Understanding Oracle SQL Firewall: How it Protects Your Database

In today’s digital world, safeguarding your data in crucial! Databases could be prime targets for internal and external threats. Oracle SQL Firewall can provide real-time protection against common database attacks. It restricts database access to only certain, authorized SQL statements or specific connections for users. The SQL Firewall is part of the Oracle database kernel.

With the help of SQL Firewall, you can monitor, control and prevent unauthorized and malicious SQL statements from running in your database. Think of it as a gatekeeper that reviews every query before it accesses your data.

SQL Firewall acts as an additional layer of defense and helps with the following:

• provides real time protection by allowing only authorized SQL statements and database connections.
• mitigates the risk of SQL injection attacks, suspicious or compromised access
• mitigates the risk of human error, accidentally running damaging SQL statements
• enforces trusted connection paths to the database.
• block connections that do not come from trusted IP addresses, OS usernames, or programs

SQL Firewall only allows explicitly authorized SQL statements. Anything else that is run, is logged and violations are raised. You have the option to block unauthorized statements, or just log them, and decide
later what to do with it. The SQL Firewall works with an allow-list (a positive security model). Instead of trying to identify and block every possible malicious query, it focuses on defining and allowing only the known good SQL statements. The allow-list is a set of permitted actions: SQL statements, trusted connection paths etc.

The SQL Firewall policies can be defined at the user level, so 2 different users can have different policies. Also you can define the policies at the CDB level or PDB level. All SQL statements and commands are supported, except SAVEPOINT, COMMIT and ROLLBACK.

In order to take advantage of SQL firewall, you must license it, either with the Oracle Database Vault Feature, or with the Oracle Audit Vault and DB Firewall feature.

Getting started with SQL Firewall, is few steps process:

1. Enable the SQL Firewall in the database with DBMS_SQL_FIREWALL.ENABLE procedure.
2. Capture the normal SQL activities. This is the “learning mode” of the SQL traffic for the users you want to enable the firewall. This learning step will help with building the allow-list.
   You will need to create a capture for each user, with DBMS_SQL_FIREWALL.CREATE_CAPTURE. While the capture is still running, you can review the results in the DBA_SQL_FIREWALL_CAPTURE_LOGS view. Once you gathered enough information, maybe days, weeks or months…stop the capture.
3. Policy Definition: based on the learned patters, or manual configuration, you create the allow list, and define the policies that specify which SQL statements are permitted for specific users or applications. To generate the allow-list, you use DBMS_SQL_FIREWALL.GENERATE_ALLOW_LIST.
4. Enforcement Mode: Once policies are in place, SQL Firewall intercepts every SQL statement before it reaches the database. It compares the incoming query against the defined policies. To enable the policy from previous step, use DBMS_SQL_FIREWALL.ENABLE_ALLOW_LIST
5. Action: If a query matches a defined policy, it’s allowed to execute. If it violates a policy, SQL Firewall can take various actions, such as one or more of the following:

• Logging the violation: Providing an audit trail of unauthorized attempts.
• Generating alerts: Notifying administrators of suspicious activity.
• Preventing the execution: Blocking the harmful SQL statement from reaching the database.
  To monitor the violations, you can monitor the DBA_SQL_FIREWALL_VIOLATIONS view.

In conclusion, Oracle SQL Firewall is a powerful security feature that can significantly bolster your database defenses. By focusing on allowing only legitimate SQL, it provides a proactive and granular approach to protecting your valuable data assets.