Hedgehog vPatch

Imagine patching the database with no downtime, no backups.
 

To date, there are hundreds of known vulnerabilities in DBMSs across different vendors and versions.

Databases are complex applications. This complexity makes them particularly susceptible to many security vulnerabilities that provide an entry point for intruders and unauthorized users.

Exploits published on the Web enable even rookie hackers to get into the database and own it by using privilege escalation, and attack vectors such as SQL injection and buffer overflow.
Severe vulnerabilities even allow remote access by unauthenticated users, for example, those who are on remote IP addresses and have no database login credentials at all.

With so many known risks for DBMSs across so many vendors and versions, it seems unthinkable that databases would be left unpatched. Critical databases are left unpatched for months or even years, vulnerable to attacks that result in data theft, breaches of privacy and non-compliance with regulatory requirements.
Why aren’t vendor-issued security patches being deployed?
While Sentrigo recommends timely, regular deployment of vendor-issued security patches as the best way to protect corporate databases, due to the following reasons, many organizations do not patch their databases in a timely manner: 

• Patching is an update to the DBMS kernel and requires database downtime. This is often not an option in 24×7 environments, or is extremely difficult to coordinate.
• Patching requires regression testing of all applications running on top of the database.
• Many application vendors only certify their applications to run on top of specific releases of DBMSs – updates not included.
• Older, yet still used database versions are not supported by new security patches.

 
What Is Virtual Patching?
Virtual patching is a way to protect the database against exploits without actually patching the DBMS kernel. This creates a security layer around the database that, unlike vendor patching, does not require downtime or application testing.

Hedgehog vPatch protects databases in real-time against known vulnerabilities using unique virtual patching capabilities

By monitoring all actions in the database and matching them against rules that detect known exploits and vulnerabilities, virtual patching detects attempted exploits. When a match occurs, an alert is issued and the suspicious session can be terminated and the originating user quarantined for specified period, until the nature of the suspected attack is investigated.
Downloadable, Easy to Deploy Across Multiple Databases
Hedgehog vPatch is a subscription-based offering that includes two components:

• Host-based software that uses sensors to protect the DBMS with a set of protections (virtual patches) to detect and prevent attempted exploits of DBMS vulnerabilities.
• Ongoing updates for newly discovered and existing vulnerabilities, courtesy of Sentrigo’s “Red Team” — a team of security researchers who are constantly finding DBMS vulnerabilities and exploits, and devising ways of stopping them.

Hedgehog vPatch is non-intrusive, does not use native DBMS auditing or API functions and is not part of the DBMS – it directly monitors the database memory cache and has full visibility into all database activity.
Hedgehog vPatch™ Advantages

• No database downtime is required both during the initial installation as well as during the ongoing deployment of security updates.
• No impact on the application layer
• Support for older DBMS versions (e.g., Oracle 8i, 9i)

 
More details

• License/subscription and pricing
• Product comparison
• System requirements

Repscan

Vulnerability Assessment and Security Scanning for Oracle and Microsoft Databases  Per Database Instance License. 
          
By Red Database Security

With more than 3000 security verifications scanning Oracle and Microsfot databases and applications, Repscan™ by Red-Database-Security is the most comprehensive vulnerability assessment solution available.

 
 
Based on real-world Oracle Experience 
Developed by one of the world’s foremost authorities on Oracle security – Alexander Kornbrust of Red-Database-Security – Repscan provides a crystal clear picture of Oracle and Microsoft’s security level with simple remediation  instructions – at your fingertips.
 
Why Repscan?
Repscan is the only tool that can deliver 360 degree reporting on the security posture of your Oracle and Microsoft databases.
Repscan can detect database modifications, can test 100s of databases for neglected patches, insecure system configurations, weak and default passwords (database/APEX/OID/OVS passwords) and even insecure PL/SQL code and forensic traces.
Product Highlights

• Detects insecure PL/SQL-Code
• Shows the patch level of all your databases in one-click
• Finds security problems such as SQL Injections, hardcoded passwords, deprecated functions
• Detects weak or default passwords
• More than 115 Oracle/Microsoft tables checked for password information
• Detects changed database objects including root kits
• Detects altered data (including modifications of privilege and user tables)
• Discovers forensic traces from common security and hacker tools
• Complements and integrates with Sentrigo’s Hedgehog family of database activity monitoring software
  
  

Download your free limited trial-version of Repscan now!

The free limited trial-version is a great introduction to Repscan.

