Monitoring/Blocking (Proxy) mode enables the Database Firewall to both monitor and block SQL traffic, as well as optionally substitute SQL statements.
You configure clients to connect to the Database Firewall instead of the database so that the firewall can intercept all SQL traffic and take the necessary actions, based on policies that you define. In all cases, the database server identifies the Database Firewall as the client.
Oracle recommends that you configure the database to reject all connections that do not come from the Database Firewall.
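One way to enforce that recommendation is Oracle Net valid node checking in the database host's sqlnet.ora, shown here as an added example that is not part of this guide. The addresses are placeholders for the Database Firewall interface that opens connections to the database (the interface the database sees as the client).

```ini
# Added example, not from the guide: sqlnet.ora on the database (listener) host.
# 192.0.2.10 and 192.0.2.11 are placeholder addresses for the Database Firewall
# interface that faces the database, for example the traffic proxy NIC in the
# dedicated-NIC and network-separation deployments.

# Weak (default behaviour): any host that can reach the listener may connect
# to the database directly and bypass the Database Firewall.
# TCP.VALIDNODE_CHECKING = NO

# Hardened: the listener accepts TCP connections only from the listed
# Database Firewall addresses and rejects all others.
TCP.VALIDNODE_CHECKING = YES
TCP.INVITED_NODES = (192.0.2.10, 192.0.2.11)
```

The listener must be reloaded for the change to take effect, and because the check keys on the source address the database observes, the allowed addresses are the firewall's, not the original clients'.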
You can deploy the Monitoring/Blocking (Proxy) mode in the following ways:
- Proxy without network separation
- Proxy without network separation using a dedicated network interface card (NIC)
- Proxy with network separation
When you deploy the Database Firewall as a proxy without network separation, the Database Firewall has one NIC called the Database Firewall management interface, which handles all communication between the clients and databases, as well as between the Database Firewall and the Audit Vault Server. This NIC is deployed in the management subnet.
The example in this diagram has three subnets:
- The management subnet contains the Audit Vault Server, the Database Firewall, the Database Firewall management interface, and a switch.
- The client subnet contains three clients and a switch.
- The database subnet contains three databases, three clients, and a switch.
The following letter callouts describe how traffic flows to and from the Database Firewall in the diagram:
- A: In the client subnet, traffic travels from the clients through a switch to the network router. The router sends the traffic to the switch in the management subnet, which forwards the traffic to the Database Firewall traffic management interface. From there the traffic travels to the databases through the switch in the database subnet. The database responses return to the clients through the same path.
- B: In the database subnet, traffic travels from the clients through the switch in the database subnet to the Database Firewall traffic management interface in the management subnet. From there the traffic travels to the databases through the switch in the database subnet. The database responses return to the clients through the same path.
- C: The Database Firewall extracts and analyzes SQL data from the client traffic and sends it through the Database Firewall management interface to the switch in the management subnet and then to the Audit Vault Server, based on the Database Firewall policy.
When you deploy the Database Firewall as a proxy without network separation using a dedicated NIC, the Database Firewall has two NICs:
- The Database Firewall traffic proxy handles traffic from all clients to the databases. This NIC is deployed in the database subnet.
- The Database Firewall management interface handles communication between the Database Firewall and the Audit Vault Server. This NIC is deployed in the management subnet.
The example in this diagram has three subnets:
- The management subnet contains the Audit Vault Server, the Database Firewall, the Database Firewall management interface, and a switch.
- The client subnet contains three clients and a switch.
- The database subnet contains three databases, three clients, a switch, and the Database Firewall traffic proxy.
The following letter callouts describe how traffic flows to and from the Database Firewall in the diagram:
- A: In the client subnet, traffic travels from the clients through a switch to the network router. The router sends the traffic to the switch in the management subnet, which forwards the traffic to the Database Firewall traffic proxy in the database subnet. From there the traffic travels to the databases through the switch in the database subnet. The database responses return to the clients through the same path.
- B: In the database subnet, traffic travels from the clients through the switch in the database subnet to the Database Firewall traffic proxy in the database subnet. From there the traffic travels to the databases through the switch in the database subnet. The database responses return to the clients through the same path.
- C: The Database Firewall extracts and analyzes SQL data from the client traffic and sends it through the Database Firewall management interface to the switch in the management subnet and then to the Audit Vault Server, based on the Database Firewall policy.
When you deploy the Database Firewall as a proxy with network separation, the Database Firewall has a minimum of three NICs:
- Each client subnet has a Database Firewall NIC that handles all traffic to and from the clients in that subnet.
- The database subnet has a Database Firewall NIC that handles all traffic to the databases, as well as traffic from any clients in the database subnet.
- The Database Firewall management interface handles communication between the Database Firewall and the Audit Vault Server. This NIC is deployed in the management subnet.
The example in this diagram has three subnets:
- The management subnet contains the Audit Vault Server, the Database Firewall, the Database Firewall management interface, and a switch.
- The client subnet contains three clients, a switch, and a Database Firewall NIC.
- The database subnet contains three databases, three clients, a switch, and a Database Firewall NIC.
The following letter callouts describe how traffic flows to and from the Database Firewall in the diagram:
- A: In the client subnet, traffic travels from the clients through a switch to the Database Firewall NIC in the client subnet and then to the network router. The router sends the traffic to the switch in the management subnet, which forwards the traffic to the Database Firewall. From there the traffic travels to the databases through the NIC and switch in the database subnet. The database responses return to the clients through the same path.
- B: In the database subnet, traffic travels from the clients through the switch in the database subnet to the Database Firewall NIC in the database subnet. From there the traffic travels to the databases through the switch in the database subnet. The database responses return to the clients through the same path.
- C: The Database Firewall extracts and analyzes SQL data from the client traffic and sends it through the Database Firewall management interface to the switch in the management subnet and then to the Audit Vault Server, based on the Database Firewall policy.