This article can also be found in the Premium Editorial Download "Information Security magazine: Depth charge: Survey shows big spending on defense in depth."
Download it now to read this article plus other related content.
Database security has been neglected ever since monolithic mainframes gave way to client-server systems, exposing the SQL command line. Today's n-tier Web environment and tomorrow's n-peer Web services multiply the number of attack points and reinforce the need to separate data security from application security.
Database activity can be monitored at three basic layers: attacks that target database components, such as buffer overflows in Oracle or SQL Server; SQL commands that manipulate the database format and/or data, as well as the stored procedures that automate these tasks; and attacks that target specific content within databases.
A common attack against databases is SQL injection, through which an attacker manipulates an input form to pass unauthorized commands. Web-app firewalls, like those from Sanctum, KaVaDo, Teros and NetContinuum, identify abnormal behavior and block attacks. Web scanners by Sanctum, KaVaDo and SPI Dynamics also scan and test for SQL injection conditions.
These tools watch HTTP traffic, but they don't address database communications from traditional client-server apps and/or the SQL command line (e.g., SQL*Plus in Oracle). A few vulnerability assessment tools focus on the database, such as Application Security's AppDetective, NGSSoftware's NGSSQuirreL, Internet Security Systems' Database Scanner and NetIQ's VigilEnt Security Agents, but they don't provide active real-time monitoring.
New database IDSes can act as intelligent, real-time monitors that inspect data streams and detect inappropriate activity. Regular IDSes can monitor for attacks, but not with the same depth of a purpose-built database IDS.
For instance, Imperva's SecureSphere 2.0 actively monitors network traffic for database streams and identifies attacks with Snort and commercial IDS signatures. It gathers and retains database "state" information. SecureSphere employs auto-learning techniques to establish a baseline of activity for identifying deviations.
IPLocks' IPLocks-Database Security Audit System, when configured to run continuously, is a near real-time monitor of configurations and logs. It identifies changes to privileges and metadata, and it looks at content and user behavior to identify unauthorized activity.
Guardium's SQL Guard passively monitors SQL streams and acts like a security event manager by aggregating and correlating information to build an activities record. It creates database logs without the performance hit to the database itself, leveraging this information to understand, for example, what an individual user is doing when accessing multiple databases.
Other players in the space include Lumigent's Entegra and Application Security's AppRadar.
We are taught in Security 101 to "follow the data" for a reason--data is the heart of our CIA concerns. Many products address "data security," but these solutions are giving real meaning to the term "database security."
PETE LINDSTROM, CISSP, is research director at Spire Security.
This was first published in April 2004