
THESE eKIT MATERIALS ARE FOR YOUR USE IN THIS CLASSROOM ONLY. COPYING eKIT MATERIALS FROM THIS COMPUTER IS STRICTLY PROHIBITED

Implementing Oracle Database Firewall
Student Guide
D72591GC10
Edition 1.0
August 2011
D73925

Oracle University and Counterhouse Consultants Ltd use only


Authors
James Spiller
Donna Keesling

Technical Contributors and Reviewers
Tammy Bednar
Adam Bentley
Barbara Gingrande
Joel Goodman
Wolfgang Klinger
Wilson Lopez
Robert Mackowiak
James Orr
Narayanan T. Ramaswamy
Stuart Sharp

Editors
Anwesha Ray
Raj Kumar
Vijayalakshmi Narasimhan

Graphic Designer
Rajiv Chandrabhanu

Publishers
Syed Ali
Veena Narasimhan

Copyright 2011, Oracle and/or its affiliates. All rights reserved.

Disclaimer
This document contains proprietary information and is protected by copyright and other intellectual property laws. You may copy and print this document solely for your own use in an Oracle training course. The document may not be modified or altered in any way. Except where your use constitutes "fair use" under copyright law, you may not use, share, download, upload, copy, print, display, perform, reproduce, publish, license, post, transmit, or distribute this document in whole or in part without the express authorization of Oracle.
The information contained in this document is subject to change without notice. If you find any problems in the document, please report them in writing to: Oracle University, 500 Oracle Parkway, Redwood Shores, California 94065 USA. This document is not warranted to be error-free.

Restricted Rights Notice
If this documentation is delivered to the United States Government or anyone using the documentation on behalf of the United States Government, the following notice is applicable:
U.S. GOVERNMENT RIGHTS
The U.S. Government's rights to use, modify, reproduce, release, perform, display, or disclose these training materials are restricted by the terms of the applicable Oracle license agreement and/or the applicable U.S. Government contract.

Trademark Notice
Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.

Contents

1 Introduction to Oracle Database Firewall


Objectives 1-2

Understanding How Data is Compromised: 2010 Data Breach Investigations Report 1-3
Understanding Oracle's Defense-in-Depth Security Approach 1-4
Oracle Database Security Solutions 1-5
Oracle Database Firewall 1-9
Positive Security Model-Based Enforcement 1-10
Negative Security Model-Based Enforcement 1-11
Oracle Database Firewall Architecture 1-12
Protected Databases 1-14
Enforcement Point Architecture 1-15
Basic Data Center Environment 1-17
Oracle Database Firewall In-Line Deployment 1-18
Oracle Database Firewall Out-of-Band Monitoring 1-19
Database Firewall Resilient Pairs 1-20
Management Server Resilient Pairs 1-21
Oracle Database Firewall Applications 1-22
Using the Oracle Database Firewall Administration Console 1-23
Using the Oracle Database Firewall Analyzer 1-24
Summary 1-25
Practice 1-1 Overview: Exploring the Practice Environment 1-26
Understanding the Classroom Configuration 1-27
Quiz 1-28

2 Deploying Oracle Database Firewall


Objectives 2-2
Installation Overview 2-3
Deploying an Oracle Database Firewall System 2-4
Deploying a Stand-Alone System 2-5
Oracle Database Firewall Managed Deployment 2-6
Deploying a Local Monitor 2-7
Deploying a Remote Monitor 2-8
Oracle Database Firewall Ports 2-9
Supported Database Management Systems 2-10

Installing Oracle Database Firewall and Oracle Database Firewall Management Server 2-11
Invoking the Installer 2-12
Creating a Password for the support User 2-13
Creating a Password for the sys User 2-14
Modifying a Network Device Connection 2-15
Configuring Network Settings 2-16

Setting the Management Link IP Address 2-17
Logging in to the Oracle Database Firewall Administration Console 2-18
Changing the admin User Account Password 2-19
Installing Oracle Database Firewall Analyzer 2-20
Oracle Database Firewall Sizing 2-21
Oracle Database Firewall Management Server Sizing 2-23
Summary 2-24
Practice 2-1 Overview: Installing Oracle Database Firewall 2-25
Practice 2-2 Overview: Changing the admin User Password 2-26
Practice 2-3 Overview: Installing the Oracle Database Firewall Analyzer 2-27
Quiz 2-28

3 Configuring Oracle Database Firewall


Objectives 3-2
Configuring a Stand-Alone Oracle Database Firewall 3-3
Configuring an Oracle Database Firewall Management Server System 3-4
Creating an Enforcement Point 3-6
Enable Network Bridge 3-8
Oracle Database Firewall Operational Modes 3-9
Oracle Database Firewall Logging 3-10
Oracle Database Firewall Logs 3-11
Creating System Administrator Users 3-13
Understanding System Administrator Capabilities 3-14
Creating a New User 3-15
Creating Password Policies 3-16
Configure Email Server 3-17
Configuring Email Alerts for Third-Party Connectors 3-18
Summary 3-19
Practice 3-1 Overview: Setting the Date and Time 3-20
Practice 3-2 Overview: Configuring Enforcement Points 3-21
Practice 3-3 Overview: Creating a New System Administrator User 3-22
Practice 3-4: Configuring Email Alerts 3-23
Quiz 3-24


4 Configuring Policies
Objectives 4-2
Oracle Database Firewall Policy Enforcement 4-3
Policy Enforcement Flow 4-4
Configuring Policies 4-5
Oracle Database Firewall Preconfigured Policies 4-6

Creating Policy Files 4-7
Custom Policy Development Overview 4-8
Enabling the Firewall Analyzer to Understand Database Usage 4-9
Creating a New Model 4-10
Creating a Model from Training 4-11
Setting Properties for Clusters 4-12
Setting Cluster Properties 4-14
Saving the Policy 4-15
Uploading the Policy 4-16
Specifying the Policy for the Enforcement Point 4-17
Refining the Policy 4-18
Baseline Anomalies 4-20
Sensitive Data Masking 4-21
Adding Login/Logout Policy 4-23
Summary 4-24
Practice 4-1 Overview: Starting the Collection Workload 4-25
Practice 4-2 Overview: Creating a Policy 4-26
Practice 4-3 Overview: Creating a Basic White List 4-27
Practice 4-4 Overview: Uploading and Applying the Policy 4-28
Practice 4-5 Overview: Executing Commands and Analyzing Results 4-29
Practice 4-6 Overview: Adding an Exceptions Policy 4-30
Quiz 4-31

5 Creating Advanced Configuration Policies


Objectives 5-2
Using Profiles 5-3
Defining Sets 5-4
Creating a Profile 5-5
Selecting a Profile in the Analysis Tab 5-6
Selecting a Profile in the Details Tab 5-7
Using a Novelty Policy 5-8
Novelty Policy Example 5-9
Creating a Novelty Policy 5-10
Summary 5-11


Practice 5-1 Overview: Creating a Policy for a New Application 5-12


Practice 5-2 Overview: Updating the Policy 5-13
Practice 5-3 Overview: Creating a Profile 5-14
Practice 5-4 Overview: Creating a Novelty Policy 5-15
Quiz 5-16

6 Reporting

Objectives 6-2
Oracle Database Firewall Reporting System Overview 6-3
Oracle Database Firewall Reporting System Architecture 6-4
Oracle Database Firewall Reporting 6-5
Using the Summary Reports 6-6
Using the Summary Compliance Reports 6-7
Using the Search Log Function 6-8
Using the Search Log Results 6-9
Viewing Log Search Results 6-10
Creating Audit Reports 6-11
Using the Search Log Results in Audit Reports 6-12
Generating the Audit Report 6-13
Reporting with Other Tools 6-14
Example: Reporting with SQL*Plus 6-15
Summary 6-16
Practice 6-1 Overview: Creating Summary Reports 6-17
Practice 6-2 Overview: Creating Audit Reports 6-18
Quiz 6-19

7 Stored Procedure Auditing


Objectives 7-2
Stored Procedure Auditing Overview 7-3
Stored Procedure Auditing Architecture 7-4
Creating Users and Setting Permissions 7-5
Enabling Stored Procedure Auditing 7-7
Auditing Changes to Stored Procedures 7-8
Viewing the Stored Procedure Audit Report 7-9
Viewing SPA Audit Reports 7-10
Viewing Pending Approvals and Taking Action 7-11
Summary 7-12
Practice 7-1 Overview: Creating a User for Stored Procedure Auditing 7-13
Practice 7-2 Overview: Enabling Stored Procedure Auditing 7-14

Practice 7-3 Overview: Running a Manual Audit and Approving Changes to Stored Procedures 7-15
Quiz 7-16

8 User Role Auditing


Objectives 8-2
User Role Auditing Overview 8-3

User Role Auditing Architecture 8-4
Creating Users and Setting Permissions 8-5
Enabling User Role Auditing 8-7
Auditing Changes to User Roles 8-8
Viewing the User Role Audit Report 8-9
Viewing URA Audit Reports 8-10
Viewing Pending Approvals and Taking Action 8-11
Summary 8-12
Practice 8-1 Overview: Creating a User for User Role Auditing 8-13
Practice 8-2 Overview: Enabling User Role Auditing 8-14
Practice 8-3 Overview: Running a Manual Audit and Approving Changes to User Roles 8-15
Quiz 8-16

9 Configuring and Using Local Monitoring


Objectives 9-2
Local Monitoring Overview 9-3
Oracle Database Firewall Architecture: Local Monitoring 9-4
Installing Oracle Database Firewall Monitoring Software 9-5
Installing Local Monitoring in an Oracle Database 9-6
Installing Local Monitoring in a Microsoft SQL Server Database 9-7
Installing Local Monitoring in a Sybase ASE Database 9-8
Enabling Local Monitoring 9-9
Summary 9-10
Practice 9-1 Overview: Installing the Local Monitoring Software in the Oracle Database 9-11
Practice 9-2 Overview: Enabling Local Monitoring 9-12
Practice 9-3 Overview: Viewing Local Monitored Traffic 9-13
Quiz 9-14

10 Configuring and Using Remote Monitoring


Objectives 10-2
Remote Monitoring Overview 10-3
Oracle Database Firewall Architecture: Remote Monitoring 10-4


Prerequisites for Remote Monitoring 10-5


Configuring the Remote Monitor in the Administration Console 10-6
Download Configuration File 10-7
Contents of the remote-agent.conf file 10-8
Executing the Remote Monitoring Script 10-9
Verifying that the Remote Monitor is Active 10-10
Summary 10-11

Practice 10-1 Overview: Configuring the Remote Monitor 10-12
Practice 10-2 Overview: Executing the Remote Monitor Script 10-13
Practice 10-3 Overview: Viewing Remote Traffic 10-14
Quiz 10-15

11 Additional System Management Tasks


Objectives 11-2
Understanding Processed Traffic Log File Space Management 11-3
Archiving Data 11-4
Configuring a Destination 11-5
Manually Archive 11-6
Scheduling an Archive Job 11-7
Restoring from an Archive 11-8
Configuring syslog Logging 11-9
Deleting Logs and History 11-10
Summary 11-11
Practice 11-1: Defining the Archive Destination 11-12
Practice 11-2: Performing a Manual Archive 11-13
Quiz 11-14


Introduction to Oracle Database Firewall

Objectives

After completing this lesson, you should be able to do the following:
Describe Oracle Database security solutions
Describe Oracle Database Firewall architecture
Describe Oracle Database Firewall deployment options
Describe Oracle Database Firewall applications

Implementing Oracle Database Firewall 1 - 2

Understanding How Data is Compromised: 2010 Data Breach Investigations Report

The 2010 Data Breach Investigations Report published by the Verizon Risk Team showed
that 98% of the data breached came from servers. Launching successful attacks on larger
repositories can result in a more lucrative payday for the perpetrator. Application
environments, data warehouses, and databases in general are becoming larger and more
critical to business operations and thus pose a tempting target. Although organized crime has
become a major player in data breaches, insiders still account for a substantial number of
data breaches. The 2010 Data Breach Investigations Report also noted that privilege misuse
and hacking were the most common ways breaches occurred, and frequently leveraged lost
or stolen credentials and application SQL injection vulnerabilities to gain unauthorized access.
Securing data on servers requires multiple layers of protection spanning both technical and
administrative functions. Simple preventive measures such as disabling unused accounts and
prohibiting shared administrative accounts go a long way toward raising the security bar. In
addition, solutions such as encryption and privileged user controls inside the database play
an important part in securing applications. Those solutions, however, do not monitor the SQL
sent to the database over the trusted connection path. Oracle Database Firewall enables
perimeter security controls, providing a first line of defense around Oracle and non-Oracle
databases.


Understanding Oracle's Defense-in-Depth Security Approach

Monitor and block threats before they reach the database
Track changes and audit database activity
Control access to data within the database
Prevent access by non-database users
Implement with:
Transparency: No changes to existing applications
High performance: No measurable impact on applications
Accuracy: Minimal false positives and negatives

Defense-in-depth data security means looking at data security holistically. To do that, one
needs to look at the entire life cycle of the data, where the data resides, what applications
access the data, who is accessing the data and under what conditions, and ensuring that the
systems have been properly configured.
Oracle Corporation provides a comprehensive and transparent defense-in-depth security
architecture to help address the complex security and regulatory challenges found in today's
global economy. Oracle Advanced Security and Oracle Data Masking provide encryption and
de-identification solutions for sensitive data, protecting data at rest from unauthorized access
and reducing risk of data exposure in non-production environments. Oracle Database Vault
enforces strong operational controls in the Oracle database, providing a highly secure
environment for applications and helping address security issues associated with data
consolidation and outsourcing. Oracle Audit Vault securely consolidates and monitors
database audit data from Oracle and non-Oracle databases. Oracle Database Firewall
monitors inbound SQL traffic to Oracle and non-Oracle databases, helping prevent
unauthorized SQL and SQL injection attacks.


Oracle Database Security Solutions

[Slide diagram: Oracle Database security solutions grouped by concern: audit consolidation, unauthorized and sensitive DBA activity, multi-factor authorization, DB consolidation security, network SQL monitoring and blocking, encrypted database, encrypted backups, encrypted traffic, and data masking]

Oracle Database Firewall is the first line of defense for databases, providing real-time
monitoring of database activity on the network. Highly accurate SQL grammar-based
technology blocks unauthorized transactions, helping prevent internal and external attacks
from reaching the database.
Oracle Database provides robust audit support. Audit records include information about the
operation that was audited, the user performing the operation, and the date and time of the
operation. Audit records can be stored in the database audit trail or in operating system files.
Standard auditing includes operations on privileges, schemas, objects, and statements.
Oracle Audit Vault automates the audit collection, monitoring and reporting process, turning
audit data into a key security resource for detecting unauthorized activity.
Transparent Data Encryption is one of the three components of the Oracle Advanced Security
option, providing transparent encryption of stored data to support your compliance efforts.
Oracle provides robust support for encrypting entire database backups. Encryption is the only
defense when it comes to protecting business data when it is transported on tape or disk to
offsite storage for safekeeping. Oracle Corporation provides two solutions for encrypting
database backups: Oracle RMAN and Oracle Secure Backup.

Enterprises run the risk of breaching sensitive information when copying production data into
non-production environments for the purposes of application development, testing or data
analysis. Oracle Data Masking Pack helps reduce this risk by irreversibly replacing the original
sensitive data with fictitious data so that production data can be shared safely with IT
developers or offshore business partners. Accessible via Oracle Enterprise Manager, this
Management Pack provides end-to-end secure automation for provisioning test databases from
production in compliance with regulations.


Oracle Database Security Solutions

Oracle Database security solutions:
Monitor and block threats before they reach the database
Track changes and audit database activity
Control access to data within the database
Prevent access by non-database users
Provide transparency, superior performance, and accuracy

Monitoring & Blocking: Database Firewall
Access Control: Database Vault, Label Security, Identity Management
Auditing & Tracking: Audit Vault, Configuration Management, Total Recall
Encryption & Masking: Advanced Security, Secure Backup, Data Masking

Monitoring and Blocking


Oracle Database Firewall: Monitors network SQL traffic before it reaches Oracle and non-
Oracle databases, helping to provide a first line of defense against SQL injection and other
unauthorized SQL.
Access Control
Oracle Database Vault: Enforces strong operational security controls inside the Oracle
database, preventing ad-hoc access to application data, changes to application structures,
and access to application data by privileged users
Oracle Label Security: Enforces data classification based access control at the row level and
multi-level security for government and defense organizations
Oracle Identity Management: Allows enterprises to manage end-to-end lifecycle of user
identities across all enterprise resources both within and beyond the firewall
Auditing and Tracking
Oracle Audit Vault: Reports and alerts on audit data from Oracle and non-Oracle databases,
enforcing the trust-but-verify principle and helping organizations simplify and reduce the cost
of compliance reporting

Oracle Enterprise Manager Configuration Management Pack: Maintains a secure configuration
for Oracle software installations, periodically scanning for security related configuration settings
Oracle Total Recall: Provides a history of changes to sensitive data for forensic analysis
Encryption and Masking
Oracle Advanced Security Transparent Data Encryption (TDE): Transparently encrypts Oracle
database data before writing it to disk, protecting sensitive application data from direct access at
the operating system level and on backup media
Oracle Secure Backup: Transparently encrypts data during the backup process to tape media,
protecting the data in the event the tapes are lost or stolen

Oracle Data Masking: Offline data de-identification solution that substitutes production data with
anonymous data values, protecting sensitive data from unnecessary exposure in development
and test environments


Oracle Database Firewall

Oracle Database Firewall provides the first line of defense by:
Monitoring database activity to help prevent unauthorized activity, application bypass, and SQL injections
Providing highly accurate SQL grammar-based analysis
Enforcing white list, black list, and exception-list based security policies
Generating built-in and custom compliance reports

[Slide diagram: applications send SQL through Oracle Database Firewall to Oracle, Microsoft, Sybase, and IBM databases; the firewall applies policies with the actions Allow, Log, Alert, Substitute, and Block, and produces alerts, built-in reports, and custom reports]

Oracle Database Firewall is an active, real-time database firewall solution that provides white
list, black list and exception list policies, intelligent and accurate alerts, and monitoring with
very low management and administrative costs. Oracle Database Firewall is independent of
the database configuration and operation.
Unlike traditional SQL firewalls that relied on identifying out-of-policy SQL using strategies
such as regular expressions, string matching, and schema comparison, Oracle Database
Firewall delivers intelligent database firewall security, enabling policies to be set and adapted
quickly and accurately. Organizations can choose to deploy Oracle Database Firewall in
blocking mode as a database policy enforcement system to protect their database assets, or
to just monitor database activity for supplemental auditing and compliance purposes.
Oracle Database Firewall monitors data access, enforces access policies, highlights
anomalies, and helps protect against network based attacks originating from outside or inside.
Attacks based on SQL injection can be blocked by comparing SQL against the approved
white list of application SQL. Oracle Database Firewall is unique and offers organizations a
first line of defense, protecting databases from threats and helping meet regulatory
compliance requirements.


Positive Security Model-Based Enforcement

White-list based policies:
Enforce normal or expected behavior
Evaluate factors such as time, day, network, and application
Applications can self-generate white lists
Out of policy SQL statements can be logged, alerted, blocked, or substituted with a harmless SQL statement

[Slide diagram: application SQL is compared with the white list; matching statements are allowed, all others are blocked]

Oracle Database Firewall enforces zero-defect database security policies using a white list
security model. The white list policy is a set of approved SQL statements that can be sent to
the database. Oracle Database Firewall compares SQL traffic with the approved white list and
then based upon the policy, it chooses to block, substitute or alert on the SQL statement.
The positive security model is the preferred method for Oracle Database Firewall policy
enforcement.


Negative Security Model-Based Enforcement

Stop specific unwanted SQL commands, user, or table access
Prevent privilege or role escalation and unauthorized access to sensitive data
Black list policies can evaluate factors such as day, time, network, and application

[Slide diagram: application SQL is compared with the black list; matching statements are blocked, all others are allowed]

In addition to the white list, positive security enforcement model, Oracle Database Firewall
also supports a black list model that enables policies to specify blocking of specific SQL
statements. As with white list policies, black list policies can be configured to allow specific
statements based on factors such as IP address, time of day, and program.
The negative security model tends to incur more overhead, and therefore is not the
recommended policy enforcement model when using Oracle Database Firewall.


Oracle Database Firewall Architecture

[Slide diagram: database clients and applications send traffic through one or more Database Firewalls (optionally in HA mode) to the protected databases; a Database Firewall Management Server and the Database Firewall Analyzer manage and analyze them; remote/local monitors run on the database hosts]

An Oracle Database Firewall system can consist of the following components:


Database clients and applications: Generate the SQL statements to be monitored
Database Firewall: The server that runs the Oracle Database Firewall software. Each
Database Firewall collects SQL data from SQL databases, and then sends this SQL
data to the Database Firewall Management Server to be analyzed through reports.
Database Firewall Management Server: Aggregates and reports on logs from multiple
Oracle Database Firewalls, and provides centralized policy management
Oracle Database Firewall Analyzer: Enables users to develop baselines (policies) and
log SQL statements to be analyzed.
Oracle Database Firewall Administration Console: Web browser-based application
that you use to configure, manage, and monitor Oracle Database Firewall. It is available
on each Database Firewall (either stand-alone or managed) and Management Server.
Protected database: Database that is being monitored by Oracle Database Firewall. A
protected database can be an Oracle, Sybase ASE, Sybase SQL Anywhere, IBM DB2
UDB or Microsoft SQL Server database.

Remote monitor: Captures network traffic on the database host and sends it to the
Oracle Database Firewall
Local monitor: Captures non-network traffic on the database host and sends it to the
Oracle Database Firewall
You can configure pairs of Database Firewalls or pairs of Database Firewall Management
Servers, or both, to provide a high-availability system architecture. These pairs are known as
resilient pairs.


Protected Databases

A protected database is defined by the IP address and TCP port number.

[Slide diagram: database clients and applications, the Database Firewall, the Database Firewall Management Server and Analyzer, and the protected databases, each defined by its IP address and TCP port combination]

A protected database is defined by the combination of IP address and port number.


Enforcement Point Architecture

[Slide diagram: inside the Database Firewall, an enforcement point applies its settings and policy to traffic for the protected databases, covering the operating system, the protocol, SQL statement analysis, and statement substitution]

An enforcement point is an Oracle Database Firewall container that stores the settings that
enforce the Database Firewall policies that you create. The enforcement point takes the SQL
statements collected from the network traffic and decides how to handle them. In effect, the
enforcement point defines the relationship between the database and the policy.


Enforcement Point Architecture

[Slide diagram: one Database Firewall with three enforcement points; Enforcement Point 1 applies Policy 1 to Protected Database 1 (one IP:Port address), Enforcement Point 2 applies Policy 2 to Protected Database 2 (one IP:Port address), and Enforcement Point 3 applies Policy 3 to a group of protected databases at several IP:Port addresses]

Each Database Firewall can have multiple enforcement points. Each enforcement point will
apply to one or more databases. You can configure multiple databases to use one
enforcement point. All the databases protected by the same enforcement point must be of the
same database server type.
Note: A protected database is defined by the combination of IP address and port number.
The term database in the context of this page is used in the way that it is defined for Microsoft
SQL Server and Sybase. With Microsoft SQL Server and Sybase, there is one database
engine instance per enforcement point because there can be multiple databases per instance.
With Oracle Database, there is only one database per enforcement point because there is
only one database per database engine instance. But if multiple Oracle instances are using
one listener, all on the same port, the Database Firewall cannot distinguish to which instance
the traffic is being sent.
Oracle Database Firewall also enables you to pair two enforcement points. This configuration
would be appropriate in a high-availability architecture that employs two data centers in
different locations, each with a local database viewed from the client applications as a single
database.


Basic Data Center Environment

[Slide diagram: WAN, an external Firewall, Core network switches, a Distribution Network Switch, Protected Databases, and a management network carrying Syslog, SIEM, and Management traffic.]


The diagram on the slide is a very simplified version of the data center showing an external
firewall separating the Internet from the Intranet, a set of core network switches or routers, a
set of distribution network switches, and a set of databases.
The following network definitions aid in understanding the placement of Oracle Database Firewall in the diagrams on the next few pages:
- A bridge is a device that transmits network packets from one network segment to another. A bridge will pass all network traffic from one segment to the other.
- A router is a more sophisticated device that has software or hardware that analyzes each packet for source and destination addresses, and passes it only to the segment where it is intended. Routers often include some type of firewall capability.
- A span port is typically a port on a network router that can see all the network traffic that passes through the device. This port is also called a mirror port because it gets a copy of the packets. Traffic is segregated in a network router: the IP address of the incoming packet determines which port it will go out on, and only the traffic intended for the segment served by a particular port will be transmitted on that port. To monitor all the traffic through a router, span ports or mirror ports can be created that can 'see' all the network traffic or the traffic for particular segments.


Oracle Database Firewall In-Line Deployment

[Slide diagram: the Basic Data Center Environment with Database Firewall Enforcement Points placed in-line, either between the Core switches and the Distribution Network Switch or between the Distribution Network Switch and each Protected Database; a Firewall Management Server sits on the management network alongside Syslog, SIEM, and Management.]


In this configuration Oracle Database Firewall is deployed in-line to protect all databases from traffic entering and leaving the data center. The Database Firewall has one or more bridges. Each bridge is formed from two network interface cards, one on each of the two segments it joins. With an in-line deployment, the SQL traffic passes through the Oracle Database Firewall and is inspected before it is forwarded to the database or blocked. This configuration is required for protecting the database from SQL injection and similar attacks using malicious SQL code.
There are two placements for the Database Firewall shown in this diagram. Typically you would choose one. The first places the Database Firewall between the core network switches and the distribution switches. This configuration may require multiple Database Firewall installations to allow enough network interfaces and enforcement points. The second configuration places the Database Firewall between the distribution network switch and each of the protected databases.
In both cases, the subnet of the bridge in the Database Firewall is the same as the subnet of the two devices to which the Database Firewall bridge is connected. The number of bridges depends on the number of network segments to be protected, with two interfaces for each bridge. The number of Database Firewalls needed depends on the number of interfaces and the total number of statements per second relative to the memory and processing power available.
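The following Python model is an added illustration of the rules stated on this page and on the Enforcement Point Architecture page, not Oracle's code: a protected database is identified by IP address and port, every database behind one enforcement point must share a server type, two Oracle instances behind one listener port cannot be told apart, and an in-line bridge must sit on the same subnet as the two devices it joins. It reuses the classroom addresses from this lesson and assumes the conventional Oracle listener port 1521, which the page does not state.

```python
"""Enforcement point and bridge-subnet rules, as a constructed model."""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ProtectedDatabase:
    name: str
    ip: str
    port: int
    server_type: str  # "Oracle", "MSSQL", "Sybase", ...

    @property
    def address(self) -> tuple:
        # A protected database is defined by IP address and port only.
        return (self.ip, self.port)


@dataclass
class EnforcementPoint:
    name: str
    policy: str
    databases: list = field(default_factory=list)

    def add(self, db: ProtectedDatabase) -> None:
        # All databases behind one enforcement point share a server type.
        if self.databases and db.server_type != self.databases[0].server_type:
            raise ValueError(
                f"{self.name}: expected {self.databases[0].server_type}, "
                f"got {db.server_type} for {db.name}")
        self.databases.append(db)

    def route(self, dst_ip: str, dst_port: int) -> list:
        """Databases matching a packet's destination. More than one match means
        the firewall cannot distinguish them (e.g. two Oracle instances sharing
        one listener port)."""
        return [db for db in self.databases if db.address == (dst_ip, dst_port)]


def ambiguous_addresses(ep: EnforcementPoint) -> dict:
    """Map each (ip, port) registered more than once to the database names."""
    seen = {}
    for db in ep.databases:
        seen.setdefault(db.address, []).append(db.name)
    return {addr: names for addr, names in seen.items() if len(names) > 1}


def bridge_subnet_ok(bridge_ip, client_side_ip, db_side_ip, prefix_len) -> bool:
    """In-line rule: the bridge shares one subnet with both devices it joins."""
    nets = {ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
            for ip in (bridge_ip, client_side_ip, db_side_ip)}
    return len(nets) == 1


def demo_enforcement() -> dict:
    # Classroom addresses from this lesson; port 1521 is an assumption.
    ep = EnforcementPoint("Enforcement Point 1", "Policy 1")
    ep.add(ProtectedDatabase("orcl", "192.168.36.203", 1521, "Oracle"))
    ep.add(ProtectedDatabase("hr", "192.168.36.203", 1521, "Oracle"))  # same listener
    try:
        ep.add(ProtectedDatabase("crm", "192.168.36.210", 1433, "MSSQL"))
        mixed_rejected = False
    except ValueError:
        mixed_rejected = True
    return {
        "matches": [db.name for db in ep.route("192.168.36.203", 1521)],
        "ambiguous": ambiguous_addresses(ep),
        "mixed_rejected": mixed_rejected,
        # Bridge 0 (192.168.36.220) between the client (192.168.36.1) and DB01.
        "bridge_ok": bridge_subnet_ok("192.168.36.220", "192.168.36.1",
                                      "192.168.36.203", 24),
        # The management address is on 10.228.10.0/24: wrong subnet for a bridge.
        "bridge_bad": bridge_subnet_ok("10.228.10.103", "192.168.36.1",
                                       "192.168.36.203", 24),
    }
```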


Oracle Database Firewall Out-of-Band Monitoring

[Slide diagram: the Basic Data Center Environment with Database Firewall Monitoring Points attached to the Core switches and to the Distribution Network Switch in front of each Protected Database; a Firewall Management Server sits on the management network alongside Syslog, SIEM, and Management.]


In this configuration Oracle Database Firewall is deployed out-of-band to provide real-time monitoring, alerting, and reporting. With an out-of-band deployment, the SQL traffic is copied to Oracle Database Firewall, usually by means of a span port, while at the same time the SQL is sent directly to the database. Auditing can be provided for all traffic within the data center. Out-of-band monitoring cannot block SQL traffic. This configuration allows you to monitor SQL traffic for compliance. The Database Firewall can warn and alert for out-of-policy SQL statements, but cannot block SQL traffic in this configuration.
There are two placements for the Database Firewall shown in this diagram. Typically you would choose one. The first places the Database Firewall on a bridged or span port on the core network switches. This configuration may require multiple Database Firewall installations to allow enough network interfaces and enforcement points. The second configuration places the Database Firewall on a span or bridged port of the distribution network switch for each of the protected databases.


Database Firewall Resilient Pairs

[Slide diagram: Database Clients and Applications, a Network Switch, and a Protected Database; two Oracle Database Firewalls form a Resilient Pair monitoring the switch, both reporting to one Oracle Database Firewall Management Server.]


To provide a high-availability system architecture, you can configure pairs of Database Firewalls. During system configuration, one device is designated as the primary device and the other as the secondary device. The primary device carries out all normal operations. The secondary device monitors traffic and provides alerts only when the primary device fails. This is a monitoring-only configuration: both Database Firewall appliances are in an out-of-band configuration, so blocking of SQL traffic is not possible.


Management Server Resilient Pairs

[Slide diagram: two Oracle Database Firewall Management Servers form a Resilient Pair; two Oracle Database Firewalls, each in front of a Protected Database, connect through a Network Switch to Database Clients and Applications and report to the Management Server pair.]


You can configure a pair of Database Firewall Management Servers for an Oracle Database
Firewall system. The main benefit of a resilient pair of Oracle Database Firewall Management
Servers is that it provides continuous service to generate reports, monitor system status, and
change configuration settings in the event of a failure of the primary Oracle Database Firewall
Management Server.
The secondary Oracle Database Firewall Management Server obtains its configuration
settings automatically from the primary. To ensure that settings remain consistent between
the two devices, the Administration Console allows configuration settings to be saved only
from the primary Oracle Database Firewall Management Server.


Oracle Database Firewall Applications

Use the following applications to configure and administer the Oracle Database Firewall system:
- Oracle Database Firewall Administration Console: Configure, manage, and monitor Oracle Database Firewall
- Oracle Database Firewall Analyzer: Create policies that Database Firewalls use


The Oracle Database Firewall Administration Console is a Web browser-based application that you can use to configure, manage, and monitor Oracle Database Firewall. The Administration Console is available on each Database Firewall and Management Server.
The Oracle Database Firewall Analyzer is a Microsoft Windows-based application that you can use to define policies.


Using the Oracle Database Firewall Administration Console

The Oracle Database Firewall Administration Console is a browser-based application used to configure, manage, and monitor Oracle Database Firewall.


The Oracle Database Firewall Administration Console is used to configure, manage, and
monitor an Oracle Database Firewall system. Reporting capabilities are also provided in the
Administration Console. Detailed information on the features and usage of the Oracle
Database Firewall Administration Console is provided in the lesson corresponding to the
feature.


Using the Oracle Database Firewall Analyzer

The Oracle Database Firewall Analyzer is used to create policies that Database Firewalls use to block, alert, log, or permit SQL statements.


The Oracle Database Firewall Analyzer is used to create the policy that the Database
Firewalls use to block, alert, log or permit SQL statements for the database. Detailed
information on using the Oracle Database Firewall Analyzer to create policies is provided in
the lesson titled Configuring Policies.


Summary

In this lesson, you should have learned how to:
- Describe Oracle Database security solutions
- Describe Oracle Database Firewall architecture
- Describe Oracle Database Firewall deployment options
- Describe Oracle Database Firewall applications


Practice 1-1 Overview: Exploring the Practice Environment

This practice covers the following topics:
- Starting the Oracle VM VirtualBox virtual machines
- Starting the Oracle Database instance and listener
- Determining the IP addresses for
  - The database server virtual machine (VM)
  - The Oracle Database Firewall VM
- Testing the connectivity between the client on the Microsoft Windows host and the database server VM


In this practice, you will start the database instance and Oracle Database Firewall virtual
machines. You will also record the IP addresses that are being used by each machine and the
Microsoft Windows host.


Understanding the Classroom Configuration

[Slide diagram of the classroom network. Microsoft Windows client: Host-Only Management Network Adapter, IP address 10.228.10.1; Host-Only Client Network Adapter, IP address 192.168.36.1; a further management-side address, 10.228.10.200, also appears on the slide. DBDIRECT: Management Interface on a host-only adapter, IP address 10.228.10.103. Oracle Database Firewall: Bridge 0 adapter on the internal network (intnet), IP address 192.168.36.220. DB01: Internal Network Adapter (intnet), IP address 192.168.36.203.]


There are two virtual machines in the classroom. One is for the Oracle Database Firewall
appliance and the other is a database server. The MS Windows host is acting as the source
of the client-generated SQL and also as the host for the Database Firewall Analyzer.
The database has a network connection that can only communicate on an internal network.
The only adapter it can connect to is the internal network adapter configured in the Database
Firewall virtual machine. The Database Firewall must be configured to be a bridge to allow
any communication between the client and the database in the classroom environment.
In the VirtualBox environment, a host-only adapter can communicate with the host machine and with any other host-only adapter that uses the same gateway. The gateway in the classroom is the Windows host.
The Database Firewall management link is set in the network configuration as part of the
installation process. This is shown in the lesson titled "Deploying Oracle Database Firewall".
The bridge IP address is not set and is disabled by default when the enforcement point is
created, and must be changed in the Administration Console as shown in Activity Guide
"Configuring Enforcement Points".


Quiz

The Oracle Database Firewall may be deployed in-line or out-of-band. What is the major difference in functionality between the two?
a. Out-of-band deployment can be configured with resilient pairs of Database Firewalls; in-line deployment cannot.
b. In-line deployment can block SQL traffic; out-of-band deployment cannot.
c. Out-of-band deployment can block, warn, and send alerts on SQL traffic; in-line deployment cannot send alerts.
d. In-line deployment can monitor without blocking SQL traffic; out-of-band can monitor and block traffic.


Answer: b
Even though A is true, it is not the major functional difference. C and D are not true because
the out-of-band deployment cannot block SQL traffic.



Deploying Oracle Database Firewall


Objectives

After completing this lesson, you should be able to do the following:
- Install Oracle Database Firewall
- Install Oracle Database Firewall Management Server
- Install Oracle Database Firewall Analyzer


Installation Overview

- Oracle Database Firewall is an appliance.
- Installation software includes the Oracle Enterprise Linux operating system.
- There are two installation configurations:
  - Oracle Database Firewall and Management Server combined
  - Oracle Database Firewall Management Server alone
- Installation performs basic configuration.
- Additional configuration and maintenance tasks are performed through the Administration Console web interface.


Oracle Database Firewall is an appliance. The Oracle Database Firewall software is installed on a bare machine. The software includes the Oracle Enterprise Linux operating system and the default configuration.
Once installed, the appliance is configured and maintained through the Oracle Database Firewall Administration Console web interface.
There are two basic installations:
- The Database Firewall and Management Server on one system
- The Database Firewall on one system and the Management Server on another
The Database Firewall Management Server is also an appliance. When the Management Server is installed by itself, the Management Server on the Database Firewall is disabled.


Deploying an Oracle Database Firewall System

[Slide diagram. Stand-Alone Deployment: Oracle Database Firewall and Oracle Database Firewall Management Server on one x86 host; Oracle Database Firewall Analyzer on a Microsoft Windows client. Managed Deployment: Oracle Database Firewalls on x86 hosts; Oracle Database Firewall Management Server on an x86 host; Oracle Database Firewall Analyzer on a Microsoft Windows client.]


In the simplest configuration, a stand-alone deployment, you install the Database Firewall onto one Linux server, which uses an Oracle Linux environment. Then, you install the Firewall Analyzer onto a client Microsoft Windows computer.
A more common scenario is the managed deployment, where you install one or more Database Firewalls, each onto a separate server, and one Database Firewall Management Server onto a separate server. In this scenario, all the Database Firewall servers communicate with one central Database Firewall Management Server. In turn, one or more protected databases connect through each Database Firewall. You can install as many Database Firewalls as your site needs.


Deploying a Stand-Alone System

[Slide diagram: Database Clients and Applications connect through one Database Firewall, which also hosts the Database Firewall Management Server, to two Protected Databases; the Database Firewall Analyzer runs separately.]


In a stand-alone system, there is one server containing both the Database Firewall and the
Management Server. In this scenario, you can manage multiple enforcement points to
monitor or protect multiple databases.
Note: It is recommended that each enforcement point has only one database engine.


Oracle Database Firewall Managed Deployment

[Slide diagram: Database Clients and Applications connect through two Database Firewalls to two Protected Databases; a separate Database Firewall Management Server and the Database Firewall Analyzer complete the system.]


A more common deployment scenario is the managed deployment, where there are multiple
Database Firewalls and the Management Server is on a separate x86 host. Each Database
Firewall can monitor or block the SQL traffic to multiple databases.


Deploying a Local Monitor

[Slide diagram: Database Clients and Applications, a Database Firewall, a Database Firewall Management Server, and the Database Firewall Analyzer; the protected Oracle, Microsoft, and Sybase databases each run a Local Monitor.]


If you want to monitor SQL data originating from a local connection to the database server
and not through the network, then you can install the local monitoring software into the
protected database. (Be aware that local monitoring does not block SQL statements.) Then,
configure this database to communicate directly with a Database Firewall, which in turn
sends this SQL data to a Management Server.


Deploying a Remote Monitor

[Slide diagram: Database Clients and Applications, a Database Firewall, a Database Firewall Management Server, and the Database Firewall Analyzer; the protected Oracle, Microsoft, and Sybase databases each run a Remote Monitor.]


If you have many small databases in a distributed environment and you want Oracle
Database Firewall to monitor all of these small databases centrally, then you can install a
remote monitor on a Linux, UNIX, or AIX database. Be aware that remote monitoring does
not block SQL statements. The remote monitor is an agent that runs as root on the
database server. The remote monitor collects and sends the observed database SQL traffic
over the network to a Database Firewall that manages the remote monitor installations.


Oracle Database Firewall Ports

Port Number   Description
22            Secure shell (encryption enabled)
443           Oracle Database Administration Console
514           Syslog
1514          Oracle Database Firewall to Management Server
4560          Oracle Database Firewall Analyzer


Oracle Database Firewall uses the ports listed on the slide. Each port has a specific use. The secure shell port is configured for only the support OS user. The Oracle Database Administration Console connects through port 443 and https. Syslog uses port 514 for UDP traffic. If you are using syslog with TCP, you define your own port.
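A reachability check for the service ports in the table, added here as an example rather than Oracle's tooling: it probes each TCP port with a short connect timeout and reports which are open, and it skips the UDP syslog port, since a UDP connect cannot confirm a listener. The self-check runs against loopback with stand-in port numbers; the hostnames and descriptions are constructed.

```python
"""Probe the Oracle Database Firewall service ports from a client machine."""
import socket
from contextlib import closing

# Port table from the slide. 514 is UDP and is listed but not probed.
DBFW_PORTS = {
    22:   ("tcp", "Secure shell (support OS user only)"),
    443:  ("tcp", "Administration Console (https)"),
    514:  ("udp", "Syslog"),
    1514: ("tcp", "Database Firewall to Management Server"),
    4560: ("tcp", "Database Firewall Analyzer"),
}


def probe_tcp(host: str, port: int, timeout: float = 1.0) -> bool:
    """True when a TCP handshake to host:port completes within the timeout."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except OSError:  # refused, unreachable, or timed out
            return False


def check_ports(host: str, ports=DBFW_PORTS, timeout: float = 1.0) -> dict:
    """Map each port number to 'open', 'closed' or 'udp (not probed)'."""
    results = {}
    for port, (proto, _desc) in ports.items():
        if proto != "tcp":
            results[port] = "udp (not probed)"
        else:
            results[port] = "open" if probe_tcp(host, port, timeout) else "closed"
    return results


def demo_ports() -> dict:
    """Self-check on loopback: one listening port, one closed port, one UDP entry.
    The ephemeral port numbers stand in for the real 443 and 1514 services."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    # Reserve, then release, a second port so that it is closed when probed.
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()
    try:
        table = {open_port: ("tcp", "stand-in for 443"),
                 closed_port: ("tcp", "stand-in for 1514"),
                 514: ("udp", "Syslog")}
        return check_ports("127.0.0.1", table, timeout=0.5)
    finally:
        listener.close()
```

For a real check, call check_ports("<DBFW management IP>") from the Windows client; anything reported closed for 443 or 4560 explains an Administration Console or Analyzer connection failure.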


Supported Database Management Systems

Database Management System               Versions
Oracle Database                          8i, 9i, 10g, 11g
IBM DB2                                  9.x (Linux, UNIX, and Microsoft Windows)
Microsoft SQL Server                     2000, 2005, 2008
Sybase Adaptive Server Enterprise (ASE)  12.5.4, 15.0.x
Sybase SQL Anywhere                      10.1.1


The database management systems listed on the slide are supported as protected
databases with Oracle Database Firewall version 5.0.


Installing Oracle Database Firewall and Oracle Database Firewall Management Server

When the Database Firewall is installed:
- Oracle Enterprise Linux is installed
- Oracle Database Firewall is installed
- Oracle Database Firewall Management Server is installed
- On first boot, the database is installed
When the Management Server is installed separately:
- Oracle Enterprise Linux is installed
- Oracle Database Firewall Management Server is installed
- On first boot, the database is installed
- On configuration, the Management Server disables the Management Server on the Database Firewall machine


The Oracle Database Firewall and Oracle Database Firewall Management Server are two
separate components. They can be installed together on a single machine, or separately on
two distinct machines. In either case, the entire machine is taken by the installation. The
installation process overwrites the primary disk, installing Oracle Enterprise Linux as the
operating system on that machine. When the Database Firewall is installed, the
Management Server is also installed.
When the Management Server is installed separately, the first action of the Management
Server is to disable the Management Server that was installed on the machine with the
Database Firewall.


Invoking the Installer

Insert the first disk as appropriate for the component you are installing:
- Oracle Database Firewall: Use the disk labeled Oracle Database Firewall 5.0 Disc 1. This installation includes Oracle Database Firewall and Oracle Database Firewall Management Server software.
- Oracle Database Firewall Management Server: Use the disk labeled Oracle Database Firewall Management Server 5.0. This installation is only required if the Oracle Database Firewall Management Server is to be installed on a separate server than Oracle Database Firewall.


Because the Database Firewall and Management Server installations include the Oracle
Enterprise Linux OS installation, installation starts with a boot up of the server machine.
Insert the appropriate CD into the server, and if necessary, set the BIOS to boot from the
CD. Then initiate the boot sequence.
The first CD in both installations transfers control to the OS installation. That is when you
are asked to insert the CD for Oracle Enterprise Linux. Later in the install process, you will
be asked to reinsert Disk 1.


Creating a Password for the support User

- The support user account is an OS user that is installed as part of Oracle Database Firewall.
- The support user account is to be used only when requested to do so by Oracle Support.


The support OS user is only to be used as directed by Oracle Support. Make sure the
password is strong.


Creating a Password for the sys User

- The sys account is the privileged database account in the Oracle Database.
- The sys password is set during installation.
- The sys user account is used for startup, shutdown, and other administrative actions in the database.


The sys account is familiar to Oracle database administrators. It is the privileged account that is used for database startup, shutdown, backup, and database patching. An OS user account named oracle is created on the machine with the appropriate privileges to access the sys database account with OS authorization. The oracle user account has an expired password, so it is disabled for login.
The administration of the database underlying the Database Firewall Server or Management Server should be done only through the Management Server web interface.


Modifying a Network Device Connection

- The Network Devices window displays network device connections.
- Select the network device connection to be used as the Management Link.


Network device connections are shown with the hardware MAC addresses and basic
configuration information. The first device in the list is assumed to be the device hardware
Network Interface Card (NIC) that will be used by the Management Server.
The Management Server will use one of the network interfaces for the Administration
Console server and communication with the Management Server if it is installed on a
separate machine.
The brx devices link two devices as a bridge. Make sure that the client side device is linked
to the database side device by the same brx device. In a normal Database Firewall
configuration, the clients for a database or set of databases will use the same subnet as the
databases. There is no physical connection between the clients and the database except
through the Database Firewall bridge. This physical configuration allows the Database
Firewall to be configured to monitor the SQL statements as they pass through or to monitor
and block the statements.
Oracle Database Firewall can be configured to have several bridges, but there must be two NICs for each bridge. The IP addresses are configured later.
If you select a particular device such as eth1, you can change configuration details as
shown in the next slide.


Configuring Network Settings

Settings enable you to map physical ports to the Oracle Database Firewall interfaces and bridges.


At this stage of the installation, you can identify which physical device is mapped to which ethx device by using the Identify function, which causes the light on the interface to blink. This is very important on a Database Firewall with many interfaces. You can change the following settings:
- Up: Moves the device up in the list
- Down: Moves the device down in the list
- Identify: Identifies the device for 10 seconds
- Refresh: Refreshes device details in the list of links
Moving the interface up or down changes the ethx that is mapped to the interface, and the bridge that is mapped to the interface.
Refresh checks the physical link again and changes the Link: field in the header to show whether the cable is connected or disconnected.
Note: In the screenshot shown in the slide, the Link field at the top shows no, indicating that the cable is disconnected.


Setting the Management Link IP Address

Installation process creates an Administration Console on


each Oracle Database Firewall and Oracle Database
Firewall Management Server.

Oracle University and Counterhouse Consultants Ltd use only


Administration Console IP address defaults and can be
changed after boot up.

Copyright 2011, Oracle and/or its affiliates. All rights reserved.

When the Database Firewall machine completes booting, the Network Settings Console
window appears. In this window, you can change the IP address, network mask, and default
gateway address for the management link. Use the arrow keys to select which item to
change, then press Return to go to a window that allows you to edit the value. The Tab key
moves you out of the edit field, and Escape saves and returns to the Network Settings
Console window. This window is available at any time in the Administration Console of the
Database Firewall machine. Press Alt-F1 to display the Network Settings Console.
Note: If you change these settings after configuring the Firewall Management Server, several
other settings will need to be changed as well.
Alt-F2 through Alt-F8 provide access to additional terminal screens. Alt-F9 displays the
messages shown during start up.

Logging in to the Oracle Database Firewall Administration Console

You can log in to the Administration Console from any browser on a machine that can ping the Management link IP address.

To connect to the Administration Console, enter the following URL in a browser from any
machine that can ping the Database Firewall server:
https://<IP_Address_of_DBFW_Server>/user/login
The name of the Database Firewall server can be used instead of the IP address if the
name is resolved properly.

Changing the admin User Account Password

You are prompted to change the default password of the admin user the first time you launch the Administration Console.

On the first login to the Administration Console as the admin user, you are required to
change the password. The default password is admin. The Change Password page gives
you an indication of whether the password is considered strong or weak. A strong password
uses uppercase and lowercase characters, numerals, and special characters, and is at least 8
characters long.
Note: Do not lose the admin user password. This password cannot be reset. The best
practice is to create additional users with administrator privileges and reserve the admin
user account for accessing the Firewall server as a contingency.

Installing Oracle Database Firewall Analyzer

Install Oracle Database Firewall Analyzer on a Microsoft Windows-based machine.
Use the disk labeled Oracle Database Firewall Utilities 5.0.
Install the Firewall Analyzer by double-clicking the OracleDatabaseFirewallAnalyzerInstaller.exe file.

The Oracle Database Firewall Analyzer is available only on Windows-based systems. To
install the Analyzer, insert the CD labeled Oracle Database Firewall Utilities 5.0 into the
machine, and execute the OracleDatabaseFirewallAnalyzerInstaller.exe
program file.

Oracle Database Firewall Sizing

Sizing core and memory:
Database Firewall requires 1 core and 2 GB of memory.
Each enforcement point uses 1 core and 1-2 GB of memory.
Enforcement points can share a core.
Sizing disk:
80 GB is the minimum space required by the installer.
Depends on policy:
logall: 650 bytes/statement at 1,000 tps: 55 GB/day
log unique: Uses less

When sizing the server to be used for Oracle Database Firewall, the primary considerations
are:
Number of enforcement points
Number of transactions per second
Level of logging required
The Database Firewall itself uses one core, and each enforcement point uses one core.
Adding more cores beyond 1 + the number of enforcement points does not help.
Disk sizing is very dependent on the logging policy chosen. The logall policy can consume
large amounts of disk space. Typically, logall is used only for an initial proof of concept or
testing phase. Log unique uses much less disk space. The amount of space needed will
depend on the ratio of unique to repeated statements.

Oracle Database Firewall Sizing

Sizing CPU:
Allow one core for overhead
Allow one core per 5,000 TPS in general
Sizing memory:
2 GB of memory (minimum)
1-2 GB per protected database based on use level
Sizing disk:
80 GB is the minimum space required by the installer.
Depends on logging level:
100 GB minimum
300 GB recommended

When sizing the server to be used for Oracle Database Firewall, the primary consideration is
the number of transactions per second (TPS). The number of cores required can be
estimated by allocating one core for overhead and adding another core for every 5,000
transactions per second monitored by Database Firewall. This number is an estimate for a
mixed database type environment. The TPS varies in a homogeneous environment.
The recommended amount of memory is at least 2 GB, with an additional 1 to 2 GB per
protected database, depending on the level of use: 1 GB for light use, 1.5 GB for medium use,
and 2 GB for heavy use. The system will function with less than the recommended memory,
but a larger memory size will improve performance during periods of high throughput.
Disk space is used for temporary storage of log files containing the captured SQL traffic and
associated data. Available disk space should be large enough to retain several days of log
files in case communication between the Database Firewall and the Management Server is
interrupted (for example, a link failure between data centers). Normally the log files are
transferred to the Management Server within minutes of creation. Log files are deleted
immediately after the transfer is confirmed.
For more details, see the Oracle Database Firewall Size Best Practices technical white
paper at http://www.oracle.com/technetwork/database/focus-areas/security/wp-database-firewall-sizing-416962.pdf

Oracle Database Firewall Management Server Sizing

Sizing CPU:
2 cores (recommended minimum)
Sizing memory:
2 GB of memory (recommended minimum)
Sizing disk:
Depends on policy
logall: 1000 bytes/statement at 1,000 tps: 85 GB/day
log unique: Much better

The volume of transactions logged will be the primary influence on the specification of the
Management Server.
The Management Server can operate on one core. It is recommended that two to eight
cores be available, depending primarily on the amount of data being logged and the number
and size of reports being generated. The number of databases being protected should be
considered as a secondary factor.
The minimum recommendation for memory is 2 GB. Memory should be increased up to 8
GB for systems with heavy loads.
Disk sizing is very dependent on the logging policy chosen. With an assumption that one
statement requires 1000 bytes of storage after binary logging, summarization, reporting and
compression, a load of 1000 tps with the log all policy requires 85 GB per day of storage.
That is approximately 1 TB every 12 days. The log all policy can consume large amounts of
disk space. Typically the log all policy is used only for an initial proof of concept or during
the testing phase. Log unique uses much less disk space. The amount of space needed will
depend on the ratio of unique to repeated statements. Log unique only logs one sample of a
statement with the same source IP address, database username, operating system
username, and client program name per hour.
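As an added example (not part of the Oracle course material), the following Python calculator turns the rules of thumb from the two Database Firewall sizing slides and the Management Server sizing slide into functions: one core of overhead plus one per 5,000 TPS, 2 GB base memory plus 1, 1.5 or 2 GB per protected database by use level, and bytes per statement times statements per second for daily log volume. The constants are the slides' figures; the planning scenario in the main block is constructed. Run on the slides' own inputs it gives the unrounded values (56.2 GB/day for 650 bytes at 1,000 tps, 86.4 GB/day for 1,000 bytes), which the slides round to 55 and 85.

```python
"""Sizing helper for an Oracle Database Firewall deployment.

Added example, not Oracle code: it encodes the rules of thumb quoted
on the sizing slides so the arithmetic can be checked for a planned
deployment. All constants below are the slide figures.
"""
import math

SECONDS_PER_DAY = 86_400
TPS_PER_CORE = 5_000                  # "one core per 5,000 TPS in general"
BASE_MEMORY_GB = 2.0                  # "2 GB of memory (minimum)"
# Per-database memory by use level, from the notes (1 / 1.5 / 2 GB).
MEMORY_PER_DB_GB = {"light": 1.0, "medium": 1.5, "heavy": 2.0}
# Per-statement storage planning figures quoted on the two slides.
BYTES_PER_STATEMENT = {"firewall": 650, "management_server": 1000}


def cores_required(tps: int) -> int:
    """One core of overhead plus one core per 5,000 monitored TPS."""
    if tps < 0:
        raise ValueError("tps must be non-negative")
    return 1 + math.ceil(tps / TPS_PER_CORE)


def memory_required_gb(use_levels) -> float:
    """2 GB base plus 1-2 GB per protected database, by use level."""
    return BASE_MEMORY_GB + sum(MEMORY_PER_DB_GB[level] for level in use_levels)


def log_bytes_per_day(tps: int, bytes_per_statement: int) -> int:
    """Bytes written per day under a log-all policy (every statement logged)."""
    return tps * bytes_per_statement * SECONDS_PER_DAY


def log_gb_per_day(tps: int, component: str) -> float:
    """Decimal gigabytes per day using the 'firewall' or 'management_server' figure."""
    return log_bytes_per_day(tps, BYTES_PER_STATEMENT[component]) / 1e9


def days_of_retention(disk_gb: float, tps: int, component: str) -> float:
    """Days of log-all traffic a given disk can buffer.

    Relevant to the note that the firewall should hold several days of
    logs if the link to the Management Server fails.
    """
    per_day = log_gb_per_day(tps, component)
    return math.inf if per_day == 0 else disk_gb / per_day


if __name__ == "__main__":
    # Constructed planning scenario, not a figure from the course.
    tps = 12_000
    print("cores:", cores_required(tps))
    print("memory GB:", memory_required_gb(["heavy", "medium", "light"]))
    print("firewall log GB/day:", round(log_gb_per_day(tps, "firewall"), 1))
    print("days buffered on 300 GB:", round(days_of_retention(300, tps, "firewall"), 2))
```

The retention helper supports the point in the notes about surviving a link failure to the Management Server: divide the disk you can give the firewall by the daily volume at peak TPS, and compare the result with the number of days of outage you want to tolerate.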

Summary

In this lesson, you should have learned how to:
Install and deploy Oracle Database Firewall
Install and deploy Oracle Database Firewall Management Server
Install Oracle Database Firewall Analyzer

Practice 2-1 Overview: Installing Oracle Database Firewall

This practice covers installing Oracle Database Firewall in a stand-alone configuration.

In this practice, you will review a viewlet showing the installation of Oracle Database
Firewall in a stand-alone configuration.
The installation of Oracle Database Firewall is shown in a viewlet, as the actual time to
install can take 1-2 hours depending on the hardware.

Practice 2-2 Overview: Changing the admin User Password

This practice covers changing the admin user password.

In this practice, you will perform the first login to the Database Firewall Management
Console and change the admin user password.

Practice 2-3 Overview: Installing the Oracle Database Firewall Analyzer

This practice covers installing Oracle Database Firewall Analyzer.

In this practice, you perform an installation of the Oracle Database Firewall Analyzer on the
Windows host system.

Quiz

Which of the following is not true when the Oracle Database Firewall is installed?
a. The existing disks are reformatted.
b. The Oracle Linux operating system is installed first.
c. An Oracle database is installed on first boot.
d. A minimum of three network interfaces is required.
e. 500 GB of disk space is required for logs.

Answer: e
All except E are required. The recommended size of disk space for logs is 300 GB. This is
not required for installation. 80 GB of disk space is required for installation.


Configuring Oracle Database Firewall

Objectives

After completing this lesson, you should be able to do the following:
Configure settings for a stand-alone Oracle Database Firewall
Configure enforcement points
Configure settings for an Oracle Database Firewall Management Server
Create an Oracle Database Firewall user
Configure email alerts for third-party connectors

Configuring a Stand-Alone Oracle Database Firewall

1. Set the date and time.
2. Specify the Network Time Protocol (NTP) time server.
3. Specify the network settings.
4. Enable secure log access for using other reporting tools.
5. Configure syslog destinations and forwarding of syslog messages.
6. Configure enforcement points.
7. Configure the bridge IP address for blocking and local monitoring.
8. Verify your configuration.

The Oracle Database Firewall is configured through a web interface. The tasks listed on the
slide can all be performed in the Administration Console when the Oracle Database Firewall
is installed with the Management Server on a single server. Access the Administration
Console using the https://ip_address/user/login URL, where ip_address is the IP address of
the Database Firewall server. This is the same IP address that is set for the management link,
as shown in the lesson titled Deploying Oracle Database Firewall.
To verify the configuration, there must be some SQL traffic.

Configuring an Oracle Database Firewall Management Server System

1. Perform the following initial tasks on each Management Server:
   A. Specify system settings.
   B. Enable secure log access.
   C. Set the date and time.
   D. Specify the NTP time server.
   E. Configure syslog destinations and syslog forwarding.
2. Perform the following tasks on each Oracle Database Firewall:
   A. Configure time settings.
   B. Change the IP address or specify the IP address of the gateway and DNS servers.
   C. Specify the Management Server certificate and IP address.

When the Management Server is on a physically separate server, the tasks are divided
between the Management Server and the Database Firewall. The first set of tasks is
performed on the Management Server and the second set is performed on each Database
Firewall server. Both are accessed through a web interface using the
https://ip_address/user/login URL, where ip_address is the IP address of either the
Management Server or the Database Firewall server.
It is important that the time setting be the same on all the servers, to allow the correlation of
events in the log files. The simplest method is to use a Network Time Protocol (NTP) server.

Configuring an Oracle Database Firewall Management Server System

3. Perform the following final tasks on each Management Server:
   A. For a resilient pair of Management Servers, specify partner settings.
   B. Add each Database Firewall.
   C. Optionally, define a resilient pair of Database Firewalls.
4. Configure enforcement points.
5. Verify the configuration.

Step 3 is optional. Perform these tasks if you are configuring a high availability (HA) set of
servers. Configure the primary and secondary Management Servers. Add the Database
Firewall servers. Define which Database Firewall servers are paired.
In the system where the Management Server is separate from the Database Firewall, the
enforcement points are configured in the Management Server. In an HA configuration, the
enforcement points are configured on the primary Management Server.

Creating an Enforcement Point

An enforcement point is a container holding:
A list of protected databases
Compliance settings
Operational mode:
   Database Activity Monitoring (DAM)
   Database Policy Enforcement (DPE)
Policy information:
   Built-in policies for monitoring
   Custom policies

An enforcement point is an Oracle Database Firewall container that stores the settings that
enforce the Database Firewall policies that you create. The enforcement point takes the SQL
statements collected from the network traffic and decides how to handle them. In other words,
the enforcement point defines the relationship between the database and the policy.
An enforcement point has a name and is applied to a database type (product line). Each
database is defined by its IP address and port number. A server name may be used instead
of an IP address if Domain Name Services (DNS) is enabled. You can have multiple
databases configured to use one enforcement point, but they must be of the same product
line, for example Oracle Database.
An enforcement point may have one or more compliance settings. The generated reports
base their settings on the compliance settings. The compliance types are:
SOX: Sarbanes-Oxley Act compliance
PCI: Payment Card Industry compliance
DPA: Data Protection Act compliance
GLBA: Gramm-Leach-Bliley Act compliance
HIPAA: Health Insurance Portability and Accountability Act compliance

The operational mode determines the behavior of the enforcement point. If the enforcement
point is to be used only to log statements and provide warnings of potential attacks,
select Database Activity Monitoring (DAM). If the enforcement point is also required to block
potential attacks, use Database Policy Enforcement (DPE). DPE is available only if you set a
policy. Each policy is specific to a database product line. An enforcement point can have only
a single policy, but that policy can be applied to multiple databases from the same database
product line.
By default, no policy is enforced, even if the DPE mode is specified.
The built-in policies provide several options for collecting SQL to be used to create a policy.
The default logging policy set in the Enforcement Point Wizard is passall.dna, which does no
logging. If this is the first time you are creating a policy, it is recommended that you
select the unique.dna policy.
Note: In this course, the logall policy is used to provide more log data with less workload.
Custom policies are created by using the Database Firewall Analyzer software and are then
uploaded.

Enable Network Bridge

To use DPE mode, the Network Bridge must:
Have the correct IP address
Be enabled

The network bridge is not enabled by default, and it is assigned a default IP address on
installation that may not be appropriate for the site configuration.
For each subnet that is being protected by the Database Firewall, there will be a bridge
connecting two network interfaces. The IP address of the bridge must be in the same subnet
as the two network segments that it connects.
In the practice environment, the client IP address is 192.168.36.1, the database IP address is
192.168.36.203, the subnet mask is 255.255.255.0, and the bridge address must be
192.168.36.x where x is a value between 1 and 255. The value we chose for the bridge
address is 192.168.36.220.
You can set this value and enable the bridge. Click the List button under the Traffic sources
section in the Monitoring tab to display the page shown in the slide.
Click the Name of the network to change the IP address or mask of the bridge.

Oracle Database Firewall Operational Modes

Database activity monitoring (DAM), also known as monitoring mode: The system detects and logs unusual activity. It produces warnings, but does not block potential threats. Can be implemented in-line or out-of-line.
Database policy enforcement (DPE), also known as blocking mode: The system detects and logs unusual activity. It produces warnings and blocks potential attacks. Must be in-line.

There are two operational modes for Oracle Database Firewall: Database activity monitoring
(DAM) and Database policy enforcement (DPE).
DAM mode only monitors the SQL activity and does not block any SQL statements. In DAM
mode, the Database Firewall makes a copy of the SQL statement then applies the policy.
Potential attack warnings can be generated in DAM mode. You will use the Firewall Analyzer
to develop a policy that specifies which statements to allow. Any statement that does not
match the policy will generate a warning, but will be passed through to the database. When a
new policy is put in place, it is recommended that the policy be used in DAM mode for a while
to be sure that all normal SQL activity will be allowed and then change the operational mode
to enforce the policy. This mode is also used to monitor for compliance.
DPE mode monitors the SQL activity and the Database Firewall will block SQL statements as
specified in the policy. In DPE mode, the Database Firewall examines each SQL statement
coming through the Database Firewall, applies the policy and then forwards it to the database.
Potential attack blocking can be enforced by developing a policy and setting the operational
mode to database policy enforcement (DPE). In this mode, SQL statements will be blocked.
Using the Firewall Analyzer to create the policy, you can categorize the statements into
groups, and then assign actions to these groups. The actions specify which groups of
statements should be passed through and which should be blocked.
For both modes, the level of logging is specified as part of the policy.
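The following toy enforcement point is an added example, not Oracle code and not a description of how the product is implemented. It models only the behaviour the notes above describe: a policy assigns an action (pass, warn or block) to groups of statements; in DAM mode the firewall works on a copy, so a block action can only produce a warning and every statement is forwarded; in DPE mode the block action actually stops the statement. The statement grouping (stripping literals) and the sample policy and traffic are constructed for the example and stand in for the Analyzer's clustering.

```python
"""Toy enforcement point illustrating DAM versus DPE behaviour.

Added example, not Oracle code. A policy maps normalized statements to
an action; DAM never blocks (block degrades to warn on a copy), DPE
blocks. Normalization here is a constructed stand-in for clustering.
"""
from dataclasses import dataclass, field
import re

PASS, WARN, BLOCK = "pass", "warn", "block"


def normalize(sql: str) -> str:
    """Collapse literals and whitespace so statements differing only in
    values fall into the same group (stand-in for policy clustering)."""
    s = re.sub(r"'[^']*'", "'?'", sql)          # string literals
    s = re.sub(r"\b\d+\b", "?", s)              # numeric literals
    return " ".join(s.lower().split())


@dataclass
class EnforcementPoint:
    mode: str                               # "DAM" or "DPE"
    policy: dict                            # normalized statement -> action
    default_action: str = WARN              # statements not covered by the policy
    log: list = field(default_factory=list)

    def handle(self, sql: str, source_ip: str) -> bool:
        """Apply the policy to one statement; return True if it is forwarded."""
        if self.mode not in ("DAM", "DPE"):
            raise ValueError("mode must be DAM or DPE")
        action = self.policy.get(normalize(sql), self.default_action)
        # DAM monitors a copy of the traffic, so a block action can only warn.
        blocked = action == BLOCK and self.mode == "DPE"
        outcome = BLOCK if blocked else (PASS if action == PASS else WARN)
        self.log.append({"sql": sql, "source_ip": source_ip, "outcome": outcome})
        return not blocked


def run_scenario(mode: str):
    """Replay constructed traffic; return (statements forwarded, outcomes)."""
    # Constructed policy: the application's lookup passes, a direct change to
    # a sensitive table is blocked, anything unknown warns (the default).
    policy = {
        normalize("SELECT name FROM customers WHERE id = 1"): PASS,
        normalize("UPDATE salaries SET amount = 99999 WHERE emp_id = 7"): BLOCK,
    }
    ep = EnforcementPoint(mode=mode, policy=policy)
    traffic = [  # constructed sample traffic, not captured data
        ("SELECT name FROM customers WHERE id = 42", "192.168.36.1"),
        ("UPDATE salaries SET amount = 500000 WHERE emp_id = 12", "192.168.36.1"),
        ("DELETE FROM audit_trail", "192.168.36.1"),
    ]
    forwarded = sum(ep.handle(sql, ip) for sql, ip in traffic)
    return forwarded, [entry["outcome"] for entry in ep.log]


if __name__ == "__main__":
    for mode in ("DAM", "DPE"):
        print(mode, run_scenario(mode))
```

Running both modes over the same traffic shows the difference the notes describe: DAM forwards all three statements and records two warnings, while DPE forwards two and records one block. The warning for the unknown statement is what you review while a new policy is trialled in DAM mode before switching to DPE.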

Oracle Database Firewall Logging

Oracle Database Firewall can perform targeted logging to minimize the use of storage for logs.
Logging rules are stored in a policy.
Use Oracle Database Firewall log information to:
Monitor the system and generate reports
Compare with the data used to create a policy
Perform forensic analysis for audit and compliance purposes

In the Database Firewall there is a set of built-in policies. These policies contain only rules for
logging. Each of these built-in policies specifies a different level of logging. The
passall.dna policy performs no logging. The unique.dna policy
logs all statements that have a unique combination of cluster, source IP address, and
user name within the last hour. The logall.dna policy logs all SQL traffic.
Audit logging can be implemented by setting the operational mode to Database Activity
Monitoring (DAM) and choosing a built-in policy. In this mode, logging of SQL activity will
occur but no statements will be blocked. The log files can be reviewed and analyzed for
normal and abnormal activity.
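The difference between the logall and log unique policies, described both here and in the Management Server sizing notes, is easiest to see on data. The script below is an added example, not Oracle code: it applies the rule from the sizing notes (one sample per hour for each distinct combination of statement cluster, source IP address, database user name, operating system user name and client program name) to constructed traffic records and reports how many records and how many bytes each policy would write, using the 650 bytes/statement planning figure from the sizing slide. The statement clustering is a constructed stand-in (literals stripped), not the product's algorithm.

```python
"""Simulation of the 'log unique' versus 'log all' logging policies.

Added example, not Oracle code. Applies the log-unique rule from the
course notes to constructed records so the volume reduction is visible.
"""
from datetime import datetime
import re


def cluster_key(sql: str) -> str:
    """Constructed stand-in for statement clustering: strip literals and
    whitespace so statements that differ only in values share a key."""
    s = re.sub(r"'[^']*'", "'?'", sql)
    s = re.sub(r"\b\d+\b", "?", s)
    return " ".join(s.lower().split())


def log_all(records):
    """logall policy: every statement is kept."""
    return list(records)


def log_unique(records):
    """log unique policy: one sample per hour for each distinct
    (statement cluster, source IP, DB user, OS user, client program)."""
    seen = set()
    kept = []
    for rec in records:
        hour = rec["time"].replace(minute=0, second=0, microsecond=0)
        key = (cluster_key(rec["sql"]), rec["source_ip"], rec["db_user"],
               rec["os_user"], rec["client"], hour)
        if key not in seen:
            seen.add(key)
            kept.append(rec)
    return kept


def _rec(t, sql, ip="192.168.36.1", db_user="app_user", os_user="alice", client="sqlplus"):
    return {"time": t, "sql": sql, "source_ip": ip, "db_user": db_user,
            "os_user": os_user, "client": client}


# Constructed sample traffic (not captured data): the same lookup repeated
# with different literals, one change of client program, one new hour, and
# one statement from a different client host and OS user.
SAMPLE = [
    _rec(datetime(2011, 8, 1, 10, 5), "SELECT name FROM customers WHERE id = 1"),
    _rec(datetime(2011, 8, 1, 10, 20), "SELECT name FROM customers WHERE id = 2"),
    _rec(datetime(2011, 8, 1, 10, 45), "SELECT name FROM customers WHERE id = 3", client="jdbc"),
    _rec(datetime(2011, 8, 1, 11, 2), "SELECT name FROM customers WHERE id = 4"),
    _rec(datetime(2011, 8, 1, 11, 10), "DELETE FROM audit_trail", ip="192.168.36.50", os_user="bob"),
    _rec(datetime(2011, 8, 1, 11, 30), "SELECT name FROM customers WHERE id = 9"),
]


def compare(records, bytes_per_statement=650):
    """Record and byte counts each policy would write, using the
    650 bytes/statement planning figure from the sizing slide."""
    all_n, uniq_n = len(log_all(records)), len(log_unique(records))
    return {"all_records": all_n, "unique_records": uniq_n,
            "all_bytes": all_n * bytes_per_statement,
            "unique_bytes": uniq_n * bytes_per_statement}


if __name__ == "__main__":
    print(compare(SAMPLE))
    for rec in log_unique(SAMPLE):
        print(rec["time"].strftime("%H:%M"), rec["client"], rec["os_user"], rec["sql"])
```

Of the six constructed records, log unique keeps four: the repeated lookups in the same hour from the same user and client collapse to one sample, but a change of client program, a new hour, or a different source host and OS user each produce a new sample. The same collapsing is why the sizing notes say the space needed under log unique depends on the ratio of unique to repeated statements.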

Oracle Database Firewall Logs

Traffic: All SQL statements, database login, and logout events required by the policy.
Event: System events not directly related to the Oracle Database Firewall software.
Administration: Login ID of any user that changes configurations for system actions in the Administration Console.

The Database Firewall creates three types of logs:
Traffic Log: Stores all SQL statements and database login and logout events that the policy
requires.
Each logged statement and event can include a set of attributes that provide additional
information about the originator, including:
The database user login name
The IP address of the database client
The user's operating system login name
The name of the client program
If the information about the originator is not available from the SQL traffic directly, a direct
database interrogation (DDI) feature enables a Database Firewall to query the database to
obtain the information. DDI can be enabled or disabled as required. DDI can only be used
with Microsoft SQL Server and Sybase SQL Anywhere.
Refer to the Oracle Database Firewall Administration Guide for further information.

In addition, you can enable a database response monitoring feature, which stores all
responses that the protected database makes to SQL statements and login and logout
requests, in the traffic log.
Event Log: Stores system events that are not directly related to the Database Firewall
software, such as operating system warnings.
Administration Log: Stores the login ID of any user who changes configurations for system
actions such as shutdowns, restarts, and policy uploads, in the Administration Console.

Creating System Administrator Users

The default system administrator user is admin.
Create new administrator users to improve security and provide separation of duties.
Users can be created in stand-alone and managed Database Firewalls.
Users can be created in Management Servers.
Users are local to each system.

The default administrator user name is admin (lowercase). This user is defined in the
Administration Console, not on the operating system, so it can be used only through the
Administration Console interface. For better security and separation of duties, it is
recommended that you reserve the admin user account as a back-up account and
create a separate administrative account for one or more existing users for day-to-day
operations. This provides you with a back-up administrative user account if the primary
administrator is not available.
You can use the Users menu of the System page to create, list, and edit Administration
Console user accounts. A valid user name and password must be provided when the
Administration Console is started, or when a user of the Firewall Analyzer software connects
using Train on Log Data or Test with Log Data.
You can create users in both stand-alone and managed Database Firewalls, and in the
Management Server. These user accounts are local to each system, even after you have
configured a Database Firewall to connect to a Management Server.

Understanding System Administrator Capabilities

Capabilities of the system administrator vary based on the deployment:
Stand-Alone Database Firewall: System administrator user can perform all functions
Management Server System (Managed Database Firewall):
   Database Firewall: System administrator user can only change network settings, view network traffic, remove the Database Firewall from the Management Server, and perform tasks specific to the Database Firewall
   Management Server: System administrator user can create and manage enforcement points, configure policies, create reports, and archive data

For a stand-alone Database Firewall, in which both the Database Firewall and the
Management Server are on the same server, the administrator user can perform all functions.
However, if the Database Firewall is on a server separate from the Management Server, after
you connect the Management Server to this Database Firewall, the administrator functions
change. Example:
Database Firewall administrator: Can only change network settings, view network traffic,
remove the Database Firewall from the Management Server, and similar tasks specific to the
current Database Firewall
Management Server administrator: Can create and manage enforcement points, configure
policies, run reports, archive, and so on
For all of the user account options, you can create as many users as your site requires.
To ensure full traceability of system changes, the administration log stores the login ID of any
person who makes a change from the Administration Console. Having separate
Administration Console accounts enables you to easily track users who make changes to the
Database Firewall system in this log.

Implementing Oracle Database Firewall 3 - 14


THESE eKIT MATERIALS ARE FOR YOUR USE IN THIS CLASSROOM ONLY. COPYING eKIT MATERIALS FROM THIS COMPUTER IS STRICTLY PROHIBITED

Creating a New User

Use the Administration Console to create a new user.
Grant a user role:
System Administrator: Full access to all options in the Administration Console and connect from the Firewall Analyzer
View-only User: View log data, change his/her password, and connect from the Firewall Analyzer
Log Administrator: View log data, change his/her password, run archive and restore jobs, and connect from the Firewall Analyzer


In the Administration Console, click the System tab, and then click Add User. On the Add
User page, you will enter the username, the name of the user, email address, role, and
password.
The user role provides a way to enforce separation of duties with three separate roles.
The system administrator has full privileges in the Administration Console.
View-only users have privileges to change their password, view log data, and connect from
the Firewall Analyzer.
Log administrators have all the view-only user privileges and can run archive and restore
jobs.


Creating Password Policies

Create password policies to enforce strong passwords.
The password policy applies to all users managed by the Database Firewall.


Setting a password policy is strongly recommended. The password policy is set on the User Security Settings page. Access the Security menu item under Users to navigate to the User Security Settings. On this page, you can require the use of strong passwords: set the required password length, the password expiration time in days, and whether a user can ever reuse a previously used password.
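As an added illustration (not Oracle code, and not how the Database Firewall stores its own accounts), the following Python models the three settings on the User Security Settings page: a required length, an expiry in days, and whether an old password may be reused. The reuse check compares the candidate against a history of salted hashes rather than stored plaintext. The class, function names and the hashing scheme are assumptions made for the example.

```python
import hashlib
import hmac
import os
from datetime import date, timedelta

# Constructed example, not product code: the three User Security Settings on the
# slide (required length, expiry in days, reuse of previous passwords) applied to
# a user's password history. The names and the hashing scheme are assumptions.


def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


def remember(password):
    """Return a (salt, digest) history entry; the plaintext is never kept, so a
    leaked history cannot be replayed as a list of old passwords."""
    salt = os.urandom(16)
    return salt, _digest(password, salt)


def _matches(password, entry):
    salt, digest = entry
    return hmac.compare_digest(_digest(password, salt), digest)


class PasswordPolicy:
    def __init__(self, min_length=12, expiry_days=90, allow_reuse=False):
        self.min_length = min_length
        self.expiry_days = expiry_days
        self.allow_reuse = allow_reuse

    def is_expired(self, last_changed, today):
        """Dates as ISO strings (YYYY-MM-DD); True once the password is at least
        expiry_days old and the user must be made to change it."""
        age = date.fromisoformat(today) - date.fromisoformat(last_changed)
        return age >= timedelta(days=self.expiry_days)

    def violations(self, candidate, history):
        """List the rules a proposed password breaks; an empty list means accepted."""
        problems = []
        if len(candidate) < self.min_length:
            problems.append("shorter than %d characters" % self.min_length)
        if not self.allow_reuse and any(_matches(candidate, e) for e in history):
            problems.append("previously used")
        return problems


if __name__ == "__main__":
    policy = PasswordPolicy(min_length=10, expiry_days=30)
    history = [remember("OldPassw0rd!")]
    print(policy.violations("OldPassw0rd!", history))        # ['previously used']
    print(policy.violations("Brand-New-Secret-9", history))  # []
    print(policy.is_expired("2011-08-01", "2011-09-01"))     # True
```

Keeping the history as salted PBKDF2 digests means the reuse rule can be enforced without the history itself becoming a second copy of every password the user has ever had.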


Configure Email Server

Select Email Configuration in the System menu.


To use email alerts, you must first configure a destination mail server to which the alerts will be sent. A server using the Simple Mail Transfer Protocol (SMTP) is required. This server is typically on another machine. Go to the System tab and select Email Configuration as shown on the slide.
The email configuration page allows you to configure the name and address of the mail server, and the user that is sending the mail.


Configuring Email Alerts for Third-Party Connectors


The recipients of email alerts may be configured after the SMTP server has been configured. Specify the email addresses of the recipients, separated by a space, a tab, or a new line.


Summary

In this lesson, you should have learned how to:
Configure settings for a stand-alone Oracle Database Firewall
Configure enforcement points
Configure settings for an Oracle Database Firewall Management Server
Create an Oracle Database Firewall user
Configure email alerts for third-party connectors


Practice 3-1 Overview: Setting the Date and Time

This practice covers setting the date and time.


In this practice, you will set the time for the management console. The time setting is used to record the time of logged events, so the correct time is important for interpreting the logs correctly.


Practice 3-2 Overview: Configuring Enforcement Points

This practice covers the following topics:
Configuring the EP_DB01 enforcement point
Setting the initial policy


In this practice, you will set an enforcement point for the DB01 database.


Practice 3-3 Overview: Creating a New System Administrator User

This practice covers creating a new system administrator user.


In this practice, you will add yourself as a new System Administrator user.


Practice 3-4: Configuring Email Alerts

This practice covers configuring an email connector.


In this practice, you configure a connector to send emails to a mail server.


Quiz

An enforcement point can have one of two operational modes and a choice of several logging policies. Which mode and policy would you initially choose so that you could get a list of each type of SQL statement, but not interfere with the application, with a minimum use of log space?
a. Database policy enforcement (DPE) with logall-nomask.dna
b. Database activity monitoring (DAM) with passall.dna
c. Database policy enforcement (DPE) with unique.dna
d. Database activity monitoring (DAM) with logall.dna


Answer: c
With the unique.dna policy, there will be a minimum amount of logging. The operational mode
is not relevant as this is a monitoring-only policy.


Configuring Policies


Objectives

After completing this lesson, you should be able to do the following:
Describe the security model and policy enforcement
Supply logged data to the Firewall Analyzer
Supply SQL statement files to the Firewall Analyzer
Create a new model
Create a policy
Deploy a policy


Oracle Database Firewall Policy Enforcement

Oracle Database Firewall policy enforcement architecture provides:
Performance and scalability: Millions of statements can be simplified into a small number of SQL characteristics or clusters
High level of accuracy: SQL grammar-based analysis to enforce normal activity
Flexible enforcement:
- Statements can be blocked
- Statements can be passed and an alert generated
- Another SQL statement can be substituted for the statement
- Statements can be logged only


An Oracle Database Firewall cluster is a set of semantically similar SQL statements that is
created when the Oracle Database Firewall Analyzer reads logged SQL statements, either to
create a model or when testing against new logged SQL data. The Analyzer uses its built-in
knowledge of the SQL syntax to categorize the SQL statements into semantic clusters.
SQL statements are processed using a powerful grammar-based analysis engine that
decomposes and categorizes the SQL. In addition to looking at the SQL statement, policies
can evaluate factors such as IP address, time, and program name.
Oracle Database Firewall monitors data access, enforces access policies, highlights
anomalies, and helps protect against network-based attacks originating from outside or inside.
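To make the idea of a cluster concrete, here is an added Python illustration. It is not the Analyzer's grammar engine, which the page does not detail; it reduces each statement to a key in which literal values, letter case and spacing no longer matter, so that repeated executions of one application statement collide into a single cluster while a statement of a different shape, such as one with an appended OR 1=1, lands in a cluster of its own and stands out as new. The sample statements and all names are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed illustration, not the product's parser: a simplified cluster key.
# Literal constants are replaced by "?", spacing and case are normalised, and a
# list of placeholders such as IN (?, ?, ?) collapses to IN(?), so the key keeps
# the statement's structure and drops the values that vary per execution.

_LITERAL = re.compile(
    r"""'(?:[^']|'')*'     # single-quoted string, '' is an escaped quote
      | 0x[0-9A-Fa-f]+     # hexadecimal constant
      | \b\d+\.\d+\b       # float constant
      | \b\d+\b            # integer constant
    """,
    re.VERBOSE,
)


def cluster_key(statement):
    key = _LITERAL.sub("?", statement)
    key = re.sub(r"\s+", " ", key).strip().rstrip(";")
    key = re.sub(r"\s*([=<>!,()])\s*", r"\1", key)   # drop spacing around punctuation
    key = re.sub(r"\(\?(?:,\?)*\)", "(?)", key)      # IN(?,?,?) -> IN(?)
    return key.upper()


def group_by_cluster(statements):
    """Map each cluster key to the original statements that produced it."""
    clusters = defaultdict(list)
    for stmt in statements:
        clusters[cluster_key(stmt)].append(stmt)
    return dict(clusters)


# Constructed sample of logged statements: two executions of one application
# query, an IN-list variant, an update, and a tautology that does not belong.
SAMPLE_STATEMENTS = [
    "SELECT name, balance FROM accounts WHERE id = 42",
    "select name, balance from accounts where id=7;",
    "SELECT name, balance FROM accounts WHERE id IN (1, 2, 3)",
    "UPDATE accounts SET balance = 10.5 WHERE id = 42",
    "SELECT name, balance FROM accounts WHERE id = 42 OR 1=1",
]

if __name__ == "__main__":
    for key, members in group_by_cluster(SAMPLE_STATEMENTS).items():
        print("%-55s %d statement(s)" % (key, len(members)))
```

The first two statements share a key and so form one cluster; the last one does not, which is the property a policy relies on: a cluster built from the application's normal traffic will not match a statement whose shape the application never produces, so that statement falls through to whatever the default rule says.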


Policy Enforcement Flow


Diagram: Policy enforcement flow
SQL Connection
  -> Exception Factors: if YES (match), then EXIT
  -> Session Profile 1 / Session Profile 2 / Background: if YES (match), then EXIT
  -> Novelty Policies: if YES (match), then EXIT
  -> Default Rule: apply rule, then EXIT


Policy enforcement flow is key to understanding which statements will be matched and which
will not. If a statement is matched, then an action can be taken. If it is not matched, then
default rules determine the action taken by the Database Firewall.
Note: You may want to bookmark this page for future reference.
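The flow on the slide, rendered as an added Python example (not product code): each stage holds rules that are tried in order, the first match ends evaluation, and only a statement that no stage claims falls through to the default rule. The sample policy, the rule names and the session context fields (ip, program, cluster) are assumptions made for the illustration.

```python
import dataclasses
from dataclasses import dataclass, field
from typing import Callable, List

# Constructed example of the enforcement order on the slide: exception factors,
# then session profiles, then novelty policies, then the default rule. The first
# matching rule decides and evaluation exits; nothing later is consulted.


@dataclass
class Decision:
    action: str        # "pass", "warn" or "block"
    logging: str       # "never", "sample", "unique" or "always"
    threat: int = 0    # 0 = Unassigned ... 5 = Catastrophic
    matched_by: str = ""


@dataclass
class Rule:
    name: str
    matches: Callable[[dict], bool]   # predicate over the session context
    decision: Decision


@dataclass
class Policy:
    exception_factors: List[Rule] = field(default_factory=list)
    session_profiles: List[Rule] = field(default_factory=list)
    novelty_policies: List[Rule] = field(default_factory=list)
    default_rule: Decision = field(
        default_factory=lambda: Decision("warn", "always", 3))


def evaluate(policy, ctx):
    """Walk the stages in slide order and return the first decision that applies."""
    stages = (("exception factors", policy.exception_factors),
              ("session profiles", policy.session_profiles),
              ("novelty policies", policy.novelty_policies))
    for stage, rules in stages:
        for rule in rules:
            if rule.matches(ctx):
                return dataclasses.replace(
                    rule.decision, matched_by="%s/%s" % (stage, rule.name))
    return dataclasses.replace(policy.default_rule, matched_by="default rule")


# Constructed sample policy. Context keys (ip, program, cluster) are assumptions.
KNOWN_APP_CLUSTERS = {
    "SELECT NAME,BALANCE FROM ACCOUNTS WHERE ID=?",
    "UPDATE ACCOUNTS SET BALANCE=? WHERE ID=?",
}

SAMPLE_POLICY = Policy(
    exception_factors=[
        # A trusted backup host is exempted from every later stage.
        Rule("backup host", lambda c: c["ip"] == "10.0.0.5",
             Decision("pass", "never")),
    ],
    session_profiles=[
        # The order application, from its own server, running statements the model knows.
        Rule("order app",
             lambda c: c["ip"] == "10.0.0.20"
             and c["program"] == "orderapp"
             and c["cluster"] in KNOWN_APP_CLUSTERS,
             Decision("pass", "unique")),
    ],
    novelty_policies=[
        # DDL from any session not already matched is blocked and logged as severity 5.
        Rule("ddl",
             lambda c: c["cluster"].split(" ", 1)[0] in {"DROP", "ALTER", "CREATE"},
             Decision("block", "always", 5)),
    ],
)

if __name__ == "__main__":
    session = {"ip": "10.0.0.20", "program": "orderapp", "cluster": "DROP TABLE ACCOUNTS"}
    print(evaluate(SAMPLE_POLICY, session))   # block, matched by novelty policies/ddl
```

The order is also the caveat: because the backup host is matched at the exception factors stage, a DROP TABLE from that address is passed and never reaches the novelty rule, so exception factors should be kept as narrow as the exempted job requires.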


Configuring Policies

Policies are easily configured by using:
White list for positive security enforcement
- Can be automatically generated for any application
- Allowed behavior can be defined for any user or application
- Transactions that do not match the policy are rejected
Blacklist for negative security enforcement
- Stop unwanted transactions, users, or schema access
- Prevent privilege or role escalation and illegal access to sensitive data by using factors
- Selectively block any part of a transaction in context to your business and security goals


Oracle Database Firewall supports white list and blacklist based policies.
A white list is a set of approved SQL statements. SQL traffic is compared with the white list.
Based upon the policy, Database Firewall alerts, blocks, or substitutes a statement for the
SQL statement.
A blacklist is used to block specific SQL statements.
Note: There is nothing in the Oracle Database Firewall product that refers to white list or
blacklist. Whether it is a white list or a blacklist depends upon how you configure the policy.


Oracle Database Firewall Preconfigured Policies

Policy               Description
logall-nomask.dna    Log all statements for offline analysis without masking data
logall.dna           Log all statements for offline analysis
logsample.dna        Log a sample of statements for offline analysis
passall.dna          Pass all statements and log none
unique-nomask.dna    Log examples of statements for offline analysis covering each distinct source of traffic in the statements
unique.dna           Log examples of statements for offline analysis covering each distinct source of traffic


Oracle Database Firewall includes the policies listed on the slide as part of the product
installation.
Note: You must select a policy when you define an enforcement point.


Creating Policy Files

Policy file: A set of rules that the Database Firewall uses when it monitors SQL traffic.
Use the Oracle Database Firewall Analyzer to create an initial policy file from SQL statements logged while monitoring database traffic.
A set of logged SQL statements provides a model of expected operation.
A policy file can be generated from a train file or a server trace file.


A policy file is a configuration file that is used by Oracle Database Firewall to determine the threat severity, action level, and logging level it should use for each SQL statement encountered.
You can use the Oracle Database Firewall Analyzer to create an initial policy file by monitoring database traffic. This set of logged SQL statements provides a model of operation and is input to the policy creation. There is the possibility that some of the traffic that is collected is not normal or acceptable.
A policy may be generated from a train file or a server trace file. A train file is a manually generated text file for an Oracle Database. A server trace file is generated by a Microsoft SQL Server database.
After the model is generated, you can customize the policy file for your site-specific requirements.
Detailed information on this process is provided in this lesson.


Custom Policy Development Overview

1. Enable the Oracle Database Firewall Analyzer to understand typical database usage by supplying logged data or SQL statement files via a model.
2. Use the Oracle Database Firewall Analyzer to create and save the policy.
3. Use the Administration Console to upload the policy to the Database Firewall Management Server and enable the policy for an enforcement point.
4. Refine the policy.


For the Oracle Database Firewall to be effective, you can supply logged data or SQL
statement files via a model to enable the Database Firewall Analyzer to understand the typical
use of the database.
Once the model is supplied and a policy is defined, you use the Administration Console to
upload the policy to the Database Firewall Management Server. After the policy is uploaded,
you can enable the policy for a defined enforcement point.
Additional information on each of these steps is provided in this lesson.


Enabling the Firewall Analyzer to Understand Database Usage

To enable the Oracle Database Firewall Analyzer to understand the normal ways that client applications use the database:
Supply logged data via a Train on Log Data model
- Directly from the traffic log of Database Firewall
- Place the Database Firewall in Log Unique Mode by selecting unique.dna as the initial policy
Supply SQL statement files via a Train on File model
- Via a text file
- From a Microsoft SQL Server trace file


To develop an effective policy, Oracle Database Firewall must understand the typical or
normal SQL statements that are part of the applications. Prior to developing a policy, you
can provide data to the Oracle Database Firewall Analyzer from logged data or SQL
statement files. This data is supplied via a model. Additional information about models
follows.
The logged data can come from any level of logging. By using the unique.dna policy, the
Database Firewall captures only the statements that are different, thus reducing the size of
the log files.


Creating a New Model

Model:
- File that stores logged data or SQL statement files used to create a policy
- Stores all data used to develop a policy, including properties and analysis data
Create a model from:
- Training on logged data
- Training on a SQL statement file
Two files are created:
- filename.smdl
- filename.smdl_data


A model stores all the data used to develop a policy, including properties and analysis data. The model is stored in two files as described on the slide.
When you create a model, you can specify that the model is created by training on logged data or by training on a SQL statement file. Training on logged data means that the data is obtained directly from the traffic log of Database Firewall. This is the recommended way to supply data for the model. Training on a SQL statement file requires that a text file containing a list of SQL statements be created and supplied to Database Firewall. For Microsoft SQL Server only, you can also supply a binary log file containing a list of SQL statements.
After you create the model, analyze the data to refine the policy.


Creating a Model from Training

Use the Oracle Database Firewall Analyzer to create a new model from training.


To create a new model, launch the Oracle Database Firewall Analyzer and click Create a
New Model from Training. To create a model based on logged data, select Train on Log
Data and click Change. Specify the database where the statements were executed and the
time range for the logged data.


Setting Properties for Clusters

Use the Details or Baseline tab to set the following properties for each cluster in the model:
Action: Permits, blocks, or generates a warning when it encounters a statement that matches the cluster
Logging Level: Logs, logs all statements, or logs statements that have a unique combination of cluster, source IP address, database username, operating system username, and client program name
Threat Severity: Anticipated threat from statements in the cluster. Threat severity is logged when a statement is logged.


After determining which statements you want to include in your policy, use the Details or Baseline tab to set the cluster properties:
Action
- Unassigned: No specific action has been set. The policy will pass any statements that match an existing cluster that has an Unassigned action level. The unassigned statements will then use any action that is provided by the default rule.
- Block: The policy will block all statements that match the cluster.
- Warn: The policy will generate a warning for all statements that match the cluster. This status can be displayed in the Administration Console and generates a syslog message.
- Pass: The policy will allow all statements that match the cluster.
Logging Level
- Unassigned: No specific logging level has been set. The policy will not log any statements that match an existing cluster that has an Unassigned logging level.
- Never: Never logs statements that match the cluster.
- Sample: Logs only a sample of statements. The default sample frequency is 10, and is set up in the Administration Console. For example, if the frequency is 10, then a statement that matches a sample-logged cluster is logged on its first occurrence. Thereafter, there must be a further 10 statements that are exactly the same as the original for the statement to be logged again.
- Always: Logs all statements that match the cluster.
- Unique: Logs all statements that have a unique combination of cluster, source IP address, and user name within the last hour. Therefore, a statement is not logged if all three of these attributes match those of an existing statement that has been logged in the past hour. The statement is logged only if at least one of these attributes is different.
If the user name is not known, the policy will log the statement, providing there is no other logged statement that belongs to the same cluster, has the same source IP address and has no associated user name.
This logging level is recommended for policy development because it provides an effective sample of traffic without having to log all statements.
Threat Severity: Each cluster can have an optionally-assigned threat severity. There are six threat severity levels, ranging from Unassigned to Catastrophic (threat severity 5). When Oracle Database Firewall logs a statement, the threat severity of the statement is also logged. Third-party reports and syslog can be used to display statements based on the logged threat severity.
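The logging levels above, as an added Python example (not product code) that decides statement by statement whether to write a log record. Sample counts exact repeats of one statement text; Unique remembers the (cluster, source IP, user name) triple for an hour, with an unknown user carried as None so that it is its own value in the key, as the notes describe. The class name, the context fields and the reading of "a further 10 statements" as logging occurrences 1, 11, 21 and so on are assumptions.

```python
# Constructed example, not product code: the four assignable logging levels
# applied to a stream of statements. Clock readings are plain seconds so the
# example needs no wall clock; any monotonic counter will do.


class LogDecider:
    def __init__(self, sample_frequency=10, unique_window_seconds=3600):
        self.sample_frequency = sample_frequency
        self.unique_window = unique_window_seconds
        self._repeats = {}        # statement text -> occurrences seen so far
        self._last_logged = {}    # (cluster, ip, user) -> time last logged

    def should_log(self, level, statement, ctx, now):
        """ctx holds 'cluster', 'ip' and 'user' (None when the user is unknown)."""
        if level in ("unassigned", "never"):
            return False
        if level == "always":
            return True
        if level == "sample":
            return self._sample(statement)
        if level == "unique":
            return self._unique(ctx, now)
        raise ValueError("unknown logging level: %r" % level)

    def _sample(self, statement):
        # Assumed reading of the notes: the first occurrence is logged, then the
        # statement is logged again each time a further sample_frequency exact
        # copies have been seen (occurrences 1, 11, 21, ... when frequency is 10).
        count = self._repeats.get(statement, 0) + 1
        self._repeats[statement] = count
        return (count - 1) % self.sample_frequency == 0

    def _unique(self, ctx, now):
        # An unknown user is stored as None, so two statements from the same
        # cluster and IP with no user name are treated as the same combination.
        key = (ctx["cluster"], ctx["ip"], ctx.get("user"))
        last = self._last_logged.get(key)
        if last is not None and now - last < self.unique_window:
            return False          # same cluster, IP and user logged within the hour
        self._last_logged[key] = now
        return True


if __name__ == "__main__":
    decider = LogDecider(sample_frequency=10)
    stmt = "SELECT name FROM accounts WHERE id = 42"        # constructed
    ctx = {"cluster": "SELECT NAME FROM ACCOUNTS WHERE ID=?", "ip": "10.0.0.20", "user": "APP"}
    print([decider.should_log("sample", stmt, ctx, 0) for _ in range(12)])
    # [True, False, False, False, False, False, False, False, False, False, True, False]
```

Unique is the level the notes recommend for policy development: the per-hour key keeps log volume bounded while still recording every new combination of statement shape, source and user, which is what the Analyzer needs in the next refinement pass.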


Setting Cluster Properties

Use the Oracle Database Firewall Analyzer to set cluster properties.


Select the cluster, right-click and select Properties. The Cluster Properties window is
displayed.
A cluster is a single statement or a group of statements that are selected. You can order and
filter on various columns to display the set of statements you wish to group together.


Saving the Policy

After you have developed a policy, save the policy to a file:
1. Select Create Policy in the File menu of the Firewall Analyzer.
2. Specify the following:
   a. Folder to save the policy file
   b. Policy file name
3. Click Save.


When you save a policy, you must provide a policy name. This name will be the file name with
a default extension of .dna. The file is saved by default in the smdl directory. Take note of
where the policy file is saved so that you will be able to locate it for uploading.
Note: In the course practice environment, the default directory is My Documents.


Uploading the Policy

After saving the policy file, use the Administration Console to upload the policy to the Database Firewall Management Server.


After you have saved the policy in a .dna file, you upload it to the Oracle Database Firewall
Management Server.
Perform the following steps to upload the policy:
1. Click Upload in the Policies section on the Monitoring tab page.
2. Browse for the Policy.
3. Provide a description of the policy. As the policies are refined, the description becomes
more important so that you can identify the policy when you apply the policy to an
enforcement point.


Specifying the Policy for the Enforcement Point

After you have uploaded the policy to the Database Firewall Management Server, select the newly created policy for the enforcement point.


After the policy is uploaded, it appears on the settings page of the enforcement point. The
policies are listed in alphabetical order.
Select the policy you wish to apply to the enforcement point and click Save.


Refining the Policy

Policy development is an iterative process:
Maintain Log Mode Unique after the policy has been deployed so that new SQL statements will be logged.
Use the Firewall Analyzer to import new SQL statements for comparison with the current policy.
Analyze the data and assign threat severities, action levels, and logging levels to each new cluster.


Once you have defined a policy for your enforcement point, you should continue to review
reports to ensure your policy meets your compliance requirements. You may further refine the
policy as necessary.
Use unique log policies after you have deployed the initial policy. This enables Oracle
Database Firewall to log new SQL statements, which you then can import into the Analyzer
for analysis against the statements used to build the current policy. Unique log policies also
enable you to detect policy anomalies (such as anomaly default rules). This way, you can
identify possible security vulnerabilities and improve the policy further. You can repeat this
process as many times as required.


Refining the Policy

Diagram: Statements from clients -> Unique Log Mode -> Logged SQL statements -> Analysis -> Policy Update


The policy definition may need to be updated based on additional analysis as shown in the
diagram in the slide.
Maintain Log Mode Unique after the policy has been deployed so that new SQL statements
will be logged. As additional statements are executed, they are compared with logged SQL
statements. You can also use the Firewall Analyzer to import new SQL statements for
comparison with the current policy.
Analyze the data and assign threat severities, action levels, and logging levels to each new
cluster.
Continuing to log statements and perform analysis can help you to find default rules that have
no associated policy. These are called anomaly default rules. It is advisable to log and
produce a warning for such statements.


Baseline Anomalies

Any statement that does not match any policy rule is an anomaly.
The default rule determines the action, logging level, and threat of statements that are anomalies.


Baseline Anomalies are those statements that do not match any rule in the policy.
Refer to the "Policy Enforcement Flow" diagram presented earlier in this lesson. On that
diagram, you can see that the default rule is applied last in the sequence, and then only to
those statements that have not been matched by any other rule.


Sensitive Data Masking

Turn data masking on or off.
Apply masking to all statements or only to statements meeting given criteria.


Selecting Sensitive data masking in the Tools menu displays a dialog that allows you to set up rules for automatic masking of sensitive data in log files, such as credit card numbers.
If a logged statement matches the masking policy set up in this dialog, the policy automatically replaces all user data in that statement, that is, string constants, integer constants, hexadecimal constants, and float constants, with alternative characters. The characters used depend on the data type.
The masking process prevents sensitive data from appearing in log files.
To mask sensitive data, select Mask sensitive data. You can mask all sensitive data in all statements by selecting For all statements.
To mask only certain statements, select "Only for statements matching the following criteria".
Note: If you use "Only for statements matching the following criteria", be sure to include "*" as one of the columns, so that a SELECT * FROM statement does not cause sensitive data to be logged.
To choose the types of statements:
- Having columns: All statements that contain any of the columns selected in this area will have sensitive data masked.
- Having procedures: If the Any checkbox is selected, all statements that contain a procedure will have sensitive data masked. If you deselect Any, all statements that contain any of the procedures selected in the area will have sensitive data masked.
You can use the Add, Remove or Populate buttons to choose the columns or procedures:
Add enables you to specify a column or procedure name.
Remove enables you to remove the selected column or procedure from the list.
Populate enables you to add all the columns or procedures that are in the current model.
Note: Make sure you select the checkboxes next to the columns or procedures you want masking to apply to.
If Invalid statements is selected, data in invalid statements (those that the policy would not parse) is also masked, where possible. Note that, because the syntax of invalid statements may not be correct, masking of all data in invalid statements may not be possible.
Note: If Treat double quoted strings as identifiers is deselected in the Policy Options dialog, text in double quotation marks will also be masked.
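An added Python illustration of the masking rules described here (not the Analyzer's own implementation, which the page does not show): the four constant types are replaced with a type-dependent substitute, and when For all statements is off only statements that reference a configured column, or that call a configured procedure, are masked, which is why "*" has to be in the column list for SELECT * to be covered. The substitute values, the way columns and procedure calls are recognised, and all names are assumptions.

```python
import re

# Constructed example, not product code: mask the four constant types in a logged
# statement, either for every statement or only for statements that reference a
# configured column or procedure. The substitute values are an assumption; the
# product's own replacement characters are not documented on this page.

_CONSTANT = re.compile(
    r"""(?P<str>'(?:[^']|'')*')
      | (?P<hex>\b0x[0-9A-Fa-f]+\b)
      | (?P<flt>\b\d+\.\d+\b)
      | (?P<int>\b\d+\b)
    """,
    re.VERBOSE,
)
_SUBSTITUTE = {"str": "'xxx'", "hex": "0x0", "flt": "0.0", "int": "0"}

_IDENTIFIER = re.compile(r"[A-Za-z_][A-Za-z0-9_$#]*|\*")
# A procedure reference is taken to be the name after EXEC, EXECUTE or CALL.
_CALL = re.compile(r"\b(?:EXEC|EXECUTE|CALL)\s+([A-Za-z_][A-Za-z0-9_$#.]*)", re.IGNORECASE)


class MaskingPolicy:
    def __init__(self, enabled=True, for_all_statements=False,
                 having_columns=(), having_procedures=(), any_procedure=False):
        self.enabled = enabled
        self.for_all_statements = for_all_statements
        self.having_columns = {c.lower() for c in having_columns}
        self.having_procedures = {p.lower() for p in having_procedures}
        self.any_procedure = any_procedure

    def applies_to(self, statement):
        if self.for_all_statements:
            return True
        # Inspect the statement with its constants removed, so a column name that
        # merely appears inside a string literal does not count as a reference.
        skeleton = _CONSTANT.sub("?", statement)
        names = {n.lower() for n in _IDENTIFIER.findall(skeleton)}
        if names & self.having_columns:          # "*" in the list covers SELECT *
            return True
        calls = {c.lower() for c in _CALL.findall(skeleton)}
        if calls and self.any_procedure:
            return True
        return bool(calls & self.having_procedures)

    def mask(self, statement):
        if not self.enabled or not self.applies_to(statement):
            return statement
        return _CONSTANT.sub(lambda m: _SUBSTITUTE[m.lastgroup], statement)


if __name__ == "__main__":
    cards = MaskingPolicy(having_columns=["card_number", "*"])     # constructed
    print(cards.mask("SELECT * FROM cards WHERE id = 42"))          # ... WHERE id = 0
    print(cards.mask("SELECT name FROM customers WHERE id = 42"))   # unchanged
```

Note how the second policy in the test below, which lists card_number but not "*", leaves SELECT * FROM cards untouched: the column list never mentions the sensitive column by name, so the literal in the WHERE clause reaches the log, exactly the case the note above warns about.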


Adding Login/Logout Policy

Set policies for:
Logins
Failed logins
Logouts

Copyright 2011, Oracle and/or its affiliates. All rights reserved.

Selecting Login/Logout Policy in the Tools menu displays a dialog that allows you to specify
the actions the policy must apply when a database client logs into or logs out of the database.
The dialog contains three policy sections, Login Policy, Failed Login Policy, and Logout
Policy. It also contains a Notes box that allows you to record notes about the policy. The
notes are not used or reported elsewhere.
- Login Policy: Use this section to specify the login action level and threat severity of successful or unsuccessful database user logins, and whether to log logins.
- Failed Login Policy: Use this section to block a client or generate an alert (warning) after a number of consecutive unsuccessful logins. Once triggered, blocking or alerting continues for a period of time up to the specified Reset period.
- Logout Policy: Use this section to specify the logout action level and threat severity of database user logouts, and whether to log logouts.
Note: These policies are applied to an IP address, not to a user, so they can be used to foil automated login attempts from a single IP address.
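The failed-login behaviour described above, keyed on the client IP address rather than the database user, is shown below as an added example (not code from the course or from Oracle Database Firewall). The threshold, the reset period in seconds, the action names "pass", "alert" and "block", and the rule that a successful login clears the consecutive-failure count are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

@dataclass
class FailedLoginPolicy:
    threshold: int         # consecutive failures that trigger the action
    reset_seconds: int     # how long the block or alert stays in force
    action: str = "block"  # "block" (reject the login) or "alert" (allow but warn)

@dataclass
class _ClientState:
    failures: int = 0                      # consecutive failed logins so far
    triggered_at: Optional[float] = None   # when the policy last fired

class LoginTracker:
    """Tracks consecutive failed logins per client IP address. The state is
    shared by every database user coming from that address, which is what
    makes the policy effective against automated guessing from one host."""

    def __init__(self, policy: FailedLoginPolicy):
        self.policy = policy
        self._clients: Dict[str, _ClientState] = {}

    def _state(self, ip: str) -> _ClientState:
        return self._clients.setdefault(ip, _ClientState())

    def _active(self, ip: str, now: float) -> bool:
        """True while a previously triggered block/alert is still in force.
        Once the reset period has elapsed, the client starts clean."""
        st = self._state(ip)
        if st.triggered_at is None:
            return False
        if now - st.triggered_at >= self.policy.reset_seconds:
            st.triggered_at = None
            st.failures = 0
            return False
        return True

    def record_login(self, ip: str, success: bool, now: float) -> str:
        """Apply the policy to one login attempt and return the action taken."""
        if self._active(ip, now):
            return self.policy.action   # still within the reset period
        st = self._state(ip)
        if success:
            st.failures = 0             # "consecutive": a success resets the count
            return "pass"
        st.failures += 1
        if st.failures >= self.policy.threshold:
            st.triggered_at = now
            return self.policy.action
        return "pass"

def simulate(policy: FailedLoginPolicy,
             events: Iterable[Tuple[float, str, bool]]) -> List[str]:
    """Replay (timestamp, client_ip, success) events and return the action
    applied to each one, in order."""
    tracker = LoginTracker(policy)
    return [tracker.record_login(ip, ok, t) for t, ip, ok in events]

# Constructed sample: three failures from 10.0.0.5 trigger a 60 second block;
# a login from a different address at the same time is unaffected.
SAMPLE_EVENTS = [
    (0, "10.0.0.5", False),
    (1, "10.0.0.5", False),
    (2, "10.0.0.5", False),    # third consecutive failure: block starts
    (2, "10.0.0.9", False),    # other client: its own counter
    (10, "10.0.0.5", True),    # correct password, still blocked
    (61, "10.0.0.5", False),   # 59 s after trigger: still blocked
    (62, "10.0.0.5", True),    # reset period elapsed: allowed
]
```

The fifth event is the practitioner's caveat: while the block is in force even a valid login from the blocked address is rejected, which is exactly what stops a brute-force tool that eventually guesses the right password, but it also means a shared NAT address can lock out legitimate users.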


Summary

In this lesson, you should have learned how to:
- Describe the security model and policy enforcement
- Supply logged data to the Firewall Analyzer
- Supply SQL statement files to the Firewall Analyzer
- Create a new model
- Create a policy
- Deploy a policy


Practice 4-1 Overview: Starting the Collection Workload

This practice includes starting a workload on your DB01 database.

In this practice, you initiate a workload on your DB01 database.


Practice 4-2 Overview: Creating a Policy

This practice covers the following topics:
- Creating a new model from training on logged data
- Viewing summary statistics

In this practice, you begin the policy creation process.


Practice 4-3 Overview: Creating a Basic White List

This practice covers the following topics:
- Setting properties for expected SQL statements (the white list)
- Defining the login/logout policy
- Setting the properties for statements not part of the white list

In this practice, you define your white list.


Practice 4-4 Overview: Uploading and Applying the Policy

This practice covers the following topics:
- Uploading the policy
- Applying the policy to your enforcement point

In this practice, you upload the policy and apply it to your enforcement point.


Practice 4-5 Overview: Executing Commands and Analyzing Results

This practice covers the following topics:
- Executing SQL statements
- Verifying that the white list definition is correct
- Performing forensic analysis

In this practice, you verify that the policy you created is working correctly.


Practice 4-6 Overview: Adding an Exceptions Policy

This practice covers the following topics:
- Adding an exception for a specific user
- Uploading and applying the refined policy

In this practice, you add an exceptions policy. Exceptions provide a means of bypassing policy rules and are often used for DBAs, whose activity is not routine and is difficult to define in a white list. In this practice, you add a DBA user who is permitted to perform queries; the activity of that user is, however, fully audited.


Quiz

In what order is the policy enforcement flow applied?
a. Profiles, default rule, exceptions, and then novelty policies
b. Novelty policies, profiles, default rule, and then exceptions
c. Exceptions, profiles, novelty policies, and then a default rule
d. A default rule, exceptions, novelty policies, and then profiles

Answer: c



Creating Advanced Configuration Policies


Objectives

After completing this lesson, you should be able to do the following:
- Create a profile
- Create a novelty policy


Using Profiles

Profile:
- A type of filter used to control the display of data
- A policy rule factor used to apply policy rules by database users, IP addresses, operating system users, client programs, and times of day
A profile is a combination of any of the following types of sets:
- IP address: Named set of IP addresses of database clients
- DB user: Named set of database user login names
- Client program: Named set of client programs
- OS user set: Named set of operating system user names
- Timeslice: Named set of hours in a week

Profiles are used in two ways:
- As a filter to limit the data in the Analysis tab, so you can be more selective about the data you display
- As a factor to determine the statements to which the policy rules apply
The profile allows you to apply different rules to particular sets of users. The profile sets must be defined before they can be assigned to a profile.
When profiles are used in the Analysis tab, they act as filters that change the displayed statements. When they are used in the Baseline or Details tabs, they are applied as rules in the policy and do not affect the displayed statement clusters.


Defining Sets

Before you can select sets in a profile, the sets must be defined. You can create sets in the
Firewall Analyzer by clicking the Tools menu item, then selecting the type of set you wish to
create as shown in the upper left of the slide.
The first dialog box for the set is blank. DB User Sets is the example shown in the upper
center of the slide. Click Add to create a DB User Set.
In the dialog box, shown in the lower right, type a Name for the set, then select the users you
wish to add to the set from the list on the right. This list is populated from the users listed in
the training file, or from logs you have loaded for analysis. Click the single left angle bracket to
move the selected users to the Selected DB Users list on the left, or click the double left angle
bracket to move all the users from Recorded list to the Selected list.
The Add button allows you to enter any name, or use the "*" wildcard character.
Click OK to create the set.
The lower left of the slide shows the DB User Sets dialog box after several sets have been
created. From this dialog box you can add, edit, or delete sets.
Each of the set types has a similar dialog box for creating a set.


Creating a Profile

1. Define each set to be used in the profile.
2. Create the profile:
   A. Name the profile.
   B. Select the sets to be used in the profile.

You can create a profile as follows:
1. Select Profile from the Tools menu to display the Profiles dialog box.
2. Click Add to display the Profile dialog box as shown in the lower right of the slide.
3. Provide a profile name and select one or more sets to be included in the profile.
The profile definition includes one or more of the following sets:
- IP Address Set: A set of one or more IP addresses of database clients.
- DB User Set: A set of one or more database user login names.
- Client Program Set: A set of one or more database client program names.
- OS User Set: A set of one or more operating system user names.
- Timeslice: A set of one or more hours in a week.
When a profile is selected, it filters the displayed values based on the sets in the profile. If the profile has only a DB User Set, only the statements issued by those users are shown.
When a profile has more than one set, the intersection of those sets is used: a statement must match every set in the profile.


Selecting a Profile in the Analysis Tab

- Select Profile in the View menu.
- Only those clusters with SQL statements originating from the sources and times matching the selected profile are displayed in the Analysis tab.

By selecting a profile in the Analysis tab, you can restrict the data that is displayed. When you
first select Profile in the View menu, you are prompted to select a profile. You can change the
profile by selecting Change Profile in the View menu. Once you have selected a profile, only
the clusters with statements that have originated from the database users, IP addresses, OS
users, client programs, and times in the selected profile are displayed.
As an example, if the profile includes only a DB user set, the tab will display only those
clusters with statements that have originated from the database users in the DB user set,
irrespective of their IP address, and so forth. If the profile includes both a DB user set and a
timeslice, only clusters with statements that have occurred from one of the defined users
during one of the hours in the timeslice are displayed.
The Background Profile is the default in the Analysis tab.
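The intersection semantics described on the previous slide and the Analysis-tab filtering described here are shown together in the following added example (not code from the course or from the Firewall Analyzer). A profile holds up to five sets; a set that is not part of the profile imposes no restriction, and every set that is present must match. The representation of an IP address set as addresses or CIDR blocks, the timeslice as (weekday, hour) pairs, the sample profile, and the constructed traffic records are assumptions for illustration; the "*" wildcard in name sets is the one feature the guide itself mentions.

```python
from dataclasses import dataclass
from datetime import datetime
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

@dataclass
class Profile:
    """A profile is a combination of named sets. A set left as None is not
    part of the profile and therefore does not restrict it."""
    name: str
    ip_addresses: Optional[Set[str]] = None           # IP Address Set (addresses or CIDR, assumed)
    db_users: Optional[Set[str]] = None               # DB User Set, "*" wildcard allowed
    client_programs: Optional[Set[str]] = None        # Client Program Set
    os_users: Optional[Set[str]] = None               # OS User Set
    timeslice: Optional[Set[Tuple[int, int]]] = None  # Timeslice: (weekday 0=Mon, hour 0-23)

@dataclass
class TrafficStatement:
    sql: str
    db_user: str
    client_ip: str
    client_program: str
    os_user: str
    timestamp: datetime

def _name_match(value: str, patterns: Set[str]) -> bool:
    # Names are compared case-insensitively; shell-style wildcards such as "*" are allowed.
    return any(fnmatchcase(value.upper(), p.upper()) for p in patterns)

def _ip_match(ip: str, entries: Set[str]) -> bool:
    addr = ip_address(ip)
    return any(addr in ip_network(e, strict=False) for e in entries)

def profile_matches(profile: Profile, stmt: TrafficStatement) -> bool:
    """Intersection semantics: every set present in the profile must match."""
    checks = [
        (profile.ip_addresses, lambda s: _ip_match(stmt.client_ip, s)),
        (profile.db_users, lambda s: _name_match(stmt.db_user, s)),
        (profile.client_programs, lambda s: _name_match(stmt.client_program, s)),
        (profile.os_users, lambda s: _name_match(stmt.os_user, s)),
        (profile.timeslice, lambda s: (stmt.timestamp.weekday(), stmt.timestamp.hour) in s),
    ]
    return all(check(members) for members, check in checks if members is not None)

def filter_statements(profile: Profile, traffic: List[TrafficStatement]) -> List[TrafficStatement]:
    """Analysis-tab behaviour: keep only the statements the profile matches."""
    return [s for s in traffic if profile_matches(profile, s)]

# Business hours, Monday to Friday 08:00 to 17:59, expressed as a timeslice.
BUSINESS_HOURS = {(day, hour) for day in range(5) for hour in range(8, 18)}

# Constructed sample profile and traffic (not from the course).
HR_APP_PROFILE = Profile(
    name="HR application",
    db_users={"HR_APP"},
    ip_addresses={"10.0.1.0/24"},
    timeslice=BUSINESS_HOURS,
)

def _stmt(db_user: str, ip: str, when: datetime) -> TrafficStatement:
    return TrafficStatement("SELECT * FROM hr.employees", db_user, ip,
                            "JDBC Thin Client", "websvc", when)

SAMPLE_TRAFFIC = [
    _stmt("hr_app", "10.0.1.7", datetime(2011, 8, 15, 10)),     # Monday 10:00: matches
    _stmt("hr_app", "10.0.1.7", datetime(2011, 8, 13, 10)),     # Saturday: outside the timeslice
    _stmt("scott", "10.0.1.7", datetime(2011, 8, 15, 10)),      # wrong DB user
    _stmt("hr_app", "192.168.5.5", datetime(2011, 8, 15, 10)),  # wrong subnet
    _stmt("hr_app", "10.0.1.200", datetime(2011, 8, 15, 16)),   # Monday 16:00: matches
]
```

Because the sets intersect, adding a set to a profile can only narrow it; a profile built from a DB User Set alone, for example, matches the HR_APP statements from the wrong subnet and at the weekend too, which is usually not what a rule scoped to "the HR application" is meant to cover.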


Selecting a Profile in the Details Tab

- Select Profile in the View menu.
- It enables you to set up policy rules for the selected profile.
- Selecting a profile in the Details tab does not affect the cluster display.

If you have not selected a profile, any policy rules you define are applied to the "background"
policy rules, that is, the action, logging level, and threat severity to use when no specific
profile policy rules apply.
When you select a profile in the View menu for the Details tab, you can restrict the policy rules
you define to the statements that meet the selected profile.
The policy rules for the selected profile will override the background rules. For example, if the
profile includes a DB user set and timeslice, then any rules you define will apply only for
statements that occur during one of the active periods in the timeslice from a database user
who is in the DB user set. If the profile does not include a timeslice, the selected rules will
apply, irrespective of the time a statement that matches the cluster occurs.
Unlike the Analysis tab, selecting a profile in the Details or Baseline tab does not affect the
clusters displayed (all clusters remain displayed).


Using a Novelty Policy

- Novelty policy: Specifies the action level, logging level, and threat severity to use for unseen statements that operate on selected tables and/or classes of statement
- Used to loosen or tighten the default unseen statement policies for specific classes of statements, tables, or both
Figure: the end of the enforcement flow. Statements not matched by other policies are tested against the Novelty Policies (if YES (match), then EXIT), and then against the Default Rule (if YES (match), then EXIT).

The slide shows the last portion of the policy enforcement flow. Statements that have not been matched by other policy elements are tested against the novelty policies and, if still not matched, fall through to the default rule for baseline anomalies. Because there is only one default rule for baseline anomalies, novelty policies are the way to specify a different action level, logging level, and threat severity for unseen statements that operate on selected tables, selected classes of statement, or both.
For example, if the default action level is Warn, you may want to set up novelty policies that apply a Pass action level to unseen statements that operate on tables containing public information, and a Block action to all unseen statements that operate on tables containing sensitive information.
Note: If a statement matches more than one novelty policy, the worst-case policy is used. For example, a policy that blocks takes priority over a policy that warns.
You use the Default Rule for Baseline Anomalies section in the Summary tab to specify the default action level, logging level, and threat severity to use for statements that match no novelty policy.


Novelty Policy Example

Figure: novelty policy decision for an unseen statement. Tables contain public data? Yes: Action: Pass. Tables contain sensitive data? Yes: Action: Block. Otherwise the default action applies: Warn.

An example of setting novelty policies is as follows:
Set up a default action level of Warn. Then set up novelty policies that apply a Pass action level to unseen statements that operate on tables containing public information and a Block action to all unseen statements that operate on tables containing sensitive information.
Other examples of novelty policies are:
- Restrict access to sensitive data by blocking access to sensitive tables and allowing access to other tables.
- Applications that use dynamic SQL are difficult to white list. One strategy is to set the novelty policy to allow only read-only access to certain tables, which permits most proper uses of dynamic SQL and defeats some SQL injection techniques (those that need to modify data or run DDL or DCL). It does not stop an injected statement that only reads data, so the tables allowed in such a policy should not be the sensitive ones.
Note: Policies built with a white list approach, which define the allowed statements, are easier to analyze than policies that mix the white list and blacklist methods.
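The enforcement order tested in the lesson 4 quiz (exceptions, profiles, novelty policies, then the default rule), the worst-case merging of overlapping novelty policies from the previous slide, and the public/sensitive example on this slide are pulled together in the following added example, which is not code from the course or from Oracle Database Firewall. The numeric ranking of Pass, Warn and Block, the logging-level and severity value names, and the representation of a profile rule as a predicate plus a per-cluster rule table are assumptions made for the illustration; the guide itself states only that Block outranks Warn.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

# Assumed ranking for choosing the worst case when several novelty policies
# match one statement; the guide states only that Block outranks Warn.
ACTION_RANK = {"pass": 0, "warn": 1, "block": 2}

@dataclass
class Rule:
    name: str
    action: str      # "pass", "warn" or "block"
    logging: str     # logging level, e.g. "always" (value names assumed)
    severity: str    # threat severity, e.g. "major" (value names assumed)

@dataclass
class NoveltyPolicy:
    rule: Rule
    tables: Optional[Set[str]] = None    # None: all tables (implicit selection)
    classes: Optional[Set[str]] = None   # None: all statement classes

@dataclass
class Statement:
    cluster_id: Optional[str]   # id of the matching baseline cluster, None if unseen
    tables: Set[str]            # tables the statement operates on (upper-case)
    stmt_class: str             # e.g. "read-only", "dml", "ddl", "dcl"
    db_user: str

ExceptionRule = Tuple[Set[str], Rule]                            # (db users, rule)
ProfileRules = Tuple[Callable[[Statement], bool], Dict[str, Rule]]  # (matches?, rules by cluster)

def evaluate(stmt: Statement,
             exceptions: List[ExceptionRule],
             profile_rules: List[ProfileRules],
             background: Dict[str, Rule],
             novelty_policies: List[NoveltyPolicy],
             default_rule: Rule) -> Rule:
    """Apply the lesson's enforcement order and return the rule that fires."""
    # 1. Exceptions bypass every other rule (typically DBA accounts); they
    #    still carry a logging level so the activity can be fully audited.
    for users, rule in exceptions:
        if stmt.db_user.upper() in {u.upper() for u in users}:
            return rule
    # 2. Rules defined under a profile override the background rules for the
    #    clusters they name, but only for statements matching that profile.
    for matches, cluster_rules in profile_rules:
        if stmt.cluster_id is not None and matches(stmt) and stmt.cluster_id in cluster_rules:
            return cluster_rules[stmt.cluster_id]
    # 3. Background (no profile) rule for a statement in a known cluster.
    if stmt.cluster_id is not None and stmt.cluster_id in background:
        return background[stmt.cluster_id]
    # 4. Unseen statement: every novelty policy whose tables and statement
    #    classes it touches applies, and the worst case wins.
    matched = [
        p.rule for p in novelty_policies
        if (p.tables is None or stmt.tables & p.tables)
        and (p.classes is None or stmt.stmt_class in p.classes)
    ]
    if matched:
        return max(matched, key=lambda r: ACTION_RANK[r.action])
    # 5. Nothing matched: the single default rule for baseline anomalies.
    return default_rule

# Constructed policy mirroring the slide: Warn by default, Pass for unseen
# statements on public tables, Block for unseen statements on sensitive tables.
DEFAULT_RULE = Rule("baseline anomaly default", "warn", "always", "minor")
NOVELTY = [
    NoveltyPolicy(Rule("public tables", "pass", "never", "minimal"), tables={"PRODUCTS"}),
    NoveltyPolicy(Rule("sensitive tables", "block", "always", "major"), tables={"SALARIES"}),
    NoveltyPolicy(Rule("unseen reads", "warn", "always", "minor"), classes={"read-only"}),
]
DBA_EXCEPTION = ({"SYS", "DBA1"}, Rule("dba exception", "pass", "always", "minimal"))
BACKGROUND = {"cluster-42": Rule("cluster 42 expected", "pass", "unique", "minimal")}

def decide(stmt: Statement, profile_rules: Optional[List[ProfileRules]] = None) -> str:
    """Convenience wrapper over evaluate() using the constructed policy."""
    return evaluate(stmt, [DBA_EXCEPTION], profile_rules or [], BACKGROUND,
                    NOVELTY, DEFAULT_RULE).name
```

The join across PRODUCTS and SALARIES is the case the worst-case note is about: the public-table policy says Pass, the read-only policy says Warn, and the sensitive-table policy says Block, so the statement is blocked. Without that merging rule, the order in which the policies happened to be listed would decide the outcome.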


Creating a Novelty Policy

1. On the Summary tab, click New Novelty Policy.
2. In the New Novelty Policy dialog box, select the tables and statement classes for the novelty policy. Click OK.
3. In the Policy Rules section of the Summary tab, right-click the novelty policy rule and click Properties.
4. Specify the action level, logging level, and threat severity for the policy.

Perform the following steps to create a novelty policy:


1. Click New Novelty Policy on the Summary tab.
2. In the New Novelty Policy dialog box, select the tables and statement classes for the
novelty policy, and then click OK. If you do not select any specific tables, all tables are
implicitly selected. If you do not select any specific statement classes, all statement
classes are implicitly selected.
3. In the Policy Rules section of the Summary tab, right-click the novelty policy rule and
click Properties.
4. Specify the action level, logging level, and threat severity to use. Specify statement
substitution if required. Click OK.


Summary

In this lesson, you should have learned how to:
- Create a profile
- Create a novelty policy


Practice 5-1 Overview: Creating a Policy for a New Application

This practice covers the following topics:
- Creating the HR App User DB User set
- Creating a new policy
- Uploading the policy and assigning it to your enforcement point
- Testing your configuration

In this practice, you will modify the existing white list policy to allow all activity of a new
application.


Practice 5-2 Overview: Updating the Policy

This practice covers the following topics:
- Updating with log data
- Updating the policy for exception matches

In this practice, you will update your policy using exception matches.


Practice 5-3 Overview: Creating a Profile

This practice covers the following topics:
- Setting properties
- Creating a profile
- Removing the exception policy

In this practice, you define a profile.


Practice 5-4 Overview: Creating a Novelty Policy

This practice covers the following topics:
- Defining the novelty policy rule
- Defining the anomaly default rule

In this practice, you will set a rule that blocks read access to a sensitive table. All other out-of-
baseline behavior will generate alerts without blocking.


Quiz

A policy can contain multiple profiles. Each profile holds sets of factors that are used to group statements. Which of the following cannot be used in a profile?
a. Table names
b. Client IP addresses
c. Database user names
d. Client programs
e. Column names
f. Statement types (DML, Read-Only, DCL)
g. Day and time periods

Answer: a, e, f
Table names, column names, and statement types cannot be specified in profile sets, but they
can be specified in rules.


Reporting


Objectives

After completing this lesson, you should be able to do the following:
- Explain the Oracle Database Firewall reporting system
- Use Summary reports
- Use Summary Compliance reports
- Use Audit reports


Oracle Database Firewall Reporting System Overview

Three types of built-in reporting systems:
- Forensic
  - Includes every transaction that is logged by the active policy
  - Filtered by the user for content
  - No hardcopy output
- Audit
  - Based on the Search Log Results record set, with results displayed in Audit reports
  - Data is refreshed when new reports are run or the report set is refreshed by the user
- Summary
  - Created by the system during the summarization process
  - Results are based around cluster results

The Oracle Database Firewall reporting system is based on tables stored in the SECURELOG
schema in the Oracle database that is installed with the Management Server.
The forensic tables, TRAFFIC_LOG_QUERIES and TRAFFIC_LOG_QUERY_RESULTS, contain
information about all the SQL statements that Oracle Database Firewall logs. Data in these
tables can be viewed through the Administration Console.
In addition to the two tables described previously, Oracle Database Firewall creates a new
table for each search. This table is derived from TRAFFIC_LOG_QUERY_RESULTS and is
named TRAFFIC_LOG_QUERY_RESULTS_ID where ID is the identifier of the search. This
table is deleted when the corresponding entry in TRAFFIC_LOG_QUERIES is deleted.
The database object auditing tables contain information about the stored procedures and user
roles collected by the stored procedure auditing and user role auditing functions. The data in
these tables can be viewed through the audit reports available in the Administration Console.
The summary tables store general information about the data that is being monitored, such as
the names of the users logging in, the monitored databases, user sessions, database traffic,
events, and sample SQL statements.
Detailed information about the tables is available in the Oracle Database Firewall
Administration Guide.


Oracle Database Firewall Reporting System Architecture

- Traffic log files are automatically summarized and the data is stored in the summary tables.
- Search Log Results form the record sets for audit reports.
Figure: reporting data flow. A log file on the DBFW joins the files awaiting summarization; it is pulled by the Management Server to a temporary store, where the file being summarized feeds the Summary Tables in the Reporting Database. Traffic log files in the permanent store pass through the Search Log Results filter to produce the Search Log Results in the Reporting Database.

Traffic log files are summarized every hour by default. Summary tables are used to generate
summary reports.
The Search Traffic Log function is used to generate audit reports when requested.


Oracle Database Firewall Reporting

The Reporting tab of the Oracle Database Firewall Administration Console provides an
interface for the following types of reports:
Traffic Log: The traffic log stores details of all logged SQL statements.
Audit reports: These reports include only the data included in a selected traffic log
search.
Summary reports: These reports extract the requested information from the traffic log
while the report is being created. They contain only summarized data.
Reports are generated using a built-in reporting tool. The reports can be viewed as Adobe
Acrobat PDF documents or in a Microsoft Excel spreadsheet format.


Using the Summary Reports

Access the Summary reports page by clicking Summary reports on the Reporting page.

Summary reports are generated by extracting the required information from the traffic log
when the report is requested.
To access the Summary Reports page, click the Summary reports link on the Reporting
page. Then choose the type of Summary report you wish to view.
Traffic log files are summarized every hour. You can force the files to be summarized at any
time by clicking Summarize Now on the specific summary report page.


Using the Summary Compliance Reports

- Specify compliance reporting for a protected database:
  - When adding a protected database
  - On the Protected Database Details page
- Compliance reports include data from all protected databases with the relevant compliance classification.
- Multiple compliance reporting standards may be specified for a protected database.

Database Firewall compliance reports include data from all protected databases classified with the relevant compliance category. You can include a database in a compliance category on the Protected Database Details page.
The compliance types are defined as follows:
- SOX: Sarbanes-Oxley Act
- PCI: Payment Card Industry Data Security Standard (PCI DSS)
- DPA: Data Protection Act
- GLBA: Gramm-Leach-Bliley Act
- HIPAA: Health Insurance Portability and Accountability Act


Using the Search Log Function

- Search Log creates a record set that can be automatically updated each time it is run.
- Dates can be relative or absolute.
- Results can be restricted to a maximum number of results.

Each time you run the Search log function, you must specify a title for the search. The search
conditions are saved. This search can be accessed and run again, refreshed or deleted in the
Log Search Results page.
By setting the dates to be relative, the same search can be refreshed with a current set of
data.


Using the Search Log Results

- Access Search Log Results in the Administration Console or by running an audit report.
- Provide the name of the search result being processed.
- Use any report with any result set, as the record attributes are the same.

Log Search Results provide a convenient way to specify a data set for any number of audit reports. Each log search result set returns records with the same attributes, so a report designed for one result set can be used against any other result set.
After specifying the search criteria and executing the search, you can view the results in the Administration Console from the Log Search Results link on the Reporting tab. Alternatively, you can view a formatted report by selecting the search identifier when running a report from the Audit Reports group.


Viewing Log Search Results

Figure: the Log Search Results page. Click the title to view the search results, click Filter to apply a filter, and click the link in the description column to see the details.

You can view the log search result by clicking the title on the Log Search Results page under
the Reporting tab. Details of a specific statement can be viewed by clicking on the description
column which provides a drop-down list of details associated with the statement.
You can apply further filters to the information displayed by clicking on the Filter button. This
affects what is viewed on the page and does not affect the contents of the log search result
itself.

Implementing Oracle Database Firewall 6 - 10


Creating Audit Reports

Audit reports are created from traffic log search results.
These reports are based on data that is moved from log files in the Management Server into temporary tables named TRAFFIC_LOG_QUERY_RESULTS_n in the reporting database.
Use an input filter to control the amount of data in each traffic log query table.

Access the Audit reports from the Reporting page by clicking the Audit reports link.
Audit reports depend on Traffic Log search results. Click Search Log on the Audit reports
page or in the Traffic Log section of the Reporting page.
Log Search Results are the basis for the Audit reports. The log search collects log records
from the log files stored on the Management Server based on the conditions specified on the
Search Traffic Log page. The log search results are stored in temporary tables in the
Management Server database.
Use a log search to set the limits to the data you wish to view in the Audit report.

Implementing Oracle Database Firewall 6 - 11


Using the Search Log Results in Audit Reports

Search Log Traffic results are accessed via audit reports.

After specifying the search criteria and executing the search, you can view a formatted report
by navigating to the Audit Reports report group display.

Implementing Oracle Database Firewall 6 - 12


Generating the Audit Report

You can view the report in an Adobe Acrobat PDF format, or as a Microsoft Excel
spreadsheet by clicking Customize.
Click Schedule to schedule the report for regular execution and email the report to a specified
address.

Implementing Oracle Database Firewall 6 - 13


Reporting with Other Tools

To use other reporting tools:
Allow access to the SECURELOG schema reporting tables
Enable remote access for the report user
Use TNS naming or Easy Connect
Make a remote connection

To use third-party reporting tools, the report user account (DBFW_REPORT) must be unlocked
on the Management Server database. As the root user, execute the following commands (at the
ORACLE_SID prompt shown by oraenv, enter dbfwdb):
    su - oracle
    . oraenv
    ORACLE_SID [oracle] = dbfwdb
    sqlplus / as sysdba
    ALTER USER dbfw_report IDENTIFIED BY <password> ACCOUNT UNLOCK;
    EXIT;
To allow access to the SECURELOG schema reporting tables, use the Administration
Console as follows:
1. Navigate to the System settings page in the System tab.
2. Click Change.
3. On the Edit Network Configuration page, find the Secure Log Access setting.
4. Change the setting from disabled to 'all' or to a list of allowed IP addresses.
5. Click Apply.

Implementing Oracle Database Firewall 6 - 14


Example: Reporting with SQL*Plus

The screenshot in the slide shows an example of connecting to the Management Server
database using an Easy Connect string:
    $ sqlplus dbfw_report/oracle_4U@//10.228.10.200:1521/dbfwdb
The screenshot also shows the results from an example SELECT statement:
    SQL> select * from securelog.summary_clusters
      2  where rownum <5;

Implementing Oracle Database Firewall 6 - 15


Summary

In this lesson, you should have learned how to:
Explain the Oracle Database Firewall reporting system
Use Summary reports
Use Summary Compliance reports
Use Audit reports

Implementing Oracle Database Firewall 6 - 16


Practice 6-1 Overview: Creating Summary Reports

This practice covers creating a Database Traffic Anomalies report.

In this practice, you generate a report to view a summary of statements outside of policy by
day.

Implementing Oracle Database Firewall 6 - 17


Practice 6-2 Overview: Creating Audit Reports

This practice covers the following topics:
Generating a search of the traffic log
Viewing a search log result
Creating an audit report for activity by the JTAYLOR database user

In this practice, you create an audit report for activity by the JTAYLOR database user.

Implementing Oracle Database Firewall 6 - 18


Quiz

The Audit reports extract data from the traffic logs on the Database Firewall Management Server:
a. True
b. False

Answer: b

Implementing Oracle Database Firewall 6 - 19


Quiz

Compliance reporting must be enabled in the enforcement point in order that the proper data is collected:
a. True
b. False

Answer: a

Implementing Oracle Database Firewall 6 - 20


Stored Procedure Auditing

Objectives

After completing this lesson, you should be able to do the following:
Create users and set permissions for stored procedure auditing
Enable stored procedure auditing in the Database Firewall
Audit changes to stored procedures

Implementing Oracle Database Firewall 7 - 2


Stored Procedure Auditing Overview

Stored procedure auditing: Audit and approve/decline changes to stored procedures on monitored databases
Approving and declining changes has no effect on the stored procedures in the database
Stored procedure auditing is supported for the following types of databases:
Oracle Database
Microsoft SQL Server
Sybase ASE
Sybase SQL Anywhere
IBM DB2 LUW

The stored procedure auditing feature of Oracle Database Firewall enables you to audit and
approve changes to stored procedures on monitored databases for compliance purposes.
You can also decline changes to stored procedures. However, this has no effect on the actual
stored procedures in the database. Approving and declining changes to stored procedures is
a means to comply with audit regulations.

Implementing Oracle Database Firewall 7 - 3


Stored Procedure Auditing Architecture

Diagram labels: Monitored Oracle database; SPA user; Database users update stored procedures; Checks for updates; Send updates to Database Firewall; Database Firewall; Database Firewall Management Server; Database Firewall Analyzer.

Oracle Database Firewall connects to the database at scheduled intervals to determine if any
changes or additions have been made to stored procedures.
When you activate stored procedure auditing, you can specify how frequently the audit job
should execute. Additional information on activating stored procedure auditing is provided
later in this lesson.

Implementing Oracle Database Firewall 7 - 4


Creating Users and Setting Permissions

To use stored procedure auditing, create users and set permissions on the monitored databases by uncompressing the appropriate database file in the database/spa directory of the Utilities disk and executing scripts as follows:
Oracle Database:
Execute the spa_setup.sql script to create a user and grant necessary privileges to the user.
Microsoft SQL Server:
Execute the spa_add_user.sql script to create the user.
Execute the spa_add_db_permissions.sql or spa_add_all_db_permissions.sql script to grant permissions to the user.

To use stored procedure auditing, you execute a script on each database to define a user that
will be able to access the required objects that indicate a change to a stored procedure. The
user connects to the database, and retrieves procedure and user information.
For Oracle databases, execute the spa_setup.sql script. The script prompts for username
and password. The user is created and granted CREATE SESSION, and SELECT on
SYS.DBA_OBJECTS and SYS.DBA_SOURCE.
For Microsoft SQL Server databases, execute the spa_add_user.sql script to create the
user. Execute the spa_add_db_permissions.sql script to grant user permissions for a
specified database or spa_add_all_db_permissions.sql to grant user permissions
for all databases. The scripts grant VIEW DEFINITION, and SELECT on SYS.ALL_OBJECTS
and DBO.SYSCOMMENTS for Version 8 and higher databases. The script grants SELECT on
DBO.SYSOBJECTS and DBO.SYSCOMMENTS for earlier versions.
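As an added illustration for the Oracle case (this is not the spa_setup.sql script from the Utilities disk), the grants the notes describe, a check that the audit account holds nothing beyond them, and the catalog queries an audit-only account of this kind uses to find changed stored code and fetch its source. The account name DBFW_SPA, the password placeholder, the cut-off time and the HR.UPDATE_SALARY object are assumptions.

```sql
-- Added illustration; NOT the spa_setup.sql script shipped on the Utilities disk.
-- Run the CREATE/GRANT/check statements as SYSDBA. Account name and password
-- are placeholders (assumption).
CREATE USER dbfw_spa IDENTIFIED BY "<password>";
GRANT CREATE SESSION            TO dbfw_spa;
GRANT SELECT ON sys.dba_objects TO dbfw_spa;
GRANT SELECT ON sys.dba_source  TO dbfw_spa;

-- Least-privilege check: everything the account holds, in one list. The only
-- expected rows are CREATE SESSION and the two SELECT grants; any role or
-- extra privilege here means the audit account is over-privileged.
SELECT 'SYS:' || privilege                                        AS grant_held
  FROM sys.dba_sys_privs  WHERE grantee = 'DBFW_SPA'
UNION ALL
SELECT 'OBJ:' || owner || '.' || table_name || ':' || privilege  AS grant_held
  FROM sys.dba_tab_privs  WHERE grantee = 'DBFW_SPA'
UNION ALL
SELECT 'ROLE:' || granted_role                                    AS grant_held
  FROM sys.dba_role_privs WHERE grantee = 'DBFW_SPA';

-- The remaining queries run connected as DBFW_SPA.
-- 1. Stored code created or altered since the previous audit run (the cut-off
--    time is a placeholder; assumption). LAST_DDL_TIME also moves on GRANT and
--    REVOKE against the object, so some rows will turn out to be privilege
--    changes rather than code changes once the source is compared.
SELECT owner, object_name, object_type, last_ddl_time, status
  FROM sys.dba_objects
 WHERE object_type IN ('PROCEDURE', 'FUNCTION', 'PACKAGE',
                       'PACKAGE BODY', 'TRIGGER')
   AND owner NOT IN ('SYS', 'SYSTEM')
   AND last_ddl_time > TO_DATE('2011-08-01 00:00:00', 'YYYY-MM-DD HH24:MI:SS')
 ORDER BY owner, object_name, object_type;

-- 2. Full source of one flagged object, in line order: the text a reviewer
--    compares against the approved baseline before approving or declining.
--    Owner and object name are assumptions.
SELECT line, text
  FROM sys.dba_source
 WHERE owner = 'HR'
   AND name  = 'UPDATE_SALARY'
   AND type  = 'PROCEDURE'
 ORDER BY line;
```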

Implementing Oracle Database Firewall 7 - 5


Creating Users and Setting Permissions

Sybase ASE:
Execute the spa_add_user.sql script to create the user.
Execute the spa_add_db_permissions.sql script to grant permissions to the user.
Sybase SQL Anywhere:
Install the SQL Anywhere ODBC driver for Linux.
Execute the spa_setup.sql script to create the user and grant the necessary privileges to the user.
IBM DB2:
Create a user or use an existing user account.
Grant SELECT on SYSCAT.ROUTINES to the user.

For a Sybase Adaptive Server Enterprise (ASE) database, execute spa_add_user.sql to
create the user. Execute the spa_add_db_permissions.sql script to grant the user
permissions. The script grants SELECT on DBO.SYSDATABASES, DBO.SYSOBJECTS, and
DBO.SYSCOMMENTS.
For a Sybase SQL Anywhere database, you must first install the SQL Anywhere ODBC driver
for Linux. Then execute the spa_setup.sql script to create a user and grant privileges to
the user. The script grants CONNECT, and SELECT on SYS.SYSUSER, SYS.SYSPROCEDURES,
and SYS.SYSPROCPARM.
For an IBM DB2 database, there are no scripts to be executed. Create a new user or use an
existing user account for stored procedure auditing. Grant SELECT on SYSCAT.ROUTINES to
the user.

Implementing Oracle Database Firewall 7 - 6


Enabling Stored Procedure Auditing

Use the Administration Console to activate stored procedure auditing for a selected enforcement point.
Screenshot callouts: Specify the IP address for the server, the TCP port, and the database name. Specify the username and password. Specify the audit frequency.

You enable or activate stored procedure auditing through the Oracle Database Firewall
Administration Console. Select your enforcement point and click Settings. Specify the IP
address for the database server, the TCP port, and the database name. Supply the name and
password of the user that you created by executing the spa_setup.sql or
spa_add_user.sql script. Specify a time for the first stored procedure audit to execute.
Indicate the frequency with which you want the audits to execute. The default is once a week.
If you want to execute an immediate audit, you can do so by navigating to the Manage
Enforcement Point page and clicking Run Now in the Stored Procedure Auditing Control
section.

Implementing Oracle Database Firewall 7 - 7


Auditing Changes to Stored Procedures

Stored procedure auditing activities include:
Running a manual stored procedure audit
Viewing all additions or changes made to stored procedures
Approving and declining changes
Viewing approvals
Viewing approval history

The following activities pertain to stored procedure auditing:
Running a manual stored procedure audit: In addition to a regularly scheduled audit,
you can invoke a stored procedure audit immediately by clicking Run Now in the
Stored Procedure Auditing Control section of the Managed Enforcement Point page.
Viewing all additions or changes made to stored procedures: You can select a
stored procedure and view the actual code that was executed when the procedure was
created or modified.
Approving and declining changes: After changes have been recorded in the Oracle
Database Firewall, you can view the changes and then indicate whether the changes
are approved or declined. Note that the approval or declining of changes is for auditing
purposes only. No changes are made to the stored procedures in the database.
Viewing approvals and approval history: Through the reports you can view a list of
the changed stored procedures, approvals, and a complete approval history.

Implementing Oracle Database Firewall 7 - 8


Viewing the Stored Procedure Audit Report

Access stored procedure auditing reports from the Reporting tab.

The following stored procedure audit reports can be viewed:
Summary: Lists the enforcement points which have stored procedure auditing enabled.
This page shows the number of fully approved stored procedures, the number that are
pending approval, and the total number of audit history records.
Approved: Lists each stored procedure that has at least one approval.
Pending: Lists each stored procedure that is awaiting at least one approval.
Audit History: Lists all previous and pending approvals.
You can further refine the approved, pending, and audit history reports by using the Filter
feature on each report.

Implementing Oracle Database Firewall 7 - 9


Viewing SPA Audit Reports

Additional reports can be accessed on the Audit reports/SPA page:

You can view additional stored procedure auditing reports as follows:
1. Click Audit reports on the Reporting page.
2. Click the SPA report group link on the Audit Reports page.
3. Click the appropriate link depending on the type of report you wish to view.
There are three types of SPA reports available:
Details of SPA Changes Pending Approval: Provides a report indicating stored
procedure code changes that are pending approval. The report also includes an
approval block at the end.
Summary of SPA Approved Changes: Provides a listing of stored procedures and an
indication of what type of changes have occurred, such as New or 1 modification.
Summary of SPA Changes Pending Approval: Provides a listing of stored procedures
that have been changed and are awaiting approval. The report also includes an
approval block at the end.
The reports can be viewed in Adobe PDF or in Microsoft Excel format. Each report can be
saved (retained) or scheduled to run as a recurring report.

Implementing Oracle Database Firewall 7 - 10


Viewing Pending Approvals and Taking Action

View the pending stored procedure approvals and take action on them on the Pending Approvals for Stored Procedures page.
Screenshot callouts: Click Filter to specify filter settings. Click Approve All for bulk approval of all changes. Click the stored procedure name link to view the stored procedure. Click Decline or Accept for a specific stored procedure.

When you click Pending in the Stored Procedure Auditing section of the Reporting tab, the
Pending Approvals for Stored Procedures page is displayed. This page displays a list of
the audited stored procedures.
You can click the stored procedure name link to view the SQL text used to create the stored
procedure.
When you click the space just below the stored procedure link, a modification history for the
stored procedure is displayed. Additional information on this feature is provided in the practice
for this lesson.
You can approve and decline the changes for a specific stored procedure by clicking the
appropriate button. You can also approve pending changes to all stored procedures listed in
the Pending Approvals report (based on the selected filters) by clicking Approve All.

Implementing Oracle Database Firewall 7 - 11


Summary

In this lesson, you should have learned how to:
Create users and set permissions for stored procedure auditing
Enable stored procedure auditing in the Database Firewall
Audit changes to stored procedures

Implementing Oracle Database Firewall 7 - 12


Practice 7-1 Overview: Creating a User for Stored Procedure Auditing

This practice involves executing the spa_setup.sql script on your Oracle database to define a user and grant the required privileges for stored procedure auditing.

In this practice, you create a user in the DB01 database for stored procedure auditing. The
user is created and privileges are granted to the user by executing the spa_setup.sql
script found on the Oracle Database Firewall Utilities disk.

Implementing Oracle Database Firewall 7 - 13


Practice 7-2 Overview: Enabling Stored Procedure Auditing

This practice includes the following tasks:
Activating stored procedure auditing for your DB01 database
Testing that the configuration is correct

In this practice, you enable stored procedure auditing in your DB01 database.

Implementing Oracle Database Firewall 7 - 14


Practice 7-3 Overview: Running a Manual Audit and Approving Changes to Stored Procedures

This practice includes the following tasks:
Initiating an initial manual audit of your DB01 database
Approving the initial changes to the stored procedures
Updating a few stored procedures, running another audit, reviewing the changes, and approving the changes

In this practice, you initiate a manual audit and approve changes to the stored procedures in
your DB01 database.

Implementing Oracle Database Firewall 7 - 15


Quiz

Which of the following functions does stored procedure auditing perform?
a. Creates a baseline of stored procedures
b. Compares changes to the baseline
c. Keeps a record of approved and pending changes
d. Blocks the use of unapproved changes

Answer: a, b, c

Implementing Oracle Database Firewall 7 - 16


User Role Auditing

Objectives

After completing this lesson, you should be able to do the following:
Create users and set permissions for user role auditing
Enable user role auditing in the Database Firewall
Audit changes to user roles

Implementing Oracle Database Firewall 8 - 2


User Role Auditing Overview

User role auditing: Audit and approve changes to user roles in databases on a specific server
Approving and declining changes has no effect on the users in the database
User role auditing is supported for the following types of databases:
Oracle Database
Microsoft SQL Server
Sybase ASE
Sybase SQL Anywhere
IBM DB2

The user role auditing feature of Oracle Database Firewall enables you to audit and approve
changes to user roles on monitored databases for compliance purposes. You can also decline
changes to user roles. However, this has no effect on the actual users in the database.
Approving and declining changes to user roles is a means to comply with audit regulations.

Implementing Oracle Database Firewall 8 - 3


User Role Auditing Architecture

Diagram labels: Monitored Oracle database; URA user; Database users grant and revoke roles; Checks for updates; Send updates to Database Firewall; Database Firewall; Database Firewall Management Server; Database Firewall Analyzer.

Oracle Database Firewall connects to the database at scheduled intervals to determine if any
changes have been made to the roles granted to users.
When you activate user role auditing, you can specify how frequently the audit job should
execute. Additional information on activating user role auditing is provided later in this lesson.

Implementing Oracle Database Firewall 8 - 4


Creating Users and Setting Permissions

To use user role auditing, create users and set permissions on the monitored databases by uncompressing the appropriate database file in the database/ura directory of the Utilities disk and executing scripts as follows:
Oracle Database:
Execute the ura_setup.sql script to create a user and grant necessary privileges to the user.
Microsoft SQL Server:
Execute the ura_add_user.sql script to create the user.
Execute the ura_add_db_permissions.sql or ura_add_all_db_permissions.sql script to grant permissions to the user.

To use user role auditing, you execute a script on each database to define a user that will be
able to access the required objects that indicate any change to a user's roles. The user
connects to the database, and retrieves user and role information.
For Oracle databases, execute the ura_setup.sql script. The script prompts for a
username and password. The user is created and granted CREATE SESSION, and SELECT on
SYS.DBA_USERS, SYS.DBA_ROLE_PRIVS, SYS.DBA_SYS_PRIVS, SYS.PROXY_USERS and
SYS.V_$PWFILE_USERS.
For Microsoft SQL Server databases, execute the ura_add_user.sql script to create the
user. Execute the ura_add_db_permissions.sql script to grant user permissions for a
specified database or ura_add_all_db_permissions.sql to grant user permissions for
all databases.
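As an added illustration for the Oracle case (this is not the ura_setup.sql script), the grants the notes describe, followed by the snapshot queries an audit-only account runs against those views and a baseline comparison that surfaces new and revoked role grants. The account name DBFW_URA, the password placeholder and the baseline table URA_BASELINE_ROLES are assumptions; the Database Firewall keeps its own baseline, and the table only stands in for it here.

```sql
-- Added illustration; NOT the ura_setup.sql script from the Utilities disk.
-- CREATE/GRANT statements run as SYSDBA; account name and password are
-- placeholders (assumption).
CREATE USER dbfw_ura IDENTIFIED BY "<password>";
GRANT CREATE SESSION                 TO dbfw_ura;
GRANT SELECT ON sys.dba_users        TO dbfw_ura;
GRANT SELECT ON sys.dba_role_privs   TO dbfw_ura;
GRANT SELECT ON sys.dba_sys_privs    TO dbfw_ura;
GRANT SELECT ON sys.proxy_users      TO dbfw_ura;
GRANT SELECT ON sys.v_$pwfile_users  TO dbfw_ura;

-- Snapshot queries, run connected as DBFW_URA. Together they are the
-- "who holds what" picture an audit run records and later compares.
-- 1. Roles granted directly to user accounts (the join drops role-to-role
--    grants, whose grantee is not a user).
SELECT rp.grantee, rp.granted_role, rp.admin_option, rp.default_role,
       u.account_status
  FROM sys.dba_role_privs rp
  JOIN sys.dba_users      u ON u.username = rp.grantee
 ORDER BY rp.grantee, rp.granted_role;

-- 2. System privileges granted directly to user accounts; the broad
--    "... ANY ..." privileges sort first because they are the ones a
--    reviewer should question.
SELECT sp.grantee, sp.privilege, sp.admin_option
  FROM sys.dba_sys_privs sp
  JOIN sys.dba_users     u ON u.username = sp.grantee
 ORDER BY CASE WHEN sp.privilege LIKE '%ANY%' THEN 0 ELSE 1 END,
          sp.grantee, sp.privilege;

-- 3. Accounts that can connect on behalf of another account, and accounts
--    in the password file that can connect AS SYSDBA or SYSOPER.
SELECT proxy, client, authentication
  FROM sys.proxy_users
 ORDER BY proxy, client;
SELECT username, sysdba, sysoper
  FROM sys.v_$pwfile_users
 ORDER BY username;

-- 4. Baseline comparison. URA_BASELINE_ROLES (assumed name) holds the
--    grantee/granted_role pairs recorded by the previous run.
-- Grants that are new since the baseline (candidates for pending approval):
SELECT grantee, granted_role FROM sys.dba_role_privs
MINUS
SELECT grantee, granted_role FROM ura_baseline_roles;
-- Grants that were revoked since the baseline:
SELECT grantee, granted_role FROM ura_baseline_roles
MINUS
SELECT grantee, granted_role FROM sys.dba_role_privs;
```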

Implementing Oracle Database Firewall 8 - 5


Creating Users and Setting Permissions

Sybase ASE:
Execute the ura_add_user.sql script to create the user.
Execute the ura_add_db_permissions.sql script to grant permissions to the user.
Sybase SQL Anywhere:
Install the SQL Anywhere ODBC driver for Linux.
Execute the ura_setup.sql script to create the user and grant the necessary privileges to the user.
IBM DB2:
Create a user or use an existing user account.
Grant SELECT on SYSIBMADM.AUTHORIZATIONIDS and SELECT on SYSCAT.DBAUTH to the user.

For a Sybase Adaptive Server Enterprise (ASE) database, execute ura_add_user.sql to
create the user. Execute the ura_add_db_permissions.sql script to grant the user
permissions.
For a Sybase SQL Anywhere database, you must first install the SQL Anywhere ODBC driver
for Linux. Then execute the ura_setup.sql script to create a user and grant privileges to
the user.
For an IBM DB2 database, there are no scripts to be executed. Create a new user or use an
existing user account for user role auditing. Grant SELECT on
SYSIBMADM.AUTHORIZATIONIDS and SYSCAT.DBAUTH to the user.

Implementing Oracle Database Firewall 8 - 6


Enabling User Role Auditing

Use the Administration Console to activate user role auditing for a selected enforcement point.
Screenshot callouts: Specify the IP address for the server, the TCP port, and the database name. Specify the username and password. Specify the audit frequency.

You enable or activate user role auditing through the Oracle Database Firewall Administration
Console. Select your enforcement point and click Settings. Specify the IP address for the
database server, the TCP port, and the database name. Supply the name and password of
the user that you created by executing the ura_setup.sql or the ura_add_user.sql
script. Specify a time for the first user role audit to execute. Indicate the frequency with which
you want the audits to execute. The default is once a week. If you want to execute an
immediate audit, you can do so by navigating to the Manage Enforcement Point page and
clicking Run Now in the User Auditing Control section.

Implementing Oracle Database Firewall 8 - 7


Auditing Changes to User Roles

User role auditing activities include:
Running a manual user role audit
Viewing all additions or changes made to user roles
Approving and declining changes
Viewing approvals
Viewing approval history

The following activities pertain to user role auditing:
Running a manual user role audit: In addition to a regularly scheduled audit, you can
invoke a user role audit immediately by clicking Run Now in the User Auditing Control
section of the Managed Enforcement Point page.
Viewing all additions or changes made to user roles: You can select a user and view
the actual code that was executed when the user roles were granted or modified.
Approving and declining changes: After changes have been recorded in the Oracle
Database Firewall, you can view the changes and then indicate whether the changes
are approved or declined. Note that the approval or decline of changes is for auditing
purposes only. No changes are made to the users in the database.
Viewing approvals and approval history: Through the reports you can view a list of
the changed user roles, approvals and a complete approval history.

Implementing Oracle Database Firewall 8 - 8


Viewing the User Role Audit Report

Access user role auditing reports from the Reporting tab.

The following user role audit reports can be viewed:
Summary: Lists the enforcement points which have user role auditing enabled. This
page shows the number of fully approved user role changes, the number that are
pending approval, and the total number of audit history records.
Approved: Lists each user that has at least one approval.
Pending: Lists each user that is awaiting at least one approval.
Audit History: Lists all previous and pending approvals.
You can further refine the approved, pending, and audit history reports by using the Filter
feature on each report.

Implementing Oracle Database Firewall 8 - 9


Viewing URA Audit Reports

Additional reports can be accessed on the Audit reports/URA page.

You can view additional user role auditing (URA) reports as follows:
1. Click Audit reports on the Reporting page.
2. Click the URA report group link on the Audit Reports page.
3. Click the appropriate link depending on the type of report you wish to view.
There are three types of URA reports available:
- Details of URA Changes Pending Approval: Provides a report indicating user role changes that are pending approval. The report also includes an approval block at the end.
- Summary of URA Approved Changes: Provides a listing of users and an indication of what type of role change has occurred, such as New or 1 modification.
- Summary of URA Changes Pending Approval: Provides a listing of users that have been changed and are awaiting approval. The report also includes an approval block at the end.
The reports can be viewed in Adobe PDF or in Microsoft Excel format. Each report can be saved (retained) or scheduled to run as a recurring report.

Viewing Pending Approvals and Taking Action

View the pending user role approvals and take action on them on the Pending Approvals for User Role page.

Screen callouts:
- Click Filter to specify filter settings.
- Click Approve All for bulk approval of all changes.
- Click the user role name link to view the user role definition.
- Click Decline or Accept for a specific user role.

When you click Pending in the User Role Auditing section of the Reporting tab, the Pending Approvals for User Roles page is displayed. This page displays a list of audited user roles. You can click the user role name link to view the SQL text used to create the user role. When you click the space just below the user role link, a modification history for the user role is displayed. Additional information on this feature is provided in the practice for this lesson.
You can approve and decline the changes for a specific user role by clicking the appropriate button. You can also approve pending changes to all user roles listed in the Pending Approvals report by clicking Approve All.

Summary

In this lesson, you should have learned how to:
- Create users and set permissions for user role auditing
- Enable user role auditing in the Database Firewall
- Audit changes to user roles

Practice 8-1 Overview: Creating a User for User Role Auditing

This practice involves executing the ura_setup.sql script on your Oracle database to define a user and grant the required privileges for user role auditing.

In this practice, you create a user in the DB01 database for user role auditing. The user is created and privileges are granted to the user by executing the ura_setup.sql script found on the Oracle Database Firewall Utilities disk.

Practice 8-2 Overview: Enabling User Role Auditing

This practice includes the following tasks:
- Activating user role auditing for your DB01 database
- Testing that the configuration is correct

In this practice, you enable user role auditing in your DB01 database.

Practice 8-3 Overview: Running a Manual Audit and Approving Changes to User Roles

This practice includes the following tasks:
- Initiating an initial manual audit of your DB01 database
- Approving the initial changes to user roles
- Granting and revoking privileges, running another audit, reviewing the changes, and approving the changes

In this practice, you initiate a manual audit and approve changes to user roles in your DB01 database. In addition, you make new changes to roles and view the changes.

Quiz

With user role auditing, changes to user privileges are not available to the user until the changes have been approved.
a. True
b. False

Answer: b

Configuring and Using Local Monitoring

Objectives

After completing this lesson, you should be able to do the following:
- Describe the function of local monitoring
- Install Oracle Database Firewall monitoring software
- Enable local monitoring

Local Monitoring Overview

- Local monitoring software enables an enforcement point to monitor SQL traffic that originates from sources with direct access to the database.
- Local monitoring sends only logs of local traffic to the Firewall across the network.
- Local monitoring software is installed directly into the database that you are monitoring.
- Local monitoring is available for:
  - Oracle Database
  - Microsoft SQL Server
  - Sybase ASE

The Oracle Database Firewall local monitoring feature enables an enforcement point to monitor, not block, SQL traffic originating from sources with direct access to the database, such as console users or batch jobs executing on the database server. Local monitoring does not send traffic across the network. The Oracle Database Firewall local monitoring software is installed directly into the database that you are monitoring. Local monitoring uses an additional table in the database to log the following:
- The last statement sent to the database by a console user or other process.
- All statements originating from console users or processes that affect the data in the database, such as ALTER TABLE and DROP TABLE operations.
The table is cleaned after the information is pulled to the Database Firewall.
Oracle Database Firewall supports local monitoring for Oracle Database, SQL Server, and Sybase ASE databases, but not for Sybase SQL Anywhere.
Note: If the monitored database is a Microsoft SQL Server 2005 or later database, ensure that the database uses mixed-mode authentication.

Oracle Database Firewall Architecture: Local Monitoring

[Figure: architecture diagram showing Database Clients and Applications, the Database Firewall, the Database Firewall Management Server, the Database Firewall Analyzer, the Protected Databases, a Console User, and the Local Monitor installed in the protected database, which captures the monitored SQL.]

With local monitoring, the Oracle Database Firewall collects data by querying the database at regular intervals, and then uses the data in the same manner as statements originating from database clients. Depending on the design of the policy, the statements may be logged or produce warnings. Because local monitoring is not inline between the traffic and the database, the statements cannot be blocked.

Installing Oracle Database Firewall Monitoring Software

- Installation scripts are in the database\localmonitor folder of the Oracle Database Firewall Utilities disk.
- The installation process creates two database users and grants privileges as follows:

User                       Privileges
DBFW_CONSOLE_ACCESS        CREATE SESSION
                           ADMINISTER DATABASE TRIGGER
                           CREATE PROCEDURE
                           CREATE SEQUENCE
                           CREATE TABLE
                           CREATE TRIGGER
DBFW_CONSOLE_ACCESS_QRY    CREATE SESSION

The local monitoring software installation creates two users, DBFW_CONSOLE_ACCESS and DBFW_CONSOLE_ACCESS_QRY. Each user is granted privileges as described in the slide.

Installing Local Monitoring in an Oracle Database

1. Uncompress the oracle compressed file located in the database/localmonitor directory of the Utilities disk.
2. Log in to the database as a user with the CREATE USER privilege.
3. Execute the dcam_new_user.sql script to create the DBFW_CONSOLE_ACCESS and DBFW_CONSOLE_ACCESS_QRY users, specifying passwords as arguments.
4. Log in as the DBFW_CONSOLE_ACCESS user and execute the dcam_setup.sql script.
5. Disable the DBFW_CONSOLE_ACCESS user.

The scripts you use to create the DBFW_CONSOLE_ACCESS and DBFW_CONSOLE_ACCESS_QRY users, grant privileges, and create the tables and triggers used by the local monitoring system are located in the oracle compressed file in the database/localmonitor directory of the Utilities disk.
The DBFW_CONSOLE_ACCESS user is only used when you execute the dcam_setup.sql script. After executing the dcam_setup.sql script, you can disable the user by locking the account.

Installing Local Monitoring in a Microsoft SQL Server Database

1. Uncompress the sqlserver compressed file located in the database/localmonitor directory.
2. Log in to the database as a user with privileges to create users.
3. Execute the dcam_new_user.sql script to create the DBFW_CONSOLE_ACCESS and DBFW_CONSOLE_ACCESS_QRY users with default passwords.
4. Change the passwords for the two accounts.
5. Execute the dcam_setup.sql script.

The scripts you use to create the DBFW_CONSOLE_ACCESS and DBFW_CONSOLE_ACCESS_QRY users, set user permissions, and create the tables and the event notification framework used by the local monitoring system are located in the sqlserver compressed file in the database/localmonitor directory of the Utilities disk.

Installing Local Monitoring in a Sybase ASE Database

1. Uncompress the sybase compressed file located in the database/localmonitor directory.
2. Execute the following scripts as a user with administrative privileges and privileges to create users:
   - dcam_sa_setup.sql
   - scam_sa_setup.sql
   - scam_sa_setup_global_trigger.sql
3. Log in to the database and change the passwords of the DBFW_CONSOLE_ACCESS and DBFW_CONSOLE_ACCESS_QRY users.

The scripts you use to create the DBFW_CONSOLE_ACCESS and DBFW_CONSOLE_ACCESS_QRY users, set user permissions, and create the objects used by the local monitoring system are located in the sybase compressed file in the database/localmonitor directory of the Utilities disk.

Enabling Local Monitoring

Enable local monitoring on the enforcement point Settings page of the Administration Console.

Screen callouts:
- Specify the IP address for the server, the TCP port, and the database name.
- Specify the password of the DBFW_CONSOLE_ACCESS_QRY user.

To enable local monitoring, select Activate Local Monitor on the enforcement point Settings page. The password required on this page is the password you specified for the DBFW_CONSOLE_ACCESS_QRY user.

Summary

In this lesson, you should have learned how to:
- Describe the function of local monitoring
- Install Oracle Database Firewall monitoring software
- Enable local monitoring

Practice 9-1 Overview: Installing the Local Monitoring Software in the Oracle Database

This practice covers the following topics:
- Executing the dcam_new_user.sql script to create the users
- Executing the dcam_setup.sql script to create tables and other objects required for local monitoring

In this practice, you install the Oracle Database Firewall local monitoring software in your DB01 database. Use the dcam_new_user.sql script, available on the Oracle Database Firewall Utilities disk, to create the DBFW_CONSOLE_ACCESS and DBFW_CONSOLE_ACCESS_QRY users. Execute the dcam_setup.sql script to create the tables for local monitoring.

Practice 9-2 Overview: Enabling Local Monitoring

This practice covers activating local monitoring for your DB01 database.

In this practice, you enable local monitoring in your DB01 database.

Practice 9-3 Overview: Viewing Local Monitored Traffic

This practice covers the following topics:
- Executing a script to generate a workload on your DB01 database
- Viewing the local monitored traffic in the Administration Console

In this practice, you generate a workload on your DB01 database and view the local monitored traffic.

Quiz

The purpose of local monitoring is to:
a. Block SQL traffic that originates on the database server
b. Capture network SQL traffic that bypasses the Database Firewall
c. Capture SQL traffic that originates on the database server
d. Block SQL statements issued by OS privileged users on the database server

Answer: c

Configuring and Using Remote Monitoring

Objectives

After completing this lesson, you should be able to do the following:
- Explain the function of remote monitoring
- Configure the remote monitor

Remote Monitoring Overview

- Remote monitoring enables an enforcement point to directly monitor SQL traffic.
- Execute the remote-agent script on the Linux server that you want to serve as the remote monitor to capture SQL traffic and send it to an Oracle Database Firewall.
- It is designed for environments where Oracle Database Firewall will manage many small databases in a distributed environment.

A remote monitor is associated with an enforcement point. The remote monitor usually resides on a database server and is used when the Database Firewall cannot be placed to directly monitor the network traffic.
The remote-agent script on the Linux or Unix server captures the SQL traffic and sends the traffic to an Oracle Database Firewall. This configuration works well in an environment where there are multiple databases on several servers sharing a common switch or network segment.
The remote monitor allows monitoring and alerts, but cannot block SQL.

Oracle Database Firewall Architecture: Remote Monitoring

[Figure: architecture diagram showing Database Clients and Applications, the Database Firewall, the Database Firewall Management Server, the Protected Databases, and the Remote Monitor running the remote-agent script on the database server.]

Remote monitoring enables an enforcement point to monitor SQL traffic to a database when the Database Firewall cannot be placed to directly monitor the SQL traffic to that database. To use remote monitoring, you run a script from the operating system of the server that you want to use for the remote monitor. The remote monitoring software is not installed into the database, but on the database server. The script captures the network SQL traffic coming into the database server and sends a copy of it over the network to an Oracle Database Firewall. This SQL data is then available for reports generated by this Database Firewall. You can configure one Database Firewall to manage multiple remote monitoring configurations on your network.
The remote monitor works like a network sniffer. It collects network SQL traffic on the IP address and port you configure.

Prerequisites for Remote Monitoring

The remote-agent script requires:
1. A Linux or UNIX operating system
2. The tcpdump utility, available from http://www.tcpdump.org/
3. The netcat (nc) utility, available from http://netcat.sourceforge.net/

The remote-agent script requires the tcpdump and netcat utilities. You can download them from the following locations:
- tcpdump packet analyzer: http://www.tcpdump.org
- GNU netcat networking utility: http://netcat.sourceforge.net
You can test for the presence of these utilities by logging in as root and executing the following commands:
# which tcpdump
# which nc

Configuring the Remote Monitor in the Administration Console

1. Select the enforcement point that you want to use for the remote monitor.
2. On the Monitor Settings page, select Activate Remote Monitor.
3. Enter the IP address of the server where the remote monitor software will be installed.
4. On the Download Monitor Configure File page, click Download Configuration File and save the remote-agent.conf file.

1. On the Monitor tab, select List Enforcement Points. Click Settings for the enforcement point you wish to use for remote monitoring.
2. Select Activate Remote Monitor. The Enabled Monitor Address field appears.
3. Enter the IP address of the server that will be used as the remote monitor.
4. Click Add, and then Save.
5. Return to the Monitor and Settings page and click Configure for the IP address you wish to configure.

Download Configuration File

- Click Download Configuration File to save the file to the local machine.
- As the root user on the remote monitor:
  - Transfer the file to the remote monitor machine
  - Place the remote-agent.conf file in the /etc directory

If the server you are using to run the remote monitor can run a browser, use it to connect to the Database Firewall Administration Console and use the browser to download the configuration file.
If there is no graphical user interface, you will have to transfer the file to the target server some other way. For example, you may use a USB flash drive.

Contents of the remote-agent.conf file

# Remote Agent Configuration File
RA_TCPDUMP_FILTER="(tcp and ((ip[2:2] > 40) or (tcp[tcpflags] & (tcp-rst|tcp-fin|tcp-syn) != 0)) and (dst host 10.228.10.103 and tcp dst port 1521)) or (vlan and (tcp and ((ip[2:2] > 40) or (tcp[tcpflags] & (tcp-rst|tcp-fin|tcp-syn) != 0)) and (dst host 10.228.10.103 and tcp dst port 1521)))"
RA_TARGET_IP=10.228.10.200
RA_TARGET_PORT=5502

The remote-agent.conf file provides the configuration information required by the remote-agent script. RA_TCPDUMP_FILTER is a filter that is used by tcpdump to capture the SQL arriving at the specified port on the server hosting the protected database. RA_TARGET_IP and RA_TARGET_PORT provide the destination address and port for the SQL traffic that is captured. This is the management link IP address of a Database Firewall appliance.
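
As an added example (not Oracle's code and not part of the course materials), the following Python builds, parses and sanity-checks a remote-agent.conf in the layout shown above. The three settings, the comment line and the structure of the tcpdump filter are taken from the slide; treating the file as shell-style KEY=VALUE lines and the review checks in check_conf are assumptions of this example.

```python
"""Build, parse and sanity-check a remote-agent.conf in the slide's layout.

Added example, not Oracle's code. Taken from the slide: the three settings,
the '#' comment line, the quoted RA_TCPDUMP_FILTER and its structure.
Assumed: that the file is parsed as shell-style KEY=VALUE lines, and the
review checks in check_conf().
"""
import re
import shlex


def build_tcpdump_filter(db_host: str, db_port: int) -> str:
    """Reproduce the slide's RA_TCPDUMP_FILTER for one protected database.

    The clause keeps TCP segments sent to the database listener that either
    carry payload (ip[2:2] is the IPv4 total-length field; 40 bytes is a bare
    IPv4 + TCP header pair) or set SYN, FIN or RST, so the Firewall sees
    session boundaries as well as SQL. It is repeated under 'vlan' because
    802.1Q-tagged frames shift the header offsets that the first clause uses.
    """
    clause = (
        "tcp and ((ip[2:2] > 40) or "
        "(tcp[tcpflags] & (tcp-rst|tcp-fin|tcp-syn) != 0)) and "
        f"(dst host {db_host} and tcp dst port {db_port})"
    )
    return f"({clause}) or (vlan and ({clause}))"


def render_conf(db_host: str, db_port: int,
                target_ip: str, target_port: int) -> str:
    """Write the three settings in the layout shown on the slide."""
    return "\n".join([
        "# Remote Agent Configuration File",
        f'RA_TCPDUMP_FILTER="{build_tcpdump_filter(db_host, db_port)}"',
        f"RA_TARGET_IP={target_ip}",
        f"RA_TARGET_PORT={target_port}",
        "",
    ])


def parse_conf(text: str) -> dict:
    """Read KEY=VALUE settings. shlex keeps the quoted filter as one token
    even if it is wrapped across lines, and drops '#' comment lines."""
    settings = {}
    for token in shlex.split(text, comments=True):
        key, sep, value = token.partition("=")
        if sep and re.fullmatch(r"RA_[A-Z_]+", key):
            settings[key] = " ".join(value.split())  # undo line wrapping
    return settings


def check_conf(settings: dict) -> list:
    """Return the problems to fix before starting remote-agent (assumed checks)."""
    problems = []
    for key in ("RA_TCPDUMP_FILTER", "RA_TARGET_IP", "RA_TARGET_PORT"):
        if key not in settings:
            problems.append(f"{key} is missing")
    filt = settings.get("RA_TCPDUMP_FILTER", "")
    hosts = set(re.findall(r"dst host (\S+)", filt))
    ports = set(re.findall(r"tcp dst port (\d+)", filt))
    if len(hosts) != 1 or len(ports) != 1:
        problems.append("filter must name exactly one protected host and listener port")
    if "vlan and" not in filt:
        problems.append("filter lacks the vlan clause, so tagged frames would be missed")
    if settings.get("RA_TARGET_IP") in hosts:
        problems.append("RA_TARGET_IP is the protected database host; it must be "
                        "the management address of the Database Firewall")
    port = settings.get("RA_TARGET_PORT", "")
    if not (port.isdigit() and 1 <= int(port) <= 65535):
        problems.append("RA_TARGET_PORT is not a valid TCP port")
    return problems


# Constructed sample in the slide's layout, with the filter wrapped across
# lines the way the slide shows it; the addresses are the slide's own examples.
SAMPLE_CONF = """# Remote Agent Configuration File
RA_TCPDUMP_FILTER="(tcp and ((ip[2:2] > 40) or
(tcp[tcpflags] & (tcp-rst|tcp-fin|tcp-syn) != 0)) and (dst host 10.228.10.103 and
tcp dst port 1521)) or (vlan and (tcp and ((ip[2:2] > 40) or
(tcp[tcpflags] & (tcp-rst|tcp-fin|tcp-syn) != 0)) and (dst host 10.228.10.103 and
tcp dst port 1521)))"
RA_TARGET_IP=10.228.10.200
RA_TARGET_PORT=5502
"""


if __name__ == "__main__":
    settings = parse_conf(SAMPLE_CONF)
    print(settings["RA_TARGET_IP"], settings["RA_TARGET_PORT"])
    print(check_conf(settings) or "remote-agent.conf looks consistent")
```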

Executing the Remote Monitoring Script

1. Log in as the root user on the Linux server that will serve as the remote monitor.
2. Copy the remote-agent script from the extras directory of the Utilities disk to the Linux server.
3. Change permissions so that the remote-agent script can be executed.
4. Execute the remote-agent script to enable the remote monitor to begin collecting SQL traffic and sending it to the Oracle Database Firewall.

The remote-agent script can be found in the extras directory of the Oracle Database Firewall Utilities 5.0 disk, which contains the dbfw.iso CD image. Copy the remote-agent script to the /bin directory on the remote monitor machine and change the permissions with the chmod command as follows:
# chmod +x remote-agent
Execute the remote-agent script as follows. Use the configuration file option if you are monitoring multiple databases:
# remote-agent --config=/etc/db_sales_remote-agent.conf &
In this case, you can have multiple configuration files with different names.
Note: By default, the remote-agent script monitors the eth0 device on the machine where it is installed. If the traffic is using a different device, you can change the default to eth1 with:
# remote-agent --interface=eth1

Verifying that the Remote Monitor is Active

The Remote Monitor area of the enforcement point Status page provides confirmation that the remote monitor is active.

The Enabled and Connected icons indicate that the remote monitor is working. If the remote monitor is not communicating with the Database Firewall, the Connected icon is a red warning.

Summary

In this lesson, you should have learned how to:
- Describe the function of remote monitoring
- Configure the remote monitor

Practice 10-1 Overview: Configuring the Remote Monitor

This practice covers the following topics:
- Creating the remote-agent.conf file
- Placing the remote-agent.conf file in the proper location

In this practice, you configure the remote monitor on your database server. The database server has two network interfaces. The EP_DB01 enforcement point is watching the traffic on IP address 192.168.56.203. The SQL generated using the connect string DB01 uses this IP address. The SQL traffic that uses the connect string DBDIRECT uses the second network interface at IP address 192.168.56.103. The enforcement point EP_DB01 does not monitor or block traffic using the DBDIRECT connect string.
In this practice, you configure an additional enforcement point, EP_DIRECT, to monitor the SQL traffic using the DBDIRECT connect string. You then create a remote monitor running at the first IP address, 192.168.56.203, simulating a remote monitor running on a separate machine.

Practice 10-2 Overview: Executing the Remote Monitor Script

This practice covers the following topics:
- Placing the remote-agent script in the proper location
- Setting the permissions on the remote-agent script
- Executing the remote-agent script

In this practice, you execute the remote-agent script on the server you plan to use as the remote monitor.

Practice 10-3 Overview: Viewing Remote Traffic

This practice covers viewing traffic that bypasses the Database Firewall.

In this practice, you log in to your DB01 database by using the SQL*Plus client, execute a query, and view the logged traffic.

Quiz

The remote monitor performs the following functions:
a. Monitors SQL traffic generated on the database server
b. Monitors all SQL traffic passing over the network
c. Blocks inappropriate SQL traffic
d. Blocks SQL traffic that bypasses the firewall
e. Monitors SQL traffic for a specific protected database

Answer: e

Additional System Management Tasks

THESE eKIT MATERIALS ARE FOR YOUR USE IN THIS CLASSROOM ONLY. COPYING eKIT MATERIALS FROM THIS COMPUTER IS STRICTLY PROHIBITED

Objectives

After completing this lesson, you should be able to do the following:
Define archive destinations and create an archive schedule
Manually archive data
Restore data from an archive
Configure syslog logging
Delete logs and history


Implementing Oracle Database Firewall 11 - 2



Understanding Processed Traffic Log File Space Management

A free disk space target of 25% is automatically enforced by the Database Firewall system.
Log files may be deleted by the Database Firewall system once free disk space falls below the target.
Be sure to archive traffic log files in a timely fashion.


To prevent problems caused by the accumulation of processed traffic log files on the Oracle
Database Firewall or Oracle Database Firewall Management Server, the system ensures that a
target of 25% of the disk space remains free for the reliable operation of the system. This 25% free
disk space value cannot be changed.
When calculating the amount of disk space required for storage of traffic log files, the 25% free
disk space target should be taken into account: only 75% of the disk is usable for log files.
Processed traffic log files are retained on disk to allow time for archiving and to permit ad hoc
searches of the data for forensic purposes. It is recommended that data be archived in a timely way,
soon after collection. Once free disk space falls below the target, log files may be deleted by the
system and will no longer be available for archiving or ad hoc searching. This deletion is automatic
and is not a configurable retention policy, so an unarchived log can disappear during a traffic
spike; schedule archives often enough that unarchived logs never approach the usable 75%.

Implementing Oracle Database Firewall 11 - 3



Archiving Data

Configure a destination
Manually archive
Schedule an archive job
Restore an archive


The Database Firewall administrator is required to archive data and configuration information.
Traffic logs and reports should be moved to long-term storage to prevent the Database Firewall
disks from filling up.
First, configure an archive destination. Using the Administration Console, specify the server,
directory, and owner of the archives. Archives can be sent either to a Windows share (using the
SMB protocol) or to a UNIX/Linux server using secure copy (scp).
Next, schedule an archive job. There are two types of archive: configuration and data.
A configuration archive takes data from the Management Server: the system configuration data,
including baseline policies. A data archive job archives traffic logs or the audit history for
stored procedure auditing and user role auditing. The configuration archives are useful for
recovery of the Database Firewall. The data archives are irreplaceable for forensic purposes, so
verify that they arrive intact at the destination and that you can restore from them before you
depend on them.
Schedule an archive job by specifying the destination and when you wish the job to run. The
archive job can be started from the Archive tab in the Database Firewall Administration Console.
In the Management Server Administration Console, choose the Appliances tab and then the
Manage tab.
Database Firewall Analyzer files are not covered by these jobs; archive them separately using OS
utilities. They include:
Policy files: file extension .dna
Model files: file extensions .smdl and .smdl_data
Training files: file extension .train
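The notes above call the data archives irreplaceable for forensic purposes, but the archive job only copies the files to the scp or SMB destination; nothing on the page describes checking them once they have landed. The following is an added example, not Oracle code and not a Database Firewall feature: a manifest tool to run on the archive destination host. It records a SHA-256 digest of every file right after a job completes and later reports anything modified, missing, or added, which is what you need to show that a log used in an investigation is the one the firewall produced. The manifest file name and the sample archive tree are assumptions made for this example.

```python
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

MANIFEST_NAME = "MANIFEST.sha256"   # hypothetical file name chosen for this example
CHUNK = 1 << 20


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large traffic logs are not loaded into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(archive_dir: Path) -> Dict[str, str]:
    """Map every regular file under archive_dir (relative POSIX path) to its digest."""
    manifest: Dict[str, str] = {}
    for p in sorted(archive_dir.rglob("*")):
        if p.is_file() and p.name != MANIFEST_NAME:
            manifest[p.relative_to(archive_dir).as_posix()] = sha256_file(p)
    return manifest


def write_manifest(archive_dir: Path) -> Path:
    """Record digests right after the archive job lands; keep a copy off this host."""
    out = archive_dir / MANIFEST_NAME
    out.write_text(json.dumps(build_manifest(archive_dir), indent=1, sort_keys=True))
    return out


def verify_manifest(archive_dir: Path) -> Tuple[List[str], List[str], List[str]]:
    """Compare the directory with its manifest: (modified, missing, unexpected) paths."""
    expected = json.loads((archive_dir / MANIFEST_NAME).read_text())
    current = build_manifest(archive_dir)
    modified = sorted(p for p in expected if p in current and current[p] != expected[p])
    missing = sorted(p for p in expected if p not in current)
    unexpected = sorted(p for p in current if p not in expected)
    return modified, missing, unexpected


Report = Tuple[List[str], List[str], List[str]]


def demo() -> Tuple[Report, Report]:
    """Run against a constructed archive tree: once untouched, once after tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "logs").mkdir()
        # Constructed stand-ins for an archived traffic log and an audit history file.
        (root / "logs" / "traffic_20110815.log").write_bytes(b"constructed traffic log\n")
        (root / "audit_roles.dat").write_bytes(b"constructed audit history\n")
        write_manifest(root)
        clean = verify_manifest(root)
        # Simulate what a verifier must catch: an edited log, a deleted file, a stray file.
        (root / "logs" / "traffic_20110815.log").write_bytes(b"constructed traffic log, edited\n")
        (root / "audit_roles.dat").unlink()
        (root / "extra.tmp").write_bytes(b"stray file\n")
        tampered = verify_manifest(root)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("untouched archive:", clean)
    print("tampered archive: ", tampered)
```

Run write_manifest on the destination directory as soon as each scheduled job finishes and store the manifest (or just its digest) somewhere the archive account cannot write, such as a ticket or a signed log; verify_manifest then gives you a reproducible integrity statement for any later restore.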

Implementing Oracle Database Firewall 11 - 4



Configuring a Destination


Configure an archive destination. Click the Archive tab and then click Create under Archive
Destination. On the Create Archiving Destination page, specify the following:
Transfer method: Either Windows File Sharing (using the SMB protocol) or secure copy (scp)
Name: A name for this destination
Username: The user name of the OS account on the destination server that will receive the files
Address: The IP address of the destination server. For secure copy, if name resolution is
enabled, the host name can be entered instead.
Port: Defaults to the well-known port for the selected transfer method (for example, 22 for scp)
Path: For secure copy, the directory is relative to the home directory of the user. For
Windows File Sharing, provide /sharename/directory_path.
Authentication Method: You can choose either Key Authentication or Password for secure copy,
but only Password for Windows File Sharing. To use Key Authentication, click the Key
Authentication link and follow the instructions for adding the appliance's public key to the
authorized_keys file in the .ssh directory of the destination account.
Prefer key authentication for scp destinations so that no reusable password is stored on the
appliance. Whichever method you use, the archives contain the traffic logs and audit history, so
the destination account and directory should be restricted as tightly as the appliance itself.

Implementing Oracle Database Firewall 11 - 5



Manually Archive


Create a manual archive job on the Create Archive Job page. The manual job runs immediately,
with the options shown in the slide.
You must specify a Job Name and a Destination, and then choose the archive class: either Log
Files or Audit Files. You can choose whether to include files that have been previously archived,
which databases to archive, and the date range of the log files to archive.
The manual archive process allows more choices than the scheduled job does.

Implementing Oracle Database Firewall 11 - 6



Scheduling an Archive Job


On the Database Firewall Administration Console, you have a choice of scheduling an archive job
for log files or audit files. To schedule the job choose a day or a date, a destination, and which
databases to include.

Implementing Oracle Database Firewall 11 - 7



Restoring from an Archive


If you want to restore data from an archive, click Restore Data in the Jobs menu. On the Restore
from Archive page you can restore a set of log or audit files from a destination within a specified
date range. Note that the restore process restores all files that match the specification.
If you want to restore configuration from an archive, click Restore Configuration in the Jobs menu.
On the Restore from Archive page the only option is the archive destination from which you wish
to restore.
After restoring configuration data on an Oracle Database Firewall Management Server, display the
Appliances page, click Manage for each Oracle Database Firewall device being controlled, and
select the Restore option.

Implementing Oracle Database Firewall 11 - 8



Configuring syslog Logging


The syslog connector allows you to send alerts, statistics, and heartbeat messages to a syslog
server. Oracle Database Firewall sends the syslog messages in real time. The Syslog Settings
page allows you to configure TCP or UDP destinations and select the categories of messages to be
forwarded to each syslog destination. UDP syslog is unacknowledged, so a dropped datagram loses
an alert silently; use TCP where the collector supports it, and have the collector watch for the
heartbeat messages so that a firewall that stops reporting is noticed.
A syslog message has the following format:
    date time hostname source num: DBFW:id message_text
An example message is:
    Aug 15 11:02:57 DBFW DBFW1: DBFW:1 Configuration file reloaded
The maximum size of a DBFW syslog message is 1024 bytes.
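The message format above is all a collector needs to pick Database Firewall events out of a shared syslog feed. The following is an added example, not Oracle code: a small parser for that format, with the example line from the text plus a few constructed lines, that separates DBFW messages from other syslog traffic, flags any line longer than the documented 1024-byte maximum, and counts messages per id. It assumes that "source num" arrives as one token such as DBFW1 (source DBFW, instance 1), and it tolerates a syslog priority prefix such as <34> that some receivers keep on the line; message id 7 in the sample is hypothetical.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Stated in the course text: a DBFW syslog message is at most 1024 bytes.
MAX_DBFW_SYSLOG_BYTES = 1024

# Course format: date time hostname source num: DBFW:id message_text
# Assumptions (not from the course): "source num" is one token such as
# DBFW1 (source "DBFW", instance 1), and a receiver may have kept a syslog
# priority prefix such as <34> on the line, which is tolerated and ignored.
DBFW_RE = re.compile(
    r"^(?:<\d{1,3}>)?"
    r"(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) (?P<source>[A-Za-z_-]+)(?P<num>\d+): "
    r"DBFW:(?P<id>\d+) (?P<text>.*)$"
)


@dataclass
class DbfwMessage:
    timestamp: str
    hostname: str
    source: str
    instance: int
    msg_id: int
    text: str
    oversize: bool  # longer than the documented 1024-byte maximum


def parse_dbfw_line(line: str) -> Optional[DbfwMessage]:
    """Parse one syslog line; return None if it is not a DBFW message."""
    raw = line.rstrip("\r\n")
    m = DBFW_RE.match(raw)
    if m is None:
        return None
    return DbfwMessage(
        timestamp=f"{m['month']} {int(m['day']):02d} {m['time']}",
        hostname=m["hostname"],
        source=m["source"],
        instance=int(m["num"]),
        msg_id=int(m["id"]),
        text=m["text"],
        oversize=len(raw.encode("utf-8")) > MAX_DBFW_SYSLOG_BYTES,
    )


def parse_feed(lines: List[str]) -> Tuple[List[DbfwMessage], List[str]]:
    """Split a syslog feed into DBFW messages and lines from other sources."""
    parsed: List[DbfwMessage] = []
    rejected: List[str] = []
    for line in lines:
        msg = parse_dbfw_line(line)
        if msg is None:
            rejected.append(line)
        else:
            parsed.append(msg)
    return parsed, rejected


def count_by_id(messages: List[DbfwMessage]) -> Dict[int, int]:
    """Frequency of each DBFW message id, e.g. to spot an alert that keeps repeating."""
    return dict(Counter(m.msg_id for m in messages))


# Constructed sample feed. The first line is the example from the course text;
# the others are made up for this example (message id 7 is hypothetical).
SAMPLE_FEED = [
    "Aug 15 11:02:57 DBFW DBFW1: DBFW:1 Configuration file reloaded",
    "Aug 15 11:03:05 DBFW DBFW1: DBFW:1 Configuration file reloaded",
    "Aug 15 11:03:10 DBFW DBFW2: DBFW:7 Example alert text",
    "<34>Aug 15 11:03:11 DBFW DBFW1: DBFW:1 Configuration file reloaded",
    "Aug 15 11:03:12 DBFW sshd[4242]: Accepted publickey for admin",
    "Aug 15 11:03:13 DBFW DBFW1: DBFW:1 " + "x" * 1100,
]

if __name__ == "__main__":
    msgs, other = parse_feed(SAMPLE_FEED)
    for m in msgs:
        flag = " [OVERSIZE]" if m.oversize else ""
        print(f"{m.timestamp} {m.hostname} {m.source}{m.instance} id={m.msg_id}: {m.text[:40]}{flag}")
    print("ignored non-DBFW lines:", len(other))
    print("messages per id:", count_by_id(msgs))
```

An oversize hit means the line did not come from the firewall as documented, or something between the appliance and the collector rewrote it; either way it deserves a look before the rest of its content is trusted.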

Implementing Oracle Database Firewall 11 - 9



Deleting Logs and History


After you have archived the data, you can manually delete log files and history as shown in the
screenshot in the slide.
Access the Delete Logs page by clicking Manage in the Logs section of the System tab page.

Implementing Oracle Database Firewall 11 - 10



Summary

In this lesson, you should have learned how to:
Define archive destinations and create an archive schedule
Manually archive data
Restore data from an archive
Configure syslog logging
Delete logs and history


Implementing Oracle Database Firewall 11 - 11



Practice 11-1: Defining the Archive Destination

This practice covers configuring the archive destination.




In this practice, you will configure an archive destination.

Implementing Oracle Database Firewall 11 - 12



Practice 11-2: Performing a Manual Archive

This practice covers initiating a manual archive.


In this practice, you initiate a manual archive.

Implementing Oracle Database Firewall 11 - 13



Quiz

The Database Firewall must have room to store traffic logs. To avoid problems, what percentage
of disk space do the Database Firewall and the Management Server keep free?

a. 5%
b. 15%
c. 20%
d. 25%
e. 30%


Answer: d

Implementing Oracle Database Firewall 11 - 14