This includes: 

• Scanning 2 databases at a time

• Checking 50% of insecure passwords

The full-version of Repscan with complete features and functionality includes:   

• Testing of known vulnerabilities
• Testing of known backdoors
• Creating Hedgehog rules (Granular user-defined policies)
• Generating SQL Fix scripts
• Various reports (PCI, Installed Software, Forensic, Findbackdoor)
   
  To find out more about the full version, contact us: sales@sentrigo.com

 
Repscan further provides: 

• Small XML-based reports that can be easily integrated into 3rd party reporting tools
• Database browser allows interactive review by security personnel without deep database knowledge
• Discovery tools identify databases and tables with sensititive information
• Security updates allowing you to remain current and identify recently discovered vulnerabilities and weaknesses. (Requires subscription) 
• Quick, easy installation: import database connections from tnsnames.ora files or adding database names manually.
• Scalability: scan simple, single database installations – up to hundreds of databases from a single location.

Features include auto mode with instant protection and adaptive learning, positive and negative filtering, XML and JSON services support, session validation and CSRF protection, output rewriting and log data masking, load balancing with session persistence, acceleration, automated learning, access log, audit logging, automated push backup.

Includes 1 year 8/5 business day support by phone, email and web, automated updates, all upgrades. Annual support renewal: $ 1495

License: Single node license . Allows for installation of one node in production
environment. Additional nodes in non-production environment for development and testing are allowed.

Support: Standard support – first year. 8/5 business day support by phone, email and web, automated updates, all upgrades.

Support upgrade and renewal options:
Upgrade to Premium support (24/7) first year: $595 
Standard support renewal one year : $1,495
Premium support renewal one year: $1,995

Features include auto mode with instant protection and adaptive learning, positive and negative filtering, XML and JSON services support, session validation and CSRF protection, output rewriting and log data masking, load balancing with session persistence, acceleration, automated learning, access log, audit logging, automated push backup.

Includes 1 year 24/7 business day support by phone, email and web, automated updates, all upgrades. 

License: Single node license . Allows for installation of one node in production
environment. Additional nodes in non-production environment for development and testing are allowed.

Support upgrade and renewal options:
Premium support renewal one year: $1,995

Perfect for companies who with high traffic volumes who also want the comfort of instant backup for their security.

Features include auto mode with instant protection and adaptive learning, positive and negative filtering, XML and JSON services support, session validation and CSRF protection, output rewriting and log data masking, load balancing with session persistence, acceleration, automated learning, access log, audit logging, automated push backup, active/active clustering with policy synchronization.

License: Two node license. Allows for installation of one master node and one
slave node in production environment. Additional nodes in non-production environment for development and testing are allowed.

Unlike most traditional web application firewall appliances, Profense cluster nodes run side by side, sharing the traffic load and providing instant backup for each other.

These nodes “self balance” so no additional hardware is required for high volume environments, giving you performance you’d have to pay a minimum of 50% more for with traditional solutions.

Includes 1 year 8/5 business day support by phone, email and web, automated updates, all upgrades.

Support and upgrade options:

Upgrade to Premium support (24/7) first year: $845
Standard support renewal one year : $1,995 
Premium support renewal one year: $2,495

Perfect for companies who with high traffic volumes who also want the comfort of instant backup for their security.

Unlike most traditional web application firewall appliances, Profense cluster nodes run side by side, sharing the traffic load and providing instant backup for each other.

Features include auto mode with instant protection and adaptive learning, positive and negative filtering, XML and JSON services support, session validation and CSRF protection, output rewriting and log data masking, load balancing with session persistence, acceleration, automated learning, access log, audit logging, automated push backup, active/active clustering with policy synchronization.
License: Two node license .

Allows for installation of one master node and one slave node in production environment. Additional nodes in non-production environment for
development and testing are allowed.

These nodes “self balance” so no additional hardware is required for high volume environments, giving you performance you’d have to pay a minimum of 50% more for with traditional solutions.

Includes 1 year 24/7 business day support by phone, email and web, automated updates, all upgrades.
Premium support renewal one year: $2,495

Features include Auto mode with instant protection and adaptive learning, positive and negative filtering, load balancing with session persistence, acceleration, automated learning.

License: Single node license. Allows for installation of one node in production environment. Additional nodes in non-production environment for development and testing are allowed.

Includes 1 year Web and email based technical support, automated updates.

Support upgrade and renewal options:
Upgrade to Standard Profense version, standard first year: $300
Basic support renewal one year: $995
Standard support renewal one year: $1,250

Hedgehog Standard

Your Introduction to Database Activity Monitoring

Hedgehog Standard™ is perfect for growing organizations that require activity monitoring for a handful of mission critical databases. Hedgehog Standard brings enterprise-level security to the database. It’s completely free to download and use.

Using the same ground-breaking technology as Hedgehog Enterprise, it provides visibility in real-time into all database activity and alerts on suspicious activity.

