Intrusion Detection FAQ: What is the Difference Between an IPS and a Network Based Database Activity Monitor?

Jim McMillan
November 2009

Introduction

Databases play a crucial role in many of today's corporations. They hold vital information that many of our business units rely on to perform reliably and efficiently. In the age of information, many corporations' survival depends on the integrity, availability and confidentiality of the information stored in these databases.

Information stored in databases requires security measures not only to satisfy internal needs but also to meet regulatory requirements. HIPAA, SOX, PCI, GLBA and other regulations require many corporations to apply security measures to protect sensitive data. Despite this, databases are still an area where protective measures are lacking.

In our overall security architectures we include many measures to protect our corporate assets. Even with all these measures in place we are still losing data. Attackers tend to go after the weak points in our architectures, and databases are one of these weaker points. This may be because auditing and monitoring on the database servers themselves typically cause a significant performance hit; in many corporations database auditing and monitoring are not implemented because of that performance degradation.

Corporations rely on the other security measures they have implemented to protect their databases. Intrusion Prevention Systems (IPSs) are often deployed to prevent attacks against our assets, including database servers. IPSs do this by monitoring the network traffic for signatures or anomalies and acting on those things they detect. So why is this not good enough? Why do we need another product, a Database Activity Monitor, to better protect our databases? What can they provide that an IPS can't?

Database Activity Monitor (DAM)

First of all, what is a Database Activity Monitor? DAMs are technologies created to augment an existing security architecture by covering the gaps around our databases. They come either as a standalone hardware appliance or as a software agent loaded on the same server as the database. In either form, they capture, log, analyze and alert on policy violations that occur in Structured Query Language (SQL) traffic, in real time. Some implementations also offer preventative policies that will stop attacks.

Network based DAMs are similar to IPSs in one respect: they sit out on the network and watch the traffic as it is routed from source to destination. But instead of watching for particular signatures or anomalies as an IPS does, the DAM looks for packets containing SQL statements. When it finds one, it analyzes the SQL logic to make sure it is valid.

There are two primary advantages to network based DAM. First, it produces no overhead on the databases or database servers. Second, it is database and platform independent: it can watch many different types of databases running on various operating systems.

Database Activity Monitors are distinguished from other database monitoring products by the following features:

  • Ability to monitor and audit all database activity, including administrator activity, with no performance degradation.

  • Ability to store database activity separate from the databases being monitored.

  • Ability to enforce separation of duties by monitoring all DBA activity and preventing log tampering.

  • Ability to monitor activity from various types of databases.

  • Ability to generate alerts based on policy violations.

  • Ability (in some of the products) to take actions based on policy violations.

Because they can monitor and understand SQL, DAMs have an advantage over IPSs: this SQL knowledge lets them detect database specific attacks more accurately than an IPS can. DAMs understand database communication in both directions, meaning they can watch and filter incoming queries and validate the responses to those queries. This gives them two chances to detect malicious intent.
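As an added illustration (not code from this FAQ or from any DAM product), here is a toy Python model of the two-direction policy check described above and of the feature list before it: every captured statement is written to a log kept apart from the database, inbound SQL is checked against a policy (DDL from non-DBA accounts, writes to the audit store, tautologies typical of SQL injection), and the server's response is validated by row count. The policy, regexes, table names and traffic are constructed assumptions; a real DAM parses SQL fully rather than with regexes.

```python
import re
from dataclasses import dataclass

@dataclass
class Policy:
    sensitive_tables: set  # tables whose bulk export raises an alert
    max_rows: int          # largest response allowed from a sensitive table
    dba_accounts: set      # accounts permitted to run DDL
    audit_table: str       # the DAM's own activity store; no SQL user may modify it

# Hypothetical patterns standing in for a real SQL parser.
DDL = re.compile(r"^\s*(DROP|ALTER|GRANT|TRUNCATE)\b", re.I)
WRITE = re.compile(r"^\s*(UPDATE|DELETE|TRUNCATE|DROP)\b", re.I)
TABLE = re.compile(r"\b(?:FROM|INTO|UPDATE|JOIN|TABLE)\s+([A-Za-z_][\w.]*)", re.I)
TAUTOLOGY = re.compile(r"\bOR\s+'?(\w+)'?\s*=\s*'?\1(?!\w)", re.I)  # e.g. OR 1=1

def tables_in(sql):
    return {t.lower() for t in TABLE.findall(sql)}

def check_request(user, sql, pol):
    # Inbound direction: the statement as it crosses the wire toward the server.
    alerts = []
    if DDL.match(sql) and user not in pol.dba_accounts:
        alerts.append("DDL from non-DBA account " + user)
    if pol.audit_table in tables_in(sql) and WRITE.match(sql):
        alerts.append("attempt to modify audit store by " + user)
    if TAUTOLOGY.search(sql):
        alerts.append("tautology in WHERE clause (possible SQL injection)")
    return alerts

def check_response(user, sql, rows, pol):
    # Outbound direction: validate the result set the server sent back.
    if tables_in(sql) & pol.sensitive_tables and rows > pol.max_rows:
        return ["%d rows of sensitive data returned to %s" % (rows, user)]
    return []

def monitor(events, pol):
    # Every statement is logged to the separate store, whether or not a policy fires.
    log, alerts = [], []
    for i, (user, sql, rows) in enumerate(events):
        log.append((i, user, sql))
        for a in check_request(user, sql, pol) + check_response(user, sql, rows, pol):
            alerts.append((i, a))
    return log, alerts

POLICY = Policy({"customers"}, 1000, {"dba"}, "audit_log")
SAMPLE = [  # constructed (user, statement, rows in response), not real traffic
    ("app", "SELECT name FROM customers WHERE id = 42", 1),
    ("app", "SELECT * FROM customers WHERE id = 1 OR 1=1", 50000),
    ("app", "DROP TABLE orders", 0),
    ("dba", "DELETE FROM audit_log WHERE ts < '2009-01-01'", 0),
    ("dba", "ALTER TABLE orders ADD COLUMN note TEXT", 0),
]
```

Running `monitor(SAMPLE, POLICY)` logs all five statements and raises alerts on the second (tautology plus oversized response), third (DDL by the application account) and fourth (DBA touching the audit store), while the DBA's ALTER passes.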

Conclusion

In a defense-in-depth strategy, IPSs play an important role in our layered security architecture. But when it comes to database protection, IPSs cannot adequately monitor and provide the complete protection required. With various forms of SQL Injection, zero day, and trusted access attacks, we need something to augment our IPSs. Database Activity Monitors are just the technology to do this.

Network based DAMs differ from IPSs because they have the capability to understand SQL logic for requests and responses. DAMs provide this added technology to bridge the gaps where IPSs fall short. And they do so without degradation of performance for our databases and database servers.
