Protect Your Oracle Database from SQL Injection and Unauthorized Access with SQL Firewall


SQL injection and credential misuse remain serious threats to database security. Oracle SQL Firewall offers a practical way to defend against these risks by allowing only approved SQL statements and trusted connection paths for each database user.

Instead of relying solely on application-level controls, SQL Firewall operates directly inside the database kernel. This makes it difficult to bypass and gives you fine-grained control over what each user can do.

How SQL Firewall Works

SQL Firewall uses an allow-list approach. You first let it observe normal activity for a user, then create a policy that defines exactly which SQL statements and connection details are permitted. Anything outside that policy triggers a violation that can be logged or blocked in real time.

It evaluates both the SQL statement itself and the context in which it runs, including the client IP address, operating system user, and program name. This helps protect against stolen credentials and unexpected access paths.

Key Benefits in Practice

  • Inspects every SQL statement, including those generated inside PL/SQL
  • Works whether connections are local or remote, encrypted or not
  • Gives you the choice to log violations only or actively block them
  • Applies per database user, making it easy to protect application accounts or individual users
  • Integrates well with other Oracle security features like Database Vault and auditing

Setting Up SQL Firewall - A Practical Approach

Here is a straightforward way to implement SQL Firewall for an application service account.

Step 1: Enable SQL Firewall

EXEC DBMS_SQL_FIREWALL.ENABLE;

Step 2: Start Capturing Normal Activity

Begin recording what the target user typically does. This example captures activity for an application user named APP:

BEGIN
  DBMS_SQL_FIREWALL.CREATE_CAPTURE(
    username       => 'APP',
    top_level_only => TRUE,
    start_capture  => TRUE
  );
END;
/

Let the application run normally for a sufficient period so the firewall learns the expected SQL patterns and connection details.

Step 3: Review What Was Captured

Check the captured data to confirm it covers the expected workload:

SELECT SQL_TEXT 
FROM DBA_SQL_FIREWALL_CAPTURE_LOGS 
WHERE USERNAME = 'APP';

Step 4: Generate the Allow-List Policy

Once you are satisfied with the captured data, create the policy:

EXEC DBMS_SQL_FIREWALL.GENERATE_ALLOW_LIST('APP');

You can review the allowed SQL statements and connection contexts using the DBA_SQL_FIREWALL_ALLOWED_* views.

Step 5: Enable Enforcement

Activate protection for the user. This example enforces allowed SQL statements and blocks violations:

BEGIN
  DBMS_SQL_FIREWALL.ENABLE_ALLOW_LIST(
    username => 'APP',
    enforce  => DBMS_SQL_FIREWALL.ENFORCE_SQL,
    block    => TRUE
  );
END;
/

You can choose to enforce SQL statements, connection context, or both. You can also decide whether to block or only log violations.

Monitoring and Ongoing Management

Review violations regularly using this query:

SELECT SQL_TEXT, FIREWALL_ACTION, IP_ADDRESS, CAUSE, OCCURRED_AT
FROM DBA_SQL_FIREWALL_VIOLATIONS 
WHERE USERNAME = 'APP'
ORDER BY OCCURRED_AT DESC;

Periodically clean up old violation records and consider exporting policies using Data Pump for backup or movement between environments.

Important Considerations

  • SQL Firewall only captures statements that execute successfully
  • It normalizes SQL by replacing literal values before storing signatures
  • Connection context is checked at session creation time
  • You can add new allowed entries later from either the capture log or violation log
  • Existing sessions are not terminated when you first enable a policy

When to Use SQL Firewall

This feature works especially well for:

  • Protecting application service accounts that run a known set of SQL statements
  • Adding an extra layer of defense for sensitive users such as reporting accounts or DBAs
  • Quickly restricting direct database access to known IP addresses or programs
  • Detecting and responding to potential SQL injection attempts in real time

Final Thoughts

Oracle SQL Firewall provides a practical, database-native way to enforce least-privilege access at the SQL level. By combining allow-listing of both statements and connection contexts, it helps reduce the attack surface without requiring major changes to your applications.

Start with a focused rollout on your most critical application accounts, review the captured activity carefully, and gradually expand protection across your environment.

Post a Comment

Previous Post Next Post