Skip Headers
Oracle® Database Firewall Administration Guide
Release 5.0

Part Number E18695-08
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Index
Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
PDF · Mobi · ePub

Glossary

action

A set of rules used by the baseline to evaluate statements for a cluster. These rules include four action levels: unassigned, block, warn, and pass.

action level

A standard policy rule that describes the actions to take when evaluating statements that match the cluster.

A standard baseline rule that describes of the type of data the baseline collects about statements, how often to collect the data, and how many statements to include in the log.

Administration Console

A browser-based application for configuring, managing, and monitoring the system. The Administration Console is displayed by logging into the Management Console or the standalone or managed Database Firewall from a Web browser, such as Internet Explorer. See "Which Administration Console Should I Use?" for more information.

administration log

The log type that stores system actions such as logins, shutdowns, restarts, and baseline uploads. To ensure full traceability of system changes, the administration log stores the login ID of any person who makes a change from the Administration Console.

Analysis tab

A component of the user interface that is used to analyze the SQL statements that the Analyzer has read.

Analyzer

See Oracle Database Firewall Analyzer.

Background View

One of two View menu options. The first option in the View menu toggles between Background and Profile. The Background option is available only when Profile mode is displayed. The effect of the selection depends on whether you are using the Analysis, Clusters, or Details tab.

baseline

A configuration file that Oracle Database Firewall uses to determine the threat severity, action level, and logging level to use for each SQL statement it encounters. You create baselines in the Oracle Database Firewall Analyzer. A baseline can attach separate action and logging level settings to each cluster in a model. A baseline also specifies a default action and logging level for clusters that have not been previously logged, and therefore do not appear in the model. Baseline files have a.dna file extension.

bridge mode

Configuration that enables Oracle Database Firewall to block attacks made by SQL statements.

profile

Any combination of an IP address set, DB user set, client program set, OS user set, and a timeslice. Profiles are used to analyze statements and set up baseline rules for statements occurring at specified times from selected database users, IP addresses, client programs, and operating system users. You can create profiles using the Profiles option in the Tools menu.

client program set

A set of one or more database client program names. Client program sets are used in profiles to analyze data originating from selected programs, or to set up baseline rules for selected programs. A client program can belong to only one set. You can create client program sets using the Client Program Sets option in the Tools menu.

The Baseline Options dialog enables you to specify whether the baseline should use case matching when checking client program names.

cluster

A set of semantically similar SQL statements that is created when the Analyzer reads logged SQL statements, either to create the model or when testing against new logged SQL data. The Analyzer uses its built-in knowledge of the SQL syntax to categorize the SQL statements into semantic clusters. When designing the baseline, you can specify the action and logging level for each cluster.

cluster group

A set of clusters grouped by the Analyzer according to the meaning of each statement.

Clusters tab

A component of the user interface that enables you to develop the baseline by specifying an action, logging level, and threat severity for each cluster. The Clusters tab provides a tabular view of the clusters the Analyzer has generated, and is an alternative to using the Details tab.

Common Event Format (CEF)

An open log management standard that ArcSight uses when collecting data from different sources. This common event log format enables the Database Firewall and ArcSight integration to easily collect and aggregate data for analysis.

Create Policy option

A File menu option used to create a baseline file for the model. The option prompts you to specify the name of the baseline file to create. Baseline files have a .dna extension.

Database Activity Monitoring Mode

One of the monitoring modes for an Oracle Database Firewall. In Database Activity Monitoring (DAM) mode, the system logs statements and provides warnings of potential attacks. It does not block potential attacks.

See also Database Policy Enforcement Mode

Database Firewall

See Oracle Database Firewall.

Database Firewall Administration Console

See Oracle Database Firewall Administration Console.

Database Firewall Management Server

See Oracle Database Firewall Management Server.

Database Firewall Network

See Oracle Database Firewall network.

database network

The database network contains the database server and database clients.

Database Policy Enforcement Mode

One of the modes in which Oracle Database Firewall can operate. In this mode, the system performs all the actions of database activity monitoring, and blocks SQL statements that appear to be potential attacks.

See also Database Activity Monitoring Mode

Database Response Monitoring

Database Response Monitoring records database responses for all SQL statements, logins and logouts that are logged by the baseline. This Administration Console feature allows you to determine whether the database executed logins, logouts and statements successfully, and can provide useful information for audit and forensic purposes.

database user set

A set of one or more database user login names. Database user sets are used in profiles to analyze data originating from selected login names, or to set up baseline rules for selected database users. You can create database user sets using the DB User Sets option in the Tools menu.

The Baseline Options dialog enables you to specify whether the baseline should use case matching when checking database user names.

