You are on page 1of 58

Oracle Database Firewall

Stuart Sharp
Oracle, Principal Sales Consultant, Information Security

-1-

Author

Copyright 2012, Oracle. All rights reserved.

Stuart Sharp

This documentation contains proprietary information of Oracle Corporation. It is provided


under a license agreement containing restrictions on use and disclosure and is also protected
by copyright law. Reverse engineering of the software is prohibited. If this documentation is
delivered to a U.S. Government Agency of the Department of Defense, then it is delivered
with Restricted Rights and the following legend is applicable:
Restricted Rights Legend
Use, duplication or disclosure by the Government is subject to restrictions for commercial
computer software and shall be deemed to be Restricted Rights software under Federal law,
as set forth in subparagraph (c)(1)(ii) of DFARS 252.227-7013, Rights in Technical Data and
Computer Software (October 1988).
This material or any portion of it may not be copied in any form or by any means without the
express prior written permission of Oracle Corporation. Any other copying is a violation of
copyright law and may result in civil and/or criminal penalties.
If this documentation is delivered to a U.S. Government Agency not within the Department of
Defense, then it is delivered with Restricted Rights, as defined in FAR 52.227-14, Rights in
Data-General, including Alternate III (June 1987).
The information in this document is subject to change without notice. If you find any
problems in the documentation, please report them in writing to Education Products, Oracle
Corporation, 500 Oracle Parkway, Redwood Shores, CA 94065. Oracle Corporation does not
warrant that this document is error-free.
Oracle and all references to Oracle Products are trademarks or registered trademarks of
Oracle Corporation.
All other products or company names are used for identification purposes only, and may be
trademarks of their respective owners.
Contact For This Document
Please direct any questions or comments regarding the contents of this document to Stuart
Sharp (stuart.sharp@oracle.com).

-2-

TABLE OF CONTENTS
TABLE OF CONTENTS ........................................................................................................ 3
AMAZON EC2 - Summary of Accounts and Passwords ....................................................... 4
LAB CONFIGURATION ORACLE DATABASE FIREWALL ...................................................... 5
LAB EXERCISE 00 ORACLE DATABASE FIREWALL OVERVIEW ............................................ 6
LAB EXERCISE 01 ORACLE DATABASE FIREWALL ENFORCEMENT POINTS TO MONITOR
AND PROTECT DATABASES .................................................................. 9
LAB EXERCISE 02 ORACLE DATABASE FIREWALL USE THE TRAFFIC ANALYZER TO
CONFIGURE POLICIES AND BLOCK UNAUTHORIZED TRAFFIC ............... 30
LAB EXERCISE 03 ORACLE DATABASE FIREWALL GAIN VISIBILITY AND SATISFY
REQUIREMENTS THROUGH REPORTING ............................................. 46

-3-

Virtual Box - Summary of Accounts and Passwords


IMAGE NAME AND IP ADDRESS:
dbfw-db
database-firewall-5.1
dbfw-win

database.oracle.com (192.168.56.41)
dbfirewall.oracle.com (192.168.56.30)
192.168.56.10

IMAGE OPERATING SYSTEM ACCOUNTS:


Windows - oracle/oracle
DB Sec - oracle/oracle
DB Sec - root/oracle

11g ACCOUNTS (database DB01):


sysman/oracle1
sys/oracle1
system/oracle1

Oracle Database Firewall:


admin/oracle1

-4-

LAB CONFIGURATION ORACLE DATABASE FIREWALL


OVERVIEW
For these lab exercises, you will need to have the following Virtual Box images running. The
labs are structured for all tasks to be performed from the Windows Desktop client, apart from
starting the database. The three virtual images are:

Database: Oracle 11gR1 (DB01)


Oracle Database Firewall 5.1
Windows Client

Confirm that you can connect the three environments you will be using for this lab:
1. Open the database Virtual Box image dbfw-db. Log in as oracle/oracle and doubleclick on the Lab 1: Start DB01 icon.
2. Open the Windows Virtual Box image dbfw-win. On the desktop, open the web
browser. In the browser, click on the DBFW Administration Console link or type
https://dbfirewall.oracle.com.
You should see a login page for the Oracle Database Firewall Administration Console.
Log in as admin/oracle1.
3. On the desktop, double-click on SQL Plus. Enter the username system and the
password oracle1. Type select * from demoapps.orders;. Two or more rows should
be returned.
You are now ready to start the hands-on labs.