Product Highlights:
 

• Granular user-defined rules, inspecting activity based on SQL statements, database objects being accessed, IP address, user, date & time ranges, application used to access the database, and more
• Real-time monitoring and alerting – available for one database at a time, with sorting and filtering by severity level, time, rule triggers, etc.
• Audit trail of generated alerts and events, facilitates regulatory database compliance with PCI DSS, SOX, HIPAA and privacy notification laws
• Free web-based support (phone support is available as an option)

  For a comparison of the two products, click here.

Hedgehog IDentifier
End-User Accountability in Databases Sentrigo’s Hedgehog IDentifier is a unique solution to application end-user identification in pooled-connection environments that obscure individual user accountability. Hedgehog IDentifier ties database actions with the end-users who initiate them, enabling the enforcement of security policy on individuals and satisfying regulatory compliance requirements.
Product highlights

• Accurate identification of individual end-user activity in the database
• Satisfies regulatory compliance requirements for individual accountability (including Sarbanes-Oxley, PCI DSS and HIPAA)
• Real-time alerting and prevention capabilities based on individual user actions
• No change required to applications or DBMS

Application End-User Identification
Auditors want to know “who did what” on the database, while corporate security policy often requires limiting access to data based on user identity. More often than not, however, users connect to the database via applications that use pooled connections, making it impossible to figure out which user performed which action on the database, let alone enforce security policy based on user identity.
The Solution: Hedgehog IDentifier
Hedgehog IDentifier passes the application user ID along to the database and associates every action with the application end-user who performed it. Unlike other methods that use correlation and are not 100% reliable, Hedgehog IDentifier is a software component installed on the application server, which extracts the actual user ID information and passes it through the connection to the database.

Hedgehog IDentifier allows users to identify application user IDs, user IP address and URL, and by using the Hedgehog Enterprise rules engine, it can issue alerts and limit access to database objects based on those parameters.

When deploying Hedgehog IDentifier, no changes to either the applications themselves or to the DBMSs are required.
Sentrigo customers use Hedgehog IDentifier to:

• Monitor, track and audit “who is doing what” in the database
• Comply with regulations that mandate controlling individual access to sensitive data
• Enforce security policy on end-users rather than on applications and maintain accountability

Hedgehog IDentifier is an add-on to Hedgehog Enterprise. It supports JavaEE application servers such as IBM WebSphere, BEA WebLogic, JBoss and Apache Tomcat, as well as .NET application servers.

Hedgehog IDentifier is available for download when you download Hedgehog Enterprise

Hedgehog Enterprise
Database Activity Monitoring and Intrusion Prevention
Hedgehog Enterprise™ is optimal for organizations that require breach prevention, end-user identification, virtual patching, integration with your existing security infrastructure, IT governance and operate with enterprise-wide database deployment.

Sentrigo’s Hedgehog Enterprise is a scalable database activity monitoring and intrusion prevention solution. Database breaches and the theft of sensitive data leave enterprises exposed to risk and can do irreparable harm at great cost.

Hedgehog Enterprise provides full visibility into all database activity including local privileged access, protects the database in real-time with actionable alerts and prevention capabilities, and allows enterprises to enforce security policy and comply with regulatory requirements, such as PCI DSS, Sarbanes-Oxley, SAS 70 and HIPAA.
Product Highlights

• Real-time alerting and prevention of attacks and data theft
• In depth protection of sensitive data at the object level
• Virtual Patching - predefined rules that addresses known and newly discovered DBMS vulnerabilities that serve as a stop-gap until vendor-issued security patches are deployed.  Virtual patches are available as an option to Hedgehog Enterprise, on a subscription basis.
• Central management able to handle deployments from a single database to thousands of databases
• No degradation in database performance

 
Real-Time Activity Monitoring

Hedgehog gives the IT security professional full visibility of user activity on all monitored databases. Hedgehog either issues alerts about abnormal user activity or stops it in its tracks. Policies are enforced based on a variety of parameters, including:

• Specific database objects
• SQL statements
• Application user ID (Requires Hedgehog IDentifier™)
• Source IP address
• Applications used
• Etc.

