This article can also be found in the Premium Editorial Download "Information Security magazine: Reviews of six top Web application firewalls."
Download it now to read this article plus other related content.
Price: Starts at $35,000
Imperva's SecureSphere Database Security Gateway offers a unique combination of automated monitoring and proactive auditing for protecting your databases, the "Crown Jewels" of your organization. Their configuration flexibility, a product strongpoint, allows you to protect against insider abuse, external attacks, or simply comply with regulation requirements such as PCI.
SecureSphere includes over 350 security tests to identify security issues such as unpatched database software, default user accounts, and vulnerable database objects and configuration issues to mention a few.
SecureSphere can be installed and implemented in one of two modes: sniffer, i.e., passive offline mode, or inline via transparent bridging. An additional Management Gateway is available to help manage multiple appliances. Inline appliances have the ability to protect databases from attacks and unauthorized access via a comprehensive suite signatures and analysis techniques.
Physically installing a single Gateway appliance is straightforward, as it can be deployed with negligible impact to network or database environment. Sniffer mode only requires configuration of a mirror port on a network switch. Inline mode, which is recommended, requires no changes other than plugging in Ethernet cables.
No database administration or engineering experience is expected or required during the installation; all you need is an IP address and the type of database ( Oracle, Microsoft SQL Server, DB2, Sybase and Informix are supported).
One of the most impressive features is Imperva's Dynamic Profiling technology which discovers database structure, users, executed SQL queries, and stored procedures. With minimal additional human logic and intervention in setting up audit policies, the appliances will create an activity baseline. This baseline will then be leveraged to determine normal versus anomalistic behavior and can generate security alerts on known threats or out-of-band activity.
Reporting takes minutes to configure once the policies and alerts are set and configured.
Similar to most other enterprise applications or appliance solutions, you'll start looking for management efficiencies after you have implemented about three or four. The optional MX Management Server allows you to manage multiple appliances, create centralized reporting, and log events from a single location. The hierarchical, object-based policy structure enables enterprises and ASPs to manage and audit hundreds to thousands of databases. SecureSphere can integrate its logs via SNMP, syslog, email, or direct database access for consumption and correlation by SIEMs, ticketing systems, or enterprise tools like HP Openview.
A real-time dashboard serves as the nexus of the SecureSphere Gateway, providing system status and tactical information on security events. We were able to monitor attacks and access being blocked in real-time via policies that we created. For instance, we stated that users could not log into the database from external IPs that were not part of the VPN Group. The email alert followed up with a "block" action worked as advertised.
Role-based user management enables you to create and define administrative and read-only privileges at the user and group level for individual objects, policies, and reports. There is no set limitation to the number of users, groups, or roles that you can create.
You can even track specific user sessions, as users connect through applications, rather than directly to the database. SecureSphere's Universal User Tracking combines several mechanisms to include source IP and session information to accurately correlate users to specific changes to applications or your databases.
SecureSphere offers passive and active technologies for vulnerability assessment. Active assessments require DB credentials to log in and retrieve information from the target database, searching for configuration errors, unsafe practices, OS versions, appropriate user privilege levels, etc.
Our testing revealed platform configuration issues such as default installation accounts and weak password policy settings as opposed to software vulnerabilities.
Passive assessments analyze captured traffic via a sniffer to understand how the database is being utilized. It can identify issues such as account sharing or two individuals logging into the database simultaneously from different sources.
Testing methodology: We tested a SecureSphere Database Security Gateway G4 appliance in a lab that contained Microsoft SQL Server 2005 on Windows Server 2003, Oracle 9i on Windows 2000 Server, and Oracle 10g on Sun Solaris 8 and 9.
This was first published in March 2008