4 Configuring the Database Firewall

This chapter explains how to configure the Database Firewall on the network and how to configure traffic sources, bridges, and proxies.

Topics

About Configuring the Database Firewall

Configuring each Database Firewall's system and network settings depends on your overall plan for deploying Oracle Audit Vault and Database Firewall. See "Planning the System Configuration" for an overview of the planning steps.

When you configure each firewall, you identify the Audit Vault Server that will manage that firewall. Depending on your plan for the overall Oracle AVDF system configuration, you also configure the firewall's traffic sources, and determine whether it will be inline or out of band with network traffic, and whether you will use it as a proxy.

CAUTION:

The Audit Vault Server and the Database Firewall server are software appliances. You must not make any changes to the Linux operating system through the command line on these servers unless following official Oracle documentation or under guidance from Oracle Support.

Basic firewall configuration consists of these four steps:

  1. Configuring the Database Firewall's Network and Services Configuration

  2. Setting the Date and Time in the Database Firewall

  3. Specifying the Audit Vault Server Certificate and IP Address

  4. Configuring Database Firewalls on Your Network

After you have configured the Database Firewalls, you configure enforcement points for each database secured target that the firewall is protecting. See "Configuring Enforcement Points" for details on these procedures.

You can optionally set up resilient pairs of Database Firewalls for a high availability environment. See "Configuring High Availability" for details.

To understand the high-level workflow for configuring the Oracle AVDF system, see "Summary of Configuration Steps".

Logging in to the Database Firewall

For information on how to log in, see "Logging in to the Database Firewall Console UI". When you first log in, you are required to set up a password.

Configuring the Database Firewall's Network and Services Configuration

This section contains:

Configuring a Database Firewall's Network Settings

The installer configures initial network settings for the Database Firewall during installation. You can change the network settings after installation.

To change the Database Firewall network settings:

  1. Log in to the Database Firewall administration console.

  2. In the System menu, select Network.

  3. In the Network Configuration page, click the Change button.

  4. In the Management Interface section, complete the following fields as necessary, then click Save.

    • IP Address: The IP address of the currently accessed Database Firewall. An IP address was set during installation. If you want to use a different address, then you can change it here. The IP address is static and must be obtained from the network administrator.

    • Network Mask: The subnet mask of the Database Firewall.

    • Gateway: The IP address of the default gateway (for example, for internet access). The default gateway must be on the same subnet as the host.

    • Name: Enter a descriptive name for this Database Firewall. The name must be alphanumeric with no spaces.

    • Link properties: Do not change the default setting unless your network has been configured not to use auto negotiation.

Configuring a Database Firewall's Network Services

The network services configuration determines how users can access the Database Firewall. See the guidelines in "Protecting Your Data" to ensure that you take the appropriate security measures when configuring network services.

To configure a Database Firewall's network services:

  1. Log in to the Database Firewall administration console.

  2. In the System menu, select Services.

  3. Click the Change button, and in the Configure Network Services page, edit the following as necessary:

    • DNS Servers 1, 2, and 3: If you require hostnames to be translated, you must enter the IP address of at least one DNS server on the network. You can enter IP addresses for up to three DNS servers. Keep the fields blank if there is no DNS server, otherwise system performance may be impaired.

    • Web Access: If you want to allow selected computers to have Web access to the Database Firewall administration console, enter their IP addresses separated by spaces. Entering all allows access from any computer in your site.

    • SSH Access: If you want to allow selected computers to have secure shell access to the Database Firewall, enter their IP addresses separated by spaces. Enter disabled to block all SSH access. Enter all to allow unrestricted access.

    • SNMP Access: If you want to allow access to the network configuration of the Database Firewall through SNMP, enter a list of IP addresses that are allowed to do so, separated by spaces. Enter disabled to restrict all SNMP access. Enter all to allow unrestricted access. The SNMP community string is gT8@fq+E.

