SecureSphere 2.0

Imperva
Price: $25,000

Imperva's SecureSphere 2.0 combines signature- and anomaly-based detection to halt attacks on databases.

The solution employs a Linux-based Snort sensor to passively monitor bidirectional traffic for common Web-based attacks on databases. Response actions, configured via menu selections on the Windows-based management/reporting console, include dropping the connection with a TCP reset, logging an alert and running custom scripts to extract data (sensor ID, alert type, etc.). The Snort sensor includes standard Web attack and numerous SQL/Web server signatures (e.g., SQL UNION, DROP TABLE clauses), and you can schedule signature updates from Imperva.

The sensors initially monitor access to servers in "learn" mode to get a snapshot of "normal" activity--profiling queries issued, frequency of URL usage, patterns within URLs, etc.--for tagging and dropping traffic that falls outside the baseline. You can set acceptable variations in anomaly parameters, such as the standard deviation for learned URL behavior, to minimize false positives and the degree of deviation required to trigger an alert or response. SecureSphere also tracks session state and source IP address, so you can identify attacks coming from behind a proxy server.

Native support for Microsoft SQL Server and Oracle SQL syntax enables SecureSphere to maximize its anomaly detection. It can monitor the number of parameters passed during a SQL injection attack to tag anomalous strings and can stop attacks that manipulate SQL statements, such as xp_cmdshell calls coming from remote hosts. (When we launched a UNION SELECT * FROM sysobjects query to a vulnerable URL, it recognized our attack and reset our connection.) It also stops common HTTP manipulation attacks, including cookie poisoning, cross-site scripting and buffer overflows.
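To make the two detection layers the review describes concrete, the following is an added Python example, not Imperva's code and not SecureSphere's rule format: a toy inspector with a signature layer modelled on the SQL strings named above (UNION SELECT, DROP TABLE, xp_cmdshell) and a per-URL anomaly layer that records parameter counts and value lengths during a learn phase, then flags requests that sit more than a configurable number of standard deviations from that baseline. The request lines, the signature patterns, the three-sigma threshold, the minimum sample count and the mapping of hits to reset/alert/allow actions are all constructed for this example.

```python
import re
import statistics
from collections import defaultdict
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Signature layer. Patterns are constructed for this example and modelled on the
# strings the review mentions; they are not Imperva's signature set.
SIGNATURES = {
    "sql-union-select": re.compile(r"\bunion\b[\s\S]{0,32}?\bselect\b", re.I),
    "sql-drop-table": re.compile(r"\bdrop\s+table\b", re.I),
    "mssql-xp_cmdshell": re.compile(r"\bxp_cmdshell\b", re.I),
}

# Assumed response policy: signature hits reset the connection, anomaly hits are
# logged as alerts, everything else passes.
ACTION_ON_SIGNATURE = "reset"
ACTION_ON_ANOMALY = "alert"
ACTION_DEFAULT = "allow"


def parse_request_line(line):
    # 'GET /catalog.asp?id=1 HTTP/1.1' -> (path, decoded query, [(name, value), ...])
    _method, target, _version = line.split(" ", 2)
    parts = urlsplit(target)
    return parts.path, unquote_plus(parts.query), parse_qsl(parts.query, keep_blank_values=True)


class UrlBaseline:
    """Per-URL profile built in learn mode: parameter-count and value-length samples."""

    def __init__(self):
        self.counts = []
        self.lengths = []

    def learn(self, params):
        self.counts.append(len(params))
        self.lengths.extend(len(value) for _name, value in params)

    @staticmethod
    def _zscore(x, samples):
        # Distance from the learned mean in standard deviations; a degenerate
        # baseline (all samples equal) treats any different value as far out.
        mean = statistics.fmean(samples)
        sd = statistics.stdev(samples) if len(samples) > 1 else 0.0
        if sd == 0.0:
            return 0.0 if x == mean else float("inf")
        return (x - mean) / sd

    def deviations(self, params):
        """Return (parameter-count z-score, longest-value z-score) for one request."""
        count_z = self._zscore(len(params), self.counts)
        longest = max((len(value) for _name, value in params), default=0)
        length_z = self._zscore(longest, self.lengths) if self.lengths else 0.0
        return count_z, length_z


class Inspector:
    def __init__(self, sigma_threshold=3.0, min_samples=5):
        self.sigma = sigma_threshold      # operator-tunable deviation before an alert
        self.min_samples = min_samples    # learn-mode samples needed before judging a URL
        self.baselines = defaultdict(UrlBaseline)

    def learn(self, request_lines):
        """Learn mode: record normal parameter usage per URL; no verdicts are issued."""
        for line in request_lines:
            path, _query, params = parse_request_line(line)
            self.baselines[path].learn(params)

    def inspect(self, line):
        """Signatures are checked first, then the request is scored against its URL baseline."""
        path, query, params = parse_request_line(line)
        hits = [name for name, rx in SIGNATURES.items() if rx.search(query)]
        verdict = {"path": path, "signatures": hits, "anomalies": [], "action": ACTION_DEFAULT}
        if hits:
            verdict["action"] = ACTION_ON_SIGNATURE
            return verdict
        baseline = self.baselines.get(path)
        if baseline is None or len(baseline.counts) < self.min_samples:
            verdict["note"] = "no baseline for this URL; signature check only"
            return verdict
        count_z, length_z = baseline.deviations(params)
        if count_z > self.sigma:
            verdict["anomalies"].append(f"param-count +{count_z:.1f} sigma")
        if length_z > self.sigma:
            verdict["anomalies"].append(f"value-length +{length_z:.1f} sigma")
        if verdict["anomalies"]:
            verdict["action"] = ACTION_ON_ANOMALY
        return verdict


# Constructed learn-mode traffic for one catalog page (not captured from any real site).
LEARNED_TRAFFIC = [
    "GET /catalog.asp?id=4821 HTTP/1.1",
    "GET /catalog.asp?id=177&sort=price HTTP/1.1",
    "GET /catalog.asp?id=93 HTTP/1.1",
    "GET /catalog.asp?id=5503&sort=name HTTP/1.1",
    "GET /catalog.asp?id=6014 HTTP/1.1",
    "GET /catalog.asp?id=330 HTTP/1.1",
]


def build_inspector():
    inspector = Inspector(sigma_threshold=3.0, min_samples=5)
    inspector.learn(LEARNED_TRAFFIC)
    return inspector
```

Calling `build_inspector().inspect(...)` on a normal catalog request returns `allow`; a request whose decoded query carries `UNION SELECT` is reset by the signature layer before any baseline is consulted; a request with four parameters against a baseline of one or two gets an `alert` from the anomaly layer with no signature involved, which is the case the review's "number of parameters" remark describes; and a URL never seen in learn mode is judged by signatures only, a gap worth tracking when tuning the learn phase.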

SecureSphere integrates with Check Point Software Technologies' FireWall-1, communicating via native protocols to block attacks, which is no surprise given that Imperva's CEO, Shlomo Kramer, is a Check Point cofounder. The FW-1 integration is a nice feature, but take care: It's possible for attackers to overwhelm a firewall with excessive "dynamic rule modifications" generated by attacking a protected site from multiple external locations.

Deployment is straightforward. Installing the embedded database, which stores configuration and sensor-generated data, takes about 30 minutes. The boot CD and an intuitive text-based menu--a valuable resource for non-Linux users--guide users through assigning a sensor name, IP address and network interface settings. A Web-based GUI allows you to define IP addresses, port numbers and URLs for Web servers and approved SQL statements, with accompanying parameter data for SQL servers. However, MySQL and IBM DB2 RDBMS support is lacking, which is too bad given the growing use of MySQL in Internet-facing applications.

Crystal Reports is bundled; otherwise, basic reporting provides summary views of anomalies generated, offending IP addresses and common URLs attacked. Alerts can be e-mailed from the console to security managers or admins, but integration with management frameworks, such as Remedy, IBM Tivoli or HP OpenView, for assigning trouble tickets would be better.

Unfortunately, you can't write custom anomaly detection rules; that requires code changes from Imperva. Extending the rules engine would allow you to write your own--a must-have for extranet users who, for example, may need to allow partners to legitimately pass a long parameter to a URL.

Despite its limitations, Imperva's SecureSphere provides solid security with minimal installation requirements. It's an easy way to put industrial-strength protection in front of critical commerce applications.

About the Author
Peter Giannacopoulos is a contributor to Information Security magazine.

This review originally appeared in Information Security magazine.

This was first published in August 2005