Sep 7, 2023

FAQ: SQL Firewall 23c vs Oracle AVDF / Database Vault

Many people know that one of the new features of Oracle Database 23c is the built-in SQL Firewall. But this version, intended for use in a production environment, has not yet been released, and customers have questions about how this will compare with the existing Oracle Audit Vault and Database Firewall / Database Vault products, how it will be licensed, and whether a subscription to Oracle Cloud Infrastructure is required. I got my hands on a good document explaining many things, and we will discuss the most frequently asked questions under the cut (English version only).


- What is SQL Firewall in Oracle Database 23c?

SQL Firewall is a feature built into the kernel of Oracle Database 23c that inspects all connections to the database and all requests. It allows requests that satisfy its policies (i.e. "authorized" requests) and can block requests that do not.

Main use cases:
- narrowing the attack surface on the DBMS and protection against SQL injections by introducing a white list of SQL queries;
- protection against possible unauthorized access to the DBMS by introducing a “trusted path”, i.e. the route that the request must follow in order for the DBMS to serve it.
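An added example, not part of the original post or of Oracle's own scripts: a minimal on-prem setup of both use cases through the `DBMS_SQL_FIREWALL` package as documented for Oracle Database 23c. The account name `APP_USER` and the address `192.0.2.10` are constructed placeholders, and the session is assumed to hold the `SQL_FIREWALL_ADMIN` role.

```sql
-- Turn the feature on for the database.
EXEC DBMS_SQL_FIREWALL.ENABLE;

-- 1. Learn the application's normal workload for one account.
BEGIN
  DBMS_SQL_FIREWALL.CREATE_CAPTURE(
    username       => 'APP_USER',   -- placeholder account
    top_level_only => TRUE,         -- FALSE also records SQL issued from PL/SQL units
    start_capture  => TRUE);
END;
/

-- ... run the application through a representative workload, then:
EXEC DBMS_SQL_FIREWALL.STOP_CAPTURE('APP_USER');

-- 2. Turn the captured statements and session contexts into an allow list.
EXEC DBMS_SQL_FIREWALL.GENERATE_ALLOW_LIST('APP_USER');

-- 3. Trusted path: explicitly allow the application server's address
--    (placeholder from the documentation range 192.0.2.0/24).
BEGIN
  DBMS_SQL_FIREWALL.ADD_ALLOWED_CONTEXT(
    username     => 'APP_USER',
    context_type => DBMS_SQL_FIREWALL.IP_ADDRESS,
    value        => '192.0.2.10');
END;
/

-- 4. Enforce both the SQL allow list and the context allow list.
--    Start with block => FALSE to log violations only, then switch to TRUE.
BEGIN
  DBMS_SQL_FIREWALL.ENABLE_ALLOW_LIST(
    username => 'APP_USER',
    enforce  => DBMS_SQL_FIREWALL.ENFORCE_ALL,
    block    => TRUE);
END;
/

-- 5. Review what was flagged or blocked.
SELECT occurred_at, ip_address, cause, firewall_action, sql_text
FROM   dba_sql_firewall_violations
WHERE  username = 'APP_USER'
ORDER  BY occurred_at DESC;
```

Running in log-only mode first shows which legitimate statements the capture window missed before anything is blocked.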

- What about the Oracle Audit Vault & Database Firewall?

The SQL Firewall functionality for white-listing SQL queries is similar to that of the Database Firewall, but the two products differ in a number of ways: sometimes it is better to use one, and sometimes the other. Database Firewall is a network solution for monitoring SQL traffic, allowing you to monitor not only Oracle DBMS, but also other DBMS (MySQL, MSSQL, PostgreSQL, etc.). In the case of a non-Oracle DBMS, the choice of Database Firewall is obvious. In the case of Oracle, in many cases the built-in SQL Firewall has advantages. Let's figure it out.

Benefits of Database Firewall:
- support for various DBMS;
- graphical on-prem administration console (SQL Firewall allows on-prem administration only through scripts / stored procedures, graphical console - in Oracle Data Safe, which is a cloud product);
- no additional load on the DBMS, since all work is performed on a dedicated Database Firewall server;
- various deployment options are possible, including Host Monitor and Network Sniffer.

Benefits of SQL Firewall:
- the component is built into the Oracle DBMS, and monitors all requests without exception, including requests coming from inside - from stored procedures, etc.;
- no network delays;
- no delays in the analysis of encrypted SQL traffic, since the analysis is performed after the traffic is decrypted;
- a more complete request context available at the analysis stage;
- is part of the DBMS, does not require separate hardware and client software settings;
- there is no option to bypass it.

IMHO, the use of SQL Firewall will be preferable in situations where it is only necessary to block suspicious traffic in the DBMS, and the use of DBF in cases where monitoring of SQL queries is required not only for the Oracle DBMS and, in general, DBF is part of a corporate DAM (Database Activity Monitoring) solution. There are many options in the middle for when you want to use both products.

- What about the Database Vault?

SQL Firewall's “trusted path” functionality, i.e. controlling how exactly the client accesses the server (driver, program, host / port, etc.), overlaps with Oracle Database Vault. For example, access is allowed from the application server, but not directly from SQL*Plus. But in SQL Firewall, this trusted path can be associated with bad/good SQL queries, while Database Vault is better used to create realms, i.e. protection areas with mandatory access control. That is, it makes sense to use Database Vault and SQL Firewall together.

- So what should we license?

As of now, it is expected that SQL Firewall can be used if you have purchased Database Vault or Oracle Audit Vault and Database Firewall (or both). SQL Firewall is included in some cloud database services.

- Do I need a subscription to Oracle Cloud Infrastructure?

Oracle is aggressively promoting cloud services, in particular Oracle Data Safe, and also includes many paid options in basic DBaaS subscriptions. At the moment, built-in reports and a UI for SQL Firewall are announced only in the cloud-based Oracle Data Safe, whose use with an on-prem DBMS is paid and requires a subscription, though it is not expensive. Without Data Safe, you will have to use scripts / stored procedures; integration with Audit Vault is possible. With cloud-based databases that come with Database Vault functionality (such as Autonomous Data Warehouse / Transaction Processing), the use of both SQL Firewall and Data Safe will be free of charge.

That is, a subscription to OCI is optional, but desirable.

Conclusions: SQL Firewall in Oracle Database 23c can partially replace AVDF (in terms of creating a white list of SQL queries and blocking suspicious queries) and Database Vault (in terms of a trusted path), but does not completely replace these products. From a licensing point of view, it is especially convenient to use SQL Firewall if you've licensed Database Vault and need SQL query blocking functionality, or you've licensed AVDF and need trusted path functionality. Well, and get ready to move to the cloud, at least partially.

Documentation:

Note on blogs.oracle.com:
