Oracle's Database Firewall Brouhaha

Find out more
about database security

>> See all our Analytics Reports <<

Oracle has stirred up the database security market with the release of a database firewall and a partnership with F5 for Web application security. It claims that, together, these steps will supersede the database activity monitoring market. But competitors counter that gaps in Oracle Database Firewall's auditing capabilities, and Oracle's vested interest in its own database platform, will limit the company's ability to be a one-stop shop for database security.

The database firewall creates a defensive perimeter around a database by looking at SQL statements sent to it to determine whether to pass, log, alert, block, or substitute SQL statements, based on a company's policies. Users can set whitelist and blacklist policies to control the firewall. Oracle aims to compete directly with database activity monitoring (DAM) products offered by IBM, AppSec, Imperva, and others.

Database firewalls aren't necessarily DAM replacements but rather alternatives, because most companies have yet to implement DAM, says Roxana Brodescu, Oracle's director of product marketing. "It's not so much about being easier to deploy, it's about being better, and it's about accuracy and security," says Brodescu.

Not surprisingly, competitors take issue with Oracle's point of view. Rob Rachwald, Imperva's director of security strategy, says that since most companies' database systems aren't built on Oracle alone, the technology will prove insufficient. However, Oracle's firewall is designed to work with other major database platforms, including DB2, SQL Server, and Sybase.

In conjunction with the database firewall, Oracle also unveiled a partnership with F5 to integrate that company's Web application firewall (WAF) with Oracle Database Firewall--a relationship that takes aim at Imperva in particular. Imperva has long touted its integrated WAF and DAM products. But while the partnership might seem good on paper, Rachwald questions the security chops of both companies. "F5 is a networking company, and Oracle is a database vendor," he says. "Neither company is a true security firm, so understanding abuse cases coming from hackers and insiders takes a backseat to the needs of the DBA."

Perhaps the most controversial part of Oracle's announcement is its assertion that database firewalls can act as DAM substitutes.

Database firewalls are a subdiscipline of DAM, not a potential replacement, says Josh Shaul, AppSec's VP of product management. They can provide external access controls, letting the system block specific queries, Shaul says, adding that the biggest value businesses get from DAM is a reliable, reviewable audit trail of privileged users' activities--the database firewall can't provide this, he says.

Privileged users generally can log in to the database server operating system directly and make local connections to the database from there, Shaul says. This common access method completely bypasses the database firewall, he says, allowing the local user unfettered and unaudited access to the data and system. However, the Oracle firewall does integrate with ArcSight security information and event management systems, so it can report on what's happening, says Vipin Samar, Oracle's VP of database security.

Write to us at [email protected].

InformationWeek: Mar. 14, 2011 Issue

Download a free PDF of InformationWeek magazine
(registration required)