Published: 01 Mar 2005
Database security products promise an extra measure of security for your most valuable assets. Are they worth the price?
The crown jewels are at risk: intellectual property, customer ID information and financial records encased in corporate databases. If they're vulnerable, so are your company's finances and reputation. And regulatory compliance failure, triggered by a serious breach or audit that reveals lax database security, can bring heavy fines and/or jail time.
Perimeter defenses alone, such as firewalls, IPSes and Web app shields, can't ensure security in the face of Web-based attacks that exploit myriad database configuration vulnerabilities and insecure front-end Web code.
Your best strategy against these attacks is to harden their target: Properly configured databases will stand strong against most attacks. Moreover, the landscape is changing. Industry database leaders Oracle and Microsoft are beefing up security in new versions of 10g and SQL Server, respectively, which are better configured out of the box than their predecessors and have much easier native encryption options.
But database security doesn't end with your initial configuration. Ongoing vigilance is required because even good DBAs make mistakes, and malicious or ill-informed users alter configurations. Regular vulnerability scanning and testing, and continuous monitoring for unauthorized change, will help keep your databases hardened against attacks. There are a number of scanning and IDS/monitoring tools that address these needs.
Database Vulnerability Scanning
If you're in charge of security, chances are you don't have direct, high-privilege access to the database; you need to secure it from the outside. As with network VA, you have two general options: scanners and penetration testing.
Network scanners, like open-source Nessus and eEye Digital Security's Retina Network Security Scanner, may tell you if your database patches are up to date, but they won't find database-specific vulnerabilities, such as sloppy configurations that leave you open to deep SQL manipulation, injection or directory traversal attacks.
To do that, you'll have to turn to one of the handful of database VA scanners, or to professional pen testers who specialize in attacking databases.
Database-specific vulnerability assessment tools take a much more granular look at the database's configuration and the vulnerabilities associated with poor configurations than network VA scanners.
U.K.-based Next Generation Security Software's flagship database scanner, NGSSquirrel, has database-specific versions for SQL Server, Oracle and DB2, as well as DominoScan II for Lotus Domino. Each includes specific checks that target insecure configurations, patch levels, default user accounts, underlying platform vulnerabilities and even some Web-based interface vulnerabilities.
Application Security's AppDetective includes modules for Oracle, SQL Server, DB2, Sybase, Lotus Domino and MySQL. AppDetective performs application discovery, tests that identify database-specific vulnerabilities and configuration-related audits. Application Security also offers a console product, AppSecIncConsole, to manage its suite of security products.
Safety-Lab's Shadow Database Scanner is an open-source, ActiveX-based tool that allows programmers direct access to modify its functionality. It supports Oracle, SQL Server, DB2, Lotus Domino, MySQL and MiniSql. As an open-source product, its advantage over commercial products is that it enables security consultants and admins alike to easily customize the tool for target environments. The downside is the lack of technical support.
These tools will find most common vulnerabilities and configuration problems, and are cheap enough to be cost-effective. But they're still limited. Professional penetration testing services are more thorough, using powerful tools and manual techniques to dig into databases, rooting out both obvious and hidden holes; however, these services are expensive and invasive.
Auditing and Intrusion Detection
Scanners and pen tests give you a good snapshot of your database security posture, but there are no guarantees that change won't creep in and attackers won't try to exploit new or previously undetected vulnerabilities.
Several database IDS and auditing products can maintain a continuous vigil on databases, logging and alerting on attacks, suspicious activities and all changes that violate security policies. Their comprehensive logging and reporting capabilities are designed to meet both auditing and regulatory requirements.
Guardium's SQL Guard monitors and analyzes potentially unsafe and malicious traffic for Oracle, SQL Server, Sybase and DB2. It monitors and logs all user activity. Its unique hierarchy-based, three-tiered approach--audit, health and policy--allows you to passively audit your environment against about a dozen categories of tests.
SQL Guard's standout feature is its user activity logging and drill-down capabilities. From the management interface, you can select any of your database users and click through a tree of activities. Audit features include SQL account creation details, administrator-level queries and newly created stored procedures. SQL Guard is also a valuable tool for incident response and data collection, allowing you to search activity based on users, commands and time of day.
IPLocks offers comprehensive security monitoring for Oracle, SQL Server, DB2, Sybase, Teradata Database and Hitachi's HiRDB. It flags configuration vulnerabilities, and issues alerts, detailed reports and trend analyses. It monitors user activity and flags suspicious behavior and changes to access privileges, roles and schemas/tables/elements.
Lumigent Technologies' Entegra monitoring and auditing tool is available for SQL Server and Oracle. Entegra records all data accessed, enabling you to track user activity and database changes. The Web-based GUI allows you to drill down on specific database activities.
Application Security's AppRadar is an intrusion detection product that identifies complex application-layer attacks against SQL Server. Application Security says version 2.0, scheduled for release this month, adds support for Oracle, granular activity monitoring and built-in HIPAA and Sarbanes-Oxley policies.
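To make the auditing features described above concrete (logging account creation, administrator-level queries, newly created stored procedures and privilege or schema changes, then drilling down by user, command and time of day), here is a small Python triage script written for this article. It is an added example, not code from Guardium, IPLocks, Lumigent or Application Security; the audit records, user names, rule patterns and the after-hours policy window in it are all constructed assumptions.

```python
"""Triage of database audit records, as an illustration of what the
monitoring tools above do. All sample data below is constructed."""
import re
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Optional

# Constructed sample audit records in the form "timestamp|user|statement".
SAMPLE_LOG = """\
2005-02-14T09:12:01|app_user|SELECT id, balance FROM accounts WHERE id = 1042
2005-02-14T22:47:13|dba_joe|CREATE LOGIN svc_backup WITH PASSWORD = 'x'
2005-02-14T22:48:02|dba_joe|GRANT sysadmin TO svc_backup
2005-02-14T22:50:30|dba_joe|CREATE PROCEDURE dbo.export_all AS SELECT * FROM customers
2005-02-15T10:05:44|app_user|UPDATE orders SET status = 'shipped' WHERE id = 77
2005-02-15T10:06:10|app_user|SELECT name FROM sys.syslogins
2005-02-15T14:30:00|dba_joe|ALTER TABLE customers ADD ssn VARCHAR(11)
"""


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    user: str
    statement: str


@dataclass(frozen=True)
class Finding:
    category: str        # which audit rule matched
    after_hours: bool    # change made inside the policy's after-hours window
    event: AuditEvent


# Rule order matters: the first matching rule names the category.
RULES = [
    ("account_creation", re.compile(r"^\s*CREATE\s+(LOGIN|USER)\b", re.I)),
    ("privilege_change", re.compile(
        r"^\s*(GRANT|REVOKE)\b|\bALTER\s+ROLE\b|\bsp_addsrvrolemember\b", re.I)),
    ("new_procedure", re.compile(
        r"\bCREATE\s+(OR\s+REPLACE\s+)?(PROC(EDURE)?|FUNCTION|TRIGGER)\b", re.I)),
    ("schema_change", re.compile(
        r"^\s*(ALTER|DROP)\s+(TABLE|SCHEMA)\b|\bCREATE\s+TABLE\b", re.I)),
    # Reads of the system catalog are "administrator-level queries".
    ("admin_query", re.compile(
        r"\bsys\.\w+|\binformation_schema\.|\b(dba|all)_users\b", re.I)),
]


def parse_log(text: str) -> List[AuditEvent]:
    """Parse the pipe-separated audit format used by SAMPLE_LOG."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, stmt = line.split("|", 2)
        events.append(AuditEvent(datetime.fromisoformat(ts), user, stmt))
    return events


def classify(statement: str) -> Optional[str]:
    """Return the audit category of a statement, or None if it is routine."""
    for name, pattern in RULES:
        if pattern.search(statement):
            return name
    return None


def in_window(t: time, start: time, end: time) -> bool:
    """True if t lies in [start, end); the window may wrap past midnight."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def search(events: List[AuditEvent], user: Optional[str] = None,
           command: Optional[str] = None, start: Optional[time] = None,
           end: Optional[time] = None) -> List[AuditEvent]:
    """Drill down by user, leading SQL verb, and/or time-of-day window."""
    out = []
    for ev in events:
        if user is not None and ev.user != user:
            continue
        if command is not None:
            verb = re.match(r"\s*(\w+)", ev.statement)
            if verb is None or verb.group(1).upper() != command.upper():
                continue
        if start is not None and end is not None \
                and not in_window(ev.ts.time(), start, end):
            continue
        out.append(ev)
    return out


def triage(log_text: str,
           after_hours=(time(20, 0), time(6, 0))) -> List[Finding]:
    """Return one Finding per alert-worthy event. The 20:00-06:00 window is a
    constructed policy assumption, not a setting of any product."""
    findings = []
    for ev in parse_log(log_text):
        category = classify(ev.statement)
        if category is None:
            continue
        flagged = category != "admin_query" and \
            in_window(ev.ts.time(), *after_hours)
        findings.append(Finding(category, flagged, ev))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        tag = " [after hours]" if f.after_hours else ""
        print(f"{f.event.ts} {f.event.user:8} {f.category}{tag}: {f.event.statement}")
```

Run as a script it lists the five alert-worthy records and marks the three late-evening changes by `dba_joe` (a new login, a role grant to it, and a new stored procedure) as after-hours; `search()` is the drill-down that lets an analyst pull, for example, every statement by one user or every `SELECT` issued overnight.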
Some may say that the obvious answer to database security is encryption. But encryption doesn't obviate the need for secure configuration, diligent testing and continuous monitoring.
Encrypting and decrypting data to meet real-time business/transaction needs requires serious hardware: multiprocessor systems and accelerators that require gobs of memory, either in purpose-built appliances or software products on high-end servers. Key management can be a major headache and may be a full-time job. What's more, Microsoft and Oracle are building stronger native encryption capabilities that will put the squeeze on encryption vendors (see "DB Vendors Beef Up Security").
Vulnerabilities, poor system and application configurations, industry regulations and day-to-day security challenges aren't going away. Technological advances aside, your best bet is to formulate strong operating policies, purchase technology that has the highest ROI, create internal response teams that consistently work together on a range of daily security operations--including database compromises, and secure and standard configurations--and conduct semiannual user account reviews.
The majority of database security risks can be remedied through proper configuration, perimeter protections (that you most likely have already implemented) and DBA training. That may make it hard to justify the additional spending for most bolt-on database-specific security products, especially given the promises of Oracle and Microsoft's embedded security features.
Nevertheless, if publicly available databases are your company's lifeblood, these tools will add an extra layer of defense that offers real value.