Rolling Review: Pyn Logic Enzo 2006


May 11, 2007

6 Min Read

The Upshot

Claim
Participants in our Rolling Review must be capable of monitoring, detecting and, when possible, preventing data extrusion from database servers. Pyn Logic says Enzo 2006 fills the bill through its use of two-factor authentication, user aliasing, and notification through syslog and SMTP.
Context
DBEP appliances, such as Imperva's SecureSphere, primarily work by sniffing content mirrored on a network SPAN port, and they accomplish intrusion prevention through mechanisms similar to a firewall or IDS/IPS. Enzo is software and takes a different approach, becoming the endpoint that clients communicate with and proxying requests to the server. This behavior allows it to provide granular access control but introduces a single point of failure and potential bottleneck.
Credibility
Enzo 2006 may work well for small organizations with few databases, but it could become an implementation nightmare for enterprises with thousands of clients communicating with tens to hundreds of database servers. And unlike other products in this Rolling Review, Enzo's controls are limited to who, what, where and when, without context or intelligence about data usage patterns.

Pyn Logic Enzo 2006

Enterprises deploy database-extrusion monitors for many reasons. Insider threats. Data leakage from faulty Web applications. Outside attacks. Or, simply, compliance. Pyn Logic wants to cover all these bases and bills its Enzo 2006 as a jack-of-all-database-protection trades, with functions ranging from database-extrusion prevention to granular access control for database servers. To accomplish this, Enzo sits directly between the client and the database server, proxying all connections in both directions.

Because it's software, Enzo differs from the more common DBEP appliance model, and not always in a good way. On the plus side, it'll appeal to IT shops that just can't squeeze one more black box into the server room, as well as those interested in virtualization. Enzo runs on Microsoft Windows, so for our testing purposes, we installed it on Windows Server 2003.

Enzo directly accepts, processes and transmits requests to the database server. Although we found the process completely transparent to the client, this approach makes Enzo a single point of failure that could prevent access to database servers. The box could also become a performance bottleneck under heavy load. Test carefully before buying.

Dynamic Trio

Enzo comprises three aptly named components: the Director management interface for monitoring and administration; the Management Service, a Windows service that listens on a port, enabling management of the Engine from the Director; and the Engine proxy and enforcement piece, which acts on rules defined by the Director.

There's no baselining, business logic or advanced knowledge of the underlying database structure required for Enzo to work. It simply enforces the rules you set based on MAC (Media Access Control) or IP addresses, a schedule defined by the administrator, client identity or application. Think of it as a stateful database firewall instead of a deep-packet inspection IPS or IDS: The administrator does the heavy rules-definition lifting, with a little help from host- or network-based ACLs.

Enzo's unique feature set revolves around its approach to client authentication. Access rights can be defined using aliases that may be different from those used in the database. Say client access is defined in Enzo using the "John Doe" account existing in Active Directory. As the client accesses the database server through Enzo as John Doe, Enzo translates the connection to a different client identity to perform the transaction. This is useful when applications that use multiple IDs interact with a database with only a single account, yet an enterprise needs accurate logging of all client activity. Enzo does the translation and provides an audit trail.
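The two preceding paragraphs describe Enzo as a stateful database firewall: rules keyed on client address, schedule, identity and application, with the proxy translating the directory identity into the account actually used on the server while keeping the real client in the audit trail. The following is an added example, not Pyn Logic's code, that models that decision path in Python so the default-deny and aliasing behaviour can be seen concretely. The rule fields, the `svc_payroll` account, the subnet and the audit-line format are all constructed for illustration.

```python
"""Rule-based database proxy decision with client aliasing.

Added example (not Pyn Logic's code): models the kind of access rule a
proxying database firewall enforces: source network, schedule, client
identity and application, plus translation of the client identity to the
account actually used against the database. All names and values are
constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    name: str
    source_nets: list        # allowed client networks (CIDR strings)
    identities: set          # allowed directory identities (e.g. AD display names)
    applications: set        # allowed client application names
    days: set                # allowed weekdays, 0 = Monday
    start: time              # schedule window start (inclusive)
    end: time                # schedule window end (inclusive)
    db_account: str          # account the proxy uses on the real server

    def matches(self, src_ip: str, identity: str, app: str, when: datetime) -> bool:
        addr = ip_address(src_ip)
        in_net = any(addr in ip_network(n) for n in self.source_nets)
        in_window = when.weekday() in self.days and self.start <= when.time() <= self.end
        return in_net and in_window and identity in self.identities and app in self.applications


@dataclass
class Decision:
    allowed: bool
    rule: Optional[str]
    db_account: Optional[str]


def decide(rules, src_ip, identity, app, when) -> Decision:
    """First matching rule wins; no match means deny (default-deny firewall semantics)."""
    for r in rules:
        if r.matches(src_ip, identity, app, when):
            return Decision(True, r.name, r.db_account)
    return Decision(False, None, None)


def audit_line(src_ip, identity, app, when, decision) -> str:
    """Syslog-style audit record that keeps the real client identity,
    not only the shared database account the request was translated to."""
    verdict = "ALLOW" if decision.allowed else "DENY"
    return (f"{when.isoformat(timespec='seconds')} dbproxy {verdict} "
            f"src={src_ip} user={identity} app={app} "
            f"rule={decision.rule or '-'} db_account={decision.db_account or '-'}")


# Constructed rule set: payroll application from the HR subnet, weekdays, business hours.
RULES = [
    Rule(name="hr-payroll",
         source_nets=["10.1.20.0/24"],
         identities={"John Doe", "Jane Roe"},
         applications={"PayrollApp"},
         days={0, 1, 2, 3, 4},
         start=time(8, 0), end=time(18, 0),
         db_account="svc_payroll"),
]


def decide_iso(src_ip: str, identity: str, app: str, iso_when: str) -> Decision:
    """Convenience wrapper over the constructed RULES taking an ISO 8601 timestamp."""
    return decide(RULES, src_ip, identity, app, datetime.fromisoformat(iso_when))


if __name__ == "__main__":
    when = datetime(2007, 5, 9, 10, 30)  # a Wednesday, inside business hours
    for src, who, app in [("10.1.20.15", "John Doe", "PayrollApp"),   # allowed
                          ("10.1.20.15", "John Doe", "sqlcmd"),       # wrong application
                          ("192.168.5.7", "John Doe", "PayrollApp")]: # wrong network
        print(audit_line(src, who, app, when, decide(RULES, src, who, app, when)))
```

Note that the audit line records both the directory identity and the translated account; without the former, a shared service account would make every request look identical in the server's own logs, which is exactly the gap aliasing is meant to close.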

This article is one in a series and is part of NWC's Rolling Review of extrusion-prevention systems; all the features and reviews are collected on the Rolling Reviews home page.

Expanding on the idea of client aliasing, Enzo supports two-factor authentication with RSA and CryptoCard. For our testing, CryptoCard gave us an evaluation kit. Additional setup was minor, and the delimiter for including a client identity and PIN during login was selectable. The only drawback to client aliases and two-factor authentication is the lack of support for Oracle databases. These features currently work only with Microsoft SQL Server 2000 and 2005.


Figure: Who Goes There

Like Imperva's SecureSphere, Enzo supports notifications to both syslog and SMTP servers. With filtering and rules on the servers receiving notifications, awareness of malicious activity can be near-real-time. Enzo also supports logging all events to a database through an ODBC connection. We set up the syslog link with no problem and immediately began seeing events on our Linux syslog server.

For ODBC logging, Pyn Logic requires that a DSN (data source name) be configured on the Enzo server before setup; logging then worked as advertised. Built-in reporting capabilities are basic, but provide a quick overview of what's going on with each Enzo Engine. Most enterprises will set up a SIM (security information manager) to leverage the logs available through syslog or ODBC.
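The two paragraphs above make the point that the notifications themselves are only raw events; the near-real-time awareness comes from filtering and rules applied on the syslog server or SIM that receives them. As an added example, not Enzo's output format or Pyn Logic's code, the Python below parses constructed syslog-style proxy events and raises an alert when one client accumulates repeated denials inside a short window, the kind of receiver-side rule that turns a stream of DENY records into a signal worth paging on.

```python
"""Receiver-side filtering of database-proxy notifications.

Added example (not Pyn Logic's code, and not Enzo's real log format): the
sample lines are constructed in a generic BSD-syslog style with key=value
fields to stand in for the events a proxy forwards. The rule flags any
client whose denied requests reach a threshold within a sliding window.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events as a syslog receiver would store them.
SAMPLE_LOG = """\
May 11 10:15:01 enzo1 dbproxy: verdict=ALLOW src=10.1.20.15 user="John Doe" app=PayrollApp
May 11 10:15:04 enzo1 dbproxy: verdict=DENY src=10.1.30.9 user="Temp Acct" app=sqlcmd reason=no-rule
May 11 10:15:09 enzo1 dbproxy: verdict=DENY src=10.1.30.9 user="Temp Acct" app=sqlcmd reason=no-rule
May 11 10:15:15 enzo1 dbproxy: verdict=DENY src=10.1.30.9 user="Temp Acct" app=osql reason=no-rule
May 11 10:16:40 enzo1 dbproxy: verdict=DENY src=10.1.20.15 user="John Doe" app=PayrollApp reason=schedule
May 11 10:22:00 enzo1 dbproxy: verdict=DENY src=10.1.30.9 user="Temp Acct" app=sqlcmd reason=no-rule
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) dbproxy: (?P<kv>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str, year: int = 2007) -> dict:
    """Parse one event into a dict of fields; returns {} for lines that do not match.
    BSD syslog timestamps carry no year, so the caller supplies one."""
    m = LINE_RE.match(line)
    if not m:
        return {}
    ev = {k: v.strip('"') for k, v in KV_RE.findall(m.group('kv'))}
    ev['ts'] = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    ev['host'] = m.group('host')
    return ev


def find_repeat_denials(lines, threshold=3, window=timedelta(minutes=1)):
    """Return one (src, first_ts, last_ts) tuple per client whose DENY events
    reach `threshold` inside a sliding `window`; a client alerts at most once."""
    recent = defaultdict(deque)   # src -> timestamps of recent denials
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev.get('verdict') != 'DENY':
            continue                # ALLOW and unparseable lines are not counted
        src, ts = ev['src'], ev['ts']
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()             # drop denials that fell out of the window
        if len(q) >= threshold and src not in alerted:
            alerts.append((src, q[0], ts))
            alerted.add(src)
    return alerts


def alerts_for_sample():
    """Run the rule over the constructed sample log."""
    return find_repeat_denials(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for src, first, last in alerts_for_sample():
        print(f"ALERT repeated denials from {src} between {first:%H:%M:%S} and {last:%H:%M:%S}")
```

In the sample, the single schedule-related denial for the payroll client stays below the threshold while the three rapid no-rule denials from the other address trip it, which is the distinction a receiver-side rule should make: a legitimate user tripping a time window once is noise, repeated attempts with no matching rule are worth a look.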

Smaller organizations may find that Pyn Logic's Enzo 2006 is a good fit, giving them granular client access, account aliasing and an extra layer of protection between clients and database servers. However, because it lacks such features as automatic enumeration of databases, clients and usage patterns; SSL decryption; and rules for detecting actual data leakage, large enterprises with databases numbering in the double to triple digits and thousands of clients will find Enzo severely lacking.


ABOUT THIS ROLLING REVIEW: Database extrusion prevention products are being tested at our Real-World Labs® at the University of Florida. We're assessing ease of installation and configuration; breadth of database support; visibility into database activity--for example, network-based or local management on the database server; detection and notification and/or blocking of attacks; features; and price.

FEATURED PRODUCT: Pyn Logic Enzo 2006; $9,999 per four-CPU installation, includes 90-day warranty and telephone support. Ongoing maintenance and software updates run 20 percent of license cost for one year, 44 percent for three years.

ALREADY TESTED: Imperva's SecureSphere Database Security Gateway

NEXT UP: RippleTech Informant

OTHER VENDORS INVITED: Application Security, Crossroads Systems, Guardium, IPLocks, Symantec, Tizor Systems and Transparency Software. Contact the author at [email protected] for consideration.

NWC's Rolling Reviews present a comprehensive look at a hot technology category, beginning with market analysis and wrapping up with a synopsis of our findings. See our kickoff to this database extrusion detection/prevention series at nwc.com/rollingreviews.

John H. Sawyer is a senior IT security engineer at the University of Florida and a GIAC-certified Firewall Analyst, Incident Handler and Forensic Analyst. Write to him at [email protected].
