Implementing Oracle Database Firewall

Student Guide
D72591GC10
Edition 1.0
August 2011
D73925
Oracle University and Counterhouse Consultants Ltd use only
THESE eKIT MATERIALS ARE FOR YOUR USE IN THIS CLASSROOM ONLY. COPYING eKIT MATERIALS FROM THIS COMPUTER IS STRICTLY PROHIBITED
Copyright 2011, Oracle and/or its affiliates. All rights reserved.

Authors
James Spiller
Donna Keesling

Technical Contributors and Reviewers
Tammy Bednar
Adam Bentley
Barbara Gingrande
Joel Goodman
Wolfgang Klinger
Wilson Lopez
Robert Mackowiak
James Orr
Narayanan T. Ramaswamy
Stuart Sharp

Editors
Anwesha Ray
Raj Kumar
Vijayalakshmi Narasimhan

Graphic Designer
Rajiv Chandrabhanu

Publishers
Syed Ali
Veena Narasimhan

Disclaimer
This document contains proprietary information and is protected by copyright and
other intellectual property laws. You may copy and print this document solely for your
own use in an Oracle training course. The document may not be modified or altered
in any way. Except where your use constitutes "fair use" under copyright law, you
may not use, share, download, upload, copy, print, display, perform, reproduce,
publish, license, post, transmit, or distribute this document in whole or in part without
the express authorization of Oracle.
The information contained in this document is subject to change without notice. If you
find any problems in the document, please report them in writing to: Oracle University,
500 Oracle Parkway, Redwood Shores, California 94065 USA. This document is not
warranted to be error-free.

Restricted Rights Notice
If this documentation is delivered to the United States Government or anyone using
the documentation on behalf of the United States Government, the following notice is
applicable:
U.S. GOVERNMENT RIGHTS
The U.S. Government's rights to use, modify, reproduce, release, perform, display, or
disclose these training materials are restricted by the terms of the applicable Oracle
license agreement and/or the applicable U.S. Government contract.

Trademark Notice
Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names
may be trademarks of their respective owners.

Contents




1 Introduction to Oracle Database Firewall
Objectives
Understanding How Data is Compromised: 2010 Data Breach Investigations Report
Understanding Oracle's Defense-in-Depth Security Approach
Oracle Database Security Solutions
Oracle Database Firewall
Positive Security Model-Based Enforcement
Negative Security Model-Based Enforcement
Oracle Database Firewall Architecture
Protected Databases
Enforcement Point Architecture
Basic Data Center Environment
Oracle Database Firewall In-Line Deployment
Oracle Database Firewall Out-of-Band Monitoring
Database Firewall Resilient Pairs
Management Server Resilient Pairs
Oracle Database Firewall Applications
Using the Oracle Database Firewall Administration Console
Using the Oracle Database Firewall Analyzer
Summary
Practice 1-1 Overview: Exploring the Practice Environment
Understanding the Classroom Configuration
Quiz

2 Deploying Oracle Database Firewall
Objectives
Installation Overview
Deploying an Oracle Database Firewall System
Deploying a Stand-Alone System
Oracle Database Firewall Managed Deployment
Deploying a Local Monitor
Deploying a Remote Monitor
Oracle Database Firewall Ports
Supported Database Management Systems
Installing Oracle Database Firewall and Oracle Database Firewall Management Server
Invoking the Installer
Creating a Password for the support User
Creating a Password for the sys User
Modifying a Network Device Connection
Configuring Network Settings
Setting the Management Link IP Address
Logging in to the Oracle Database Firewall Administration Console
Changing the admin User Account Password
Installing Oracle Database Firewall Analyzer
Oracle Database Firewall Sizing
Oracle Database Firewall Management Server Sizing
Summary
Practice 2-1 Overview: Installing Oracle Database Firewall
Practice 2-2 Overview: Changing the admin User Password
Practice 2-3 Overview: Installing the Oracle Database Firewall Analyzer
Quiz

3 Configuring Oracle Database Firewall
Objectives
Configuring a Stand-Alone Oracle Database Firewall
Configuring an Oracle Database Firewall Management Server System
Creating an Enforcement Point
Enable Network Bridge
Oracle Database Firewall Operational Modes
Oracle Database Firewall Logging
Oracle Database Firewall Logs
Creating System Administrator Users
Understanding System Administrator Capabilities
Creating a New User
Creating Password Policies
Configure Email Server
Configuring Email Alerts for Third-Party Connectors
Summary
Practice 3-1 Overview: Setting the Date and Time
Practice 3-2 Overview: Configuring Enforcement Points
Practice 3-3 Overview: Creating a New System Administrator User
Practice 3-4: Configuring Email Alerts
Quiz

4 Configuring Policies
Objectives
Oracle Database Firewall Policy Enforcement
Policy Enforcement Flow
Configuring Policies
Oracle Database Firewall Preconfigured Policies
Creating Policy Files
Custom Policy Development Overview
Enabling the Firewall Analyzer to Understand Database Usage
Creating a New Model
Creating a Model from Training
Setting Properties for Clusters
Setting Cluster Properties
Saving the Policy
Uploading the Policy
Specifying the Policy for the Enforcement Point
Refining the Policy
Baseline Anomalies
Sensitive Data Masking
Adding Login/Logout Policy
Summary
Practice 4-1 Overview: Starting the Collection Workload
Practice 4-2 Overview: Creating a Policy
Practice 4-3 Overview: Creating a Basic White List
Practice 4-4 Overview: Uploading and Applying the Policy
Practice 4-5 Overview: Executing Commands and Analyzing Results
Practice 4-6 Overview: Adding an Exceptions Policy
Quiz

5 Creating Advanced Configuration Policies
Objectives
Using Profiles
Defining Sets
Creating a Profile
Selecting a Profile in the Analysis Tab
Selecting a Profile in the Details Tab
Using a Novelty Policy
Novelty Policy Example
Creating a Novelty Policy
Summary
Practice 5-1 Overview: Creating a Policy for a New Application
Practice 5-2 Overview: Updating the Policy
Practice 5-3 Overview: Creating a Profile
Practice 5-4 Overview: Creating a Novelty Policy
Quiz

6 Reporting
Objectives
Oracle Database Firewall Reporting System Overview
Oracle Database Firewall Reporting System Architecture
Oracle Database Firewall Reporting
Using the Summary Reports
Using the Summary Compliance Reports
Using the Search Log Function
Using the Search Log Results
Viewing Log Search Results
Creating Audit Reports
Using the Search Log Results in Audit Reports
Generating the Audit Report
Reporting with Other Tools
Example: Reporting with SQL*Plus
Summary
Practice 6-1 Overview: Creating Summary Reports
Practice 6-2 Overview: Creating Audit Reports
Quiz

7 Stored Procedure Auditing
Objectives
Stored Procedure Auditing Overview
Stored Procedure Auditing Architecture
Creating Users and Setting Permissions
Enabling Stored Procedure Auditing
Auditing Changes to Stored Procedures
Viewing the Stored Procedure Audit Report
Viewing SPA Audit Reports
Viewing Pending Approvals and Taking Action
Summary
Practice 7-1 Overview: Creating a User for Stored Procedure Auditing
Practice 7-2 Overview: Enabling Stored Procedure Auditing
Practice 7-3 Overview: Running a Manual Audit and Approving Changes to Stored Procedures
Quiz

8 User Role Auditing
Objectives
User Role Auditing Overview
User Role Auditing Architecture
Creating Users and Setting Permissions
Enabling User Role Auditing
Auditing Changes to User Roles
Viewing the User Role Audit Report
Viewing URA Audit Reports
Viewing Pending Approvals and Taking Action
Summary
Practice 8-1 Overview: Creating a User for User Role Auditing
Practice 8-2 Overview: Enabling User Role Auditing
Practice 8-3 Overview: Running a Manual Audit and Approving Changes to User Roles
Quiz

9 Configuring and Using Local Monitoring
Objectives
Local Monitoring Overview
Oracle Database Firewall Architecture: Local Monitoring
Installing Oracle Database Firewall Monitoring Software
Installing Local Monitoring in an Oracle Database
Installing Local Monitoring in a Microsoft SQL Server Database
Installing Local Monitoring in a Sybase ASE Database
Enabling Local Monitoring
Summary
Practice 9-1 Overview: Installing the Local Monitoring Software in the Oracle Database
Practice 9-2 Overview: Enabling Local Monitoring
Practice 9-3 Overview: Viewing Local Monitored Traffic
Quiz

10 Configuring and Using Remote Monitoring
Objectives
Remote Monitoring Overview
Oracle Database Firewall Architecture: Remote Monitoring
Prerequisites for Remote Monitoring
Configuring the Remote Monitor in the Administration Console
Download Configuration File
Contents of the remote-agent.conf file
Executing the Remote Monitoring Script
Verifying that the Remote Monitor is Active
Summary
Practice 10-1 Overview: Configuring the Remote Monitor
Practice 10-2 Overview: Executing the Remote Monitor Script
Practice 10-3 Overview: Viewing Remote Traffic
Quiz

11 Additional System Management Tasks
Objectives
Understanding Processed Traffic Log File Space Management
Archiving Data
Configuring a Destination
Manually Archive
Scheduling an Archive Job
Restoring from an Archive
Configuring syslog Logging
Deleting Logs and History
Summary
Practice 11-1: Defining the Archive Destination
Practice 11-2: Performing a Manual Archive
Quiz

Introduction to Oracle Database Firewall
Objectives
After completing this lesson, you should be able to do the following:
- Describe Oracle Database security solutions
- Describe Oracle Database Firewall architecture
- Describe Oracle Database Firewall deployment options
- Describe Oracle Database Firewall applications

Understanding How Data is Compromised: 2010 Data Breach Investigations Report

The 2010 Data Breach Investigations Report published by the Verizon Risk Team showed
that 98% of data breached came from servers. Launching successful attacks on larger
repositories can result in a more lucrative payday for the perpetrator. Application
environments, data warehouses, and databases in general are becoming larger and more
critical to business operations and thus pose a tempting target. Although organized crime has
become a major player in data breaches, insiders still account for a substantial number of
data breaches. The 2010 Data Breach Investigations Report also noted that privilege misuse
and hacking were the most common ways breaches occurred, and frequently leveraged lost
or stolen credentials and application SQL injection vulnerabilities to gain unauthorized access.

Securing data on servers requires multiple layers of protection spanning both technical and
administrative functions. Simple preventive measures such as disabling unused accounts and
prohibiting shared administrative accounts go a long way toward raising the security bar. In
addition, solutions such as encryption and privileged user controls inside the database play
an important part in securing applications. Those solutions, however, do not monitor the SQL
sent to the database over the trusted connection path. Oracle Database Firewall enables
perimeter security controls, providing a first line of defense around Oracle and non-Oracle
databases.

Understanding Oracle's Defense-in-Depth Security Approach

- Monitor and block threats before they reach the database
- Track changes and audit database activity
- Control access to data within the database
- Prevent access by non-database users
- Implement with:
  - Transparency: No changes to existing applications
  - High performance: No measurable impact on applications
  - Accuracy: Minimal false positives and negatives

Defense-in-depth data security means looking at data security holistically. To do that, one
needs to look at the entire life cycle of the data, where the data resides, what applications
access the data, who is accessing the data and under what conditions, and ensure that the
systems have been properly configured.

Oracle Corporation provides a comprehensive and transparent defense-in-depth security
architecture to help address the complex security and regulatory challenges found in today's
global economy. Oracle Advanced Security and Oracle Data Masking provide encryption and
de-identification solutions for sensitive data, protecting data at rest from unauthorized access
and reducing risk of data exposure in non-production environments. Oracle Database Vault
enforces strong operational controls in the Oracle database, providing a highly secure
environment for applications and helping address security issues associated with data
consolidation and outsourcing. Oracle Audit Vault securely consolidates and monitors
database audit data from Oracle and non-Oracle databases. Oracle Database Firewall
monitors inbound SQL traffic to Oracle and non-Oracle databases, helping prevent
unauthorized SQL and SQL injection attacks.

Oracle Database Security Solutions

[Figure labels: Applications; Network SQL Monitoring and Blocking; Audit Consolidation; Encrypted Backups; Encrypted Traffic; Data Masking; Sensitive, Confidential, Public; Multi-factor Authorization; DB Consolidation Security; Unauthorized DBA Activity; Encrypted Database]

Oracle Database Firewall is the first line of defense for databases, providing real-time
monitoring of database activity on the network. Highly accurate SQL grammar-based
technology blocks unauthorized transactions, helping prevent internal and external attacks
from reaching the database.

Oracle Database provides robust audit support. Audit records include information about the
operation that was audited, the user performing the operation, and the date and time of the
operation. Audit records can be stored in the database audit trail or in operating system files.
Standard auditing includes operations on privileges, schemas, objects, and statements.
Oracle Audit Vault automates the audit collection, monitoring and reporting process, turning
audit data into a key security resource for detecting unauthorized activity.

Transparent Data Encryption is one of the three components of the Oracle Advanced Security
option, providing transparent encryption of stored data to support your compliance efforts.

Oracle provides robust support for encrypting entire database backups. Encryption is the only
defense when it comes to protecting business data when it is transported on tape or disk to
offsite storage for safekeeping. Oracle Corporation provides two solutions for encrypting
database backups: Oracle RMAN and Oracle Secure Backup.

Enterprises run the risk of breaching sensitive information when copying production data into
non-production environments for the purposes of application development, testing or data
analysis. Oracle Data Masking Pack helps reduce this risk by irreversibly replacing the original
sensitive data with fictitious data so that production data can be shared safely with IT
developers or offshore business partners. Accessible via Oracle Enterprise Manager, this
Management Pack provides end-to-end secure automation for provisioning test databases from
production in compliance with regulations.

Oracle Database Security Solutions

Oracle Database security solutions:
- Monitor and block threats before they reach the database
- Track changes and audit database activity
- Control access to data within the database
- Prevent access by non-database users
- Provide transparency, superior performance, and accuracy
[Figure: Oracle Database security products grouped by category: Monitoring & Blocking (Database Firewall); Access Control (Database Vault, Label Security, Identity Management); Auditing & Tracking (Audit Vault, Configuration Management, Total Recall); Encryption & Masking (Advanced Security, Secure Backup, Data Masking)]

Monitoring and Blocking
- Oracle Database Firewall: Monitors network SQL traffic before it reaches Oracle and
  non-Oracle databases, helping to provide a first line of defense against SQL injection and
  other unauthorized SQL
Access Control
- Oracle Database Vault: Enforces strong operational security controls inside the Oracle
  database, preventing ad-hoc access to application data, changes to application structures,
  and access to application data by privileged users
- Oracle Label Security: Enforces data classification-based access control at the row level and
  multi-level security for government and defense organizations
- Oracle Identity Management: Allows enterprises to manage the end-to-end life cycle of user
  identities across all enterprise resources both within and beyond the firewall
Auditing and Tracking
- Oracle Audit Vault: Reports and alerts on audit data from Oracle and non-Oracle databases,
  enforcing the trust-but-verify principle and helping organizations simplify and reduce the cost
  of compliance reporting
- Oracle Enterprise Manager Configuration Management Pack: Maintains a secure configuration
  for Oracle software installations, periodically scanning for security-related configuration
  settings
- Oracle Total Recall: Provides a history of changes to sensitive data for forensic analysis
Encryption and Masking
- Oracle Advanced Security Transparent Data Encryption (TDE): Transparently encrypts Oracle
  database data before writing it to disk, protecting sensitive application data from direct
  access at the operating system level and on backup media
- Oracle Secure Backup: Transparently encrypts data during the backup process to tape media,
  protecting the data in the event the tapes are lost or stolen
- Oracle Data Masking: Offline data de-identification solution that substitutes production data
  with anonymous data values, protecting sensitive data from unnecessary exposure in
  development and test environments

Oracle Database Firewall

Oracle Database Firewall provides the first line of defense by:
- Monitoring database activity to help prevent unauthorized activity, application bypass,
  and SQL injections
- Providing highly accurate SQL grammar-based analysis
- Enforcing white list, black list, and exception list-based security policies
- Generating built-in and custom compliance reports
[Figure labels: Applications; Policies; Allow; Log; Alert; Substitute; Block; Built-in Reports; Custom Reports; Alerts; Microsoft; Sybase; Oracle; IBM]

Oracle Database Firewall is an active, real-time database firewall solution that provides white
list, black list and exception list policies, intelligent and accurate alerts, and monitoring with
very low management and administrative costs. Oracle Database Firewall is independent of
the database configuration and operation.

Unlike traditional SQL firewalls that relied on identifying out-of-policy SQL using strategies
such as regular expressions, string matching, and schema comparison, Oracle Database
Firewall delivers intelligent database firewall security, enabling policies to be set and adapted
quickly and accurately. Organizations can choose to deploy Oracle Database Firewall in
blocking mode as a database policy enforcement system to protect their database assets, or
to just monitor database activity for supplemental auditing and compliance purposes.

Oracle Database Firewall monitors data access, enforces access policies, highlights
anomalies, and helps protect against network-based attacks originating from outside or inside.
Attacks based on SQL injection can be blocked by comparing SQL against the approved
white list of application SQL. Oracle Database Firewall is unique and offers organizations a
first line of defense, protecting databases from threats and helping meet regulatory
compliance requirements.

Positive Security Model-Based Enforcement

- White list-based policies:
  - Enforce normal or expected behavior
  - Evaluate factors such as time, day, network, and application
- Applications can self-generate white lists
- Out-of-policy SQL statements can be logged, alerted, blocked or substituted with a
  harmless SQL statement
[Figure labels: Applications; White List; Allow; Block]

Oracle Database Firewall enforces zero-defect database security policies using a white list
security model. The white list policy is a set of approved SQL statements that can be sent to
the database. Oracle Database Firewall compares SQL traffic with the approved white list and
then, based on the policy, chooses to block, substitute or alert on the SQL statement.
The positive security model is the preferred method for Oracle Database Firewall policy
enforcement.
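
The white list comparison described above, as an added Python example (not Oracle's code or policy format). Literal stripping stands in for the product's grammar-based analysis; the class and function names, the way the network factor is combined with the white list, the substitute statement and the sample traffic are all assumptions constructed for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

# Simplified stand-in for grammar-based analysis (assumption, not the product's
# parser): tokenize the statement and replace each literal with a placeholder,
# so statements that differ only in data values fall into the same cluster.
_TOKEN = re.compile(
    r"""(?P<str>'(?:[^']|'')*')            # string literal, '' is an escaped quote
      | (?P<comment>--[^\n]*|/\*.*?\*/)    # SQL comment
      | (?P<num>\b\d+(?:\.\d+)?\b)         # numeric literal
      | (?P<ws>\s+)
      | (?P<word>[A-Za-z_][A-Za-z0-9_]*)   # keyword or identifier
      | (?P<op>.)                          # any other single character
    """,
    re.VERBOSE | re.DOTALL,
)


def cluster_key(sql: str) -> str:
    """Return the literal-free structure of a SQL statement."""
    parts = []
    for m in _TOKEN.finditer(sql):
        kind = m.lastgroup
        if kind == "ws":
            continue
        if kind == "str":
            parts.append("'?'")
        elif kind == "num":
            parts.append("0")
        elif kind == "comment":
            parts.append("<comment>")  # kept, so an unexpected comment changes the key
        elif kind == "word":
            parts.append(m.group().upper())
        else:
            parts.append(m.group())
    return " ".join(parts)


@dataclass
class Decision:
    action: str                   # "allow", "alert", "block" or "substitute"
    forwarded_sql: Optional[str]  # statement the database would receive, if any


@dataclass
class WhiteListPolicy:
    client_networks: list                 # approved source networks (network factor)
    out_of_policy_action: str = "block"
    substitute_sql: str = "SELECT 1 FROM dual WHERE 1 = 0"  # constructed harmless statement
    clusters: set = field(default_factory=set)

    def train(self, statements):
        """Build the white list from SQL captured while the application runs normally."""
        for sql in statements:
            self.clusters.add(cluster_key(sql))

    def evaluate(self, sql: str, client_ip: str) -> Decision:
        ip = ipaddress.ip_address(client_ip)
        from_approved_network = any(ip in net for net in self.client_networks)
        if from_approved_network and cluster_key(sql) in self.clusters:
            return Decision("allow", sql)
        if self.out_of_policy_action == "alert":
            return Decision("alert", sql)  # monitoring only: forward and raise an alert
        if self.out_of_policy_action == "substitute":
            return Decision("substitute", self.substitute_sql)
        return Decision("block", None)


# Constructed sample traffic (not from the course material).
APP_NETWORK = ipaddress.ip_network("10.0.5.0/24")
TRAINING = [
    "SELECT name, price FROM products WHERE id = 17",
    "select name, price from products where id = 42",
    "SELECT * FROM orders WHERE customer = 'alice' AND status = 'open'",
    "UPDATE orders SET status = 'shipped' WHERE order_id = 1001",
]


def demo():
    policy = WhiteListPolicy(client_networks=[APP_NETWORK])
    policy.train(TRAINING)
    samples = [
        ("10.0.5.20", "SELECT name, price FROM products WHERE id = 99"),
        # Injected condition changes the statement structure, so it is out of policy.
        ("10.0.5.20", "SELECT * FROM orders WHERE customer = '' OR '1'='1' AND status = 'open'"),
        ("10.0.5.20", "DROP TABLE orders"),
        # Approved statement, but from a network outside the policy.
        ("192.168.9.9", "SELECT name, price FROM products WHERE id = 99"),
    ]
    return [policy.evaluate(sql, ip).action for ip, sql in samples]


if __name__ == "__main__":
    print(demo())
```

Because the decision is made on the statement's structure, no pattern for the injected text has to be known in advance; anything that was not observed during training is out of policy.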

Negative Security Model-Based Enforcement

- Stop specific unwanted SQL commands, user, or table access
- Prevent privilege or role escalation and unauthorized access to sensitive data
- Black list policies can evaluate factors such as day, time, network, and application
[Figure labels: Applications; Black List; Allow; Block]

In addition to the white list (positive security) enforcement model, Oracle Database Firewall
also supports a black list model that enables policies to specify blocking of specific SQL
statements. As with white list policies, black list policies can be configured to allow specific
statements based on factors such as IP address, time of day, and program.
The negative security model tends to incur more overhead, and therefore is not the
recommended policy enforcement model when using Oracle Database Firewall.

Oracle Database Firewall Architecture

[Figure labels: Database Clients and Applications; Database Firewall; Database Firewall (HA Mode); Remote/Local Monitor; Database Firewall Management Server; Database Firewall Analyzer; Protected Databases]

An Oracle Database Firewall system can consist of the following components:
- Database clients and applications: Generate the SQL statements to be monitored
- Database Firewall: The server that runs the Oracle Database Firewall software. Each
  Database Firewall collects SQL data from SQL databases, and then sends this SQL
  data to the Database Firewall Management Server to be analyzed through reports.
- Database Firewall Management Server: Aggregates and reports on logs from multiple
  Oracle Database Firewalls, and provides centralized policy management
- Oracle Database Firewall Analyzer: Enables users to develop baselines (policies) and
  log SQL statements to be analyzed
- Oracle Database Firewall Administration Console: Web browser-based application
  that you use to configure, manage, and monitor Oracle Database Firewall. It is available
  on each Database Firewall (either stand-alone or managed) and Management Server.
- Protected database: Database that is being monitored by Oracle Database Firewall. A
  protected database can be an Oracle, Sybase ASE, Sybase SQL Anywhere, IBM DB2
  UDB or Microsoft SQL Server database.
- Remote monitor: Captures network traffic on the database host and sends it to the
  Oracle Database Firewall
- Local monitor: Captures non-network traffic on the database host and sends it to the
  Oracle Database Firewall

You can configure pairs of Database Firewalls or pairs of Database Firewall Management
Servers, or both, to provide a high-availability system architecture. These pairs are known as
resilient pairs.
Implementing Oracle Database Firewall 1 - 14
A protected database is defined by the combination of IP address and port number.
A protected database is defined by the:
- IP address
- TCP port number
[Figure: Database Clients and Applications; Database Firewall; Database Firewall Management Server; Database Firewall Analyzer; Protected Databases, defined by the IP address and TCP port combination]
An enforcement point is an Oracle Database Firewall container that stores the settings that
enforce the Database Firewall policies that you create. The enforcement point takes the SQL
statements collected from the network traffic and decides how to handle them. In effect, the
enforcement point defines the relationship between the database and the policy.
Enforcement Point Architecture
[Figure: Database Firewall; Protocol; SQL Analysis; Settings and Policy; Statement substitution; Operating System; Enforcement Point; Protected Databases]
Each Database Firewall can have multiple enforcement points. Each enforcement point will
apply to one or more databases. You can configure multiple databases to use one
enforcement point. All the databases protected by the same enforcement point must be of the
same database server type.
Note: A protected database is defined by the combination of IP address and port number.
The term database in the context of this page is used in the way that it is defined for Microsoft
SQL Server and Sybase. With Microsoft SQL Server and Sybase, there is one database
engine instance per enforcement point because there can be multiple databases per instance.
With Oracle Database, there is only one database per enforcement point because there is
only one database per database engine instance. But if multiple Oracle instances are using
one listener, all on the same port, the Database Firewall cannot distinguish to which instance
the traffic is being sent.
Oracle Database Firewall also enables you to pair two enforcement points. This configuration
would be appropriate in a high-availability architecture that employs two data centers in
different locations, each with a local database viewed from the client applications as a single
database.
Enforcement Point Architecture
[Figure: Database Firewall with Enforcement Points 1, 2 and 3 and Policies 1, 2 and 3; Protected Database 1, Protected Database 2 and further Protected Databases, each labelled with a Database Address (IP:Port)]
The diagram on the slide is a very simplified version of the data center showing an external
firewall separating the Internet from the Intranet, a set of core network switches or routers, a
set of distribution network switches, and a set of databases.
The following network definitions aid in understanding the placement of Oracle Database
Firewall in the diagrams on the next few pages:
A bridge is a device that transmits network packets from one network segment to
another. A bridge will pass all network traffic from one segment to the other.
A router is a more sophisticated device that has software or hardware that analyzes
each packet for source and destination addresses, and passes it only to the segment
where it is intended. Routers often include some type of firewall capability.
A span port is typically a port on a network router that can see all the network traffic that
passes through the device. This port is also called a mirror port because it gets a copy
of the packets. Traffic is segregated in a network router. The IP address of the incoming
packet determines which port it will go out on. Only the traffic intended for the segment
served by a particular port will be transmitted on that port. To monitor all the traffic
through a router, span ports or mirror ports can be created that can 'see' all the network
traffic or the traffic for particular segments.
Basic Data Center Environment
[Figure: WAN; Firewall; Syslog, SIEM, Management; Core; Distribution; Network Switch; Protected Database]
In this configuration, Oracle Database Firewall is deployed in-line to protect all databases from
traffic entering and leaving the data center. The Database Firewall has one or more bridges.
Each bridge uses two network interface cards to connect two network segments. With an in-line
deployment, the SQL traffic is passed through the Oracle Database Firewall and inspected
before it is either forwarded to the database or blocked. This configuration is
required for protecting the database from SQL injection and similar attacks using malicious
SQL code.
There are two placements for the Database Firewall shown in this diagram. Typically you
would choose one. The first places the Database Firewall between the core network switches
and the distribution switches. This configuration may require multiple Database Firewall
installations to allow enough network interfaces and enforcement points. The second
configuration places the Database Firewall between the distribution network switch and each
of the protected databases.
In both cases, the subnet of the bridge in the Database Firewall is the same as the subnet of
the two devices to which the Database Firewall bridge is connected. The number of bridges
depends on the number of network segments to be protected, with two interfaces for each
bridge. The number of Database Firewalls needed will depend on the number of interfaces
and the total number of statements per second relative to the memory and processing power
available.
Oracle Database Firewall In-Line Deployment
[Figure: WAN; Firewall; Syslog, SIEM, Management; Firewall Management Server; Core; Database Firewall Enforcement Points; Distribution; Network Switch; Protected Database]
In this configuration, Oracle Database Firewall is deployed out-of-band to provide real-time
monitoring, alerting, and reporting. With an out-of-band deployment, the SQL traffic is sent
directly to the database while a copy is sent to Oracle Database Firewall, usually by means
of a span port. Auditing can be provided for all traffic within the data center.
Out-of-band monitoring cannot block SQL traffic. This configuration allows you to monitor SQL
traffic for compliance. The Database Firewall can warn and alert for out-of-policy SQL
statements, but cannot block SQL traffic in this configuration.
There are two placements for the Database Firewall shown in this diagram. Typically you
would choose one. The first places the Database Firewall on a bridged or span port on the
core network switches. This configuration may require multiple Database Firewall installations
to allow enough network interfaces and enforcement points. The second configuration places
the Database Firewall on a span or bridged port of the distribution network switch for each of
the protected databases.
Oracle Database Firewall Out-of-Band Monitoring
[Figure: WAN; Firewall; Syslog, SIEM, Management; Firewall Management Server; Core; Database Firewall Monitoring Points; Distribution; Network Switch; Protected Database]
To provide a high-availability system architecture, you can configure pairs of Database
Firewalls. During system configuration, one device is designated as the primary device and
the other is the secondary device. The primary device carries out all normal operations. The
secondary device monitors traffic and provides alerts only when the primary device fails. This
is a monitoring-only configuration: both Database Firewall appliances are in an out-of-band
configuration. Blocking of SQL traffic is not possible.
Database Firewall Resilient Pairs
[Figure: Database Clients and Applications; Network Switch; Protected Database; two Oracle Database Firewalls labelled Resilient Pair; Oracle Database Firewall Management Server]
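The following added example (not Oracle's code and not a Database Firewall API) checks a planned deployment against the constraints this guide states: a protected database is identified only by its IP address and port, all databases behind one enforcement point must be of the same server type, and only an in-line placement can block SQL. The class names, mode labels, finding codes and the sample plan are assumptions made for the illustration; the local-monitor and remote-monitor entries reflect the guide's statements in the deployment lesson that those monitors do not block.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address

# Whether a placement can block SQL, as the guide states it: only an in-line
# bridge inspects traffic before forwarding it; the other placements work on
# a copy. The mode labels themselves are names chosen for this example.
CAN_BLOCK = {
    "in-line": True,
    "out-of-band": False,
    "resilient-pair": False,   # both appliances sit out-of-band
    "local-monitor": False,
    "remote-monitor": False,
}
POLICY_ACTIONS = {"block", "alert", "log", "permit"}


@dataclass(frozen=True)
class ProtectedDatabase:
    name: str      # report label only; the firewall's identity is IP:port
    db_type: str   # e.g. "oracle", "mssql", "sybase-ase", "db2"
    ip: str
    port: int


@dataclass(frozen=True)
class EnforcementPoint:
    name: str
    mode: str
    actions: frozenset   # policy actions this point is expected to take
    databases: tuple     # ProtectedDatabase entries behind this point


def validate_plan(points):
    """Return sorted (scope, code, detail) findings for a deployment plan."""
    findings = []
    by_address = defaultdict(list)   # (ip, port) -> ["point/database", ...]
    for ep in points:
        unknown = sorted(set(ep.actions) - POLICY_ACTIONS)
        if unknown:
            findings.append((ep.name, "unknown-action", ",".join(unknown)))
        if ep.mode not in CAN_BLOCK:
            findings.append((ep.name, "unknown-mode", ep.mode))
        elif "block" in ep.actions and not CAN_BLOCK[ep.mode]:
            # The policy expects an action this placement cannot perform.
            findings.append((ep.name, "block-not-enforceable", ep.mode))
        types = sorted({d.db_type for d in ep.databases})
        if len(types) > 1:
            findings.append((ep.name, "mixed-db-types", ",".join(types)))
        for d in ep.databases:
            try:
                ip = str(ip_address(d.ip))   # normalise and reject junk
            except ValueError:
                findings.append((ep.name, "bad-address", f"{d.name}={d.ip}"))
                continue
            if not 1 <= d.port <= 65535:
                findings.append((ep.name, "bad-port", f"{d.name}={d.port}"))
                continue
            by_address[(ip, d.port)].append(f"{ep.name}/{d.name}")
    for (ip, port), users in by_address.items():
        if len(users) > 1:
            # One IP:port is one protected database to the firewall, so these
            # entries (e.g. Oracle instances behind one listener) collapse.
            findings.append((f"{ip}:{port}", "indistinguishable",
                             ",".join(sorted(users))))
    return sorted(findings)


# Constructed plan; addresses are from the 192.0.2.0/24 documentation range
# and the ports are common vendor defaults, not values from the guide.
SAMPLE_PLAN = [
    EnforcementPoint("ep-hr", "in-line", frozenset({"block", "alert"}), (
        ProtectedDatabase("hr", "oracle", "192.0.2.10", 1521),)),
    EnforcementPoint("ep-audit", "out-of-band", frozenset({"block", "log"}), (
        ProtectedDatabase("crm", "mssql", "192.0.2.20", 1433),
        ProtectedDatabase("erp", "sybase-ase", "192.0.2.21", 5000))),
    EnforcementPoint("ep-shared", "in-line", frozenset({"alert", "log"}), (
        ProtectedDatabase("orcl1", "oracle", "192.0.2.30", 1521),
        ProtectedDatabase("orcl2", "oracle", "192.0.2.30", 1521))),
    EnforcementPoint("ep-pair", "resilient-pair", frozenset({"alert"}), (
        ProtectedDatabase("pay", "oracle", "192.0.2.40", 1521),)),
]

if __name__ == "__main__":
    for scope, code, detail in validate_plan(SAMPLE_PLAN):
        print(f"{scope:18} {code:22} {detail}")
```

On the constructed plan, the check flags the out-of-band point that is expected to block, the point that mixes two server types, and the two Oracle entries that share one listener address.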
You can configure a pair of Database Firewall Management Servers for an Oracle Database
Firewall system. The main benefit of a resilient pair of Oracle Database Firewall Management
Servers is that it provides continuous service to generate reports, monitor system status, and
change configuration settings in the event of a failure of the primary Oracle Database Firewall
Management Server.
The secondary Oracle Database Firewall Management Server obtains its configuration
settings automatically from the primary. To ensure that settings remain consistent between
the two devices, the Administration Console allows configuration settings to be saved only
from the primary Oracle Database Firewall Management Server.
Management Server Resilient Pairs
[Figure: Database Clients and Applications; Network Switch; two Oracle Database Firewalls; two Protected Databases; two Oracle Database Firewall Management Servers labelled Resilient Pair]
The Oracle Database Firewall Administration Console is a Web browser-based application
that you can use to configure, manage, and monitor Oracle Database Firewall. The
Administration Console is available on each Database Firewall and Management Server.
The Oracle Database Firewall Analyzer is a Microsoft Windows-based application that you
can use to define policies.
Oracle Database Firewall Applications
Use the following applications to configure and administer the Oracle Database Firewall system:
- Oracle Database Firewall Administration Console: Configure, manage, and monitor Oracle Database Firewall
- Oracle Database Firewall Analyzer: Create policies that Database Firewalls use
The Oracle Database Firewall Administration Console is used to configure, manage, and
monitor an Oracle Database Firewall system. Reporting capabilities are also provided in the
Administration Console. Detailed information on the features and usage of the Oracle
Database Firewall Administration Console is provided in the lesson corresponding to the
feature.
Using the Oracle Database Firewall Administration Console
The Oracle Database Firewall Administration Console is a browser-based application used to
configure, manage, and monitor Oracle Database Firewall.
The Oracle Database Firewall Analyzer is used to create the policy that the Database
Firewalls use to block, alert, log or permit SQL statements for the database. Detailed
information on using the Oracle Database Firewall Analyzer to create policies is provided in
the lesson titled Configuring Policies.
Using the Oracle Database Firewall Analyzer
The Oracle Database Firewall Analyzer is used to create policies that Database Firewalls
use to block, alert, log or permit SQL statements.
Summary
In this lesson, you should have learned how to:
- Describe Oracle Database security solutions
- Describe Oracle Database Firewall architecture
- Describe Oracle Database Firewall deployment options
- Describe Oracle Database Firewall applications
In this practice, you will start the database instance and Oracle Database Firewall virtual
machines. You will also record the IP addresses that are being used by each machine and the
Microsoft Windows host.
Practice 1-1 Overview: Exploring the Practice Environment
This practice covers the following topics:
- Starting the Oracle VM VirtualBox virtual machines
- Starting the Oracle Database instance and listener
- Determining the IP addresses for:
  - The database server virtual machine (VM)
  - The Oracle Database Firewall VM
- Testing the connectivity between the client on the Microsoft Windows host and the database server VM
There are two virtual machines in the classroom. One is for the Oracle Database Firewall
appliance and the other is a database server. The MS Windows host is acting as the source
of the client-generated SQL and also as the host for the Database Firewall Analyzer.
The database has a network connection that can only communicate on an internal network.
The only adapter it can connect to is the internal network adapter configured in the Database
Firewall virtual machine. The Database Firewall must be configured to be a bridge to allow
any communication between the client and the database in the classroom environment.
In the VirtualBox environment a host-only adapter can communicate with the host machine,
and any other host-only adapter that uses the same gateway. The gateway in the classroom
is the Windows host.
The Database Firewall management link is set in the network configuration as part of the
installation process. This is shown in the lesson titled "Deploying Oracle Database Firewall".
The bridge IP address is not set and is disabled by default when the enforcement point is
created, and must be changed in the Administration Console as shown in Activity Guide
"Configuring Enforcement Points".
Understanding the Classroom Configuration
[Figure: classroom network. Labels, in the order extracted: Oracle Database Firewall; Management Interface; Microsoft Windows client; Host-Only Network Adapter; Bridge 0; Internal Network Adapter (intnet); Client, IP Address: 192.168.36.1; DB01, IP Address: 192.168.36.203; IP Address: 192.168.36.220; IP Address: 10.228.10.200; Host-Only Network Adapter; DBDIRECT, IP Address: 10.228.10.103; Host-only adapter; intnet; IP Address: 10.228.10.1]
Answer: b
Even though A is true, it is not the major functional difference. C and D are not true because
the out-of-band deployment cannot block SQL traffic.
Quiz
The Oracle Database Firewall may be deployed in-line or out-of-band. What is the major
difference in functionality between the two?
a. Out-of-band deployment can be configured with resilient pairs of Database Firewalls,
   in-line deployment cannot.
b. In-line deployment can block SQL traffic, out-of-band deployment cannot.
c. Out-of-band deployment can block, warn, and send alerts on SQL traffic; in-line
   deployment cannot send alerts.
d. In-line deployment can monitor without blocking SQL traffic; out-of-band can monitor
   and block traffic.
Deploying Oracle Database Firewall
Objectives
After completing this lesson, you should be able to do the following:
- Install Oracle Database Firewall
- Install Oracle Database Firewall Management Server
- Install Oracle Database Firewall Analyzer
Oracle Database Firewall is an appliance. The Oracle Database Firewall software is
installed on a bare machine. The software includes the Oracle Enterprise Linux operating
system and the default configuration.
Once installed, the appliance is configured and maintained through the Oracle Database
Firewall Administration Console web interface.
The following are two basic installations:
- The Database Firewall and Management Server in one system
- The Database Firewall on one system and the Management Server on another
The Database Firewall Management Server is also an appliance.
When the Management Server is installed by itself, the Management Server on the
Database Firewall is disabled.
Installation Overview
- Oracle Database Firewall is an appliance.
- Installation software includes the Oracle Enterprise Linux operating system.
- There are two installation configurations:
  - Oracle Database Firewall and Management Server combined
  - Oracle Database Firewall Management Server alone
- Installation performs basic configuration.
- Additional configuration and maintenance tasks are performed through the Administration Console web interface.
In the simplest configuration, a stand-alone deployment, you install the Database Firewall
onto one Linux server, which uses an Oracle Linux environment. Then, you install the
Firewall Analyzer onto a client Microsoft Windows computer.
A more common scenario is the managed deployment where you install one or more
Database Firewalls, each onto a separate server, and one Database Firewall Management
Server onto a separate server. In this scenario, all the Database Firewall servers
communicate with one central Database Firewall Management Server. In turn, one or more
protected databases connect through each Database Firewall. You can install as many
Database Firewalls as your site needs.
Deploying an Oracle Database Firewall System
[Figure, two panels. Oracle Database Firewall Stand-Alone Deployment: Oracle Database Firewall and Oracle Database Firewall Management Server on one x86 host; Oracle Database Firewall Analyzer on a Microsoft Windows client. Oracle Database Firewall Managed Deployment: Oracle Database Firewall Analyzer on a Microsoft Windows client; Oracle Database Firewall Management Server on an x86 host; Oracle Database Firewalls on x86 hosts.]
In a stand-alone system, there is one server containing both the Database Firewall and the
Management Server. In this scenario, you can manage multiple enforcement points to
monitor or protect multiple databases.
Note: It is recommended that each enforcement point has only one database engine.
Deploying a Stand-Alone System
[Figure: Database Clients and Applications; Database Firewall; Database Firewall Management Server; Database Firewall Analyzer; two Protected Databases]
A more common deployment scenario is the managed deployment, where there are multiple
Database Firewalls and the Management Server is on a separate x86 host. Each Database
Firewall can monitor or block the SQL traffic to multiple databases.
Oracle Database Firewall Managed Deployment
[Figure: Database Clients and Applications; two Database Firewalls; Database Firewall Management Server; Database Firewall Analyzer; two Protected Databases]
If you want to monitor SQL data originating from a local connection to the database server
and not through the network, then you can install the local monitoring software into the
protected database. (Be aware that local monitoring does not block SQL statements.) Then,
configure this database to communicate directly with a Database Firewall, which in turn
sends this SQL data to a Management Server.
Deploying a Local Monitor
[Figure: Database Clients and Applications; Database Firewall; Database Firewall Management Server; Database Firewall Analyzer; three groups of databases labelled Microsoft, Sybase, Oracle; Local Monitor]
If you have many small databases in a distributed environment and you want Oracle
Database Firewall to monitor all of these small databases centrally, then you can install a
remote monitor on a Linux, UNIX, or AIX database. Be aware that remote monitoring does
not block SQL statements. The remote monitor is an agent that runs as root on the
database server. The remote monitor collects and sends the observed database SQL traffic
over the network to a Database Firewall that manages the remote monitor installations.
Deploying a Remote Monitor
[Figure: Database Clients and Applications; Database Firewall; Database Firewall Management Server; Database Firewall Analyzer; three groups of databases labelled Microsoft, Sybase, Oracle; Remote Monitor]
Oracle Database Firewall uses the ports as listed on the slide.
Each port has a specific use. The secure shell port is configured for only the support OS
user. The Oracle Database Administration Console connects through port 443 using HTTPS.
Syslog uses port 514 for UDP traffic. If you are using syslog with TCP, you will define your
own port.
Oracle Database Firewall Ports
Port Number   Description
22            Secure shell (encryption enabled)
443           Oracle Database Administration Console
514           Syslog
1514          Oracle Database Firewall to Management Server
4560          Oracle Database Firewall Analyzer
The database management systems listed on the slide are supported as protected
databases with Oracle Database Firewall version 5.0.
Supported Database Management Systems
Database Management System                Versions
Oracle Database                           8i, 9i, 10g, 11g
IBM DB2                                   9.x (Linux, UNIX, and Microsoft Windows)
Microsoft SQL Server                      2000, 2005, 2008
Sybase Adaptive Server Enterprise (ASE)   12.5.4 15.0.x
Sybase SQL Anywhere                       10.1.1
The Oracle Database Firewall and Oracle Database Firewall Management Server are two
separate components. They can be installed together on a single machine, or separately on
two distinct machines. In either case, the entire machine is taken by the installation. The
installation process overwrites the primary disk, installing Oracle Enterprise Linux as the
operating system on that machine. When the Database Firewall is installed, the
Management Server is also installed.
When the Management Server is installed separately, the first action of the Management
Server is to disable the Management Server that was installed on the machine with the
Database Firewall.
Installing Oracle Database Firewall and Oracle Database Firewall Management Server
- When the Database Firewall is installed:
  - Oracle Enterprise Linux is installed
  - Oracle Database Firewall is installed
  - Oracle Database Firewall Management Server is installed
  - On first boot, the database is installed
- When the Management Server is installed separately:
  - Oracle Enterprise Linux is installed
  - Oracle Database Firewall Management Server is installed
  - On first boot, the database is installed
  - On configuration, the Management Server disables the Management Server on the Database Firewall machine
Because the Database Firewall and Management Server installations include the Oracle
Enterprise Linux OS installation, installation starts with a boot up of the server machine.
Insert the appropriate CD into the server, and if necessary, set the BIOS to boot from the
CD. Then initiate the boot sequence.
The first CD in both installations transfers control to the OS installation. That is when you
are asked to insert the CD for Oracle Enterprise Linux. Later in the install process, you will
be asked to reinsert Disk 1.

Invoking the Installer
Insert the first disk as appropriate for the component you are installing:
- Oracle Database Firewall:
  - Use the disk labeled Oracle Database Firewall 5.0 Disc 1.
  - This installation includes Oracle Database Firewall and Oracle Database Firewall Management Server software.
- Oracle Database Firewall Management Server:
  - Use the disk labeled Oracle Database Firewall Management Server 5.0.
  - This installation is only required if the Oracle Database Firewall Management Server is to be installed on a separate server from Oracle Database Firewall.

The support OS user is only to be used as directed by Oracle Support. Make sure the
password is strong.

Creating a Password for the support User
- The support user account is an OS user account that is installed as part of Oracle Database Firewall.
- The support user account is to be used only when requested to do so by Oracle Support.

The sys account is familiar to Oracle database administrators. It is the privileged account
that is used for database startup, shutdown, backup, and database patching. An OS user
account named oracle is created on the machine that has the appropriate privileges to
access the sys database account with OS authorization. The oracle user account has an
expired password, so it is disabled for login.
The administration of the database underlying the Database Firewall Server or Management
Server should be done only through the Management Server web interface.

Creating a Password for the sys User
- The sys account is the privileged database account in the Oracle Database.
- The sys password is set during installation.
- The sys user account is used for startup, shutdown, and other administrative actions in the database.

Network device connections are shown with the hardware MAC addresses and basic
configuration information. The first device in the list is assumed to be the device hardware
Network Interface Card (NIC) that will be used by the Management Server.
The Management Server will use one of the network interfaces for the Administration
Console server and communication with the Management Server if it is installed on a
separate machine.
The brx devices link two devices as a bridge. Make sure that the client side device is linked
to the database side device by the same brx device. In a normal Database Firewall
configuration, the clients for a database or set of databases will use the same subnet as the
databases. There is no physical connection between the clients and the database except
through the Database Firewall bridge. This physical configuration allows the Database
Firewall to be configured to monitor the SQL statements as they pass through or to monitor
and block the statements.
Oracle Database Firewall can be configured to have several bridges, but there must be two
NICs for each bridge. The IP addresses are configured later.
If you select a particular device such as eth1, you can change configuration details as
shown in the next slide.

Modifying a Network Device Connection
- Network Devices window displays network device connections.
- Select the network device connection to be used as the Management Link.

At this stage of the installation, you can identify which physical device is mapped to which
ethx device by using the Identify function, which causes the light on the interface to
blink. This is very important in the case of a Database Firewall where there are many
interfaces. You can change the following settings:
- Up: Moves the device up in the list
- Down: Moves the device down in the list
- Identify: Identifies the device for 10 seconds
- Refresh: Refreshes device details in the list of links
Moving the interface up or down changes the ethx that is mapped to the interface, and the
bridge that is mapped to the interface.
Refresh checks the physical link again and changes the Link: field in the header if the
cable has been connected or disconnected.
Note: In the screenshot shown in the slide, the Link field at the top shows no, indicating
the cable is disconnected.

Configuring Network Settings
Settings enable you to map physical ports to the Oracle Database Firewall interfaces and bridges.

When the Database Firewall machine completes the boot up, the Network Settings Console
window appears. In this window, you can change the IP address, network mask and default
gateway address for the management link. Use the arrow keys to select which item to
change, then press return to go to a window that allows you to edit the value. The tab key
moves you out of the edit field, and escape saves and returns to the Network Settings
Console window. This window is available any time in the Administration Console of the
Database Firewall machine. Enter Alt-F1 to display the Network Settings Console.
Note: If you change these settings after configuring the firewall management server, several
other settings will need to be changed as well.
Alt-F2 through Alt-F8 provide access to additional terminal screens. Alt-F9 provides the
messages displayed during start up.

Setting the Management Link IP Address
- The installation process creates an Administration Console on each Oracle Database Firewall and Oracle Database Firewall Management Server.
- The Administration Console IP address is set to a default and can be changed after boot up.

To connect to the Administration Console, enter the following URL in a browser from any
machine that can ping the Database Firewall server:
https://<IP_Address_of_DBFW_Server>/user/login
The name of the Database Firewall server can be used instead of the IP address if the
name is resolved properly.

Logging in to the Oracle Database Firewall Administration Console
You can log in to the Administration Console from any browser on a machine that can ping the Management link IP address.

On the first login to the Administration Console as the admin user, you will be required to
change the password. The default password is admin. The Change Password page gives
you an indication of whether the password is considered strong or weak. A strong password
uses upper and lower case characters, numerals, and special characters, and is at least 8
characters long.
Note: Do not lose the admin user password. This password cannot be reset. The best
practice is to create additional users with administrator privileges and reserve the admin
user account to access the Firewall server as a contingency.

Changing the admin User Account Password
You are prompted to change the default password of the admin user the first time you launch the Administration Console.

The Oracle Database Firewall Analyzer is available only on Windows-based systems. To
install the Analyzer, insert the CD labeled Oracle Database Firewall Utilities 5.0 into the
machine, and execute the OracleDatabaseFirewallAnalyzerInstaller.exe
program file.

Installing Oracle Database Firewall Analyzer
- Install Oracle Database Firewall Analyzer on a Microsoft Windows-based machine.
- Use the disk labeled Oracle Database Firewall Utilities 5.0.
- Install the Firewall Analyzer by double-clicking the OracleDatabaseFirewallAnalyzerInstaller.exe file.

When sizing the server to be used for Oracle Database Firewall, the primary considerations
are:
- Number of enforcement points
- Number of transactions per second
- Level of logging required
The Database Firewall itself uses one core, and each enforcement point uses one core.
Adding more cores beyond 1 + the number of enforcement points does not help.
Disk sizing is very dependent on the logging policy chosen. The logall policy can consume
large amounts of disk space. Typically logall is used only for an initial proof of concept or
testing phase. Log unique uses much less disk space. The amount of space needed will
depend on the ratio of unique to repeated statements.

Oracle Database Firewall Sizing
- Sizing core and memory:
  - Database Firewall requires 1 core and 2 GB of memory.
  - Each enforcement point uses 1 core and 1-2 GB of memory.
  - Enforcement points can share a core.
- Sizing disk:
  - 80 GB is the minimum space required by the installer.
  - Depends on policy:
    - logall: 650 bytes/statement at 1,000 tps = 55 GB/day
    - log unique: Uses less

When sizing the server to be used for Oracle Database Firewall, the primary consideration
is the number of transactions per second (TPS). The number of cores required can be
estimated by allocating one core for overhead, and adding another core for every 5,000
transactions per second monitored by Database Firewall. This number is an estimate for a
mixed database type environment. The TPS varies in a homogeneous environment.
The recommended amount of memory is at least 2 GB, with an additional 1 to 2 GB per
protected database, depending on the level of use: 1 GB for light use, 1.5 GB for medium,
and 2 GB for heavy use. The system will function with less than the recommended memory,
but a larger memory size will improve performance during periods of high throughput.
Disk space is used for temporary storage of log files containing the captured SQL traffic and
associated data. Available disk space should be large enough to retain several days of log
files in case communication between the Database Firewall and the Management Server is
interrupted (for example, link failure between data centers). Normally the log files are
transferred within minutes of creation to the Management Server. Log files are deleted
immediately after the transfer is confirmed.
For more details see the Oracle Database Firewall Size Best Practices technical white
paper at
http://www.oracle.com/technetwork/database/focus-areas/security/wp-database-firewall-sizing-416962.pdf

Oracle Database Firewall Sizing
- Sizing CPU:
  - Allow one core for overhead
  - Allow one core per 5,000 TPS in general
- Sizing memory:
  - 2 GB of memory (minimum)
  - 1-2 GB per protected database based on use level
- Sizing disk:
  - 80 GB is the minimum space required by the installer.
  - Depends on logging level:
    - 100 GB minimum
    - 300 GB recommended

The volume of transactions logged will be the primary influence on the specification of the
Management Server.
The Management Server can operate on one core. It is recommended that two to eight
cores be available, depending primarily on the amount of data being logged and the number
and size of reports being generated. The number of databases being protected should be
considered as a secondary factor.
The minimum recommendation for memory is 2 GB. Memory should be increased up to 8
GB for systems with heavy loads.
Disk sizing is very dependent on the logging policy chosen. With an assumption that one
statement requires 1000 bytes of storage after binary logging, summarization, reporting and
compression, a load of 1000 tps with the log all policy requires 85 GB per day of storage.
That is approximately 1 TB every 12 days. The log all policy can consume large amounts of
disk space. Typically the log all policy is used only for an initial proof of concept or during
the testing phase. Log unique uses much less disk space. The amount of space needed will
depend on the ratio of unique to repeated statements. Log unique only logs one sample of a
statement with the same source IP address, database username, operating system
username, and client program name per hour.

Oracle Database Firewall Management Server Sizing
- Sizing CPU:
  - 2 cores (recommended minimum)
- Sizing memory:
  - 2 GB of memory (recommended minimum)
- Sizing disk:
  - Depends on policy
    - logall: 1000 bytes/statement at 1,000 tps = 85 GB/day
    - log unique: Much better

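The sizing rules from the last three slides, worked through as an added Python example (not part of the Oracle course material): it applies the one-core-per-5,000-TPS, memory-per-database and bytes-per-statement figures quoted above, and models log unique as one sample per statement, source IP address, database username, OS username and client program per hour. Matching statements by exact text, the `outage_days` planning input and the constructed traffic are assumptions of this example.

```python
import math

SECONDS_PER_DAY = 86_400
FIREWALL_BYTES_PER_STMT = 650   # Database Firewall, logall (figure from the slide)
MGMT_BYTES_PER_STMT = 1000      # Management Server, log all (figure from the notes)
MEM_PER_DB_GB = {"light": 1.0, "medium": 1.5, "heavy": 2.0}  # per protected database


def logall_gb_per_day(tps, bytes_per_stmt):
    """Decimal GB written per day when every statement is logged."""
    return tps * bytes_per_stmt * SECONDS_PER_DAY / 1e9


def firewall_estimate(tps, db_use_levels, outage_days):
    """Cores, memory and local log disk for one Database Firewall.

    db_use_levels: one of "light"/"medium"/"heavy" per protected database.
    outage_days:   days of logs to hold locally if the link to the
                   Management Server is down (assumed planning input).
    """
    per_day = logall_gb_per_day(tps, FIREWALL_BYTES_PER_STMT)
    return {
        "cores": 1 + math.ceil(tps / 5000),   # 1 for overhead + 1 per 5,000 TPS
        "memory_gb": 2 + sum(MEM_PER_DB_GB[level] for level in db_use_levels),
        "log_gb_per_day": per_day,
        "log_gb_for_outage": per_day * outage_days,
    }


def log_unique(events):
    """Keep the first event per (hour, source IP, DB user, OS user, program, statement).

    Each event is (epoch_seconds, src_ip, db_user, os_user, program, statement).
    Statements are compared by exact text, which is an assumption of this example.
    """
    kept = {}
    for event in events:
        ts, src_ip, db_user, os_user, program, stmt = event
        key = (ts // 3600, src_ip, db_user, os_user, program, stmt)
        kept.setdefault(key, event)   # later repeats in the same hour are dropped
    return list(kept.values())


def constructed_traffic():
    """Two hours of constructed traffic (not captured from any real system)."""
    events = []
    for ts in range(0, 7200, 5):      # application query every 5 seconds
        events.append((ts, "192.0.2.10", "appuser", "tomcat", "JDBC Thin Client",
                       "SELECT name FROM customers WHERE id = :1"))
    for ts in range(0, 7200, 600):    # report query every 10 minutes
        events.append((ts, "192.0.2.10", "appuser", "tomcat", "JDBC Thin Client",
                       "SELECT COUNT(*) FROM orders"))
    # One ad hoc statement from a different user, host and client program
    events.append((4000, "192.0.2.55", "system", "jsmith", "sqlplus.exe",
                   "SELECT * FROM customers"))
    return events


def compare_policies(events, bytes_per_stmt=MGMT_BYTES_PER_STMT):
    """Return (logall_bytes, log_unique_bytes) for the same traffic."""
    return len(events) * bytes_per_stmt, len(log_unique(events)) * bytes_per_stmt


if __name__ == "__main__":
    print(firewall_estimate(1000, ["medium"], outage_days=3))
    print("Management Server logall GB/day:",
          logall_gb_per_day(1000, MGMT_BYTES_PER_STMT))
    print("logall vs log unique bytes:", compare_policies(constructed_traffic()))
```

At 1,000 tps the raw products are 56.16 GB/day and 86.4 GB/day, close to the 55 GB/day and 85 GB/day quoted on the slides. The ad hoc statement survives log unique sampling because its source, users and client program differ from the application traffic.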
Summary
In this lesson, you should have learned how to:
- Install and deploy Oracle Database Firewall
- Install and deploy Oracle Database Firewall Management Server
- Install Oracle Database Firewall Analyzer

In this practice, you will review a viewlet showing the installation of Oracle Database
Firewall in a stand-alone configuration.
The installation of Oracle Database Firewall is shown in a viewlet, as the actual time to
install can take 1-2 hours depending on the hardware.

Practice 2-1 Overview: Installing Oracle Database Firewall
This practice covers installing Oracle Database Firewall in a stand-alone configuration.

In this practice, you will perform the first login to the Database Firewall Management
Console and change the admin user password.

Practice 2-2 Overview: Changing the admin User Password
This practice covers changing the admin user password.

In this practice, you perform an installation of the Oracle Database Firewall Analyzer on the
Windows host system.

Practice 2-3 Overview: Installing the Oracle Database Firewall Analyzer
This practice covers installing Oracle Database Firewall Analyzer.

Answer: e
All except E are required. The recommended size of disk space for logs is 300 GB. This is
not required for installation. 80 GB of disk space is required for installation.

Quiz
Which of the following is not true when the Oracle Database Firewall is installed?
a. The existing disks are reformatted.
b. The Oracle Linux operating system is installed first.
c. An Oracle database is installed on first boot.
d. A minimum of three network interfaces is required.
e. 500 GB of disk space is required for logs.

Configuring Oracle Database Firewall
Objectives
After completing this lesson, you should be able to do the following:
- Configure settings for a stand-alone Oracle Database Firewall
- Configure enforcement points
- Configure settings for an Oracle Database Firewall Management Server
- Create an Oracle Database Firewall user
- Configure email alerts for third-party connectors

The Oracle Database Firewall is configured through a web interface. The tasks listed on the
slide can all be performed in the Administration Console when the Oracle Database Firewall
is installed with the Management Server on a single server. Access the Administration
Console using the https://ip_address/user/login URL where ip_address is the IP address of
the Database Firewall server. This is the same IP address that is set for the management link
as shown in the lesson titled Deploying Oracle Database Firewall.
To verify the configuration there must be some SQL traffic.

Configuring a Stand-Alone Oracle Database Firewall
1. Set the date and time.
2. Specify the Network Time Protocol (NTP) time server.
3. Specify the network settings.
4. Enable securelog access for using other reporting tools.
5. Configure syslog destinations and forwarding of syslog messages.
6. Configure enforcement points.
7. Configure the bridge IP address for blocking and local monitoring.
8. Verify your configuration.

When the Management Server is on a physically separate server, the tasks are divided
between the Management Server and the Database Firewall. The first set of tasks is
performed on the Management Server and the second set is performed on each Database
Firewall server. Access to both is through a web interface using the
https://ip_address/user/login URL where ip_address is the IP address of either the
Management Server or the Database Firewall server.
It is important that the time setting be the same on all the servers, to allow the correlation of
events in the log file. The simplest method is to use a network time protocol server.

Configuring an Oracle Database Firewall Management Server System
1. Perform the following initial tasks on each Management Server:
   A. Specify system settings.
   B. Enable secure log access.
   C. Set the date and time.
   D. Specify the NTP time server.
   E. Configure syslog destinations and syslog forwarding.
2. Perform the following tasks on each Oracle Database Firewall:
   A. Configure time settings.
   B. Change the IP address or specify IP address of the gateway and DNS servers.
   C. Specify the Management Server certificate and IP address.

Step 3 is optional. Perform these tasks if you are configuring a high availability (HA) set of
servers. Configure the primary and secondary Management Servers. Add the Database
Firewall servers. Define which Database Firewall servers are paired.
In the system where the Management Server is separate from the Database Firewall, the
enforcement points are configured in the Management Server. In an HA configuration, the
enforcement points are configured on the primary Management Server.

Configuring an Oracle Database Firewall Management Server System
3. Perform the following final tasks on each Management Server:
   A. For a resilient pair of Management Servers, specify partner settings.
   B. Add each Database Firewall.
   C. Optionally, define a resilient pair of Database Firewalls.
4. Configure enforcement points.
5. Verify the configuration.

An enforcement point is an Oracle Database Firewall container that stores the settings that
enforce the Database Firewall policies that you create. The enforcement point takes the SQL
statements collected from the network traffic and decides how to handle them. In other words, the
enforcement point defines the relationship between the database and the policy.
An enforcement point has a name and is applied to a database type (product line). Each
database is defined by its IP address and port number. A server name may be used instead
of an IP address if Domain Name Services (DNS) is enabled. You can have multiple
databases configured to use one enforcement point, but they must be of the same product
line, for example Oracle Database.
An enforcement point may have one or more compliance settings. The generated reports will
base their settings on the compliance settings. The compliance types are:
- SOX: Sarbanes-Oxley Act compliance
- PCI: Payment Card Industry compliance
- DPA: Data Protection Act compliance
- GLBA: Gramm-Leach-Bliley Act compliance
- HIPAA: Health Insurance Portability and Accountability Act compliance

Creating an Enforcement Point
An enforcement point is a container holding:
- A list of protected databases
- Compliance settings
- Operational mode:
  - Database Activity Monitoring (DAM)
  - Database Policy Enforcement (DPE)
- Policy information
  - Built-in policies for monitoring
  - Custom policies

The operational mode determines the behavior of the enforcement point. If the enforcement
point is to be used only to log statements and provide warnings of potential attacks,
select Database Activity Monitoring (DAM). If the enforcement point is also required to block
potential attacks, use Database Policy Enforcement (DPE). DPE is available only if you set a
policy. Each policy is specific to a database product line. An enforcement point can only have
a single policy, but that policy can be applied to multiple databases from the same database
product line.
By default, no policy is enforced, even if the DPE mode is specified.
The built-in policies provide several options for collecting SQL to be used to create a policy.
The default logging policy set in the Enforcement Point Wizard is passall.dna which does no
logging. If this is the first time you are creating a policy, then it is recommended that you
select the unique.dna policy.
Note: In this course, the logall policy is used to provide more log data with less workload.
Custom policies are created by using the Database Firewall Analyzer software and then they
are uploaded.
The network bridge is not enabled by default, and it is assigned a default IP address on
installation that may not be appropriate for the site configuration.
For each subnet that is being protected by the Database Firewall, there will be a bridge
connecting two network interfaces. The IP address of the bridge must be in the same subnet
as the two network segments that it connects.
In the practice environment, the client IP address is 192.168.36.1, the database IP address is
192.168.36.203, the subnet mask is 255.255.255.0, and the bridge address must be
192.168.36.x where x is a value between 1 and 255. The value we chose for the bridge
address is 192.168.36.220.
You can set this value and enable the bridge. Click the List button under the Traffic sources
section in the Monitoring tab to display the page shown in the slide.
Click the Name of the network to change the IP address or mask of the bridge.
Enable Network Bridge
To use DPE mode, the Network Bridge must:
- Have the correct IP address
- Be enabled
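The bridge addressing rule above can be checked before the value is typed into the console. The following is an added example, not part of the course material: the function name check_bridge is hypothetical, the addresses are the practice-environment values given in the notes, and the checks for the network and broadcast addresses are standard IPv4 rules added here.

```python
import ipaddress

# Addresses from the practice environment described in the notes above.
PRACTICE_ENDPOINTS = {"client": "192.168.36.1", "database": "192.168.36.203"}
PRACTICE_MASK = "255.255.255.0"


def check_bridge(bridge_ip, mask, endpoints):
    """Return a list of problems with a proposed bridge address (empty list = usable).

    check_bridge is a hypothetical helper for this example, not a product API.
    """
    iface = ipaddress.ip_interface(f"{bridge_ip}/{mask}")
    net, addr = iface.network, iface.ip
    problems = []
    for name, ip in endpoints.items():
        endpoint = ipaddress.ip_address(ip)
        if endpoint not in net:
            # The bridge must share a subnet with both segments it connects.
            problems.append(f"{name} {ip} is not in the bridge subnet {net}")
        elif endpoint == addr:
            problems.append(f"bridge address is already used by the {name}")
    # Standard IPv4 rule: the first and last address of a subnet are not host addresses.
    if addr == net.network_address:
        problems.append(f"{addr} is the network address of {net}")
    if addr == net.broadcast_address:
        problems.append(f"{addr} is the broadcast address of {net}")
    return problems


if __name__ == "__main__":
    for candidate in ("192.168.36.220", "192.168.36.203", "192.168.37.220"):
        print(candidate, check_bridge(candidate, PRACTICE_MASK, PRACTICE_ENDPOINTS) or "OK")
```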
There are two operational modes for Oracle Database Firewall: Database activity monitoring
(DAM) and Database policy enforcement (DPE).
DAM mode only monitors the SQL activity and does not block any SQL statements. In DAM
mode, the Database Firewall makes a copy of the SQL statement then applies the policy.
Potential attack warnings can be generated in DAM mode. You will use the Firewall Analyzer
to develop a policy that specifies which statements to allow. Any statement that does not
match the policy will generate a warning, but will be passed through to the database. When a
new policy is put in place, it is recommended that the policy be used in DAM mode for a while
to be sure that all normal SQL activity will be allowed and then change the operational mode
to enforce the policy. This mode is also used to monitor for compliance.
DPE mode monitors the SQL activity and the Database Firewall will block SQL statements as
specified in the policy. In DPE mode, the Database Firewall examines each SQL statement
coming through the Database Firewall, applies the policy and then forwards it to the database.
Potential attack blocking can be enforced by developing a policy and setting the operational
mode to database policy enforcement (DPE). In this mode, SQL statements will be blocked.
Using the Firewall Analyzer to create the policy, you can categorize the statements into
groups, and then assign actions to these groups. The actions specify which groups of
statements should be passed through and which should be blocked.
For both modes, the level of logging is specified as part of the policy.
Oracle Database Firewall Operational Modes
Operational Mode: Database activity monitoring (DAM) (also known as monitoring mode)
Description: The system detects and logs unusual activity. It produces warnings, but does not block potential threats. Can be implemented in-line or out-of-line.
Operational Mode: Database policy enforcement (DPE) (also known as blocking mode)
Description: The system detects and logs unusual activity. It produces warnings and blocks potential attacks. Must be in-line.
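The difference between the two modes, and the advice to run a new policy in DAM mode before enforcing it, can be shown with a small model. This is an added example, not Oracle code: the action names pass, warn and block, the cluster labels, and the functions enforce and dpe_readiness are hypothetical, and the sample observations are constructed.

```python
DAM, DPE = "DAM", "DPE"
ACTIONS = ("pass", "warn", "block")  # hypothetical action names for this model


def enforce(mode, policy, default_action, cluster):
    """Decide what happens to one statement, identified here by its cluster label.

    policy maps cluster label -> action; statements that match no cluster
    fall through to default_action.
    """
    action = policy.get(cluster, default_action)
    if action not in ACTIONS:
        raise ValueError(f"unknown action: {action}")
    return {
        "action": action,
        # Only DPE can stop a statement; DAM works on a copy and never blocks.
        "forwarded": not (action == "block" and mode == DPE),
        # In DAM mode a block action can only surface as a warning.
        "warning": action in ("warn", "block"),
    }


def dpe_readiness(policy, default_action, observed):
    """Return {cluster: count} of known-good statements that DPE would block.

    observed is a list of (cluster, known_good) pairs reviewed during the
    DAM period. An empty result means switching to DPE blocks no normal traffic.
    """
    would_break = {}
    for cluster, known_good in observed:
        result = enforce(DPE, policy, default_action, cluster)
        if known_good and not result["forwarded"]:
            would_break[cluster] = would_break.get(cluster, 0) + 1
    return would_break


# Constructed white-list style policy: unmatched statements default to block.
SAMPLE_POLICY = {
    "select emp by id": "pass",
    "update emp salary": "warn",
    "drop table": "block",
}
# Constructed DAM-period observations: (cluster label, reviewed as normal activity?)
SAMPLE_OBSERVED = [
    ("select emp by id", True),
    ("select emp by id", True),
    ("update emp salary", True),
    ("monthly payroll report", True),  # legitimate, but missing from the policy
    ("drop table", False),
]

if __name__ == "__main__":
    for mode in (DAM, DPE):
        print(mode, enforce(mode, SAMPLE_POLICY, "block", "drop table"))
    print("would break under DPE:", dpe_readiness(SAMPLE_POLICY, "block", SAMPLE_OBSERVED))
```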
In the Database Firewall there is a set of built-in policies. These policies only contain rules for
logging. Each of these built-in policies specifies a different level of logging. The
passall.dna policy indicates that no logging is performed. The unique.dna policy
indicates all statements that have a unique combination of cluster, source IP address, and
user name within the last hour are logged. The logall.dna policy logs all SQL traffic.
Audit logging can be implemented by setting the operational mode to Database Activity
Monitoring (DAM) and choosing a built-in policy. In this mode, logging of SQL activity will
occur but no statements will be blocked. The log files can be reviewed and analyzed for
normal and abnormal activity.
Oracle Database Firewall Logging
- Oracle Database Firewall can perform targeted logging to minimize the use of storage for logs
- Logging rules are stored in a policy
- Use Oracle Database Firewall log information to:
  - Monitor the system and generate reports
  - Compare with the data used to create a policy
  - Perform forensic analysis for audit and compliance purposes
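The effect of the three built-in logging levels on log volume can be seen by replaying the same traffic under each policy. This is an added example, not the product's implementation: cluster_key is a regex approximation of a cluster (the product uses grammar-based analysis), the unique.dna rule is modelled as "log when the same cluster, source IP address and user name has not been logged in the last hour", and the traffic is constructed.

```python
import re
from datetime import datetime, timedelta


def cluster_key(sql):
    """Crude stand-in for a cluster: replace literals, fold case and whitespace.

    Assumption for this example only; it is not the Analyzer's algorithm.
    """
    sql = re.sub(r"'(?:[^']|'')*'", "?", sql)      # string literals
    sql = re.sub(r"\b\d+(?:\.\d+)?\b", "?", sql)   # numeric literals
    return re.sub(r"\s+", " ", sql).strip().lower()


def statements_logged(policy, traffic, window=timedelta(hours=1)):
    """Return the traffic entries that the named built-in policy would log.

    traffic is a time-ordered list of (timestamp, source_ip, user, sql).
    """
    if policy == "passall.dna":
        return []                      # pass everything, log nothing
    if policy == "logall.dna":
        return list(traffic)           # log every statement
    if policy != "unique.dna":
        raise ValueError(f"policy not modelled: {policy}")
    last_logged = {}                   # (cluster, ip, user) -> time last logged
    logged = []
    for entry in traffic:
        ts, src_ip, user, sql = entry
        key = (cluster_key(sql), src_ip, user)
        previous = last_logged.get(key)
        if previous is None or ts - previous >= window:
            last_logged[key] = ts
            logged.append(entry)
    return logged


# Constructed sample traffic (not taken from a real traffic log).
T0 = datetime(2011, 8, 1, 9, 0, 0)
SAMPLE_TRAFFIC = [
    (T0,                         "192.168.36.1",  "hr",    "SELECT * FROM emp WHERE id = 10"),
    (T0 + timedelta(minutes=1),  "192.168.36.1",  "hr",    "SELECT * FROM emp WHERE id = 42"),
    (T0 + timedelta(minutes=2),  "192.168.36.1",  "scott", "SELECT * FROM emp WHERE id = 7"),
    (T0 + timedelta(minutes=3),  "192.168.36.1",  "hr",    "select * from emp where name = 'O''Brien'"),
    (T0 + timedelta(minutes=4),  "192.168.36.50", "hr",    "SELECT * FROM emp WHERE id = 99"),
    (T0 + timedelta(minutes=61), "192.168.36.1",  "hr",    "SELECT * FROM emp WHERE id = 11"),
]

if __name__ == "__main__":
    for name in ("passall.dna", "unique.dna", "logall.dna"):
        print(name, len(statements_logged(name, SAMPLE_TRAFFIC)), "statements logged")
```

In the sample, the second statement differs from the first only in a literal value, so unique.dna skips it; the last statement repeats the same combination more than an hour later and is logged again.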
The Database Firewall creates three types of logs:
Traffic Log: Stores all SQL statements and database login and logout events that the policy
requires.
Each logged statement and event can include a set of attributes that provide additional
information about the originator, including:
- The database user login name
- The IP address of the database client
- The user's operating system login name
- The name of the client program
If the information about the originator is not available from the SQL traffic directly, a direct
database interrogation (DDI) feature enables a Database Firewall to query the database to
obtain the information. DDI can be enabled or disabled as required. DDI can only be used
with Microsoft SQL Server and Sybase SQL Anywhere.
Refer to the Oracle Database Firewall Administration Guide for further information.
Oracle Database Firewall Logs
Log: Description
Traffic: All SQL statements, database login, and logout events required by the policy.
Event: System events not directly related to the Oracle Database Firewall software.
Administration: Login ID of any user that changes configurations for system actions in the Administration Console.
In addition, you can enable a database response monitoring feature, which stores all
responses that the protected database makes to SQL statements and login and logout
requests, in the traffic log.
Event Log: Stores system events that are not directly related to the Database Firewall
software, such as operating system warnings.
Administration Log: Stores the login ID of any user who changes configurations for system
actions such as shutdowns, restarts, and policy uploads, in the Administration Console.
The default administrator user name is admin (lower case). This user is defined in the
Administration Console, not on the operating system so it can only be used through the
Administration Console interface. For better security and separation of duties, it is
recommended that you reserve the admin user account as a back-up user account, and
create a separate administrative account for one or more existing users for day-to-day
operations. This provides you with a back-up administrative user account if the primary
administrator is not available.
You can use the Users menu of the System page to create, list, and edit Administration
Console user accounts. A valid user name and password must be provided when the
Administration Console is started, or when a user of the Firewall Analyzer software connects
using Train on Log Data or Test with Log Data.
You can create users in both stand-alone and managed Database Firewalls, and in the
Management Server. These user accounts are local to each system, even after you have
configured a Database Firewall to connect to a Management Server.
Creating System Administrator Users
- The default system administrator user is admin.
- Create new administrator users to improve security and provide separation of duties.
- Users can be created in stand-alone and managed Database Firewalls.
- Users can be created in Management Servers.
- Users are local to each system.
For a stand-alone Database Firewall, in which both the Database Firewall and the
Management Server are on the same server, the administrator user can perform all functions.
However, if the Database Firewall is on a server separate from the Management Server, after
you connect the Management Server to this Database Firewall, the administrator functions
change. Example:
- Database Firewall administrator: Can only change network settings, view network traffic, remove the Database Firewall from the Management Server, and similar tasks specific to the current Database Firewall
- Management Server administrator: Can create and manage enforcement points, configure policies, run reports, archive, and so on
For all of the user account options, you can create as many users as your site requires.
To ensure full traceability of system changes, the administration log stores the login ID of any
person who makes a change from the Administration Console. Having separate
Administration Console accounts enables you to easily track users who make changes to the
Database Firewall system in this log.
Understanding System Administrator Capabilities
Capabilities of the system administrator vary based on the deployment:
- Stand-Alone Database Firewall: System administrator user can perform all functions
- Management Server System (Managed Database Firewall):
  - Database Firewall: System administrator user can only change network settings, view network traffic, remove the Database Firewall from the Management Server, perform tasks specific to the Database Firewall
  - Management Server: System administrator user can create and manage enforcement points, configure policies, create reports, archive data
In the Administration Console, click the System tab, and then click Add User. On the Add
User page, you will enter the username, the name of the user, email address, role, and
password.
The user role provides a way to enforce separation of duties with three separate roles.
The system administrator has full privileges in the Administration Console.
View-only users have privileges to change their password, view log data, and connect from
the Firewall Analyzer.
Log administrators have all the view-only user privileges and can run archive and restore
jobs.
Creating a New User
- Use the Administration Console to create a new user
- Grant a user role:
  - System Administrator: Full access to all options in the Administration Console and connect from the Firewall Analyzer
  - View-only User: View log data, change his/her password, and connect from the Firewall Analyzer
  - Log Administrator: View log data, change his/her password, run archive and restore jobs, connect from the Firewall Analyzer
Setting a password policy is strongly recommended. The password policy is set on the User
Security Settings page. Access the Security menu item under Users to navigate to the User
Security Settings. On this page, you can require the use of strong passwords and set the
required password length, the password expiration time in days, and whether the user can ever
reuse a previously used password.
Creating Password Policies
- Create password policies to enforce strong passwords.
- Password policy applies to all users managed by the Database Firewall.
To use email alerts, you must first configure a destination mail server where the alert will be
sent. A server using Simple Mail Transfer Protocol (SMTP) is required. This server is typically
on another machine. Go to the System tab and select Email Configuration as shown on the
slide.
The email configuration page allows you to configure the name and address of the mail
server, and the user that is sending the mail.
Configure Email Server
Select Email Configuration in
the System menu.
The recipients of email alerts can be configured after the SMTP server has been configured.
Specify the email addresses of the recipients, separated by a space or tab, or each on a new
line.
Configuring Email Alerts for Third-Party Connectors
Summary
In this lesson, you should have learned how to:
- Configure settings for a stand-alone Oracle Database Firewall
- Configure enforcement points
- Configure settings for an Oracle Database Firewall Management Server
- Create an Oracle Database Firewall user
- Configure email alerts for third-party connectors
In this practice, you will set the time for the management console. The time setting is used to
record the time of logged events, so the correct time is important for interpreting the logs
correctly.
Practice 3-1 Overview:
Setting the Date and Time
This practice covers setting the date and time.
In this practice, you will set an enforcement point for the DB01 database.
Practice 3-2 Overview:
Configuring Enforcement Points
This practice covers the following topics:
Configuring the EP_DB01 enforcement point
Setting the initial policy
In this practice, you will add yourself as a new System Administrator user.
Practice 3-3 Overview:
Creating a New System Administrator User
This practice covers creating a new system administrator user.
In this practice, you configure a connector to send emails to a mail server.
Practice 3-4: Configuring Email Alerts
This practice covers configuring an email connector.
Answer: c
With the unique.dna policy, there will be a minimum amount of logging. The operational mode
is not relevant as this is a monitoring-only policy.
Quiz
An enforcement point can have one of two operational modes
and a choice of several logging policies. Which mode and
policy would you initially choose so that you could get a list of
each type of SQL statement, but not interfere with the
application, with a minimum use of log space?
a. Database policy enforcement (DPE) with logall-nomask.dna
b. Database activity monitoring (DAM) with passall.dna
c. Database policy enforcement (DPE) with unique.dna
d. Database activity monitoring (DAM) with logall.dna
Configuring Policies
Objectives
After completing this lesson, you should be able to do the following:
- Describe the security model and policy enforcement
- Supply logged data to the Firewall Analyzer
- Supply SQL statement files to the Firewall Analyzer
- Create a new model
- Create a policy
- Deploy a policy
An Oracle Database Firewall cluster is a set of semantically similar SQL statements that is
created when the Oracle Database Firewall Analyzer reads logged SQL statements, either to
create a model or when testing against new logged SQL data. The Analyzer uses its built-in
knowledge of the SQL syntax to categorize the SQL statements into semantic clusters.
SQL statements are processed using a powerful grammar-based analysis engine that
decomposes and categorizes the SQL. In addition to looking at the SQL statement, policies
can evaluate factors such as IP address, time, and program name.
Oracle Database Firewall monitors data access, enforces access policies, highlights
anomalies, and helps protect against network-based attacks originating from outside or inside.
Oracle Database Firewall Policy Enforcement
Oracle Database Firewall policy enforcement architecture provides:
- Performance and scalability: Millions of statements can be simplified into a small number of SQL characteristics or clusters
- High level of accuracy: SQL grammar-based analysis to enforce normal activity
- Flexible enforcement:
  - Statements can be blocked
  - Statements can be passed and an alert generated
  - Another SQL statement can be substituted for the statement
  - Statements can be logged only
Policy enforcement flow is key to understanding which statements will be matched and which
will not. If a statement is matched, then an action can be taken. If it is not matched, then
default rules determine the action taken by the Database Firewall.
Note: You may want to bookmark this page for future reference.
Policy Enforcement Flow
[Figure: flowchart for a SQL connection. Stages shown: Exception Factors; Session Profile 1, Session Profile 2, and Background; Novelty Policies; Default Rule. The matching stages are labeled "If YES (match), then EXIT"; the Default Rule is labeled "Apply rule, then EXIT".]
Oracle Database Firewall supports white list and blacklist based policies.
A white list is a set of approved SQL statements. SQL traffic is compared with the white list.
Based upon the policy, Database Firewall alerts, blocks, or substitutes a statement for the
SQL statement.
A blacklist is used to block specific SQL statements.
Note: There is nothing in the Oracle Database Firewall product that refers to white list or
blacklist. Whether it is a white list or a blacklist depends upon how you configure the policy.
Configuring Policies
Policies are easily configured by using:
- White list for positive security enforcement
  - Can be automatically generated for any application
  - Allowed behavior can be defined for any user or application
  - Transactions that do not match the policy are rejected
- Blacklist for negative security enforcement
  - Stop unwanted transactions, users or schema access
  - Prevent privilege or role escalation and illegal access to sensitive data by using factors
  - Selectively block any part of transaction in context to your business and security goals
Oracle Database Firewall includes the policies listed on the slide as part of the product
installation.
Note: You must select a policy when you define an enforcement point.
Oracle Database Firewall Preconfigured Policies
Policy: Description
logall-nomask.dna: Log all statements for offline analysis without masking data
logall.dna: Log all statements for offline analysis
logsample.dna: Log a sample of statements for offline analysis
passall.dna: Pass all statements and log none
unique-nomask.dna: Log examples of statements for offline analysis covering each distinct source of traffic in the statements
unique.dna: Log examples of statements for offline analysis covering each distinct source of traffic
A policy file is a configuration file that is used by Oracle Database Firewall to determine the
threat severity, action level, and logging level it should use for each SQL statement
encountered.
You can use the Oracle Database Firewall Analyzer to create an initial policy file by
monitoring database traffic. This set of logged SQL statements provides a model of operation
and is input to the policy creation. There is the possibility that some of the traffic that is
collected is not normal or acceptable.
A policy may be generated from a train file or server trace file. A train file is a manually
generated text file for an Oracle Database. A server trace file is generated by a Microsoft SQL
Server database.
After the model is generated, you can customize the policy file for your site-specific
requirements.
Detailed information on this process is provided in this lesson.
Creating Policy Files
- Policy file: A set of rules that the Database Firewall uses when it monitors SQL traffic.
- Use the Oracle Database Firewall Analyzer to create an initial policy file from SQL statements logged while monitoring database traffic.
- A set of logged SQL statements provides a model of expected operation.
- A policy file can be generated from a train file or a server trace file.
For the Oracle Database Firewall to be effective, you can supply logged data or SQL
statement files via a model to enable the Database Firewall Analyzer to understand the typical
use of the database.
Once the model is supplied and a policy is defined, you use the Administration Console to
upload the policy to the Database Firewall Management Server. After the policy is uploaded,
you can enable the policy for a defined enforcement point.
Additional information on each of these steps is provided in this lesson.
Custom Policy Development Overview
1. Enable the Oracle Database Firewall Analyzer to
understand typical database usage by supplying logged
data or SQL statement files via a model.
2. Use the Oracle Database Firewall Analyzer to create and
save the policy.
3. Use the Administration Console to upload the policy to the
Database Firewall Management Server and enable the
policy for an enforcement point.
4. Refine the policy.
To develop an effective policy, Oracle Database Firewall must understand the typical or
normal SQL statements that are part of the applications. Prior to developing a policy, you
can provide data to the Oracle Database Firewall Analyzer from logged data or SQL
statement files. This data is supplied via a model. Additional information about models
follows.
The logged data can come from any level of logging. By using the unique.dna policy, the
Database Firewall captures only the statements that are different, thus reducing the size of
the log files.
Enabling the Firewall Analyzer to Understand Database Usage
To enable the Oracle Database Firewall Analyzer to understand the normal ways that client applications use the database:
- Supply logged data via a Train on Log Data model
  - Directly from the traffic log of Database Firewall
  - Place the Database Firewall in Log Unique Mode by selecting unique.dna as the initial policy
- Supply SQL statement files via a Train on File model
  - Via a text file
  - From a Microsoft SQL Server trace file
A model stores all the data used to develop a policy, including properties and analysis data.
The model is stored in two files as described on the slide.
When you create a model, you can specify that the model is created by training on logged
data or by training on a SQL statement file. Training on logged data means that the data is
obtained directly from the traffic log of Database Firewall. This is the recommended way to
supply data for the model. Training on a SQL statement file requires that a text file
containing a list of SQL statements be created and supplied to Database Firewall. For
Microsoft SQL Server only, you can also supply a binary log file containing a list of SQL
statements.
After you create the model, analyze the data to refine the policy.
Creating a New Model
- Model:
  - File that stores logged data or SQL statement files used to create a policy
  - Stores all data used to develop a policy, including properties and analysis data
- Create a model from:
  - Training on logged data
  - Training on a SQL statement file
- Two files are created:
  - filename.smdl
  - filename.smdl_data
To create a new model, launch the Oracle Database Firewall Analyzer and click Create a
New Model from Training. To create a model based on logged data, select Train on Log
Data and click Change. Specify the database where the statements were executed and the
time range for the logged data.
Creating a Model from Training
Use the Oracle Database Firewall Analyzer to create a new
model from training:
After determining which statements you want to include in your policy, use the Details or
Baseline tab to set the cluster properties:
Action
- Unassigned: No specific action has been set. The policy will pass any statements
that match an existing cluster that has an Unassigned action level. The
unassigned statements will then use any action that is provided by the default rule.
- Block: The policy will block all statements that match the cluster.
- Warn: The policy will generate a warning for all statements that match the cluster.
This status can be displayed in the Administration Console and generates a syslog
message.
- Pass: The policy will allow all statements that match the cluster.
Logging Level
- Unassigned: No specific logging level has been set. The policy will not log any
statements that match an existing cluster that has an Unassigned logging level.
- Never: Never logs statements that match the cluster.
Setting Properties for Clusters
Use the Details or Baseline tab to set the following properties for each cluster in the model:
- Action: Permits, blocks, or generates warning when it encounters a statement that matches the cluster
- Logging Level: Logs, logs all statements, logs statements that have a unique combination of cluster, source IP address, database username, operating system username, and client program name.
- Threat Severity: Anticipated threat from statements in the cluster. Threat severity is logged when a statement is logged.
- Sample: Logs only a sample of statements. The default sample frequency is 10,
and is set up in the Administration Console. For example, if the frequency is 10,
then a statement that matches a sample-logged cluster is logged on its first
occurrence. Thereafter, there must be a further 10 statements that are exactly the
same as the original for the statement to be logged again.
- Always: Logs all statements that match the cluster.
- Unique: Logs all statements that have a unique combination of cluster, source IP
address, and user name within the last hour. Therefore, a statement is not logged
if all three of these attributes match those of an existing statement that has been
logged in the past hour. The statement is logged only if at least one of these
attributes is different.
If the user name is not known, the policy will log the statement, providing there is
no other logged statement that belongs to the same cluster, has the same source
IP address and has no associated user name.
This logging level is recommended for policy development because it provides an
effective sample of traffic without having to log all statements.
Threat Severity: Each cluster can have an optionally-assigned threat severity. There
are six threat severity levels, ranging from Unassigned to Catastrophic (threat severity
5). When Oracle Database Firewall logs a statement, the threat severity of the statement
is also logged. Third-party reports and syslog can be used to display statements based
on the logged threat severity.
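The Sample and Unique logging levels described above can be modelled in a few lines. The following is an added example, not Oracle code: the class and function names are hypothetical, "a further 10 statements" is read as logging the 1st, 11th, 21st identical statement, and Unique is keyed on the three attributes named in the notes (cluster, source IP address, user name), with an unknown user name treated as its own value.

```python
from dataclasses import dataclass, field

UNIQUE_WINDOW_SECONDS = 3600  # "within the last hour"


@dataclass
class LoggingDecider:
    """Decides whether a statement that matched a cluster is written to the log."""
    sample_frequency: int = 10  # default sample frequency given in the notes
    # (cluster, exact SQL text) -> identical statements seen since the last logged one
    sample_counts: dict = field(default_factory=dict, init=False)
    # (cluster, source IP, user name or None) -> time the combination was last logged
    unique_logged_at: dict = field(default_factory=dict, init=False)

    def should_log(self, level, cluster, sql, source_ip, user, now):
        if level in ("Unassigned", "Never"):
            return False
        if level == "Always":
            return True
        if level == "Sample":
            key = (cluster, sql)
            if key not in self.sample_counts:
                self.sample_counts[key] = 0       # first occurrence is always logged
                return True
            self.sample_counts[key] += 1
            if self.sample_counts[key] >= self.sample_frequency:
                self.sample_counts[key] = 0       # start counting the next batch
                return True
            return False
        if level == "Unique":
            key = (cluster, source_ip, user)      # user is None when not known
            last = self.unique_logged_at.get(key)
            if last is not None and now - last < UNIQUE_WINDOW_SECONDS:
                return False                      # same triple logged in the past hour
            self.unique_logged_at[key] = now
            return True
        raise ValueError(f"unknown logging level: {level}")


def sample_demo():
    """Feed 21 identical statements under Sample; return the occurrences that are logged."""
    decider = LoggingDecider()
    sql = "SELECT balance FROM accounts WHERE id = 7"
    return [n for n in range(1, 22)
            if decider.should_log("Sample", 3, sql, "192.0.2.10", "APP", now=n)]


# Constructed traffic for one cluster: (seconds, source IP, database user or None)
UNIQUE_TRAFFIC = [
    (0, "192.0.2.10", "APP"),     # first sighting: logged
    (600, "192.0.2.10", "APP"),   # same triple inside the hour: suppressed
    (700, "192.0.2.10", "HR"),    # user differs: logged
    (800, "192.0.2.44", "APP"),   # source IP differs: logged
    (900, "192.0.2.10", None),    # user unknown, first such entry: logged
    (1000, "192.0.2.10", None),   # user unknown again, same cluster and IP: suppressed
    (3700, "192.0.2.10", "APP"),  # over an hour since it was last logged: logged
]


def unique_demo():
    """Replay UNIQUE_TRAFFIC under Unique; return one True/False per statement."""
    decider = LoggingDecider()
    return [decider.should_log("Unique", 3, "SELECT ...", ip, user, now=t)
            for t, ip, user in UNIQUE_TRAFFIC]


if __name__ == "__main__":
    print("Sample logs occurrences:", sample_demo())
    print("Unique decisions:", unique_demo())
```

Seven statements produce five Unique log records here, which is why the notes recommend this level for policy development: every new source shows up once without the log growing with traffic volume.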
Select the cluster, right-click and select Properties. The Cluster Properties window is
displayed.
A cluster is a single statement or a group of statements that are selected. You can order and
filter on various columns to display the set of statements you wish to group together.
Setting Cluster Properties
Use the Oracle Database Firewall Analyzer to set cluster
properties:
When you save a policy, you must provide a policy name. This name will be the file name with
a default extension of .dna. The file is saved by default in the smdl directory. Take note of
where the policy file is saved so that you will be able to locate it for uploading.
Note: In the course practice environment, the default directory is My Documents.
Saving the Policy
After you have developed a policy, save the policy to a file:
1. Select Create Policy in the File menu of the Firewall
Analyzer.
2. Specify the following:
a. Folder to save the policy file
b. Policy file name
3. Click Save.
After you have saved the policy in a .dna file, you upload it to the Oracle Database Firewall
Management Server.
Perform the following steps to upload the policy:
1. Click Upload in the Policies section on the Monitoring tab page.
2. Browse for the Policy.
3. Provide a description of the policy. As the policies are refined, the description becomes
more important so that you can identify the policy when you apply the policy to an
enforcement point.
Uploading the Policy
After saving the policy file, use the Administration Console to
upload the policy to the Database Firewall Management Server.
After the policy is uploaded, it appears on the settings page of the enforcement point. The
policies are listed in alphabetical order.
Select the policy you wish to apply to the enforcement point and click Save.
Specifying the Policy for the Enforcement Point
After you have uploaded the policy to the Database Firewall
Management Server, select the newly created policy for the
enforcement point.
Once you have defined a policy for your enforcement point, you should continue to review
reports to ensure your policy meets your compliance requirements. You may further refine the
policy as necessary.
Use unique log policies after you have deployed the initial policy. This enables Oracle
Database Firewall to log new SQL statements, which you then can import into the Analyzer
for analysis against the statements used to build the current policy. Unique log policies also
enable you to detect policy anomalies (such as anomaly default rules). This way, you can
identify possible security vulnerabilities and improve the policy further. You can repeat this
process as many times as required.
Refining the Policy
Policy development is an iterative process:
- Maintain Log Mode Unique after the policy has been deployed so that new SQL statements will be logged.
- Use the Firewall Analyzer to import new SQL statements for comparison with the current policy.
- Analyze the data and assign threat severities, action levels, and logging levels to each new cluster.
The policy definition may need to be updated based on additional analysis as shown in the
diagram in the slide.
Maintain Log Mode Unique after the policy has been deployed so that new SQL statements
will be logged. As additional statements are executed, they are compared with logged SQL
statements. You can also use the Firewall Analyzer to import new SQL statements for
comparison with the current policy.
Analyze the data and assign threat severities, action levels, and logging levels to each new
cluster.
Continuing to log statements and perform analysis can help you to find default rules that have
no associated policy. These are called anomaly default rules. It is advisable to log and
produce a warning for such statements.
Refining the Policy
[Diagram labels: Statements from clients; Unique Log Mode; Logged SQL statements; Analysis; Policy Update]
Baseline Anomalies are those statements that do not match any rule in the policy.
Refer to the "Policy Enforcement Flow" diagram presented earlier in this lesson. On that
diagram, you can see that the default rule is applied last in the sequence, and then only to
those statements that have not been matched by any other rule.
Baseline Anomalies
- Any statement that does not match any policy rule is an anomaly.
- The default rule determines the action, logging level, and threat of statements that are anomalies.
Selecting Sensitive data masking in the Tools menu displays a dialog that allows you to set
up rules for automatic masking of sensitive data in log files, such as credit card numbers.
If a logged statement matches the masking policy set up in this dialog, the policy
automatically replaces all user data in that statement, that is, string constants, integer
constants, hexadecimal constants, and float constants, with alternative characters. The
characters used depend on the data type.
The masking process prevents sensitive data from appearing in log files.
To mask sensitive data, select Mask sensitive data. You can mask all sensitive data in
all statements by selecting For all statements.
To mask only certain statements, select "Only for statements matching the following
criteria".
Note: If you use "Only for statements matching the following criteria" be sure to include "*" as
one of the columns, so the SELECT * FROM statement does not cause sensitive data to be
logged.
Sensitive Data Masking
- Turn data masking on or off.
- Apply masking to all statements or only statements meeting given criteria.
To choose the types of statements:
- Having columns: All statements that contain any of the columns selected in this
area will have sensitive data masked.
- Having procedures: If the Any checkbox is selected, all statements that contain a
procedure will have sensitive data masked. If you deselect Any, all statements that
contain any of the procedures selected in the area will have sensitive data
masked.
You can use the Add, Remove or Populate buttons to choose the columns or procedures:
- Add enables you to specify a column or procedure name.
- Remove enables you to remove the selected column or procedure from the list.
- Populate enables you to add all the columns or procedures that are in the current model.
Note: Make sure you select the checkboxes next to the columns or procedures you want
masking to apply to.
If Invalid statements is selected, data in invalid statements (those that the policy would not
parse) is also masked, where possible. Note that, because the syntax of invalid statements
may not be correct, masking of all data in invalid statements may not be possible.
Note: If Treat double quoted strings as identifiers is deselected in the Policy Options dialog,
text in double quotation marks will also be masked.
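The masking behaviour described above, including why "*" belongs in the column list, can be shown with a small tokenizer. This is an added example, not the product's implementation: the function names are hypothetical, the replacement characters ("#" for string constants, "0" for numeric constants) are constructed because the notes do not say which characters are used, and only the Having columns criterion is modelled.

```python
import re

# One alternative per token kind; constants are the "user data" that masking replaces.
TOKEN = re.compile(r"""
    (?P<string>'(?:[^']|'')*')            # string constant ('' is an escaped quote)
  | (?P<hex>0[xX][0-9A-Fa-f]+)            # hexadecimal constant
  | (?P<float>\d+\.\d*(?:[eE][+-]?\d+)?|\.\d+(?:[eE][+-]?\d+)?|\d+[eE][+-]?\d+)
  | (?P<int>\d+)                          # integer constant
  | (?P<ident>[A-Za-z_][A-Za-z0-9_]*)     # keyword, table name or column name
  | (?P<star>\*)                          # the "*" column
  | (?P<other>.)                          # whitespace, operators, punctuation
""", re.VERBOSE | re.DOTALL)

# Constructed replacement characters, one scheme per data type.
MASKS = {
    "string": lambda s: "'" + "#" * (len(s) - 2) + "'",
    "hex": lambda s: s[:2] + "0" * (len(s) - 2),
    "float": lambda s: re.sub(r"\d", "0", s),
    "int": lambda s: "0" * len(s),
}


def tokenize(sql):
    return [(m.lastgroup, m.group()) for m in TOKEN.finditer(sql)]


def matches_criteria(tokens, columns):
    """True if the statement names any selected column ("*" counts as a column)."""
    wanted = {c.upper() for c in columns}
    for kind, text in tokens:
        if kind == "ident" and text.upper() in wanted:
            return True
        if kind == "star" and "*" in wanted:
            return True
    return False


def mask_for_log(sql, mask_all=False, columns=()):
    """Return the text that would be logged for sql under the masking settings."""
    tokens = tokenize(sql)
    if not (mask_all or matches_criteria(tokens, columns)):
        return sql  # statement does not meet the criteria: logged with its data intact
    return "".join(MASKS[kind](text) if kind in MASKS else text
                   for kind, text in tokens)


# Constructed sample statements
BY_COLUMN = ("SELECT name FROM customers WHERE card_no = '4111111111111111' "
             "AND limit_amt > 2500.50")
BY_STAR = "SELECT * FROM customers WHERE id = 42 OR flags = 0x1F"

if __name__ == "__main__":
    print(mask_for_log(BY_COLUMN, columns={"card_no"}))
    print(mask_for_log(BY_STAR, columns={"card_no"}))        # not matched, unmasked
    print(mask_for_log(BY_STAR, columns={"card_no", "*"}))   # matched through "*"
```

With only card_no selected, the SELECT * statement never names the column and its constants reach the log unchanged; adding "*" to the list closes that gap.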
Selecting Login/Logout Policy in the Tools menu displays a dialog that allows you to specify
the actions the policy must apply when a database client logs into or logs out of the database.
The dialog contains three policy sections, Login Policy, Failed Login Policy, and Logout
Policy. It also contains a Notes box that allows you to record notes about the policy. The
notes are not used or reported elsewhere.
Login Policy: You can use the Login Policy section to specify the login action level and
threat severity of successful or unsuccessful database user logins, and whether to log
logins.
Failed Login Policy: You can use this section to block a client or generate an alert
(warning) after a number of consecutive unsuccessful logins. If triggered, blocking or
alerting continues for a period of time up to the specified Reset period.
Logout Policy: You can use the Logout Policy section to specify the logout action level
and threat severity of database user logouts, and whether to log logouts.
Note: These policies are applied to an IP address, not to a user. This can be used to foil
automated login attempts from a single IP address.
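The Failed Login Policy described above counts consecutive unsuccessful logins per client IP address, not per database user. The following added example (not Oracle code) models that: the class name, the threshold of 3 and the 300-second reset period are constructed values, and it assumes that the action stays in force for the full reset period and that a successful login clears the consecutive count.

```python
from dataclasses import dataclass, field


@dataclass
class FailedLoginPolicy:
    threshold: int            # consecutive unsuccessful logins that trigger the action
    reset_period: int         # seconds the action stays in force once triggered
    action: str = "Block"     # "Block" or "Warn"
    failures: dict = field(default_factory=dict, init=False)         # ip -> consecutive failures
    triggered_until: dict = field(default_factory=dict, init=False)  # ip -> expiry time

    def on_login(self, source_ip, db_user, success, now):
        """Return the action applied to this login attempt ("none" if not triggered).

        db_user is deliberately unused: the policy is applied to the IP address.
        """
        until = self.triggered_until.get(source_ip)
        if until is not None:
            if now < until:
                return self.action            # still inside the reset period
            del self.triggered_until[source_ip]
            self.failures[source_ip] = 0      # reset period elapsed: start again
        if success:
            self.failures[source_ip] = 0      # a success ends the consecutive run
            return "none"
        self.failures[source_ip] = self.failures.get(source_ip, 0) + 1
        if self.failures[source_ip] >= self.threshold:
            self.triggered_until[source_ip] = now + self.reset_period
            return self.action
        return "none"


def replay(policy, events):
    """events: (seconds, source IP, database user, success). Returns one action per event."""
    return [policy.on_login(ip, user, ok, now=t) for t, ip, user, ok in events]


# Constructed login events: one client cycling through user names, then other clients.
GUESSING_CLIENT = [
    (0, "198.51.100.7", "scott", False),
    (1, "198.51.100.7", "hr", False),
    (2, "198.51.100.7", "system", False),   # third consecutive failure from this IP
    (10, "198.51.100.7", "app", True),      # correct password, but the IP is blocked
    (11, "198.51.100.9", "scott", False),   # same user name, different IP: own counter
    (400, "198.51.100.7", "app", True),     # reset period over
]

MISTYPED_PASSWORD = [
    (0, "198.51.100.20", "app", False),
    (5, "198.51.100.20", "app", False),
    (9, "198.51.100.20", "app", True),      # success clears the run
    (50, "198.51.100.20", "app", False),
    (55, "198.51.100.20", "app", False),
]

if __name__ == "__main__":
    print(replay(FailedLoginPolicy(threshold=3, reset_period=300), GUESSING_CLIENT))
    print(replay(FailedLoginPolicy(threshold=3, reset_period=300), MISTYPED_PASSWORD))
```

Because the counter is per IP address, three failures spread across three user names still trigger the block, while clients that share one address (for example, behind an application server or NAT) share one counter.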
Adding Login/Logout Policy
Set policies for:
Logins
Failed logins
Logouts
Summary
In this lesson, you should have learned how to:
Describe the security model and policy enforcement
Supply logged data to the Firewall Analyzer
Supply SQL statement files to the Firewall Analyzer
Create a new model
Create a policy
Deploy a policy
In this practice, you initiate a workload on your DB01 database.
Practice 4-1 Overview:
Starting the Collection Workload
This practice includes starting a workload on your DB01
database.
In this practice, you begin the policy creation process.
Practice 4-2 Overview:
Creating a Policy
This practice covers the following topics:
Creating a new model from training on logged data
Viewing summary statistics
In this practice, you define your white list.
Practice 4-3 Overview:
Creating a Basic White List
This practice covers the following topics:
- Setting properties for expected SQL statements (the white list)
- Defining the login/logout policy
- Setting the properties for statements not part of the white list
In this practice, you upload the policy and apply it to your enforcement point.
Practice 4-4 Overview:
Uploading and Applying the Policy
This practice covers the following topics:
Uploading the policy
Applying the policy to your enforcement point
In this practice, you verify that the policy you created is working correctly.
Practice 4-5 Overview:
Executing Commands and Analyzing Results
This practice covers the following topics:
Executing SQL statements
Verifying that the white list definition is correct
Performing forensic analysis
In this practice, you will add an exceptions policy. Exceptions provide a means for bypassing
policy rules and are often used for DBAs, whose activity is not routine and is difficult to define
via a white list. In this practice, you add a DBA user who will be permitted to perform queries.
However, the activity of the user will be fully audited.
Practice 4-6 Overview:
Adding an Exceptions Policy
This practice covers the following topics:
Adding an exception for a specific user
Uploading and applying the refined policy
Answer: c
Quiz
In what order is the policy enforcement flow applied?
a. Profiles, default rule, exceptions, and then novelty policies
b. Novelty policies, profiles, default rule, and then exceptions
c. Exceptions, profiles, novelty policies, and then a default rule
d. A default rule, exceptions, novelty policies, and then profiles
Creating Advanced Configuration Policies
Objectives
After completing this lesson, you should be able to do the
following:
Create a profile
Create a novelty policy
Profiles are used in two ways:
- As a filter to limit the data in the Analysis tab so you can be more selective about the data you display
- As a factor to determine the statements to which to apply the policy rules
The profile allows you to apply different rules to particular sets of users. The profile sets must
be defined before they can be assigned to a profile.
When Profiles are used in the Analysis tab, they act as filters changing the displayed
statements. When they are used in the Baseline or Details tabs, they are applied as rules in
the policy, and do not affect the displayed statement clusters.
Using Profiles
- Profile:
  - A type of filter used to control the display of data
  - A policy rule factor used to apply policy rules by database users, IP addresses, operating system users, client programs, and times of day
- Profile is a combination of any of the following types of sets:
  - IP address: Named set of IP addresses of database clients
  - DB user: Named set of database user login names
  - Client program: Named set of client programs
  - OS user set: Named set of operating system user names
  - Timeslice: Named set of hours in a week
Before you can select sets in a profile, the sets must be defined. You can create sets in the
Firewall Analyzer by clicking the Tools menu item, then selecting the type of set you wish to
create as shown in the upper left of the slide.
The first dialog box for the set is blank. DB User Sets is the example shown in the upper
center of the slide. Click Add to create a DB User Set.
In the dialog box, shown in the lower right, type a Name for the set, then select the users you
wish to add to the set from the list on the right. This list is populated from the users listed in
the training file, or from logs you have loaded for analysis. Click the single left angle bracket to
move the selected users to the Selected DB Users list on the left, or click the double left angle
bracket to move all the users from Recorded list to the Selected list.
The Add button allows you to enter any name, or use the "*" wildcard character.
Click OK to create the set.
The lower left of the slide shows the DB User Sets dialog box after several sets have been
created. From this dialog box you can add, edit, or delete sets.
Each of the set types has a similar dialog box for creating a set.
Defining Sets
You can create a profile as follows:
1. Select Profile from the Tools menu to display the Profiles box as shown in the lower
right of the slide.
2. Click Add to display the Profile dialog box as shown in the lower right of the slide.
3. Provide a profile name and select one or more sets to be included in the profile.
The profile definition includes one or more of the following sets:
IP Address Set: A set of one or more IP addresses of database clients.
DB User Set: A set of one or more database user login names.
Client Program Set: A set of one or more database client program names.
OS user set: A set of one or more operating system user names.
Timeslice: A timeslice is a set of one or more hours in a week.
When a profile is selected, it will filter the displayed values based on the sets in the profile. If
the profile only has a DB User Set, then only the statements issued by those users will be
shown.
When a profile has more than one set, the intersection of those sets is used.
Creating a Profile
1. Define each set to be used in the profile.
2. Create the profile:
A. Name the profile.
B. Select the sets to be used in the profile.
By selecting a profile in the Analysis tab, you can restrict the data that is displayed. When you
first select Profile in the View menu, you are prompted to select a profile. You can change the
profile by selecting Change Profile in the View menu. Once you have selected a profile, only
the clusters with statements that have originated from the database users, IP addresses, OS
users, client programs, and times in the selected profile are displayed.
As an example, if the profile includes only a DB user set, the tab will display only those
clusters with statements that have originated from the database users in the DB user set,
irrespective of their IP address, and so forth. If the profile includes both a DB user set and a
timeslice, only clusters with statements that have occurred from one of the defined users
during one of the hours in the timeslice are displayed.
The Background Profile is the default in the Analysis tab.
Selecting a Profile in the Analysis Tab
- Select Profile in the View menu.
- Only those clusters with SQL statements originating from the sources and times matching the selected profile are displayed in the Analysis tab.
If you have not selected a profile, any policy rules you define are applied to the "background"
policy rules, that is, the action, logging level, and threat severity to use when no specific
profile policy rules apply.
When you select a profile in the View menu for the Details tab, you can restrict the policy rules
you define to the statements that meet the selected profile.
The policy rules for the selected profile will override the background rules. For example, if the
profile includes a DB user set and timeslice, then any rules you define will apply only for
statements that occur during one of the active periods in the timeslice from a database user
who is in the DB user set. If the profile does not include a timeslice, the selected rules will
apply, irrespective of the time a statement that matches the cluster occurs.
Unlike the Analysis tab, selecting a profile in the Details or Baseline tab does not affect the
clusters displayed (all clusters remain displayed).
Selecting a Profile in the Details Tab
Select Profile in the View menu.
It enables you to set up policy rules for the selected profile.
Selecting a profile in the Details tab does not affect the cluster display.
The slide shows the last portion of the policy enforcement flow. Statements that have not
been matched by other policy elements are tested against the novelty policies and, if still not
matched, are matched to the default rule associated with baseline anomalies. Since there is
only one default rule for baseline anomalies, novelty policies are used to specify the action
level, logging level, and threat severity to use for statements that operate on selected tables,
classes of statements, or both.
For example, if the default action level is Warn, the user may want to set up novelty policies
that apply a Pass action level to unseen statements that operate on tables containing public
information, and a Block action to all unseen statements that operate on tables containing
sensitive information.
Note: If a default rule matches more than one novelty policy, the worst-case policy is used.
For example, a policy that blocks takes priority over a policy that warns.
You use the Default Rule for Baseline Anomalies section in the Summary tab to specify the
default action level, logging level, and threat severity to use for statements that match no
novelty policy.
Using a Novelty Policy
Novelty policy: Specifies the action level, logging level, and threat severity to use for unseen statements that operate on selected tables and/or classes of statement
Used to loosen or tighten the default unseen statement policies for specific classes of statements, tables, or both
[Slide diagram: statements not matched by policies are tested against Novelty Policies and then the Default Rule; at each stage, "If YES (match), then EXIT"]
An example of setting novelty policies is as follows:
Set up a default action level of Warn. Then set up novelty policies that apply a Pass action
level to unseen statements that operate on tables containing public information and a Block
action to all unseen statements that operate on tables containing sensitive information.
Other examples of novelty policies are:
Restrict access to sensitive data by blocking access to sensitive tables and allowing access to
other tables.
Applications that use dynamic SQL are difficult to white list. One strategy is to set the novelty
policy to allow only read-only access to certain tables, which will allow most proper uses of
dynamic SQL and defeat some SQL injection techniques.
Note: Policies built with a white list approach, which define allowed statements, are less difficult
to analyze than policies that use a mixed white list and blacklist method.
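The novelty-policy decision described above, modeled as an added Python example (not Oracle's code or the product's implementation). Assumptions: the Pass < Warn < Block ordering, a table match on any one selected table, and the constructed policy and table names; the statement class names are the ones this guide uses.

```python
from dataclasses import dataclass
from enum import IntEnum


class Action(IntEnum):
    """Action levels named on the page; a higher value is the stricter ("worst") case."""
    PASS = 0
    WARN = 1
    BLOCK = 2


@dataclass(frozen=True)
class NoveltyPolicy:
    name: str
    action: Action
    # Nothing selected means everything is implicitly selected (step 2 of the procedure).
    tables: frozenset = frozenset()
    classes: frozenset = frozenset()

    def matches(self, stmt_tables, stmt_class):
        # Assumption: touching ANY selected table is enough for a table match.
        table_ok = not self.tables or bool(self.tables & stmt_tables)
        class_ok = not self.classes or stmt_class in self.classes
        return table_ok and class_ok


def decide(stmt_tables, stmt_class, policies, default_action):
    """Decide the action for an unseen statement that no earlier policy element matched.

    Returns (action, name of the deciding rule).
    """
    tables = frozenset(t.lower() for t in stmt_tables)
    hits = [p for p in policies if p.matches(tables, stmt_class)]
    if not hits:
        return default_action, "default rule for baseline anomalies"
    worst = max(hits, key=lambda p: p.action)  # a block outranks a warn
    return worst.action, worst.name


# Constructed sample policy set: the Warn / Pass / Block example from the text.
PUBLIC_SENSITIVE = [
    NoveltyPolicy("public-pass", Action.PASS,
                  tables=frozenset({"products", "store_locations"})),
    NoveltyPolicy("sensitive-block", Action.BLOCK,
                  tables=frozenset({"salaries", "card_numbers"})),
]

# Constructed sample policy set: the dynamic SQL strategy, read-only access to chosen tables.
READ_ONLY_DYNAMIC = [
    NoveltyPolicy("orders-read-only", Action.PASS,
                  tables=frozenset({"orders"}), classes=frozenset({"Read-Only"})),
]


def demo():
    """Evaluate constructed unseen statements, given as (tables touched, statement class)."""
    return {
        "public read": decide({"products"}, "Read-Only", PUBLIC_SENSITIVE, Action.WARN),
        "sensitive read": decide({"salaries"}, "Read-Only", PUBLIC_SENSITIVE, Action.WARN),
        # Joins a public and a sensitive table: both policies match, the worst case wins.
        "mixed join": decide({"products", "salaries"}, "Read-Only",
                             PUBLIC_SENSITIVE, Action.WARN),
        # Matches no novelty policy, so the default rule decides.
        "unlisted table": decide({"audit_notes"}, "DML", PUBLIC_SENSITIVE, Action.WARN),
        "dynamic read": decide({"orders"}, "Read-Only", READ_ONLY_DYNAMIC, Action.BLOCK),
        # A write arriving through dynamic SQL: the read-only policy does not match.
        "dynamic write": decide({"orders"}, "DML", READ_ONLY_DYNAMIC, Action.BLOCK),
    }


if __name__ == "__main__":
    for label, (action, rule) in demo().items():
        print(f"{label:15} -> {action.name:5} ({rule})")
```

The "mixed join" case is the one to test when tuning a real policy: a Pass rule for public tables does not weaken a Block rule for sensitive tables when a single statement touches both.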
Novelty Policy Example
[Slide diagram: decision flow with default action Warn. Tables contain sensitive data? Yes: Action: Block. Tables contain public data? Yes: Action: Pass.]
Perform the following steps to create a novelty policy:
1. Click New Novelty Policy on the Summary tab.
2. In the New Novelty Policy dialog box, select the tables and statement classes for the
novelty policy, and then click OK. If you do not select any specific tables, all tables are
implicitly selected. If you do not select any specific statement classes, all statement
classes are implicitly selected.
3. In the Policy Rules section of the Summary tab, right-click the novelty policy rule and
click Properties.
4. Specify the action level, logging level, and threat severity to use. Specify statement
substitution if required. Click OK.
Creating a Novelty Policy
1. On the Summary tab, click New Novelty Policy.
2. In the New Novelty Policy dialog box, select the tables and statement classes for the novelty policy. Click OK.
3. In the Policy Rules section of the Summary tab, right-click the novelty policy rule and click Properties.
4. Specify the action level, logging level, and threat severity for the policy.
Summary
In this lesson, you should have learned how to:
Create a profile
Create a novelty policy
In this practice, you will modify the existing white list policy to allow all activity of a new
application.
Practice 5-1 Overview: Creating a Policy for a New Application
This practice covers the following topics:
Creating the HR App User DB User set
Creating a new policy
Uploading the policy and assigning it to your enforcement point
Testing your configuration
In this practice, you will update your policy using exception matches.
Practice 5-2 Overview: Updating the Policy
This practice covers the following topics:
Updating with log data
Updating the policy for exception matches
In this practice, you define a profile.
Practice 5-3 Overview: Creating a Profile
This practice covers the following topics:
Setting properties
Creating a profile
Removing the exception policy
In this practice, you will set a rule that blocks read access to a sensitive table. All other out-of-baseline behavior will generate alerts without blocking.
Practice 5-4 Overview: Creating a Novelty Policy
This practice covers the following topics:
Defining the novelty policy rule
Defining the anomaly default rule
Answer: a, e, f
Table names, column names, and statement types cannot be specified in profile sets, but they
can be specified in rules.
Quiz
A policy can contain multiple profiles. Each profile holds sets of
factors which are used to group statements. Which of the
following cannot be used in a profile?
a. Table names
b. Client IP addresses
c. Database user names
d. Client programs
e. Column names
f. Statement types (DML, Read-Only, DCL)
g. Day and time periods
Reporting
Objectives
After completing this lesson, you should be able to do the
following:
Explain the Oracle Database Firewall reporting system
Use Summary reports
Use Summary Compliance reports
Use Audit reports
The Oracle Database Firewall reporting system is based on tables stored in the SECURELOG
schema in the Oracle database that is installed with the Management Server.
The forensic tables, TRAFFIC_LOG_QUERIES and TRAFFIC_LOG_QUERY_RESULTS, contain
information about all the SQL statements that Oracle Database Firewall logs. Data in these
tables can be viewed through the Administration Console.
In addition to the two tables described previously, Oracle Database Firewall creates a new
table for each search. This table is derived from TRAFFIC_LOG_QUERY_RESULTS and is
named TRAFFIC_LOG_QUERY_RESULTS_ID where ID is the identifier of the search. This
table is deleted when the corresponding entry in TRAFFIC_LOG_QUERIES is deleted.
The database object auditing tables contain information about the stored procedures and user
roles collected by the stored procedure auditing and user role auditing functions. The data in
these tables can be viewed through the audit reports available in the Administration Console.
The summary tables store general information about the data that is being monitored, such as
the names of the users logging in, the monitored databases, user sessions, database traffic,
events, and sample SQL statements.
Detailed information about the tables is available in the Oracle Database Firewall
Administration Guide.
Oracle Database Firewall Reporting System Overview
Three types of built-in reporting systems:
Forensic
  Includes every transaction that is logged by the active policy
  Filtered by the user for content
  No hardcopy output
Audit
  Based on the Search Log Results record set with results displayed in Audit reports
  Data is refreshed when new reports are run or the report set is refreshed by user
Summary
  Created by the system during the summarization process
  Results are based around cluster results
Traffic log files are summarized every hour by default. Summary tables are used to generate
summary reports.
The Search Traffic Log function is used to generate audit reports when requested.
Oracle Database Firewall Reporting System Architecture
Traffic log files are automatically summarized and data is stored in the summary tables.
Search Log Results form the record sets for audit reports.
[Slide diagram labels: Log file on DBFW; Pulled by Management Server to temp store; Files awaiting summarization; File being summarized; Traffic log files in permanent store; Summary Tables; Search Log Results filter; Search Log Results; Reporting Database]
The Reporting tab of the Oracle Database Firewall Administration Console provides an
interface for the following types of reports:
Traffic Log: The traffic log stores details of all logged SQL statements.
Audit reports: These reports include only the data included in a selected traffic log
search.
Summary reports: These reports extract the requested information from the traffic log
while the report is being created. They contain only summarized data.
Reports are generated using a built-in reporting tool. The reports can be viewed as Adobe
Acrobat PDF documents or in a Microsoft Excel spreadsheet format.
Oracle Database Firewall Reporting
Summary reports are generated by extracting the required information from the traffic log
when the report is requested.
To access the Summary Reports page, click the Summary reports link on the Reporting
page. Then choose the type of Summary report you wish to view.
Traffic log files are summarized every hour. You can force the files to be summarized at any
time by clicking Summarize Now on the specific summary report page.
Using the Summary Reports
Access the Summary reports page by clicking Summary reports on the Reporting page.
Database Firewall compliance reports include data from all protected databases classified
with the relevant compliance category. You can include a database in a compliance category
on the Protected Database Details page.
The compliance types are defined as follows:
SOX: Sarbanes-Oxley Act
PCI: Peripheral Component Interconnect
DPA: Data Protection Act
GLBA: Gramm-Leach-Bliley Act
HIPAA: Health Insurance Portability and Accountability Act
Using the Summary Compliance Reports
Specify compliance reporting for a protected database:
  When adding a protected database
  On the Protected Database Details page
Compliance reports include data from all protected databases with the relevant compliance classification.
Multiple compliance reporting standards may be specified for a protected database.
Each time you run the Search log function, you must specify a title for the search. The search
conditions are saved. This search can be accessed and run again, refreshed or deleted in the
Log Search Results page.
By setting the dates to be relative, the same search can be refreshed with a current set of
data.
Using the Search Log Function
Search Log creates a record set that can be automatically updated each time it is run.
Dates can be relative or absolute.
Results can be restricted to a maximum number of results.
Log Search Results provide a convenient way to specify a data set for any number of audit
reports. Each log search result set returns a set of records with the same attributes, so a report
designed to report on one result set can be used against any result set.
After specifying the search criteria and executing the search, you can view the results in the
Administration Console from the Log Search Results link on the Reporting tab. Alternatively,
you can view a formatted report by selecting the Search identifier when running a report from
the Audit Reports group.
Using the Search Log Results
Access Search Log Results in the Administration Console or by running an audit report.
Provide the name of the search result being processed.
Use any report with any result set as the record attributes are the same.
You can view the log search result by clicking the title on the Log Search Results page under
the Reporting tab. Details of a specific statement can be viewed by clicking on the description
column which provides a drop-down list of details associated with the statement.
You can apply further filters to the information displayed by clicking on the Filter button. This
affects what is viewed on the page and does not affect the contents of the log search result
itself.
Viewing Log Search Results
[Slide screenshot callouts: Click to view the search results. Click the link to see the details. Click to apply a filter.]
Access the Audit reports from the Reporting page by clicking the Audit reports link.
Audit reports depend on Traffic Log search results. Click Search Log on the Audit reports
page or in the Traffic Log section of the Reporting page.
Log Search Results are the basis for the Audit reports. The log search collects log records
from the log files stored on the Management Server based on the conditions specified on the
Search Traffic Log page. The log search results are stored in temporary tables in the
Management Server database.
Use a log search to set the limits to the data you wish to view in the Audit report.
Creating Audit Reports
Audit reports are created from traffic log search results.
These reports are based on data that is moved from log files in the Management Server into temporary tables named TRAFFIC_LOG_QUERY_RESULTS_n in the reporting database.
Use an input filter to control the amount of data in each traffic log query table.
After specifying the search criteria and executing the search, you can view a formatted report
by navigating to the Audit Reports report group display.
Using the Search Log Results in Audit Reports
Search Log Traffic results are accessed via audit reports.
You can view the report in an Adobe Acrobat PDF format, or as a Microsoft Excel
spreadsheet by clicking Customize.
Click Schedule to schedule the report for regular execution and email the report to a specified
address.
Generating the Audit Report
To use third-party reporting tools, the report user account (DBFW_REPORT) must be unlocked
on the Management Server database. As the root user, execute the following commands:
su - oracle
. oraenv
ORACLE_SID [oracle] = dbfwdb
sqlplus / as sysdba
ALTER USER dbfw_report IDENTIFIED BY <password> ACCOUNT UNLOCK;
EXIT;
To allow access to the SECURELOG schema reporting tables, use the Administration
Console as follows:
1. Navigate to the System settings page in the System tab.
2. Click Change.
3. On the Edit Network Configuration page, find the Secure Log Access setting.
4. Change the setting from disabled to 'all' or a list of allowed IP addresses.
5. Click Apply.
Reporting with Other Tools
To use other reporting tools:
Allow access to the SECURELOG schema reporting tables
Enable remote access for the report user
Use TNS naming or Easy Connect
Make a remote connection
The screenshot in the slide shows an example of connecting to the Management Server
database using an easy connect string:
$ sqlplus dbfw_report/oracle_4U@//10.228.10.200:1521/dbfwdb
The screenshot also shows the results from an example SELECT statement:
SQL> select * from securelog.summary_clusters
2 where rownum <5;
Example: Reporting with SQL*Plus
Summary
In this lesson, you should have learned how to:
Explain the Oracle Database Firewall reporting system
Use Summary reports
Use Summary Compliance reports
Use Audit reports
In this practice, you generate a report to view a summary of statements outside of policy by day.
Practice 6-1 Overview: Creating Summary Reports
This practice covers creating a Database Traffic Anomalies report.
In this practice, you create an audit report for activity by the JTAYLOR database user.
Practice 6-2 Overview: Creating Audit Reports
This practice covers the following topics:
Generating a search of the traffic log
Viewing a search log result
Creating an audit report for activity by the JTAYLOR database user
Answer: b
Quiz
The Audit reports extract data from the traffic logs on the
Database Firewall Management Server:
a. True
b. False
Answer: a
Quiz
Compliance reporting must be enabled in the enforcement
point in order that the proper data is collected:
a. True
b. False
Stored Procedure Auditing
Objectives
After completing this lesson, you should be able to do the
following:
Create users and set permissions for stored procedure auditing
Enable stored procedure auditing in the Database Firewall
Audit changes to stored procedures
The stored procedure auditing feature of Oracle Database Firewall enables you to audit and
approve changes to stored procedures on monitored databases for compliance purposes.
You can also decline changes to stored procedures. However, this has no effect on the actual
stored procedures in the database. Approving and declining changes to stored procedures is
a means to comply with audit regulations.
Stored Procedure Auditing Overview
Stored procedure auditing: Audit and approve/decline changes to stored procedures on monitored databases
Approving and declining changes has no effect on the stored procedures in the database
Stored procedure auditing is supported for the following types of databases:
  Oracle Database
  Microsoft SQL Server
  Sybase ASE
  Sybase SQL Anywhere
  IBM DB2 LUW
Oracle Database Firewall connects to the database at scheduled intervals to determine if any
changes or additions have been made to stored procedures.
When you activate stored procedure auditing, you can specify how frequently the audit job
should execute. Additional information on activating stored procedure auditing is provided
later in this lesson.
Stored Procedure Auditing Architecture
[Figure: architecture diagram. Labels: Database users update stored procedures; Monitored Oracle database; SPA user; Database Firewall; Checks for updates; Send updates to Database Firewall; Database Firewall Management Server; Database Firewall Analyzer]
To use stored procedure auditing, you execute a script on each database to define a user that
will be able to access the required objects that indicate a change to a stored procedure. The
user connects to the database, and retrieves procedure and user information.
For Oracle databases, execute the spa_setup.sql script. The script prompts for a username
and password. The user is created and granted CREATE SESSION, and SELECT on
SYS.DBA_OBJECTS and SYS.DBA_SOURCE.
For Microsoft SQL Server databases, execute the spa_add_user.sql script to create the
user. Execute the spa_add_db_permissions.sql script to grant user permissions for a
specified database or spa_add_all_db_permissions.sql to grant user permissions
for all databases. The scripts grant VIEW DEFINITION, and SELECT on SYS.ALL_OBJECTS
and DBO.SYSCOMMENTS for Version 8 and higher databases. The scripts grant SELECT on
DBO.SYSOBJECTS and DBO.SYSCOMMENTS for earlier versions.
Creating Users and Setting Permissions
To use stored procedure auditing, create users and set
permissions on the monitored databases by uncompressing the
appropriate database file in the database/spa directory of the
Utilities disk and executing scripts as follows:
Oracle Database:
Execute the spa_setup.sql script to create a user and
grant necessary privileges to the user.
Microsoft SQL Server:
Execute the spa_add_user.sql script to create the user.
Execute the spa_add_db_permissions.sql or
spa_add_all_db_permissions.sql script to grant
permissions to the user.
For a Sybase Adaptive Server Enterprise (ASE) database, execute spa_add_user.sql to
create the user. Execute the spa_add_db_permissions.sql script to grant the user
permissions. The script grants SELECT on DBO.SYSDATABASES, DBO.SYSOBJECTS, and
DBO.SYSCOMMENTS.
For a Sybase SQL Anywhere database, you must first install the SQL Anywhere ODBC driver
for Linux. Then execute the spa_setup.sql script to create a user and grant privileges to
the user. The script grants CONNECT, and SELECT on SYS.SYSUSER, SYS.SYSPROCEDURES,
and SYS.SYSPROCPARM.
For an IBM DB2 database, there are no scripts to be executed. Create a new user or use an
existing user account for stored procedure auditing. Grant SELECT on SYSCAT.ROUTINES to
the user.
Creating Users and Setting Permissions
Sybase ASE:
Execute the spa_add_user.sql script to create the user.
Execute the spa_add_db_permissions.sql script to grant
permissions to the user.
Sybase SQL Anywhere:
Install the SQL Anywhere ODBC driver for Linux.
Execute the spa_setup.sql script to create the user and
grant the necessary privileges to the user.
IBM DB2:
Create a user or use an existing user account.
Grant SELECT on SYSCAT.ROUTINES to the user.
You enable or activate stored procedure auditing through the Oracle Database Firewall
Administration Console. Select your enforcement point and click Settings. Specify the IP
address for the database server, the TCP port, and the database name. Supply the name and
password of the user that you created by executing the spa_setup.sql or
spa_add_user.sql script. Specify a time for the first stored procedure audit to execute.
Indicate the frequency with which you want the audits to execute. The default is once a week.
If you want to execute an immediate audit, you can do so by navigating to the Manage
Enforcement Point page and clicking Run Now in the Stored Procedure Auditing Control
section.
Enabling Stored Procedure Auditing
Use the Administration Console to activate stored procedure
auditing for a selected enforcement point.
Specify the IP address for the server, the TCP port, and the database name.
Specify the username and password.
Specify the audit frequency.
The following activities pertain to stored procedure auditing:
Running a manual stored procedure audit: In addition to a regularly scheduled audit,
you can invoke a stored procedure audit immediately by clicking Run Now in the
Stored Procedure Auditing Control section of the Managed Enforcement Point page.
Viewing all additions or changes made to stored procedures: You can select a
stored procedure and view the actual code that was executed when the procedure was
created or modified.
Approving and declining changes: After changes have been recorded in the Oracle
Database Firewall, you can view the changes and then indicate whether the changes
are approved or declined. Note that the approval or declining of changes is for auditing
purposes only. No changes are made to the stored procedures in the database.
Viewing approvals and approval history: Through the reports you can view a list of
the changed stored procedures, approvals, and a complete approval history.
Auditing Changes to Stored Procedures
Stored procedure auditing activities include:
Running a manual stored procedure audit
Viewing all additions or changes made to stored
procedures
Approving and declining changes
Viewing approvals
Viewing approval history
The following stored procedure audit reports can be viewed:
Summary: Lists the enforcement points which have stored procedure auditing enabled.
This page shows the number of fully approved stored procedures, the number that are
pending approval, and the total number of audit history records.
Approved: Lists each stored procedure that has at least one approval.
Pending: Lists each stored procedure that is awaiting at least one approval.
Audit History: Lists all previous and pending approvals.
You can further refine the approved, pending, and audit history reports by using the Filter
feature on each report.
Viewing the Stored Procedure Audit Report
Access stored procedure auditing reports from the Reporting
tab.
You can view additional stored procedure auditing reports as follows:
1. Click Audit reports on the Reporting page.
2. Click the SPA report group link on the Audit Reports page.
3. Click the appropriate link depending on the type of report you wish to view.
There are three types of SPA reports available:
Details of SPA Changes Pending Approval: Provides a report indicating stored
procedure code changes that are pending approval. The report also includes an
approval block at the end.
Summary of SPA Approved Changes: Provides a listing of stored procedures and an
indication of what type of changes have occurred, such as New or 1 modification.
Summary of SPA Changes Pending Approval: Provides a listing of stored procedures
that have been changed and are awaiting approval. The report also includes an
approval block at the end.
The reports can be viewed in Adobe PDF or in Microsoft Excel format. Each report can be
saved (retained) or scheduled to run as a recurring report.
Viewing SPA Audit Reports
Additional reports can be accessed on the Audit reports/SPA
page:
When you click Pending in the Stored Procedure Auditing section of the Reporting tab, the
Pending Approvals for Stored Procedures page is displayed. This page displays a list of
audited stored procedures.
You can click the stored procedure name link to view the SQL text used to create the stored
procedure.
When you click the space just below the stored procedure link, a modification history for the
stored procedure is displayed. Additional information on this feature is provided in the practice
for this lesson.
You can approve and decline the changes for a specific stored procedure by clicking the
appropriate button. You can also approve pending changes to all stored procedures listed in
the Pending Approvals report (based on the selected filters) by clicking Approve All.
Viewing Pending Approvals and Taking Action
View the pending stored procedure approvals and take action
on them on the Pending Approvals for Stored Procedures page.
Click Filter to specify filter settings.
Click the stored procedure name link to view the stored procedure.
Click Decline or Accept for a specific stored procedure.
Click Approve All for bulk approval of all changes.
Summary
In this lesson, you should have learned how to:
Create users and set permissions for stored procedure
auditing
Enable stored procedure auditing in the Database Firewall
Audit changes to stored procedures
In this practice, you create a user in the DB01 database for stored procedure auditing. The
user is created and privileges are granted to the user by executing the spa_setup.sql
script found on the Oracle Database Firewall Utilities disk.
Practice 7-1 Overview:
Creating a User for Stored Procedure Auditing
This practice involves executing the spa_setup.sql script on
your Oracle database to define a user and grant the required
privileges for stored procedure auditing.
In this practice, you enable stored procedure auditing in your DB01 database.
Practice 7-2 Overview:
Enabling Stored Procedure Auditing
This practice includes the following tasks:
Activating stored procedure auditing for your DB01
database
Testing that the configuration is correct
In this practice, you initiate a manual audit and approve changes to the stored procedures in
your DB01 database.
Practice 7-3 Overview: Running a Manual Audit
and Approving Changes to Stored Procedures
This practice includes the following tasks:
Initiating an initial manual audit of your DB01 database
Approving the initial changes to the stored procedures
Updating a few stored procedures, running another audit,
reviewing the changes, and approving the changes
Answer: a, b, c
Quiz
Which of the following functions does stored procedure auditing
perform?
a. Creates a baseline of stored procedures
b. Compares changes to the baseline
c. Keeps a record of approved and pending changes
d. Blocks the use of unapproved changes
User Role Auditing
Objectives
After completing this lesson, you should be able to do the
following:
Create users and set permissions for user role auditing
Enable user role auditing in the Database Firewall
Audit changes to user roles
The user role auditing feature of Oracle Database Firewall enables you to audit and approve
changes to user roles on monitored databases for compliance purposes. You can also decline
changes to user roles. However, this has no effect on the actual users in the database.
Approving and declining changes to user roles is a means to comply with audit regulations.
User Role Auditing Overview
User role auditing: Audit and approve changes to user
roles in databases on a specific server
Approving and declining changes has no effect on the
users in the database
User role auditing is supported for the following types of
databases:
Oracle Database
Microsoft SQL Server
Sybase ASE
Sybase SQL Anywhere
IBM DB2
Oracle Database Firewall connects to the database at scheduled intervals to determine if any
changes have been made to the roles granted to users.
When you activate user role auditing, you can specify how frequently the audit job should
execute. Additional information on activating user role auditing is provided later in this lesson.
User Role Auditing Architecture
[Figure: architecture diagram. Labels: Database users grant and revoke roles; Monitored Oracle database; URA user; Database Firewall; Checks for updates; Send updates to Database Firewall; Database Firewall Management Server; Database Firewall Analyzer]
To use user role auditing, you execute a script on each database to define a user that will be
able to access the required objects that indicate any change to a user's roles. The user
connects to the database, and retrieves user and role information.
For Oracle databases, execute the ura_setup.sql script. The script prompts for a
username and password. The user is created and granted CREATE SESSION, and SELECT on
SYS.DBA_USERS, SYS.DBA_ROLE_PRIVS, SYS.DBA_SYS_PRIVS, SYS.PROXY_USERS and
SYS.V_$PWFILE_USERS.
For Microsoft SQL Server databases, execute the ura_add_user.sql script to create the
user. Execute the ura_add_db_permissions.sql script to grant user permissions for a
specified database or ura_add_all_db_permissions.sql to grant user permissions for
all databases.
Creating Users and Setting Permissions
To use user role auditing, create users and set permissions on
the monitored databases by uncompressing the appropriate
database file in the database/ura directory of the Utilities
disk and executing scripts as follows:
Oracle Database:
Execute the ura_setup.sql script to create a user and
grant necessary privileges to the user.
Microsoft SQL Server:
Execute the ura_add_user.sql script to create the user.
Execute the ura_add_db_permissions.sql or
ura_add_all_db_permissions.sql script to grant
permissions to the user.
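The Oracle grants that the lessons list for spa_setup.sql (stored procedure auditing) and ura_setup.sql (user role auditing) can be checked after the scripts have run. The query below is an added example, not part of the course material or of Oracle's scripts; the account names SPA_AUDITOR and URA_AUDITOR are hypothetical stand-ins for the usernames supplied at the script prompts. It reports every privilege or role the two accounts hold beyond the documented set, and every documented grant that is missing.

```sql
-- Added example: run as a DBA on the monitored Oracle database.
-- SPA_AUDITOR and URA_AUDITOR are hypothetical names; use the usernames
-- entered at the spa_setup.sql and ura_setup.sql prompts.
WITH expected AS (
  -- Grants the lesson text attributes to spa_setup.sql
  SELECT 'SPA_AUDITOR' AS grantee, 'SYSTEM' AS priv_type,
         'CREATE SESSION' AS privilege, '-' AS owner, '-' AS object_name
    FROM dual
  UNION ALL SELECT 'SPA_AUDITOR', 'OBJECT', 'SELECT', 'SYS', 'DBA_OBJECTS' FROM dual
  UNION ALL SELECT 'SPA_AUDITOR', 'OBJECT', 'SELECT', 'SYS', 'DBA_SOURCE' FROM dual
  -- Grants the lesson text attributes to ura_setup.sql
  UNION ALL SELECT 'URA_AUDITOR', 'SYSTEM', 'CREATE SESSION', '-', '-' FROM dual
  UNION ALL SELECT 'URA_AUDITOR', 'OBJECT', 'SELECT', 'SYS', 'DBA_USERS' FROM dual
  UNION ALL SELECT 'URA_AUDITOR', 'OBJECT', 'SELECT', 'SYS', 'DBA_ROLE_PRIVS' FROM dual
  UNION ALL SELECT 'URA_AUDITOR', 'OBJECT', 'SELECT', 'SYS', 'DBA_SYS_PRIVS' FROM dual
  UNION ALL SELECT 'URA_AUDITOR', 'OBJECT', 'SELECT', 'SYS', 'PROXY_USERS' FROM dual
  UNION ALL SELECT 'URA_AUDITOR', 'OBJECT', 'SELECT', 'SYS', 'V_$PWFILE_USERS' FROM dual
),
actual AS (
  -- System privileges granted directly to the audit accounts
  SELECT grantee, 'SYSTEM' AS priv_type, privilege, '-' AS owner, '-' AS object_name
    FROM dba_sys_privs
   WHERE grantee IN ('SPA_AUDITOR', 'URA_AUDITOR')
  UNION ALL
  -- Object privileges granted directly to the audit accounts
  SELECT grantee, 'OBJECT', privilege, owner, table_name
    FROM dba_tab_privs
   WHERE grantee IN ('SPA_AUDITOR', 'URA_AUDITOR')
  UNION ALL
  -- Any role at all is outside the documented set and will be reported
  SELECT grantee, 'ROLE', granted_role, '-', '-'
    FROM dba_role_privs
   WHERE grantee IN ('SPA_AUDITOR', 'URA_AUDITOR')
)
SELECT 'UNEXPECTED' AS finding, grantee, priv_type, privilege, owner, object_name
  FROM (SELECT * FROM actual MINUS SELECT * FROM expected)
UNION ALL
SELECT 'MISSING', grantee, priv_type, privilege, owner, object_name
  FROM (SELECT * FROM expected MINUS SELECT * FROM actual)
ORDER BY grantee, finding;
-- Privileges the accounts inherit through PUBLIC are not listed here;
-- review grants to PUBLIC separately.
```

An empty result means both accounts hold exactly the grants the lessons describe. Any UNEXPECTED row is worth reviewing, because these accounts' passwords are stored in the Database Firewall configuration.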
For a Sybase Adaptive Server Enterprise (ASE) database, execute ura_add_user.sql to
create the user. Execute the ura_add_db_permissions.sql script to grant the user
permissions.
For a Sybase SQL Anywhere database, you must first install the SQL Anywhere ODBC driver
for Linux. Then execute the ura_setup.sql script to create a user and grant privileges to
the user.
For an IBM DB2 database, there are no scripts to be executed. Create a new user or use an
existing user account for user role auditing. Grant SELECT on
SYSIBMADM.AUTHORIZATIONIDS and SYSCAT.DBAUTH to the user.
Creating Users and Setting Permissions
Sybase ASE:
Execute the ura_add_user.sql script to create the user.
Execute the ura_add_db_permissions.sql script to grant
permissions to the user.
Sybase SQL Anywhere:
Install the SQL Anywhere ODBC driver for Linux.
Execute the ura_setup.sql script to create the user and
grant the necessary privileges to the user.
IBM DB2:
Create a user or use an existing user account.
Grant SELECT on SYSIBMADM.AUTHORIZATIONIDS and
SELECT on SYSCAT.DBAUTH to the user.
You enable or activate user role auditing through the Oracle Database Firewall Administration
Console. Select your enforcement point and click Settings. Specify the IP address for the
database server, the TCP port, and the database name. Supply the name and password of
the user that you created by executing the ura_setup.sql or the ura_add_user.sql
script. Specify a time for the first user role audit to execute. Indicate the frequency with which
you want the audits to execute. The default is once a week. If you want to execute an
immediate audit, you can do so by navigating to the Manage Enforcement Point page and
clicking Run Now in the User Auditing Control section.
Enabling User Role Auditing
Use the Administration Console to activate user role auditing
for a selected enforcement point.
Specify the IP address for the server, the TCP port, and the database name.
Specify the username and password.
Specify the audit frequency.
The following activities pertain to user role auditing:
Running a manual user role audit: In addition to a regularly scheduled audit, you can
invoke a user role audit immediately by clicking Run Now in the User Auditing Control
section of the Managed Enforcement Point page.
Viewing all additions or changes made to user roles: You can select a user and view
the actual code that was executed when the user roles were granted or modified.
Approving and declining changes: After changes have been recorded in the Oracle
Database Firewall, you can view the changes and then indicate whether the changes
are approved or declined. Note that the approval or decline of changes is for auditing
purposes only. No changes are made to the users in the database.
Viewing approvals and approval history: Through the reports you can view a list of
the changed user roles, approvals and a complete approval history.
Auditing Changes to User Roles
User role auditing activities include:
Running a manual user role audit
Viewing all additions or changes made to user roles
Approving and declining changes
Viewing approvals
Viewing approval history
The following user role audit reports can be viewed:
Summary: Lists the enforcement points which have user role auditing enabled. This
page shows the number of fully approved user role changes, the number that are
pending approval, and the total number of audit history records.
Approved: Lists each user that has at least one approval.
Pending: Lists each user that is awaiting at least one approval.
Audit History: Lists all previous and pending approvals.
You can further refine the approved, pending, and audit history reports by using the Filter
feature on each report.
Viewing the User Role Audit Report
Access user role auditing reports from the Reporting tab.
You can view additional user role auditing (URA) reports as follows:
1. Click Audit reports on the Reporting page.
2. Click the URA report group link on the Audit Reports page.
3. Click the appropriate link depending on the type of report you wish to view.
There are three types of URA reports available:
Details of URA Changes Pending Approval: Provides a report indicating user role
changes that are pending approval. The report also includes an approval block at the
end.
Summary of URA Approved Changes: Provides a listing of users and an indication of
what type of role change has occurred, such as New or 1 modification.
Summary of URA Changes Pending Approval: Provides a listing of users that have
been changed and are awaiting approval. The report also includes an approval block at
the end.
The reports can be viewed in Adobe PDF or in Microsoft Excel format. Each report can be
saved (retained) or scheduled to run as a recurring report.
Viewing URA Audit Reports
Additional reports can be accessed on the Audit reports/URA
page:
When you click Pending in the User Role Auditing section of the Reporting tab, the Pending
Approvals for User Roles page is displayed. This page displays a list of audited user roles.
You can click the user role name link to view the SQL text used to create the user role.
When you click the space just below the user role link, a modification history for the user role
is displayed. Additional information on this feature is provided in the practice for this lesson.
You can approve and decline the changes for a specific user role by clicking the appropriate
button. You can also approve pending changes to all user roles listed in the Pending
Approvals report by clicking Approve All.
Viewing Pending Approvals and Taking Action
View the pending user role approvals and take action on them
on the Pending Approvals for User Role page.
Click Filter to specify filter settings.
Click the user role name link to view the user role definition.
Click Decline or Accept for a specific user role.
Click Approve All for bulk approval of all changes.
Summary
In this lesson, you should have learned how to:
Create users and set permissions for user role auditing
Enable user role auditing in the Database Firewall
Audit changes to user roles
In this practice, you create a user in the DB01 database for user role auditing. The user is
created and privileges are granted to the user by executing the ura_setup.sql script found
on the Oracle Database Firewall Utilities disk.
Practice 8-1 Overview:
Creating a User for User Role Auditing
This practice involves executing the ura_setup.sql script on
your Oracle database to define a user and grant the required
privileges for user role auditing.
In this practice, you enable user role auditing in your DB01 database.
Practice 8-2 Overview:
Enabling User Role Auditing
This practice includes the following tasks:
Activating user role auditing for your DB01 database
Testing that the configuration is correct
In this practice, you initiate a manual audit and approve changes to user roles in your DB01
database. In addition, you make new changes to roles and view the changes.
Practice 8-3 Overview: Running a Manual Audit
and Approving Changes to User Roles
This practice includes the following tasks:
Initiating an initial manual audit of your DB01 database
Approving the initial changes to user roles
Granting and revoking privileges, running another audit,
reviewing the changes, and approving the changes
Answer: b
Quiz
With user role auditing, changes to user privileges are not
available to the user until the changes have been approved.
a. True
b. False
Configuring and Using Local Monitoring
Objectives
After completing this lesson, you should be able to do the
following:
Describe the function of local monitoring
Install Oracle Database Firewall monitoring software
Enable local monitoring
The Oracle Database Firewall local monitoring feature enables an enforcement point to
monitor, not block, SQL traffic originating from sources with direct access to the database,
such as console users or batch jobs executing on the database server. Local monitoring does
not send traffic across the network. The Oracle Database Firewall local monitoring software is
installed directly into the database that you are monitoring. Local monitoring uses an
additional table in the database to log the following:
The last statement sent to the database by a console user or other process.
All statements originating from console users or processes that affect the data in the
database, such as ALTER TABLE and DROP TABLE operations.
The table is cleaned after the information is pulled to the Database Firewall.
Oracle Database Firewall supports local monitoring for Oracle Database, SQL Server, and
Sybase ASE databases, but not for Sybase SQL Anywhere.
Note: If the monitored database is a Microsoft SQL Server 2005 or later database, ensure
that the database uses mixed-mode authentication.
Local Monitoring Overview
Local monitoring software enables an enforcement point to
monitor SQL traffic that originates from sources with direct
access to the database.
Local monitoring sends only logs of local traffic to the
Firewall across the network.
Local monitoring software is installed directly into the
database that you are monitoring.
Local monitoring is available for:
Oracle Database
Microsoft SQL Server
Sybase ASE
With local monitoring, the Oracle Database Firewall collects data by querying the database at
regular intervals, and then uses the data in the same manner as statements originating from
database clients. Depending on the design of the policy, the statements may be logged or
produce warnings. Because local monitoring is not inline between the traffic and the
database, the statements cannot be blocked.
Oracle Database Firewall Architecture: Local Monitoring
[Diagram labels: Database Clients and Applications; Database Firewall; Local Monitor; Captures monitored SQL; Database Firewall Management Server; Database Firewall Analyzer; Protected Databases; Console User]
The local monitoring software installation creates two users, DBFW_CONSOLE_ACCESS and
DBFW_CONSOLE_ACCESS_QRY. Each user is granted privileges as described in the slide.
Installing Oracle Database Firewall Monitoring
Software
Installation scripts are in the database\localmonitor
folder of the Oracle Database Firewall Utilities disk.
Installation process creates two database users and grants
privileges as follows:
User                       Privileges
DBFW_CONSOLE_ACCESS        CREATE SESSION
                           ADMINISTER DATABASE TRIGGER
                           CREATE PROCEDURE
                           CREATE SEQUENCE
                           CREATE TABLE
                           CREATE TRIGGER
DBFW_CONSOLE_ACCESS_QRY    CREATE SESSION
The scripts you use to create the DBFW_CONSOLE_ACCESS and
DBFW_CONSOLE_ACCESS_QRY users, grant privileges, and create tables and triggers used by
the local monitoring system are located in the Oracle compressed file in the
database/localmonitor directory of the Utilities disk.
The DBFW_CONSOLE_ACCESS user is only used when you execute the dcam_setup.sql
script. After executing the dcam_setup.sql script, you can disable the user by locking the
account.
Installing Local Monitoring in an Oracle Database
1. Uncompress the oracle compressed file located in the
database/localmonitor directory of the Utilities disk.
2. Log in to the database as a user with the CREATE USER
privilege.
3. Execute the dcam_new_user.sql script to create the
DBFW_CONSOLE_ACCESS and
DBFW_CONSOLE_ACCESS_QRY users specifying
passwords as arguments.
4. Log in as the DBFW_CONSOLE_ACCESS user and execute
the dcam_setup.sql script.
5. Disable the DBFW_CONSOLE_ACCESS user.
The scripts you use to create the DBFW_CONSOLE_ACCESS and
DBFW_CONSOLE_ACCESS_QRY users, set user permissions, and create tables and the event
notification framework used by the local monitoring system are located in the sqlserver
compressed file in the database/localmonitor directory of the Utilities disk.
Installing Local Monitoring in a
Microsoft SQL Server Database
1. Uncompress the sqlserver compressed file located in
the database/localmonitor directory.
2. Log in to the database as a user with privileges to create
users.
3. Execute the dcam_new_user.sql script to create the
DBFW_CONSOLE_ACCESS and
DBFW_CONSOLE_ACCESS_QRY users with default
passwords.
4. Change the passwords for the two accounts.
5. Execute the dcam_setup.sql script.
The scripts you use to create the DBFW_CONSOLE_ACCESS and
DBFW_CONSOLE_ACCESS_QRY users, set user permissions, and create objects used by the
local monitoring system are located in the sybase compressed file in the
database/localmonitor directory of the Utilities disk.
Installing Local Monitoring in a Sybase ASE
Database
1. Uncompress the sybase compressed file located in the
database/localmonitor directory.
2. Execute the following scripts as a user with administrative
privileges and privileges to create users:
dcam_sa_setup.sql
scam_sa_setup.sql
scam_sa_setup_global_trigger.sql
3. Log in to the database and change the passwords of the
DBFW_CONSOLE_ACCESS and
DBFW_CONSOLE_ACCESS_QRY users.
To enable local monitoring, select Activate Local Monitor on the enforcement point Settings
page. The password required on this page is the password you specified for the
DBFW_CONSOLE_ACCESS_QRY user.
Enabling Local Monitoring
Enable local monitoring on the enforcement point Settings
page of the Administration Console.
Specify the IP address for the server, the TCP port, and the database name.
Specify the password of the DBFW_CONSOLE_ACCESS_QRY user.
Summary
In this lesson, you should have learned how to:
Describe the function of local monitoring
Install Oracle Database Firewall monitoring software
Enable local monitoring
In this practice, you install the Oracle Database Firewall local monitoring software in your
DB01 database. Use the dcam_new_user.sql script, available on the Oracle Database
Firewall Utilities disk, to create the DBFW_CONSOLE_ACCESS and
DBFW_CONSOLE_ACCESS_QRY users. Execute the dcam_setup.sql script to create tables
for local monitoring.
Practice 9-1 Overview: Installing the Local
Monitoring Software in the Oracle Database
This practice covers the following topics:
Executing the dcam_new_user.sql script to create the
users
Executing the dcam_setup.sql script to create tables
and other objects required for local monitoring
In this practice, you enable local monitoring in your DB01 database.
Practice 9-2 Overview: Enabling Local Monitoring
This practice covers activating local monitoring for your DB01
database.
In this practice, you generate a workload on your DB01 database and view the local
monitored traffic.
Practice 9-3 Overview:
Viewing Local Monitored Traffic
This practice covers the following topics:
Executing a script to generate a workload on your DB01
database
Viewing the local monitored traffic in the Administration
Console
Answer: c
Quiz
The purpose of local monitoring is to:
a. Block SQL traffic that originates on the database server
b. Capture network SQL traffic that bypasses the Database
Firewall
c. Capture SQL traffic that originates on the database server
d. Block SQL statements issued by OS privileged users on
the database server
Configuring and Using Remote Monitoring
Objectives
After completing this lesson, you should be able to do the
following:
Explain the function of remote monitoring
Configure the remote monitor
A remote monitor is associated with an enforcement point. The remote monitor usually
resides on a database server and is used when the Database Firewall cannot be placed to
directly monitor the network traffic.
The remote-agent script on the Linux or Unix server captures the SQL traffic and sends the
traffic to an Oracle Database Firewall. This configuration works well in an environment where
there are multiple databases on several servers sharing a common switch, or network
segment.
The remote monitor allows monitoring and alerts, but cannot block SQL.
Remote Monitoring Overview
Remote monitoring enables an enforcement point to
directly monitor SQL traffic.
Execute the remote-agent script on the Linux server
that you want to serve as the remote monitor to capture
SQL traffic and send it to an Oracle Database Firewall.
It is designed for environments where Oracle Database
Firewall will manage many small databases in a distributed
environment.
Remote monitoring enables an enforcement point to monitor SQL traffic to a database when
the Database Firewall cannot be placed to directly monitor the SQL traffic to that database. To
use remote monitoring, you run a script from the operating system of the server that you want
to use for the remote monitor. The remote monitoring software is not installed into the
database, but on the database server. The script captures the network SQL traffic coming into
the database server and sends a copy of it over the network to an Oracle Database Firewall.
This SQL data is then available for reports generated by this Database Firewall. You can
configure one Database Firewall to manage multiple remote monitoring configurations on your
network.
The remote monitor works like a network sniffer. It will collect network SQL traffic on the IP
address and port you configure.
Oracle Database Firewall Architecture: Remote Monitoring
[Diagram labels: Database Clients and Applications; Database Firewall; Remote Monitor; remote-agent script; Database Firewall Management Server; Protected Databases]
The remote-agent script requires the tcpdump and netcat utilities. You can download them
from the following locations:
tcpdump packet analyzer: http://www.tcpdump.org
GNU netcat networking utility: http://netcat.sourceforge.net
You can test for the presence of these utilities by logging in as root and executing the
following commands:
# which tcpdump
# which nc
Prerequisites for Remote Monitoring
The remote-agent script requires:
1. A Linux or UNIX operating system
2. tcpdump utility available from http://www.tcpdump.org/
3. netcat (nc) utility available from
http://netcat.sourceforge.net/
1. On the Monitor tab, select List Enforcement Points. Click Settings for the enforcement
point you wish to use for remote monitoring.
2. Select Activate Remote Monitor. The Enabled Monitor Address field appears.
3. Enter the IP address of the server that will be used as the remote monitor.
4. Click Add, and then Save.
5. Return to the Monitor and Settings page and click Configure for the IP address you wish
to configure.
Configuring the Remote Monitor in the
Administration Console
1. Select the enforcement point that
you want to use for the remote
monitor.
2. On the Monitor Settings page,
select Activate Remote Monitor.
3. Enter the IP address of the server
where the remote monitor software
will be installed.
4. On the Download Monitor
Configure File page, click
Download Configuration File and
save the remote-agent.conf
file.
If the server you are using to run the remote monitor can run a browser, use it to connect to
the Database Firewall Administration Console and use the browser to download the
configuration file.
If there is no graphical user interface, you will have to transfer the file to the target server
some other way. For example, you may use a USB Flash Drive.
Download Configuration File
Click Download Configuration File to save the file to the
local machine.
As the root user on the remote monitor:
Transfer the file to the remote monitor machine
Place the remote-agent.conf file in the /etc directory
The remote-agent.conf file provides the configuration information required by the
remote-agent script. RA_TCPDUMP_FILTER is a filter that is used by tcpdump to
capture the SQL arriving at the specified port on the server hosting the protected database.
RA_TARGET_IP and RA_TARGET_PORT provide the destination address and port for the SQL
traffic that is captured. The address is the management link IP address of a Database Firewall
appliance.
Contents of the remote-agent.conf file
# Remote Agent Configuration File
RA_TCPDUMP_FILTER="(tcp and ((ip[2:2] > 40) or (tcp[tcpflags] & (tcp-rst|tcp-fin|tcp-syn) != 0)) and (dst host 10.228.10.103 and tcp dst port 1521)) or (vlan and (tcp and ((ip[2:2] > 40) or (tcp[tcpflags] & (tcp-rst|tcp-fin|tcp-syn) != 0)) and (dst host 10.228.10.103 and tcp dst port 1521)))"
RA_TARGET_IP=10.228.10.200
RA_TARGET_PORT=5502
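The filter in the sample remote-agent.conf above can be read predicate by predicate. The following Python sketch is an added example, not Oracle's code and not part of the remote-agent script: it re-implements the filter's logic over constructed frames to show which packets would be copied to the Database Firewall. The client address, source port, VLAN ID and payload bytes are made up; only 10.228.10.103 and port 1521 come from the sample file.

```python
import socket
import struct

# Values taken from the sample remote-agent.conf shown on this page.
PROTECTED_IP = "10.228.10.103"
PROTECTED_PORT = 1521

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
# TCP timestamp option padded with two NOPs (12 bytes), constructed for the demo.
TS_OPTION = b"\x01\x01\x08\x0a" + b"\x00" * 8


def build_frame(src, dst, sport, dport, flags, payload=b"", options=b"", vlan=None):
    """Build a constructed Ethernet/IPv4/TCP frame (checksums left at zero)."""
    tcp_header_len = 20 + len(options)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1,
                      (tcp_header_len // 4) << 4, flags, 65535, 0, 0)
    tcp += options + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    eth = b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02"
    if vlan is not None:
        eth += struct.pack("!HH", 0x8100, vlan)      # 802.1Q tag
    return eth + struct.pack("!H", 0x0800) + ip + tcp


def filter_matches(frame):
    """Evaluate the logic of the page's RA_TCPDUMP_FILTER against one frame."""
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    l3 = 14
    if ethertype == 0x8100:                          # the "vlan and (...)" branch
        ethertype = struct.unpack_from("!H", frame, 16)[0]
        l3 = 18
    if ethertype != 0x0800:                          # filter only matches IPv4
        return False
    ip = frame[l3:]
    if len(ip) < 20 or ip[9] != 6:                   # "tcp"
        return False
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", ip, 2)[0]   # ip[2:2]
    frag_offset = struct.unpack_from("!H", ip, 6)[0] & 0x1FFF
    if frag_offset != 0 or len(ip) < ihl + 20:       # no TCP header to inspect
        return False
    dport = struct.unpack_from("!H", ip, ihl + 2)[0]
    flags = ip[ihl + 13]                             # tcp[tcpflags]
    data_or_control = total_len > 40 or (flags & (RST | FIN | SYN)) != 0
    to_protected_db = (ip[16:20] == socket.inet_aton(PROTECTED_IP)
                       and dport == PROTECTED_PORT)
    return data_or_control and to_protected_db


def sample_verdicts():
    """Return {case name: captured?} for a set of constructed frames."""
    client, db = "192.0.2.10", PROTECTED_IP          # client address is made up
    sql = b"SELECT 1 FROM dual"                      # stand-in payload, not real TNS
    frames = {
        "syn": build_frame(client, db, 40000, 1521, SYN),
        "bare_ack": build_frame(client, db, 40000, 1521, ACK),
        "ack_with_timestamps": build_frame(client, db, 40000, 1521, ACK,
                                           options=TS_OPTION),
        "sql_request": build_frame(client, db, 40000, 1521, PSH | ACK, sql),
        "sql_request_vlan": build_frame(client, db, 40000, 1521, PSH | ACK, sql,
                                        vlan=100),
        "fin": build_frame(client, db, 40000, 1521, FIN | ACK),
        "db_response": build_frame(db, client, 1521, 40000, PSH | ACK, b"rows"),
        "other_port": build_frame(client, db, 40000, 1522, PSH | ACK, sql),
    }
    return {name: filter_matches(frame) for name, frame in frames.items()}


if __name__ == "__main__":
    for name, captured in sample_verdicts().items():
        print(f"{name:22s} {'captured' if captured else 'ignored'}")
```

Two things follow from the filter as written: packets from the database back to the client never match, and an empty ACK is dropped only when it carries no TCP options, because any options push the IP total length above 40 bytes.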
The remote agent script can be found in the extras directory of the Oracle Database
Firewall Utilities 5.0 disk, which contains the dbfw.iso CD image. Copy the remote-agent
script to the /bin directory on the remote monitor machine and change the permissions with
the chmod command as follows:
# chmod +x remote-agent
Execute the remote-agent script as follows. Use the configuration file option if you are
monitoring multiple databases.
# remote-agent --config=/etc/db_sales_remote-agent.conf &
In this case, you can have multiple configuration files with different names.
Note: By default the remote-agent script monitors the eth0 device on the machine where
it is installed. If the traffic is using a different device, you can change the default to eth1 with:
# remote-agent --interface=eth1
Executing the Remote Monitoring Script
1. Log in as the root user on the Linux server that will serve
as the remote monitor.
2. Copy the remote-agent script from the extras directory
of the Utilities disk to the Linux server.
3. Change permissions so that the remote-agent script can
be executed.
4. Execute the remote-agent script to enable the remote
monitor to begin collecting SQL traffic and sending it to the
Oracle Database Firewall.
The enabled and connected icons indicate the remote monitor is working. If the remote
monitor is not communicating with Database Firewall, the Connected icon is a red warning.
Verifying that the Remote Monitor is Active
The Remote Monitor area of the enforcement point Status page
provides confirmation that the remote monitor is active.
Summary
In this lesson, you should have learned how to:
Describe the function of remote monitoring
Configure the remote monitor
In this practice, you configure the remote monitor on your database server. The database
server has two network interfaces. The EP_DB01 enforcement point is watching the traffic on
IP address 192.168.56.203. The SQL generated using the connect string DB01 uses this IP
address. The SQL traffic that uses the connect string DBDIRECT uses the second network
interface at IP address 192.168.56.103. The enforcement point EP_DB01 does not monitor or
block traffic using the DBDIRECT connect string.
In this practice, you configure an additional enforcement point EP_DIRECT to monitor the
SQL traffic using the DBDIRECT connect string. Then create a remote monitor running at the
first IP address, 192.168.56.203, simulating a remote monitor running on a separate machine.
Practice 10-1 Overview:
Configuring the Remote Monitor
This practice covers the following topics:
Creating the remote-agent.conf script
Placing the remote-agent.conf script in the proper
location
In this practice, you execute the remote-agent script on the server you plan to use as the
remote monitor.
Practice 10-2 Overview:
Executing the Remote Monitor Script
This practice covers the following topics:
Placing the remote-agent script in the proper location
Setting the permissions on the remote-agent script
Executing the remote-agent script
In this practice, you log in to your DB01 database by using the SQL*Plus client, execute a
query, and view the log traffic.
Practice 10-3 Overview:
Viewing Remote Traffic
This practice covers viewing traffic that bypasses the Database
Firewall.
Answer: e
Quiz
The remote monitor performs the following functions:
a. Monitors SQL traffic generated on the database server
b. Monitors all SQL traffic passing over the network
c. Blocks inappropriate SQL traffic
d. Blocks SQL traffic that bypasses the firewall
e. Monitors SQL traffic for a specific protected database
Additional System Management Tasks
Objectives
After completing this lesson, you should be able to do the following:
Define archive destinations and create an archive schedule
Manually archive data
Restore data from an archive
Configure Syslog logging
Delete logs and history
To prevent problems caused by the accumulation of processed traffic log files on the Oracle
Database Firewall or Oracle Database Firewall Management Server, the system maintains a target of
25% of the disk space free for reliable operation. This 25% free disk space value cannot be changed.
When calculating the amount of disk space required to store traffic log files, take the 25% free
disk space target into account.
Processed traffic log files are retained on disk to allow time for archiving and to permit ad hoc
searches of data for forensic purposes. It is recommended that data be archived in a timely way,
soon after collection. Once the free disk space target is exceeded, log files may be deleted by the
system and will no longer be available for archiving and ad hoc searching.
Understanding Processed Traffic Log File Space Management
Free disk space target of 25% is automatically enforced by the Database Firewall system.
Log files may be deleted by the Database Firewall system once the free disk space target is exceeded.
Be sure to archive traffic log files in a timely fashion.
The Database Firewall administrator is required to archive data and configuration information.
Traffic logs and reports should be moved to long-term storage to prevent the Database Firewall
disks from filling up.
First, configure an archive destination. Using the Administration Console, specify the server,
directory, and owner of the archives. The destination can be either a Windows share (using the SMB
protocol) or a Unix/Linux server using secure copy (scp).
Next, schedule an archive job. There are two types of archives: configuration and data.
Configuration archives take the data from the Management Server. This data is the system
configuration data, including baseline policies. The data archive job archives traffic logs or audit
history for stored procedure auditing and user role auditing. The configuration archives are useful
for recovery of the Database Firewall. The data archives are irreplaceable for forensic purposes.
Schedule an archive job by specifying the destination and when you wish the job to run. The
archive job can be started from the Archive tab in the Database Firewall Administration Console.
In the Management Server Administration Console, choose the Appliances tab and then the
Manage tab.
Database Firewall Analyzer files are archived separately using OS utilities and include:
Policy Files: File extension .dna
Model Files: File extensions .smdl and .smdl_data
Training Files: File extension .train
Archiving Data
Configure a destination
Manually archive
Schedule an archive job
Restore an archive
Configure an archive destination. Click the Archive tab and then click Create under Archive
Destination. On the Create Archiving Destination page, specify the following:
Transfer method: Either Windows File Sharing (using the SMB protocol) or secure copy (scp).
Name: Create a name for this destination.
Username: Supply the user name for the OS account that will accept the file transfer.
Address: Provide the IP address of the destination server. If this is a secure copy and name
resolution is enabled, the machine name can be entered.
Port: The port defaults to the well-known port for the transfer method selected.
Path: For secure copy, the directory is relative to the home directory of the user. For
Windows File Sharing, provide /sharename/directory_path.
Authentication Method: You can choose either Key Authentication or Password when
using secure copy, but only Password for Windows File Sharing. If you wish to use Key
Authentication, click the Key Authentication link and follow the instructions for adding the
public key to the .ssh file on the destination.
Configuring a Destination
Create a manual archive job on the Create Archive Job page. The manual job runs immediately,
with the options shown in the slide.
You must specify a Job Name and Destination, and then choose the Archive class, either Log files
or Audit files. You can choose whether to include files that have been previously archived, which
databases to archive, and the date range for the log files to archive.
The manual archive process allows more choices than the scheduled job does.
Manually Archive
On the Database Firewall Administration Console, you can schedule an archive job for either log
files or audit files. To schedule the job, choose a day or a date, a destination, and which
databases to include.
Scheduling an Archive Job
If you want to restore data from an archive, click Restore Data in the Jobs menu. You can use the
Restore from Archive page to restore a set of log or audit files from the destination in a specified
date range. Note that the restore process restores all the files that meet the specification.
If you want to restore configuration from an archive, click Restore Configuration in the Jobs menu.
On the Restore from Archive page, the only option is the archive destination from which you wish
to restore.
After restoring configuration data at an Oracle Database Firewall Management Server, display the
Appliances page, click Manage for each Oracle Database Firewall device being controlled, and
select the Restore option.
Restoring from an Archive
The syslog connector allows you to send alerts, statistics, and heartbeat messages to a syslog
server. Oracle Database Firewall updates the syslog messages in real time. The Syslog Settings
page allows you to configure TCP or UDP destinations and select the category of messages to be
forwarded to the syslog destination.
The syslog message has the following format:
message = date time hostname source num: DBFW:id message_text
An example message is:
Aug 15 11:02:57 DBFW DBFW1: DBFW:1 Configuration file reloaded
The maximum size of a DBFW syslog message is 1024 bytes.
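Added example (not part of the Oracle guide): a collector-side parser that checks incoming lines against the message format and 1024-byte limit described above before they reach a SIEM. It assumes that "source num" arrives as a single token such as DBFW1, that id is numeric, and that the size limit applies to the whole line; all function names are hypothetical.

```python
import re

MAX_DBFW_SYSLOG_BYTES = 1024  # maximum DBFW syslog message size stated in the guide

# Layout from the guide: date time hostname source num: DBFW:id message_text
DBFW_LINE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2}\s+\d{1,2})\s+"   # e.g. "Aug 15"
    r"(?P<time>\d{2}:\d{2}:\d{2})\s+"          # e.g. "11:02:57"
    r"(?P<hostname>\S+)\s+"
    r"(?P<source>\S+?):\s+"                    # assumption: source and num form one token
    r"DBFW:(?P<id>\d+)\s+"                     # assumption: id is numeric
    r"(?P<text>.*)$"
)

def parse_dbfw_syslog(line):
    """Return the fields of one DBFW syslog line, or None if it is not well formed."""
    if len(line.encode("utf-8")) > MAX_DBFW_SYSLOG_BYTES:
        return None  # exceeds the documented maximum, so not a valid DBFW message
    match = DBFW_LINE.match(line.rstrip("\r\n"))
    if match is None:
        return None
    fields = match.groupdict()
    fields["id"] = int(fields["id"])
    return fields

def triage(lines):
    """Split collector input into parsed DBFW records and rejected raw lines."""
    parsed, rejected = [], []
    for line in lines:
        record = parse_dbfw_syslog(line)
        if record is None:
            rejected.append(line)  # keep the raw line for review
        else:
            parsed.append(record)
    return parsed, rejected

# Constructed input: the guide's example line plus two lines built for this example.
SAMPLE = [
    "Aug 15 11:02:57 DBFW DBFW1: DBFW:1 Configuration file reloaded",
    "Aug 15 11:03:10 DBFW sshd[411]: session opened",   # not a DBFW message
    "Aug 15 11:03:11 DBFW DBFW1: DBFW:1 " + "A" * 1100,  # longer than 1024 bytes
]

if __name__ == "__main__":
    ok, bad = triage(SAMPLE)
    for rec in ok:
        print(rec["hostname"], rec["source"], rec["id"], rec["text"])
    print(len(bad), "line(s) rejected")
```

Rejected lines are worth keeping rather than dropping: on a destination dedicated to the Database Firewall, a line that fails the format or size check indicates a misrouted sender or a malformed message.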
Configuring syslog Logging
After you have archived the data, you can manually delete log files and history as shown in the
screenshot in the slide.
Access the Delete Logs page by clicking Manage in the Logs section of the System tab page.
Deleting Logs and History
Summary
In this lesson, you should have learned how to:
Define archive destinations and create an archive schedule
Manually archive data
Restore data from an archive
Configure syslog logging
Delete logs and history
In this practice, you will configure an archive destination.
Practice 11-1: Defining the Archive Destination
This practice covers configuring the archive destination.
In this practice, you initiate a manual archive.
Practice 11-2: Performing a Manual Archive
This practice covers initiating a manual archive.
Answer: d
Quiz
The Database Firewall must have room to store traffic logs. To
avoid problems, the Database Firewall and Management
Server reserve what percentage of free disk space for logs?
a. 5%
b. 15%
c. 20%
d. 25%
e. 30%