Rolling Review: Imperva's Secure Sphere
A strong start to our database extrusion-detection/-prevention series, Imperva's Secure Sphere is quick to learn user behavior, and its numerous signatures let it handily block known attacks against both the
March 31, 2007
Database IDS/IPSS have many of the same strengths and weaknesses of their network-focused kin: Protection schemes may be more like poodles than rottweilers and, for your own sanity, we recommend choosing an extrusion detection/prevention product that can self-learn normal usage patterns. Imperva's SecureSphere Database Security Gateway G4, tested with the optional MX Management Server, is a win on both counts. It did a fine job learning our user behavior, and numerous signatures let it handily block known attacks against both the database server and the underlying OS.
This article is the second of a series and is part of NWC's Rolling Review of extrusion-prevention systems. Click on that link to go to the Rolling Reviews home page to read all the features and reviews now. |
Although the $45,000 DSG can be deployed and managed on its own, the MX Server provides a convenient single point of entry. We recommend springing for the extra $15,000 if you manage multiple SecureSphere appliances, including the DSG and Imperva's Database Monitoring Gateway and Web Application Firewall.The DSG and the management server are both run-of-the-mill 1U servers, but the DSG G4 sports a four-port Ethernet card and two onboard Ethernet ports. These extra ports let it sit inline and perform monitoring. With two ports per inline implementation, the DSG G4 could sit inline and monitor two separate networks/servers.
Test Setup
To enable management, Server Groups must be created within the MX Server Web interface, so we set up two containing our Microsoft SQL and Oracle servers. To establish our baseline, we automated several Ruby scripts and iMacros to run at regular intervals to simulate user activity, both directly to the database server and through the e-commerce Web site.
Imperva uses what it calls "Dynamic Profiling" to create baselines and learn what's considered normal user behavior. We could have created profiles and defined tables manually, but it's much more efficient to let the DSG go on its merry way, then modify profiles based on actual business usage.
Likewise, learned profiles can change dynamically based on rules. Our scripts automatically queried several tables in the HR database, randomly inserted a new employee and updated rows every few hours. Once the baseline was established and current users were allowed, we set rules that would allow new users, but alert when they were first seen. The feature worked as expected--a new profile was created, and respective behavior was learned. When we set a rule to stop allowing previously unseen users, database-access attempts were denied.After profiles are established, the fun starts. We created definitions for what constitutes database extrusion. Companies looking to address PCI compliance take note: Imperva provides several rulesets for detecting credit-card leakage, but they're overwhelming, with more than 200 unique rules for each major vendor. Moreover, all rules are enabled by default! We suspect many companies will simply leave all rules enabled and live with false positives. The problem, of course, is that after a while you'll stop paying attention.
Continue to the next page ...
READ MORE |
---|
>ABOUT THIS ROLLING REVIEW:Database extrusion prevention products are being tested at our Real-World Labs® at the University of Florida. We're assessing ease of installation and configuration; breadth of database support; visibility into database activity--for example, network-based or local management on the database server; detection and notification and/or blocking of attacks; features; and price. >NEXT UP:Pyn Logic's Enzo Database Intrusion Prevention System >OTHER VENDORS INVITED:Application Security, Crossroads Systems, Guardium, IPLocks, Symantec, Tizor Systems and Transparency Software. Contact the author at [email protected] for consideration. NWC's Rolling Reviews present a comprehensive look at a hot technology category, beginning with market analysis and wrapping up with a synopsis of our findings. See our kickoff to this database extrusion detection/prevention series at nwc.com/rollingreviews. |
Too Much Information?
The DSG's user-behavior auditing is much more granular than that of most database server software. Responses from the database can be logged to see what data generated alerts, for example. Although this is useful, it's also a violation waiting to happen. Imagine if an attacker were able to dump 1,500 customer credit-card numbers, and those numbers were included in the DSG's logs. You're in the PCI doghouse. Or, how about queries that include sensitive information as defined by HIPAA or SOX?
Click to enlarge in another window |
Fortunately, Imperva addresses this by including a global option to exclude raw queries from logs. Imperva also aids compliance by ensuring separation of duties by moving database logging outside the DBA's purview.
Because the DSG can be placed inline, it can act as a firewall and an IPS, making its $45,000 price tag more palatable. On top of using profiles to determine normal traffic, the DSG includes signatures for known attacks and protocol decoders to detect anomalies that could indicate an attack. Imperva told us that since most customers have firewalls in place, this is one of the lesser-used features, but we consider it a nice addition to help in a layered-defense security model.We tried several SQL injection attacks that were built into our e-commerce app. The signatures detected some, but not all of them. We also turned off the signatures to see if the Web user's profile would catch the change in behavior. It did. And, sticking with the IPS mindset, the DSG includes signatures that can block known attacks against both the database server and the underlying OS.
Another nice touch: Imperva includes an assessment piece for determining the security posture of a database server. It checks for general database security features, tests for actual database vulnerabilities and verifies the security of the underlying OS, in addition to protecting it from known attacks. We ran the assessment against default installs of Microsoft SQL Server 2000 and 2005 to see what it would tell us. As we had hoped, the scanner found all the vulnerabilities we expect to be in default installs of each product.
All management tasks are performed directly on the MX Management Server interface. Changes must be propagated to devices under management by clicking the "Activate Settings" button; once that happens, changes take place in near-real-time. For enterprises with many database servers spread out geographically or those looking to use other Imperva products, the MX Management Server is a smart choice for centralizing management and policies into one easy-to-use interface.
Imperva's DSG is a solid product, and we look forward to testing rivals to see how they stack up. Look for our comprehensive comparison chart and report card after we've completed testing.
John H. Sawyer is a senior IT security engineer at the University of Florida and a GIAC Certified Firewall Analyst, incident handler and forensic analyst. Write to him at [email protected].0
You May Also Like