-5-

LAB EXERCISE 00 ORACLE DATABASE FIREWALL


OVERVIEW
INTRODUCTION
The Oracle Database Firewall system secures and protects data in SQL databases. It blocks
attempted attacks, logs activity, and produces related warnings and provides tools to assess
vulnerabilities. The Database Firewall system enhances existing database security features, such
as encryption and user authentication, and brings significant advantages over traditional
database firewall systems. Traditional systems usually test the syntax of statements passed to
the database, recognizing predefined expressions. Creating a set of rules using this technique
requires a hand-crafted approach and can be very time-consuming and complex, even for
someone very knowledgeable about the database. Even if significant resources create
satisfactory protection for known threats, little protection may be offered for unknown threats.
The Database Firewall addresses these challenges.
The Oracle Database Firewall system works by analyzing the meaning of the SQL statements
that database clients send to the database. This provides a much higher degree of protection
than traditional database firewalls, because it does not depend on the source of an attack or on
recognizing the syntax of known security threats. The Database Firewall can block insider
misuse and the increasing number of previously unseen attacks (known as "zero-day" attacks),
including those targeted individually against your organization.
The Oracle Database Firewall protects without affecting the performance of the database
server or its client applications. The system protects from attacks originating from inside
firewalls, as well as from external sources. The central feature of an Oracle Database Firewall
system is the ability to scan and log SQL traffic to the monitored databases. The Database
Firewall system scans all SQL statements passed to the databases in real time. You can
configure enforcement points to monitor traffic, generate warnings of potential attacks, and
block harmful statements.

-6-

The Database Firewall is comprised of the following components:

Oracle Database Firewall


Oracle Database Firewall Management Server
Oracle Database Firewall Analyzer

Oracle Database Firewall


The system employs at least one Database Firewall for up to 80 Protected Databases which can
optionally report to the Management Server. The Database Firewall handles real-time recording
and analysis of SQL transaction requests and responses from a protected database, which may
be an Oracle, MySQL, Microsoft SQL Server, DB2, Sybase Adaptive Server Enterprise (ASE), or
Sybase SQL Anywhere database. The Database Firewall enforces policies based on session
factors (e.g. user name and client IP address), and grammatical characteristics of each SQL
statement such as tables accessed, SQL classification (read, write, create, etc), and grammatical
cluster (the classification of a SQL statement based on its grammatical structure).
An Oracle Database Firewall can be used as a transparent network bridge, simply inserted into
the network in a segment that lies between database clients/application servers and the
databases being protected. This in line bridge architecture requires no configuration changes
to database clients, applications or the database itself. The same Database Firewall can also be
configured as a proxy. This only requires the IP address and port of the database client or
application to be changed to the IP address and port assigned to the Database Firewall proxy
port. Most enterprise network switches and traditional firewalls can also be used to redirect
database traffic to an Oracle Database Firewall proxy port, allowing SQL traffic to be protected
without any changes to database clients or applications.

Oracle Database Firewall Management Server

-7-

The Database Firewall Management Server remotely manages all Database Firewalls that are
connected to it. It accumulates SQL statements from these firewalls, along with the associated
session details, stores and manages log files, provides business reports, and integrates with
third-party applications as needed.
Oracle Database Firewall Analyzer
The Oracle Database Firewall Analyzer creates the policy that the Database Firewalls use to
block, alert, log or permit SQL statements. Oracle Database Firewall Analyzer is installed on a
Microsoft Windows client computer and connects to the Management Server (or Stand-Alone
Database Firewall) to read logs created by the Database Firewalls.
A.

Lab Scenarios and Objectives

In our lab scenario we have a fictional company called ACME Corp which is evaluating its
security posture in preparation for a consolidation program. ACME Corp currently supports
multiple applications serving multiple external customers. Due to current security policy each
new application has to be hosted on a new server. This has caused the IT infrastructure to
expand rapidly and incur significant administration overhead. The consolidation program will
migrate multiple applications to a single platform. However, after reviewing the new
architecture ACMEs security team has raised a number of concerns. One of the chief concerns
is about SQL Injection being able to affect databases managed on a single platform. ACME has
decided to implement Oracle Database Firewall (DBFW) to address these security concerns. By
implementing DBFW to block unauthorized SQL traffic, ACME can continue to progress the
consolidation project.

