
Oracle's Database Firewall Brouhaha

Vendor takes on database activity monitoring, but competitors say Oracle is no one-stop shop for database security.

Oracle has stirred up the database security market with the release of a database firewall and a partnership with F5 for Web application security. It claims that, together, these steps will supersede the database activity monitoring market. But competitors counter that gaps in Oracle Database Firewall's auditing capabilities, and Oracle's vested interest in its own database platform, will limit the company's ability to be a one-stop shop for database security.

The database firewall creates a defensive perimeter around a database by looking at SQL statements sent to it to determine whether to pass, log, alert, block, or substitute SQL statements, based on a company's policies. Users can set whitelist and blacklist policies to control the firewall. Oracle aims to compete directly with database activity monitoring (DAM) products offered by IBM, AppSec, Imperva, and others.
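The decision flow described above can be sketched as a small policy engine. This is an added illustration, not Oracle's code or policy format: the `fingerprint` and `decide` functions, the sample policies, and the substitute statement are all hypothetical and constructed for this example.

```python
import re
from enum import Enum

class Action(Enum):
    PASS = "pass"
    LOG = "log"
    ALERT = "alert"
    BLOCK = "block"
    SUBSTITUTE = "substitute"

def fingerprint(sql):
    """Reduce a statement to its shape so policies match structure, not values."""
    s = re.sub(r"'(?:[^']|'')*'", "?", sql)  # string literals, '' escapes included
    s = re.sub(r"\b\d+\b", "?", s)           # standalone numeric literals
    s = re.sub(r"\s+", " ", s).strip().rstrip(";").strip()
    return s.lower()

# Constructed policy: statement shapes the application is known to send.
WHITELIST = {fingerprint(q) for q in (
    "SELECT name FROM users WHERE id = 1",
    "UPDATE users SET email = 'x' WHERE id = 1",
)}
# Constructed blacklist: (pattern over the fingerprint, action to take).
BLACKLIST = (
    (re.compile(r"^(drop|truncate)\b"), Action.BLOCK),
    (re.compile(r"\bfrom credit_cards\b"), Action.SUBSTITUTE),
    (re.compile(r"^grant\b"), Action.LOG),
)
SUBSTITUTE_SQL = "SELECT 1 WHERE 1 = 0"  # placeholder that returns no rows
DEFAULT_ACTION = Action.ALERT            # unknown shapes are forwarded and flagged

def decide(sql):
    """Return (action, statement to forward to the database, or None if dropped)."""
    fp = fingerprint(sql)
    for pattern, action in BLACKLIST:    # blacklist wins over whitelist
        if pattern.search(fp):
            if action is Action.BLOCK:
                return action, None
            if action is Action.SUBSTITUTE:
                return action, SUBSTITUTE_SQL
            return action, sql
    if fp in WHITELIST:
        return Action.PASS, sql
    return DEFAULT_ACTION, sql
```

Because the whitelist holds statement shapes rather than literal text, a known query with a different id still passes, while the same query with an extra `OR 1=1` clause has a new shape and falls through to the default alert.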

Database firewalls aren't necessarily DAM replacements but rather alternatives, because most companies have yet to implement DAM, says Roxana Brodescu, Oracle's director of product marketing. "It's not so much about being easier to deploy, it's about being better, and it's about accuracy and security," says Brodescu.

Not surprisingly, competitors take issue with Oracle's point of view. Rob Rachwald, Imperva's director of security strategy, says that since most companies' database systems aren't built on Oracle alone, the technology will prove insufficient. However, Oracle's firewall is designed to work with other major database platforms, including DB2, SQL Server, and Sybase.

In conjunction with the database firewall, Oracle also unveiled a partnership with F5 to integrate that company's Web application firewall (WAF) with Oracle Database Firewall--a relationship that takes aim at Imperva in particular. Imperva has long touted its integrated WAF and DAM products. But while the partnership might seem good on paper, Rachwald questions the security chops of both companies. "F5 is a networking company, and Oracle is a database vendor," he says. "Neither company is a true security firm, so understanding abuse cases coming from hackers and insiders takes a backseat to the needs of the DBA."

Perhaps the most controversial part of Oracle's announcement is its assertion that database firewalls can act as DAM substitutes.

Database firewalls are a subdiscipline of DAM, not a potential replacement, says Josh Shaul, AppSec's VP of product management. They can provide external access controls, letting the system block specific queries, Shaul says, adding that the biggest value businesses get from DAM is a reliable, reviewable audit trail of privileged users' activities--the database firewall can't provide this, he says.

Privileged users generally can log in to the database server operating system directly and make local connections to the database from there, Shaul says. This common access method completely bypasses the database firewall, he says, allowing the local user unfettered and unaudited access to the data and system. However, the Oracle firewall does integrate with ArcSight security information and event management systems, so it can report on what's happening, says Vipin Samar, Oracle's VP of database security.


chart: Does your company use a database firewall?
