5 Replies Latest reply: Apr 29, 2014 4:56 AM by 1db54947-8f33-44bb-afad-aed2f0ba857d

    Audit Vault and DB Firewall Design

    1db54947-8f33-44bb-afad-aed2f0ba857d

      I have an application (Java-based) connected to the database 11g using JDBC.

      I am going to implement Audit Vault and DB firewall R12 for three reasons:

      1. monitoring the traffic

      2. blocking unwanted SQL statements.

      3. blocking unwanted IPs/Users

       

      Our two physical servers that will be used for Audit Vault and DB Firewall contain two NICs each.

       

      My Questions:

      1.  How to put these two servers in our network to be able to monitor as well as block traffic; we don't need to change anything in our existing network configuration.

      2.  How the DB Firewall will block unwanted incoming traffic from the Java application to our database.

       

      Please, any useful documents, links, ideas, network design.

       

      I tried the official Oracle documentation; it is useless.

        • 1. Re: Audit Vault and DB Firewall Design
          Harm Joris ten Napel-Oracle

          Hi,

           

          1. If you plan to block SQL using the firewall, you will need 3 NICs in the firewall appliance, since apart from the management interface you will need to set up a bridge (with 2 NICs) to physically route the traffic through the firewall. This also requires you to patch the appliance properly inside your datacenter between the protected database and the client or middle tier servers, so you can't do this without changing anything in your network configuration.

          2. You will need to compile a whitelist based on what your trusted applications are doing normally; this is an iterative process. Then the firewall will be able to block SQL not in the whitelist (replace it with something like select 1 from dual), since the only physical network path from the Java clients to the secured target DB goes via the bridge.

           

          Comment: so if you have a chance, pull one NIC out of the AV server (it only needs 1) and plug it into the firewall appliance.

           

          Greetings,

           

          Harm ten Napel
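
The iterative whitelist process described in point 2 of the reply above, as an added example that is not part of the thread and not Oracle's implementation: a simplified model in which statements are compared by shape (literals stripped), unknown shapes are replaced with `select 1 from dual`, and an administrator approves new shapes between rounds. The function names and the sample statements are constructed for illustration.

```python
import re

SUBSTITUTE = "select 1 from dual"  # replacement statement mentioned in the reply

def fingerprint(sql):
    """Reduce a statement to its shape so differing literal values compare equal."""
    s = re.sub(r"'(?:[^']|'')*'", "?", sql)   # string literals, '' escapes included
    s = re.sub(r"\b\d+(?:\.\d+)?\b", "?", s)  # numeric literals
    return re.sub(r"\s+", " ", s).strip().rstrip(";").strip().lower()

def learn(statements):
    """Build the allowlist from traffic captured while only monitoring."""
    return {fingerprint(q) for q in statements}

def enforce(sql, allowlist, review_queue):
    """Pass known shapes; substitute unknown ones and queue them for review."""
    fp = fingerprint(sql)
    if fp in allowlist:
        return sql
    if fp not in review_queue:
        review_queue.append(fp)
    return SUBSTITUTE

# Constructed sample traffic (hypothetical application statements).
BASELINE = [
    "SELECT name FROM customers WHERE id = 42",
    "UPDATE orders SET status = 'SHIPPED' WHERE order_id = 1001;",
]
LIVE = [
    "select name from customers where id = 7",            # same shape, new literal
    "SELECT name FROM customers WHERE id = 7 OR 1 = 1",   # shape changed
    "SELECT total FROM invoices WHERE customer_id = 7",   # new application feature
]

def demo():
    allowlist, queue = learn(BASELINE), []
    first = [enforce(q, allowlist, queue) for q in LIVE]
    # Iteration: an administrator approves the legitimate new shape only.
    allowlist.add(fingerprint(LIVE[2]))
    second = [enforce(q, allowlist, []) for q in LIVE]
    return first, second, queue

if __name__ == "__main__":
    for row in demo():
        print(row)
```

The review queue is what makes the process iterative: the application keeps receiving a valid result set for substituted statements, so legitimate new statements stay blocked until someone approves their shape.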

          • 2. Re: Audit Vault and DB Firewall Design
            1db54947-8f33-44bb-afad-aed2f0ba857d

            Hi Napel,

            Thanks for the reply.

            Based on Oracle Documentation:

            Oracle Database Firewall can be configured (bridge, out of band, or configured as a proxy).

            1. Out of band: cannot be used for blocking.

            2. Do you have any idea what the difference is between proxy and bridge?

             

            And how can I let my application access my DB through the firewall?

            • 3. Re: Audit Vault and DB Firewall Design
              Harm Joris ten Napel-Oracle

              Hi,

               

              With proxy, the client is configured to connect to the proxy and the firewall forwards the request to the secured target; with a bridge, the firewall is inline between client and server, and this is the only mode that allows DPE (policy enforcement). For example, check Introducing Oracle Audit Vault and Database Firewall.

               

              Greetings,

               

              Harm ten Napel

              • 4. Re: Audit Vault and DB Firewall Design
                1db54947-8f33-44bb-afad-aed2f0ba857d

                Thanks for the update.

                1. That means I have only one option for blocking, which is proxy configuration, right?

                2. And how many NICs are required on the server for this configuration?

                 

                3. And how to allow the client/middleware to pass through the DB firewall instead of a direct DB connection?

                Also,

                sorry for my questions:

                4. How to configure DB firewall high availability (I want to configure two servers for DB firewall)?

                5. What happens to the client/middleware old/new connections if all DB firewalls go down (in case of using proxy configuration)?

                • 5. Re: Audit Vault and DB Firewall Design
                  1db54947-8f33-44bb-afad-aed2f0ba857d

                  Sorry Napel,

                   

                  I went back to the documentation; it clearly states that:

                   

                  Inline between the database clients and database: This method enables Database Firewall to both block potential attacks and/or operating as an audit or monitoring system.

                  • As a proxy: Using this method, the Database Firewall acts as a traffic proxy, and the database client applications connect to the database using the Database Firewall's proxy IP and port address.

                   

                  +++ What is the difference between them (how to configure each of them from the DB firewall and client side)?