  4. Click Save.

Setting the Date and Time in the Database Firewall

To set the Database Firewall date and time:

  1. Log in to the Database Firewall administration console.

  2. Click Date and Time from the System menu on the left, and then scroll down and click the Change button.

  3. Enter the correct date and time in Coordinated Universal Time (UTC).

  4. (Optional) Select Enable NTP Synchronization.

    Selecting Enable NTP Synchronization keeps the time synchronized with the average of the time recovered from the time servers specified in the Server 1, Server 2, and Server 3 fields, which can contain an IP address or name. If a name is specified, the DNS server specified in the System Settings page is used for name resolution.

    To enable time synchronization, you also must specify the IP address of the default gateway and a DNS server, as described in "Configuring the Database Firewall's Network and Services Configuration".

  5. (Optional) Use the default NTP server addresses in the three Server fields, or enter the addresses of your preferred time servers.

    Note:

    If using host names instead of IP addresses, you must have DNS already configured, otherwise name resolution will not work. See "Configuring a Database Firewall's Network Services".

    Test Server displays the time from the server, but does not update the time.

    Selecting Synchronize Time After Save causes the time to be synchronized with the time servers when you click Save.

    WARNING:

    In DPE (blocking) mode, Synchronize Time After Save causes all enforcement points to restart, thereby dropping existing connections to protected databases. This would cause a temporary traffic disruption.

  6. Click Save.

Specifying the Audit Vault Server Certificate and IP Address

You must associate each Database Firewall with an Audit Vault Server by specifying the server's certificate and IP address, so that the Audit Vault Server can manage the firewall. If you are using a resilient pair of Audit Vault Servers for high availability, you must associate the firewall to both servers.

Note: You must specify the Audit Vault Server certificate and IP address to the Database Firewall before you register the firewall in the Audit Vault Server.

To specify the Audit Vault Server certificate and IP address:

  1. Log in to the Audit Vault Server as an administrator, and then click the Settings tab.

  2. In the Security menu, click Certificate.

    The server's certificate is displayed.

  3. Copy the server's certificate.

  4. Log in to the Database Firewall administration console.

  5. In the System menu, click Audit Vault Server.

  6. Enter the IP Address of the Audit Vault Server.

  7. Paste the Audit Vault Server's Certificate in the next field.

  8. If you are using a resilient pair of Audit Vault Servers, select the Add Second Audit Vault Server check box, and enter the IP address and certificate of the secondary Audit Vault Server.

    Tip:

    The secondary Audit Vault Server does not have a console UI. However, you can get the secondary server's certificate from the primary server: click the Settings tab, then High Availability from the System menu. The secondary server's certificate is in the Peer System Certificate field.
  9. Click Apply.

Configuring Database Firewalls on Your Network

This section contains:

About Configuring the Database Firewalls on Your Network

During your planning of the network configuration, you decide whether to place Database Firewalls inline with traffic to your secured target databases, or out of band (for example, using a spanning or mirror port). You may also decide to use a firewall as a traffic proxy. The network configuration is impacted by whether the Database Firewall will operate in DAM (monitoring only) or DPE (blocking) mode. See "The Database Firewall" for information on these modes.

Using the Database Firewall administration console, you configure each firewall's traffic sources, specifying whether the sources are inline with network traffic, and whether the firewall can act as a proxy.

You will use a firewall's traffic and proxy sources to configure enforcement points for each secured target database you are monitoring with that firewall. See "Configuring Enforcement Points" for details.

Configuring Traffic Sources

Traffic sources specify the IP address and network interface details for the traffic going through a Database Firewall. Traffic sources are automatically configured during the installation process, and you can change their configuration details later.

To change the configuration of traffic sources:

  1. Log in to the Database Firewall administration console.

  2. In the System menu, click Network.

    Current network settings are displayed including the Database Firewall's network settings, proxy ports, traffic sources, network interfaces, and any enabled bridges.

  3. Click the Change button.

  4. Scroll to the Traffic Sources section and change the following as necessary:

    • To remove the traffic source, click the Remove button next to the traffic source name.

    • Edit the IP address or Network Mask fields as necessary.

