewalls, configured as a resilient pair; both send identical streams of activity logs to the Audit Vault Server, which de-duplicates them.)
Database Firewall High Availability Deployment: Active-“hot standby” Database Policy Enforcement
(Diagram: inbound SQL traffic reaches the databases through one of two in-line Database Firewalls, each behind its own network switch; one path is STP-enabled, the other STP-disabled; both firewalls send activity data to the Audit Vault Server.)
Database Firewall High Availability Deployment: Active-active Database Policy Enforcement in Proxy mode
(Diagram: a load-balancer distributes inbound SQL traffic across the proxy ports of two Database Firewalls; each sends activity data to the Audit Vault Server.)
Database Firewall High Availability Deployment: Active-active Database Policy Enforcement in In-line mode
(Diagram: a Layer 2 Traffic Manager splits inbound SQL traffic across two Database Firewalls on separate (switching) network paths; each sends activity data to the Audit Vault Server.)
Oracle Database Firewall Take-aways
• SQL grammar analysis
• Accuracy in identifying invalid SQL based on whitelisting
• SQL substitution avoids application errors
• Higher accuracy increases trust
• Part of Oracle Defense-in-Depth
• Included Oracle-stack repository
12.2