Network Computing is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

RippleTech's Informant

Participants in our Rolling Review must be capable of monitoring for, detecting, and preventing data extrusion from database servers when possible. RippleTech's Informant boasts in-depth monitoring, zero impact on performance, and detailed auditing.
Database extrusion prevention systems either monitor data returned by SQL queries or watch for anomalous behavior or both. Informant looks only for anomalous behavior and doesn't sit inline with the traffic flow. This approach can be highly effective without being obtrusive.
Informant performed well in all tests. The breadth of monitoring for the supported database platforms was impressive, allowing our rules to be extremely specific and effective. Native reporting falls a bit short and is best left to other security management systems.

Does your company lack in-depth native database logging capabilities or knowledge of what should be considered anomalous behavior? If so, here's a tip: RippleTech's Informant can protect your sensitive data without breaking the bank.

RippleTech's appliance version

RippleTech's appliance version

We previously reviewed Pyn Logic's Enzo 2006, a software-only offering running on Microsoft Windows. In contrast, RippleTech offers appliances sporting a hardened Linux installation and with the $2,995 Informant software preinstalled and optimized. We tested the appliance version.Even with the $4,995 appliance premium, Informant is still the least expensive database extrusion prevention, or DBEP, system we've seen to date. It doesn't lack functionality, either: Informant currently supports Oracle, Microsoft SQL Server, DB2, and, unique among the products tested so far, MySQL. RippleTech Informant also let us watch HTTP traffic, though that's not something the company focuses on.

By monitoring database activity using a mirrored switch port, Informant inspected all our SQL traffic, including user and administrative activity, with the exception of the content returned from SQL queries. This is notable because knowing what a database returned can help determine whether an attack was successful. Granted, organizations that need to comply with the Health Insurance Portability and Accountability Act and the like will appreciate that Informant isn't yet another source of possibly regulated data. However, Imperva's SecureSphere addresses this problem with a masking feature that hides sensitive data from view in both the administrative interface and reports, by replacing data in logs with asterisks. Still, we don't believe Informant is overly hindered by this lack of visibility into returned content because, fortunately, it sends alerts based on the number of rows returned, thus raising a red flag on SQL injection or malicious insider attacks that result in large amounts of data being disclosed.

In addition to tracking network activity, we could monitor local database management through host-based agents available for Red Hat Enterprise Server, CentOS, Solaris 8 and 9 (Sparc), and AIX 5.2 and 5.3. No local monitoring of Windows, yet.


RippleTech Informant; $2,995 per database server instance running on as many as four CPUs; an additional $4,995 as an appliance.

We're testing database extrusion prevention products at our Real-World Labs at the University of Florida. We're assessing ease of installation and configuration; breadth of database support; visibility into database activity--for example, network-based or local management on the database server; detection and notification and/or blocking of attacks; features; and price.

Imperva's SecureSphere Database Security Gateway

Pyn Logic Enzo 2006
Application Security, Crossroads Systems, Guardium, IPLocks, Symantec, Tizor Systems, and Transparency Software. Contact the author at [email protected] for consideration.

The true power behind Informant lies in its flexible expression-based rules. We could configure our rules manually or take advantage of predefined rule sets based on either the type of database being monitored or the goal being achieved through monitoring--for example, compliance, security, performance, or auditing. Rules can be written using Boolean expressions acting on metrics examined by Informant; these include begin_time, the starting time of a query; data_out, the bytes in an outbound result packet; return_rows, the number of rows in a returned result set; and query_text, the SQL query sent by the client.

RippleTech has defined about 35 metrics per supported database platform, so rule writing will be granular enough for most IT groups. For our tests, we created rules that worked flawlessly performing such tasks as alerting us if an IP address other than the developer's workstation connects, accesses our customer data table, or updates or requests more than 10 rows.

  • 1