Published: 01 Oct 2007
Guardium SQL Guard 6.0
REVIEWED BY JAMES C. FOSTER
Price: Starts at $50,000
In an industry flush with products for securing the network perimeter, Guardium's SQL Guard 6.0 serves as an important addition for monitoring and managing connections to and from a wide variety of enterprise database products.
SQL Guard continues to address one of the most typical database audit failure points. Most auditors will not issue a "pass" if you leverage a database's native logging features because they are owned and controlled by the groups you are trying to monitor (for example, DBAs should not be responsible for configuring and monitoring DBAs). SQL Guard ensures a system of checks and balances between the security and database engineering teams.
The solution consists of local database agents, network-based appliances to passively gather traffic or to actively work as a firewall, and aggregation servers that collect and analyze data.
The preconfigured Linux-based 1U Dell appliances can be plugged directly into the span port on a switch that controls traffic to the databases. The administrative account is created during installation, along with a series of default user roles--common users, administrators, DBAs, security, application developers, auditors, network engineering--that can be used to create other accounts.
Passively collecting network traffic is as easy as running a sniffer; installing agents will require admin credentials and console-level access.
The classification feature helps you identify potentially sensitive information on a live database. You can create rules based on SQL Guard's Perl Compatible Regular Expression (PCRE) engine to search for data, specific permissions, or even conduct a catalog search. The results can be categorized and assigned additional rules for protection.
You can create any number of levels of classification depending on the complexity of your environment or business (low, medium, high, or severe, critical, sensitive, compliance, etc.).
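To make the classification workflow concrete, here is an added illustration (not Guardium's own code; Python's re module stands in for SQL Guard's PCRE engine) that runs constructed data and catalog rules over a constructed sample of table columns and assigns each matching column the highest classification level among the rules it triggers. The rule names, level ranking and sample rows are all assumptions made for the example.

```python
import re

# Constructed rules in the spirit of the PCRE-based rules described above.
# "data" rules match sampled column values; "catalog" rules match column names.
RULES = [
    {"name": "credit-card", "scope": "data", "level": "critical",
     "pattern": re.compile(r"^(?:\d{4}[ -]?){3}\d{4}$")},
    {"name": "ssn", "scope": "data", "level": "critical",
     "pattern": re.compile(r"^\d{3}-\d{2}-\d{4}$")},
    {"name": "email", "scope": "data", "level": "sensitive",
     "pattern": re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I)},
    {"name": "catalog-salary", "scope": "catalog", "level": "compliance",
     "pattern": re.compile(r"salary|wage|compensation", re.I)},
]

# Assumed ordering of classification levels (labels taken from the review).
LEVEL_RANK = {"low": 0, "compliance": 1, "sensitive": 2, "critical": 3}

# Constructed sample of what a live database might return: table -> column -> values.
SAMPLE_DB = {
    "customers": {
        "email": ["alice@example.com", "bob@example.org"],
        "card_no": ["4111 1111 1111 1111", "5500-0000-0000-0004"],
        "notes": ["prefers phone", "n/a"],
    },
    "hr": {
        "base_salary": ["55000", "72000"],
        "ssn": ["123-45-6789", "987-65-4321"],
    },
}

def classify(db, rules, min_hits=1):
    """Return {(table, column): (level, [rule names])} for every column that
    matched at least one rule. A data rule matches when at least `min_hits`
    sampled values match; the column takes the highest level of all its hits."""
    results = {}
    for table, columns in db.items():
        for column, values in columns.items():
            hits = []
            for rule in rules:
                if rule["scope"] == "catalog":
                    matched = bool(rule["pattern"].search(column))
                else:
                    matched = sum(1 for v in values if rule["pattern"].match(v)) >= min_hits
                if matched:
                    hits.append(rule)
            if hits:
                top = max(hits, key=lambda r: LEVEL_RANK[r["level"]])
                results[(table, column)] = (top["level"], [r["name"] for r in hits])
    return results

if __name__ == "__main__":
    for (table, column), (level, names) in sorted(classify(SAMPLE_DB, RULES).items()):
        print(f"{table}.{column}: {level} via {', '.join(names)}")
```

Columns that match nothing (here `customers.notes`) are left out of the result so that follow-up protection rules are only attached to classified objects.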
Guardium has all of the reporting bases covered. Reports are grouped and labeled under three tabs for templates, custom reports and alerts. Templates include high-level or technical information on database activities, sensitive object usage, data manipulation language (DML) exceptions, overall performance and permanent schema changes.
The strong custom reporting is built atop a SQL querying engine.
The new incident management dashboard provides a clear-cut summary on policy violations and incidents. It permits you to quickly dig deep into the incident, via a click, to identify the timestamp, source/destination IP, user, full SQL string, technical incident specifics and more. The breadth of information is impressive.
In addition to monitoring database connections, 6.0 has added application layer monitoring, providing JD Edwards, Oracle, PeopleSoft, SAP and Siebel filters.
Alerts are triggered in one of two ways: statistical or real time. Both save the same type and amount of data; however, a statistical alert is merely logged into the back-end Guardium database, while a real-time alert is logged and then passed to one of four notification mechanisms.
Organizations looking to monitor databases in real time will be best served leveraging SQL Guard's integration capabilities as opposed to its console. SQL Guard can easily integrate with SIEM or aggregation platforms via SMTP, SNMP, syslog, or a custom Web-based Java class.
SQL Guard has evolved from an impressive technology to an enterprise-class data security product that should be on every organization's radar.
Testing methodology: We tested a Guardium G2000 appliance in a lab that contained DB2 8 and Oracle 9i and 10g on Linux 2.6, Informix 7 on AIX 5.3, SQL Server 2000 and 2005 on Windows Server 2003, and Sybase 15 on Sun Solaris 9.