-8-

LAB EXERCISE 01 ORACLE DATABASE FIREWALL


ENFORCEMENT POINTS TO MONITOR AND PROTECT
DATABASES
INTRODUCTION
Oracle Database Firewall, part of Oracle's comprehensive portfolio of database security
solutions, is the first line of defence for both Oracle and non-Oracle databases. It monitors
database activity on the network to help prevent unauthorized access, SQL injections, privilege
or role escalation, and other external and internal attacks - all in real time. Based on innovative
SQL grammar technology that can reduce millions of SQL statement into a small number of SQL
characteristics, Oracle Database Firewall offers unmatched accuracy, scalability, and
performance. Enforcement of positive (white list) and negative (black list) security models
provides protection from threats without time consuming and costly false positives. Oracle
Database Firewall also enables organizations to address DPA, PCI, SOX, and other regulatory
requirements without changes to existing applications or databases, and demonstrate
compliance with over a hundred built-in customizable reports.
A.

Lab Scenarios and Objectives


In this lab exercise, you will accomplish the following:
1. Create a Proxy port on the Oracle Database Firewall
2. Create and setup an enforcement point in Oracle Database Firewall
3. Reconfigure the Application server to connect to the Database Firewall Proxy
4. Generate database activity using an HR Application
5. Perform a SQL Injection attack
6. Upload and activate a Database Firewall blocking policy
7. Prove the HR Application works as expected
8. Attempt the same SQL Injection attack with blocking
9. Build a Blocking Policy using traffic generated in a test environment
10. Create a detailed report of database traffic in the Database Firewall
Management Console

B.

Setup and Preparation


You should have completed LAB EXERCISE 00 ORACLE DATABASE FIREWALL
OVERVIEW
Connected to the Windows Environment.
Connected to the Oracle Database Firewall Web Administration Console.
Connected to the Oracle database.

-9-

C.

Configure Proxy Ports and Enforcement Points to Monitor and Protect Databases
1. If you have not already connected to the Windows Desktop and started the web
browser, do so now.
2. Click on the Oracle Database Firewall link in the Favorites toolbar, or type in
https://dbfirewall.oracle.com.
3. You will be taken to the Oracle Database Firewall (DBFW) Administration Console
login page. Login with the default administration user. The username is
admin, and the password is oracle1. Click the login button after entering
the credentials.
We will now create a Proxy port, an Enforcement Point and a Protected Database.
The Proxy port specifies which network card (and therefore which IP Address) and
TCP port will be used for an Enforcement Point. An Enforcement Point is the Oracle
Database Firewall object that is responsible for monitoring and logging SQL
statements passed to the database for a given interface on the Database Firewall.
Multiple enforcement points can be used to monitor traffic to different databases or
the same database at different locations in the network.
We will be monitoring an Oracle 11g database hosted on Oracle Linux dbfw-db
server. The Database Firewall will monitor and block activity to the database based
on policy that we will create in the next lab. You will use the Database IP Address
provided at the top of this document to create the Enforcement Point and Protected
Database.
Creating a Proxy Port
1. Click on the System tab at the top right of the page. Under System on the
lefts-side menu, click on Network.
2. Scroll to the bottom of the page and click on Change in the right-hand corner.

-10-

3. In the Management Interface category, go to the section titled Proxy and


enter the port number 1534 (this can be any number between 1024 and 65536
that is not already in use on the Database Firewall system). Tick Enabled and
click on Add.

The traffic source ID should say Management: 1534. Database clients


connecting to databases protected by this Proxy port should be configured to
connect to the Management IP Address of the Database Firewall, and port 1534.
4. Scroll to the bottom of the page and click on Save.

Creating an Enforcement Point


1. Click on the Dashboard tab at the top of the page, once there, click on the
Monitor databases link in the middle of the page.

You will be taken into the Enforcement Point Setup Wizard. Type in OracleEP
for the name of the Enforcement Point and click on Next.

-11-

2. Enter the following information, making sure the Protected Database box
shows Create New. Click on Add after entering the database IP address and
port, then click Next:
Name:
Database Type:
Address:
Port:

OracleDB
Oracle
192.168.56.41
1521

3. On the third step of the wizard select the logall-nomask.dna policy radio
button. This will configure the Enforcement Point to monitor everything.

-12-

You will see a confirmation page that shows the configuration. Check that the
Protected Database Address has the correct IP address and port
(192.168.56.41:1521). Click Finish to create the Enforcement Point.

