Detecting attacks is good; being able to do something about them is better. F5 and Oracle take their collaborative relationship even further into the data center, integrating web application and database firewall solutions to improve protection against web and database-focused attacks.
It is often the case that organizations heavily invested in security solutions designed to protect critical application infrastructure, such as the database, are unwilling to replace those solutions in favor of yet another solution. This is not necessarily a matter of functionality or trust, but a decision based on reliance on existing auditing and management solutions that are a part of the existing deployment. More information is good, but not if it simply becomes an entry in a log somewhere that is disconnected and not integrated into existing operational security processes.
Organizations already heavily invested in Oracle technologies are likely to consider deploying the Oracle Database Firewall to protect their critical business information residing in their Oracle database. As enterprise customers deploy more web-based database applications, IT continues to face the challenge of securing both application and database environments from threats such as SQL injection and cross-site scripting attacks. By using F5 and Oracle solutions together, customers can now benefit from enhanced protection for web-based database applications without unnecessarily increasing the auditing burden imposed by additional logging.
“70% of the top 100 most popular Web sites either hosted malicious content or contained a masked redirect to lure unsuspecting victims from legitimate sites to malicious sites.” (Websense, 2009)
This collaborative solution pairs F5 BIG-IP® Application Security Manager™ (ASM™) and Oracle Database Firewall to provide comprehensive database security from the application layer down to the database. Oracle Database Firewall monitors traffic between applications and the database to detect and prevent SQL injection, privilege or role escalation attacks, and others. Because its target is the database, it uses an innovative SQL grammar analysis approach that is highly accurate and scalable. Unlike web application firewalls, it analyzes the intent of the SQL statements sent to the database. It is not dependent on recognizing the syntax of known security threats, and can therefore block previously unseen attacks, including those targeted against an organization. ASM, on the other hand, focuses on the detection and prevention of attacks at the application layer – including SQL injection – and through integration with Oracle Database Firewall ASM can notify the database firewall of the incoming threat. Such notification includes the context of the request – including user identity, session, IP address and time – that is subsequently logged and acted upon according to Oracle Database Firewall policies, enabling a more comprehensive report of attacks.
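The idea of judging a statement by its structure rather than by known attack strings can be sketched as follows. This is an added example, not code from the article, and it is not Oracle Database Firewall's implementation: it is a simplified allow-list of statement shapes, and the table, column and function names and all sample statements are constructed for illustration.

```python
import re

# Tokens: quoted string, number, keyword/identifier, comment marker, other symbol.
TOKEN = re.compile(r"""
    '(?:[^']|'')*'      # string literal; a doubled quote is an escaped quote
  | \d+(?:\.\d+)?       # numeric literal
  | [A-Za-z_][\w$]*     # keyword or identifier
  | --|/\*|\*/          # comment markers
  | [^\s\w]             # any other single symbol
""", re.X)

def shape(sql):
    """Reduce a statement to its structure: literals become '?', case is folded."""
    out = []
    for tok in TOKEN.findall(sql):
        is_string = tok.startswith("'") and len(tok) > 1  # a lone quote is not a literal
        out.append("?" if is_string or tok[0].isdigit() else tok.upper())
    return " ".join(out)

def learn(statements):
    """Build the allow-list from statements seen during a trusted baseline period."""
    return {shape(s) for s in statements}

def decide(sql, allowed):
    """Pass statements whose shape was learned; block everything else."""
    return "pass" if shape(sql) in allowed else "block"

def app_query(user_input):
    # Deliberately vulnerable concatenation, standing in for the web application.
    return "SELECT name FROM users WHERE id = '" + user_input + "'"

# Constructed baseline traffic (hypothetical schema).
BASELINE = [
    app_query("7"),
    app_query("1003"),
    "UPDATE users SET last_seen = 1700000000 WHERE id = '7'",
]
ALLOWED = learn(BASELINE)

if __name__ == "__main__":
    # Constructed inputs: two ordinary values, two that alter the statement.
    for value in ["42", "9981", "x' OR '1'='1",
                  "x' UNION SELECT password FROM users --"]:
        sql = app_query(value)
        print(f"{decide(sql, ALLOWED):5}  {shape(sql)}")
```

Ordinary values collapse to the single learned shape no matter which literal they carry, while any input that changes the statement's structure yields a shape that was never learned and is blocked without an attack signature.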
Because this integration allows operators and administrators to correlate attacks with users, it makes it easier to identify attacks originating from inside the organization – such as from compromised desktops or servers – and that information can then be used to eradicate potential internal attack vectors such as the bots and other trojans that have been proliferating of late throughout the enterprise. That’s important, because a study conducted last year by Microsoft found that over 2.2 million PCs in the U.S. were part of botnets, and that the U.S. is the “number one country consumed with botnet PCs.” With so many potential avenues of attack both internal and external to the organization, there simply is no such thing as too much protection.