Oracle Audit Vault and Database Firewall: What's New and Best Practices
Andrey Brozhko, Melody Liu
Oracle Database Security Product Management
September 30, 2014
Session Agenda
1. Oracle Audit Vault and Database Firewall Overview
2. What's New
3. Best Practices
4. Q&A
Oracle Audit Vault and Database Firewall Heterogeneous Audit Data Consolidation and Database Activity Monitoring
Oracle Audit Vault and Database Firewall: High-level architecture
Diagram components: Users and Apps; Database Firewall (forwards Events to the Audit Vault); audit sources: OS & Storage, Directories, Databases, Custom Audit Data & Event Logs; Audit Vault outputs: Alerts, Reports, Policies.
Audit Vault: Trust but verify
- Consolidate and secure event data
- Extensive and customizable reporting
- Powerful, threshold-based alerting
- Enterprise-scale deployment
Databases, Operating Systems, Directories
Extensive and Customizable Reporting
- Predefined reports
- Interactive browsing
- Build custom reports
- Report scheduling and notification
- Report attestation
Powerful Alerting
Database Firewall
- Monitor user activity from the network
- Detect and block unauthorized activity
- Detect and block SQL injection attacks
- Advanced grammatical SQL analysis
- Positive and negative security model
- Scalable software appliance
Database Firewall: Anomaly detection and threat blocking with the positive security model
White list example (Apps -> Database Firewall -> Databases):
- Allow: SELECT * from stock where catalog-no='PHE8131'
- Block: SELECT * from stock where catalog-no=' ' union select cardNo,0,0 from Orders --'
- Block out-of-policy SQL statements from reaching the database
- Automated white list generation for any application
- Define permitted SQL behavior per user or application
Database Firewall: Enforcing behavior with the negative security model
Black list example:
- Allow / Log: legitimate data access, SELECT * from stock
- Block: the same SELECT * from stock from an unauthorized workstation or application
- Block specific unauthorized SQL statements, users or object access
- Blacklist on session factors: IP address, application, DB user, OS user
What's New in 12.1.2: Enhanced Scalability, Security and Deployment Simplicity
iSCSI SAN support for Audit Repository
NFS Storage for Audit Data Archives
Forwarding Policy Alerts to Syslog
- Simple to set up
- Alerts contain a link to the detailed description in the Auditor Dashboard
Example of a forwarded alert:
<10>Jan 7 13:59:40 avs00161eb81587 logger: [AVDFAlert@111 name="Alert_FailLogOn" severity="Critical" url="https://10.244.163.91/console/f?p=7700:33:::NO::P33_ALERT_ID:1" time="2014-01-07T13:59:40.153746Z" target="avsource" user="INVALID" desc=" "]
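As an added example (not from the slides and not Oracle's code), a Python parser for the forwarded-alert format shown above: it pulls the fields out of the `[AVDFAlert@111 ...]` structured-data element, decodes the syslog priority, and checks that the embedded Auditor Dashboard link really points at the expected Audit Vault server over HTTPS before a SOC tool follows it. The sample line is the one on the slide; the function names are my own.

```python
import re
from typing import Iterable, Iterator, Optional
from urllib.parse import urlparse

# Constructed sample: the forwarded policy alert shown on the slide, copied verbatim.
SAMPLE_SYSLOG_LINE = (
    '<10>Jan 7 13:59:40 avs00161eb81587 logger: [AVDFAlert@111 '
    'name="Alert_FailLogOn" severity="Critical" '
    'url="https://10.244.163.91/console/f?p=7700:33:::NO::P33_ALERT_ID:1" '
    'time="2014-01-07T13:59:40.153746Z" target="avsource" user="INVALID" desc=" "]'
)

# <PRI>, BSD timestamp, host, tag, then one RFC 5424-style structured-data element.
_HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) '
    r'(?P<host>\S+) (?P<tag>[^:]+): \[AVDFAlert@(?P<pen>\d+) (?P<sd>.*)\]\s*$'
)
# key="value" pairs; values may contain escaped quotes, backslashes and ']'.
_PARAM_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')

def parse_avdf_alert(line: str) -> Optional[dict]:
    """Return the alert fields as a dict, or None if the line is not an AVDF alert."""
    m = _HEADER_RE.match(line)
    if m is None:
        return None
    pri = int(m.group("pri"))
    alert = {
        "facility": pri // 8,           # <10> -> facility 1 (user-level)
        "syslog_severity": pri % 8,     #         severity 2 (critical)
        "host": m.group("host"),
        "timestamp": m.group("ts"),
        "sd_id": "AVDFAlert@" + m.group("pen"),
    }
    for key, raw in _PARAM_RE.findall(m.group("sd")):
        # undo the structured-data escaping of \" \] and \\
        alert[key] = raw.replace('\\"', '"').replace("\\]", "]").replace("\\\\", "\\")
    return alert

def dashboard_url_trusted(alert: dict, expected_host: str) -> bool:
    """Follow the embedded dashboard link only if it points at our own server over HTTPS."""
    u = urlparse(alert.get("url", ""))
    return u.scheme == "https" and u.hostname == expected_host

def critical_alerts(lines: Iterable[str]) -> Iterator[dict]:
    """Yield parsed AVDF alerts of severity Critical from a syslog stream; skip other records."""
    for line in lines:
        alert = parse_avdf_alert(line)
        if alert is not None and alert.get("severity") == "Critical":
            yield alert
```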
Security and Usability Enhancements
- Database Vault protection of the audit repository
- Simplified deployment of Audit Vault Agents
- Auto-upgrade capability in Audit Vault Agents
- Improved administration dashboard
- Enhanced diagnostic tools
Extended Target Platform Support
- Oracle Big Data Appliance (BDA) support
- Database Firewall support for MySQL 5.6
- Database Firewall support for Oracle 9i
- Windows & Linux 32-bit host OS support for Audit Vault Agents
- XSL transformation capability in XML file collection plugins
Oracle Audit Vault and Database Firewall Best Practices
Deployment Best Practices
- Understand your database security needs: auditing? monitoring? blocking?
- Estimate the aggregate volume of logged audit and event data
- Roll out audit log consolidation, activity monitoring, or both
Rolling Out Audit Log Consolidation: Making your audit data safe, secure and accessible with Oracle Audit Vault
Configure Audit Vault:
- Install and configure Audit Vault Server
- Register Secured Targets
Configure Targets:
- Install and activate Audit Vault Agents on target hosts
- Configure native audit policies
Data Lifecycle Settings:
- Configure archive locations
- Configure data retention policies
Alerts & Reports:
- Start collecting and consolidating audit data from trails
- Create a baseline set of alerts
Rolling Out Monitoring: Monitoring all relevant SQL activity on the network
Set up Database Firewalls:
- Deploy Database Firewalls
- Architect and configure Database Firewall networking
Configure Monitoring:
- Configure Enforcement Points
- Switch on Database Activity Monitoring
Configure Policy:
- Assign the 'Unique' policy to Enforcement Points
- Fine-tune the policy based on logged SQL
Rolling Out Blocking: Protecting your databases with Database Firewall
Learn from Logged Data:
- Review SQL activity for the period
- Identify sets of users with common behavior
Create Whitelists:
- Define permitted session profiles and privileged users
- Specify what activity is to be logged
Refine Policy:
- Deploy against production traffic
- Tighten the policy with rules on out-of-policy SQL
Enable Blocking:
- Set up alerts on all out-of-policy activity
- Switch to Database Policy Enforcement mode
Database Firewall Policy
SQL statements are evaluated in this order:
1. Exceptions List: exceptions are applied first; if a match, then PASS/ALERT/BLOCK
2. Session Profile: session factors determine the profile; the profile defines the range of permitted SQL activity
3. SQL Baseline: if a match, then PASS/ALERT/BLOCK
4. Novelty Policy: novelty rules look at what is accessed and how; if a match, then PASS/ALERT/BLOCK
5. Default Rule: applied to everything else
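One added example (not from the deck and not the product's own engine) that ties the positive and negative security model slides to the evaluation order above: a simplified Python model that runs a statement through exceptions, session profile, SQL baseline, novelty rules and the default rule, using the whitelisted and injected queries from the white list slide. The session factors, profile name, IP addresses and rules are constructed, and the literal-masking normalization is a crude stand-in for the firewall's grammatical SQL analysis.

```python
import re
from dataclasses import dataclass

PASS, ALERT, BLOCK = "PASS", "ALERT", "BLOCK"
_STR = re.compile(r"'(?:[^']|'')*'")                # SQL string literals
_NUM = re.compile(r"\b\d+(?:\.\d+)?\b")              # numeric literals
_OBJ = re.compile(r"\b(?:from|join|into|update)\s+([a-z_][\w.]*)", re.I)  # accessed tables


def normalize(sql: str) -> str:
    """Crude stand-in for grammatical SQL analysis: mask literals, fold case and whitespace."""
    return " ".join(_NUM.sub("?", _STR.sub("?", sql)).lower().split())


@dataclass
class Policy:
    exceptions: list   # [(session -> bool, action)], checked first
    profiles: dict     # name -> (session -> bool, {normalized SQL: action})
    novelty: list      # [((objects, sql) -> bool, action)]
    default: str = ALERT


def evaluate(policy: Policy, session: dict, sql: str) -> tuple:
    """Return (action, stage) following the slide's order of evaluation."""
    for pred, action in policy.exceptions:             # 1. exceptions are applied first
        if pred(session):
            return action, "exception"
    profile = next((n for n, (p, _) in policy.profiles.items() if p(session)), None)
    baseline = policy.profiles[profile][1] if profile else {}   # 2. session factors -> profile
    action = baseline.get(normalize(sql))              # 3. SQL baseline of permitted activity
    if action is not None:
        return action, "baseline:" + profile
    objs = {name.lower() for name in _OBJ.findall(sql)}
    for pred, action in policy.novelty:                # 4. what is accessed and how
        if pred(objs, sql):
            return action, "novelty"
    return policy.default, "default"                   # 5. everything else

# Constructed sample policy: an order-entry app, a privileged DBA and a cardholder table.
APP_IPS = {"10.0.1.10", "10.0.1.11"}
POLICY = Policy(
    exceptions=[(lambda s: s["db_user"] == "DBA_ADMIN", ALERT),   # log all privileged activity
                (lambda s: s["ip"] not in APP_IPS, BLOCK)],       # blacklist unknown workstations
    profiles={"order_app": (lambda s: s["app"] == "OrderEntry", {
        normalize("SELECT * from stock where catalog-no='PHE8131'"): PASS,
        normalize("update stock set qty = 5 where catalog-no = 'X'"): ALERT})},  # sensitive: log
    novelty=[(lambda objs, sql: "orders" in objs, BLOCK)],         # the app never reads Orders
    default=ALERT,
)
```

Note that the masking is deliberately naive: a statement whose spacing differs from the baseline entry falls through to the novelty rules and default rule, which is exactly why the slides recommend fine-tuning the policy on logged SQL before enabling blocking.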
Database Firewall Policy Best Practices: Choose the right tools for the job
- Be selective in what you log
- Use Exceptions to log all activity for users with elevated privileges
- White list (i.e. 'Pass') all regular application activity in a Profile; set the 'Log' action only for sensitive SQL
- Configure Novelty Policies to identify and log access to sensitive objects
- Set the Default Rule to capture out-of-policy SQL
- Periodically review and update policies
Database Firewall: Network deployment best practices
- For passive monitoring (DAM) deploy out-of-band
- Use Proxy mode for no impact on network infrastructure
- Deploy in-line DAM if planning to turn on DPE (blocking) in the future
Diagram: Proxy deployment and inline (blocking and monitoring) deployment of the Database Firewall between Users/Apps and the databases, producing Events, Alerts, Reports and Policies.
Custom Collection Plug-ins: When built-in audit collection plugins are not enough
- XML-file and database table audit trail types are supported
- No need to write code; package the configuration using the avpack tool
- Create custom reports to address specific presentation needs
- Once deployed, the new plug-in and reports become an integral part of the product installation
Custom Collection Plug-ins: Annotated example for a custom database table audit trail (figure)
- 'Source' to Audit Vault field mapping
- Value 'mapping' (optional)
Custom Collection Plug-ins: Best practices and recommendations
- Separate individual Secured Target trails
- Make sure that XML trail files are standard-conformant
- Correctly identify the unique record field (or fields) in the trail
- Check filesystem and database permissions
- Verify that the time stamp functions properly
- Break audit data into multiple trails for increased performance
Q&A
Connect With Us
- oracle.com/database/security
- oracle.com/technetwork/database/security
- blogs.oracle.com/SecurityInsideOut
- Social: /OracleDatabase, /OracleSecurity, /KeyManagement, /Oracle/database, /OracleLearning, Oracle Database Insider