4. We will now configure the Enforcement Point to activate response monitoring.


In the Enforcement Point Summary page you will see the OracleEP entry we
just created. Click on the Settings button for this Enforcement Point.

Check each of the Activate Database Response Monitoring and the Full error
message annotation check-boxes. This will enable DBFW to monitor the
response to a given piece of SQL and monitor error messages. Click Save once
complete. Notice that the Traffic Source is the Proxy port we configured
(Management:1534).

-13-

For higher-throughput databases, it is possible to dedicate multiple CPU cores to


a protected database. This can also be useful when running in resourceconstrained virtual environments.
To make this change, click on the 'Monitoring' tab. Under 'Protected
Databases', click on 'List'. Click on the protected database you just created
('OracleDB'). Under 'Settings', change 'Maximum SQL Processors' to 2, and click
on 'Save'.

-14-

Click on the Dashboard tab at the top of the screen. Notice that in the
Enforcement Point summary section you will see the OracleEP entry.

Reconfigure the Application Server to Use the Database Firewall Proxy Port
We will reconfigure the tnsnames.ora file on the Application Server to connect to
the Database Firewall Proxy port. This will ensure that all connections that
reference DB01 will be protected by the Database Firewall. When using a Database
Firewall Proxy port in a production environment, it is best practice to use network
firewalls or settings on the database server to force clients to connect via the Proxy
port.
1. On the Windows desktop, double click on the icon TNS NAMES.
2. Under the DB01 section, change the host to dbfirewall.oracle.com and the
port to 1534. Save the file.
We will now test that the Database Firewall is monitoring traffic to the Oracle 11g
Databases. Open a command prompt window by clicking on the cmd icon on the
Windows desktop. You can also go to the Start Button  Run...  and type in
cmd.
3. We will connect to the Oracle 11g database called DB01. Enter the following:
> sqlplus system/oracle1@db01
> select name from v$database;

-15-

This will connect you to the database and confirm that we are able to complete
SQL statements.

4. Return to the Database Firewall Administration Console. If necessary, re-open


Firefox and navigate to the Oracle Database Firewall and login with admin.
You will notice that there are now some Total Statements in the Throughput
Status: OK section.

-16-

D.

HR Application Test

We will now launch and test a training HR application. This exercise will generate
SQL statements that are passed through the database firewall and logged. It is
representative of how a White List policy can be developed in a Test Environment
and subsequently deployed in Production. White List policies are simply the set of
approved SQL commands that the firewall expects to see.
The User Acceptance Testing environment is often the best place to update a white
list to support a new application, or to support new functionality for an existing
application. When a UAT environment is available, the Database Firewall policies
can be left in strict blocking mode in production during the update process. The new
policies can be activated on the production database firewalls before the changes in
functionality are introduced to the application production environment.
1. Start the Application server by double-clicking on the Shortcut to startserv.bat
icon on the Desktop.

2. This will launch a DOS window. Be sure to leave this window open.

3. Open a new web browser and click on HR Application on the browser shortcut
bar (or type the URL http://localhost:8080/hr_app) and click on the Login
button.

-17-

4. Enter the following credentials to login:


Username: malfoy
Password: oracle

5. Click on the Search Employees link.

-18-

6. Search for all Full-Time employees by selecting the Full-Time Employee option
from the Employee Type drop-down list and clicking on Search in the bottom
left-hand corner.

Notice that only employees in the Engineering Department are listed. In the top
right-hand corner you will see that the user malfoy you logged in with is
restricted to view only Engineering employees.
7. Search for employees whose first name begins with Fra. Enter Fra in the First
Name field and click on Search.

8. Clear the first name field and search for all employees whose last name begins
with K by entering K in the last name field and clicking on Search.

-19-

E.

SQL Injection Attack


SQL Injection attacks are used to hijack a trusted application connection to a
database and execute queries that can be used to steal records and compromise
corporate networks. In the first stage of this exercise, you will use a simple attack
that will force the database to return a complete list of all employee records.
1. Return to the HR Application Search Employee screen.
2. In the Last Name field, enter the following:
K OR 1=1 -Make sure you use two dashes following the second 1.
3. Click on Search.
Notice that a list of ALL employees is returned, included employee records
outside the Engineering department.

