Oracle Beefs Up Database Firewall Product

Oracle has beefed up its Database Firewall to help system administrators combat SQL injection attacks

Enterprise software giant Oracle has updated its Database Firewall product to help companies block both malicious insiders and SQL injection attacks from accessing sensitive data.

The new release of Oracle Database Firewall introduces support for MySQL Enterprise Edition and new reporting capabilities, Oracle said on 9 January.

Breach Protection

The database firewall protects MySQL databases from data breaches without requiring the administrator to make any changes to the database infrastructure or to the underlying operating system running the database, Vipin Samar, vice president of database security at Oracle, told eWEEK. Developers also won’t have to modify existing applications to take advantage of the SQL injection defence capabilities, he said.

With MySQL support, the database firewall now supports Oracle’s own flagship product, Database 11g and earlier versions, as well as IBM DB2 for Linux, Unix and Windows, Microsoft SQL Server, Sybase Adaptive Server Enterprise and Sybase SQL Anywhere. Many enterprises use MySQL extensively for their database operations and Oracle added support for the open-source database due to customer demand, Samar said.

“With new MySQL support, Oracle Database Firewall extends the combination of databases that organizations can secure across their enterprise,” said Samar.

The Oracle Database Firewall establishes a “defensive perimeter” around databases, which would help administrators address threats such as SQL injection attacks, according to Samar. SQL injection attacks are commonly used by attackers exploiting a vulnerability in Web applications to access and extract data from a database. They are often carried out by submitting a malicious query through a form in the application, such as a comment box, which tricks the database into executing the query.

The grammar-based analytical engine compares the SQL queries being submitted with the queries it knows are within the parameters of “normal application behaviour” to identify any anomalies, Samar said. When the application sends a suspicious SQL query to the database, the firewall can block the query entirely, substitute it with a harmless query for the database to execute or just log it, depending on the severity, said Samar. The firewall can also issue alerts to administrators when necessary.

Poor Readiness

If the application is designed to obtain records from the customer table in the database, any query trying to get data from another table is automatically suspicious and can be stopped, Roxana Bradescu, senior director of security product management at Oracle, told eWEEK. Malicious queries, such as one that orders the elimination of entire data tables, can be automatically blocked, Bradescu said.
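The comparison against “normal application behaviour” and the block, substitute or log outcomes described above can be sketched as follows. This is an added illustration, not Oracle's implementation: the tokenizer, the learned statements, the policy order and every name in it (`decide`, `ALLOWED_TABLES`, `SAFE_SUBSTITUTE` and so on) are assumptions, and the sample statements are constructed.

```python
import re

# Crude SQL tokenizer: string literal, numeric literal, word, or single symbol.
_TOKEN = re.compile(r"(?P<str>'(?:[^']|'')*')|(?P<num>\b\d+(?:\.\d+)?\b)"
                    r"|(?P<word>[A-Za-z_]\w*)|(?P<sym>[^\s\w])")
TABLE_KEYWORDS = {"from", "join", "into", "update", "table"}
DESTRUCTIVE = {"drop", "truncate"}                  # assumed "always block" verbs
ALLOWED_TABLES = {"customer"}                       # the application's only table
SAFE_SUBSTITUTE = "SELECT 1 FROM DUAL WHERE 1 = 0"  # constructed harmless query

def tokens(sql):
    """Return (kind, text) pairs with every literal replaced by '?'."""
    out = []
    for m in _TOKEN.finditer(sql):
        kind = m.lastgroup
        out.append((kind, "?" if kind in ("str", "num") else m.group().lower()))
    return out

def shape(sql):
    """Structure of a statement, independent of the literal values in it."""
    return " ".join(text for _, text in tokens(sql))

def tables(sql):
    """Identifiers that directly follow a table-introducing keyword."""
    toks = tokens(sql)
    return {text for (_, prev), (kind, text) in zip(toks, toks[1:])
            if prev in TABLE_KEYWORDS and kind == "word"}

# "Learning" phase: shapes of statements the application normally sends
# (constructed sample).
ALLOWED_SHAPES = {shape("SELECT name, email FROM customer WHERE id = 1")}

def decide(sql):
    """Return (action, statement_to_forward) for one incoming statement."""
    if shape(sql) in ALLOWED_SHAPES:
        return "pass", sql                      # known-normal structure
    words = {text for kind, text in tokens(sql) if kind == "word"}
    if words & DESTRUCTIVE:
        return "block", None                    # e.g. eliminating a table
    if tables(sql) - ALLOWED_TABLES:
        return "substitute", SAFE_SUBSTITUTE    # reaches outside allowed tables
    return "log", sql                           # unknown shape: forward and alert

if __name__ == "__main__":
    for q in ("select name, email from customer where id = 42",
              "SELECT name, email FROM customer WHERE id = 42 OR 1=1",
              "SELECT name, email FROM customer WHERE id = 42 "
              "UNION SELECT login, pw FROM staff",
              "DROP TABLE customer"):
        print(decide(q)[0], "<-", q)
```

Because literals are replaced before comparison, the same statement with a different customer id still matches, while any input that changes the statement's structure no longer does.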

In a recent Independent Oracle Users Group survey, only 36 percent of respondents said that they have taken steps to ensure their applications are not susceptible to SQL injection attacks, according to Bradescu.

The firewall monitors application behaviour in real time to help prevent both SQL injection attacks and unauthorized internal attempts to access data, Samar said.

Oracle Database Firewall is also integrated with Oracle Advanced Security, which allows administrators to monitor all encrypted traffic going to the database for any potential threats.

The new reporting infrastructure in the firewall will help organisations address various regulatory compliance requirements, according to Samar. The new version has 10 new out-of-the-box reports specifically addressing privacy and regulatory mandates such as the Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry (PCI) Data Security Standard (DSS) and Sarbanes-Oxley. Oracle Business Intelligence Publisher customers can take advantage of all capabilities for authoring, managing and delivering highly formatted reports, the company said.

MySQL joined Oracle’s product portfolio when the database giant closed on its $7.4 billion (£4.8bn) deal for Sun Microsystems in January 2010. Sun originally acquired MySQL AB, the development team behind the open-source database, for approximately $1 billion (£645m) in 2008.