Oracle Audit Vault and Database Firewall



2 Oracle Audit Vault and Database Firewall
What's New and Best Practices
Andrey Brozhko, Melody Liu
Oracle Database Security Product Management
September 30, 2014


4 Session Agenda
1. Oracle Audit Vault and Database Firewall Overview
2. What's New
3. Best Practices
4. Q&A

5 Oracle Audit Vault and Database Firewall
Heterogeneous Audit Data Consolidation and Database Activity Monitoring

6 Oracle Audit Vault and Database Firewall
High-level architecture (diagram): users and applications reach the databases through the Database Firewall; Database Firewall events, together with audit data from OS & storage, directories, databases and custom audit data & event logs, feed the Audit Vault, which produces alerts, reports and policies.

7 Audit Vault
Trust but verify
- Consolidate and secure event data
- Extensive and customizable reporting
- Powerful, threshold-based alerting
- Enterprise-scale deployment

8 Databases, Operating Systems, Directories

9 Extensive and Customizable Reporting
- Predefined reports
- Interactive browsing
- Build custom reports
- Report scheduling and notification
- Report attestation

10 Powerful Alerting

11 Database Firewall
- Monitor user activity from the network
- Detect and block unauthorized activity
- Detect and block SQL injection attacks
- Advanced grammatical SQL analysis
- Positive and negative security model
- Scalable software appliance

12 Database Firewall
Anomaly detection and threat blocking with positive security model
- Block out-of-policy SQL statements from reaching the database
- Automated white list generation for any application
- Define permitted SQL behavior per user or application
Diagram: the white list allows the application's statement
  SELECT * from stock where catalog-no='PHE8131'
and blocks the injected statement
  SELECT * from stock where catalog-no=' ' union select cardNo,0,0 from Orders --'

13 Database Firewall
Enforcing behavior with negative security model
- Block specific unauthorized SQL statements, users or object access
- Blacklist on session factors: IP address, application, DB user, OS user
Diagram: the same statement, SELECT * from stock, is allowed (and logged) as legitimate data access, but blocked when it comes from an unauthorized workstation or application.

14 What’s New in Enhanced Scalability, Security and Deployment Simplicity

15 iSCSI SAN support for Audit Repository

16 NFS Storage for Audit Data Archives

17 Forwarding Policy Alerts to Syslog
- Simple to set up
- Alerts contain a link to the detailed description in the Auditor Dashboard
Example syslog message as shown on the slide (host name, URL host and parts of the timestamp are elided):
<10>Jan  7 13:59:40 avs00161eb81587 logger: name="Alert_FailLogOn" severity="Critical" url="https:// /console/f?p=7700:33:::NO::P33_ALERT_ID:1" time=" T13:59: Z" target="avsource" user="INVALID" desc=" "]
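One way to consume these forwarded alerts downstream (for example in a SIEM collector), as an added Python example written for this page rather than Oracle code. It parses the syslog header and the key="value" pairs of a line shaped like the one above. The sample line is constructed: its host name, URL host, timestamp and description are invented, and the assumption that the time field is ISO 8601 UTC with optional fractional seconds is mine, not the product's.

```python
"""Parse a policy alert forwarded to syslog in the format shown on slide 17.

Added example for this page, not Oracle code. Only the line's shape comes from the
slide; host name, URL host, timestamp and description in SAMPLE are made up.
"""
import re
from datetime import datetime, timezone
from typing import Any, Dict

SAMPLE = (  # constructed sample; the slide's own line has these values elided
    '<10>Jan  7 13:59:40 avs00161eb81587 logger: name="Alert_FailLogOn" '
    'severity="Critical" url="https://avs.example.com/console/f?p=7700:33:::NO::P33_ALERT_ID:1" '
    'time="2014-01-07T13:59:40Z" target="avsource" user="INVALID" desc="Failed logon"'
)

# RFC 3164-style header: <PRI>Mmm dd hh:mm:ss host tag: message
_HEADER = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<stamp>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) '
    r'(?P<host>\S+) (?P<tag>[^:\s]+): (?P<msg>.*)$'
)
_KV = re.compile(r'(\w+)="([^"]*)"')           # key="value" pairs in the message body
_ALERT_ID = re.compile(r'P33_ALERT_ID:(\d+)')  # APEX item:value pair at the end of the URL

SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_alert(line: str) -> Dict[str, Any]:
    """Return the syslog facility/severity, host and the alert's structured fields."""
    m = _HEADER.match(line.strip())
    if not m:
        raise ValueError("not a syslog line: %r" % line[:40])
    pri = int(m.group("pri"))
    fields = dict(_KV.findall(m.group("msg")))
    for required in ("name", "severity", "url", "time", "target", "user"):
        if required not in fields:
            raise ValueError("alert is missing field %r" % required)
    # Assumed time format: ISO 8601 UTC, fractional seconds optional.
    stamp = re.sub(r"\.\d+Z$", "Z", fields["time"])
    ts = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    id_match = _ALERT_ID.search(fields["url"])
    return {
        "facility": pri // 8,                        # PRI 10 -> facility 1 (user-level)
        "syslog_severity": SEVERITY_NAMES[pri % 8],  # PRI 10 -> severity 2 (crit)
        "host": m.group("host"),
        "fields": fields,
        "time": ts,
        "alert_id": int(id_match.group(1)) if id_match else None,
    }


def needs_paging(event: Dict[str, Any]) -> bool:
    """Page on Critical policy alerts; key off the structured field, not free text."""
    return event["fields"]["severity"].lower() == "critical"


if __name__ == "__main__":
    evt = parse_alert(SAMPLE)
    print(evt["host"], evt["syslog_severity"], evt["fields"]["name"], "alert id", evt["alert_id"])
```

The syslog priority 10 in the sample decodes to facility 1 (user-level) and severity 2 (critical), which agrees with the alert's own severity="Critical" field; a collector should still key its routing off the structured field, since the PRI is set by the logger, not by the alert policy.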

18 Security and Usability Enhancements
- Database Vault protection of the audit repository
- Simplified deployment of Audit Vault Agents
- Auto-upgrade capability in Audit Vault Agents
- Improved administration dashboard
- Enhanced diagnostic tools

19 Extended Target Platform Support
- Oracle Big Data Appliance (BDA) support
- Database Firewall support for MySQL 5.6
- Database Firewall support for Oracle 9i
- Windows & Linux 32-bit host OS support for Audit Vault Agents
- XSL transformation capability in XML file collection plug-ins

20 Oracle Audit Vault and Database Firewall Best Practices

21 Deployment Best Practices
- Understand your database security needs: auditing? monitoring? blocking?
- Estimate the aggregate volume of logged audit and event data
- Roll out audit log consolidation, or activity monitoring, or both

22 Rolling Out Audit Log Consolidation
Making your audit data safe, secure and accessible with Oracle Audit Vault
- Configure Audit Vault: install and configure the Audit Vault Server; register Secured Targets
- Configure Targets: install and activate Audit Vault Agents on target hosts; configure native audit policies
- Data Lifecycle Settings: configure archive locations; configure data retention policies
- Alerts & Reports: start collecting and consolidating audit data from trails; create a baseline set of alerts

23 Rolling Out Monitoring
Monitoring all relevant SQL activity on the network
- Set up Database Firewalls: deploy Database Firewalls; architect and configure Database Firewall networking
- Configure Monitoring: configure Enforcement Points; switch on Database Activity Monitoring
- Configure Policy: assign the 'Unique' policy to Enforcement Points; fine-tune the policy based on logged SQL

24 Rolling Out Blocking
Protecting your databases with Database Firewall
- Learn from Logged Data: review SQL activity for the period; identify sets of users with common behavior
- Create Whitelists: define permitted session profiles and privileged users; specify what activity is to be logged
- Refine Policy: deploy against production traffic; tighten the policy with rules on out-of-policy SQL
- Enable Blocking: set up alerts on all out-of-policy activity; switch to Database Policy Enforcement mode

25 Database Firewall Policy
Evaluation order for each SQL statement (diagram):
1. Exceptions List: exceptions are applied first; if the session matches, PASS/ALERT/BLOCK
2. Session Profile: session factors determine the profile; the profile defines the range of permitted SQL activity
3. SQL Baseline: if the statement matches the profile's baseline, PASS/ALERT/BLOCK
4. Novelty Policy: novelty rules look at what is accessed and how; if matched, PASS/ALERT/BLOCK
5. Default Rule: applied to everything else
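The evaluation order on this slide, together with the white-list and black-list examples on slides 12 and 13 and the learn-then-enforce roll-out on slide 24, as a small Python model. This is an added illustration written for this page, not Oracle's code or policy format: the literal-replacing tokenizer is a crude stand-in for the product's grammatical SQL analysis, and every user name, subnet, client program and statement below is invented except the two statements reproduced from slide 12.

```python
"""Toy model of the Database Firewall policy stages on slide 25 (added example, not Oracle code).

Order: exceptions -> session profile -> SQL baseline -> novelty rules -> default rule.
The tokenizer stands in for the product's grammatical SQL analysis; names, subnets
and statements are invented, except the two taken from slide 12.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Callable, List, Set, Tuple

PASS, ALERT, BLOCK = "PASS", "ALERT", "BLOCK"

# One-pass tokenizer: string and numeric literals become '?', comments are dropped
# (a trailing "--" is a classic injection artefact), words are lower-cased.
_TOKEN = re.compile(r"""
    (?P<str>'(?:[^']|'')*')
  | (?P<comment>--[^\n]*|/\*.*?\*/)
  | (?P<num>\b\d+(?:\.\d+)?\b)
  | (?P<word>[A-Za-z_][A-Za-z0-9_$\#.]*)
  | (?P<punct>\S)
""", re.X | re.S)


def sql_cluster(sql: str) -> str:
    """Reduce a statement to its literal-independent shape (its 'cluster')."""
    out = []
    for m in _TOKEN.finditer(sql):
        if m.lastgroup in ("str", "num"):
            out.append("?")
        elif m.lastgroup == "word":
            out.append(m.group().lower())
        elif m.lastgroup == "punct":
            out.append(m.group())
    return " ".join(out)


def objects(cluster: str) -> Set[str]:
    """Objects a clustered statement touches: the token after FROM/JOIN/INTO/UPDATE/TABLE."""
    toks = cluster.split()
    return {toks[i + 1] for i, t in enumerate(toks[:-1])
            if t in ("from", "join", "into", "update", "table")}


@dataclass(frozen=True)
class Session:           # the session factors a profile or blacklist can key on
    db_user: str
    os_user: str
    client_ip: str
    client_program: str


@dataclass
class Verdict:
    action: str
    log: bool
    stage: str           # which policy stage decided
    cluster: str


@dataclass
class Profile:
    name: str
    matches: Callable[[Session], bool]
    baseline: Set[str] = field(default_factory=set)   # permitted clusters (white list)
    logged: Set[str] = field(default_factory=set)     # subset that is also logged

    def learn(self, logged_sql: List[str], log_if: Callable[[str], bool]) -> None:
        """Automated white-list generation from a period of logged traffic (slide 24)."""
        for sql in logged_sql:
            c = sql_cluster(sql)
            self.baseline.add(c)
            if log_if(c):
                self.logged.add(c)


@dataclass
class Policy:
    exceptions: List[Tuple[str, Callable[[Session], bool], str]]  # (name, session predicate, action)
    profiles: List[Profile]
    novelty: List[Tuple[str, Callable[[str], bool], str]]         # (name, cluster predicate, action)
    default_action: str = ALERT   # monitoring phase; set to BLOCK when enabling enforcement

    def evaluate(self, s: Session, sql: str) -> Verdict:
        c = sql_cluster(sql)
        for name, pred, action in self.exceptions:                 # 1. exceptions first
            if pred(s):
                return Verdict(action, True, "exception:" + name, c)
        profile = next((p for p in self.profiles if p.matches(s)), None)  # 2. factors -> profile
        if profile and c in profile.baseline:                      # 3. SQL baseline
            return Verdict(PASS, c in profile.logged, "baseline:" + profile.name, c)
        for name, pred, action in self.novelty:                    # 4. novelty rules
            if pred(c):
                return Verdict(action, True, "novelty:" + name, c)
        return Verdict(self.default_action, True, "default", c)    # 5. default rule


APP_NET = ipaddress.ip_network("10.0.1.0/24")     # assumed application tier
ADMIN_NET = ipaddress.ip_network("10.0.2.0/24")   # assumed DBA workstations
SENSITIVE = {"orders", "cards"}                   # assumed sensitive objects


def _known_host(s: Session) -> bool:
    ip = ipaddress.ip_address(s.client_ip)
    return ip in APP_NET or ip in ADMIN_NET


def build_policy() -> Policy:
    app = Profile("webapp", lambda s: s.db_user == "SHOP_APP" and s.client_program == "JDBC Thin Client")
    app.learn([  # constructed "logged SQL for the period"; first statement is from slide 12
        "SELECT * from stock where catalog-no='PHE8131'",
        "SELECT * from stock where catalog-no='ABC0001'",
        "UPDATE stock SET qty = qty - 1 WHERE catalog-no = 'PHE8131'",
        "INSERT INTO orders (cardno, qty) VALUES ('4111111111111111', 2)",
    ], log_if=lambda c: bool(objects(c) & SENSITIVE))   # log only sensitive SQL (slide 26)
    return Policy(
        exceptions=[
            ("unauthorized-workstation", lambda s: not _known_host(s), BLOCK),       # slide 13
            ("privileged-user", lambda s: s.db_user in ("SYS", "SYSTEM") or s.os_user == "oracle", PASS),
        ],
        profiles=[app],
        novelty=[("sensitive-object", lambda c: bool(objects(c) & SENSITIVE), BLOCK)],
    )


if __name__ == "__main__":
    policy = build_policy()
    app_session = Session("SHOP_APP", "tomcat", "10.0.1.10", "JDBC Thin Client")
    for stmt in ("SELECT * from stock where catalog-no='PHE8131'",
                 "SELECT * from stock where catalog-no=' ' union select cardNo,0,0 from Orders --'"):
        v = policy.evaluate(app_session, stmt)
        print(v.action, v.stage, "|", v.cluster)
```

Two points the model makes visible: the application's own INSERT into the sensitive orders table passes because the baseline is consulted before the novelty rules, while the injected UNION SELECT from the same table has no baseline match and is stopped by the novelty rule; and the default rule is what changes between the monitoring roll-out (ALERT on everything unknown, slide 24's "alerts on all out-of-policy activity") and enforcement mode (BLOCK), so the white list must be complete before that switch is flipped.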

26 Database Firewall Policy Best Practices
- Choose the right tools for the job
- Be selective in what you log
- Use Exceptions to log all activity for users with elevated privileges
- White list (i.e. 'Pass') all regular application activity in a Profile; set the 'Log' action only for sensitive SQL
- Configure Novelty Policies to identify and log access to sensitive objects
- Set the Default Rule to capture out-of-policy SQL
- Periodically review and update policies

27 Database Firewall
Network deployment best practices
- For passive monitoring (DAM) deploy out-of-band
- Use Proxy mode for no impact on network infrastructure
- Deploy in-line DAM if planning to turn on DPE (blocking) in the future
Diagram: out-of-band, proxy, and inline blocking-and-monitoring placements of the Database Firewall between users/apps and the databases.

28 Custom Collection Plug-ins
When built-in audit collection plug-ins are not enough
- XML-file and database-table audit trail types are supported
- No need to write code; package the configuration using the avpack tool
- Create custom reports to address specific presentation needs
- Once deployed, the new plug-in and reports become an integral part of the product installation
Oracle Confidential – Internal

29 Custom Collection Plug-ins
Annotated example for a custom database-table audit trail (figure): the plug-in descriptor maps 'source' fields to Audit Vault fields, with an optional value 'mapping' for individual field values.

30 Custom Collection Plug-ins
Best practices and recommendations
- Separate individual Secured Target trails
- Make sure that XML trail files are standard-conformant
- Correctly identify the unique record field (or fields) in the trail
- Check filesystem and database permissions
- Verify that time stamps function properly
- Break audit data into multiple trails for increased performance
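A pre-flight check that exercises three of these recommendations (standard-conformant XML, a unique record field, working time stamps) before a trail is handed to a plug-in, as an added Python example written for this page; it is not Oracle's avpack tooling and makes no claim about the plug-in descriptor format. The trail layout (a <record id=...> element with <time>, <user> and <action> children) and the sample trail are invented.

```python
"""Pre-flight checks for a custom XML audit trail (slide 30). Added example, not Oracle code.

The <record id="..."> layout with <time>, <user>, <action> children is an assumed
custom format; the sample trail is constructed and deliberately contains defects.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Dict, List

TRAIL = """<?xml version="1.0"?>
<auditTrail target="hr-app-db">
  <record id="1001"><time>2014-09-30T10:15:02Z</time><user>alice</user><action>LOGON</action></record>
  <record id="1002"><time>2014-09-30T10:15:09Z</time><user>alice</user><action>SELECT</action></record>
  <record id="1002"><time>2014-09-30T10:15:11Z</time><user>bob</user><action>LOGON</action></record>
  <record id="1004"><time>30/09/2014 10:16</time><user>bob</user><action>UPDATE</action></record>
  <record><time>2014-09-30T10:15:01Z</time><user>carol</user><action>LOGON</action></record>
</auditTrail>
"""


def check_trail(xml_text: str, key_attr: str = "id", time_tag: str = "time") -> List[str]:
    """Return a list of findings; an empty list means the trail passed every check."""
    findings: List[str] = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as e:
        return ["not well-formed XML: %s" % e]       # the collector cannot use it; stop here
    seen: Dict[str, int] = {}
    last_ts = None
    for n, rec in enumerate(root.iter("record"), 1):
        key = rec.get(key_attr)                       # the field the collector uses for checkpointing
        if key is None:
            findings.append("record %d: missing unique key attribute %r" % (n, key_attr))
        elif key in seen:
            findings.append("record %d: duplicate key %r (first seen in record %d)" % (n, key, seen[key]))
        else:
            seen[key] = n
        text = rec.findtext(time_tag)
        try:
            ts = datetime.strptime(text or "", "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except ValueError:
            findings.append("record %d: timestamp %r is not ISO 8601 UTC" % (n, text))
            continue
        # A trail that goes backwards in time usually means a timezone or clock problem.
        if last_ts is not None and ts < last_ts:
            findings.append("record %d: timestamp %s goes backwards (previous %s)"
                            % (n, ts.isoformat(), last_ts.isoformat()))
        last_ts = ts
    return findings


if __name__ == "__main__":
    for finding in check_trail(TRAIL):
        print(finding)
```

Run against the constructed trail this reports the duplicate key, the non-ISO timestamp, the record without a key and the out-of-order timestamp; a trail that passes cleanly returns no findings, which is the state to be in before packaging with avpack.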

31 Q&A

32 Connect With Us
/OracleDatabase /OracleSecurity SecurityInsideOut KeyManagement Oracle Database Insider /Oracle/database /OracleLearning