Details tab

A component of the user interface that enables you to develop the baseline by specifying an action, logging level, and threat severity for each cluster. The Details tab organizes the clusters into cluster groups, and is an alternative to using the Clusters tab.

direct database Interrogation

The ability to interrogate the monitored database to obtain the name of the database user, operating system, and client program that originated an SQL statement, if this information is not available from the statement itself.

enforcement point

An Oracle Database Firewall logical configuration that associates a Database Firewall policy that you create with a specific protected database and network traffic source(s). In other words, the enforcement point defines the relationship between the protected database and the policy.

You can have multiple databases configured to use one enforcement point. The policy associated with an enforcement point is platform-specific, which means that the databases associated with it must be from the same database product line (for example, all Oracle databases).

exception

A feature that enables you to override standard baseline rules for specific cases. For example, you may want to set up an exception that overrides standard baseline rules (action level, logging level, and threat severity) for SQL statements originating from administrators.

Export as HTML option

A File menu option that enables you create an HTML file in which to export the properties and baseline information contained in the model displayed in the currently selected window. Use this option for reporting purposes, or to use the model data in other applications.

event log

Stores system events that are not directly related to the Oracle Database Firewall software, such as operating system warnings.

Filters

A Tools menu option used to manage which clusters to display in the Analysis and Details tabs.

hexadecimal format

The Base 16 representation used by the Inspect option on the Analysis tab to enable you to examine the characters in a selected statement. Displaying a statement in hexadecimal format may be useful if the statement includes unprintable characters.

Invalid SQL tab

A component of the user interface that displays any SQL statements that the Analyzer did not recognize (for example: statements that do not conform with the SQL syntax).

Invalid Statement policy

A Tools menu option used to define the action, logging level, and threat severity for invalid SQL statements. The Invalid Statement policy allows you to specify the policies the baseline must apply when Oracle Database Firewall encounters invalid SQL statements.

IP address set

A set of one or more IP addresses of database clients. IP address sets are used in profiles to analyze data originating from selected IP addresses, or to set up baseline rules for selected IP addresses. An IP address can belong to only one set. You can create IP address sets using the IP Address Sets option in the Tools menu.

Load Policy option

A File menu option used to create a model from a baseline that was created using the Create Policy option. The option prompts you to specify the name of the baseline file to load. This option is provided to enable recovery of a model from a baseline in the unlikely event that the original model data has been lost.

local monitor

An Oracle Database Firewall component that monitors SQL traffic that originates from sources that have direct access to the protected database, such as console users or batch jobs that run on a database server. The local monitor is a passive logging device. That is, you cannot use it to block SQL statements."

log level

A standard baseline rule that describes the type of data the baseline collects about statements, how often to collect the data, and how many statements to include in the log.

login and logout policy

A Tools menu option that enables you to specify the policies the baseline must apply when a database client logs into or logs out of the database. Use login policy to specify the login action level and threat severity of successful or unsuccessful database user logins, and whether to log logins. Use a logout policy to specify the logout action level and threat severity of database user logouts, and whether to log logouts.

Management Server

See Oracle Database Firewall Management Server.

model

A component that stores all the data used to develop a baseline, including the properties and analysis data, and all the baseline information. Each model is stored in a pair of files with .smdl and .smdl_data file extensions.

novelty policy

A set of rules that operate on the baseline. Novelty policies are used to loosen or tighten the default unseen statement policies for specific classes of statements, tables, or both. They specify the action level, logging level, and threat severity to use for unseen statements that operate on the specified classes of statements or tables.

For example, if the default action level is Warn, the user may want to set up novelty policies that apply a Pass action level to unseen statements that operate on tables containing public information, and a Block action to all unseen statements that operate on tables containing sensitive information.

Oracle Database Firewall

The Oracle Database Firewall component that performs these tasks:

You can have multiple Database Firewalls connecting to one Management Server.

See also Oracle Database Firewall Analyzer, Oracle Database Firewall Management Server.

Oracle Database Firewall Administration Console

The administrative console used to configure Oracle Database Firewall. This console is available on each Database Firewall and Management Server.

Oracle Database Firewall Analyzer

The Oracle Database Firewall component that enables users to develop baselines and log SQL statements to be analyzed for security vulnerabilities and usage patterns. Users who have little knowledge of SQL can use the Analyzer to develop baselines, and users who have detailed knowledge of SQL can use Analyzer to customize baselines.

See also baseline.

Oracle Database Firewall Management Server

The Oracle Database Firewall component that performs these tasks:

See also Oracle Database Firewall Analyzer and Oracle Database Firewall.

Oracle Database Firewall network

A system for securing and protecting data in SQL databases. Oracle Database Firewall blocks and produces warnings of attempted attacks, logs activity, and provides intelligent tools to assess vulnerabilities. Oracle Database Firewall enhances existing database security features, such as field encryption and user authentication.

OS user set

A set of one or more operating system user names. OS user sets are used in profiles to analyze data originating from selected OS users, or to set up baseline rules for selected OS users. You can create OS user sets using the OS User Sets option in the Tools menu.

