3 Configuring a Database Firewall Management Server

About Configuring an Oracle Database Firewall Management Server-Based System

This chapter explains how to configure a Management Server for one or more Database Firewalls in your system.

Before you start, make sure that each device has been installed, as described in Oracle Database Firewall Installation Guide.

There are five main steps involved in the configuration process:

  1. Perform the initial configuration tasks at the Oracle Database Firewall Management Server, for example, to confirm the Database Firewall Management Server IP address and set the date and time.

  2. Configure each managed Database Firewall (for example, install the certificate from the Management Server).

  3. Add each Oracle Database Firewall at the Oracle Database Firewall Management Server.

  4. Run the Enforcement Point Wizard at the Oracle Database Firewall Management Server.

  5. Check that the system is functioning correctly.

Each of these steps is described next. If resilient pairs of Oracle Database Firewall Management Servers or Oracle Database Firewalls are required, some of the above steps must be completed for each device.

Note:

Your browser should have JavaScript enabled to allow any error messages to be displayed. In Internet Explorer, select Tools, Internet Options, click Custom Level in the Security tab, and choose Enable for Active scripting. In Mozilla Firefox, select Tools, Options, and select Enable JavaScript in the Content tab.

Step 1: Perform Initial Tasks for Each Database Firewall Management Server

If you plan to use two Management Servers as a resilient pair for a high-availability environment, then perform the following steps for each Management Server.

Step 1A: Specify the Management Server System Settings

  1. Log in to the Management Server Administration Console.

    See "Logging in to the Administration Console" for more information.

    The Management Server Administration Console appears:

    Illustration: mgmt_adm_con.gif (the Management Server Administration Console)

  2. Select the System tab.

  3. In the System menu, click Settings, and then click the Change button.

  4. Complete the fields as necessary.

    • IP Address: The IP address of the Oracle Database Firewall Management Server for use by Oracle Database Firewall applications such as the Analyzer, or to connect to the Administration Console. An IP address was set during the installation of the Oracle Database Firewall Management Server; if you want to use a different address, you can change it now. The IP address is static and must be obtained from the network administrator.

      The specified IP Address may need to be added to routing tables to enable traffic to go between the Database Firewall Management Server and Oracle Database Firewall applications.

    • User Interface Port: The port number used to connect to the Administration Console. The default port numbers are listed in Oracle Database Firewall Installation Guide. If you change this port number, then you must specify the new one in the URL when you log in to the Database Firewall Administration Console. Use the following syntax:

      https://ip_address:port/user/login
      
    • Network Mask: The network subnet mask of the Oracle Database Firewall Management Server.

    • Name: Enter the host name for the Management Server. The host name must start with a letter, can contain a maximum of 24 characters, and cannot contain spaces.

    • Default Gateway: (optional) The IP address of the default gateway (for example, for internet access). The default gateway should be on the same subnet as the host.

    • DNS Server 1/2/3: (optional) The IP addresses of up to three DNS servers on the network. These are used to resolve any network names that may be used at the Oracle Database Firewall Management Server. Keep the fields blank if there is no DNS server, otherwise system performance may be impaired.

    • Web Access: If you want to allow only selected computers to access the Oracle Database Firewall Management Server Administration Console, enter their IP addresses in the box. Using the default of all allows access from any computer on your site.

    • Terminal Access: You can specify a list of IP addresses that are allowed to access the Oracle Database Firewall Management Server from a remote console. Entering all allows access from any computer on your site. The default of disabled prevents console access from any computer.

    • SNMP Access: Specifies a list of IP addresses that are allowed to access the Oracle Database Firewall Management Server's network configuration through SNMP (settings as per Terminal Access). The SNMP community string is gT8@fq+E.

    • Secure Log Access (Reporting): Specifies a list of IP addresses that are allowed to access the log data held on the Oracle Database Firewall Management Server, for example, to report using external reporting systems (settings as per Terminal Access). If you complete this setting, then ensure that you complete "Step 1B: Enable Secure Log Access".

    • Traffic Log Access (Analyzer): Specifies a list of IP addresses of computers running the Analyzer software that are allowed to access the traffic log on the Oracle Database Firewall Management Server (settings as per Terminal Access).

    • Link properties: Leave the setting at the default, unless your network has been configured not to use autonegotiation.

  5. Click Apply.
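
The Settings page states several constraints (host name rule, gateway on the host's subnet, the all / disabled / IP-list forms of the access fields) that the console only reports one at a time. The following added example, which is not code from the Oracle documentation or product, encodes those rules so a planned configuration can be checked before it is typed in. The settings-dict layout, the use of field names as keys and the sample values are assumptions of this example; the same checks apply to the per-firewall Settings page described in Step 3B.

```python
"""Pre-flight checks for the Management Server system settings (Step 1A).

Added example, not Oracle code. Field names as dict keys and the sample
values below are assumptions of this example.
"""
import ipaddress
import re

ACCESS_FIELDS = (
    "Web Access",
    "Terminal Access",
    "SNMP Access",
    "Secure Log Access (Reporting)",
    "Traffic Log Access (Analyzer)",
)


def check_hostname(name):
    """Name field: starts with a letter, at most 24 characters, no spaces.

    Returns a list of problems; an empty list means the name is acceptable.
    """
    problems = []
    if not name or not name[0].isalpha():
        problems.append("must start with a letter")
    if len(name) > 24:
        problems.append("exceeds 24 characters")
    if any(ch.isspace() for ch in name):
        problems.append("must not contain spaces")
    return problems


def check_gateway(ip, mask, gateway):
    """Default Gateway is optional; when set it must lie on the host's subnet."""
    if not gateway:
        return []
    net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    gw = ipaddress.ip_address(gateway)
    if gw not in net:
        return [f"Default Gateway {gateway} is not on subnet {net}"]
    if gw == ipaddress.ip_address(ip):
        return ["Default Gateway must not be the host's own address"]
    return []


def parse_access_list(value):
    """Parse one access field into ('all', None), ('disabled', None) or ('list', [ips]).

    Raises ValueError for anything else, including a malformed address.
    """
    text = (value or "").strip()
    if text.lower() == "all":
        return ("all", None)
    if text.lower() == "disabled":
        return ("disabled", None)
    ips = [str(ipaddress.ip_address(tok)) for tok in re.split(r"[\s,]+", text) if tok]
    if not ips:
        raise ValueError("empty access list")
    return ("list", ips)


def validate_settings(settings):
    """Run every check over a settings dict and return the list of findings."""
    findings = [f"Name: {p}" for p in check_hostname(settings.get("Name", ""))]
    try:
        ip, mask = settings["IP Address"], settings["Network Mask"]
        ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    except (KeyError, ValueError) as exc:
        findings.append(f"IP Address / Network Mask: {exc}")
    else:
        findings += check_gateway(ip, mask, settings.get("Default Gateway"))
    port = settings.get("User Interface Port")
    if port is not None and not 1 <= int(port) <= 65535:
        findings.append(f"User Interface Port {port} is out of range")
    for field in ACCESS_FIELDS:
        try:
            kind, _ = parse_access_list(settings.get(field, "disabled"))
        except ValueError as exc:
            findings.append(f"{field}: {exc}")
            continue
        # 'all' admits every host on the site; an explicit list is the tighter choice.
        if kind == "all":
            findings.append(f"{field}: 'all' admits every host on the site; prefer an explicit list")
    return findings


# Constructed sample of a planned Step 1A configuration (not values from the page).
SAMPLE_SETTINGS = {
    "IP Address": "10.0.1.20",
    "User Interface Port": 443,
    "Network Mask": "255.255.255.0",
    "Name": "dbfw-mgmt01",
    "Default Gateway": "10.0.1.1",
    "Web Access": "all",
    "Terminal Access": "10.0.1.5",
    "SNMP Access": "disabled",
    "Secure Log Access (Reporting)": "10.0.1.40",
    "Traffic Log Access (Analyzer)": "10.0.1.50, 10.0.1.51",
}

if __name__ == "__main__":
    for line in validate_settings(SAMPLE_SETTINGS) or ["no findings"]:
        print(line)
```

Run against the sample, the only finding is that Web Access is left at all; everything else parses and the gateway sits on the host's /24. Entering the values in the console once the list is empty avoids a round of Apply, error, correct.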

Step 1B: Enable Secure Log Access

If you completed the settings in the Secure Log Access (Reporting) field in "Step 1A: Specify the Management Server System Settings", then you must enable the access in the Database Firewall server.

  1. Log in to the Database Firewall server as user root.

  2. Change to the oracle user.

    su - oracle
    
  3. Set the following environment variables:

    export ORACLE_HOME=/var/lib/oracle/dbfw
    export ORACLE_SID=dbfwdb
    export PATH=$PATH:$ORACLE_HOME/bin/
    
  4. Log in to the database on this server using SQL*Plus.

    sqlplus sys as sysdba
    Enter password: password
    
  5. Enable the dbfw_report account and grant this user a password.

    ALTER USER dbfw_report ACCOUNT UNLOCK IDENTIFIED BY password;
    
  6. Exit SQL*Plus.

Step 1C: Set the Database Firewall Management Server Date and Time

It is important to ensure that the date and time set for the Management Server are correct, because events performed by the Management Server are logged with the date and time at which they occur. In addition, archiving occurs at specified intervals based on the time settings.

To set the Management Server date and time:

  1. In the Management Server Administration Console, select the System tab.

    The System Settings page appears.

  2. Scroll down and click Change in the Time Settings area.

  3. Enter the correct date and time, then click Apply.

    If a Database Firewall and Management Server are in different time zones, then the audit reports and summary reports will use the time zone of the Database Firewall that created the log file.

  4. Restart the Management Server.

    In the System menu, select Management, and then under Reboot and power off, click the Reboot button.

Step 1D: Specify the Management Server NTP Time Server

You can use a Network Time Protocol (NTP) time server to update the time at the Oracle Database Firewall Management Server automatically. To enable time synchronization, you must also specify the IP address of the default gateway and a DNS server, as described in the next section.

To specify the NTP time server settings:

  1. In the Management Server Administration Console, select the System tab.

  2. In the System menu, click Time Synchronization.

  3. In the Time and Date Settings page, click the Change button.

    The following page is displayed.

    Illustration: image013.gif (the time synchronization settings page)

  4. Use the Time Offset list to select your local time with respect to Coordinated Universal Time (UTC).

    For example, UTC-5 is five hours behind UTC. It is essential to select the correct setting to ensure that the time is set accurately during synchronization.

  5. Select the Enabled check box after NTP Time Synchronization.

  6. Under System Time, use the default server addresses, or enter the addresses of your preferred time servers.

    See "Configuring the System" for more information about the options on this page.

  7. Optionally, click the Test Server button to test each server.

  8. To apply the server time after you click Save, select the Enabled check box.

  9. Click Save.

Step 1E: Configure the Management Server Syslog Destinations

Use the following procedure to configure the types of syslog messages to send from the Oracle Database Firewall Management Server (for example, to signal blocked statements).

  1. In the Management Server Administration Console, click the System tab.

  2. In the Connectors menu, select Syslog.

    The following page is displayed.

    Illustration: image017.gif (the Syslog settings page)

  3. Complete the fields, as necessary:

    • Syslog Destinations (UDP): Use this box if you are using User Datagram Protocol (UDP) to communicate syslog messages (for example, disk full) from the Oracle Database Firewall Management Server. Enter the IP address of each machine that is permitted to receive the syslog messages.

    • Syslog Destinations (TCP): Use this box if you are using Transmission Control Protocol (TCP) to communicate syslog messages from the Oracle Database Firewall Management Server. Enter the IP address and port number of each server that is permitted to receive the syslog messages.

    • Syslog Categories: You can select the types of syslog messages to generate. The categories have the following meanings:

      • System: System messages generated by Oracle Database Firewall or other software, which have a syslog priority level of at least "INFO".

      • Alerts: Oracle Database Firewall and F5 alerts (Oracle Database Firewall syslog message IDs 9, 10, 11 and 12).

        This category is not present on the Management Server.

      • Info: General Oracle Database Firewall messages and property changes (Oracle Database Firewall syslog message IDs 1, 4 and 8).

      • Debug: Engineering debug messages (for Oracle Database Firewall use only).

      • Heartbeat: Oracle Database Firewall heartbeat message and current statistics (Oracle Database Firewall syslog message ID 3).

        This category is not present on the Management Server.

      For more information about the meaning of each syslog message, see Appendix C, "Syslog Message Format."

  4. Click Apply.
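
The two destination boxes take different entry forms (IP address for UDP, IP address and port for TCP), and two of the categories listed are not present on the Management Server. The following added example, which is not code from the Oracle documentation or product, checks a planned syslog configuration against what the page states, including the 1024 to 1048576 byte Maximum Syslog Message Length that the per-firewall Settings page in Step 3B adds. The ip:port separator, the dict layout and the sample values are assumptions of this example.

```python
"""Checks for the Syslog connector fields (Step 1E) and the matching
per-firewall fields (Step 3B).

Added example, not Oracle code. The ip:port entry form, the dict layout and
the sample values are assumptions of this example.
"""
import ipaddress
import re

CATEGORIES = {"System", "Alerts", "Info", "Debug", "Heartbeat"}
NOT_ON_MANAGEMENT_SERVER = {"Alerts", "Heartbeat"}
MIN_MSG_LEN, MAX_MSG_LEN = 1024, 1048576


def _tokens(text):
    """Split a box's contents on whitespace or commas, dropping empty entries."""
    return [tok for tok in re.split(r"[\s,]+", (text or "").strip()) if tok]


def parse_udp_destinations(text):
    """UDP destinations: IP addresses only (no port). Returns normalised strings."""
    return [str(ipaddress.ip_address(tok)) for tok in _tokens(text)]


def parse_tcp_destinations(text):
    """TCP destinations: 'ip:port' entries (IPv6 in brackets, an assumption).

    Returns a list of (ip, port) tuples; raises ValueError on a missing or bad port.
    """
    out = []
    for tok in _tokens(text):
        host, sep, port = tok.rpartition(":")
        if not sep or not port.isdigit() or not 1 <= int(port) <= 65535:
            raise ValueError(f"TCP destination {tok!r} needs the form ip:port")
        ip = ipaddress.ip_address(host.strip("[]"))
        out.append((str(ip), int(port)))
    return out


def check_syslog(config, on_management_server=True):
    """Validate a syslog configuration dict and return a list of findings."""
    findings = []
    try:
        udp = parse_udp_destinations(config.get("Syslog Destinations (UDP)"))
    except ValueError as exc:
        udp, findings = [], findings + [f"UDP destinations: {exc}"]
    try:
        tcp = parse_tcp_destinations(config.get("Syslog Destinations (TCP)"))
    except ValueError as exc:
        tcp, findings = [], findings + [f"TCP destinations: {exc}"]

    selected = set(config.get("Syslog Categories", []))
    for cat in sorted(selected - CATEGORIES):
        findings.append(f"unknown category {cat!r}")
    if on_management_server:
        for cat in sorted(selected & NOT_ON_MANAGEMENT_SERVER):
            findings.append(f"category {cat!r} is not present on the Management Server")
    if selected and not (udp or tcp):
        findings.append("categories selected but no syslog destination configured")
    # UDP gives no delivery guarantee; flag it when nothing else carries the messages.
    if udp and not tcp:
        findings.append("only UDP destinations: delivery is best effort, consider a TCP destination")

    length = config.get("Maximum Syslog Message Length")
    if length is not None and not MIN_MSG_LEN <= int(length) <= MAX_MSG_LEN:
        findings.append(f"Maximum Syslog Message Length {length} outside {MIN_MSG_LEN}..{MAX_MSG_LEN}")
    return findings


# Constructed sample of a planned Management Server syslog configuration.
SAMPLE_SYSLOG = {
    "Syslog Destinations (UDP)": "10.0.2.10, 10.0.2.11",
    "Syslog Destinations (TCP)": "10.0.2.12:6514",
    "Syslog Categories": ["System", "Info"],
}

if __name__ == "__main__":
    for line in check_syslog(SAMPLE_SYSLOG) or ["no findings"]:
        print(line)
```

Pass on_management_server=False when checking the per-firewall Settings page of Step 3B, where Alerts and Heartbeat are valid selections and Maximum Syslog Message Length applies.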

If you are using two Oracle Database Firewall Management Servers as a resilient pair, repeat "Step 1: Perform Initial Tasks for Each Database Firewall Management Server" for the second Database Firewall Management Server.

Step 2: Perform Tasks for Each Oracle Database Firewall

Step 2A: Configure the Database Firewall System and Time Settings

Perform the tasks described here for each Oracle Database Firewall that will be managed by the Oracle Database Firewall Management Server.

Set Date and Time

To configure the system and time settings, refer to "Step 1: Set the Standalone Database Firewall Date and Time", and "Step 2: Specify the Management Server NTP Time Server".

Specify Network and Services Settings

To change the IP address of Oracle Database Firewall, or to specify the IP address of the gateway and DNS servers:

  1. Click the System tab.

  2. Click Settings in the System menu.

  3. Click Change in the System Settings area.

  4. Make the required changes, then click Apply.

Step 2B: Enter the Database Firewall Management Server Certificate and IP Address

Change each Oracle Database Firewall that will be managed by the Oracle Database Firewall Management Server from standalone to managed mode. To do so, copy the certificate details held on the Oracle Database Firewall Management Server and paste them into each Oracle Database Firewall. This enables Oracle Database Firewall to communicate with the Oracle Database Firewall Management Server.

  1. At the Oracle Database Firewall Management Server Administration Console:

    1. Click Certificate in the System menu.

    2. Copy all the text displayed in the large box.

  2. At the Oracle Database Firewall Administration Console:

    1. Click Management Server in the System menu.

    2. Enter the IP address of the Management Server in the Oracle Database Firewall Management Server IP Address field.

    3. Paste the Oracle Database Firewall Management Server certificate text into the Certificate box.

    4. Click Apply.

      When you click Apply, Oracle Database Firewall changes from standalone to managed mode and links are removed. Removing the certificate or IP address reverts the Database Firewall to standalone mode.

  3. If you want to use a resilient pair of Management Servers for a high availability environment, then select the Add Second Oracle Database Firewall Management Server check box and repeat steps 1 and 2 to enter the details of the second Oracle Database Firewall Management Server.

Step 3: Complete the Final Database Firewall Management Server Tasks

Step 3A: Specify Management Server Partner Settings (Resilient Pair Only)

  1. Copy the certificate details from the Oracle Database Firewall Management Server that you are not currently configuring, as described in the previous section.

  2. At the Oracle Database Firewall Management Server you are configuring, select the System tab.

  3. In the System menu, select Settings.

  4. In the System Settings page, under the High Availability Pairing section, click Change.

    The following window is displayed:

    Illustration: high_av_set.gif (the High Availability Pairing settings window)

  5. Select primary or secondary under Change Status.

  6. Enter the IP address and certificate of the partner Management Server and save the changes.

  7. Repeat the preceding steps for the second Management Server.

Synchronize Now is enabled when you enter the partner details. Selecting the Synchronize Now button forces an immediate synchronization of the two Oracle Database Firewall Management Servers. It is not normally necessary to use this button, since an auto-synchronization occurs 5 minutes after the last change.

Step 3B: Add Each Oracle Database Firewall to the Management Server

Add each Oracle Database Firewall as follows:

  1. Display the Oracle Database Firewall Management Server Administration Console.

    This must be the primary Oracle Database Firewall Management Server if a resilient pair of Oracle Database Firewall Management Servers is used.

    Note:

    You can determine which Oracle Database Firewall Management Server is the primary from the Status field in the High Availability Pairing section of the System Settings page.

    Also, the secondary Management Server has a red bar, which clearly identifies it as secondary.

  2. Click the Appliances tab.

  3. Click Add in the Appliances menu.

  4. Enter a name for the Oracle Database Firewall in the first field, and its IP address in the second.

  5. Click Save.

    If there is a message that indicates that there is a problem with the certificate, check that the date and time are set correctly in the Oracle Database Firewall.

  6. Click the Settings button for the Oracle Database Firewall, and complete the fields displayed.

    • Set Time To: Set this to the time that you want traffic to be logged with. Typically, you set it to the local time.

    • DNS Server 1/2/3: Optional. Contains the settings from Table 3-0, "Step 1A: Specify the Management Server System Settings" and enables you to modify them if necessary.

      For the DNS Server 1, DNS Server 2, and DNS Server 3 fields, enter the IP addresses of up to three DNS servers on the network. Oracle Database Firewall uses these addresses to resolve any network names that may be used at the Oracle Database Firewall Management Server. Keep the fields blank if there is no DNS server, otherwise system performance may be impaired.

    • Syslog Destinations: Use this box if you are using User Datagram Protocol (UDP) to communicate syslog messages (for example, disk full) from the Oracle Database Firewall Management Server. Enter the IP address of each machine that is permitted to receive the syslog messages.

    • Syslog TCP Destinations: Use this box if you are using Transmission Control Protocol (TCP) to communicate syslog messages from the Oracle Database Firewall Management Server. Enter the IP address and port number of each server that is permitted to receive the syslog messages.

    • Syslog Category: Select from the following types of syslog messages to generate:

      • System: System messages generated by Oracle Database Firewall or other software, which have a syslog priority level of at least "INFO".

      • Alerts: Oracle Database Firewall and F5 alerts (Oracle Database Firewall syslog message IDs 7, 9, 10, 11 and 12).

        This category is not present on the Management Server.

      • Info: General Oracle Database Firewall messages and property changes (Oracle Database Firewall syslog message IDs 1, 4 and 8).

      • Debug: Engineering debug messages (for Oracle Database Firewall use only).

      • Heartbeat: Oracle Database Firewall heartbeat message and current statistics (Oracle Database Firewall syslog message ID 3).

        This category is not present on the Management Server.

    • Maximum Syslog Message Length: Enter the maximum length, in bytes, of each syslog message. The accepted range of values is 1024 to 1048576. The default is 1024.

    • Web Access: If you want to allow only selected computers to access the Oracle Database Firewall Management Server Administration Console, enter their IP addresses in the box. Using the default of all enables access from any computer on your site.

    • Terminal Access: You can specify a list of IP addresses that are allowed to access the Oracle Database Firewall Management Server from a remote console. Entering all allows access from any computer on your site. The default of disabled prevents console access from any computer.

    • SNMP Access: Specifies a list of IP addresses that are allowed to access the Oracle Database Firewall Management Server's network configuration through SNMP (settings as per Terminal Access). The SNMP community string is gT8@fq+E.

    • Traffic sources: Select the Enabled check box to enable network traffic to pass over the bridge for Database Policy Enforcement (DPE) mode.

      The Bridge IP address and the Bridge Mask address connect the Oracle Database Firewall in-line between the database and clients. They are used when Database Policy Enforcement mode is used.

      Caution: Do not connect both bridge ports to the same network segment. Doing so can cause network problems.

    • NTP Time Synchronization: Select the Enabled check box to synchronize the NTP time settings between the configured Database Firewalls.

    • Time Offset: Select your local time from this list with respect to Coordinated Universal Time (UTC). For example, UTC-5 is five hours behind UTC. It is essential to select the correct setting to ensure that the time is set accurately during synchronization.

    • Server 1/2/3: For the Server 1, Server 2, and Server 3 settings, use the default server addresses, or enter the host names or IP addresses of your preferred time servers.

    • Apply Server Time After Save: Select the Enabled check box to apply the server time after you save and exit this page.

  7. Click the Apply button.

  8. Repeat the procedure for each Oracle Database Firewall that the Oracle Database Firewall Management Server manages, including the second Oracle Database Firewall of a resilient pair.

Step 3C: Define Resilient Pairs of Oracle Database Firewalls

Complete the following steps if you want to create a resilient pair of Oracle Database Firewalls:

  1. Display the Oracle Database Firewall Management Server Administration Console (this must be the primary Database Firewall Management Server if a resilient pair of Oracle Database Firewall Management Servers is used).

  2. Select the Appliances tab.

  3. In the Resilience menu, select Create Resilient Pair.

  4. To add a resilient pair, click the Add button, and then enter the name and IP address of the Database Firewall that you want to use. Then click Save.

Step 4: Configure the Management Server Enforcement Points

You must configure each Management Server enforcement point. Remember that this Database Firewall Management Server must be the primary server if you have configured a resilient pair of servers.

To configure the Management Server enforcement points:

  1. In the Management Server Administration Console, select the Monitoring tab.

  2. In the Enforcement Points menu, select Create.

  3. Enter the following information:

    • Name: Enter a name for the enforcement point.

    • Use a built-in enforcement point (Monitor locally): The number of currently available enforcement points you can create is displayed.

  4. Click Next.

    The Enforcement Point Wizard: Step 2 page appears.

  5. Enter the following information:

    • Protected Database: Select from the list of available databases.

    • Name: Enter a name for the database to be monitored (this and the remaining options are not used if you have not selected an existing database).

    • Database Type: Select the database type.

    • Address and Port: Specify the IP address and port number of the database management system (i.e. the IP settings used by database clients to send traffic to the database), then click Add. If the protected database has more than one interface and/or port, enter the additional Address and Port details, then click Add again. If you are using a Domain Name Server (DNS), you can enter a hostname instead of an IP address.

  6. Click Next.

    The Enforcement Point Wizard: Step 3 page appears.

  7. Enter the following settings:

    • Monitoring Mode: Select Database Activity Monitoring (DAM) if the enforcement point is to be used only to log statements and provide warnings of potential attacks. Select Database Policy Enforcement (DPE) if the enforcement point is also required to block potential attacks. Database Policy Enforcement is available only if you upload a policy (as described next).

    • Policy: Select a baseline policy. You can select a custom policy developed using the Analyzer software by clicking Browse to select the file, then Upload. You can use the text box to add a description, which will be displayed in the Description column. If this is the first time you are creating a baseline policy, then Oracle recommends that you select the unique.dna policy.

  8. Click Next.

    The Enforcement Point Wizard: Step 4 page appears.

  9. Check your settings, and if you are satisfied, then click the Finish button.

Step 5: Test the Management Server System Operation

You should verify that the system is fully operational before commencing normal day-to-day operations.

To test the system operation:

  1. In the Firewall Management Server Administration Console, click the Monitoring tab.

  2. In the Enforcement Points menu, select List.

    The Enforcement Points page appears.

  3. Click the Status button.

    In the Appliances area, ensure that there is a green check-mark indicator in the Status column against the device that is performing the monitoring.

  4. Click the Dashboard tab, and check that Total Statements increases every minute. This indicates that statements are being recognized.

  5. Click the Reporting tab, then View in the Traffic Log menu. Click Start to see the statements that are being saved to the traffic log (the latest information may take up to five minutes to display).

  6. Use the Analyzer software to verify that data can be obtained from the traffic log.

What's Next?

The tasks in this chapter complete the initial configuration of the Database Firewall Management Server. Your next step is to configure the connection between the protected databases and Database Firewalls. Depending on site requirements, you may need to configure other features, such as stored procedure auditing, user role auditing and local monitoring. These features are explained in later chapters of this guide.

After you have configured the installed Database Firewalls and the Management Server, users will be able to begin analyzing data. Once a policy has been developed, you must upload it. See Oracle Database Firewall Security Management Guide for information about listing and uploading policies.

Chapter 13, "System Administration," explains system administration tasks, including how to set up new users, monitor the system and produce reports.