SecureSphere 2.0
Imperva
Price: $25,000

Imperva's SecureSphere 2.0 combines signature- and anomaly-based detection to halt attacks on databases.

The solution employs a Linux-based Snort sensor to passively monitor bidirectional traffic for common Web-based attacks on databases. Response actions, configured via menu selections on the Windows-based management/reporting console, include dropping the connection with a TCP reset, logging an alert and running custom scripts to extract data (sensor ID, alert type, etc.). The Snort sensor includes standard Web attack and numerous SQL/Web server signatures (e.g. SQL UNION, DROP TABLE clauses), and you can schedule signature updates from Imperva.

The sensors initially monitor access to servers in "learn" mode to get a snapshot of "normal" activity--profiling queries issued, frequency of URL usage, patterns within URLs, etc.--for tagging and dropping traffic that falls outside the baseline. You can set acceptable variations in anomaly parameters, such as the standard deviation for learned URL behavior, to minimize false positives and the degree of deviation required to trigger an alert or response. SecureSphere also tracks session state and source IP address, so you can identify attacks coming from behind a proxy server.


Native support for Microsoft SQL Server and Oracle SQL syntax enables SecureSphere to maximize its anomaly detection. It can monitor the number of parameters passed during a SQL injection attack to tag anomalous strings and can stop attacks that manipulate SQL statements, such as xp_cmdshell calls coming from remote hosts. (When we launched a UNION SELECT * FROM sysobjects query to a vulnerable URL, it recognized our attack and reset our connection.) It also stops common HTTP manipulation attacks, including cookie poisoning, cross-site scripting and buffer overflows.
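The learn-mode baseline and the parameter-count check described above, as an added illustration that is not Imperva's code: a toy profiler (constructed here) learns each URL's parameter count and total parameter length from benign requests, then reports a signature hit on the decoded values or a deviation beyond k standard deviations from the learned mean. The signature patterns, the k=3 tolerance and the five-sample minimum are illustrative choices, not the product's settings.

```python
import re
import statistics
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Signature patterns (constructed here; the review names UNION, DROP TABLE and xp_cmdshell)
SIGNATURES = {
    "sql_union": re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I),
    "sql_drop_table": re.compile(r"\bdrop\s+table\b", re.I),
    "mssql_xp_cmdshell": re.compile(r"\bxp_cmdshell\b", re.I),
}
def _parse(url):  # -> (path, URL-decoded [(name, value), ...])
    parts = urlsplit(url)
    return parts.path, parse_qsl(parts.query, keep_blank_values=True)
class UrlProfiler:  # learn-mode baseline per path: parameter count and total parameter length
    def __init__(self, k=3.0, min_samples=5):
        self.k = k                        # tolerated deviation, in standard deviations
        self.min_samples = min_samples    # don't alert on a baseline that is too thin
        self.samples = defaultdict(list)  # path -> [(param_count, param_length), ...]
    def learn(self, url):
        path, params = _parse(url)
        self.samples[path].append((len(params), sum(len(v) for _, v in params)))

    def check(self, url):
        """Return findings: signature hits on decoded values, then baseline deviations."""
        path, params = _parse(url)
        decoded = " ".join(v for _, v in params)
        findings = [name for name, pat in SIGNATURES.items() if pat.search(decoded)]
        hist = self.samples.get(path, [])
        if len(hist) >= self.min_samples:
            observed = (len(params), sum(len(v) for _, v in params))
            for col, label in enumerate(("param_count", "param_length")):
                vals = [s[col] for s in hist]
                mean, sd = statistics.mean(vals), statistics.pstdev(vals)
                # Floor of 1.0 so a perfectly constant baseline still tolerates minor drift
                if abs(observed[col] - mean) > self.k * max(sd, 1.0):
                    findings.append("anomaly:" + label)
        return findings

def demo():
    """Constructed traffic: learn six benign product lookups, then check four new requests."""
    p = UrlProfiler()
    for pid in ("101", "2045", "17", "3310", "88", "514"):
        p.learn(f"/product.asp?id={pid}")
    return {
        "benign": p.check("/product.asp?id=777"),
        "union": p.check("/product.asp?id=1+UNION+SELECT+*+FROM+sysobjects"),
        "long_param": p.check("/product.asp?id=5&ref=" + "A" * 40),
        "unlearned": p.check("/search.asp?q=test"),
    }
```

The long `ref` case is flagged purely on length, which is the tuning problem the review raises for extranet partners passing legitimately long parameters; a path with no learned baseline gets only the signature check.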

SecureSphere integrates with Check Point Software Technologies' FireWall-1, communicating via native protocols to block attacks, which is no surprise given that Imperva's CEO, Shlomo Cramer, is a Check Point cofounder. The FW-1 integration is a nice feature, but take care: It's possible for attackers to overwhelm a firewall with excessive "dynamic rule modifications" generated by attacking a protected site from multiple external locations.

Deployment is straightforward. Installing the embedded database, which stores configuration and sensor-generated data, takes about 30 minutes. The boot CD and an intuitive text-based menu--a valuable resource for non-Linux users--guide users through assigning a sensor name, IP address and network interface settings. A Web-based GUI allows you to define IP addresses, port numbers and URLs for Web servers and approved SQL statements, with accompanying parameter data for SQL servers. However, MySQL and IBM DB2 RDBMS support is lacking, which is too bad given the growing use of MySQL in Internet-facing applications.

Crystal Reports is bundled; otherwise, basic reporting provides summary views of anomalies generated, offending IP addresses and common URLs attacked. Alerts can be e-mailed from the console to security managers or admins, but integration with management frameworks, such as Remedy, IBM Tivoli or HP OpenView, for assigning trouble tickets would be better.

Unfortunately, you can't write custom anomaly detection rules; that requires code changes from Imperva. Extending the rules engine would allow you to write your own--a must-have for extranet users who, for example, may need to allow partners to legitimately pass a long parameter to a URL.

Despite its limitations, Imperva's SecureSphere provides solid security with minimal installation requirements. It's an easy way to put industrial-strength protection in front of critical commerce applications.

About the Author
Peter Giannacopoulos is a contributor to Information Security magazine.

This review originally appeared in Information Security magazine.

This was first published in August 2005
