Psst! Informant Tells A Good Story For A Song

WE MAKE THE RULES

The true power behind Informant lies in its flexible expression-based rules. We could configure our rules manually or take advantage of predefined rule sets based on either the type of database being monitored or the goal being achieved through monitoring--for example, compliance, security, performance, or auditing. Rules can be written using Boolean expressions acting on metrics examined by Informant; these include begin_time, the starting time of a query; data_out, the bytes in an outbound result packet; return_rows, the number of rows in a returned result set; and query_text, the SQL query sent by the client.

RippleTech has defined about 35 metrics per supported database platform, so rule writing will be granular enough for most IT groups. For our tests, we created rules that worked flawlessly performing such tasks as alerting us if an IP address other than the developer's workstation connects, accesses our customer data table, or updates or requests more than 10 rows.

Informant stood up well to our series of attacks when it came to bulk data transfers, but it succumbed to small amounts of data leakage. Attacks from our test e-commerce site were detected when more than a single row (or customer record) was returned, but when we slowly stepped through the customer database one row at a time, we were able to make off with data. As no agent is available for Windows, we were unable to test for privileged-insider attacks using the local database console; however, all attacks attempting to access data outside the scope of the current user's privileges triggered our rules.

Informant includes a superset of logging features seen in previously reviewed products from Imperva and Pyn Logic. Logging and alerting are both through standard syslog, SNMP traps, SMTP messages, execution of custom scripts, or insertion into Microsoft SQL Server. Unlike Imperva and the upcoming product in our review lineup, Guardium, there's no dashboard for monitoring alerts. Enterprises can choose to leverage an existing security information and event manager, or SIEM; purchase a new one, such as an offering from RippleTech partner NetForensics; implement a syslog/SNMP monitor that isn't necessarily as robust or expensive as most SIEMs; or depend on logging on to Microsoft SQL Server. We went the latter route. The MS SQL Server instance provided for testing uses RippleTech's LogCaster, which is included with the purchase of Informant, for log management, and SQL Server 2005's Reporting Services for event monitoring, compliance reporting, and forensic auditing of incidents. We found this a powerful combination, and best of all, even with hardware and software costs, the as-tested price is still lower than that of the similar Imperva SecureSphere.

Management of Informant was extremely simple thanks to Web-based interfaces for both configuration and system management. The Informant configuration interface was straightforward and looked surprisingly like the Linksys home router management interface. Those opting for the appliance will find the open source Webmin software provides system management.

Don't let these simplistic management interfaces fool you, however--Informant is a powerful tool for getting a better look at what's going on within your enterprise database deployments, at a reasonable cost. The plethora of metrics monitored is impressive and can alert IT to potential breaches--before they become devastating.

John H. Sawyer is a senior security engineer at the University of Florida. He can be reached at [email protected]

Rolling Reviews present a comprehensive look at a hot technology category, including market analysis, product reviews, and wrapping up with a synopsis of our findings. See our kickoff and other reviews in this database extrusion detection/prevention series at Rolling Reviews.