Put Your Databases In Good Hands

The feature-heavy SQL Guard 6.0 database extrusion prevention appliance did a stellar job protecting our test systems.

John H. Sawyer, Contributing Writer, Dark Reading

August 10, 2007

4 Min Read

Need to get a grip on what's going on within your database environment? Look no further than the SQL Guard 6.0 database extrusion prevention appliance. Guardium has thrown in practically every feature you'll need to lock down sensitive data--all that's missing is a sympathetic auditor. What, you thought this was a miracle box?

SQL Guard came to our University of Florida Real-World Labs on a Dell 1U server that can be deployed either in-line or out of band. In either scenario, it acts as a true extrusion prevention system, dropping traffic when in-line or sending TCP reset packets to the attacker and database server when out of band. We had no problems during testing with either option. Day-to-day management was a breeze thanks to a well-designed Web interface that shows off the maturity of the 6.0 release. As intuitive as we found the GUI, the sheer number of features available did sometimes leave us thumbing through the manual. Learn the ropes and this will be one formidable weapon.

SQL Guard supports Oracle 8i/9i/10G, Microsoft SQL Server 2000/2005, Sybase ASE/IQ, and IBM DB2 and Informix. The primary method of analyzing database activity is monitoring network traffic to the database servers. This works great when your topology supports the addition of a network appliance. Where that's a problem, as when virtualization places the application and database servers on the same physical host, Guardium joins Imperva and RippleTech in supporting database activity monitoring with a software probe, S-TAP. S-TAP can monitor both network-sourced database activity and local console activity, and it supports HP-UX, Solaris, Linux, AIX, OSF1, and Windows. We installed S-TAP, and all database activity generated from the local SQL management console was reported.

LOOK, NO HANDS
Automation is one of SQL Guard's strengths. Practically every task, from database server discovery to classification of data, can be automated. We configured the system to scan our network daily to discover and profile new database servers. First, SQL Guard performed a port scan for the IP addresses and ports we defined. Next, it determined what type of database server was listening on the port and put that information into a report for our review.

Because database server contents change constantly, security personnel, auditors, even DBAs can't be expected to know every instance of private or regulated data. Fortunately, SQL Guard 6.0 includes automatic classification based on data patterns, column and row names, or permissions. Our test servers contained Social Security and credit card numbers, so we defined classification tasks that searched for our data using regular expressions. The data was identified correctly.

SQL Guard's rules provide a lot of flexibility, enabling us to trigger on any combination of information related to database activity. One of the most useful rule-creation features was the policy simulator that would test our rule against data currently logged in SQL Guard. When creating rules with regular expressions to match data, a useful tool in the Web interface ensured that the regular expression was correct.

Similar to the previously reviewed DBEP systems, SQL Guard handled our attacks well whenever large amounts of data were coerced from the database or SSNs were retrieved using our Web server app instead of Excel. We created a rule to detect theft of customer information from our test site, even when it was stolen one record at a time. However, the rule may be impractical for large retailers because it relies on a minimum count of events within a specified interval, which had to be defined in minutes. An attacker could easily script a tool that would steal a single record every five minutes.
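The interval-count rule and its low-and-slow blind spot, as an added example that is not SQL Guard's own logic: a minimal sliding-window "N events in M minutes" rule run over constructed audit events, beside a longer-horizon per-client row tally that still catches a client pulling one record every five minutes. The client addresses, thresholds and event format are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)

# Constructed sample audit events: (timestamp, client, rows_returned).
# One client pulls a single row every five minutes for two hours (24 rows);
# another pulls twelve rows in under two minutes.
SAMPLE_EVENTS = [
    (datetime(2007, 8, 10, 9, 0) + timedelta(minutes=5 * i), "10.0.0.5", 1)
    for i in range(24)
] + [
    (datetime(2007, 8, 10, 9, 30) + timedelta(seconds=10 * i), "10.0.0.9", 1)
    for i in range(12)
]

def sliding_window_alerts(events, min_count, window_minutes):
    """Flag clients that produce at least min_count events inside any
    window_minutes span: the interval-count rule described in the review."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)
    flagged = set()
    for ts, client, _rows in sorted(events):
        q = recent[client]
        q.append(ts)
        while ts - q[0] > window:        # drop events older than the window
            q.popleft()
        if len(q) >= min_count:
            flagged.add(client)
    return flagged

def cumulative_alerts(events, max_rows, horizon_hours):
    """Flag clients whose total rows returned inside a fixed horizon_hours
    bucket exceed max_rows, however slowly the rows were fetched."""
    horizon = timedelta(hours=horizon_hours)
    totals = defaultdict(int)
    flagged = set()
    for ts, client, rows in events:
        bucket = (ts - EPOCH) // horizon  # tumbling bucket index
        totals[(client, bucket)] += rows
        if totals[(client, bucket)] > max_rows:
            flagged.add(client)
    return flagged

if __name__ == "__main__":
    print("5-min rule:", sliding_window_alerts(SAMPLE_EVENTS, 10, 5))
    print("24-h tally:", cumulative_alerts(SAMPLE_EVENTS, 20, 24))
```

The minute-scale rule only fires on the burst client; the day-scale tally is what catches the slow one, so the two are complementary rather than alternatives.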

There are more than 100 preconfigured reports, and creating custom reports is simple. Given the extensive reporting capabilities and status dashboards, most shops will be able to get by without a security event and information manager, though support is included for products such as ArcSight.

See other reviews we've done of database extrusion prevention products.

See original article on NetworkComputing.com
