DATABASE SECURITY
REVIEWED BY JAMES C. FOSTER
Price: Just under $AUD60,000 for the Enterprise Edition

Symantec Database Security (SDS) helps alleviate the operational and technical challenges of auditing, assessing and monitoring database traffic in real time. Policies can be written to catch abuse by internal applications and database users, and combined with policies that watch for external attacks and malicious use.
SDS 3.1 supports Microsoft SQL Server, Oracle, Sybase and IBM DB2.
| Installation/Configuration | B+ |
SDS is a software-based solution that passively monitors cleartext SQL traffic from the network rather than on the database host, which minimizes the performance hit on the database. Because it works from the wire, it can only inspect sessions that are not encrypted between client and server. (Additionally, a standalone module, Host Collector, monitors local database traffic that never crosses the network.)
A SPAN (mirror) port on the switch that carries the monitored database's traffic is the ideal placement for this kind of sensor. Installation is straightforward and takes only a couple of minutes: enter an IP address, DNS servers, a time zone, and whether to permit SSH. It was nice to see that SSH is required for remote administration; if you select "No SSH," you have to manage the box locally or over a serial port.
| Management/Monitoring | B |
SDS' slick Web-based interface is intuitive, with graphic-intense toolbars and rich menus, and its speed and response time were good. This is where you create monitoring policies, view reports, analyze incidents and continually "train" the system via the Adaptive Learning module. Larger organizations will leverage SDS' additional integration capabilities for real-time alerts via syslog, SNMP, XML and email output streams.
There is no LDAP and Active Directory integration.
Policies can be created manually or by using the Adaptive Learning module, which sniffs and stores all SQL queries to and from the database. It can then report counts of the common and anomalous queries against the target system, and can easily identify common access sources, average traffic patterns, and even errant system administrators. Data leakage rules can also be created to alert administrators when credit card numbers, Social Security numbers or other potentially sensitive information is being sent to specific users. You'll need database expertise to craft complex policies.
SDS accurately captured all of our queries in adaptive mode; however, we would like to see more security intelligence. For instance, when it sniffed our SQL query carrying an attack string that pulled every username in the database, it recorded the query but raised no warning message or alert of any kind. To fully utilize this module, you will need both database admin savvy and an understanding of database attacks.
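The learning baseline, anomalous-query detection and data-leakage rules described above, reduced to a runnable sketch. This is an added example written for this review, not Symantec's code or the SDS rule set: the sample statements, the injection signatures, the result rows and the class and function names are all constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample statements standing in for the SQL a passive sensor
# reassembles from a SPAN port while the learning module is "training".
LEARNING_TRAFFIC = [
    "SELECT id, name FROM users WHERE id = 42",
    "SELECT id, name FROM users WHERE id = 17",
    "SELECT id, name FROM users WHERE id = 9",
    "UPDATE orders SET status = 'shipped' WHERE order_id = 1001",
    "UPDATE orders SET status = 'pending' WHERE order_id = 1002",
    "INSERT INTO audit_log (actor, action) VALUES ('app', 'login')",
]

# Hypothetical injection signatures run against the raw statement; these are
# illustrative heuristics, not the product's own rule set.
INJECTION_PATTERNS = {
    "tautology": re.compile(r"\bor\b\s+'?(\w+)'?\s*=\s*'?\1\b", re.I),
    "comment-terminator": re.compile(r"--|/\*"),
    "union-select": re.compile(r"\bunion\b\s+(?:all\s+)?select\b", re.I),
    "stacked-statement": re.compile(r";\s*(?:drop|delete|insert|update|exec|shutdown)\b", re.I),
}

# Data-leakage patterns for result-set values: SSN shape, 13-19 digit card number.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def fingerprint(sql):
    """Collapse a statement to its template: lowercase, literals replaced by
    '?', whitespace squeezed. Statements that differ only in bound values
    then count as the same query, which is what a learning baseline needs."""
    s = sql.strip().lower()
    s = re.sub(r"'(?:[^']|'')*'", "?", s)     # quoted string literals
    s = re.sub(r"\b\d+(?:\.\d+)?\b", "?", s)  # numeric literals
    return re.sub(r"\s+", " ", s)


def luhn_ok(digits):
    """Luhn checksum, used to keep random 13-19 digit numbers (order ids,
    timestamps) from being reported as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class SqlMonitor:
    """Minimal stand-in for the adaptive-learning workflow: learn a baseline
    of query templates, then flag statements that fall outside it or that
    carry an injection signature."""

    def __init__(self):
        self.baseline = Counter()

    def learn(self, statements):
        for sql in statements:
            self.baseline[fingerprint(sql)] += 1

    def common_queries(self, n=3):
        """Most frequent templates seen during learning, with their counts."""
        return self.baseline.most_common(n)

    def inspect(self, sql):
        """Return the alert tags raised by one captured statement."""
        alerts = []
        if fingerprint(sql) not in self.baseline:
            alerts.append("anomalous-query")
        for name, pattern in INJECTION_PATTERNS.items():
            if pattern.search(sql):
                alerts.append(name)
        return alerts


def inspect_result_row(row):
    """Data-leakage check on one result-set row flowing back to a client."""
    findings = []
    for value in row:
        text = str(value)
        if SSN_RE.search(text):
            findings.append("ssn")
        for match in CARD_RE.finditer(text):
            if luhn_ok(re.sub(r"[ -]", "", match.group())):
                findings.append("card-number")
    return findings


if __name__ == "__main__":
    monitor = SqlMonitor()
    monitor.learn(LEARNING_TRAFFIC)
    print("most common templates:", monitor.common_queries())
    for sql in [
        "SELECT id, name FROM users WHERE id = 77",
        "SELECT id, name FROM users WHERE name = '' OR 1=1 --'",
        "SELECT password_hash FROM users",
    ]:
        print(monitor.inspect(sql) or "ok", "<-", sql)
    print(inspect_result_row(("alice", "4111 1111 1111 1111")))
```

The second statement in the demo is the kind of attack string the review describes: the baseline marks it anomalous because its template was never seen, and the tautology and comment-terminator signatures are the "security intelligence" that turns a mere recorded query into an alert. The Luhn check on the card-number rule is there to avoid flagging every long numeric identifier that crosses the wire.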
| Reporting | C+ |
The set of reports was good, including templates for incidents, and executive and trend reports. Of particular interest was the SQL injection report template; it included all relevant information, including source and target IP addresses for attacks, attack event details, the SQL data and timestamps. This data would be more useful in large investigations if the underlying packets could be saved or exported as PCAP.
The downside for us was that reports could only be saved in HTML and XML. We were shocked to see that reports could not be saved in CSV or PDF.
| Verdict |
Because of its interface and Adaptive Learning technologies, Symantec's Database Security can offer enterprise clients a viable option for monitoring and securing their production-grade databases.
Testing methodology: We tested a Symantec Database Security soft appliance, monitoring the following databases for both network and local activities: IBM DB2 on AIX, Oracle 10gR2 on Solaris 10, Oracle 10g on HP-UX, and Microsoft SQL Server 2005 on Windows Server 2003.