The Baseline Options dialog enables you to specify whether the baseline should use case matching when checking operating system user names.

primary device

In a resilient pair, this is the main Database Firewall or Management Server that carries out normal operations.

Profile View

One of two options in the View menu. The first option in the View menu toggles between Background and Profile. The Profile option is available only when background mode is displayed. The effect of the selection depends on whether you are using the Analysis, Clusters, or Details tab.

Properties tab

A component of the user interface that contains general information about the selected model, such as the original source of the data for the model, statistics, change control information, and notes.

protected database

The database being monitored by Oracle Database Firewall. See also local monitor and remote monitor.

remote monitor

Software that you install on a Linux server that has access to a database that you want to protect. Remote monitoring enables an enforcement point to directly monitor SQL traffic in a database. The remote monitor captures the SQL traffic and sends it over the network to an Oracle Database Firewall. This SQL data is then available for reports generated by this Database Firewall.

resilient pair

A feature of Oracle Database Firewall that enables the paired configuration of Oracle Database Firewall and Oracle Database Firewall Server to provide high-availability system architecture. During system configuration, one device is nominated as the primary device and the other as the secondary device. The primary device carries out all normal operations, while the secondary device monitors traffic. The secondary device alerts only when the primary device fails.

secondary device

In a resilient pair, this is the other Database Firewall or Management Server that monitors traffic and alerts when the primary fails.

security index

A measure of threat, expressed as a percentage. The higher the security index, the greater the threat. The security index is calculated as the sum of the product of the threat severity level of the cluster ID times the frequency of that cluster ID, where:

Use this formula to calculate the security index:

Security Index = Σ (Threat severity (cid) x Frequency (cid) ) / 5

sensitive data masking

A process used in the baseline that automatically replaces all user data (such as string constants, integer constants, hexadecimal constants, and float constants) in a statement with alternative characters. The replacement characters that are used depend on the data type. The masking process prevents sensitive data from appearing in log files.

Sensitive data masking option

A Tools menu option that enables you to set up rules for automatic masking of sensitive data in log files, such as credit card numbers.

session

A feature of Analyzer version 1.2 and earlier. A session (file extension .sshn) can contain multiple models. You can open session files from the Welcome dialog or using Open in the File menu. Each model in the session is displayed in a separate window. You cannot create sessions in Analyzer version 2.0 or later.

spanning port

A special port in a managed switch that can mirror the traffic of other ports in the same switch. Spanning ports are often used for network traffic monitoring. Spanning ports do not enable SQL statement blocking.

Summary tab

A policy that has had filtering added. A baseline displays the statement types, threat severities, and action levels currently in the baseline. From the Baseline tab, you can generate a baseline automatically, set up novelty and unseen statement policies, and filter the contents of the Details tab. The Baseline tab is the primary means of interacting with the baseline.

testing

The iterative process of developing the baseline. While the system is operational, a new set of SQL statements can be logged, and then imported into the Analyzer for analysis against the statements previously used to build the current baseline. This process (called "testing the model") enables possible security vulnerabilities to be identified and the baseline to be improved further. The process can be repeated as many times as required.

You can test the model using data in the traffic log, trace file, train file, or by entering single statements available from the Test menu.

The Analyzer reads each statement in the test data and assigns it to a cluster for analysis in the Analysis tab. Some statements in the test data may cause additional clusters to be generated.

threat severity

The measure of security risk for the policy item (be it cluster, novelty policy, and so on). Each cluster can have an optionally-assigned threat severity. There are six threat severity levels, ranging from Unassigned to Catastrophic (threat severity 5). When Oracle Database Firewall logs a statement, the threat severity of the statement is also logged. You can use third-party reports and syslog to display statements based on the logged threat severity.

timeslice

A set of one or more hours in a week (for example: 9 am to 5 pm, Monday to Friday). A timeslice can be used in a profile to define the hours of the week that the profile applies. You can create timeslices using the Timeslices option in the Tools menu. The same timeslice can be used in any number of profiles.

trace file

A binary log file obtained from a Microsoft SQL Server system, which contains a list of SQL statements. Trace files have a .trc file extension.

traffic log

A file that contains SQL statements that have been logged and stored on the Oracle Database Firewall Server or Oracle Database Firewall. If known, the traffic log stores the following information about the originator of each statement, which enables the creation of IP address sets:

train file

A text file containing a list of SQL statements. Train files can contain blank lines or a combination of SQL statements on each line. However, statements must not be split across lines. Train files have a .train file extension.

Training Mode

One of the four modes in which Oracle Database Firewall can operate. In this mode, the system logs traffic for the purposes of automated baseline generation.

unseen statement

A statement that does not match any of the clusters in the baseline. You can set up policies for unseen statements from the Summary tab.