Oracle Database Firewall To Replace DAM? Not So Fast, Competitors Say

AppSec, Guardium disagree with Oracles assertion that database firewalls can act as a DAM substitute

SAN FRANCISCO, CA -- RSA Conference 2011 -- Oracle stirred the database security pot this week with the release of a new database firewall product and a partnership with F5 for Web application security, which together it claims will supersede the database activity monitoring (DAM) market. The assertion sparked controversy among competitors who say gaps in the database firewalls auditing capabilities and Oracles vested interest in its own database platform will limit its play as a one-stop shop for database security.
Mondays release of Oracle Database Firewall is the culmination of the companys acquisition of database security vendor Secerno last year. The product creates a defensive perimeter around databases by looking at SQL statements sent to the database through the wire to determine whether to pass, log, alert, block, or substitute SQL statements based on an organizations policies. Users can set whitelist or blacklist policies to control the product, which is designed to work not only with Oracle databases, but also other major platforms, such as DB2, SQL Server and Sybase platforms.
According to Oracle executives, the company hopes to compete directly with DAM products offered by firms such as IBM, AppSec, and Imperva.
This actually does provide database activity monitoring itself because it sees all of the traffic that is going through the wire, says Vipin Samar, vice president of database security for Oracle, who notes Oracle Database Firewall integrates with ArcSight security information and event management systems. So it can itself report on whats happening.
Roxana Brodescu, director of product marketing for Oracle, says that database firewalls arent seen necessarily as a replacement for DAM, but rather as an alternative because most companies have yet to implement DAM.
The question is if youre going to deploy something, why deploy database activity monitoring when you can deploy database firewall? she says. Its not so much about [being] easier [to deploy], its about [being] better, and its about accuracy and security.
Unsurprisingly, competitors took issue with Oracles claims, some more colorfully than others.
Most companies arent built on Oracle architectures alone, [so] this solution will prove extremely insufficient for most organizations that will also need support for other vendor technologies, says Rob Rachwald, director of security strategy at Imperva. When Oracles boast of unbreakable databases backfired, they purchased the weakest database security vendor -- Secerno -- on the market to fill the gap. Two chihuahuas dont make a pit bull. And in todays threat-filled environment, enterprises need a pit bull.
In conjunction with the database firewall release, Oracle also unveiled a partnership with F5 to seamlessly integrate F5s Web application firewall (WAF) capabilities with Oracle Database Firewall -- a relationship that takes aim at Imperva in particular. Imperva has long touted its integrated WAF and DAM products. But while the partnership might seem good on paper, Rachwald questions the security chops of both companies.
F5 is a networking company, and Oracle is a database vendor, he says. Neither company is a true security firm, so understanding abuse cases coming from hackers and insiders takes a back seat to the needs of the DBA.
Perhaps the most controversial part of Oracles announcement this week, however, is its assertion that database firewalls can act as a DAM substitute. Competitors contend that Oracles new product lacks some big capabilities to do so.
Database firewall is a subdiscipline of DAM, not a potential replacement. Database firewalls can provide external access controls, allowing the system to block specific queries from running against the database. However, the biggest value businesses are getting from DAM solutions today is a reliable, reviewable audit trail of the activities of privileged users -- which is not a capability of the database firewall, says Josh Shaul, vice president of product management at AppSec. Privileged users generally can login to the database server OS directly and make local connections to the database from there. This common access method completely bypasses the database firewall, allowing the local user unfettered and unaudited access to the data and system.
Phil Neray, VP of data security strategy for IBM InfoSphere Guardium, agrees that the database firewalls lack of visibility into privileged access is a critical gap.
[The] announcement from Oracle doesnt address a key limitation of the Oracle Database Firewall, which is its inability to block unauthorized access by privileged users that connect directly to the database via local connections such as SSH rather than over the network, Neray says. This is a key compliance requirement -- for example, to block unauthorized access by outsourced DBAs for SOX and PCI -- as well as a key security requirement, for example, to prevent hackers with stolen privileged credentials from accessing sensitive data.
Guardium was itself purchased by another database platform developer, IBM, in 2009, so Neray understands Oracles drive to establish itself as a major player in the database security market. But he wonders about the companys commitment to servicing customers with heterogeneous environments.
Its logical to buy database security products from database vendors, but only if theyre firmly committed to heterogeneous DBMS support, Neray says. Oracles support for non-Oracle platforms is spotty at best, with some products, such as Oracle Database Vault, only supporting Oracles proprietary platforms, while other products, like the Oracle Database Firewall and Oracle Audit Vault, dont even support other DBMS platforms, such as Teradata, Netezza, PostreSQL, and DB2 for z/OS. In addition, Oracle Audit Vault doesnt support older Oracle platforms, such as 8i.
The third-party vendors in the space go a step further, wondering whether any database vendor is the best source for effective cross-platform security and monitoring solutions when they have such an interest in seeing to the success of their in-house database management systems.
Very few enterprise organizations have standardized on a single database vendor. Virtually all organizations have heterogeneous database environments and require support for a range of DBMS platforms, says Thom VanHorn, vice president of global marketing for AppSec. As such, a customer is best served by a third-party vendor that does not have a vested interest in one specific platform. History has shown us that when it comes to vulnerability assessment and database security, the major DBMS vendors have lagged far behind the more agile third-party database security, risk, and compliance solutions.
Have a comment on this story? Please click Discuss below. If youd like to contact
Dark Readings
editors directly,
send us a message
.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Oracle Database Firewall To Replace DAM? Not So Fast, Competitors Say