3 Configuring a Database Firewall Management Server

About Configuring an Oracle Database Firewall Management Server-Based System

This chapter explains how to configure a Management Server for one or more Database Firewalls in your system.

Before you start, make sure that each device has been installed, as described in Oracle Database Firewall Installation Guide.

There are five main steps involved in the configuration process:

  1. Perform the initial configuration tasks at the Oracle Database Firewall Management Server, for example, to confirm the Database Firewall Management Server IP address and set the date and time.

  2. Configure each managed Database Firewall (for example, install the certificate from the Management Server).

  3. Add each Oracle Database Firewall at the Oracle Database Firewall Management Server.

  4. Run the Enforcement Point Wizard at the Oracle Database Firewall Management Server.

  5. Check that the system is functioning correctly.

Each of these steps is described next. If resilient pairs of Oracle Database Firewall Management Servers or Oracle Database Firewalls are required, some of the above steps must be completed for each device.

Note:

Some error messages that may occur during configuration require that your Web browser have JavaScript enabled.

Step 1: Perform Initial Tasks for Each Database Firewall Management Server

If you plan to use two Management Servers as a resilient pair for a high-availability environment, then perform the following steps for each Management Server.

Step 1A: Specify the Management Server System Settings

System settings consist of network and services configuration as shown in the following procedures.

To configure the Management Server network settings:

  1. Log in to the Management Server Administration Console.

    See "Logging in to the Administration Console" for more information.

    The Management Server Administration Console appears:

    [Illustration: mgmt_adm_con.gif]

  2. Select the System tab.

  3. In the System menu, click Network.

  4. In the Network Configuration page, click the Change button.

  5. Complete the fields as necessary, then click Save.

    • IP Address: The IP address of the Oracle Database Firewall Management Server for use by Oracle Database Firewall applications such as the Analyzer, or to connect to the Administration Console. An IP address was set during the installation of the Oracle Database Firewall Management Server; if you want to use a different address, you can change it now. The IP address is static and must be obtained from the network administrator.

      The specified IP Address may need to be added to routing tables to enable traffic to go between the Database Firewall Management Server and Oracle Database Firewall applications.

    • Network Mask: The subnet mask of the Oracle Database Firewall Management Server.

    • Gateway: (optional) The IP address of the default gateway (for example, to access the management interface from another subnet). The default gateway should be on the same subnet as the host.

    • Name: Enter the host name for the Management Server. The host name must start with a letter, can contain a maximum of 24 characters, and cannot contain spaces.

    • Link properties: Leave the setting at the default, unless your network has been configured not to use autonegotiation.

To configure the Management Server services:

  1. In the System tab, under the System menu, click Services.

  2. Click the Change button.

    [Illustration: services_edit.gif]

  3. Complete the following fields as necessary, then click Save.

    Caution:

    When allowing access to the Database Firewall you must be careful to take proper precautions to maintain security. See the Security Guidelines chapter in Oracle Database Firewall Security Guide for a list of recommendations before completing this step.

    • DNS Servers: (optional) The IP addresses of up to three DNS servers on the network. These are used to resolve any network names that may be used by Oracle Database Firewall Management Server. Keep the fields blank if there is no DNS server, otherwise system performance may be impaired.

    • Web Access: If you want to allow only selected computers to access the Administration Console, enter their IP addresses in the box. Using the default of all allows access from any computer in your site.

    • Terminal Access: You can specify a list of IP addresses that are allowed to access Oracle Database Firewall Management Server from a remote console. Entering all allows access from any computer in your site. The default of disabled prevents console access from any computer.

    • SNMP Access: Specifies a list of IP addresses that are allowed to access the network configuration of Oracle Database Firewall Management Server through SNMP (settings as per Terminal Access). The SNMP community string is gT8@fq+E.

    • Secure Log Access (Reporting): Specifies a list of IP addresses that are allowed to access the log data held on the Oracle Database Firewall Management Server, for example, to report using external reporting systems (settings as per Terminal Access). If you complete this setting, then ensure that you complete "Step 1B: Enable Secure Log Access".

    • Traffic Log Access (Analyzer): Specifies a list of IP addresses of computers running the Analyzer software that are allowed to access the traffic log on the Oracle Database Firewall Management Server (settings as per Terminal Access).
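The field rules in the two procedures above can be checked before the values are entered in the console. The following Python check is an added example, not part of the Oracle documentation or product; the dictionary layout, key names and sample addresses are assumptions made for illustration.

```python
import ipaddress

# Hypothetical key names for the five access-list fields on the Services page.
ACCESS_FIELDS = ("web_access", "terminal_access", "snmp_access",
                 "secure_log_access", "traffic_log_access")


def _bad_ips(values):
    """Return the entries of values that are not valid IP addresses."""
    bad = []
    for value in values:
        try:
            ipaddress.ip_address(value)
        except ValueError:
            bad.append(value)
    return bad


def check_settings(cfg):
    """Check planned Step 1A values; return (level, field, message) tuples."""
    out = []
    # IP Address and Network Mask are required; Gateway is optional and
    # should be on the same subnet as the host.
    try:
        host = ipaddress.ip_interface(f"{cfg['ip_address']}/{cfg['network_mask']}")
    except ValueError as exc:
        out.append(("ERROR", "ip_address", f"invalid address or mask: {exc}"))
        host = None
    gateway = cfg.get("gateway")
    if gateway:
        if _bad_ips([gateway]):
            out.append(("ERROR", "gateway", "not a valid IP address"))
        elif host and ipaddress.ip_address(gateway) not in host.network:
            out.append(("ERROR", "gateway", f"not on host subnet {host.network}"))
    # Name: starts with a letter, at most 24 characters, no spaces.
    name = cfg.get("name", "")
    if not (name[:1].isalpha() and len(name) <= 24 and " " not in name):
        out.append(("ERROR", "name", "must start with a letter, <= 24 chars, no spaces"))
    # DNS Servers: optional, up to three IP addresses.
    dns = cfg.get("dns_servers", [])
    if len(dns) > 3 or _bad_ips(dns):
        out.append(("ERROR", "dns_servers", "expected up to three valid IP addresses"))
    # Access fields: "all", "disabled", or a list of IP address strings.
    for field in ACCESS_FIELDS:
        value = cfg.get(field)
        if value is None or value == "disabled":
            continue
        if value == "all":
            out.append(("WARN", field, "open to any computer in the site"))
        elif isinstance(value, str):
            out.append(("ERROR", field, "expected 'all', 'disabled' or a list"))
        elif _bad_ips(value):
            out.append(("ERROR", field, f"invalid entries: {_bad_ips(value)}"))
    # Assumption: the Secure Log Access default is "disabled"; any other
    # value means Step 1B (unlocking dbfw_report) still has to be done.
    if cfg.get("secure_log_access") not in (None, "disabled"):
        out.append(("INFO", "secure_log_access", "complete Step 1B"))
    return out


# Constructed sample values (documentation address ranges), not real hosts.
SAMPLE = {
    "ip_address": "192.0.2.10", "network_mask": "255.255.255.0",
    "gateway": "198.51.100.1",                     # different subnet
    "name": "dbfw mgmt 01",                        # contains spaces
    "dns_servers": ["192.0.2.53"],
    "web_access": "all",
    "terminal_access": "disabled",
    "snmp_access": ["192.0.2.20", "192.0.2.300"],  # second entry is invalid
    "secure_log_access": ["192.0.2.30"],
    "traffic_log_access": ["192.0.2.40"],
}

if __name__ == "__main__":
    for level, field, message in check_settings(SAMPLE):
        print(f"{level:5} {field}: {message}")
```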

Step 1B: Enable Secure Log Access

If you changed the default settings in the Secure Log Access (Reporting) field in "Step 1A: Specify the Management Server System Settings", then you must enable the access in the Database Firewall server.

  1. Log in to the Database Firewall server as user root.

  2. Change to the oracle user.

    su - oracle
    
  3. Execute the following command:

    . oraenv
    
  4. When prompted, enter dbfwdb for the Oracle SID.

  5. Log in to the database on this server using SQL*Plus.

    sqlplus / as sysdba
    Enter password: password
    
  6. Unlock the dbfw_report account and assign this user a password.

    ALTER USER dbfw_report ACCOUNT UNLOCK IDENTIFIED BY password;
    
  7. Exit SQL*Plus.

Step 1C: Set the Database Firewall Management Server Date and Time

It is important to ensure that the date and time set for the Management Server are correct, because events performed by the Management Server are logged with the date and time at which they occur. In addition, archiving occurs at specified intervals based on the time settings. Correct time settings are also needed so that Database Firewall Analyzer uses the correct time ranges when training on log data.

To set the Database Firewall Management Server date and time:

  1. In the Management Server Administration Console, select the System tab.

  2. Click Date and Time under the System menu on the left, and then scroll down and click the Change button.

    [Illustration: date_time.gif]

  3. Enter the correct date and time.

    If a managed Database Firewall and Management Server are in different time zones, then the audit reports and summary reports will use the time zone of the Database Firewall that created the log file.

  4. Use the Time Offset menu to select your local time with respect to Coordinated Universal Time (UTC).

    For example, UTC-5 is five hours behind UTC. It is essential to select the correct setting to ensure that the time is set accurately during synchronization.

    If you do not select the correct setting, the time will be set incorrectly when time synchronization occurs.

  5. (Optional) Select Enable NTP Synchronization.

    Selecting Enable NTP Synchronization keeps the time synchronized with the average of the time recovered from the time servers specified in the Server 1/2/3 fields, which can contain an IP address or name. If a name is specified, the DNS server specified in the System Settings page is used for name resolution.

  6. Use the default server addresses, or enter the addresses of your preferred time servers.

    Test Server displays the time from the server, but does not update the time at the Oracle Database Firewall Management Server or Oracle Database Firewall.

    Selecting Synchronize Time After Save causes the time to be synchronized when you click Save.

    WARNING:

    In DPE (blocking) mode, Synchronize Time After Save causes all enforcement points to restart, thereby dropping existing connections to protected databases. This would cause a temporary traffic disruption.

  7. Click Save.

To enable time synchronization, you also must specify the IP address of the default gateway and a DNS server, as described in "Set or Change Network Configuration or Services".

Step 1D: Configure the Management Server Syslog Destinations

Use the following procedure to configure the types of syslog messages to send from the Oracle Database Firewall Management Server (for example, to signal blocked statements).

  1. In the Management Server Administration Console, click the System tab.

  2. In the Connectors menu, select Syslog.

    The following page is displayed.

    [Illustration: image017.gif]

  3. Complete the fields, as necessary:

    • Syslog Destinations (UDP): Use this box if you are using User Datagram Protocol (UDP) to communicate syslog messages from the Oracle Database Firewall Management Server. Enter the IP address of each machine that is permitted to receive the syslog messages.

    • Syslog Destinations (TCP): Use this box if you are using Transmission Control Protocol (TCP) to communicate syslog messages from the Oracle Database Firewall Management Server. Enter the IP address and port number of each server that is permitted to receive the syslog messages.

    • Syslog Categories: You can select the types of syslog messages to generate. The categories have the following meanings:

      • System: System messages generated by Oracle Database Firewall or other software, which have a syslog priority level of at least "INFO".

      • Alerts: Oracle Database Firewall and F5 alerts (Oracle Database Firewall syslog message IDs 9, 10, 11 and 12).

        This category is not present on the Management Server.

      • Info: General Oracle Database Firewall messages and property changes (Oracle Database Firewall syslog message IDs 1, 4 and 8).

      • Debug: Engineering debug messages (for Oracle Database Firewall use only).

      • Heartbeat: Oracle Database Firewall heartbeat message and current statistics (Oracle Database Firewall syslog message ID 3).

        This category is not present on the Management Server.

      For more information about the meaning of each syslog message, see Appendix B, "Syslog Message Format."

  4. Click Apply.

If you are using two Oracle Database Firewall Management Servers as a resilient pair, repeat "Step 1: Perform Initial Tasks for Each Database Firewall Management Server" for the second Database Firewall Management Server.

Step 2: Perform Tasks for Each Oracle Database Firewall

Step 2A: Configure the Database Firewall System and Time Settings

Perform the tasks described here for each Oracle Database Firewall that will be managed by the Oracle Database Firewall Management Server.

Set Date and Time

To configure the time settings, refer to "Step 1: Set the Database Firewall Date and Time".

Set or Change Network Configuration or Services

To set or change network or services settings for a Database Firewall, refer to "Step 2: Specify the Database Firewall System Settings".

For more information on network configuration refer to steps in "Changing the Network Configuration".

Step 2B: Enter the Database Firewall Management Server Certificate and IP Address

Change each Oracle Database Firewall that will be managed by the Oracle Database Firewall Management Server from standalone to managed mode. To do so, copy the certificate details held on the Oracle Database Firewall Management Server and paste them into each Oracle Database Firewall. This enables Oracle Database Firewall to communicate with the Oracle Database Firewall Management Server.

  1. At the Oracle Database Firewall Management Server Administration Console:

    1. Click Certificate in the System menu.

    2. Copy all the text displayed in the large box.

  2. At Oracle Database Firewall Administration Console:

    1. Click Management Server in the System menu.

    2. Enter the IP address of the Management Server in the Oracle Database Firewall Management Server IP Address field.

    3. Paste the Oracle Database Firewall Management Server certificate text into the Certificate box.

    4. Click Apply.

      When you click Apply, Oracle Database Firewall changes from standalone to managed mode and all tabs at the top of the console interface, except System, are removed. Removing the certificate or IP address reverts the Database Firewall to standalone mode.

  3. If you want to use a resilient pair of Management Servers for a high availability environment, then select the Add Second Oracle Database Firewall Management Server check box and repeat steps 1 and 2 to enter the details of the second Oracle Database Firewall Management Server.

Step 3: Complete the Final Database Firewall Management Server Tasks

Step 3A: Specify Management Server Partner Settings (Resilient Pair Only)

Follow this procedure if you are setting up the Management Server for high availability.

To specify the Management Server Partner Settings:

  1. Copy the certificate details from the Management Server that will be used as the partner for the Management Server you are configuring, as described in the previous section.

  2. At the Management Server you are configuring, select the System tab.

  3. In the System menu, select High Availability.

    The following is displayed:

    [Illustration: high_av_set.gif]

  4. Select primary or secondary under Status. (Only one of the pair will be primary.)

  5. Enter the IP address and paste the certificate of the partner Management Server and save the changes.

  6. Repeat the preceding steps for the second Management Server.

Synchronize Now is enabled when you enter the partner details. Selecting the Synchronize Now button forces an immediate synchronization of the two Oracle Database Firewall Management Servers. It is not normally necessary to use this button, since an auto-synchronization occurs 5 minutes after the last change.

Step 3B: Add Each Oracle Database Firewall to the Management Server

Add each Oracle Database Firewall as follows:

  1. Display the Oracle Database Firewall Management Server Administration Console.

    This must be the primary Oracle Database Firewall Management Server if a resilient pair of Oracle Database Firewall Management Servers is used.

    Note:

    You can determine which Oracle Database Firewall Management Server is the primary from the Status field in the High Availability section of the System Status page.

    Also, the secondary Management Server has a red bar on its user interface, which identifies it as secondary.

  2. Click the Appliances tab.

  3. Click Add in the Appliances menu.

  4. Enter a name for Oracle Database Firewall in the first field, and its IP address in the second.

  5. Click Save.

    If there is a message that indicates that there is a problem with the certificate, check that the date and time are set consistently across both the Oracle Database Firewall and the Management Server.

  6. Click the link on the name of the appliance to go to the Administration Console for that managed Database Firewall, and specify the following settings for that appliance.

    • Click Date and Time in the System menu, then click the Change button:

      Set the time to the time that you want the traffic to be logged. Typically, you set it to the local time. Set the Time Offset if you are using NTP time synchronization.

      Enable NTP Time Synchronization: Select the check box to synchronize this Database Firewall's time with the specified NTP servers.

      Synchronize Time After Save: Select the check box to apply the NTP server time after you save and exit this page.

      WARNING:

      In DPE (blocking) mode, Synchronize Time After Save causes all enforcement points to restart, thereby dropping existing connections to protected databases. This would cause a temporary traffic disruption.

      Click Save when finished with Date and Time.

    • Click Services in the System menu, and then click the Change button:

      For the DNS Server 1, DNS Server 2, and DNS Server 3 fields, enter the IP addresses of up to three DNS servers on the network. Oracle Database Firewall uses these addresses to resolve any network names that may be used at the Oracle Database Firewall Management Server. Keep the fields blank if there is no DNS server, otherwise system performance may be impaired.

      Web Access: If you want to allow only selected computers to access the Oracle Database Firewall Management Server Administration Console, enter their IP addresses in the box. Using the default of all enables access from any computer on your site.

      Terminal Access: You can specify a list of IP addresses that are allowed to access the Oracle Database Firewall Management Server from a remote console. Entering all allows access from any computer on your site. The default of disabled prevents console access from any computer.

      SNMP Access: Specifies a list of IP addresses that are allowed to access the Oracle Database Firewall Management Server's network configuration through SNMP (settings as per Terminal Access). The SNMP community string is gT8@fq+E.

      Secure Log Access (Reporting): Specifies a list of IP addresses that are allowed to access the log data held on the Oracle Database Firewall Management Server, for example, to report using external reporting systems (settings as per Terminal Access). If you complete this setting, then ensure that you complete "Step 3: Enable Secure Log Access in the Standalone Database Firewall".

      Traffic Log Access (Analyzer): Specifies a list of IP addresses of computers running the Analyzer software that are allowed to access the traffic log on the Oracle Database Firewall Management Server (settings as per Terminal Access).

      Click Save.

    • Click Syslog in the Connectors menu:

      Syslog Destinations (UDP): Use this box if you are using User Datagram Protocol (UDP) to communicate syslog messages (for example, disk full) from the Oracle Database Firewall Management Server. Enter the IP address of each machine that is permitted to receive the syslog messages.

      Syslog Destinations (TCP): Use this box if you are using Transmission Control Protocol (TCP) to communicate syslog messages from the Oracle Database Firewall Management Server. Enter the IP address and port number of each server that is permitted to receive the syslog messages.

      Syslog Categories: Select from the following types of syslog messages to generate:

      • System: System messages generated by Oracle Database Firewall or other software, which have a syslog priority level of at least "INFO".

      • Alerts: Oracle Database Firewall and F5 alerts (Oracle Database Firewall syslog message IDs 7, 9, 10, 11 and 12).

        This category is not present on the Management Server.

      • Info: General Oracle Database Firewall messages and property changes (Oracle Database Firewall syslog message IDs 1, 4 and 8).

      • Debug: Engineering debug messages (for Oracle Database Firewall use only).

      • Heartbeat: Oracle Database Firewall heartbeat message and current statistics (Oracle Database Firewall syslog message ID 3).

        This category is not present on the Management Server.

      Maximum Syslog Message Length (bytes): Enter the maximum number of character bytes for each syslog message. The accepted range of values is 1024 to 1048576. The default is 1024.

      Click Apply when finished with the Syslog settings.

    • Click Network in the System menu, and configure the network settings as described in "Changing the Network Configuration".

  7. Repeat the procedure for each Oracle Database Firewall that the Oracle Database Firewall Management Server manages, including the second Oracle Database Firewall of a resilient pair.

Step 3C: Define Resilient Pairs of Oracle Database Firewalls

Complete the following steps if you want to create a resilient pair of Oracle Database Firewalls:

  1. Display the Oracle Database Firewall Management Server Administration Console (this must be the primary Database Firewall Management Server if a resilient pair of Oracle Database Firewall Management Servers is used).

  2. Select the Appliances tab.

  3. In the Resilience menu, select Create Pair.

  4. To add a resilient pair, click the Add button, and then enter the name and IP address of the Database Firewall that you want to use. Then click Save.

Step 4: Configure the Management Server Enforcement Points

You must configure each enforcement point at the Management Server. If you have configured a resilient pair of Management Servers, then you must configure the enforcement points on the primary server.

To configure the Management Server enforcement points:

  1. In the standalone Database Firewall Administration Console, select the Monitoring tab.

  2. In the Enforcement Points menu, select Create.

    The Enforcement Point Wizard: Step 1 page appears.

    [Illustration: ep-wizard-step1-ms.gif]

  3. Enter the following information:

    • Name: Enter a name for the enforcement point.

    • Select the appliance(s) to use for monitoring: Select the Database Firewall(s) to use for monitoring this enforcement point. The number of currently available enforcement points is displayed (up to 80).

  4. Click Next.

    The Enforcement Point Wizard: Step 2 page appears.

    [Illustration: ep-wizard-step2.gif]

  5. Select one or more traffic sources you want this enforcement point to monitor. If you select a proxy traffic source, you cannot select any other traffic sources. If Management appears in the list, then the Management Interface has been configured as a proxy and can be used as such.

  6. Enter the following information:

    • Protected Database: Select Create New or choose from the list of available databases.

    • Name: If creating a new protected database, enter a name for the database to be monitored.

    • Database Type: If creating a new protected database, select the database type.

    • Address and Port: If creating a new protected database, specify the IP address and port number of the database management system (i.e. the IP settings used by database clients to send traffic to the database), then click Add. If the protected database has more than one interface and/or port, enter the additional Address and Port details, then click Add again. If you are using a Domain Name Server (DNS), you can enter a hostname instead of an IP address.

  7. Click Next.

    The Enforcement Point Wizard: Step 3 page appears.

  8. Enter the following settings:

    • Monitoring Mode: Select Database Activity Monitoring (DAM) if the enforcement point is to be used only to log statements and provide warnings of potential attacks. Select Database Policy Enforcement (DPE) if the enforcement point is also required to block potential attacks.

      If you have selected a traffic proxy as a traffic source for this Enforcement Point, then DPE mode is required and you cannot select DAM mode.

      Note 1:

      When you use a Database Firewall in DPE mode, you must configure any IP or MAC address spoofing detection rules so that they ignore database IP or MAC address changes made by that Database Firewall.

    • Policy: Select a baseline policy. To upload a custom policy developed using the Analyzer software, click Browse to select the file, then Upload. Use the text box to add a description. If this is the first time you are creating a baseline policy, then Oracle recommends that you select the unique.dna policy.

  9. Click Next.

    The Enforcement Point Wizard: Step 4 page appears.

  10. Check your settings, and if you are satisfied, then click the Finish button.

Step 5: Test the Management Server System Operation

You should verify that the system is fully operational before commencing normal day-to-day operations.

To test the system operation:

  1. In the Firewall Management Server Administration Console, click the Monitoring tab.

  2. In the Enforcement Points menu, select List.

    The Enforcement Points page appears.

  3. Click the Status button.

    In the Appliances area, ensure that there is a green check-mark indicator in the Status column against the device that is performing the monitoring.

  4. Click the Dashboard tab, and check that Total Statements increases every minute. This indicates that statements are being recognized.

  5. Click the Reporting tab, then click View in the Traffic Log menu. Click Start to see the statements that are being saved to the traffic log (the latest information may take up to five minutes to display).

  6. Use the Analyzer software to verify that data can be obtained from the traffic log.

What's Next?

The tasks in this chapter complete the initial configuration of Database Firewall Management Server. Your next step is to configure the connection between the protected databases and Database Firewalls. Depending on site requirements, you may need to configure other features, such as stored procedure auditing, user role auditing and local monitoring. These features are explained in later chapters of this guide.

After you have configured the installed Database Firewalls and the Management Server, users will be able to begin analyzing data. Once a policy has been developed, you must upload it. See Oracle Database Firewall Security Guide for information about listing and uploading policies.

Chapter 13, "System Administration," explains system administration tasks, including how to set up new users, monitor the system and produce reports.