-20-

4. Click on the checkbox next to the Debug Yes button and click on Search.
The query ends like this:
and upper(a.LASTNAME) like 'K' OR 1=1 --%' order by a.LASTNAME, a.FIRSTNAME
The text in red causes ALL records to be returned (since 1=1), while the text in
blue is ignored because it is commented out by the use of the double dash.

The second example will force the database to retrieve credit card information from
another table elsewhere in the database and display it in the employee records
screen.

-21-

5. Clear the Last Name field. Copy the full text below and paste it in the Last Name
field.
K%' union select '1', name, cardnumber,'1','1','1','1','1','1',0,0,'1','1',sysdate,sysdate,0,'1','1','1','1' from ORDERS --

Click on the checkbox next to Debug Yes and click on Search.


(if you receive a SQL error, check the command ends with two dashes with no space in between)

The full name field for the first two records now displays a credit card number
followed by the card owners name.

These simple examples illustrate what can be done through SQL Injection exploits
and the danger they pose to most corporations.

-22-

F.

Activate a Database Firewall blocking policy


A blocking policy for the training HR Application is available on a shared folder and must
be uploaded to the Database Firewall before being applied to the Enforcement Point.
1. Return to the Database Firewall Administration console. Click on the
Monitoring tab.
2. Under Policies, click on Upload. Click on Browse and My Network Places.
3. Double click on VBOXSVRdbfw-disc on Vboxsrv and select uat-hr-appblocking.dna. Enter the description: HR Application White List with Blocking,
then click on Save.
4. To activate this policy, click on the Monitoring tab.
5. Click on the Settings button for the OracleEP Enforcement Point.
6. Scroll down to the list of policies and select the policy uat-hr-app-blocking.dna.
Click on Save.

-23-

G.

Verify HR Application with blocking policy


With the blocking policy in place, it is important to verify that end users can carry out
normal activity without interference. To do this, we will run through the test searches
you performed earlier.
1. Return to the HR Application and click on Logout on the top menu.

2. Log in again as user malfoy with password oracle.


3. Return to the Search Employees screen.
4. Verify that the searches run earlier still work:
i. Under Employee Type, select Full-Time Employee and click on Search
ii. Enter Fra in the First Name field and click on Search
iii. Clear the First Name field, then enter K in the Last Name field and click
on Search

-24-

H.

Block SQL Injection


With the blocking policy in place, you will now show that SQL injection will be
blocked. Note that the block policy you applied will substitute any out-of-policy
queries with the statement:
SELECT 1 FROM dual WHERE 1=2
Since the condition 1=2 is never true, the query will always return the result No
records found, and the application will display no records.
1. From the HR Application Search Employee screen, enter the following in the
Last Name field and click on the Debug checkbox:
K OR 1=1

The same query with the injected condition OR 1=1 is sent to the database as
before, but this time it returns no records. The Database Firewall intercepted it,
determined that it was out of policy, and substituted it with the statement
select 1 from dual where 1=2.
2. Clear the last name field and enter this line again:
K%' union select '1', name, cardnumber,'1','1','1','1','1','1',0,0,'1','1',sysdate,sysdate,0,'1','1','1','1' from ORDERS --

Again, the application will return no records, including no credit card details.
3. Return to the Database Firewall using admin/oracle1 and click on the
Dashboard tab.
-25-

You will see the count of out-of-policy (unseen) statements under Threat
Status, with examples of those statements appearing under Top Ten Threats.
I.

Forensic Reporting
1. Finally, we will create a log search to review all of the traffic that has been
captured. Navigate to the Reporting tab then click on Search Log in the
Traffic Log section.

2. Enter Search Number 1 in the Title field. Then click on the Search button.
This will search everything for the past one day, showing us 100 results.

-26-

3. You will be taken to the Log Search Results page and shown the report being
generated. It will show a status of pending until the report is completed and
ready for you to access. The page will automatically refresh.

4. Once the Status is completed, click on the name link, Search Number 1
under report Title section.

-27-

5. You will see all of the SQL statements that have been monitored by DBFW.
These are the normal statements that we expect from our application. Notice
that, by default, we are not blocking anything.

6. Click on any one of the Descriptions to review more details about any of the
specific statements.

-28-

7. You will see that we are capturing a lot of information about the SQL statements.

J.

