
ANALYSIS OF DATABASE FIREWALL AND ITS IMPORTANCE IN INFORMATION SECURITY

Bijay Kumar Ranjit


School of Computing and Security Science
Edith Cowan University
Perth, Western Australia
branjit@our.ecu.edu.au
Abstract
No matter how strong the policies and guidelines for securing sensitive information in an organization are,
there is always a risk of a system being compromised and sensitive information being stolen. Organizations
struggle to identify these risks and mitigate them. In addition to external threats, an organization needs to
address internal threats as well. Organizations usually have multiple application servers for accessing
information; for example, clients access the database through a public website, while a different application
server is set up for internal users or employees. So, the best way to protect the information is to protect the
database. This idea gave birth to the development of the database firewall. It is known that binding variables
will completely eliminate SQL injection attacks, but during development and testing application developers do
not use it, and in a hurry they deploy the code to the production server. Hence the organization has to face the
consequences. Additionally, information is also leaked and misused by internal users, intentionally or
unknowingly. This paper demonstrates the effectiveness of a database firewall, such as Oracle Database
Firewall 5.1.0 Media, against different kinds of attacks such as SQL injection.

Keywords
SQL Injection, Database firewall, Oracle RDBMS

INTRODUCTION
Centralization of information and globalization of business have forced organizations to create sophisticated
and complex data structures. So, the availability, confidentiality and integrity of information have become a
key issue. Most relational database management systems, such as Oracle, PostgreSQL and Microsoft SQL
Server, come with access control lists (Bai and Peng 2006). But the problem arises when an attacker
impersonates a legitimate user; they can then easily get away with sensitive information. Security experts
have already acknowledged the importance of application-level firewalls (Bailey, Gopal et al. 1994).
The main problem with a traditional firewall is that it can only protect the system at the transport layer of the
Open Systems Interconnection (OSI) model (Liang and Xiaohu 2005). This kind of firewall is totally unaware of
attacks that occur at the application layer. A few approaches have also been made to tap the network traffic and
work with a Network-Based Intrusion Detection System, but either the attacker easily bypasses the system or has
already got away after damaging the system, leaving only anonymous sources in the log. Before database
firewalls were introduced, web application firewalls arose. Web application firewalls such as ModSecurity,
Barracuda and Bastille are successful in mitigating the risk to some extent. But the problem with these firewalls
is that they are application focused or use complex and complicated regular expressions to match the attack
(Razzaq, Hur et al. 2009). Also, anyone, including an attacker, can access the strategies these firewalls use and
work around the rules. Moreover, a web application firewall may produce lots of false positives, adding
unnecessary overhead for the system administrator.
This paper focuses on defining the scope of the database firewall and the mitigation of possible threats that
occur in the database. It also simulates possible attacks found in different sources and tests whether they are
successfully mitigated by a database firewall available on the market. The network design and database
firewall are taken from Oracle Database Firewall 5.1.0 Media in order to do the analysis of the database
firewall.
The analysis of the database firewall is done in the following areas.

- Firewall installation and configuration
- User Interface
- Flexibility with different databases
- Exploit
- Performance

Firewall configuration
The database firewall is configured in standalone database firewall mode. The network diagram for the
standalone mode is shown below:

Figure 1: Database firewall architecture

The database firewall can act as a proxy or can be bridged to the database. Following the documented
configuration process showed that some level of expert knowledge is required to properly configure the Oracle
Database Firewall. It requires three interface cards and a specific amount of space in order to continue the
installation, but in reality all the audit logs are stored on the centralized server. The firewall can also be
configured and installed in a cluster and maintained through the firewall management console to distribute the
load across the firewalls.
User Interface
A simple web interface is available to log in to and manage the standalone database firewall. The administrator
uses admin/admin as the credentials, and the system asks to change the password the first time. The web
interface is accessed over secure HTTP, which encrypts all the traffic and helps to avoid eavesdropping. After
the password is changed, the interface presents a dashboard that makes it easier for the administrator to
configure the database firewall for use with a database.

Figure 2: Dashboard
Flexibility with different databases
A database firewall is a standalone firewall module dedicated to the database, so it must be capable of
working with multiple database platforms, because an organization cannot bear the cost and resources
required to maintain a separate firewall for each database. This requirement is met by the analysed database
firewall. It can work with

- IBM DB2
- Microsoft SQL Server
- MySQL
- Oracle
- Sybase ASE
- Sybase SQL Anywhere

Figure 3: Supported RDBMS

It can also monitor two database servers at the same time, but the database servers must be homogeneous; e.g.
the databases cannot be a mixture of Oracle and Microsoft SQL Server.
Exploit
A database firewall is all about logging and auditing the vault. In the test simulation, SQL injection
queries are tested against the firewall. Since our test database is Oracle, we cannot test multiple-statement
execution, so creating a test plan for different other vault (Kost 2007). The Oracle 11gR2 database is used with
the user scott to test the SQL injection. Oracle Database Firewall Policy Analyzer was used for the test.
The necessary table is checked using SQL*Plus for the exploit.

Figure 4: Using Sqlplus to determine test user and table


The field name from any table is checked using desc (abbreviation of describe) command.

SQL Manipulation

SELECT deptno FROM dept WHERE deptno =10 UNION SELECT username FROM dba_users WHERE username like '%'

The SQL injection can be seen in the logs.

(Kost 2007)
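
The abstract's point about bind variables can be checked against the manipulation shown above. The following is an added example, not code from the paper: it uses Python's sqlite3 as a stand-in for the Oracle test database, and the app_users table (in place of dba_users) and the sample rows are constructed.

```python
import sqlite3

def build_db():
    # Constructed sample data; dept mirrors the table queried above,
    # app_users is a hypothetical stand-in for Oracle's dba_users view.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE dept (deptno INTEGER, dname TEXT);
        INSERT INTO dept VALUES (10, 'ACCOUNTING'), (20, 'RESEARCH');
        CREATE TABLE app_users (username TEXT);
        INSERT INTO app_users VALUES ('SCOTT'), ('SYS');
    """)
    return db

def lookup_concatenated(db, deptno):
    # Vulnerable form: the request value becomes part of the SQL text.
    sql = "SELECT deptno FROM dept WHERE deptno = " + deptno
    return [row[0] for row in db.execute(sql)]

def lookup_bound(db, deptno):
    # Bound form: the request value is passed as data and never parsed as SQL.
    sql = "SELECT deptno FROM dept WHERE deptno = ?"
    return [row[0] for row in db.execute(sql, (deptno,))]

# The manipulation from the query above, as it would arrive in a request field.
MANIPULATED = "10 UNION SELECT username FROM app_users WHERE username LIKE '%'"

if __name__ == "__main__":
    db = build_db()
    print("concatenated, normal input:     ", lookup_concatenated(db, "10"))
    print("concatenated, manipulated input:", lookup_concatenated(db, MANIPULATED))
    print("bound, manipulated input:       ", lookup_bound(db, MANIPULATED))
    print("bound, normal input:            ", lookup_bound(db, "10"))
```

With concatenation the user names come back alongside the department number; with the bound parameter the whole string is compared as a single value and matches no row.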

Performance
There has always been a trade-off between the security and the availability of a system. So, a database firewall
must be tested for the execution time it adds to fetching the result for the end user. Web applications have a
threshold on maximum execution time. If the database firewall takes too long to process the SQL statement and
return the result, the user may be left waiting indefinitely, because the web server might already have closed
the session before the database could respond to the request.
A few tests were made fetching results from the database through the database firewall, and no significant
deviation was found in the time taken to execute and fetch the result. But in real-world use the result may
differ. In future work this can be tested on a high-end server, and significant results can be obtained with and
without the database firewall.
In fact, the more policies the system administrator pushes to the database firewall, the more time is taken to
execute and fetch the result. So, the organization may choose the policies and create new policies according to
its requirements.
Figure 5: Policy setting

DISCUSSION
Though there is a trade-off between cost, complexity and security, a database firewall is necessary in any
high-end business organization that holds secure and sensitive data. From the analysis we learn that the
database firewall can play a significant role in achieving database security. The database firewall has two
modes of operation: a) monitoring and b) enforcement. The monitoring mode helps the administrator establish
the baseline of the policy. The baseline can be discussed among the organization's high-level personnel and the
policy can be set up. During this period operation is not disrupted. Afterwards the policy can be applied and
monitored at different levels.
In this paper, the analysis of the database firewall is done in different areas. The trade-off between
cost-efficiency and security always remains, but a database firewall as a first line of defence against data
manipulation attacks and data theft can prove to be the better option in the long run (Tbeileh 2011).
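
A simplified model of the two modes described above, added here as an illustration; it is not Oracle Database Firewall's implementation. The fingerprint function, the StatementPolicy class and the monitored statements are constructed for the example; the blocked statement is the UNION query from the Exploit section.

```python
import re

def fingerprint(sql):
    """Reduce a statement to its structure so only its shape is compared."""
    s = re.sub(r"'(?:[^']|'')*'", "?", sql)        # string literals -> ?
    s = re.sub(r"\b\d+(?:\.\d+)?\b", "?", s)        # numeric literals -> ?
    s = re.sub(r"\s+", " ", s).strip().upper()      # spacing and case
    return re.sub(r"\s*([=<>(),])\s*", r"\1", s)    # spacing around operators

class StatementPolicy:
    """Hypothetical policy object: learns in monitoring mode, blocks in enforcement."""
    def __init__(self):
        self.baseline = set()
        self.enforcing = False
        self.log = []          # (verdict, sql) for every statement seen

    def handle(self, sql):
        fp = fingerprint(sql)
        if not self.enforcing:
            # Monitoring: traffic is never disrupted. Everything observed is
            # added here; in practice the baseline is reviewed before use.
            self.baseline.add(fp)
            verdict = "pass"
        else:
            verdict = "pass" if fp in self.baseline else "block"
        self.log.append((verdict, sql))
        return verdict

def demo():
    policy = StatementPolicy()
    # Constructed application traffic seen during the monitoring period.
    for sql in ("SELECT deptno FROM dept WHERE deptno =10",
                "select deptno from dept where deptno = 20",
                "SELECT dname FROM dept WHERE deptno = 30"):
        policy.handle(sql)
    policy.enforcing = True
    normal = policy.handle("SELECT deptno FROM dept WHERE deptno = 40")
    # The manipulated statement from the Exploit section.
    union = policy.handle("SELECT deptno FROM dept WHERE deptno =10 UNION "
                          "SELECT username FROM dba_users WHERE username like '%'")
    return len(policy.baseline), normal, union

if __name__ == "__main__":
    print(demo())
```

The three monitored statements collapse to two structural fingerprints, so a new department number still passes in enforcement mode while the added UNION branch does not match the baseline.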

CONCLUSION AND FUTURE WORK


In this paper we study the weaknesses of other security measures in protecting sensitive information
effectively. Different approaches to protection using a traditional firewall or even a web application firewall
are not sufficient to successfully protect the information. We also investigate how an attacker can easily
bypass different types of security measures. The configuration and installation of the database firewall is
found to be troublesome; nevertheless, the Oracle Database Firewall is a great addition to the security of the
database (Baccam 2011). Future work can be done on a database cluster with the firewall management
console, and a comparison with other freely available database firewalls can be done. Other functionality of
the database firewall can also be tested and evaluated.

REFERENCES

Baccam, T. (2011). "SANS Institute Product Review: Oracle Database Firewall." Retrieved November 1, 2013,
from http://www.oracle.com/us/products/database/sansoracledbfirewall517965.pdf.

Bai, K. and L. Peng (2006). Towards Database Firewall: Mining the Damage Spreading Patterns. Computer
Security Applications Conference, 2006. ACSAC '06. 22nd Annual.

Bailey, M. L., et al. (1994). PathFinder: A Pattern Based Packet Classifier. OSDI, Citeseer.

Kost, S. (2007). An Introduction to SQL Injection Attacks for Oracle Developers.

Liang, C. and Y. Xiaohu (2005). A reference model and system architecture for database firewall. Systems, Man
and Cybernetics, 2005 IEEE International Conference on.

Razzaq, A., et al. (2009). Multi Layered Defense against Web Application Attacks. Information Technology:
New Generations, 2009. ITNG '09. Sixth International Conference on.

Tbeileh, K. (2011). "Oracle Database Firewall: First Line of Defense." Retrieved October 28, 2013, from
http://www.oracle.com/openworld/laden/sessionpresentations/database/13440enok1436892.pdf.
