Oracle has recently released a new product named Oracle Database Firewall. Essentially the concept is the same: to monitor and possibly block unwanted connections to the database (rather than to the OS). However, it does not block connections, because it does not work at the network level; what it does is block invalid SQL statements. So what is the definition of invalid SQL, considering that syntax errors are already detected by the DBMS?
Here, invalid SQL does not mean SQL that produces wrong results; it means SQL that is suspected of having been created through SQL injection techniques. SQL injections are pretty common and, in most cases if not all, unavoidable. There are techniques to prevent code from inadvertently executing injected statements, but one way or another they all fail to protect the data fully. But now you have a database firewall. And the best thing about it is that it works not only with Oracle Database but also with SQL Server, Sybase, IBM's DB2, etc.
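To make "suspected SQL" concrete, here is an added sketch (not Oracle's code, and not a description of how the product decides) of one way a statement-level filter can work: learn the shapes of the statements an application normally sends, then block any statement whose shape was never seen. The learn-then-compare approach, the function names and the sample statements are all assumptions made for illustration.

```python
import re

# Literals carry user data; everything else is the statement's structure.
STRING_LITERAL = re.compile(r"'(?:[^']|'')*'")      # also handles '' escapes
NUMBER_LITERAL = re.compile(r"\b\d+(?:\.\d+)?\b")

def normalize(sql):
    """Reduce a statement to its shape: literals become '?', case and spacing ignored."""
    shape = STRING_LITERAL.sub("?", sql)
    shape = NUMBER_LITERAL.sub("?", shape)
    return re.sub(r"\s+", " ", shape).strip().lower()

def learn(baseline):
    """Build the allowlist of shapes from statements captured during normal use."""
    return {normalize(stmt) for stmt in baseline}

def verdict(sql, allowed):
    """'pass' if the statement's shape is known, otherwise 'block'."""
    return "pass" if normalize(sql) in allowed else "block"

# Constructed sample data: what the application sends when used as intended.
BASELINE = [
    "SELECT name FROM users WHERE id = 42",
    "SELECT * FROM accounts WHERE owner = 'alice'",
]

# Constructed sample data: statements as they would arrive at the database.
TRAFFIC = [
    "select name from users where id = 7",                # same shape, new value
    "SELECT * FROM accounts WHERE owner = 'O''Brien'",    # escaped quote, same shape
    "SELECT name FROM users WHERE id = 7 OR 1=1",         # extra predicate
    "SELECT * FROM accounts WHERE owner = '' OR 'a'='a'", # extra predicate
]

def demo():
    allowed = learn(BASELINE)
    return [verdict(stmt, allowed) for stmt in TRAFFIC]

if __name__ == "__main__":
    for stmt, result in zip(TRAFFIC, demo()):
        print(f"{result:5}  {stmt}")
```

The injected statements are syntactically valid, so the DBMS would run them; they are blocked only because their structure differs from anything in the baseline.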
For more information, you can listen to this podcast from the Director of Security at Oracle Corp.