SQL injection and credential misuse remain serious threats to database security. Oracle SQL Firewall offers a practical way to defend against these risks by allowing only approved SQL statements and trusted connection paths for each database user.
Instead of relying solely on application-level controls, SQL Firewall operates directly inside the database kernel. This makes it difficult to bypass and gives you fine-grained control over what each user can do.
How SQL Firewall Works
SQL Firewall uses an allow-list approach. You first let it observe normal activity for a user, then create a policy that defines exactly which SQL statements and connection details are permitted. Anything outside that policy triggers a violation that can be logged or blocked in real time.
It evaluates both the SQL statement itself and the context in which it runs, including the client IP address, operating system user, and program name. This helps protect against stolen credentials and unexpected access paths.
Key Benefits in Practice
- Inspects every SQL statement, including those generated inside PL/SQL
- Works whether connections are local or remote, encrypted or not
- Gives you the choice to log violations only or actively block them
- Applies per database user, making it easy to protect application accounts or individual users
- Integrates well with other Oracle security features like Database Vault and auditing
Setting Up SQL Firewall - A Practical Approach
Here is a straightforward way to implement SQL Firewall for an application service account.
Step 1: Enable SQL Firewall
EXEC DBMS_SQL_FIREWALL.ENABLE;
Step 2: Start Capturing Normal Activity
Begin recording what the target user typically does. This example captures activity for an application user named APP:
BEGIN
DBMS_SQL_FIREWALL.CREATE_CAPTURE(
username => 'APP',
top_level_only => TRUE,
start_capture => TRUE
);
END;
/
Let the application run normally for a sufficient period so the firewall learns the expected SQL patterns and connection details.
Step 3: Review What Was Captured
Check the captured data to confirm it covers the expected workload:
SELECT SQL_TEXT
FROM DBA_SQL_FIREWALL_CAPTURE_LOGS
WHERE USERNAME = 'APP';
Step 4: Generate the Allow-List Policy
Once you are satisfied with the captured data, create the policy:
EXEC DBMS_SQL_FIREWALL.GENERATE_ALLOW_LIST('APP');
You can review the allowed SQL statements and connection contexts using the DBA_SQL_FIREWALL_ALLOWED_* views.
Step 5: Enable Enforcement
Activate protection for the user. This example enforces allowed SQL statements and blocks violations:
BEGIN
DBMS_SQL_FIREWALL.ENABLE_ALLOW_LIST(
username => 'APP',
enforce => DBMS_SQL_FIREWALL.ENFORCE_SQL,
block => TRUE
);
END;
/
You can choose to enforce SQL statements, connection context, or both. You can also decide whether to block or only log violations.
Monitoring and Ongoing Management
Review violations regularly using this query:
SELECT SQL_TEXT, FIREWALL_ACTION, IP_ADDRESS, CAUSE, OCCURRED_AT
FROM DBA_SQL_FIREWALL_VIOLATIONS
WHERE USERNAME = 'APP'
ORDER BY OCCURRED_AT DESC;
Periodically clean up old violation records and consider exporting policies using Data Pump for backup or movement between environments.
Important Considerations
- SQL Firewall only captures statements that execute successfully
- It normalizes SQL by replacing literal values before storing signatures
- Connection context is checked at session creation time
- You can add new allowed entries later from either the capture log or violation log
- Existing sessions are not terminated when you first enable a policy
When to Use SQL Firewall
This feature works especially well for:
- Protecting application service accounts that run a known set of SQL statements
- Adding an extra layer of defense for sensitive users such as reporting accounts or DBAs
- Quickly restricting direct database access to known IP addresses or programs
- Detecting and responding to potential SQL injection attempts in real time
Final Thoughts
Oracle SQL Firewall provides a practical, database-native way to enforce least-privilege access at the SQL level. By combining allow-listing of both statements and connection contexts, it helps reduce the attack surface without requiring major changes to your applications.
Start with a focused rollout on your most critical application accounts, review the captured activity carefully, and gradually expand protection across your environment.