Rolling Review: Imperva's Secure Sphere

Database IDS/IPSS have many of the same strengths and weaknesses of their network-focused kin: Protection schemes may be more like poodles than rottweilers and, for your own sanity, we recommend choosing an extrusion detection/prevention product that can self-learn normal usage patterns. Imperva's SecureSphere Database Security Gateway G4, tested with the optional MX Management Server, is a win on both counts. It did a fine job learning our user behavior, and numerous signatures let it handily block known attacks against both the database server and the underlying OS.

Although the $45,000 DSG can be deployed and managed on its own, the MX Server provides a convenient single point of entry. We recommend springing for the extra $15,000 if you manage multiple SecureSphere appliances, including the DSG and Imperva's Database Monitoring Gateway and Web Application Firewall.The DSG and the management server are both run-of-the-mill 1U servers, but the DSG G4 sports a four-port Ethernet card and two onboard Ethernet ports. These extra ports let it sit inline and perform monitoring. With two ports per inline implementation, the DSG G4 could sit inline and monitor two separate networks/servers.

Test Setup

To enable management, Server Groups must be created within the MX Server Web interface, so we set up two containing our Microsoft SQL and Oracle servers. To establish our baseline, we automated several Ruby scripts and iMacros to run at regular intervals to simulate user activity, both directly to the database server and through the e-commerce Web site.

Imperva uses what it calls "Dynamic Profiling" to create baselines and learn what's considered normal user behavior. We could have created profiles and defined tables manually, but it's much more efficient to let the DSG go on its merry way, then modify profiles based on actual business usage.

Likewise, learned profiles can change dynamically based on rules. Our scripts automatically queried several tables in the HR database, randomly inserted a new employee and updated rows every few hours. Once the baseline was established and current users were allowed, we set rules that would allow new users, but alert when they were first seen. The feature worked as expected--a new profile was created, and respective behavior was learned. When we set a rule to stop allowing previously unseen users, database-access attempts were denied.After profiles are established, the fun starts. We created definitions for what constitutes database extrusion. Companies looking to address PCI compliance take note: Imperva provides several rulesets for detecting credit-card leakage, but they're overwhelming, with more than 200 unique rules for each major vendor. Moreover, all rules are enabled by default! We suspect many companies will simply leave all rules enabled and live with false positives. The problem, of course, is that after a while you'll stop paying attention.

Continue to the next page ...

Too Much Information?

The DSG's user-behavior auditing is much more granular than that of most database server software. Responses from the database can be logged to see what data generated alerts, for example. Although this is useful, it's also a violation waiting to happen. Imagine if an attacker were able to dump 1,500 customer credit-card numbers, and those numbers were included in the DSG's logs. You're in the PCI doghouse. Or, how about queries that include sensitive information as defined by HIPAA or SOX?

Fortunately, Imperva addresses this by including a global option to exclude raw queries from logs. Imperva also aids compliance by ensuring separation of duties by moving database logging outside the DBA's purview.

Because the DSG can be placed inline, it can act as a firewall and an IPS, making its $45,000 price tag more palatable. On top of using profiles to determine normal traffic, the DSG includes signatures for known attacks and protocol decoders to detect anomalies that could indicate an attack. Imperva told us that since most customers have firewalls in place, this is one of the lesser-used features, but we consider it a nice addition to help in a layered-defense security model.We tried several SQL injection attacks that were built into our e-commerce app. The signatures detected some, but not all of them. We also turned off the signatures to see if the Web user's profile would catch the change in behavior. It did. And, sticking with the IPS mindset, the DSG includes signatures that can block known attacks against both the database server and the underlying OS.

Another nice touch: Imperva includes an assessment piece for determining the security posture of a database server. It checks for general database security features, tests for actual database vulnerabilities and verifies the security of the underlying OS, in addition to protecting it from known attacks. We ran the assessment against default installs of Microsoft SQL Server 2000 and 2005 to see what it would tell us. As we had hoped, the scanner found all the vulnerabilities we expect to be in default installs of each product.

All management tasks are performed directly on the MX Management Server interface. Changes must be propagated to devices under management by clicking the "Activate Settings" button; once that happens, changes take place in near-real-time. For enterprises with many database servers spread out geographically or those looking to use other Imperva products, the MX Management Server is a smart choice for centralizing management and policies into one easy-to-use interface.

Imperva's DSG is a solid product, and we look forward to testing rivals to see how they stack up. Look for our comprehensive comparison chart and report card after we've completed testing.

John H. Sawyer is a senior IT security engineer at the University of Florida and a GIAC Certified Firewall Analyst, incident handler and forensic analyst. Write to him at [email protected].0