Oracle releases database firewall
Oracle's first database firewall has its origins in work done by Senerco, a company taken over by Oracle in mid-2010. The company says the firewall protects not only Oracle's own database, but also IBM's DB2 (LUW), Microsoft's SQL Server (2000, 2005 and 2008), and Sybase's ASE (12.5.4 and 15) or SQL Anywhere V10.
The product uses white lists and black lists containing permitted and prohibited SQL commands. Statements that are not included in the white list can be blocked, substituted or simply logged by the firewall. In a white paper, Oracle suggests using substitutions as the default operation as this will provide attackers with as little information as possible. For example, instead of
SELECT * FROM table the firewall could execute
SELECT * FROM table WHERE 'a'='b' which doesn't return any records. Similarly, instead of
DROP TABLE table, if the command
SELECT * FROM xxx was used it would make the database attempt to access a non-existent table and trigger an error message. All policies can be configured to allow specific statements based on factors such as IP address or time of day.
Reports about illegal SQL statements can be generated in various formats to comply with the SOX (Sarbanes-Oxley) or the credit card industry's PCI DSS regulations. The firewall can also detect database user privilege changes and analyse stored procedures.