Rolling Review Wrap-Up: Extrusion-Prevention Systems

When a Web server attack exposed Second Life customer data last September, Linden Lab invalidated all user passwords and announced that one lowly SQL injection flaw had enabled attackers to run arbitrary SQL commands on a back-end database. The company admitted that 650,000 names along with contact information, encrypted passwords and payment data had been compromised.

Fast forward to May, when University of Missouri employees probably wished they were in some alternate universe. IT staff noticed abnormal application behavior on May 3 and the next day discovered a mother lode of errors. One vulnerability was in a Web page used to check the status of help desk issues, and exploiting a SQL injection flaw enabled an attacker to retrieve names and Social Security numbers the old-fashioned way—one record at a time, using tens of thousands of Web requests.

By the time IT realized what was happening, sensitive data on 22,396 people was long gone.

The sad truth is, it's no coincidence that over the past year an increasing number of security breaches have been the result of database compromises, rather than pilfered laptops. Steal a PC from a car and you might get nothing but some hardware and an MP3 collection. Infiltrate a database of customer information and the possibilities are endless. And this trend will only continue as more companies deploy data-rich online services needing database back ends.

Real-World Analyst Assessment
Click to enlarge in another window

In the case of Second Life, attackers mined personal information on thousands of users who might have ended up the focus of highly targeted phishing scams. For UM, affected employees must worry about identity theft because of one insecure Web application and old database still left in service.Sure, it would have been ideal if secure programming techniques were always followed when developing Web applications. But let's face it—basing your data security strategy on developers producing bulletproof apps is like going to a shootout with one round in your magazine.

A better idea? If Linden Lab and UM had database extrusion prevention systems deployed at the time of the compromises, these breaches could have been prevented. The offerings we reviewed in our DBEP Rolling Review can keep abnormally large numbers of records from being returned, as in the Linden Lab compromise, and block the SQL injection attacks seen in the UM hack.

In the pantheon of defenses, DBEP systems have a slight advantage over standard data leakage protection products that sit at the network perimeter or run as endpoint agents in that they can be placed directly in front of your databases. They see traffic before an attacker can obfuscate, transform or encrypt data to evade detection. With data leak prevention, an attacker can avoid discovery if he gains a level of control over the data before it's shuttled through the network.

Enterprises worried about exposure through attacks against Web servers with database back ends, the database servers themselves or via misuse by authorized users do have protection options—we were generally pleased with the products we reviewed, with only a couple of exceptions as noted in the features chart (below). These products are not one-size-fits-all, but any of the five could have prevented a good number of the breaches that are currently making news.

Wild Cards

We put five DBEP systems to the test in our University of Florida Real-World Labs. Crossroads Systems, Guardium, Imperva, and Rippletech sent us appliances, while Pyn Logic submitted software. We also invited Application Security, IPLocks, Symantec, Tizor Systems, and Transparency Software. Symantec declined. Application Security and Transparency Software didn't have their latest revisions ready within our testing window. The others never responded.

When we started testing we weren't entirely sure what to expect, but we knew exactly what we were looking for: ease of installation and configuration, a breadth of database support, good visibility into database activity, detection and notification or blocking of attacks, helpful features, and a reasonable price.

To be effective, DBEP systems must provide visibility into database activity, whether it occurs on the network between the database and application servers or locally on the database server. Rules can then be created to monitor for activities that indicate possible misuse or attack. After an activity is detected, it can be allowed, blocked, recorded or alerted on.Up to this point, all the products we tested worked pretty much the same. It's the extras that separated the leaders from the rest of the pack.We found it interesting that the top two vendors in our review, Guardium and Imperva, approach the problem of database extrusion differently. Imperva focuses heavily on network security, with features like a stateful firewall, intrusion prevention system signatures and vulnerability scanning of the database server. Guardium, in contrast, concentrates more heavily on reporting. We found at least a dozen different ways to take data gathered during monitoring and turn it into automated audit statements and security assessments that report on the security of a database server based on generated alerts, not by testing the server directly.

Baselining database activity and creating related policies are a key differentiator for the appliances from Crossroads, Guardium and Imperva. Each could monitor database activity and determine a base policy to fit the usage profile. Imperva stood out thanks to its dynamic profiling, which monitored activity, created usage profiles and then allowed those profiles to dynamically update themselves by defining safe margins and hard limits. For any enterprise with large-scale database deployments, this is a welcome feature that will spare DBEP administrators from constantly having to update policies as user roles change over time.

