Imperva's SecureSphere 2.0 combines signature- and anomaly-based detection to halt attacks on databases.
The solution employs a Linux-based Snort sensor to passively monitor bidirectional traffic for common Web-based attacks on databases. Response actions, configured via menu selections on the Windows-based management/reporting console, include dropping the connection with a TCP reset, logging an alert and running custom scripts to extract data (sensor ID, alert type, etc.). The Snort sensor includes standard Web attack and numerous SQL/Web server signatures (e.g. SQL UNION, DROP TABLE clauses), and you can schedule signature updates from Imperva.
The sensors initially monitor access to servers in "learn" mode to get a snapshot of "normal" activity--profiling queries issued, frequency of URL usage, patterns within URLs, etc.--for tagging and dropping traffic that falls outside the baseline. You can set acceptable variations in anomaly parameters, such as the standard deviation for learned URL behavior, to minimize false positives and the degree of deviation required to trigger an alert or response. SecureSphere also tracks session state and source IP address, so you can identify attacks coming from behind a proxy server.
Native support for Microsoft SQL Server and Oracle SQL syntax enables SecureSphere to maximize its anomaly detection. It can monitor the number of parameters passed during a SQL injection attack to tag anomalous strings and can stop attacks that manipulate SQL statements, such as xp_cmdshell calls coming from remote hosts. (When we launched a UNION SELECT * FROM sysobjects query to a vulnerable URL, it recognized our attack and reset our connection.) It also stops common HTTP manipulation attacks, including cookie poisoning, cross-site scripting and buffer overflows.
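The learn-then-detect flow described above, as an added Python example that is not Imperva's code: it builds a per-URL baseline of query-parameter counts from constructed sample traffic, then flags a request either on a signature (UNION SELECT, DROP TABLE, xp_cmdshell) or when its parameter count deviates from the baseline by more than a configurable number of standard deviations. The sample traffic, the signature list and the thresholds are all constructed for illustration.

```python
import math
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed "learn mode" traffic: the sensor would capture this passively.
LEARN_TRAFFIC = [
    "/search?q=shoes", "/search?q=hats", "/search?q=socks", "/search?q=belts",
    "/login?user=alice&pw=x", "/login?user=bob&pw=y", "/login?user=carol&pw=z",
]

# Signature side: patterns of the kind the page names (UNION, DROP TABLE, xp_cmdshell).
SIGNATURES = {
    "sql_union": re.compile(r"\bUNION\b\s+(ALL\s+)?SELECT\b", re.IGNORECASE),
    "sql_drop_table": re.compile(r"\bDROP\s+TABLE\b", re.IGNORECASE),
    "xp_cmdshell": re.compile(r"\bxp_cmdshell\b", re.IGNORECASE),
}


def learn_profile(requests):
    """Anomaly side: per-URL mean and standard deviation of the parameter count."""
    counts = defaultdict(list)
    for url in requests:
        parts = urlsplit(url)
        counts[parts.path].append(len(parse_qsl(parts.query, keep_blank_values=True)))
    profile = {}
    for path, xs in counts.items():
        mean = sum(xs) / len(xs)
        sd = math.sqrt(sum((x - mean) ** 2 for x in xs) / len(xs))
        profile[path] = (mean, sd)
    return profile


def classify(url, profile, max_sigma=2.0, min_sd=0.5):
    """Return (kind, detail) findings; max_sigma and min_sd play the role of the
    'acceptable variation' knobs, min_sd keeping a perfectly uniform baseline usable."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    findings = []
    for name, rx in SIGNATURES.items():
        if any(rx.search(value) for _, value in params):
            findings.append(("signature", name))
    if parts.path not in profile:
        findings.append(("anomaly", "unknown_url"))  # never seen in learn mode
    else:
        mean, sd = profile[parts.path]
        deviation = abs(len(params) - mean) / max(sd, min_sd)
        if deviation > max_sigma:
            findings.append(("anomaly", f"param_count_deviation={deviation:.1f}"))
    return findings
```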
SecureSphere integrates with Check Point Software Technologies' FireWall-1, communicating via native protocols to block attacks, which is no surprise given that Imperva's CEO, Shlomo Kramer, is a Check Point cofounder. The FW-1 integration is a nice feature, but take care: It's possible for attackers to overwhelm a firewall with excessive "dynamic rule modifications" generated by attacking a protected site from multiple external locations.
Deployment is straightforward. Installing the embedded database, which stores configuration and sensor-generated data, takes about 30 minutes. The boot CD and an intuitive text-based menu--a valuable resource for non-Linux users--guide users through assigning a sensor name, IP address and network interface settings. A Web-based GUI allows you to define IP addresses, port numbers and URLs for Web servers and approved SQL statements, with accompanying parameter data for SQL servers. However, MySQL and IBM DB2 RDBMS support is lacking, which is too bad given the growing use of MySQL in Internet-facing applications.
Crystal Reports is bundled; otherwise, basic reporting provides summary views of anomalies generated, offending IP addresses and common URLs attacked. Alerts can be e-mailed from the console to security managers or admins, but integration with management frameworks, such as Remedy, IBM Tivoli or HP OpenView, for assigning trouble tickets would be better.
Unfortunately, you can't write custom anomaly detection rules; that requires code changes from Imperva. Extending the rules engine would allow you to write your own--a must-have for extranet users who, for example, may need to allow partners to legitimately pass a long parameter to a URL.
Despite its limitations, Imperva's SecureSphere provides solid security with minimal installation requirements. It's an easy way to put industrial-strength protection in front of critical commerce applications.
About the Author
Peter Giannacopoulos is a contributor to Information Security magazine.
This was first published in December 2005