SECURITY BUYER'S GUIDE

Hot Pick: SQL Guard


by James C. Foster
12.21.2004


SQL Guard
Guardium
Price: Starts at $12,995

Databases have a tremendous amount of built-in security to protect data. What they lack is the ability to defend their underlying code and engines from external attacks and internal misuse.

Guardium's SQL Guard is part of the emerging class of security devices that sit in front of databases, monitoring traffic for illegal and malicious activity. Its robust features maintain detailed audit logs and can alert security managers at the first sign of trouble. Built on a Linux appliance, SQL Guard supports all leading database implementations: Oracle, IBM, Sybase and Microsoft. Its passive monitoring won't impede database performance, though Guardium rates throughput at 400 requests per second. It captures traffic type, source, requests and user names, both to determine whether the activity is authorized and to support forensic analysis in the event of a breach.



    SQL Guard can be deployed inline (i.e., preventative mode) to block sessions, commands and traffic from watch list users or any traffic that triggers filtering rules. While there's always potential for false positives to block legitimate traffic, our testing found its automated blocking accuracy near perfect.

    Like a firewall's rules, SQL Guard's filtering rules alert security managers to traffic from defined sources and users, or to traffic that matches particular conditions, such as excessive logons, one-user/one-IP, clients executing administrative commands, SQL overflows and SQL injection attacks.

    SQL Guard is actually a suite of three modules: HealthGuard, PolicyGuard and AuditGuard.

    HealthGuard continuously monitors and assesses database-bound traffic, proactively rating threat levels to the database through an assortment of utilities. The intelligence gathered by the module is fuel for the rest of the suite.

    PolicyGuard offers policy-generation tools, real-time policy alerts and automated policy enforcement. Security managers can use it to define acceptable use within their environment, such as access restrictions to the database code after hours. Any policy violation results in an alert via the SQL Guard interface, scheduled reports or e-mail alerts.

    AuditGuard is a must-have for enterprises that fall under government regulations such as HIPAA and Sarbanes-Oxley. It offers granular tracking and reporting of all database activities; the reports are easy to customize and generate through the Web-based Java interface.

    It's this interface that puts SQL Guard in a league of its own. One click can dissect SQL commands and render how and what data is being accessed within the database and who's changing it. Its ability to monitor entire user sessions is impressive, and its forensics tools, which can track the path of a suspicious user, trace attacks, gather evidence and recover deleted data, are alone worth the cost of deployment.

    A useful feature is SQL Guard's single-click access for viewing all SQL commands and prominent "watch lists" to monitor suspicious IP addresses.

    SQL Guard's hierarchical architecture is especially helpful in large, complex database deployments covering multiple implementations and types of databases. By dispersing appliances throughout the network in front of databases or DMZ-like subnets housing databases (each configured to pass traffic through an encrypted link back to the root platform), this hierarchy lets individual DBAs monitor particular systems while the security manager views collected data and correlates enterprise-wide trends.

    Guardium's SQL Guard is a perfect addition for enterprises responsible for maintaining the security of multiple databases, but lacking the authority, time or skill set to continuously assess and reconfigure them.

    About the author
    James C. Foster is the deputy director for Global Security Solution Development at CSC. Foster has also worked for Guardent (acquired by Verisign), Foundstone (acquired by McAfee) and the Department of Defense.

    This article originally appeared in our sister publication Information Security magazine.
