Hacker school: Beating the hackers starts with knowing what you're up against

Ethical hacker shares ideas on proactive data security


Securing a network or a database can be a Herculean task, but with increasing reports of data theft and database tampering incidents, and a host of regulatory compliance requirements imposed on businesses, Security Information Management (SIM) products are becoming a required component of any data center's comprehensive, secure network architecture.

Edison, N.J.-based security vendor netForensics Inc. has developed a line of midmarket and enterprise-level products based on its nFX security methodology. nFX is a software platform, available for Windows, Linux and Solaris, that provides security administrators with incident detection, remediation tools and reporting.

Late last year, netForensics released an enhanced version of nFX Data One, the component of its solution that focuses on database threat management.

Products such as nFX Data One could be considered for enterprises that need to address compliance issues, which in many cases are as business-critical as the databases themselves. Consider the jarring message that supermarket chain Hannaford Bros Co., Scarborough, Maine, delivered last month: As many as 4.2 million customer credit-card numbers had been compromised as the result of a malicious database attack.

nFX Data One is a SIM product that provides nonintrusive database monitoring; it is available as a hardened Linux appliance or as a software download. Supported databases include Microsoft SQL Server, MySQL, Oracle, DB2 and Sybase. Supported operating systems are Red Hat, CentOS, Solaris and AIX.

The Test Center looked at the appliance version, which ships preconfigured with Linux. This particular model supports 50 to 100 databases (the exact limit depends on throughput) and up to 15,000 transactions per second. The device receives a copy of database traffic from a switch SPAN port, a network tap or a hub. Because monitoring is passive, the appliance sees only traffic that crosses the tapped segment; connections made locally on the database host never reach it.

For testing purposes, the appliance was connected to an Intel 10/100 stackable hub. Deployed for monitoring were an Oracle 11g database on Windows Server 2008 and an MS SQL 2005 server on Windows Server 2003. Queries to both databases were executed from a client running Windows XP SP2.

Management of the device is done from the console over Secure Shell or through a browser using Webmin. Configuration of database monitoring and tracking is done through the browser. Data collection was easy to set up; a default data collection rule exists for each supported database.

A particularly useful feature is the Filtering Rule Builder. The device comes with hard-coded "basic stock rules," organized by database type, by regulation or by solution. An Advanced Rule Builder is also available for creating custom rules.

The management interface opens to the Data Viewer, where all database activity is monitored line by line. As soon as the Oracle Database Control interface was logged into with the SYS account, the activity showed up in the Data Viewer. For each query, the record, the user name, the client IP address, and the client and server ports were all logged. Data One logs all types of queries, from simple SELECT statements to permissions changes.
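To show what a filtering rule over Data Viewer-style records amounts to in practice, here is an added example in Python. It is illustration written for this review, not netForensics code, and it makes several assumptions: the record layout (timestamp, database type, user, client IP and port, server port, statement) is a constructed approximation of the fields the review says are logged, the sample records are made up, and the three rules (privileged-account use, permission changes, sensitive reads from outside an assumed admin subnet) are stand-ins for whatever the product's stock rules actually check.

```python
"""Filtering rules applied to passively captured database activity records.

Added illustration, not netForensics code. The DbRecord layout is an
assumed approximation of the fields the review says the Data Viewer logs;
the real nFX Data One record format is not documented on the page.
"""
import re
from dataclasses import dataclass


@dataclass
class DbRecord:
    ts: str
    db: str            # "oracle" or "mssql" in the samples below
    user: str
    client_ip: str
    client_port: int
    server_port: int
    statement: str


# Constructed sample records (not real captured traffic).
SAMPLE = [
    ("2008-04-10 09:12:01", "oracle", "SYS", "192.168.1.50", 49321, 1521,
     "SELECT banner FROM v$version"),
    ("2008-04-10 09:12:07", "oracle", "HR", "192.168.1.50", 49322, 1521,
     "SELECT * FROM employees WHERE dept=10"),
    ("2008-04-10 09:13:45", "mssql", "sa", "192.168.1.50", 49330, 1433,
     "GRANT CONTROL SERVER TO appuser"),
    ("2008-04-10 09:14:02", "mssql", "appuser", "10.0.0.7", 51002, 1433,
     "SELECT card_number FROM customers"),
    ("2008-04-10 09:15:30", "oracle", "HR", "192.168.1.50", 49323, 1521,
     "ALTER USER hr IDENTIFIED BY hunter2"),
]

# Assumed: which accounts count as privileged per database type.
PRIVILEGED_ACCOUNTS = {"oracle": {"SYS", "SYSTEM"}, "mssql": {"sa"}}
# Statements that change privileges or accounts.
PERMISSION_CHANGE = re.compile(
    r"^\s*(GRANT|REVOKE|DENY|ALTER\s+USER|CREATE\s+USER|DROP\s+USER)\b", re.I)
# Assumed: administrative workstations live on this prefix.
APPROVED_ADMIN_NETS = ("192.168.1.",)


def parse(rows):
    """Turn raw tuples into DbRecord objects (stands in for the collector)."""
    return [DbRecord(*r) for r in rows]


def rule_privileged_login(rec):
    """Flag any statement issued under a built-in privileged account."""
    allowed = {a.upper() for a in PRIVILEGED_ACCOUNTS.get(rec.db, ())}
    if rec.user.upper() in allowed:
        return f"privileged account {rec.user} used from {rec.client_ip}"
    return None


def rule_permission_change(rec):
    """Flag GRANT/REVOKE/DENY and user-account changes regardless of who ran them."""
    if PERMISSION_CHANGE.match(rec.statement):
        return f"permission change by {rec.user}: {rec.statement}"
    return None


def rule_offnet_sensitive_read(rec):
    """Flag reads of a sensitive column from hosts outside the admin subnet."""
    stmt = rec.statement.strip()
    if (stmt.upper().startswith("SELECT") and "card_number" in stmt.lower()
            and not rec.client_ip.startswith(APPROVED_ADMIN_NETS)):
        return f"sensitive column read from unapproved host {rec.client_ip}"
    return None


RULES = [rule_privileged_login, rule_permission_change, rule_offnet_sensitive_read]


def apply_rules(records):
    """Run every rule over every record; return (timestamp, rule, message) alerts."""
    alerts = []
    for rec in records:
        for rule in RULES:
            msg = rule(rec)
            if msg:
                alerts.append((rec.ts, rule.__name__, msg))
    return alerts


if __name__ == "__main__":
    for ts, rule, msg in apply_rules(parse(SAMPLE)):
        print(ts, rule, msg)
```

Run against the constructed records, the rules fire five times: the SYS session, the sa session (twice, since it also issues a GRANT), the card_number read from the 10.0.0.7 host, and the ALTER USER by HR. A rule set like this is only as good as the traffic the collector sees, which is why the SPAN or tap placement matters more than the rule syntax.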

The management utility has its own backup/restore service for disaster recovery of the full set of configuration files. A backup was initiated for testing. A prompt asked for a backup name. After "Backup" was selected and a backup folder name entered, the system reported both "Backup has been created successfully" and "Failed to create backup folder." Where that backup folder should be created was not apparent from the management interface. Nevertheless, when the restore option was chosen, the backup data was listed, and a restore completed successfully.

Overall, this is a powerful product that adds no overhead to the database servers themselves. It is not plug-and-play out of the box, but an appliance that a network security-focused VAR would have to become familiar with in order to configure it for optimal use on a network.

-Samara Lynn