Strengths: Swift deployment, extensive database support, sophisticated policy-based security, unique S-Tap and S-Gate probes, vulnerability assessment tools
Weaknesses: May be a bit pricey for smaller enterprises
Verdict: Regulatory compliance with data protection guidelines is no longer a luxury and Guardium has the tools to keep your database auditors happy
The opening months of 2009 bode ill for database administrators. A report by IBM's ISS X-Force division has identified a massive increase in automated SQL injection attacks and concludes that this will be the predominant exploit this year.
Guardium has these attacks on its radar but goes further, as it provides a range of security measures that allow companies to audit database usage and enforce policies to prevent unauthorised access. Version 7 adds a number of features, with vulnerability assessment at the top of the list.
Assessments run tests and look for a wide range of weaknesses. Observed behaviour comes under its remit, as it pinpoints suspicious activity. A good example is the 'one user/one IP address' requirement. Guardium can spot a user logging in to the same account from different addresses and alert administrators to the fact that this account may be shared among unauthorised users.
Database configurations can be checked to see whether essential controls such as account lockouts are being applied to multiple failed login attempts. It can also test areas such as the operating system and associated file privileges. These are simple to configure and Guardium provides a huge range of predefined tests.
The solution is deployed as a well-specified Dell PowerEdge 1950 server that functions primarily as a collector. Smaller businesses will have a single collector whereas larger ones will use an aggregator that provides centralised management and audit data collection facilities for multiple, distributed collectors.
Guardium's S-Tap has distinct advantages in network monitoring. This software probe runs on the database server where it can monitor local as well as network traffic and uniquely it doesn't need database logging to be enabled, so improving performance.
The new S-Gate probe is an extension of S-Tap, which adds the ability to block unauthorised traffic and terminate user sessions. A key feature is that it only interacts with privileged user traffic such as administrators accessing database tables - application traffic is left alone.
Initial installation is a simple enough process and aided by the intuitive web interface. Access is determined by roles and root access is not permitted, thereby ensuring regulatory compliance as the reports and all data on the appliance cannot be modified. An internal audit trail is also maintained so you can see which users logged on to the appliance and what actions they carried out.
Your first task is to fire up selected database inspection engines and you can pick and choose from options such as MSSQL, Oracle, Informix, DB2 and Sybase. It can also monitor many proprietary protocols, including Oracle Bequeath.
Policies monitor databases in real-time and these can contain any number of rules. There are access rules that keep an eye on users. Rules configured to spot unauthorised activity can be used to send out alerts and terminate sessions and the S-Taps can do this at the SQL command level.
Data exiting databases is monitored by extrusion rules that can see the results of user queries and check for patterns, such as credit card numbers. The interface makes light work of query creation as it breaks them down into their component parts, making for a shallow learning curve.
We found it simple to create a rule to control system users where we could stop them from accessing specific test database tables containing credit card numbers and using particular commands. After creating the rule, we logged on to the Oracle 10G database and when we tried to select the tables described in the rule, our session was terminated immediately by the S-Gate probe.
Guardium's classification will be useful if you are not sure where sensitive information is being kept. This sends a crawler out to the databases where it can look for specific information and create policy rules that are dependent on the information found.
Guardium offers three defences against SQL injection attacks. Real-time monitoring watches out for suspicious activities, while correlation alerts keep you posted on events such as an unusual number of errors or login failures.
Baselining also plays a part and this is conducted during the first few weeks to get a clear picture of normal database usage. It suggests policy rules based on its findings and any activity considered abnormal will cause alerts.
The console can be customised and Guardium offers a range of preconfigured interfaces for data privacy regulations and compliancy guidelines. Extensive auditing tools allow reports to be reviewed and passed to other users for approval and that, once signed off, cannot be modified or removed. SQL query values in reports are not shown by default, so sensitive information can only be seen if specifically requested.
Guardium makes light work of database monitoring and provides essential tools to protect against the ever-increasing number of security threats. In practice, it's easy enough to use and although it represents a significant outlay, you have to ask yourself whether you can afford not to have it.