Summary
1. You accomplished the following in this lab exercise:
i. Create a Proxy port.
ii. Create and setup an Enforcement Point in Oracle Database Firewall
iii. Generate database activity using an HR Application
iv. Perform a SQL Injection attack
v. Activate a Database Firewall blocking policy
vi. Prove the HR Application works as expected
vii. Upload and apply a blocking policy
viii. Attempt the same SQL Injection attack with blocking
ix. Create a detailed report of database traffic in the Database Firewall
Management Console
-29-

LAB EXERCISE 02 ORACLE DATABASE FIREWALL USE


THE TRAFFIC ANALYZER TO CONFIGURE POLICIES AND
BLOCK UNAUTHORIZED TRAFFIC

INTRODUCTION
White list, Black list, Exception list policies
Oracle Database Firewall examines the grammar of the SQL statements being sent to the
database, analyzes their meaning, and determines the appropriate security policy to apply. This
highly accurate approach provides a significantly higher degree of protection than firstgeneration database monitoring technologies that relied on recognizing the "signature" of
known security threats. By enforcing normal application behaviour, Oracle Database Firewall
helps organizations avoid the costly and disruptive false positives and false negatives common
with other approaches. Oracle Database Firewall recognizes SQL injection attacks on
compromised applications and blocks them before they reach the database.
Iterative Development Cycle of the Policy
Oracle Database Firewall Analyzer enables you to design baselines efficiently in minimum time.
Successful deployment of a Database Firewall system depends on an effective policy. The
process of developing a policy involves an iterative process that keeps refining and improving
the policy.
The cycle is as follows:
1. Oracle Database Firewall collects and logs SQL statements from clients in Training
Mode.
2. The Database Firewall then analyzes and tests the logged SQL statements against the
statements used to build the current policy. This creates a better understanding of how
the database is used and an awareness of areas where the policy needs to be improved
or application programming changed.
3. The Analyzer allocates the new statements to the appropriate clusters, and when
necessary, creates new clusters. If new clusters have been created, action and logging
levels for these should be assigned, either automatically or manually.
4. Once you have made modifications, you can deploy the policy in the typical way.

-30-

A.

Lab Scenarios and Objectives


In this lab exercise, you will accomplish the following:
1. Complete an iterative development cycle of the policy
2. Use the Oracle Database Firewall (DBFW) Analyzer to analyze and train on traffic
logs.
3. Develop a baseline policy

B.

Setup and Preparation

C.

Completion of LAB EXERCISE 01 ORACLE DATABASE FIREWALL ENFORCEMENT


POINTS TO MONITOR AND PROTECT DATABASES

USE THE TRAFFIC ANALYZER TO CONFIGURE POLICIES AND BLOCK UNAUTHORIZED


TRAFFIC
1. In order to create a baseline policy that DBFW uses to block SQL statements, you
will use the Oracle DBFW Analyzer product. Start the DBFW Analyzer by doubleclicking its icon on the desktop, as shown below:

The Oracle Database Firewall system must understand the normal way that
client applications use the database. This is accomplished by supplying logged
data to the Analyzer before you start developing a new baseline. We will create
a new model based on database traffic recorded during application testing on
August 1 2011. Click on the Create a New Model from Training button.

-31-

Click on the Change button in the Train on Log Data section. This will allow us
to login to DBFW.
Training Mode logs SQL traffic specifically for developing a new baseline. The
logged data enables the Analyzer to understand how client applications use the
database and enables rapid development of a baseline that reflects actual use of
the database and its client applications.

Enter the IP address of the DBFW server (192.168.56.30). Enter the username of
admin and password oracle1. Click OK.

-32-

You will then see the Protected Databases listed and the timeframe with which
you wish to create your new model. Use the HR_Test database. Ensure that all
of the Training Options are set, as shown below. Click OK to start creating the
model. The available data range will be August 1st 2011.

Click on Train. This will start the analysis of the monitored traffic captured by
DBFW.

-33-

The time taken to train depends on the size of the captured data and the
resources available to the DBFW Analyzer.

2. The Summary tab will be shown initially. This shows you a summary of the
model that we are creating. Click on the Properties tab.

-34-

This will show a summary of the information were using to create a model.

Click on the Baseline tab. Using its built-in knowledge of the SQL language, the
Analyzer automatically groups the SQL statements into sets of semantically
similar statements known as clusters. Clustering simplifies policy construction
and helps the operator analyze the data to understand how client applications
use the database. Clusters allow administrators to create policies with a high
degree of confidence that they have control of the environment.

-35-

Select all of the clusters on the page, use control-A to select everything. Then,
right click on the page and select Properties.

