Oracle on Monday announced that it has released Oracle Database Firewall, which is designed to monitor databases in real time, enforce normal database behavior, and defend against unauthorized information access or SQL injection attacks.
To do that, the software uses what Oracle calls "SQL grammar analysis technology" to assess SQL queries, backed by SQL statement whitelists and blacklists, exception policies to support patching or custom jobs, and policies that can weigh factors ranging from time of day and IP address to user and SQL category. The firewall is based on technology Oracle acquired with database firewall vendor Secerno in May 2010.
Notably, Oracle Database Firewall requires no changes to existing databases, applications, or infrastructure, and can be deployed in-line with databases for active blocking, or out of band for monitoring only. It can be deployed on almost any type of Intel-based hardware, and works with all Oracle databases, including Oracle Database 11g, as well as IBM DB2 version 9.x (for Linux, Unix, and Windows), Microsoft SQL Server (2000, 2005, and 2008), Sybase Adaptive Server Enterprise versions 12.5.4 to 15, and Sybase SQL Anywhere v10.
Why use a database firewall? According to the Open Web Application Security Project, SQL injection attacks pose the biggest risk to Web application security.
Yet, too few organizations actively block SQL injection attacks. "Most customers don't use database security tools right now," said Martin Kuppinger, founder of market researcher KuppingerCole, in an email interview.
"Customers are not taking sufficient measures to prevent attacks from reaching their databases," said Vipin Samar, VP of database security for Oracle, in an email interview. "This is confirmed by industry reports like the 2010 (and 2009) Verizon Data Breach Investigations Report that found that compromised database servers were responsible for 89% of breached data. This isn't surprising since sensitive and regulated data in most organizations resides in their databases."
Oracle Database Firewall isn't the only database firewall in town. According to Kuppinger, it competes directly with IBM Guardium. But Oracle itself is no newcomer to database security, given that it has "the overall most advanced and complete portfolio of database security products," he said.
Why sell SQL injection attack prevention as an add-on, instead of building it directly into databases? "You could provide protection against SQL injection attacks built into databases, but that would be another approach than a database firewall," said Kuppinger. "Database firewalls are easy to set up, and they protect many instances of databases." Furthermore, while protecting the database itself might be theoretically superior, it could pose practical problems, especially from a policy and management point of view.
Adding security outside the database also helps future-proof -- and, presumably, cost-control -- database investments, said Oracle's Samar. "Over time, there will be many advancements coming around to the databases, but customers do not want to have to upgrade their databases to take advantage of these new capabilities."