Oracle® Database Firewall Administration Guide
Part Number E18695-08
A set of rules used by the baseline to evaluate statements for a cluster. These rules include four action levels: unassigned, block, warn, and pass.
A standard policy rule that describes the actions to take when evaluating statements that match the cluster.
A standard baseline rule that describes the type of data the baseline collects about statements, how often to collect the data, and how many statements to include in the log.
A browser-based application for configuring, managing, and monitoring the system. The Administration Console is displayed by logging into the Management Console or the standalone or managed Database Firewall from a Web browser, such as Internet Explorer. See "Which Administration Console Should I Use?" for more information.
The log type that stores system actions such as logins, shutdowns, restarts, and baseline uploads. To ensure full traceability of system changes, the administration log stores the login ID of any person who makes a change from the Administration Console.
A component of the user interface that is used to analyze the SQL statements that the Analyzer has read.
One of two View menu options. The first option in the View menu toggles between Background and Profile. The Background option is available only when Profile mode is displayed. The effect of the selection depends on whether you are using the Analysis, Clusters, or Details tab.
A configuration file that Oracle Database Firewall uses to determine the threat severity, action level, and logging level to use for each SQL statement it encounters. You create baselines in the Oracle Database Firewall Analyzer. A baseline can attach separate action and logging level settings to each cluster in a model. A baseline also specifies a default action and logging level for clusters that have not been previously logged, and therefore do not appear in the model. Baseline files have a .dna file extension.
Configuration that enables Oracle Database Firewall to block attacks made by SQL statements.
Any combination of an IP address set, DB user set, client program set, OS user set, and a timeslice. Profiles are used to analyze statements and set up baseline rules for statements occurring at specified times from selected database users, IP addresses, client programs, and operating system users. You can create profiles using the Profiles option in the Tools menu.
A set of one or more database client program names. Client program sets are used in profiles to analyze data originating from selected programs, or to set up baseline rules for selected programs. A client program can belong to only one set. You can create client program sets using the Client Program Sets option in the Tools menu.
The Baseline Options dialog enables you to specify whether the baseline should use case matching when checking client program names.
A set of semantically similar SQL statements that is created when the Analyzer reads logged SQL statements, either to create the model or when testing against new logged SQL data. The Analyzer uses its built-in knowledge of the SQL syntax to categorize the SQL statements into semantic clusters. When designing the baseline, you can specify the action and logging level for each cluster.
A component of the user interface that enables you to develop the baseline by specifying an action, logging level, and threat severity for each cluster. The Clusters tab provides a tabular view of the clusters the Analyzer has generated, and is an alternative to using the Details tab.
An open log management standard that ArcSight uses when collecting data from different sources. This common event log format enables the Database Firewall and ArcSight integration to easily collect and aggregate data for analysis.
A File menu option used to create a baseline file for the model. The option prompts you to specify the name of the baseline file to create. Baseline files have a .dna extension.
One of the monitoring modes for an Oracle Database Firewall. In Database Activity Monitoring (DAM) mode, the system logs statements and provides warnings of potential attacks. It does not block potential attacks.
See also Database Policy Enforcement Mode
One of the modes in which Oracle Database Firewall can operate. In this mode, the system performs all the actions of database activity monitoring, and blocks SQL statements that appear to be potential attacks.
See also Database Activity Monitoring Mode
Database Response Monitoring records database responses for all SQL statements, logins and logouts that are logged by the baseline. This Administration Console feature allows you to determine whether the database executed logins, logouts and statements successfully, and can provide useful information for audit and forensic purposes.
A set of one or more database user login names. Database user sets are used in profiles to analyze data originating from selected login names, or to set up baseline rules for selected database users. You can create database user sets using the DB User Sets option in the Tools menu.
The Baseline Options dialog enables you to specify whether the baseline should use case matching when checking database user names.
A component of the user interface that enables you to develop the baseline by specifying an action, logging level, and threat severity for each cluster. The Details tab organizes the clusters into cluster groups, and is an alternative to using the Clusters tab.
The ability to interrogate the monitored database to obtain the name of the database user, operating system, and client program that originated an SQL statement, if this information is not available from the statement itself.
An Oracle Database Firewall logical configuration that associates a Database Firewall policy that you create with a specific protected database and network traffic source(s). In other words, the enforcement point defines the relationship between the protected database and the policy.
You can have multiple databases configured to use one enforcement point. The policy associated with an enforcement point is platform-specific, which means that the databases associated with it must be from the same database product line (for example, all Oracle databases).
A feature that enables you to override standard baseline rules for specific cases. For example, you may want to set up an exception that overrides standard baseline rules (action level, logging level, and threat severity) for SQL statements originating from administrators.
A File menu option that enables you to create an HTML file into which the properties and baseline information contained in the model displayed in the currently selected window are exported. Use this option for reporting purposes, or to use the model data in other applications.
Stores system events that are not directly related to the Oracle Database Firewall software, such as operating system warnings.
A Tools menu option used to manage which clusters to display in the Analysis and Details tabs.
The Base 16 representation used by the Inspect option on the Analysis tab to enable you to examine the characters in a selected statement. Displaying a statement in hexadecimal format may be useful if the statement includes unprintable characters.
A component of the user interface that displays any SQL statements that the Analyzer did not recognize (for example: statements that do not conform with the SQL syntax).
A Tools menu option used to define the action, logging level, and threat severity for invalid SQL statements. The Invalid Statement policy allows you to specify the policies the baseline must apply when Oracle Database Firewall encounters invalid SQL statements.
A set of one or more IP addresses of database clients. IP address sets are used in profiles to analyze data originating from selected IP addresses, or to set up baseline rules for selected IP addresses. An IP address can belong to only one set. You can create IP address sets using the IP Address Sets option in the Tools menu.
A File menu option used to create a model from a baseline that was created using the Create Policy option. The option prompts you to specify the name of the baseline file to load. This option is provided to enable recovery of a model from a baseline in the unlikely event that the original model data has been lost.
An Oracle Database Firewall component that monitors SQL traffic that originates from sources that have direct access to the protected database, such as console users or batch jobs that run on a database server. The local monitor is a passive logging device. That is, you cannot use it to block SQL statements.
A standard baseline rule that describes the type of data the baseline collects about statements, how often to collect the data, and how many statements to include in the log.
A Tools menu option that enables you to specify the policies the baseline must apply when a database client logs into or logs out of the database. Use login policy to specify the login action level and threat severity of successful or unsuccessful database user logins, and whether to log logins. Use a logout policy to specify the logout action level and threat severity of database user logouts, and whether to log logouts.
A component that stores all the data used to develop a baseline, including the properties and analysis data, and all the baseline information. Each model is stored in a pair of files with .smdl and .smdl_data file extensions.
A set of rules that operate on the baseline. Novelty policies are used to loosen or tighten the default unseen statement policies for specific classes of statements, tables, or both. They specify the action level, logging level, and threat severity to use for unseen statements that operate on the specified classes of statements or tables.
For example, if the default action level is Warn, the user may want to set up novelty policies that apply a Pass action level to unseen statements that operate on tables containing public information, and a Block action to all unseen statements that operate on tables containing sensitive information.
The Oracle Database Firewall component that performs these tasks:
Handles real-time recording and analysis of SQL transaction requests and responses from one or more Oracle, Microsoft SQL Server, Sybase, Sybase SQL Anywhere, and IBM DB2 SQL databases
Categorizes SQL transactions
Enforces data policies
Enables real-time alerting and event propagation
You can have multiple Database Firewalls connecting to one Management Server.
The administrative console used to configure Oracle Database Firewall. This console is available on each Database Firewall and Management Server.
The Oracle Database Firewall component that enables users to develop baselines and log SQL statements to be analyzed for security vulnerabilities and usage patterns. Users who have little knowledge of SQL can use the Analyzer to develop baselines, and users who have detailed knowledge of SQL can use Analyzer to customize baselines.
See also baseline.
The Oracle Database Firewall component that performs these tasks:
Aggregates SQL data from one or more Database Firewalls
Serves as a reporting platform for business reports
Centralizes the distribution of data control policies (but different policies can be applied to specific databases)
Stores and manages log files, including archiving and restoring the log files
Remotely manages all Database Firewalls to which it connects
Integrates with third-party applications, such as ArcSight SIEM
A system for securing and protecting data in SQL databases. Oracle Database Firewall blocks and produces warnings of attempted attacks, logs activity, and provides intelligent tools to assess vulnerabilities. Oracle Database Firewall enhances existing database security features, such as field encryption and user authentication.
A set of one or more operating system user names. OS user sets are used in profiles to analyze data originating from selected OS users, or to set up baseline rules for selected OS users. You can create OS user sets using the OS User Sets option in the Tools menu.
The Baseline Options dialog enables you to specify whether the baseline should use case matching when checking operating system user names.
In a resilient pair, this is the main Database Firewall or Management Server that carries out normal operations.
One of two options in the View menu. The first option in the View menu toggles between Background and Profile. The Profile option is available only when background mode is displayed. The effect of the selection depends on whether you are using the Analysis, Clusters, or Details tab.
A component of the user interface that contains general information about the selected model, such as the original source of the data for the model, statistics, change control information, and notes.
Software that you install on a Linux server that has access to a database that you want to protect. Remote monitoring enables an enforcement point to directly monitor SQL traffic in a database. The remote monitor captures the SQL traffic and sends it over the network to an Oracle Database Firewall. This SQL data is then available for reports generated by this Database Firewall.
A feature of Oracle Database Firewall that enables the paired configuration of Oracle Database Firewall and Oracle Database Firewall Server to provide high-availability system architecture. During system configuration, one device is nominated as the primary device and the other as the secondary device. The primary device carries out all normal operations, while the secondary device monitors traffic. The secondary device alerts only when the primary device fails.
In a resilient pair, this is the other Database Firewall or Management Server that monitors traffic and alerts when the primary fails.
A measure of threat, expressed as a percentage. The higher the security index, the greater the threat. The security index is calculated as the sum, over all cluster IDs, of the threat severity of each cluster ID multiplied by the frequency of that cluster ID, divided by 5, where:
Threat severity (cid) is the threat severity of the cluster ID, as set in the Analyzer (range 0 to 5).
cid is the cluster ID. All clusters that occur over the specified time period are included in the calculation.
Frequency (cid) is the percentage of all statements recorded over the specified period that match the cluster.
Use this formula to calculate the security index:
Security Index = Σ (Threat severity (cid) × Frequency (cid)) / 5
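The following is an added worked example of the security index formula above; it is not code from the Oracle Database Firewall product. It assumes a constructed list of logged statements, each tagged with the cluster ID the Analyzer assigned it, and treats a cluster whose threat severity is Unassigned as contributing 0 to the sum (an assumption, since the guide only gives the numeric range 0 to 5).

```python
from collections import Counter
from typing import Iterable, Mapping, Optional

# Threat severity per cluster ID, as it would be set in the Analyzer.
# None stands for "Unassigned"; this example assumes it contributes 0.
SeverityMap = Mapping[str, Optional[int]]

# Constructed sample traffic-log records: (timestamp, cluster ID). In the
# real product the cluster ID comes from the Analyzer's clustering of the
# logged statement; here it is simply embedded.
SAMPLE_LOG = [
    ("2011-05-01T09:00:00", "c1"), ("2011-05-01T09:00:05", "c1"),
    ("2011-05-01T09:01:10", "c1"), ("2011-05-01T09:02:30", "c1"),
    ("2011-05-01T09:03:00", "c1"), ("2011-05-01T09:04:45", "c1"),
    ("2011-05-01T09:05:00", "c2"),   # one statement in a severity-5 cluster
    ("2011-05-01T09:06:00", "c3"),   # one statement in an Unassigned cluster
]
SAMPLE_SEVERITIES: SeverityMap = {"c1": 1, "c2": 5, "c3": None}


def cluster_frequencies(cluster_ids: Iterable[str]) -> dict:
    """Frequency(cid): percentage of all logged statements in each cluster."""
    counts = Counter(cluster_ids)
    total = sum(counts.values())
    if total == 0:            # no statements in the period: nothing to score
        return {}
    return {cid: 100.0 * n / total for cid, n in counts.items()}


def security_index(cluster_ids: Iterable[str], severities: SeverityMap) -> float:
    """Security Index = sum(Threat severity(cid) * Frequency(cid)) / 5.

    Because Frequency is a percentage summing to 100 and severity is at most
    5, the result is itself a percentage in the range 0..100.
    """
    weighted_sum = 0.0
    for cid, freq_pct in cluster_frequencies(cluster_ids).items():
        severity = severities.get(cid)
        if severity is None:      # Unassigned: assumed to add nothing
            severity = 0
        if not 0 <= severity <= 5:
            raise ValueError(f"threat severity for {cid} out of range 0..5")
        weighted_sum += severity * freq_pct
    return weighted_sum / 5


def sample_security_index() -> float:
    """Index for the constructed log: (1*75 + 5*12.5 + 0*12.5) / 5 = 27.5."""
    return security_index((cid for _, cid in SAMPLE_LOG), SAMPLE_SEVERITIES)
```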
A process used in the baseline that automatically replaces all user data (such as string constants, integer constants, hexadecimal constants, and float constants) in a statement with alternative characters. The replacement characters that are used depend on the data type. The masking process prevents sensitive data from appearing in log files.
A Tools menu option that enables you to set up rules for automatic masking of sensitive data in log files, such as credit card numbers.
A feature of Analyzer version 1.2 and earlier. A session (file extension .sshn) can contain multiple models. You can open session files from the Welcome dialog or using Open in the File menu. Each model in the session is displayed in a separate window. You cannot create sessions in Analyzer version 2.0 or later.
A special port in a managed switch that can mirror the traffic of other ports in the same switch. Spanning ports are often used for network traffic monitoring. Spanning ports do not enable SQL statement blocking.
A policy that has had filtering added. A baseline displays the statement types, threat severities, and action levels currently in the baseline. From the Baseline tab, you can generate a baseline automatically, set up novelty and unseen statement policies, and filter the contents of the Details tab. The Baseline tab is the primary means of interacting with the baseline.
The iterative process of developing the baseline. While the system is operational, a new set of SQL statements can be logged, and then imported into the Analyzer for analysis against the statements previously used to build the current baseline. This process (called "testing the model") enables possible security vulnerabilities to be identified and the baseline to be improved further. The process can be repeated as many times as required.
You can test the model using data in the traffic log, trace file, train file, or by entering single statements available from the Test menu.
The Analyzer reads each statement in the test data and assigns it to a cluster for analysis in the Analysis tab. Some statements in the test data may cause additional clusters to be generated.
The measure of security risk for the policy item (be it cluster, novelty policy, and so on). Each cluster can have an optionally-assigned threat severity. There are six threat severity levels, ranging from Unassigned to Catastrophic (threat severity 5). When Oracle Database Firewall logs a statement, the threat severity of the statement is also logged. You can use third-party reports and syslog to display statements based on the logged threat severity.
A set of one or more hours in a week (for example: 9 am to 5 pm, Monday to Friday). A timeslice can be used in a profile to define the hours of the week that the profile applies. You can create timeslices using the Timeslices option in the Tools menu. The same timeslice can be used in any number of profiles.
A binary log file obtained from a Microsoft SQL Server system, which contains a list of SQL statements. Trace files have a .trc file extension.
A file that contains SQL statements that have been logged and stored on the Oracle Database Firewall Server or Oracle Database Firewall. If known, the traffic log stores the following information about the originator of each statement, which enables the creation of IP address sets:
IP address of the client
Database user login name
Database client program name
Operating system user name
A text file containing a list of SQL statements. Train files can contain blank lines, and a single line may hold one or more SQL statements. However, a statement must not be split across lines. Train files have a .train file extension.
One of the four modes in which Oracle Database Firewall can operate. In this mode, the system logs traffic for the purposes of automated baseline generation.