We will set all of this simulated application traffic to be allowed to access the
protected database. Select the following:
Actions:
Logging Level:
Threat Severity:

Pass
Always
Insignificant

Click OK to set these properties for all the SQL statement clusters.

-36-

Notice that the action, logging and threat columns have been set for each SQL
statement clusters.

3. We will also create a Login/Logout policy to allow users to authenticate to the


protected Oracle Database. Click on the Tools menu, then on the
Login/Logout Policy.

-37-

Enter the following into the Login/Logout Policy Dialog:


Login Policy
Action:
Threat Severity:
Logout Policy
Action:
Threat Severity:

Pass
Insignificant
Pass
Insignificant

Click OK when completed.

Return to the Summary tab.

-38-

4. Now that we have classified all of our authorized SQL traffic we will set the
options about what to do in the event of unauthorized SQL traffic. DBFW
classifies unauthorized as being an anomaly, in that, as far as DBFW is concerned
the SQL traffic has not been added to the White List and is therefore not
allowed. Right click on the Default Rule section at the bottom of the screen.
Then, select the Properties section.

Enter the following in the Default Rule dialog:


Action:
Logging Level:
Threat Severity:

Block
Always
Major

Then, select the Substitute Statement checkbox and enter the following SQL:
select 100 from dual where 1=2
NOTE: Do not enter a semi-colon.
This substitution capability is a key differentiator for Oracle Database Firewall. In
Database Policy Enforcement (DPE) mode only, the Analyzer enables you to
define a substitute statement for each blocked cluster. When a SQL statement
matches, the cluster is blocked and the substitute statement is used instead. This
can prevent undesirable effects (e.g. avoiding a communication loop) and may
display a suitable error to the database user who originated the statement.

-39-

After entering this policy you will see it represented at the bottom of the page.

5. This policy is now ready to be uploaded to the DBFW server and enforced. Click
on the File menu and then select Create Policy.

-40-

Browse to My Documents and enter the following file name:


Lab2_Block_Unseen
This will be saved in the Administrators Document folder.

Leave the Oracle DBFW Analyzer open.

6. Return to the DBFW Web Administration Console. Login with the admin user if
necessary. Click on the Monitoring tab, then on the List link in the Policies
section. You will see all of the default policies and a section with uploaded
policies. Click on the Upload link in the Policies section to upload our new
policy.

Click on the Browse button, then select the Documents folder on the left hand
navigation pane. You will then be able to select the Lab2_Block_Unseen.dna file
we just created.

-41-

Click Open once you have selected the file.

Enter a meaningful description. We entered Lab 02. Example 01. Block All
Out-of-Policy Statements. Informing us that DBFW will block everything that
has not already been authorized. Click on Save.

-42-

You will see that the policy has been uploaded successfully and is visible in the
Uploaded Policies section.

7. To implement the policy, we will have to modify the Enforcement Point


OracleEP that we created earlier. Click on the Monitoring tab, followed by the
List link in the Enforcement Points section on the left hand side. Then click on
the Settings button for the OracleEP Enforcement Point.

-43-

Select the new policy Lab2_block_unseen.dna from the radio button list. Then
click Save.

In the summary screen you will see that our new policy is now active.

-44-

8. To test the policy, return to the HR Application. Logout and log back in again.
Run a search on all full-time employees. Now enter the basic SQL injection
attack in the Last Name field:
OR 1=1 -Return to the DBFW Administration Console. Notice that in the Dashboard tab
that there is a list of the Top Ten Threats containing SQL Statements that you
have just seen as being blocked.

D.

Summary
1. You accomplished the following in this lab exercise:
i. Completed an iterative development cycle of the baseline policy
ii. Used the Oracle Database Firewall (DBFW) Analyzer to analyze and train
on traffic logs.
iii. Developed and deployed a baseline policy
iv. Verified that policy is enforced and ensure that unseen traffic is blocked
2. Additional Information
i. For more information, see:
1. Oracle Database Firewall http://www.oracle.com/technetwork/database/databasefirewall/index.html
2. Oracle Database Firewall Data Sheet http://www.oracle.com/us/products/database/database-firewallds-161826.pdf?ssSourceSiteId=otnen
-45-

LAB EXERCISE 03 ORACLE DATABASE FIREWALL GAIN


VISIBILITY AND SATISFY REQUIREMENTS THROUGH
REPORTING

INTRODUCTION
Flexible reporting and alerting
Oracle Database Firewall includes dozens of prebuilt reports that can be easily customized for
regulations such as PCI, HIPAA and SOX. Real-time alerts can also be setup for fast response to
any policy exception. For privacy and compliance requirements, personally identifiable
information contained in logged SQL can be masked.
A.

