Attacks/Breaches
2/15/2011
05:53 PM
Connect Directly
RSS
E-Mail
50%
50%

Oracle Database Firewall To Replace DAM? Not So Fast, Competitors Say

AppSec, Guardium disagree with Oracle's assertion that database firewalls can act as a DAM substitute

SAN FRANCISCO, CA -- RSA Conference 2011 -- Oracle stirred the database security pot this week with the release of a new database firewall product and a partnership with F5 for Web application security, which together it claims will supersede the database activity monitoring (DAM) market. The assertion sparked controversy among competitors who say gaps in the database firewall's auditing capabilities and Oracle's vested interest in its own database platform will limit its play as a one-stop shop for database security.

Monday's release of Oracle Database Firewall is the culmination of the company's acquisition of database security vendor Secerno last year. The product creates a defensive perimeter around databases by looking at SQL statements sent to the database through the wire to determine whether to pass, log, alert, block, or substitute SQL statements based on an organization's policies. Users can set whitelist or blacklist policies to control the product, which is designed to work not only with Oracle databases, but also other major platforms, such as DB2, SQL Server and Sybase platforms.

According to Oracle executives, the company hopes to compete directly with DAM products offered by firms such as IBM, AppSec, and Imperva.

"This actually does provide database activity monitoring itself because it sees all of the traffic that is going through the wire," says Vipin Samar, vice president of database security for Oracle, who notes Oracle Database Firewall integrates with ArcSight security information and event management systems. "So it can itself report on what's happening."

Roxana Brodescu, director of product marketing for Oracle, says that database firewalls aren't seen necessarily as a replacement for DAM, but rather as an alternative because most companies have yet to implement DAM.

"The question is if you're going to deploy something, why deploy database activity monitoring when you can deploy database firewall?" she says. "It's not so much about [being] easier [to deploy], it's about [being] better, and it's about accuracy and security."

Unsurprisingly, competitors took issue with Oracle's claims, some more colorfully than others.

"Most companies aren't built on Oracle architectures alone, [so] this solution will prove extremely insufficient for most organizations that will also need support for other vendor technologies," says Rob Rachwald, director of security strategy at Imperva. "When Oracle's boast of 'unbreakable' databases backfired, they purchased the weakest database security vendor -- Secerno -- on the market to fill the gap. Two chihuahuas don't make a pit bull. And in today's threat-filled environment, enterprises need a pit bull."

In conjunction with the database firewall release, Oracle also unveiled a partnership with F5 to seamlessly integrate F5's Web application firewall (WAF) capabilities with Oracle Database Firewall -- a relationship that takes aim at Imperva in particular. Imperva has long touted its integrated WAF and DAM products. But while the partnership might seem good on paper, Rachwald questions the security chops of both companies.

"F5 is a networking company, and Oracle is a database vendor," he says. "Neither company is a true security firm, so understanding abuse cases coming from hackers and insiders takes a back seat to the needs of the DBA."

Perhaps the most controversial part of Oracle's announcement this week, however, is its assertion that database firewalls can act as a DAM substitute. Competitors contend that Oracle's new product lacks some big capabilities to do so.

"Database firewall is a subdiscipline of DAM, not a potential replacement. Database firewalls can provide external access controls, allowing the system to block specific queries from running against the database. However, the biggest value businesses are getting from DAM solutions today is a reliable, reviewable audit trail of the activities of privileged users -- which is not a capability of the database firewall," says Josh Shaul, vice president of product management at AppSec. "Privileged users generally can login to the database server OS directly and make local connections to the database from there. This common access method completely bypasses the database firewall, allowing the local user unfettered and unaudited access to the data and system. "

Phil Neray, VP of data security strategy for IBM InfoSphere Guardium, agrees that the database firewall's lack of visibility into privileged access is a critical gap.

"[The] announcement from Oracle doesn't address a key limitation of the Oracle Database Firewall, which is its inability to block unauthorized access by privileged users that connect directly to the database via local connections such as SSH rather than over the network," Neray says. "This is a key compliance requirement -- for example, to block unauthorized access by outsourced DBAs for SOX and PCI -- as well as a key security requirement, for example, to prevent hackers with stolen privileged credentials from accessing sensitive data."

Guardium was itself purchased by another database platform developer, IBM, in 2009, so Neray understands Oracle's drive to establish itself as a major player in the database security market. But he wonders about the company's commitment to servicing customers with heterogeneous environments.

"It's logical to buy database security products from database vendors, but only if they're firmly committed to heterogeneous DBMS support," Neray says. "Oracle's support for non-Oracle platforms is spotty at best, with some products, such as Oracle Database Vault, only supporting Oracle's proprietary platforms, while other products, like the Oracle Database Firewall and Oracle Audit Vault, don't even support other DBMS platforms, such as Teradata, Netezza, PostreSQL, and DB2 for z/OS. In addition, Oracle Audit Vault doesn't support older Oracle platforms, such as 8i."

The third-party vendors in the space go a step further, wondering whether any database vendor is the best source for effective cross-platform security and monitoring solutions when they have such an interest in seeing to the success of their in-house database management systems.

"Very few enterprise organizations have standardized on a single database vendor. Virtually all organizations have heterogeneous database environments and require support for a range of DBMS platforms," says Thom VanHorn, vice president of global marketing for AppSec. "As such, a customer is best served by a third-party vendor that does not have a vested interest in one specific platform. History has shown us that when it comes to vulnerability assessment and database security, the major DBMS vendors have lagged far behind the more agile third-party database security, risk, and compliance solutions.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6117
Published: 2014-07-11
Dahua DVR 2.608.0000.0 and 2.608.GV00.0 allows remote attackers to bypass authentication and obtain sensitive information including user credentials, change user passwords, clear log files, and perform other actions via a request to TCP port 37777.

CVE-2014-0174
Published: 2014-07-11
Cumin (aka MRG Management Console), as used in Red Hat Enterprise MRG 2.5, does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.

CVE-2014-3485
Published: 2014-07-11
The REST API in the ovirt-engine in oVirt, as used in Red Hat Enterprise Virtualization (rhevm) 3.4, allows remote authenticated users to read arbitrary files and have other unspecified impact via unknown vectors, related to an XML External Entity (XXE) issue.

CVE-2014-3499
Published: 2014-07-11
Docker 1.0.0 uses world-readable and world-writable permissions on the management socket, which allows local users to gain privileges via unspecified vectors.

CVE-2014-3503
Published: 2014-07-11
Apache Syncope 1.1.x before 1.1.8 uses weak random values to generate passwords, which makes it easier for remote attackers to guess the password via a brute force attack.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.