Oracle puts firewall around databases

Oracle has introduced a database-specific firewall that protects against external and internal database attacks, including SQL injections.

"Oracle Database Firewall offers organisations a first line of defence that can stop internal and external attacks from reaching databases," Vipin Samar, Oracle's vice president of database security, said in an announcement at RSA on Monday. "Evolving threats to databases requires enterprises to look at new security solutions."

The product aims to safeguard Oracle's 11g database and its previous versions, along with versions 9.x of IBM DB2 for Linux, Unix and Windows; Microsoft SQL Server 2000, 2005 and 2008; Sybase Adaptive Server Enterprise (ASE) versions 12.5.5 to 15; and Sybase SQL Anywhere V10.

The product uses whitelisting and blacklisting to pass, log, alert, block or substitute SQL statements. Security policies can be set using attributes such as the time of day, IP address, application, user and SQL category.

It can be used as an in-line network product for both blocking and monitoring of statements, or out-of-band for monitoring only.

The product "does not require any changes to existing applications, the database infrastructure or the existing operating system of the target database", Oracle said.