    • To enable or disable a bridge, check or uncheck the Bridge Enabled box. You can only enable a bridge if the traffic source has two network interfaces in the Devices area. See "Configuring a Bridge in the Database Firewall".

    • To remove a network interface (i.e., network card) from the traffic source, in the Devices area, click the Remove button for a device.

    • To add a network interface to a traffic source, scroll to the Unallocated Network Devices section, and from the Traffic Source drop-down list, select the name of the traffic source to which you want to add this device.

  5. Click Save.

Configuring a Bridge in the Database Firewall

The Database Firewall must be inline with network traffic if used in blocking mode to block potential SQL attacks. If the Database Firewall is not in proxy mode, then you must allocate an additional IP address that is unique to the database network, to enable a bridge. The bridge IP address is used to redirect traffic within the Database Firewall. When the Database Firewall is used as a proxy, you do not need to allocate this additional IP address. See "Configuring a Database Firewall as a Traffic Proxy" for details.

To enable a traffic source as a bridge, that traffic source must have two network interfaces. These network interface ports must connect the Database Firewall in-line between the database and its clients (whether Database Policy Enforcement or Database Activity Monitoring mode is used).

Note:

  • The IP address of the bridge must be on the same subnet as all protected databases deployed in DPE mode on that bridge. This restriction does not apply to protected databases deployed in DAM mode.

  • If the Database Firewall's management interface (specified in the console's Network page) and the bridge are connected to physically separate networks that are on the same subnet, the Database Firewall may route responses out of the wrong interface. If physically separate networks are required, use different subnets.

To configure the Database Firewall bridge IP address:

  1. Log in to the Database Firewall administration console.

  2. In the System menu, click Network, and then click the Change button.

  3. In the Traffic Sources section, find the traffic source that you want to configure as a bridge.

    This traffic source must have two network interfaces. You can add an interface if necessary from the Unallocated Network Interfaces section of the page. See "Configuring Traffic Sources".

  4. Select Bridge Enabled for this traffic source.

  5. If necessary, edit the IP address or Network Mask.

    The bridge IP address is used to redirect traffic within the Database Firewall.

  6. Click Save.

Configuring a Database Firewall as a Traffic Proxy

Depending on your network configuration, you may prefer to configure a traffic proxy in the Database Firewall instead of a bridge inline with network traffic. You can then associate the proxy with an enforcement point. You can also specify multiple ports for a proxy in order to use them for different enforcement points. See "Configuring Enforcement Points" for more information.

Once you set up the Database Firewall as a traffic proxy, your database clients connect to the database using the Database Firewall proxy IP and port.

To configure a traffic proxy:

  1. Ensure that the IP address of the proxy interface is on the same subnet as the secured target.

  2. Log in to the administration console of the Database Firewall that is acting as a proxy.

  3. In the System menu, click Network, then click the Change button.

  4. In the Unallocated Network Interfaces section of the page, find an available network interface, and select Traffic Proxy in Traffic Source drop-down list.

    To free up additional network interfaces, you can remove them from an existing traffic source or traffic proxy by clicking the Remove button for the network interface(s) you want to free up.

  5. Click Add.

    The new traffic proxy appears under the Traffic Proxies area of the page.

  6. Under the new proxy, select Enabled.

  7. In the Proxy Ports section for the new proxy, enter a Port number, and then click Add.

    You can specify more than one port per proxy by entering another port number and clicking Add.

  8. Check Enabled next to the port number(s).

  9. Click Save.

    The traffic proxy is now available to use in an Enforcement Point. See "Configuring Enforcement Points".

Viewing the Status and Diagnostics Report for a Database Firewall

To view the status and/or diagnostic report for a Database Firewall:

  1. Log in to the Database Firewall administration console.

    The Status page is displayed by default.

  2. If necessary, in the System menu, click Status.

    The Status page displays system status, component versions, grammar pack versions, free space, and diagnostic status.

    Text next to Diagnostic Status indicates OK or Errors.

  3. Next to the Diagnostic Status field, you can click:

    • Show Report to see an overview of diagnostic status.

    • Download Diagnostics to download all diagnostics files.