 
Easing the Burden of Regulatory Compliance

Hedgehog simplifies and accelerates the process of complying with standards and regulations such as Sarbanes-Oxley (SOX), PCI DSS, SAS 70, HIPAA, GLBA and privacy breach notification laws. Wizard-driven processes and reports help meet key requirements, including access to sensitive data, privileged user behavior and segregation of duties.
Uninterrupted Operations

Hedgehog’s patent-pending host-based technology is uniquely capable of monitoring privileged user access without impacting performance, without relying on native DBMS auditing or logs and with no need for DBMS downtime.
More details

• License/subscription and pricing
• Product comparison
• System requirements

Astaro Software ASL 10 Users 1 Year Web Subscription

Astaro Software ASL 10 Users 1 Year Gold Maintenance Subscription

Hardware Appliance with 4 10/100 ports, HDD + Base License for 10 users  The Astaro Security Gateway 110 is designed to provide complete, but easy-to-use protection for small businesses, branch and remote offices with up to 10 users. Its compact size and economical price make it a perfect fit for any small office environment. The 110 hardware appliance can be upgraded to an Astaro Security Gateway 120, supporting up to 50 users at any time. This section details the security applications available, technical information and deployment scenarios.
Spec:

Equipped with 4 separately manageable Network Ports, a fast 1.5 GHz Intel-compatible CPU and an integrated hard drive the ASG 110 offers a complete and easy-to use solution to protect small networks against the endless number of viruses, spam and hackers that threaten to compromise networks of all sizes today. By offering a Firewall throughput of up to 200 Mbit/s it can easily exceed the performance of standard branch office internet connections. The gateway can be deployed for up to 10 users.

 
 Support Options:
Web Support
Included free-of-charge with every Astaro Security Gateway base license. Web support offers a 72 hour “bring in” hardware replacement (during the

Standard Support
Included with every Network, Web or Mail Security subscription purchased. Standard support offers a 24 hour “bring in” hardware replacement,
automatic software updates as well as technical 10*5 support via Astaro partners.

Premium Support
An optional support upgrade which can be purchased for 1, 3 or 5 years. Premium support offers a 24 hour upfront hardware replacement, software updates as well as technical 24*7 support via Astaro engineers – beginning with activation-key entry within the MyAstaro-Portal.

Hardware Appliance with 4 10/100 ports, HDD + Base License for 10 users  The Astaro Security Gateway 110 is designed to provide complete, but easy-to-use protection for small businesses, branch and remote offices with up to 10 users. Its compact size and economical price make it a perfect fit for any small office environment. The 110 hardware appliance can be upgraded to an Astaro Security Gateway 120, supporting up to 50 users at any time. This section details the security applications available, technical information and deployment scenarios.
Spec:

Equipped with 4 separately manageable Network Ports, a fast 1.5 GHz Intel-compatible CPU and an integrated hard drive the ASG 110 offers a complete and easy-to use solution to protect small networks against the endless number of viruses, spam and hackers that threaten to compromise networks of all sizes today. By offering a Firewall throughput of up to 200 Mbit/s it can easily exceed the performance of standard branch office internet connections. The gateway can be deployed for up to 10 users.

 
 Support Options:
Web Support
Included free-of-charge with every Astaro Security Gateway base license. Web support offers a 72 hour “bring in” hardware replacement (during the

Standard Support
Included with every Network, Web or Mail Security subscription purchased. Standard support offers a 24 hour “bring in” hardware replacement,
automatic software updates as well as technical 10*5 support via Astaro partners.

Premium Support
An optional support upgrade which can be purchased for 1, 3 or 5 years. Premium support offers a 24 hour upfront hardware replacement, software updates as well as technical 24*7 support via Astaro engineers – beginning with activation-key entry within the MyAstaro-Portal.

The Astaro Security Gateway 625 is designed to provide protection for larger enterprises. Based on high quality Intel-compatible server systems, including Dual IntelTM Xeon Multi-Core processors and redundant highspeed hard disks, it provides optimal performance and reliability even for the most demanding environments. This section details the security applications available, technical information and deployment scenarios.

Spec:

Equipped with 10 gigabit-speed copper ports and 8 SFP GBIC ports, the Astaro Security Gateway 625 provides maximum deployment flexibility, making it the ideal choice even for data center environments. Redundant RAID controlled hard disks and hot-swappable power supplies offer maximum reliability and availability.

Two Intel Quad-Core Xeon CPUs, 18 PCI-Express gigabit-speed network ports, and two 15K rpm SAS hard disks offer firewall throughput rates of more than 9 Gbps. By using Astaro’s “One-Click Clustering” technology, even full gigabit UTM-throughput can be achieved without requiring external load balancers.

Support Options:

Web Support

Included free-of-charge with every Astaro Security Gateway base license. Web support offers a 72 hour “bring in” hardware replacement (during the

Standard Support

Included with every Network, Web or Mail Security subscription purchased. Standard support offers a 24 hour “bring in” hardware replacement, automatic software updates as well as technical 10*5 support via Astaro partners.

Premium Support

An optional support upgrade which can be purchased for 1, 3 or 5 years. Premium support offers a 24 hour upfront hardware replacement, software updates as well as technical 24*7 support via Astaro engineers – beginning with activation-key entry within the MyAstaro-Portal.