Stopping Another Hannaford: Review of nFX DataOne


Printer-friendly version Email this CRN article

Securing a network or a database can be a Herculean task.

With increasing reports of data theft and database tampering, and a host of regulatory compliance requirements imposed on businesses, SIM (Security Information Management) solutions are becoming a required module of a datacenter's comprehensive and secure network architecture.

Edison, N.J.-based security vendor netForensics has developed a line of mid-market and enterprise-level products built on its nFX security methodology. nFX security is a software platform that runs on Windows, Linux and Solaris and provides security administrators with incident detection, remediation tools and reporting.

Late last year, netForensics released an enhanced version of nFX Data One, the component of its product line that focuses on database threat management.
Solutions such as nFX Data One could be considered by enterprises that need to address compliance issues -- issues that in many cases are as business-critical as the databases themselves.

Consider the message that the Hannaford Bros. supermarket chain had to deliver last month: as many as 4.2 million customer credit card numbers had been compromised as the result of a malicious attack against its database.

nFX Data One is a SIM product that provides non-intrusive database monitoring. It is available as a hardened Linux appliance or as a software download. Supported databases include MSSQL, MySQL, Oracle, DB2 and Sybase. The software version is supported on Red Hat, CentOS, Solaris and AIX.

The Test Center took a look at the appliance version, which came pre-configured with Linux. This particular model supports 50-100 databases (limited by throughput) and up to 15,000 transactions per second. The device relies on switch SPAN ports, network taps or hubs to receive a copy of the database traffic; it does not sit inline, so it cannot slow or block a query, but it also only sees the traffic that is actually mirrored to it. Sessions encrypted on the wire, or connections made locally on the database host, never reach the appliance, so the mirrored paths should be verified before the monitoring is relied on. For testing purposes the appliance was connected to an Intel 10/100 stackable hub. Deployed for monitoring were an Oracle 11g database on Windows Server 2008 and a SQL Server 2005 instance on Windows Server 2003. Queries to both databases were executed from a client running Windows XP SP2.

Management of the device is done through the console using Secure Shell or through a browser using Webmin. Configuration of database monitoring and tracking is done through a browser. Data collection was easy to set up; there is a default data collection rule for each supported database. Select the database to be monitored and enter the corresponding IP address, hostname and port (the port is already filled in by default, based on the database type).

A particularly useful feature is the Filtering Rule Builder. The device comes with hard-coded "basic stock rules". These rules are grouped by database type (for example, there are basic pre-defined rules for Oracle), by regulation (rules can be set specifically for HIPAA, Sarbanes-Oxley, PCI and others) or by solution (task-oriented sets for security, performance, auditing, database management, or all of them). There is an advanced rule builder for creating custom rules as well.

The management interface opens to the Data Viewer. In this view, all database activity is monitored line by line. As soon as the Oracle Database Control interface was logged into with the SYS account, the activity showed up in the Data Viewer. The query, the account used, the client IP, and the client and server ports were all logged. Data One will log all types of queries, from simple SELECT statements to permission changes.
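To make the rule categories and the logged fields concrete, the following is an added example, not netForensics code and not the product's rule syntax. It assumes a pipe-delimited record carrying the fields the review says the Data Viewer logs (account, client IP, client and server ports, statement), a handful of constructed sample events, and an assumed allow-list of client addresses and cardholder-data tables. It then applies four illustrative rules of the kind the stock rule sets are grouped by (auditing, security, PCI): a privileged-account session, a client address outside the allow-list, a permission change, and an unfiltered read of a cardholder table.

```python
"""Added example (not netForensics code): rule-based review of database
activity records like those shown in the nFX Data One Data Viewer.

The record format, field names, rule names, allow-lists and sample events
below are all constructed for illustration; the product's own storage
format and rule language are not shown in the review.
"""
import re
from dataclasses import dataclass

# Constructed sample capture: ts|db|user|client_ip|client_port|server_port|statement
SAMPLE_RECORDS = """\
2008-04-02T10:01:07|oracle|SYS|10.0.0.21|49152|1521|SELECT * FROM v$session
2008-04-02T10:02:13|oracle|APP_USER|10.0.0.30|49201|1521|SELECT name FROM customers WHERE id = 42
2008-04-02T10:03:55|mssql|sa|10.0.0.99|50112|1433|GRANT CONTROL SERVER TO attacker_login
2008-04-02T10:04:10|mssql|report_svc|10.0.0.30|50130|1433|SELECT card_number, expiry FROM payment_cards
2008-04-02T10:05:31|oracle|APP_USER|10.0.0.30|49210|1521|UPDATE orders SET status = 'shipped' WHERE id = 7
"""

ALLOWED_CLIENTS = {"10.0.0.21", "10.0.0.30"}   # assumed: hosts permitted to reach the DB servers
SENSITIVE_TABLES = {"payment_cards"}          # assumed: tables holding cardholder data (PCI scope)
PRIVILEGED_ACCOUNTS = {"SYS", "SYSTEM", "sa"}  # assumed: accounts whose sessions are always audited


@dataclass
class Record:
    ts: str
    db: str
    user: str
    client_ip: str
    client_port: int
    server_port: int
    statement: str


@dataclass
class Alert:
    rule: str
    category: str      # mirrors the stock-rule groupings: auditing / security / PCI
    record: Record


def parse_records(text: str) -> list[Record]:
    """Parse pipe-delimited activity lines; blank or malformed lines are skipped."""
    out = []
    for line in text.splitlines():
        parts = line.split("|", 6)          # statement may itself contain '|'
        if len(parts) != 7:
            continue
        ts, db, user, ip, cport, sport, stmt = parts
        out.append(Record(ts, db, user, ip, int(cport), int(sport), stmt.strip()))
    return out


def _tables_in(stmt: str) -> set[str]:
    """Crude table extraction: the identifier following FROM/JOIN/INTO/UPDATE."""
    return {m.lower() for m in re.findall(
        r"\b(?:FROM|JOIN|INTO|UPDATE)\s+([A-Za-z_$][\w$]*)", stmt, re.I)}


def evaluate(rec: Record) -> list[Alert]:
    """Apply the four illustrative rules to one record and return any alerts."""
    alerts = []
    if rec.user in PRIVILEGED_ACCOUNTS:
        alerts.append(Alert("privileged-account-session", "auditing", rec))
    if rec.client_ip not in ALLOWED_CLIENTS:
        alerts.append(Alert("unexpected-client-address", "security", rec))
    if re.match(r"\s*(GRANT|REVOKE|ALTER\s+(USER|LOGIN|ROLE)|CREATE\s+(USER|LOGIN))\b",
                rec.statement, re.I):
        alerts.append(Alert("permission-change", "security", rec))
    # A read of a cardholder table with no WHERE clause is treated as a bulk export.
    if _tables_in(rec.statement) & SENSITIVE_TABLES and \
            not re.search(r"\bWHERE\b", rec.statement, re.I):
        alerts.append(Alert("bulk-read-of-cardholder-data", "PCI", rec))
    return alerts


def run(text: str) -> list[Alert]:
    """Parse a capture and evaluate every record, preserving capture order."""
    return [a for rec in parse_records(text) for a in evaluate(rec)]


if __name__ == "__main__":
    for a in run(SAMPLE_RECORDS):
        r = a.record
        print(f"[{a.category}] {a.rule}: {r.ts} {r.db} user={r.user} "
              f"from {r.client_ip}:{r.client_port} -> :{r.server_port} | {r.statement}")
```

Run as-is, the sample produces five alerts: the SYS session and the "sa" session are flagged for auditing, the "sa" session is additionally flagged for coming from an address outside the allow-list and for the GRANT, and the unfiltered SELECT against payment_cards is flagged under PCI; the two ordinary application queries produce nothing. The point of the structure is that the allow-lists are the only part a deployment has to tune, which is also where a passive monitor is most easily misconfigured into silence.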

The management utility has its own backup/restore service for disaster recovery of the full set of configuration files. A backup was initiated for the test, and a prompt appeared asking for a backup name.

When "Backup" was selected and a backup folder name given, the system confirmed that "Backup has been created successfully" and, at the same time, reported "Failed to create backup folder." Where that backup folder was supposed to be created was not apparent from the management interface. Nevertheless, when the restore option was chosen, the backup data was listed, and a restore completed successfully.

nFX Data One can also be configured to connect to a reporting server. Reporting requires that SQL Server Reporting Services be running on the machine designated as the report server. Reporting can also be done through a separate product, nFX SIM One, or through an additional reporting module purchased for Data One.

netForensics provides a three-tiered partner program (silver, gold and platinum) that supports resellers in all phases of implementation, from evaluation to maintenance after installation.

The software-only version of nFX Data One lists at a starting price of $4,300. Pricing depends on the number of databases connected and the number of transactions per second. A reporting module is available for $14,250. For the appliance, pricing begins at $3,600, again depending on the number of connected databases and transactions. Resellers receive 20-40 percent off the list price. Partners are given free training, among other incentives.

This is a powerful product that runs without adding overhead to the database servers. Testers encountered a few hiccups while setting up monitoring of SQL Server 2005, but the issues seemed to lie with the database software rather than with the nFX device. This is not a plug-and-play device right out of the box; it is an appliance that a network security-centered VAR would need to become familiar with in order to configure it for optimal use on a network.

The security benefits of nFX Data One would be worth the effort.