Lab Scenarios and Objectives


In this lab exercise you will accomplish the following:
1. Create a Read-only Report User
2. Generate and review available reports
3. Gain experience with report groups and hierarchies

B.

Setup and Preparation

Completion of LAB EXERCISE 01 ORACLE DATABASE FIREWALL ENFORCEMENT


POINTS TO MONITOR AND PROTECT DATABASES
Completion LAB EXERCISE 02 ORACLE DATABASE FIREWALL USE THE TRAFFIC
ANALYZER TO CONFIGURE POLICIES AND BLOCK UNAUTHORIZED TRAFFIC

-46-

C.

GAIN VISIBILITY AND SATISFY REQUIREMENTS THROUGH REPORTING


1. Return to the DBFW Administration Console. If you are not already logged in,
please login as admin using the password oracle1. We will create a new
user that is solely responsible for managing DBFW reports. Go to the System
tab and click on the Add New link in the Users section.

2. We will create a user called mwaldron with a password of oracle1. This


user will have the View-Only User Role. Enter the following information in the
Add User screen:
Username:
First Name:
Last Name:
Role:
Force Password Change:
Password:

mwaldron
Mark
Waldron
View-Only User
<<Uncheck>>
oracle1

-47-

3. You will be returned to the user list screen, showing that the new user has been
created successfully. Click on the Logout button. We will login as the
mwaldron user to access DBFW reports.

4. Enter the login credentials you just created username mwaldron and
password oracle1, then click Login.

-48-

5. Notice that your welcome message now shows the user as mwaldron.

6. Navigate to the reports, by clicking on the Reporting tab.

-49-

7. We will start by viewing a report showing all DB access attempts grouped by


database user. There are dozens of reports provided by default in DBFW. The
reports can be customized to meet your specific requirements. We will review a
few reports to help you build comfort with the selection. Click on the Summary
Reports link.

8. Notice that you can also see report groups for some common regulations. DBFW
includes reports supporting PCI, DPA, SOX and other regulations. Click on the
General Reports link.

-50-

9. Click on Data Access. This report group will show information for protected
databases from an access perspective.

10. Click on the Database traffic analysis report by user. This will generate a PDF
report showing our access information.

11. Click on Generate sample data. When this completes, click on Update report.
12. The report is generated dynamically. Do not refresh the browser window, DBFW
will automatically refresh until the report is created.

-51-

13. You can view the PDF report embedded in the browser, or download it to be
distributed/viewed offline. Please take a moment to review the report. Notice
that it is showing a summary of the access attempts and is also categorized by
DML, DDL etc.

Scroll down to read the remainder of the report.

-52-

Once you are finished with this report, click on the Main Group in the Reports
section. This will return you to the top level reporting group.

14. Click on the Audit Reports link.

15. Click on the Database Traffic Analysis by User Detail link. This report will show
us monitored data grouped by database and database user.

-53-

16. Click on Generate sample data. When this completes, click on Update report.
The report will take a few moments to dynamically create.

17. Please take some time to review the report.

-54-

Once you are finished with this report, click on the Main Group in the Reports
section. This will return you to the top level reporting group.

18. Click on the Summary Reports link.

19. Click on the General Reports link.

-55-

20. Click on the Data Access link.

21. Click on the Alerted Policy Anomalies by Client IP link.

22. Click on Generate sample data. When this completes, click on Update report.

-56-

23. Finally, lets quickly review the report. You can filter data based upon a number
of provided fields.

-57-

24. Notice that you can specify a number of filters to use including Database User,
Client IP, Blocked or Warned, what time period the report is for and what output
format the report will be produced in.

D.

Summary
1. You accomplished the following in this lab exercise:
i. Created a Read-only Report User
ii. Generated and review available reports
iii. Gained experience with report groups and hierarchies
2. Additional Information
i. For more information, see:
1. Oracle Database Firewall http://www.oracle.com/technetwork/database/databasefirewall/index.html
2. Oracle Database Firewall Data Sheet http://www.oracle.com/us/products/database/database-firewallds-161826.pdf?ssSourceSiteId=otnen

-58-

You might also like