Thursday, January 2, 2014

Installing Oracle AVDF (Database Firewall) Server 12.1.1.1.0

Installing Oracle Audit Vault and Database Firewall (AVDF) 12.1.1.1.0 consists of installing Audit Vault first and then Database Firewall. The two components come on separate installation media. I have discussed the installation of Oracle Audit Vault in my previous post. This document deals with the installation of Oracle Database Firewall Server only.

Oracle Audit Vault and Database Firewall (Database Firewall) provides a first line of defense for databases and consolidates audit data from databases, operating systems, and directories. A highly accurate SQL grammar-based engine monitors and blocks unauthorized SQL traffic before it reaches the database. Database activity data from the network is combined with detailed audit data for easy compliance reporting and alerting. With Oracle Audit Vault and Database Firewall, auditing and monitoring controls can be easily tailored to meet enterprise security requirements.


The following top-level steps need to be performed to install Oracle Database Firewall Server 12.1.1.1.0:
A.      Media Download
B.      Prerequisites
C.      Installation
D.      Post Installation


A.      Download Media
1.       Download media from https://edelivery.oracle.com/.
·         Open a web browser.
·         Type https://edelivery.oracle.com/ in the address bar.
·         Press "<Enter>" key.
·         Click on "Sign In / Register" button.

Image AVDF-121110-DF-01.png


2.       Login to edelivery
The "Sign In / Register" button redirects to the login screen.
·         Provide login username and password.
·         Click on Sign in button to login.
Image AVDF-121110-DF-02.png

3.       Search Required Media
·         In Product pack select Oracle Database.
·         In Platform select Linux x86-64.
·         Select "Oracle Audit Vault and Database Firewall 12.1.1 Media Pack for Linux x86-64".
·         Click on "Go" button to search.

Image AVDF-121110-DF-03.png

4.       Download Media
·         Click on "Download" button next to "Oracle Audit Vault and Database Firewall (12.1.1.1.0) - Server" to download Audit Vault Server.
·         Click on "Download" button next to "Oracle Audit Vault and Database Firewall (12.1.1.1.0) - Database Firewall" to download Database Firewall. I will cover this in my next post.

Image AVDF-121110-DF-04.png

B.      Prerequisites
1.       Laptop/PC
·         Latest and fast processors
·         At least 8GB memory
·         Windows 64 bit
·         At least 50 GB free HDD (Hard Disk Drive)
·         VirtualBox pre-installed. VirtualBox can be downloaded from https://www.virtualbox.org/wiki/Downloads. This walkthrough was performed with VirtualBox release 4.3.4r91027.
·         The host machine must be able to reach the guest machine, because the host later has to access the web console of the Database Firewall server.
Host Machine:
IP Address       : 192.168.169.174
Subnet Mask  : 255.255.255.0
Gateway          : 192.168.169.1

Guest Machine (DF Server):
IP Address       : 192.168.169.22
Subnet Mask  : 255.255.255.0
Gateway          : 192.168.169.1


C.      Installation
1.       Set Default Machine Folder.
·         Open VirtualBox
·         Select File -> Preferences

Image AVDF-121110-DF-05.png

Enter "D:\VM\AVDF\12111" as Default Machine Folder. Once this is set, all VMs created from then on will be stored in this location.

Image AVDF-121110-DF-06.png

2.       Create new virtual machine for Database Firewall Server.
·         Click on "New" icon to create new virtual machine for Database Firewall Server.

Image AVDF-121110-DF-07.png


3.       Give a name for Oracle Database Firewall Server.
·         Select Type as "Linux"
·         Select Version as "Oracle (64 Bit)"
·         Click on "Next" button to continue.

Image AVDF-121110-DF-08.png

4.       Specify memory size for the Virtual Machine.
For testing purposes, 1.5 GB of memory should work.
·         Enter the required memory. Since I have 16 GB RAM in my laptop, I have allocated 3072 MB memory.
·         Click on "Next" button to continue.
Image AVDF-121110-DF-09.png



5.       Add Virtual Hard Disk Drive.
·         Select "Create a virtual hard drive now" option.
·         Click on "Create" button.
Image AVDF-121110-DF-10.png

6.       Select Hard Drive File Type
·         Select "VMDK (Virtual Machine Disk)".
·         Click on "Next" button to continue.

This file type allows the virtual disk to be split into files of less than 2 GB each. VirtualBox automatically creates as many files as needed for the hard drive size specified in the coming steps.

Image AVDF-121110-DF-11.png

7.       Storage on Physical Hard Drive
·         Select "Dynamically Allocated" option.
·         Select "Split into files of less than 2GB" check box. If this check box is selected, the single hard disk file is split into smaller files of less than 2 GB each. Smaller files are easier to transfer to external hard disk drives for testing purposes.
·         Click on "Next" button to continue.

Image AVDF-121110-DF-12.png


8.       Choose a location for Hard Disk file
·         Provide appropriate file name for the virtual hard disk file.
·         Choose appropriate location to store virtual hard disk file.
·         Click on "Save" button to save the virtual hard disk file.
Image AVDF-121110-DF-13.png


9.       File Location and Size.
·         Review the file location.
·         Enter "130 GB" as the size of file.
·         Click on "Create" button to create Virtual Hard Disk File.

Image AVDF-121110-DF-14.png

NOTE: If the size of the file is less than 80 GB, the installation will terminate as shown in the screenshot below.

Image AVDF-121110-DF-15.png


10.   Virtual Machine Details.
The screen below shows the details of the virtual machine just created. Review the details and modify them if necessary. Use the Settings icon to modify any settings.
Image AVDF-121110-DF-16.png

11.   Select Database Firewall Installation Media.
·         In the main screen of VirtualBox, select "Database Firewall" Virtual machine.
·         Click on "Settings" icon.
·         Click on "Storage"
·         Click on "Empty" CD icon.
·         Click on "CD icon" on the right side.
·         Click on "Choose a virtual CD/DVD disk file..."

Image AVDF-121110-DF-17.png


12.   Choose Virtual Optical Disk file.
·         Select Database Firewall ISO image file "V39779-01_DF.iso". Original filename was "V39779-01.iso".
·         Click on "Open" button to select the file.
Image AVDF-121110-DF-18.png


13.   Details of Installation media.
·         Review the details of Database Firewall Server installation media.

Image AVDF-121110-DF-19.png

14.   Set Network Adapter.
Installation of Oracle Database Firewall requires 3 network adapters.
Network Adapter 1:
·         Select Network on the left pane.
·         Select "Adapter 1" tab
·         Select Enable Network Adapter on the right pane.
·         Select Attached to as "Bridged Adapter".
·         Select Name as the available network adapter of your machine.

Image AVDF-121110-DF-20.png

Network Adapter 2:
·         Select Network on the left pane.
·         Select "Adapter 2" tab
·         Select Enable Network Adapter on the right pane.
·         Select Attached to as "Bridged Adapter".
·         Select Name as the available network adapter of your machine.
·         Select Promiscuous Mode as "Allow All".

Image AVDF-121110-DF-21.png

Network Adapter 3:
·         Select Network on the left pane.
·         Select "Adapter 3" tab
·         Select Enable Network Adapter on the right pane.
·         Select Attached to as "Internal Network".
·         Select Name as the available network adapter of your machine.
·         Select Promiscuous Mode as "Allow All".
·         Click on "OK" button.

Image AVDF-121110-DF-22.png

15.   Start installation of Oracle Database Firewall Server.
·         Select Database Firewall Virtual Machine on the left pane.
·         Review the details of Virtual Machine on the right pane.
·         Click on Start button  to start the installation.

Image AVDF-121110-DF-23.png

16.   Installation Main Screen
·         Type "install" and press "<Enter>" to continue.
Image AVDF-121110-DF-24.png



17.   Installation in Progress

Image AVDF-121110-DF-25.png



18.   Applying Configuration
·         Wait until the installer goes to next screen.

Image AVDF-121110-DF-26.png

19.   Enter Installation Passphrase
·         Enter a strong passphrase.
This passphrase will be used later to change other system passwords. It is recommended to note the password securely for future reference.

Image AVDF-121110-DF-27.png

NOTE: The passphrase should be 8 characters or more and contain an uppercase letter, a lowercase letter, a digit and a punctuation character. If this policy is violated, the following message is displayed.

Image AVDF-121110-DF-28.png


20.   Confirm Installation Passphrase
·         Re-enter the installation passphrase for confirmation.
·         Press "<Enter>" key to go to next screen.


Image AVDF-121110-DF-29.png


21.   Oracle Database Firewall Installation Successful.
Congratulations if you get a screen like the screenshot below. Installation of Database Firewall has now completed successfully.
·         Press "<Enter>" button to go to next screen.

Image AVDF-121110-DF-30.png

22.   Refreshing link state
Server will automatically refresh the link state and redirect to next screen.

Image AVDF-121110-DF-31.png


23.   Select Management Interface
·         Select one of the available interfaces as the Management Interface. This interface will be used to connect to the server through terminal clients such as ssh and PuTTY for maintenance operations.
·         Press "<Enter>" key to make the selection and go to next screen.

Image AVDF-121110-DF-32.png

24.   Select available ethernet device.
·         Make the selection as shown in the screenshot below.
·         Press "<Enter>" key to go to next screen.

Image AVDF-121110-DF-33.png

25.   Specify IP address
·         Enter IP address, subnet mask and gateway for the management interface.
·         Press "<Enter>" key to complete the installation and reboot the server.

Image AVDF-121110-DF-34.png


26.   First Reboot
The first reboot of the server could take up to an hour depending upon the configuration of the machine that is being used. There is nothing much to do here other than wait until the installation completes.
Image AVDF-121110-DF-35.png


27.   Database Firewall Server Installation Complete
Screenshot below shows the final screen after the installation of Oracle Database Firewall server is completed. Use Up/Down arrow keys and press "<Enter>" key to make appropriate selection.

Image AVDF-121110-DF-36.png

D.      Post Installation
Login to Database Firewall Web Console
1.       Open a web browser on your host machine and enter the following URL in the address bar: https://192.168.169.22
2.       Press "<Enter>" key to go to the specified url.
3.       Click on "Proceed Anyway" button.

Image AVDF-121110-DF-37.png

4.       Enter Installation Passphrase
·         Enter Installation Passphrase.
·         Click on "Login" button.

Image AVDF-121110-DF-38.png

5.       Post Installation Configuration
As part of post-installation configuration, an administrator user for Database Firewall has to be created and the passwords of the root and support users have to be reset.
·         Enter FWADMIN as username. The administrator user for Database Firewall is usually named FWADMIN. THIS USERNAME IS CASE SENSITIVE.
·         Users "root" and "support" are created in the operating system. When connecting to this server with terminal clients such as ssh and PuTTY, first log in as the support user and then switch to other users. User "oracle" is implicitly created in the operating system. By default, a database named "dbfwdb" is created.
·         Click on "Save" button after all the information has been filled.

Image AVDF-121110-DF-39.png

6.       Login to Database Firewall web console
System will redirect to the login screen after Save button is clicked in the earlier screen.  
·         Enter the username and password for the administrator user of Oracle Database Firewall.
·         Click on Login button to login to the web console.

Image AVDF-121110-DF-40.png

7.       Check System Status
On initial login, Database Firewall web console shows the status.
·         Click on Show Report button to check Diagnostic Status.

Image AVDF-121110-DF-41.png



Output of Diagnostic Status is given below:
Diagnostic Status - OK
Checking if exists: /etc/platform.conf                                                   OK
Checking if exists: /usr/local/dbfw/etc/stund.conf                                              OK
Checking if exists: /usr/local/dbfw/etc/mwecsvc.conf                                     OK
Checking if exists: /usr/local/dbfw/etc/privkey.pem                                             OK
Checking if exists: /usr/local/dbfw/etc/cert.crt                                                OK
Checking if readable by user dbfw: /etc/platform.conf                                    OK
Checking if readable by user dbfw: /usr/local/dbfw/etc/dbfw.conf                                OK
Checking if readable by user dbfw: /usr/local/dbfw/etc/privkey.pem                              OK
Checking if readable by user dbfw: /usr/local/dbfw/etc/cert.crt                                 OK
Checking if readable by user dbfw: /usr/local/dbfw/etc/stund.conf                               OK
Checking if readable by user dbfw: /usr/local/dbfw/etc/mwecsvc.conf                             OK
Checking if readable by user dbfw: /usr/local/dbfw/etc/middleware.ppk                           OK
Checking if readable by user dbfw: /var/dbfw/tmp                                                OK
Checking if writable by user dbfw: /usr/local/dbfw/etc/dbfw.conf                                OK
Checking if writable by user dbfw: /usr/local/dbfw/upload                                       OK
Checking if writable by user dbfw: /var/dbfw/tmp                                                OK
Checking if /dev/mapper/vg_root-lv_root mounted on /(ext3)                                      OK
Checking if /dev/mapper/vg_root-lv_tmp mounted on /tmp(ext3)                             OK
Checking if /dev/mapper/vg_root-lv_home mounted on /home(ext3)                                  OK
Checking if /dev/mapper/vg_root-lv_local_dbfw mounted on /usr/local/dbfw(ext3)                  OK
Checking if /dev/mapper/vg_root-lv_local_dbfw_tmp mounted on /usr/local/dbfw/tmp(ext3)          OK
Checking if /dev/mapper/vg_root-lv_var_log mounted on /var/log(ext3)                     OK
Checking if /dev/mapper/vg_root-lv_var_tmp mounted on /var/tmp(ext3)                     OK
Checking if /dev/mapper/vg_root-lv_var_www mounted on /var/www(ext3)                     OK
Checking if /dev/mapper/vg_root-lv_var_www_tmp mounted on /var/www/tmp(ext3)                    OK
Checking if /dev/mapper/vg_root-lv_oracle mounted on /var/lib/oracle(ext3)                      OK
Checking if /dev/mapper/vg_root-lv_var_dbfw mounted on /var/dbfw(ext3)                          OK
Checking if /usr/local/dbfw/volatile mounted on /usr/local/dbfw/volatile(tmpfs)                 OK
Checking if shmfs mounted on /dev/shm(tmpfs)                                                    OK
Checking network address                                                                 OK
Checking network mask                                                                           OK
Checking bridges:                                                                        OK
Checking DNS:                                                                            OK
Checking gateway:                                                                        OK
Checking if certificate is valid at least for one year:                                         OK
Checking controller connection                                                           OK
Checking if backgroundrb is running:                                                            OK
Checking if HTTP server is running:                                                             OK
Checking if cron is running:                                                                    OK
Checking if stund process is running:                                                           OK
Checking if monitor process is running:                                                  OK
Checking if database is running:                                                         OK
Checking that IPv6 is disabled                                                           OK
Checking Oracle listener                                                                 OK
Checking Oracle database processes                                                       OK
Checking netfilter rules                                                                 OK
Checking monitoring processes                                                                   OK
Current platform: multi 
Script executed as: dbfw
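
A saved copy of this report can be checked by a script rather than by eye, which also catches a security-relevant check that is missing altogether. The Python below is an added example, not part of the original post or of Oracle's tooling; the failure token "FAILED", the list of required checks and the sample report are assumptions constructed for illustration.

```python
# Added example (not Oracle code): audit a saved Diagnostic Status report.
# Checks that must be present and OK; descriptions are copied from the report.
REQUIRED = (
    "Checking netfilter rules",
    "Checking that IPv6 is disabled",
    "Checking if certificate is valid at least for one year:",
    "Checking if readable by user dbfw: /usr/local/dbfw/etc/privkey.pem",
)

# Constructed sample in the report's layout. "FAILED" is an assumed failure
# token (the page only shows OK); the netfilter line is left out on purpose.
SAMPLE_REPORT = (
    "Diagnostic Status - OK\n"
    "Checking if exists: /usr/local/dbfw/etc/privkey.pem              OK\n"
    "Checking if readable by user dbfw: /usr/local/dbfw/etc/privkey.pem\t\tOK\n"
    "Checking if certificate is valid at least for one year:      FAILED\n"
    "Checking that IPv6 is disabled                               OK\n"
    "Checking Oracle listener \t OK\n"
    "Current platform: multi \n"
    "Script executed as: dbfw\n"
)


def parse_report(text):
    """Return (summary status, {check description: status}, trailer fields)."""
    header, checks, trailer = None, {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Diagnostic Status"):
            header = line.rsplit("-", 1)[-1].strip()
        elif line.startswith("Checking"):
            # The status is the last token; the padding between the
            # description and the status is irregular (spaces and tabs).
            parts = line.rsplit(None, 1)
            desc, status = parts if len(parts) == 2 else (line, "")
            checks[desc.strip()] = status
        elif ":" in line:
            key, value = line.split(":", 1)
            trailer[key.strip()] = value.strip()
    return header, checks, trailer


def audit(text, required=REQUIRED):
    """List everything that deviates from an all-OK, complete report."""
    header, checks, trailer = parse_report(text)
    findings = [f"not OK: {d} ({s})" for d, s in checks.items() if s != "OK"]
    findings += [f"missing check: {d}" for d in required if d not in checks]
    if header == "OK" and any(s != "OK" for s in checks.values()):
        findings.append("summary line says OK but a check is not OK")
    if trailer.get("Script executed as") != "dbfw":
        findings.append("report was not produced as user dbfw")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_REPORT):
        print(finding)
```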

8.       Configure Network Interfaces and Hostname
·         Click on "Network" link on the left panel.
·         Click on "Change" button at the bottom of the right corner.
·         Change the hostname to "fwserver01".
·         In "Proxy Ports" section, select "Enabled" check box, enter "15211" as port number and click on "Add" button.
·         In Traffic Sources section, change the IP address from "192.168.0.220" to "192.168.168.23".
·         Click on "Save" button. This usually requires a reboot but we will restart the server once all the post-installation configuration is complete. Review the image below.

Image AVDF-121110-DF-41-a.png

Image AVDF-121110-DF-42.png

Image AVDF-121110-DF-43.png

9.       DNS and Access configuration
·         Click on "Services" link on the left panel.
·         Click on "Change" button on the right panel.
·         Leave the DNS Server configuration unchanged, i.e. leave the values of "DNS Server 1", "DNS Server 2" and "DNS Server 3" set to "disabled".
·         Set the value of "Web Access" to "all".
·         Set the value of "SSH Access" to the list of IP addresses from which this server will be accessed. The IP addresses in the list should be separated by spaces.
·         Leave the value of "SNMP Access" set to "disabled".
·         Review the changes.
·         Click on "Save" button.

Image AVDF-121110-DF-44.png

Image AVDF-121110-DF-45.png
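
The access values entered in this step decide who can reach the management services, so they are worth checking before saving. The Python below is an added example, not part of the original post or of the product; it assumes "all" means no source restriction, and the approved admin source list and both sample settings are constructed.

```python
import ipaddress

# Added example (not Oracle code). Values mirror the Services page fields:
# "all", "disabled", or a space-separated list of IP addresses.


def audit_services(settings, admin_sources):
    """Return findings for the Web/SSH/SNMP access values.

    admin_sources: networks the operator accepts as management clients
    (an assumption of this example, not a product setting).
    """
    allowed = [ipaddress.ip_network(n, strict=False) for n in admin_sources]
    findings = []
    for name, value in settings.items():
        value = value.strip()
        if value.lower() == "disabled":
            continue
        if value.lower() == "all":
            findings.append(f"{name}: open to every source address")
            continue
        if not value:
            findings.append(f"{name}: empty value")
            continue
        for tok in value.split():
            try:
                addr = ipaddress.ip_address(tok)
            except ValueError:
                # Commas, CIDR blocks and host names are not list entries.
                findings.append(f"{name}: '{tok}' is not a single IP address")
                continue
            if not any(addr in net for net in allowed):
                findings.append(f"{name}: {tok} is not an approved admin source")
    return findings


# Settings as entered in this step; the SSH entry is the host machine address
# from the Prerequisites section (a constructed choice for this sample).
AS_CONFIGURED = {
    "Web Access": "all",
    "SSH Access": "192.168.169.174",
    "SNMP Access": "disabled",
}

# Constructed sample with typical mistakes: a comma-separated list, a CIDR
# block, and an address that nobody approved.
MISCONFIGURED = {
    "Web Access": "192.168.169.174,192.168.169.175",
    "SSH Access": "192.168.169.174 192.168.169.0/24 192.168.169.50",
    "SNMP Access": "disabled",
}

# Constructed allow-list: only the host machine is an approved admin client.
ADMIN_SOURCES = ["192.168.169.174/32"]

if __name__ == "__main__":
    for label, cfg in (("as configured", AS_CONFIGURED),
                       ("misconfigured", MISCONFIGURED)):
        print(label, audit_services(cfg, ADMIN_SOURCES))
```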

10.   Change Date and Time
·         Click on "Date and Time" from system menu on the left panel.
·         Click on "Change" button at the bottom-right corner of the right panel.


Image AVDF-121110-DF-46.png

·         Set date and time correctly in "System Time" fields.
·         Select "Enable NTP Synchronization" check box and enter NTP server addresses in Server 1,  Server 2 and Server 3 respectively as below:
o   0.centos.pool.ntp.org
o   1.centos.pool.ntp.org
o   2.centos.pool.ntp.org
·         Click on "Save" button.

Image AVDF-121110-DF-47.png

Image AVDF-121110-DF-48.png

11.   Change Keyboard Layout

Image AVDF-121110-DF-49.png

12.   Post-Install Configuration Complete
·         This completes post-installation configuration of Oracle Database Firewall.
·         After network settings have been changed, Database Firewall asks for a reboot of the server. In such cases it is recommended to reboot the server.

13.   Reboot Server
·         Login to the database firewall server.
·         Select "Power Off" using Up/Down arrow keys as shown in image below.
·         Press "Enter" button.
·         Enter "root" user password when prompted.
·         Press "Enter" to shutdown the server.
·         To start server, select Database Firewall machine in VirtualBox Manager and click on start icon.

Image AVDF-121110-DF-50.png

Image AVDF-121110-DF-51.png

Image AVDF-121110-DF-52.png


Hope this helps...




6 comments:

  1. Hi,

    This is a great article. However, I found some inconsistencies in the written documentation and the screenshots.
    Basically, I want to know what the correct configuration is for the three NICs of the DBFW.

    Because you mention using all the three NICs with bridged network, whereas the third NIC's screenshot shows that it's an internal network with deny all as its promiscuous mode.

    Also clarify whether this configuration is a DAM mode firewall or a DPE mode.

    regards

    Ravi

  2. Hi Ravi, thank you very much for reviewing the article in such detail.

    The third NIC is supposed to be Internal Network. Further, I have not yet configured my firewall. DAM and DPE mode come into play when you actually start to configure the firewall policy. I will be writing about this soon.

    Regards,
    Ashish Man Baisyet

  3. Ok, Ashish.
    No problem. I will be following your blog. It's good to see stuff working.

    Either way, I am also setting up the same stuff, AV+DF+DB, and it just got interesting. Audit Vault could see the SQL sentences that are being generated on the target DB from the Sys.AUD$ table.

    I would like to configure the EPs, policies and transformations for the SQLs in the DBFW and see the DBFW 12c in action.

    great work

    regards

    ravi

  4. hi Ashish

    I would like to know what configuration of the NICs you have used, because the MAC addresses from the VirtualBox screenshots do not coincide with the MAC addresses that the DBFW is showing in the interface selection and configuration.

    for ex:

    NIC1
    Type: Bridge
    MAC: xx:xx:xx:xx:xx:xx
    Interface in DBFW:eth0
    IP/mask: 192.168.x.y/255.255.255.0
    Purpose: Administration

    NIC2
    Type: Bridge
    MAC: xx:xx:xx:xx:xx:xx
    Interface in DBFW:eth1
    IP/mask: 192.168.x.y/255.255.255.0
    Purpose:

    NIC3
    Type: Internal
    MAC: xx:xx:xx:xx:xx:xx
    Interface in DBFW:eth3
    IP/mask: 192.168.x.y/255.255.255.0
    Purpose:

    Because it seems that the DBFW is not taking the NICs in the order that we create them in VirtualBox. For example, adapter #2 of VirtualBox is the eth0 of DBFW.

    And a good knowledge of these NICs is required to configure the admin segment, traffic source, etc. Otherwise things get messed up.

    regards

    ravi

  5. Hi Rabi,

    Thank you very much for reviewing my article. I have used multiple VMs to write this article, so the MAC addresses might have been different. All you need is the IP address, so you can ignore the MAC address for the setup.
    Regards,
    Ashish Man Baisyet

  6. Hi Ashish,
    thanks for your article,

    Like Rabi, I also feel slightly disappointed.

    AVDF is very easy to install in version 12.

    But this is all about security.

    I think the configuration of the 3 NICs is a very important point to avoid or not SQL injection.
    This is one of the biggest added values of this product.

    They can't be on the same VLAN and it will be accurate to explain this part in detail.

    Laurent
