Oracle SQL Firewall is one of the most important security additions in Oracle 23ai. It’s a kernel-level feature (not an add-on product) that inspects every SQL statement sent to the database and compares it against a learned whitelist of approved statements.
How it works:
- Learning phase: SQL Firewall observes your application’s normal SQL traffic and builds a whitelist of allowed statements, users, and connection paths.
- Enforcement phase: Any SQL statement not in the whitelist is either blocked, logged, or both.
Setting up SQL Firewall:
-- Enable SQL Firewall
EXEC DBMS_SQL_FIREWALL.ENABLE;
-- Start learning for a specific user
EXEC DBMS_SQL_FIREWALL.START_CAPTURE('APP_USER');
-- (Let the application run normally for the learning period)
-- Stop learning and create the allow-list
EXEC DBMS_SQL_FIREWALL.STOP_CAPTURE('APP_USER');
EXEC DBMS_SQL_FIREWALL.CREATE_ALLOW_LIST('APP_USER');
-- Enable enforcement
EXEC DBMS_SQL_FIREWALL.ENABLE_ALLOW_LIST(
username => 'APP_USER',
enforce => DBMS_SQL_FIREWALL.ENFORCE_SQL,
block => TRUE
);What it catches:
- SQL injection attempts that generate SQL not in the whitelist
- Unauthorized queries run by rogue application code or DBA accounts
- Unexpected data exfiltration queries (
SELECT * FROM userswhen the app only does parameterized lookups) - Suspicious connection paths (e.g., a user who normally connects from the app server suddenly connecting from a different IP)
Monitoring violations:
SELECT username, sql_text, action_taken, timestamp
FROM dba_sql_firewall_violations
ORDER BY timestamp DESC;SQL Firewall is especially valuable for organizations subject to PCI-DSS, HIPAA, or SOX compliance. It provides a last line of defense at the database level — even if the application layer is compromised.