Management was performed through a Web browser for all the products tested, except for Crossroads DBProtector, which featured a Java-based interface. We saw few usability issues in the Web interfaces, though it became obvious after testing with both Mozilla Firefox on Linux and Internet Explorer on Windows that they were built with IE in mind. Crossroads' Java interface was both pleasing to the eye and easy to navigate. For the Web-based offerings, Guardium's and Imperva's GUIs were well done, with Guardium's being slightly more polished.Crossroads Systems DBProtector

Crossroads Systems DBProtector has one of the best-looking and fastest Java-based management interfaces we've seen. Deployment options allow it to be inline and out-of-band, but blocking can be performed only when inline. It has several dashboard-type displays that show the status of accesses and violations, with the ability to drill down into each for detailed information.

Data Privacy
Immersion Center

NEWS | REVIEWS | BLOGS | FORUMS TUTORIALS | STRATEGY | MORE

Priced at $45,000 as tested, DBProtector was the only product that required us to scan our databases to learn the structure before we could create rules. Once built, rules are flexible, and a wizard makes it easy for admins of any skill level to use this product effectively. Currently, the feature set is limited when compared with Imperva and Guardium, but Crossroads assured us it has big plans for DBProtector. It handily made our shortlist.

> Click to read the Crossroads Systems DBProtector review

Guardium SQL Guard

Guardium has put a lot of work into SQL Guard, making it a formidable competitor to the Imperva SecureSphere Database Security Gateway. Deployment options are the same as for the SecureSphere, and host agents are also available. A lot of focus has been placed on automating tasks to occur at scheduled intervals. For example, SQL Guard was the only product tested that could scan a range of IP addresses and ports looking for new database servers. When found, databases are queried for version informatio, and notification is sent to an administrator. This feature could be set to run daily or weekly, as could many of the product's other reporting capabilities.

The most common realization IT groups have when deploying DBEP is that what they may consider "normal" usage of the database is never what really takes place day-to-day. Thus we found the most useful feature when creating polices with this product was the simulator that tests policies against historical data already captured by SQL Guard. The only downside of the policy simulator is that testing is limited to access policies, and not what Guardium calls "exception and extrusion rules." At $50,000 as tested, SQL Guard was the most expensive product in the roundup by $5,000, but it offers wide database and OS support and easily made our shortlist.> Click to read the Guardium SQL Guard review

Imperva SecureSphere Database Security Gateway; Editor's Choice

Right from the start, Imperva SecureSphere Database Security Gateway impressed us with its plethora of features. Deployment options include both inline and out-of-band monitoring via a switch's network monitoring port or network tap, with both options allowing blocking, either by dropping traffic entirely when inline or sending TCP reset packets when out-of-band. Only one other product in our review, Guardium SQL Guard, has the same blocking capability.Unique to Imperva SecureSphere was the ability to scan the database server for vulnerabilities and act as an IPS. The DSG scans the database software and underlying operating system to find known vulnerabilities and weak security configurations that could allow the server to be compromised. Additionally, when deployed inline, it can act as a stateful firewall and IPS with over 2,500 signatures to prevent attacks such as protocol violations, SQL injection and known worm activity. SecureSphere cost $45,000 as tested and is our Editor's Choice for this Rolling Review series.

> Click to read the Imperva Secure Sphere review

PynLogic Enzo 2006

Pyn Logic's $9,999 Enzo 2006 is a Windows-based, software-only DBEP system. It's the only product we reviewed that could be deployed inline only and was the least flexible system tested, with only about half the features other vendors offered. That said, since it sat inline and proxied all connections to the database server, Enzo was unique in being able to force two-factor authentication and user aliasing.

Pyn Logic partnered with RSA and CryptoCard to add two-factor authentication, which can be enforced when users are connecting from remote locations, specific IP or MAC addresses, or even at certain times of day. With user aliasing, the database server can have one user account that is aliased to multiple users within a Microsoft Active Directory, with Enzo handling authentication and aliasing in a manner transparent to the user. Still, we consider it suitable only for small organizations because it lacks features vital for the enterprise, such as automatic enumeration of databases, clients and usage patterns; SSL decryption; and rules for detecting actual data leakage.

> Click to read the PynLogic Enzo 2006 review

Rippletech InformantRippletech has a lot of potential with Informant, but currently, it can be deployed only out-of-band, and it doesn't support blocking malicious activity. However, it is possible to run custom scripts that could add a rule to a firewall and IPS, and we could use a tool like hping to send TCP resets.

The interface could use some work; we found it was very utilitarian, and management of the underlying Linux system was through Webmin. Still, Informant easily took our Best Value award, at just $2,995 as tested, and it is available as either software or an appliance. The product comes with a large number of rules that are prepopulated for several different regulations and database server types. Rules are based on regular expressions, as with the products from Imperva and Guardium. Informant can also monitor HTTP traffic and is the only product tested that supports MySQL. It made our shortlist.

> Click to read the Rippletech Informant review

John H. Sawyer is a senior IT security engineer at the University of Florida and a GIAC Certified Firewall Analyst, Incident Handler and Forensic Analyst. Write to him at [email protected]. '