Rolling Review: Guardium SQL Guard

Guardium has put together a solid feature set that should please security pros looking to take back control of database activity.

August 10, 2007


Is it time to bite the compliance bullet and get a grip on what's going on within your database environment? Look no further than the SQL Guard 6.0 database extrusion prevention appliance. Guardium has thrown in practically every feature you'll need to lock down sensitive data—all that's missing is a caring, sympathetic auditor. What, you thought this was a miracle box?

This article is the fourth of a series and is part of NWC's Rolling Review of extrusion-prevention systems. Click on that link to go to the Rolling Reviews home page to read all the features and reviews now.

SQL Guard came to our University of Florida Real World Lab on a beefy Dell 1U server that can be deployed either inline or out-of-band. In either scenario, it acts as a true extrusion prevention system, dropping traffic when inline or sending TCP reset packets to the attacker and database server when out-of-band. We had no problems during testing with either placement option. Day-to-day management was a breeze thanks to a thorough, well-designed and attractive Web interface that shows off the maturity of the 6.0 release. As intuitive as we found the Web interface, the sheer number of features available in each screen sometimes left us thumbing through the manual. Once you learn the ropes, this will be one formidable weapon against data theft.

SQL Guard supports Oracle 8i/9i/10G, Microsoft SQL Server 2000/2005, Sybase ASE/IQ, and IBM DB2 and Informix. The primary method of analyzing database activity is through monitoring network traffic to the database servers. This works great when your topology supports the addition of a network appliance. For environments where this is a problem, say due to layout or use of virtualization, where the application and database servers reside on the same physical server, Guardium joins Imperva and RippleTech in supporting database activity monitoring with its S-TAP software probe. S-TAP can monitor both network-sourced database activity and local console activity and supports HP-UX, Solaris, Linux, AIX, OSF1 and Windows OSes.

We installed the S-TAP on our Windows Server 2003 R2 systems with no problem. All database activity generated from the local SQL management console was reported in SQL Guard.

Look, No Hands

Automation is one of SQL Guard's strengths. Practically every task, from database server discovery to classification of data, can be automated. We configured the system to scan our network every day to discover and profile new database servers. First, SQL Guard performed a port scan for the IP addresses and ports we defined. Next, it determined what type of database server was listening on the port and put that information into a report for our review.

Because database server contents change constantly, security personnel, auditors, even DBAs can't be expected to know every single instance of private or regulated data. Fortunately, SQL Guard 6.0 includes automatic classification based on data patterns, column and row names, or permissions. Our test servers contained SSNs and credit card numbers, so we defined classification tasks that searched for our data using regular expressions. It was identified correctly.
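The pattern-based classification described above, as an added illustration that is not Guardium's code: it scans constructed sample rows, labels columns whose values match an SSN or card-number pattern, and applies a Luhn check so that other long digit strings (order numbers here) are not misreported as card data.

```python
import re

# Patterns for the two data types the review's test servers held.
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")
CARD_RE = re.compile(r"^(?:\d[ -]?){13,16}$")  # 13-16 digits, optional separators


def luhn_ok(number: str) -> bool:
    """Luhn checksum: filters digit strings that merely look like card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify_value(value: str) -> set:
    """Return the sensitive-data labels a single cell value matches."""
    labels = set()
    if SSN_RE.match(value):
        labels.add("SSN")
    if CARD_RE.match(value) and luhn_ok(value):
        labels.add("CARD")
    return labels


def classify_columns(rows, min_ratio=0.5) -> dict:
    """Label a column when at least min_ratio of its non-empty values match."""
    columns = {}
    for row in rows:
        for col, val in row.items():
            columns.setdefault(col, []).append(str(val))
    result = {}
    for col, values in columns.items():
        values = [v for v in values if v]
        counts = {}
        for v in values:
            for label in classify_value(v):
                counts[label] = counts.get(label, 0) + 1
        result[col] = {lab for lab, n in counts.items() if n / len(values) >= min_ratio}
    return result


# Constructed sample table; the card values are the usual public test numbers.
SAMPLE_ROWS = [
    {"name": "Alice", "ssn": "123-45-6789", "pan": "4111 1111 1111 1111", "order_no": "123456789012345"},
    {"name": "Bob", "ssn": "987-65-4321", "pan": "5500 0000 0000 0004", "order_no": "987654321098765"},
]

if __name__ == "__main__":
    print(classify_columns(SAMPLE_ROWS))
```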

SQL Guard's rules provide a lot of flexibility. We could trigger on any combination of information related to database activity including client/server IP, database name/user, data patterns, SQL command, source application, field name, time of day and more. One of the most useful rule-creation features was the policy simulator that would test our rule against data currently logged in SQL Guard. When creating rules with regular expressions to match data, a useful tool in the Web interface ensured the regular expression was correct.

Similar to the previous DBEP systems we've reviewed, SQL Guard handled our attacks well whenever large amounts of data were coerced from the database, or SSNs were retrieved using our Web server application instead of Excel. We created a rule to detect theft of customer information from our test e-commerce site, even when it was stolen one record at a time. However, the rule could be impractical if used on a large online retailer because it relied on a minimum count of events within a specified time interval, which had to be defined in minutes. A paranoid attacker could easily script a tool that would steal a single record every 5 minutes or hour to avoid detection.
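To make the count-within-interval rule concrete, here is an added example (not Guardium's own rule engine) that runs a sliding-window threshold over constructed activity log lines: with a short window the slow one-record-every-five-minutes pattern stays under the threshold, while the same rule evaluated over a longer window flags it.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: single-row reads of the customers table, one every
# five minutes from the Web application account, plus unrelated DBA activity.
SAMPLE_LOG = [
    "2007-08-10 09:00:00 user=webapp ip=10.0.0.5 rows=1 table=customers",
    "2007-08-10 09:00:30 user=dba ip=10.0.0.9 rows=1 table=orders",
    "2007-08-10 09:05:00 user=webapp ip=10.0.0.5 rows=1 table=customers",
    "2007-08-10 09:10:00 user=webapp ip=10.0.0.5 rows=1 table=customers",
    "2007-08-10 09:15:00 user=webapp ip=10.0.0.5 rows=1 table=customers",
    "2007-08-10 09:20:00 user=webapp ip=10.0.0.5 rows=1 table=customers",
    "2007-08-10 09:25:00 user=webapp ip=10.0.0.5 rows=1 table=customers",
    "2007-08-10 09:30:00 user=dba ip=10.0.0.9 rows=1 table=customers",
]


def parse_line(line: str):
    """Parse one constructed log line into (timestamp, fields dict)."""
    parts = line.split()
    ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
    fields = dict(p.split("=", 1) for p in parts[2:])
    return ts, fields


def detect(lines, window_minutes: int, threshold: int, table: str = "customers"):
    """Flag (user, ip) pairs that read `table` at least `threshold` times
    inside any `window_minutes`-long sliding window. Returns sorted keys."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # per key: timestamps still inside the window
    flagged = set()
    for ts, f in sorted(parse_line(l) for l in lines):
        if f.get("table") != table or int(f.get("rows", 0)) < 1:
            continue
        key = (f["user"], f["ip"])
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged.add(key)
    return sorted(flagged)


if __name__ == "__main__":
    print("10-minute window:", detect(SAMPLE_LOG, 10, 5))  # nothing flagged
    print("60-minute window:", detect(SAMPLE_LOG, 60, 5))  # webapp flagged
```

The sliding window is kept per user/IP pair, so the DBA's occasional reads never inflate the Web application's count.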

More than 100 preconfigured reports should satisfy everyone from your pointy haired boss to the corporate auditors. Creating custom reports is as simple as dragging and dropping items of interest. We created several reports to track usage patterns and SQL commands used during our testing. Reports can be printed, saved as CSV files or exported as PDFs. Given the extensive reporting capabilities and various status dashboards, most shops will be able to get by without an external SIEM, although support is included for products such as ArcSight and Network Intelligence.

Our take: Guardium has put together a solid feature set that should please security pros looking to take back control of database activity. With several deployment options, extensive rules, flexible reporting and automatic data classification and database discovery, SQL Guard 6.0 delivers true database extrusion prevention.

NUTS & BOLTS

• ABOUT THIS ROLLING REVIEW: Database extrusion prevention products are being tested at our University of Florida Real-World Labs. We're assessing ease of installation and configuration; breadth of database support; visibility into database activity—for example, network-based or local management on the database server; detection and notification and/or blocking of attacks; features; and price.

• FEATURED PRODUCT: Guardium SQL Guard 6.0; price as tested is $50,000

• NEXT UP: Crossroads Systems StrongBox SecurDB

• ALREADY TESTED: Imperva SecureSphere Database Security Gateway, Pyn Logic Enzo 2006, RippleTech Informant

• OTHER VENDORS INVITED: Application Security, IPLocks, Symantec, Tizor Systems and Transparency Software. Contact the author at [email protected] for consideration.

NWC's Rolling Reviews present a comprehensive look at a hot technology category, beginning with market analysis and wrapping up with a synopsis of our findings. See our kickoff to this database extrusion detection/prevention series at nwc.com/rollingreviews.

John H. Sawyer is a Senior Security Engineer at the University of Florida. He can be reached at [email protected]
