Application Security DbProtect
Strengths: Strong documentation, extremely affordable, great assessment tools.
Weaknesses: Inconsistent database support across sensor types, and tedious deployment.
Verdict: We’re torn on this one. The product is good at what it does, but the limited MySQL support is strange. Obviously, MySQL shops will want to avoid everything but the vulnerability monitoring module, but everyone else could made good use of this tool.
Focusing solely on database security, DbProtect from Application Security is an affordable database security product which, given the right environment, could be very beneficial to administrators.
Product installation was reminiscent of a Snort deployment, in that a central console is first installed - which contains the management interface and analysis engine - with sensor nodes to follow. Starting with the console, the product documentation stated that 64-bit Windows Server 2003 R2 or later with 8 GB RAM and 20 GB of disk space were required, although Application Security recommends 100GB as the analytics engine can use a great deal of space generating reports. MS SQL 2005 or later was also required, but Express editions are not supported, so non-Microsoft shops will be looking at an extra expenditure. That said, the product relies on a number of other components. The installer scanned our fresh Windows Server 2008 system and was able to install its own required components. However, we did have to upgrade the target platform to 12 GB RAM and 75 GB of drive space before installation was successful. The host-based sensor deployment was a manual process - we had to logon to each of our database servers and install the sensor, then register that sensor to the console. We initially had trouble connecting our sensors to the console, until we determined that we needed to disable IPv6 support on the network interfaces of the involved systems. All in all, it took a couple of hours to get everything installed and communicating properly.
Supporting Microsoft SQL, Oracle, DB2 and Sybase (notably, MySQL is absent), DbProtect functions primarily as a database intrusion detection system (IDS), with a few intrusion prevention systems (IPS) features built into its Active Response system - configurable automated actions triggered by policy violations. While disabled by default, the IPS features allow for connection termination or database user account locking, as well as the triggering of user-specified events. The product uses a modular deployment methodology featuring a central console with both host- and network-based sensors available for gathering data. The host-based sensors appear to be much more mature, as the number and type of databases supported by the network-based sensors is more limited. Check the product documentation carefully, however, as some database products require one or the other; for example, MS SQL shops will need to install a host-based sensor on their database server as the network sensor is not supported, but older versions of Oracle require the use of a network sensor.
We were quite pleased with the DbProtect documentation. A number of manuals were available, including installation, administrator's, sensor configuration and user's guides. Each was a well-crafted PDF with numerous screen shots and plenty of bookmarks and hyperlinks, which made navigation easy.
For the package reviewed here, the retail cost is $5,100, which includes the vulnerability, rights and activity monitoring modules. Each of those is available for purchase separately - with Vulnerability Monitoring and Rights Management available at $1,500 each, and Activity Monitoring available at $2,100. Support starts at 20 percent of the license fee for standard eight-hours-a-day/five-days-a-week assistance renewable on a yearly basis.