Showing posts with the label Oracle Database Firewall.

Tuesday, May 28, 2019

How to block a Session from a specific IP in Oracle Database Firewall


Environment:

  • 1 Audit Vault Server
  • 1 Database Firewall (Configured as Proxy in 192.168.56.11:5557)
  • 1 Oracle Database  (Listener: 192.168.56.30:1521/orcl)
  • 1 Oracle Client (192.168.56.30)

With Oracle Database Firewall I will create an "Exception" that uses an "IP Address Set" to block any session opened from the Oracle Client with IP 192.168.56.30.


First, checking that we can still connect from the machine with IP 192.168.56.30 (through the firewall proxy at 192.168.56.11:5557):



[oracle@db12c ~]$ sqlplus dgomez/dgomez@192.168.56.11:5557/orcl

SQL*Plus: Release 12.1.0.2.0 Production on Wed Jun 12 04:56:32 2019

Copyright (c) 1982, 2014, Oracle.  All rights reserved.

Last Successful login time: Wed Jun 12 2019 04:56:28 -06:00

Connected to:
Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production
With the Partitioning, OLAP, Advanced Analytics, Real Application Testing
and Unified Auditing options

SQL> select * from dgomez.allowed;

COL1
--------------------
DEIBY

SQL>


Login into Oracle Audit Vault Server Web Console:



Click in "Policy" and then "Create Policy":



Select Database Type, Policy Name, and Description. The Database Type should match the database we are monitoring with Oracle Database Firewall; in my case, of course, Oracle Database.



You will see all the sections that can be filled in to block or allow operations against the database; this can be customized as much as we want. Click in "IP Address Sets" under "Policy Controls":




Click in "Create New Set":



Type the name of the new set and the IP address that the "Exception" will match on. In this case, that is the IP we want to block.


Verify that the IP Address Set was added correctly:


Now go back to the "Policy Overview" page by clicking in its title:


Click in "Add Exception" under "Exception Rules":



Type the name of the Exception Rule. In the "Profile Sets" section select "include" for "IP Address Set" and choose the IP Address Set created before, in my case "IP Address set 1".
In the "Policy Controls" section select "Block" for "Action"; any value can be chosen for "Logging Level" and "Threat Severity".



Click in "Save" button.


Verify that the Exception rule was created successfully:



Go back to the "Policy Overview" page by clicking in its title:


Click in "Save":



Click in "Publish":


Verify that the new Policy was created successfully:



Now it's time to tell the Database Firewall which policy it should use for our database.
Click in "Secured Targets"; the Oracle Database will be listed there, select it. In my case the Secured Target is "db12c". If you don't know how to create a "Secured Target", check my previous article [How to configure Oracle Database Firewall as Proxy in DPE Mode].



Expand the section "Firewall Policy":


Select the Policy that was created before in this article, in my case "Policy1":



Verify that Secured Target is using the correct Policy:



Now it's time to test the configuration.

From the Oracle Client (192.168.56.30) I will try to connect to the Database through the Oracle Database Firewall which is configured as Proxy.

Check the IP of Oracle Client:

[oracle@db12c ~]$ ifconfig|egrep -A1 enp0
enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.56.30  netmask 255.255.255.0  broadcast 192.168.56.255


Opening a new Session:

[oracle@db12c ~]$ sqlplus dgomez/dgomez@192.168.56.11:5557/orcl

SQL*Plus: Release 12.1.0.2.0 Production on Wed Jun 12 04:59:40 2019

Copyright (c) 1982, 2014, Oracle.  All rights reserved.


<< The session just hangs here indefinitely >>




If a session was already open at the time we set the policy for this database, that session will no longer be able to perform any operation, as you can see below: every new statement fails with ORA-00900:

SQL> select * from dgomez.allowed;
select * from dgomez.allowed
*
ERROR at line 1:
ORA-00900: invalid SQL statement



SQL>


Additionally, I noticed that if we enter text in the "Substitution" field of the "Exception Rule", a different error is received when a new session is created.

Using "Tests 1" in the "Substitution" field:


Error received when "Substitution" is specified:

[oracle@db12c ~]$ sqlplus dgomez/dgomez@192.168.56.11:5557/orcl

SQL*Plus: Release 12.1.0.2.0 Production on Wed Jun 12 05:13:20 2019

Copyright (c) 1982, 2014, Oracle.  All rights reserved.

ERROR:
ORA-00900: invalid SQL statement

ERROR:
ORA-00900: invalid SQL statement

Error accessing PRODUCT_USER_PROFILE
Warning:  Product user profile information not loaded!
You may need to run PUPBLD.SQL as SYSTEM
ERROR:
ORA-00900: invalid SQL statement

Error accessing package DBMS_APPLICATION_INFO

SP2-0575: Use of Oracle SQL feature not in SQL92 Entry Level.




How to register an Oracle Database Firewall in Oracle Database Audit Vault

Version of Oracle Database Firewall: 12.2.0.10.0
Version of Oracle Audit Vault: 12.2.0.10.0


Registering the Oracle Audit Vault Server in the new Oracle Database Firewall

Login to Oracle Audit Vault Server
Click in “Settings” menu
Click in “Server Certificate”
Copy the Certificate



Login into Oracle Database Firewall
Click in “System”
Click in “Audit Vault Server”
Enter the IP of the Audit Vault Server
Enter the Certificate that was copied from Audit Vault Server

Click in “Apply” button







Registering the new Oracle Database Firewall in the Oracle Audit Vault Server


Login into Oracle Audit Vault Server



Click in “Database Firewalls” menu, then “Database Firewalls” and click in “Register” Button



Enter the name of the new Oracle Database Firewall and its IP. Click in “Save” Button



Verify that the Secondary Oracle Database Firewall was added successfully



How to configure Oracle Database Firewall as Proxy in DPE mode

The version of Oracle Database Firewall for this article is: 12.2.0.10.0

IP of Oracle Database Firewall: 192.168.56.11
Port of Oracle Database Firewall: 5557

IP of the Database Server: 192.168.56.30
Port of the Database: 1521 (Default)


Registering Oracle Audit Vault Server in Oracle Database Firewall:

First step is to configure Oracle Audit Vault Server to work with Oracle Database Firewall. To do so we have to register Oracle Audit Vault Server's certificate in Oracle Database Firewall.

Login into Oracle Audit Vault Server web console:



Click in "Settings"-> "Security" menu -> "Server Certificate":

Copy the server's certificate:



Login in to the Oracle Database Firewall console.
Click in "System" menu -> "Audit Vault Server".
In "Audit Vault Server 1 IP Address" field, enter the IP Address of the Audit Vault Server.
Paste the Audit Vault Server's certificate in the "Audit Vault Server 1 Certificate"




Registering Oracle Database Firewall in Oracle Audit Vault Server

Login in to Oracle Audit Vault Server web console.
Click in "Database Firewalls" -> "Settings"


Verify the Database Firewall was registered successfully:



Configuring Network Interfaces for Proxy in Oracle Database Firewall

Login in to Oracle Database Firewall web console.
Click in "System"-> "Network Configuration"
Click in "Change" button


This Oracle Database Firewall has 3 network interfaces connected. The first one is used for "Management"; the other two are not in use, which is why we see two unallocated network interfaces.

Under "Unallocated Network Interfaces" click in "Device"
For the first interface select "Traffic Proxy" and Click in "Add" Button.


Configuring the Proxy network interface:

Input a correct IP Address (a default one is generated randomly)
Check "Enabled" Under "Proxy 0"
Specify a port for the new Proxy and check "Enabled"
Click in "Add" button under "Traffic Proxies" -> "Proxy 0" -> "Proxy Ports"
Click in "Save" Button



Creating a Secured Target in Oracle Audit Vault Server

Login in to Oracle Audit Vault Server
Click in "Secured Targets" -> "Targets" -> "Register" Button
Enter the basic information for the Secured Target



Fill in only the section "Add Secured Target Addresses (For Firewall)" and leave the other sections ("Secured Target Location (For Auditing)" and "Collection Attributes") empty.


Click in "Add" Button under "Add Secured Target Address (For Firewall)" Section



Confirm the Secured Target was created:




Configuring Enforcement Point in Oracle Audit Vault Server

Login in to Oracle Audit Vault Server
Click in "Secured Targets" -> "Enforcement Points" and then click in "Create" Button.
Fill in all the required information.

  • Specify a name for the Enforcement Point.
  • Select "Database Policy Enforcement (DPE)"
  • Select the Secured Target that was created before, in this case "db12".
  • Select the Firewall that was registered before, in this case "dbfirewall".
  • Select the Proxy Interface that was created before, in this case "Proxy 0:5557"
Click in "Save" Button.


Confirm the Enforcement Point was created successfully:




The Enforcement Point appears to be "Up", but for some reason connections using the IP and port of Oracle Database Firewall were failing, as you can see below:

[oracle@db12c ~]$ sqlplus dgomez/dgomez@192.168.56.11:5557/orcl

SQL*Plus: Release 12.1.0.2.0 Production on Fri Jun 7 09:50:39 2019

Copyright (c) 1982, 2014, Oracle.  All rights reserved.

ERROR:

ORA-12543: TNS:destination host unreachable

To fix it, I had to "start" the Enforcement Point manually, even though its state was "Up". After manually starting the Enforcement Point, I was able to create sessions through the Oracle Database Firewall configured as Proxy:


[oracle@db12c ~]$ sqlplus dgomez/dgomez@192.168.56.11:5557/orcl

SQL*Plus: Release 12.1.0.2.0 Production on Fri Jun 7 09:55:10 2019

Copyright (c) 1982, 2014, Oracle.  All rights reserved.

Last Successful login time: Fri Jun 07 2019 09:54:59 -06:00

Connected to:
Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production
With the Partitioning, OLAP, Advanced Analytics, Real Application Testing
and Unified Auditing options

SQL> show user
USER is "DGOMEZ"

SQL>
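The four outcomes seen across these posts (a normal connection, ORA-12543 from an Enforcement Point that shows "Up" but was never started, a connection that hangs under a "Block" exception without "Substitution", and ORA-00900 when the exception carries a "Substitution" text or the policy hits an already-open session) are easy to confuse when checking a policy by hand. The script below is an added example, not code from the original posts or from Oracle: it probes a Secured Target through the firewall proxy under a timeout and turns whatever sqlplus returns into a one-word verdict that a monitoring job can compare against the expected state. It assumes sqlplus and GNU coreutils `timeout` on the client; the connect string, credentials and the 15-second limit are placeholders, and the sample outputs are constructed (abridged from the transcripts above).

```shell
#!/bin/sh
# Added example (not from the original posts): probe a Secured Target through
# the Database Firewall proxy and classify what the policy did to the session.
# Assumptions: sqlplus and GNU coreutils `timeout` are installed on the client;
# connect string, credentials and the 15-second limit are placeholders.

PROBE_TIMEOUT="${PROBE_TIMEOUT:-15}"

# classify_sqlplus_output EXIT_STATUS OUTPUT
# EXIT_STATUS is the status of `timeout ... sqlplus` (124 = killed on timeout).
classify_sqlplus_output() {
  status="$1"
  output="$2"
  if [ "$status" -eq 124 ]; then
    echo BLOCKED_HANG        # Block without Substitution: the connect never completes
  elif printf '%s\n' "$output" | grep -q 'ORA-12543'; then
    echo TNS_UNREACHABLE     # proxy port not answering: start the Enforcement Point
  elif printf '%s\n' "$output" | grep -q 'ORA-00900'; then
    echo BLOCKED_ORA00900    # statement rejected by the firewall (Substitution / live session)
  elif printf '%s\n' "$output" | grep -q 'PROBE_OK'; then
    echo CONNECTED           # policy is not blocking this client IP
  else
    echo UNKNOWN
  fi
}

# probe_dbfw CONNECT_STRING    e.g. dgomez/dgomez@192.168.56.11:5557/orcl
# -S keeps the banner out of the output, -L gives up after one logon attempt,
# and the heading/feedback settings leave only the probe row to match on.
probe_dbfw() {
  connect="$1"
  output=$(timeout "$PROBE_TIMEOUT" sqlplus -S -L "$connect" <<'SQL' 2>&1
set heading off feedback off
select 'PROBE_OK' from dual;
exit
SQL
  )
  status=$?
  classify_sqlplus_output "$status" "$output"
}

# Constructed samples, abridged from the sqlplus transcripts in these posts.
SAMPLE_UNREACHABLE='ERROR:
ORA-12543: TNS:destination host unreachable'
SAMPLE_ORA00900='ERROR:
ORA-00900: invalid SQL statement
Error accessing PRODUCT_USER_PROFILE'
SAMPLE_OK='PROBE_OK'

# self_check: returns 0 when every sample maps to the expected verdict.
self_check() {
  [ "$(classify_sqlplus_output 124 '')" = BLOCKED_HANG ] &&
  [ "$(classify_sqlplus_output 1 "$SAMPLE_UNREACHABLE")" = TNS_UNREACHABLE ] &&
  [ "$(classify_sqlplus_output 0 "$SAMPLE_ORA00900")" = BLOCKED_ORA00900 ] &&
  [ "$(classify_sqlplus_output 0 "$SAMPLE_OK")" = CONNECTED ] &&
  [ "$(classify_sqlplus_output 0 'something else')" = UNKNOWN ]
}

# A live probe runs only when a connect string is supplied, so the file can
# also be sourced just for the helpers:
#   DBFW_PROBE_CONNECT='dgomez/dgomez@192.168.56.11:5557/orcl' sh probe.sh
if [ -n "${DBFW_PROBE_CONNECT:-}" ]; then
  echo "$DBFW_PROBE_CONNECT -> $(probe_dbfw "$DBFW_PROBE_CONNECT")"
fi
```

Run the probe once from a client that is in the blocked IP Address Set and once from one that is not: the first should report BLOCKED_HANG (or BLOCKED_ORA00900 if the exception has a "Substitution"), the second CONNECTED. A TNS_UNREACHABLE verdict points at the Enforcement Point, not at the policy, which is exactly the case described in the DPE proxy article above.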

How to install Oracle Database Firewall 12c

Version of Oracle Database Firewall to install: 12.2.0.10.0

Insert the Oracle Database Firewall ISO disk into the machine:

Select "Install (wipes system)":



The Installation will start:








The installation will ask for the Installation Passphrase. Save this passphrase because it will be needed later; if you lose it you will have to re-install from scratch.





Select the network interface to use for management:




Enter the IP for the selected Network Interface:



The server will reboot automatically:


The installation will continue automatically:



When the installation is completed you will see the following screen:



Then you will be able to access the Oracle Database Firewall web console using the Installation Passphrase:


In the first Login you will be asked to enter the users and passwords for the administrator user, and the OS users root and support.


Your session will be disconnected and you will have to connect again using the Administrator that was created before:


After that you will be able to access the Oracle Database Firewall web console:






Oracle ACE Director Award - Deiby Gómez

Thanks #OracleACE Program for this awesome certificate recognizing the work I have done in the community for the last year. Looking forwa...