Rolling Review: Crossroads Systems StrongBox DBProtector

Rounding out our Rolling Review of database extrusion prevention products is Crossroads Systems StrongBox DBProtector. While it provided the easiest to use interface we've seen yet and plenty of attractive graphs to please the pointy hairs, DBProtector lacked some features, like blocking traffic when out-of-band and database security assessment, that we found in competitors like Guardium and Imperva.

DBProtector arrived at our University of Florida Real World Lab as a 2U appliance. Once racked, initial configuration was quick and easy. Deployment options include inline or out of band using a switch monitoring port to observe all the database server's traffic. Even though its deployment methods are the same as Guardium and Imperva, DBProtector has the capability to block only when deployed inline. Additionally, no host agents are currently available, so any activity on the local database server console will be missed.

IBM DB2 8.1/8.2, Microsoft SQL Server 2000/2005 and Oracle 9i/10g are supported in the current release, but before they can be protected, DBProtector must map them to understand the database layout. The mapping process is simple—just supply credentials for all the databases you're interested in protecting, and the product imports information about table structures, users, stored procedures and more. Because many auditors will not understand internal naming conventions, Crossroads supplies what it calls Business Objects, essentially aliases that can be defined once mapping is complete to make policy development and audit review more user friendly.

Organizations under compliance and regulatory pressure to ensure separation of duties will welcome the granular roles in DBProtector. For example, an appliance administrator might have privileges only to configure the appliance and see reports regarding system health. Auditors can be given reviewer privileges that allow them to access reports on database activity, but no more, while the policy manager may approve, reject and activate policies. One feature we were surprised to see missing was external directory support. That means all users accessing DBProtector must have local accounts.

The user interface is Java-based and very well designed. Menus are laid out intuitively, the dashboard with pie charts and bar graphs is very attractive, and the online help is in-depth. We particularly liked the capability to drill down into the different charts and graphs. Double-clicking provided detailed records of user, table, column and policy activity.Plumbing the Depths

DBProtector's policies, or rules, are defined as enabling and disabling. By default, all activity is blocked, then allowed through the creation of enabling policies. Crossroads recommends that enabling policies be a bit broad and disabling policies be more specific; however, for highly sensitive environments, we recommend that enabling policies be as precise as possible. Care must be taken, though, that too much administrative overhead isn't created from overly complex policies. Think about those who come after you: The more intricate a policy, the harder it is to decipher it, especially, if you aren't the one who developed it.

Data Privacy
Immersion Center

NEWS | REVIEWS | BLOGS | FORUMS TUTORIALS | STRATEGY | MORE

At first, we thought that the metrics for building policies were limited, but as we continued to work with the interface and build a variety of rules, it became apparent that this was not the case. Policies are created through a context-sensitive wizard that shows only those metrics that are relevant based on whether the policy is affecting database objects, database responses, applications used, time of day, SQL impact (access, modify, execute), and rows returned.

DBProtector fared as well—or as poorly, depending on whether you're a "glass half full" kind of person—as the other products in our review when confronted with our attacks. It was able to spot large numbers of customer records being returned through our e-commerce application but couldn't detect theft when we lifted one record at a time. When deployed inline, it blocked the attacks it detected and alerted when placed out-of-band.

Crossroads' interface development team has done an impressive job in making DBProtector extremely user friendly. Organizations looking for database extrusion prevention should keep DBProtector on their short lists.John H. Sawyer is a Senior Security Engineer at the University of Florida. He can be reached at [email protected]