This article can also be found in the Premium Editorial Download "Information Security magazine: Tips from the 2007 Security 7 Awards."
Guardium SQL Guard 6.0
REVIEWED BY JAMES C. FOSTER
Price: Starts at $50,000
In an industry flush with
SQL Guard continues to address one of the most typical database audit failure points. Most auditors will not issue a "pass" if you leverage a database's native logging features because they are owned and controlled by the groups you are trying to monitor (for example, DBAs should not be responsible for configuring and monitoring DBAs). SQL Guard ensures a system of checks and balances between the security and database engineering teams.
The solution consists of local database agents, network-based appliances to passively gather traffic or to actively work as a firewall, and aggregation servers that collect and analyze data.
Passively collecting network traffic is as easy as running a sniffer; installing agents will require admin credentials and console-level access.
The classification feature helps you identify potentially sensitive information on a live database. You can create rules based on SQL Guard's Perl Compatible Regular Expression (PCRE) engine to search for data, specific permissions, or even conduct a catalog search. The results can be categorized and assigned additional rules for protection.
You can create any number of levels of classification depending on the complexity of your environment or business (low, medium, high, or severe, critical, sensitive, compliance, etc.).
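The classification workflow described above, as an added example that is not Guardium's code: a small Python classifier that applies PCRE-style rules to constructed sample rows, uses an optional validator (a Luhn check) to suppress false-positive card-number hits, assigns a hypothetical low/medium/high level per column, and renders the findings as key=value lines of the kind you would forward over syslog.

```python
import re

# Constructed sample rows standing in for a live table that a scan would read.
SAMPLE_ROWS = [
    {"customer_id": "1001", "email": "alice@example.com", "card": "4111 1111 1111 1111", "notes": "vip"},
    {"customer_id": "1002", "email": "bob@example.com", "card": "1234567812345678", "notes": "ssn 123-45-6789"},
    {"customer_id": "1003", "email": "n/a", "card": "", "notes": "renewal due"},
]

LEVELS = {"low": 0, "medium": 1, "high": 2}  # hypothetical three-tier scheme


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from arbitrary 16-digit strings."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:  # double every second digit counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


# (name, level, PCRE-style pattern, optional validator that rejects false positives)
RULES = [
    ("credit_card", "high", re.compile(r"\b(?:\d[ -]?){13,16}\b"),
     lambda hit: luhn_ok(re.sub(r"[ -]", "", hit))),
    ("us_ssn", "high", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), None),
    ("email", "medium", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), None),
]


def classify(rows: list, rules=RULES) -> dict:
    """Return {column: (level, rule_name)} using the highest level of any rule that fires.
    A rule fires only if its pattern matches AND its validator (if any) accepts the hit."""
    findings: dict = {}
    for row in rows:
        for column, value in row.items():
            for name, level, pattern, validator in rules:
                hits = [m.group(0) for m in pattern.finditer(value)]
                if validator is not None:
                    hits = [h for h in hits if validator(h)]
                if hits and (column not in findings or LEVELS[level] > LEVELS[findings[column][0]]):
                    findings[column] = (level, name)
    return findings


def to_syslog(findings: dict, table: str) -> list:
    """Render findings as flat key=value lines suitable for forwarding over syslog."""
    return [f"classification table={table} column={c} level={lvl} rule={r}"
            for c, (lvl, r) in sorted(findings.items())]


if __name__ == "__main__":
    for line in to_syslog(classify(SAMPLE_ROWS), "customers"):
        print(line)
```

Note that the second row's 16-digit value is matched by the pattern but rejected by the Luhn validator, so only the `card` column's genuine card number drives its classification.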
The strong custom reporting is built atop a SQL querying engine.
The new incident management dashboard provides a clear-cut summary on policy violations and incidents. It permits you to quickly dig deep into the incident, via a click, to identify the timestamp, source/destination IP, user, full SQL string, technical incident specifics and more. The breadth of information is impressive.
Alerts are triggered in one of two ways: statistical or real time. Both save the same type and amount of data; however, one is merely logged into the back-end Guardium database and the other is logged and then passed to one of four notification mechanisms.
Organizations looking to monitor databases in real time will be best served leveraging SQL Guard's integration capabilities as opposed to its console. SQL Guard can easily integrate with SIEM or aggregation platforms via SMTP, SNMP, syslog, or a custom Web-based Java class.
Testing methodology: We tested a Guardium G2000 appliance in a lab that contained DB2 8 and Oracle 9i and 10g on Linux 2.6, Informix 7 on AIX 5.3, SQL Server 2000 and 2005 on Windows Server 2003, and Sybase 15 on Sun Solaris 9.
This was first published in October 2007