Rolling Review: Pyn Logic Enzo 2006

Enzo 2006 may work well for small orgs with few databases, but it could become an implementation nightmare for enterprises with thousands of clients communicating with tens to hundreds of

May 11, 2007

6 Min Read
Network Computing logo

Enterprises deploy database-extrusion monitors for many reasons. Insider threats. Data leakage from faulty Web applications. Outside attacks. Or, simply, compliance. Pyn Logic wants to cover all these bases and bills its Enzo 2006 as a jack-of-all-database-protection trades, with functions ranging from database-extrusion prevention to granular access control for database servers. To accomplish this, Enzo sits directly between the client and the database server, proxying all connections in both directions.

Because it's software, Enzo differs from the more common DBEP appliance model, and not always in a good way. On the plus side, it'll appeal to IT shops that just can't squeeze one more black box into the server room, as well as those interested in virtualization. Enzo runs on Microsoft Windows, so for our testing purposes, we installed it on Windows Server 2003.

Enzo directly accepts, processes and transmits requests to the database server. Although we found the process completely transparent to the client, this approach makes Enzo a single point of failure that could prevent access to database servers. The box could also become a performance bottleneck under heavy load. Test carefully before buying.Dynamic Trio

Enzo comprises three aptly named components: the Director management interface for monitoring and administration; the Management Service, a Windows service that listens on a port, enabling management of the Engine from the Director; and the Engine proxy and enforcement piece, which acts on rules defined by the Director.

There's no baselining, business logic or advanced knowledge of the underlying database structure required for Enzo to work. It simply enforces the rules you set based on MAC (Media Access Control) or IP addresses, a schedule defined by the administrator, client identity or application. Think of it as a stateful database firewall instead of a deep-packet inspection IPS or IDS: The administrator does the heavy rules-definition lifting, with a little help from host- or network-based ACLs.

Enzo's unique feature set revolves around its approach to client authentication. Access rights can be defined using aliases that may be different from those used in the database. Say client access is defined in Enzo using the "John Doe" account existing in Active Directory. As the client accesses the database server through Enzo as John Doe, Enzo translates the connection to a different client identity to perform the transaction. This is useful when applications that use multiple IDs interact with a database with only a single account, yet an enterprise needs accurate logging of all client activity. Enzo does the translation and provides an audit trail.

This article is one in a series and is part of NWC's Rolling Review of extrusion-prevention systems. Click on that link to go to the Rolling Reviews home page to read all the features and reviews now.

Expanding on the idea of client aliasing, Enzo supports two-factor authentication with RSA and CryptoCard. For our testing, CryptoCard gave us an evaluation kit. Additional setup was minor, and the delimiter for including a client identity and PIN during login was selectable. The only drawback to client aliases and two-factor authentication is the lack of support for Oracle databases. These features currently work only with Microsoft SQL Server 2000 and 2005.

Who Goes ThereClick to enlarge in another window

Like Imperva's SecureSphere, Enzo supports notifications to both syslog and SMTP servers. With filtering and rules on the servers receiving notifications, awareness of malicious activity can be near-real-time. Enzo also supports logging all events to a database through an ODBC connection. We set up the syslog link with no problem and immediately began seeing events on our Linux syslog server.

For ODBC logging, Pyn Logic requires that a DSN (data source name) be configured on the Enzo server before setup; logging then worked as advertised. Built-in reporting capabilities are basic, but provide a quick overview of what's going on with each Enzo Engine. Most enterprises will set up a SIM (security information manager) to leverage the logs available through syslog or ODBC.

Smaller organizations may find that Pyn Logic's Enzo 2006 is a good fit, giving them granular client access, account aliasing and an extra layer of protection between clients and database servers. However, because it lacks such features as automatic enumeration of databases, clients and usage patterns; SSL decryption; and rules for detecting actual data leakage, large enterprises with databases numbering in the double to triple digits and thousands of clients will find Enzo severely lacking.


>ABOUT THIS ROLLING REVIEW:Database extrusion prevention products are being tested at our Real-World Labs® at the University of Florida. We're assessing ease of installation and configuration; breadth of database support; visibility into database activity--for example, network-based or local management on the database server; detection and notification and/or blocking of attacks; features; and price.>FEATURED PRODUCT: Pyn Logic Enzo 2006; $9,999 per four-CPU installation, includes 90-day warranty and telephone support. Ongoing maintenance and software updates run 20 percent of license cost for one year, 44 percent for three years.

>ALREADY TESTED: Imperva's SecureSphere Database Security Gateway>NEXT UP:RippleTech Informant>OTHER VENDORS INVITED: Application Security, Crossroads Systems, Guardium, IPLocks, Symantec, Tizor Systems and Transparency Software. Contact the author at [email protected] for consideration.

NWC's Rolling Reviews present a comprehensive look at a hot technology category, beginning with market analysis and wrapping up with a synopsis of our findings. See our kickoff to this database extrusion detection/prevention series at

John H. Sawyer is a senior it security engineer at the University Of Florida and a GIAC-certified Firewall Analyst, Incident Handler and Forensic Analyst. Write to him at [email protected].

Stay informed! Sign up to get expert advice and insight delivered direct to your inbox

You May Also Like

More Insights