Strengthening Database Security with SQL Firewall in Oracle 26ai
SQL Firewall in Oracle 26ai: a hands-on, step-by-step walkthrough for DBAs
Why SQL Firewall Matters
▸ Robust mitigation of SQL injection attacks
▸ Zero-trust session context verification
▸ Bypass-proof, kernel-level inspection
▸ Seamless “capture and enforce” lifecycle
▸ Native integration and scalability
The 4-Phase Implementation Flow
1️⃣ Enable SQL Firewall → 2️⃣ Capture Phase → 3️⃣ Generate Allow-List → 4️⃣ Enforce Phase
STEP 1 Enable the Global SQL Firewall
Turn on SQL Firewall at the database level before any capture or enforcement can begin.
SQL Firewall enabled successfully at the global level.
STEP 2 Enable Capture
Start a capture session for a target user (schema) to record real, in-flight SQL activity. Setting top_level_only to FALSE also records SQL issued from inside PL/SQL units, not just top-level statements:
BEGIN
  DBMS_SQL_FIREWALL.CREATE_CAPTURE(
    username       => 'TEST',
    top_level_only => FALSE,
    start_capture  => TRUE
  );
END;
/
✅ PL/SQL procedure successfully completed.
Capture running — recording live SQL activity for the TEST user.
STEP 3 Stop Capture
Once enough representative traffic has been recorded, stop the capture:
EXEC DBMS_SQL_FIREWALL.STOP_CAPTURE('TEST');
Capture stopped for the TEST user.
STEP 4 Review the Generated Allow-List Policies
The captured SQL activity is translated into allow-list policies, viewable through:
▸ DBA_SQL_FIREWALL_ALLOWED_SQL
▸ DBA_SQL_FIREWALL_ALLOWED_IP_ADDR
▸ DBA_SQL_FIREWALL_ALLOWED_OS_USER
▸ DBA_SQL_FIREWALL_ALLOWED_OS_PROG
STEP 5 Enable the Missing OS Program
Only “sqlplus.exe” was captured as an allowed OS program, so the additional legitimate client program must be added to the allow-list explicitly before enforcement is switched on; otherwise its connections would be blocked along with the unauthorized ones.
Adding an allowed OS program to the policy.
STEP 6 Test with SQL Developer
With enforcement active, a connection attempt is made from SQL Developer — a client outside the original allow-list:
Connection attempt from SQL Developer under active enforcement.
STEP 7 Review Blocked Records
SQL Firewall correctly intercepts and logs the unauthorized attempt:
Blocked activity recorded by SQL Firewall.
Result: only recognized SQL, IPs, OS users, and programs are allowed to reach the database — everything else is captured and blocked. 🛡️
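The whole Step 1 to Step 7 flow as a single SQL*Plus script, added here as an example rather than the post's own commands. It uses the DBMS_SQL_FIREWALL procedures and DBA_SQL_FIREWALL_* views documented for Oracle Database 23ai and later; the name of the extra client program is a placeholder, and the account running the script is assumed to hold the SQL_FIREWALL_ADMIN role.

```sql
-- Added example, not the post's own script: capture -> allow-list -> enforce for TEST.
-- Assumes the SQL_FIREWALL_ADMIN role; 'your_client.exe' is a placeholder program name.

-- Step 1: turn SQL Firewall on for the whole database.
EXEC DBMS_SQL_FIREWALL.ENABLE;

-- Step 2: record live SQL for TEST, including statements issued from inside PL/SQL units.
BEGIN
  DBMS_SQL_FIREWALL.CREATE_CAPTURE(
    username       => 'TEST',
    top_level_only => FALSE,
    start_capture  => TRUE
  );
END;
/

-- Run the representative application workload here, then stop recording (Step 3).
EXEC DBMS_SQL_FIREWALL.STOP_CAPTURE('TEST');

-- Step 4: turn the capture log into an allow-list and review what it contains.
EXEC DBMS_SQL_FIREWALL.GENERATE_ALLOW_LIST('TEST');
SELECT sql_text   FROM DBA_SQL_FIREWALL_ALLOWED_SQL     WHERE username = 'TEST';
SELECT os_program FROM DBA_SQL_FIREWALL_ALLOWED_OS_PROG WHERE username = 'TEST';

-- Step 5: the capture only saw sqlplus.exe; add the other legitimate client by hand.
BEGIN
  DBMS_SQL_FIREWALL.ADD_ALLOWED_CONTEXT(
    username     => 'TEST',
    context_type => DBMS_SQL_FIREWALL.OS_PROGRAM,
    value        => 'your_client.exe'   -- placeholder, not from the post
  );
END;
/

-- Enforce: check both SQL and session context (IP, OS user, program) and block violations.
-- block => FALSE would only log violations, useful as a dry run before hard enforcement.
BEGIN
  DBMS_SQL_FIREWALL.ENABLE_ALLOW_LIST(
    username => 'TEST',
    enforce  => DBMS_SQL_FIREWALL.ENFORCE_ALL,
    block    => TRUE
  );
END;
/

-- Step 7: review what was blocked, e.g. the SQL Developer connection from Step 6.
SELECT occurred_at, client_program, ip_address, firewall_action, cause, sql_text
  FROM DBA_SQL_FIREWALL_VIOLATIONS
 WHERE username = 'TEST'
 ORDER BY occurred_at DESC;
```

Run the allow-list review queries before ENABLE_ALLOW_LIST and compare them with the application's real clients and hosts; anything legitimate that the capture window missed must be added with ADD_ALLOWED_CONTEXT first, or it will show up in DBA_SQL_FIREWALL_VIOLATIONS as an outage rather than a blocked attack.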