Oracle数据库安全产品中,有两款是可以支持第三方数据库或非数据库(如操作系统,文件系统等)的。他们是:
- Oracle AVDF (Audit Vault & Database Firewall)
- Oracle Data Masking and Subsetting
完整的兼容性列表在Oracle Docs中提供,而非Oracle Support。
Oracle AVDF的兼容性列表
AVDF最新的版本是20。之前的版本是12.2。
快速了解,可以看以下文档:
- Primary Note For Audit Vault Server And Database Firewall (Doc ID 2169653.1)
- Audit Vault and Database Firewall : Frequently Asked Questions (Doc ID 1593059.1)
可以在Installation Guide中的2.2.1 Product Compatibility Matrix中找到。
Oracle Data Masking and Subsetting的兼容列表
Oracle Data Masking and Subsetting,以下简称Oracle DMS。
Oracle DMS属于Oracle Enterprise Manager Cloud Control,最新的版本是13.5。
快速了解,可以看一下此文档:Primary Note For Data Masking And Subsetting (Doc ID 2284638.1)
Oracle DMS对非Oracle数据库的支持是通过Oracle Database Gateway,参看这里:
Heterogeneous support
Mask and subset data in non-Oracle databases using Oracle Database Gateways, which is always included.
Oracle Database Gateway支持SQL Server,DB2,Sybase,Informix 和Teradata等。具体可参看这里:
- Primary Note for Oracle Gateway Products (Doc ID 1083703.1)
似乎没找到MySQL的,但MySQL应该可以Database Gateway中的ODBC类型来连接。
另外MySQL企业版本身也支持Data Masking。
如果不在兼容性列表中
AVDF
对于AVDF,在Oracle Audit Vault and Database Firewall Developer’s Guide中说到:
Audit collection is supported from many database types. See Product Compatibility Matrix for a list of supported database types and versions.
许多数据库类型都支持审计收集。 有关受支持的数据库类型和版本的列表,请参阅产品兼容性列表。
In case audit collection is not supported out of the box from a specific database type, then you can build custom audit collection plug-in to retrieve audit data stored in the audit trails.
如果特定数据库类型不支持开箱即用的审计收集,那么您可以构建自定义审计收集插件来检索存储在审计跟踪中的审计数据。
A collection plug-in provides functionality similar to the prepackaged collection plug-ins shipped with Oracle Audit Vault and Database Firewall, by retrieving audit data stored in audit trails.
收集插件通过检索存储在审计跟踪中的审计数据,提供类似于 Oracle Audit Vault 和 Database Firewall 随附的预打包收集插件的功能。
Oracle Audit Vault and Database Firewall allows developers and third-party vendors to build custom collection plug-ins. These custom plug-ins are capable of collecting audit data from a new target type.
Oracle Audit Vault and Database Firewall 允许开发人员和第三方供应商构建自定义收集插件。 这些自定义插件能够从新的目标类型收集审计数据。
我理解对于审计是可扩展的,也比较好扩展。但不包括数据库防火墙。
Oracle Data Masking and Subsetting
如果某数据库不支持,可以将此数据库的数据导出加载到Oracle中,然后脱敏。
脱敏完成后再倒回原数据库。感谢Jim提供的思路。
其实本身Gateway或者DB Link也是将数据导出转储到Oracle的Staging环境进行脱敏。参看这里。
Heterogeneous
Oracle Data Masking and Subsetting also supports data masking of data from any non-Oracle database, such as IBM DB2, Microsoft SQL Server, and Sybase.
Oracle Data Masking and Subsetting uses the DB links and the gateways to read data from non-Oracle production databases, copy the data to an Oracle-based staging environment, mask in the Oracle staging environment, and then write to the non-Oracle test databases.
It uses the same masking techniques that are used in the Oracle databases for masking the data.
其它几个问题
关于Database Firewall支持SQL的长度
SQL是否有64K长度限制?答案是没有。参看这里:
There is no limit to the length of SQL statements that the Analyzer can analyze; it displays up to the first 2000 characters of a statements. Also, it looks at all types of SQL statements, not just product-specific SQL. For example, it looks at regular ANSI SQL as well as Oracle PL/SQL.
关于数据库防火墙漏洞库的数量
我理解可能是对应Database Firewalls的Policy和Rule。在Database Firewalls中,有预定义和自定义的策略,详见以下文档:
AVDF的性能
AVDF的AV部分,由于是审计数仓,本身是个采集和分析工具,性能不是问题。对源数据库的影响,取决于审计的粒度。
AVDF的DF部分,在文档中是这么说的:
Database Firewall introduces very minimal latency overhead of less than 100 microseconds per SQL statement with 100K transactions per second. This is based on internal performance tests.
