Oracle® Database Firewall Administration Guide
Release 5.0

Part Number E18695-08

13 System Administration

This chapter describes routine tasks that may need to be carried out from time to time. It does not attempt to explain all options available from the Administration Console.

This chapter contains:

Using the Dashboard

The Dashboard page of the Administration Console provides a high-level view of important information about the databases being protected, such as the threat status, throughput and top ten threats. Key indicators are shown in charts, which are intended to be used by IT and security managers who are responsible for the day-to-day monitoring of the system.

See the Oracle Database Firewall Security Management Guide for more information on using the Dashboard.

Figure 13-1 shows an example of the Dashboard page of the Administration Console for a Management Server.

Figure 13-1 Dashboard Page of the Management Server Administration Console


Note:

The Dashboard can include statistics from BIG-IP Application Security Manager, a Web application firewall product from F5 Networks, Inc. See Chapter 11 for more information.

Configuring Oracle Database Firewalls

You can configure the Oracle Database Firewalls managed by a Database Firewall Management Server by using the Appliances tab. The Appliances tab is available only in the Oracle Database Firewall Management Server Administration Console.

Figure 13-2 shows the Appliances tab of the Management Server Administration Console.

Figure 13-2 Appliances Tab for Configuring Oracle Database Firewalls


Use the Add button to add an Oracle Database Firewall. See "Step 3B: Add Each Oracle Database Firewall to the Management Server".

Use the Create Resilient Pair button to create a resilient pair of Oracle Database Firewalls. See "Step 3C: Define Resilient Pairs of Oracle Database Firewalls". After creating a resilient pair, Unpair and Swap buttons are displayed. You can use Swap to force the primary to become the secondary, and vice versa.

The following buttons are provided for each Oracle Database Firewall:

Configuring Protected Databases

This section contains:

About Configuring Protected Databases

You can set up the details of the protected databases using the options in the Protected Databases menu of the Monitoring tab.

Figure 13-3 shows the Protected Databases page in the Administration Console.

Figure 13-3 Configuring a Protected Database


Clicking List in the Protected Databases menu lists all the protected databases that have already been configured. Figure 13-3 shows an example.

Clicking Create in the Protected Databases menu lets you create a new protected database.

Clicking a database name enables you to change the protected database settings. Figure 13-4 shows the settings that are available.

Figure 13-4 Protected Database Settings


Checkboxes let you select the types of compliance reports that can be produced. (Oracle Database Firewall Security Management Guide provides more information about these report types.) If you need to produce Sarbanes-Oxley (SOX), Payment Card Industry (PCI), Data Protection Act (DPA), Gramm-Leach-Bliley Act (GLBA) or Health Insurance Portability and Accountability Act (HIPAA) reports for the database, then select the appropriate checkboxes.

Click Save Settings when finished.

Configuring User Settings for Protected Databases

To configure user settings for a protected database:

  1. Select the Monitoring tab.

  2. Under Protected Databases, select List.

  3. In the Protected Databases page, select the users link.

    Clicking users in the protected database list allows you to view the names of the users who have accessed the database (this is determined from database traffic). You can click the name of a user to configure the user's "profile", such as the IP addresses that the user is expected to connect from; and whether the user should no longer be accessing the database (Access terminated since).

  4. In the Users for protected database page, select the user name that you want to configure.

  5. In the Edit Database User page, enter the appropriate user settings.


  6. Click the Save Settings button.

These settings are used in reports to show deviations from expected database usage.

Listing, Creating, and Configuring Enforcement Points

This section contains:

About Working with Enforcement Points

An Enforcement Point is a logical configuration in Database Firewall that lets you associate a policy with a specific protected database and network traffic sources.

The Enforcement Points menu in the Monitoring page enables you to list existing enforcement points, create new enforcement points (using the Enforcement Point Wizard), and view outstanding tasks for enforcement points. You can configure settings that are not available in the Enforcement Point Wizard. See "Step 6: Configure the Standalone Database Firewall Enforcement Points" for more information.

Figure 13-5 shows the Enforcement Points page of the Administration Console.

Figure 13-5 Finding Existing Enforcement Points


Clicking List displays all existing enforcement points, as shown in Figure 13-5. Four buttons are provided for each enforcement point listed: Manage, Status, Settings and Advanced, as described in the following sections.

Managing Enforcement Points

The Manage button enables you to:

  • Suspend, resume, or delete the enforcement point.

  • Run, suspend, or resume a stored procedure audit or user role audit for the selected enforcement point.

Finding the Status of an Enforcement Point

Click the Monitoring tab, then select List from the Enforcement Points menu. The Status button displays the details for an enforcement point, its status and the database it protects. If the enforcement point is in a managed Database Firewall, the Appliances tab in the Management Server shows the Oracle Database Firewall device that contains the enforcement point.

Changing the Settings of an Enforcement Point

The Settings button enables you to change the settings of the enforcement point, such as the database it protects, the policy that is used, and the protection mode.

Figure 13-6 shows an example of changing the settings of an enforcement point.

Figure 13-6 Changing Settings of an Enforcement Point


The following options are available:

Configuring BIG-IP Application Security Manager Settings

Click the Advanced button to configure settings for BIG-IP Application Security Manager. See Chapter 11 for more information.

Configuring a Resilient Pair of Enforcement Points

The Resilience menu is available when you are using the Oracle Database Firewall Management Server Administration Console. You can use the Create Pair option to set up a pair of enforcement points. See "Pairing Enforcement Points" for more information.

Configuring Traffic Sources

You can set up Traffic Sources using the Administration Console for an Oracle Database Firewall. See "Step 7: Configure the Standalone Database Firewall Bridge IP Address" for more information.

Configuring the System

You can configure the Oracle Database Firewall system settings using the options in the System menu of the System page. These options are used during initial deployment of Oracle Database Firewall.

Figure 13-7 shows the System Settings page of the Administration Console for a Management Server.

Figure 13-7 System Settings for a Management Server


Except where noted, the following options are available from the System menu of a Management Server or Standalone Database Firewall. The options Manage and Email Configuration are not available on a managed Database Firewall.

Archiving Data

This section contains:

About Archiving Data

The Archiving page of the Administration Console provides options that enable important data to be archived to prevent loss of data in the unlikely event of a disk or other system error. It is recommended that archiving is carried out regularly in accordance with your corporate policy, for example, every day using Manage in the Tasks menu. If required, you can create different archives for each protected database.

Figure 13-8 shows the Archiving Jobs page of the Administration Console.

Figure 13-8 Archiving Data


Archive Data and Manage archive the traffic logs or audit history for stored procedure auditing and user role auditing. Archive Configuration archives system configuration data, including the baseline policies.

Note:

  • The amount of data in the traffic log depends on the logging settings in the Analyzer. Excessive logging leads to rapid use of large amounts of disk space.

    To prevent problems caused by the accumulation of processed traffic log files on the Oracle Database Firewall or Oracle Database Firewall Management Server, the system ensures that a target of 25% of the disk space remains free. You must take this into account when calculating the amount of disk space required for storage of traffic log files.

    Once free disk space falls below this target, log files may be deleted by the system and will no longer be available for archiving and ad-hoc searching.

  • All files used by the Analyzer must be archived separately by your company's normal backup/archive systems. It is recommended that the following Analyzer files are archived:

    Baseline Files: File extension .dna

    Model Files: File extensions .smdl and .smdl_data

    Training Files: File extension .train

Defining Archiving Destinations

Before an archive can be started, you must define one or more archive destinations as follows. An archiving destination specifies the archive storage locations and other configuration settings.

  1. Log in to the standalone Database Firewall or Management Server Administration Console.

    See "Logging in to the Administration Console" for more information.

  2. Click the Archiving tab.

  3. Click Create in the Destinations menu. The following is displayed:


  4. Complete the following fields:

    • Transfer Method: The method used to transfer data from the Oracle Database Firewall Management Server to the machine that archives the data. Normally, you should select Secure Copy (scp) if the data is archived by a Linux machine, and Windows File Sharing (smb) if the data is archived by a Windows machine.

    • Name: The name of the archiving destination. This name is used to select the archiving destination when starting an archive.

    • Username: The user name for the machine to which the archive data will be transferred.

    • Address: The name or IP address of the machine that archives the data. If Windows File Sharing is selected, specify an IP address.

    • Port: This is the port number used by the secure copy or Windows fileshare service on the machine that archives the data. You can normally use the default port number.

      If you selected Windows File Sharing as the Transfer Method, it is recommended you use port 445.

    • Path: The path to the archive storage location. If a Linux machine is used to archive the data and there is no leading slash character, the path is relative to the user's home directory. If there is a leading slash, the path is relative to the root directory. For a Windows machine, enter the sharename, followed by a forward slash and the name of the folder (for example, /sharename/myfolder).

    • Authentication Method: If a Windows machine is used to archive the data, select Password and enter the login password. If a Linux machine is used, you can select Key Authentication. Follow the instructions that appear after selecting Key Authentication.

    • Password and Confirm Password: The password to log into the machine that archives the data.

  5. Click Save.

Creating an Archive Schedule

You can create a schedule to archive the traffic logs or audit files automatically at midnight on specified days. To do this:

  1. Log in to the standalone Database Firewall or Management Server Administration Console.

    See "Logging in to the Administration Console" for more information.

  2. Click the Archiving tab.

  3. Under Jobs, select Schedule.

  4. In the Archiving page, click the Add button.

  5. Select Log Files to create a schedule to archive traffic logs, or Db Audit to create a schedule to archive the history for stored procedure auditing and user role auditing.

  6. Select Recurring if you want the archive to occur automatically at a specified interval.

    If the check box is not selected, the archive will occur only once.

  7. Use Date, Month and Weekday to specify the interval.

    For example, if you select only Mon, the archive will take place at midnight on every Monday. If you select 1 and Jan, the archive will take place only on the 1st January every year (not recommended; the archive should occur more frequently).

  8. Use Host to select the archive destination.

  9. Select the protected database, or All.

  10. Click Save.
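To check what a given Date, Month and Weekday selection actually produces before relying on it, here is an added Python model of the schedule rules described above (not part of the guide or the product). It assumes that an empty category means "any", that values selected within one category are alternatives, and that the three categories combine with AND, which is how the guide's two examples behave:

```python
from datetime import date, timedelta

WEEKDAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")
MONTHS = ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")


def schedule_matches(day, dates=(), months=(), weekdays=()):
    """True if the archive fires at midnight on `day` (a datetime.date).

    Assumed semantics: an empty selection means 'any'; within a category any
    selected value matches; the three categories are ANDed together.
    """
    if dates and day.day not in dates:
        return False
    if months and MONTHS[day.month - 1] not in months:
        return False
    if weekdays and WEEKDAYS[day.weekday()] not in weekdays:
        return False
    return True


def archive_days(start, count, dates=(), months=(), weekdays=()):
    """The next `count` run dates after `start` (ISO date strings in and out)."""
    day = date.fromisoformat(start)
    runs = []
    # Two years is enough to find any yearly schedule; stop after that.
    for _ in range(366 * 2):
        day += timedelta(days=1)
        if schedule_matches(day, dates, months, weekdays):
            runs.append(day.isoformat())
            if len(runs) == count:
                break
    return runs


def longest_gap_days(start, dates=(), months=(), weekdays=()):
    """Largest number of days between consecutive runs in the next two years,
    or None if the schedule never fires. Useful for spotting a selection such
    as '1' plus 'Jan', which the guide warns archives only once a year."""
    runs = [date.fromisoformat(d)
            for d in archive_days(start, 1000, dates, months, weekdays)]
    if len(runs) < 2:
        return None
    return max((b - a).days for a, b in zip(runs, runs[1:]))


if __name__ == "__main__":
    # Constructed starting date: the day of the alert shown in Example 13-1.
    print(archive_days("2010-11-12", 3, weekdays={"Mon"}))
    print(longest_gap_days("2010-11-12", dates={1}, months={"Jan"}))
```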

Starting an Archive Job Manually

If you do not want to set up an archive schedule, use the following procedure to archive the traffic logs or audit files manually:

  1. Log in to the standalone Database Firewall or Management Server Administration Console.

    See "Logging in to the Administration Console" for more information.

  2. Click the Archiving tab.

    Any existing archive or restore jobs are listed on the Archiving Jobs page.

  3. Ensure that you have created an archiving destination first.

    In the Destinations menu, select Create to create the archiving destination.

  4. In the Jobs menu, select Archive Data.

    The following screen is displayed:


  5. Complete the following fields:

    • Job Name: Give each archive a name.

    • Archive Destination: Choose the archive destination.

    • Archive class: Choose whether to archive the Log Files (traffic logs) or the Audit Files (the archive history for stored procedure auditing and user role auditing). If you choose Log Files, the following options are also displayed:

    Include files that have already been archived: Select this check box to re-archive files that have already been archived.

    Protected Database: Choose All, or a specified database.

    Log Files: Choose the period to archive.

  6. Click Archive.

You can view the progress of an archive job from the Archiving Jobs page (click the Archiving tab).

Clicking the job number in the Archiving Jobs page displays a page in which you can choose to pause or delete the job.

Starting a Configuration Archive Job

Before archiving configuration data from the Oracle Database Firewall Management Server, display the Appliances page, click Manage for each Oracle Database Firewall device being controlled and select the Backup option.

Use the following procedure to archive configuration data, including baseline policies:

  1. Log in to the standalone Database Firewall or Management Server Administration Console.

    See "Logging in to the Administration Console" for more information.

  2. Click the Archiving tab.

  3. In the Jobs menu, select Archive Configuration.

  4. In the Create Archive Job page, complete the Job Name and Archive Destination fields.

  5. Click the Archive button.

    After you click Archive, the archive job appears in the Configuration Archive Jobs list in the Archiving Jobs page.

Restoring an Archive

If you want to restore data from an archive, click Restore Data or Restore Configuration in the Jobs menu. The page that is displayed enables you to choose the archive destination to restore. All data stored at the archive destination will be restored.

After restoring configuration data at an Oracle Database Firewall Management Server, display the Appliances page, click Manage for each Oracle Database Firewall device being controlled and select the Restore option.

Viewing the Logs

The Database Firewall log files capture only SQL statements. If a user modifies these log files, the change is recorded. You can view logged information using the options in the Logs menu of the System page.

Figure 13-9 shows the Manage Logs page of the Administration Console.

Figure 13-9 Managing Logs


The Logs menu contains the following options:

Configuring Connectors to Third-Party Systems

You can configure connections to third-party systems by selecting Syslog from the Connectors menu in the System tab.

Figure 13-10 shows the Syslog Settings page of the Administration Console.

Figure 13-10 Syslog Settings


The Connectors menu contains the following options:

Configuring E-Mail Alerts for Third Party Connectors

You can configure e-mail alert notification for users. This section contains:

Configuring the SMTP Server

The SMTP protocol is widely used and recognized by internet mail servers.

To configure the SMTP server:

  1. From the System tab, in the Connectors menu, select Email Alerts.

  2. In the Email Alerts page, select the Email configuration link.

    The Email Configuration page appears.

  3. Enter the following settings:

    • SMTP Server Address: Enter the SMTP server address, using either an IP address or the host name. Examples are as follows:

      auth.smtp.example.com
      mail.example.com
      192.0.2.20
      
    • Port: Enter the port number, which is typically 25.

    • Username: (Optional) Enter the user name for the ISP login credential.

    • Password and Password Confirmation: (Optional) Enter the password for the ISP login credential.

    • From Address: Enter the appropriate e-mail address, which will be displayed as the sender in e-mails.

    • Reply-to Address: Enter the appropriate e-mail address, which will be used as the reply address.

  4. Click the Save button.

  5. To test the email configuration, enter a valid e-mail address in the Email Address field and then click Test. A test e-mail should arrive at that address shortly.

Configuring E-Mail Recipients

After you have configured an SMTP server, you can configure one or more e-mail addresses of users who want to receive e-mail alerts.

To configure e-mail alert forwarding:

  1. From the System tab, in the Connectors menu, select Email Alerts.

    The Email Alerts page appears.

  2. Select the Enable email alert forwarding check box.

  3. Enter one or more e-mail recipient addresses, separated by a space, tab, or new line.


  4. Click the Apply button.

Example E-Mail Alert Notification

Example 13-1 shows an example of an e-mail notification. The subject header is Oracle Database Firewall: Alert from device 192.0.2.82 for database 192.0.2.81 - Statement Alert.

Example 13-1 Contents of an E-Mail Alert Notification

Details of the alert:
     Alert name:                Statement Alert
     Device:                    192.0.2.82
     Alert severity:            Undefined
     Action:                    Warn
     Action Type:               Unknown Alerted
     Message timestamp:         2010-11-12 13:45:05.746
     Cluster ID:                2362095612
     Logging level:             Always
     Client address:            192.0.2.237:4743
     Server address:            192.0.2.81:1433
     Database username:         unknown_username
     SQL statement ID:          4cdd44e129500000
     Database response:         Not collected
         Response code          0
         Response text          
         Response detail        
     SQL:                       select * from creditcard where 0=0
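Alert e-mails in this layout are usually forwarded to a SIEM or ticketing system, so here is an added Python parser for the subject line and the indented body of Example 13-1 (this is not part of the guide or the product; the sample text is constructed from the guide's example values, and the nesting rule for the Response code/text/detail lines is inferred from the layout):

```python
import re

# Constructed sample in the layout of Example 13-1 (values taken from the
# guide's example; the field layout is what the parser is built around).
SAMPLE_SUBJECT = ("Oracle Database Firewall: Alert from device 192.0.2.82 "
                  "for database 192.0.2.81 - Statement Alert")
SAMPLE_BODY = """Details of the alert:
     Alert name:                Statement Alert
     Device:                    192.0.2.82
     Alert severity:            Undefined
     Action:                    Warn
     Action Type:               Unknown Alerted
     Message timestamp:         2010-11-12 13:45:05.746
     Cluster ID:                2362095612
     Logging level:             Always
     Client address:            192.0.2.237:4743
     Server address:            192.0.2.81:1433
     Database username:         unknown_username
     SQL statement ID:          4cdd44e129500000
     Database response:         Not collected
         Response code          0
         Response text
         Response detail
     SQL:                       select * from creditcard where 0=0
"""

SUBJECT_RE = re.compile(
    r"Oracle Database Firewall: Alert from device (?P<device>\S+) "
    r"for database (?P<database>\S+) - (?P<alert_name>.+)$")


def parse_subject(subject):
    """Pull device, protected database and alert name out of the subject."""
    m = SUBJECT_RE.search(subject.strip())
    if m is None:
        raise ValueError("not an Oracle Database Firewall alert subject")
    return m.groupdict()


def parse_body(text):
    """Parse the indented 'Key: value' block into a dict.

    Lines indented deeper than the first field (Response code/text/detail,
    which carry no colon) are nested under the preceding key, so
    'Database response' becomes {'status': ..., 'Response code': ..., ...}.
    """
    fields, base_indent, parent = {}, None, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("Details of the alert"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        body = raw.strip()
        if base_indent is None:
            base_indent = indent
        if indent > base_indent and parent is not None:
            parts = re.split(r"\s{2,}", body, maxsplit=1)
            fields[parent][parts[0]] = parts[1] if len(parts) > 1 else ""
            continue
        key, _, value = body.partition(":")   # first colon only: SQL may contain more
        key, value = key.strip(), value.strip()
        if key == "Database response":
            fields[key] = {"status": value}
            parent = key
        else:
            fields[key] = value
            parent = None
    return fields


def split_address(addr):
    """'192.0.2.237:4743' -> ('192.0.2.237', 4743); port is None if absent."""
    host, _, port = addr.rpartition(":")
    if not host:
        return addr, None
    return host, int(port)


def alert_to_event(subject, body):
    """Flatten subject and body into one record a SIEM hook can consume."""
    s = parse_subject(subject)
    f = parse_body(body)
    client_host, client_port = split_address(f.get("Client address", ""))
    server_host, server_port = split_address(f.get("Server address", ""))
    response = f.get("Database response", {})
    return {
        "device": s["device"], "database": s["database"],
        "alert_name": f.get("Alert name", s["alert_name"]),
        "severity": f.get("Alert severity"), "action": f.get("Action"),
        "action_type": f.get("Action Type"),
        "timestamp": f.get("Message timestamp"), "cluster_id": f.get("Cluster ID"),
        "client_host": client_host, "client_port": client_port,
        "server_host": server_host, "server_port": server_port,
        "db_user": f.get("Database username"),
        "statement_id": f.get("SQL statement ID"),
        "response_status": response.get("status"),
        "response_code": response.get("Response code"),
        "sql": f.get("SQL"),
    }


if __name__ == "__main__":
    print(alert_to_event(SAMPLE_SUBJECT, SAMPLE_BODY))
```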

Configuring Users

This section contains:

About Configuring Users

You can use the Users menu of the System page to create, list, and edit Administration Console user accounts. A valid user name and password must be provided when the Administration Console is started, or when a user of the Analyzer software connects using Train on Log Data or Test with Log Data.

You can create users in both standalone and managed Database Firewalls, and in the Management Server. These user accounts are local to each system, even after you have configured a Database Firewall to connect to a Management Server. For a standalone Database Firewall, in which both the Database Firewall and the Management Server are on the same Linux server, the system administrator user can perform all functions. However, if the Database Firewall is on a separate server from the Management Server, after you connect the Management Server to this Database Firewall, the system administrator functions change. For example:

  • Database Firewall administrator: Can now only change network settings, view network traffic, remove the Database Firewall from the Management Server, and similar tasks specific to the current Database Firewall.

  • Management Server administrator: Can create and manage enforcement points, configure policies, run reports, archive, and so on.

See "Which Administration Console Should I Use?" for a full list of the privileges associated with these two accounts.

The default administrator user name is admin (lower case only). For better security and separation of duty, Oracle recommends that you reserve the admin user account as a back-up user account, and then create a separate administrative account for one or more existing users for day-to-day operations. This way, if the administrative user is unavailable or leaves the company, you have a back-up administrative user account to take this user's place. For all of the user account options, you can create as many users as your site requires.

To ensure full traceability of system changes, the administration log stores the login ID of any person who makes a change from the Administration Console. Another reason for having separate Administration Console accounts is that this log enables you to easily track users who make changes to the Database Firewall system.

Figure 13-11 shows the Users page of the Administration Console.

Figure 13-11 Configuring Users


Creating a New User Account

To create a new user account:

  1. Log in to the Administration Console.

    You can log in to a standalone or managed Database Firewall, or a Management Server. See "Logging in to the Administration Console" for more information about logging in.

  2. Select the System tab.

    The System Settings page appears.

  3. In the Users menu, select Add New.

    The Add User page appears.

  4. Complete the following information:

    • User name: Enter the login user name for the account (for example, psmith or lbernstein). Remember that this name is case sensitive. For example, if you create lbernstein, trying to log in as LBERNSTEIN will fail.

    • First Name: Enter the user's first name.

    • Last Name: Enter the user's last name.

    • Email: Enter the user's e-mail address.

    • Role: Select from the following roles:

      • System Administrator: Gives the user full access to all options in the Administration Console, and to connect from the Analyzer.

      • View-only User: Enables the user to view log data, change his or her password, and connect from the Analyzer. This role enables the user to see statement details in the Analyzer. This user can create a policy file, but cannot upload it.

      • Log Administrator: Enables a user of the Administration Console to view log data, change his or her password, configure logging, run archive or restore jobs, and connect from the Analyzer.

    • Suspended: Select this check box to suspend the user account.

    • Force Password Change on Next Login: Select this check box to enable the user to create a private password the first time that the user logs in. By default, this check box is selected.

    • Password: Enter a secure password. Follow these guidelines:

      • Make the password between 8 and 30 characters long.

      • Include in the password at least one digit, one upper-case character, and one lower-case character.

      • Do not use an actual word for the entire password.

      • Combine two weaker passwords, such as welcome and binky1, into WelBinky1Come.

    • Confirm Password: Re-enter the password.

  5. Click the Signup button.

Later on, if you must change the user account, select List from the Users menu, and then click the name of the user account that you want to change. The Edit User page appears.

Creating Password Policies

For better security, you can create password policies to force users to use strong passwords. The password policy applies to all users managed by the Database Firewall.

To create a password policy:

  1. Log in to the Administration Console.

    You can log in to a standalone or managed Database Firewall, or a Management Server. See "Logging in to the Administration Console" for more information about logging in.

  2. Select the System tab.

    The System Settings page appears.

  3. In the Users menu, select Security.

    The User Security Settings page appears.

  4. Specify the following settings:

    • Enforce Strong Passwords: Select this check box to enforce the following criteria:

      • Must contain lowercase and uppercase characters

      • Must contain at least one non alphabetical character

      • Must not be systematic or simple (for example, abcde or 12345)

      • Must not be made up of mostly the same characters (for example, aaaaaa11111)

      If you disable this option, Oracle Database Firewall will give users advice about the strength of their passwords but will not enforce these guidelines.

    • Minimum Password Length: Enter a numeric value. The default is 6.

    • Enforce Novel Passwords: Select this check box to prevent users from specifying a password that they have used in the past.

    • Expire Passwords: Enter a numeric value to force users to change their passwords after a specified number of days. To disable password expiration, enter 0.

  5. Click the Save button.
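As an added illustration (not part of the guide or the product), here is a Python checker that applies the User Security Settings above and the password guidelines from "Creating a New User Account". The guide does not define what counts as "systematic" or "mostly the same characters", so the sequential-run length of 5 and the 50% single-character share used here are assumptions:

```python
from collections import Counter


def has_sequential_run(password, run=5):
    """True if `run` characters in a row step by +1 or -1 in code point, such
    as 'abcde', '12345' or 'edcba'. The run length of 5 is an assumption."""
    for step in (1, -1):
        count = 1
        for a, b in zip(password, password[1:]):
            count = count + 1 if ord(b) - ord(a) == step else 1
            if count >= run:
                return True
    return False


def mostly_same_characters(password, share=0.5):
    """True if a single character makes up `share` or more of the password,
    as in 'aaaaaa11111'. The 50% threshold is an assumption."""
    if not password:
        return True
    (_, top), = Counter(password).most_common(1)
    return top / len(password) >= share


class PasswordPolicy:
    """The four User Security Settings described above."""

    def __init__(self, enforce_strong=True, min_length=6,
                 enforce_novel=True, expire_days=0):
        self.enforce_strong = enforce_strong
        self.min_length = min_length          # guide default is 6
        self.enforce_novel = enforce_novel
        self.expire_days = expire_days        # 0 disables expiration

    @staticmethod
    def strength_findings(password):
        """The Enforce Strong Passwords criteria; with the option disabled
        these would be shown as advice only, not enforced."""
        findings = []
        if not (any(c.islower() for c in password)
                and any(c.isupper() for c in password)):
            findings.append("must contain lowercase and uppercase characters")
        if all(c.isalpha() for c in password):
            findings.append("must contain at least one non-alphabetical character")
        if has_sequential_run(password):
            findings.append("must not be systematic or simple")
        if mostly_same_characters(password):
            findings.append("must not be made up of mostly the same characters")
        return findings

    def check(self, password, history=()):
        """Return the list of policy violations (empty means accepted)."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        if self.enforce_strong:
            problems += self.strength_findings(password)
        if self.enforce_novel and password in history:
            problems.append("must not be a previously used password")
        return problems

    def is_expired(self, days_since_change):
        """Expire Passwords: 0 disables, otherwise the password expires
        after the configured number of days."""
        return self.expire_days > 0 and days_since_change >= self.expire_days


def meets_account_guidelines(password):
    """Guidelines from 'Creating a New User Account': 8 to 30 characters with
    at least one digit, one upper-case and one lower-case character. (The
    'not an actual word' rule needs a word list and is not checked here.)"""
    return (8 <= len(password) <= 30
            and any(c.isdigit() for c in password)
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password))


if __name__ == "__main__":
    policy = PasswordPolicy(expire_days=90)
    for candidate in ("WelBinky1Come", "abcde1A", "aaaaaa11111"):
        print(candidate, policy.check(candidate), meets_account_guidelines(candidate))
```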

Viewing and Capturing Network Traffic in an Individual Database Firewall

This section contains:

Viewing Network Traffic

You can view network traffic for standalone or managed Database Firewalls. You can display network traffic in real time on the screen by clicking Show in the Network Traffic menu of the System tab. This option is not available for the Management Server.

Figure 13-12 shows the Network Traffic page of the Administration Console of a Database Firewall.

Figure 13-12 Viewing Network Traffic from a Database Firewall


Capturing Network Traffic

You can capture the network traffic to a file (.pcap file type) that you can later download and analyze.

To capture the network traffic to a file:

  1. Log in to the standalone or managed Database Firewall Administration Console.

    See "Logging in to the Administration Console" for more information about logging in.

  2. Select the System tab.

  3. Under the Network Traffic menu, select Capture to File.

    In a moment, the Network Traffic page lists the traffic file:


  4. In the Network traffic files area, click the download button.

  5. In the File Download dialog box, click Save.

  6. In the Save As dialog box, navigate to the directory where you want to save the file, and then click the Save button.