Imperva SecureSphere Review

Recently I took part in a training session on Imperva SecureSphere® and I must say I was impressed with the architecture, features and overall philosophy behind this product.

Here are 10 reasons I liked Imperva SecureSphere, an awesome Web Application Firewall, or should I say Business Application Firewall, for reasons which I will present below.

Note: I am not affiliated with Imperva, and this is not a paid review.

1. Dual Approach to Web Application Security: WWW + SQL
There are several Web Application Firewalls available on the market, and Imperva appears to be the only one that approaches application security the right way, as a multi-tier structure: SecureSphere offers IPS-like protection both at the presentation tier (HTTP traffic) and at the data tier (SQL traffic) of a three-tier application.

The ability to monitor and block both HTTP and SQL traffic provides defense in depth and end-to-end user accountability (from browser to database).

2. Architecture / Extremely Flexible Deployment 
SecureSphere is offered as a hardened appliance handling up to 2 Gbps and 36,000 HTTP transactions / sec. or 200,000 SQL transactions / sec.

The Architecture of a SecureSphere solution is modular and scalable:

I liked the fact that there is a Management server and “enforcement points” in the form of Web Application Firewalls and Database Security Gateways. Yes, it looks similar to a Check Point architecture, and there is a good reason for this: Imperva was founded by Check Point co-founder Shlomo Kramer.

The deployment options blew me away because I was used only to reverse-proxy and transparent-proxy web application firewalls. Imperva offers a wide range of deployment scenarios which should fit any network requirement:

  • Transparent Bridge (Layer 2)
  • Router/NAT (Layer 3)
  • Reverse Proxy (Layer 7)
  • Non-inline sniffer
  • Transparent Proxy (Layer 7).

3. Positive Security Model / Dynamic Profiling
The positive security model is definitely not something new, especially in web application firewall design. But what I found very interesting about Imperva’s approach was the semantic breakdown of both HTTP and SQL requests: HTTP requests and SQL queries are tokenized and each token is fed to a correlation engine. Suddenly the data has meaning and actions can be taken based on the meaning of tokens.

One of the drawbacks of the positive security model is the taming (or should I say training 🙂) of the firewall / IPS: lots of time spent teaching a machine the difference between normal and abnormal.

Imperva tackles this time- and resource-consuming task with dynamic profiling. Every new application is automatically set to “Learning” mode until a certain number of requests (in the order of thousands) or a certain number of days have elapsed. At that point, based on the data gathered so far, the system defines a profile of acceptable requests and locks the application into “Protection” mode. What is “normal” or “acceptable” is derived from the statistical distribution of all values recorded for each token, much like fitting a Gaussian (normal) distribution. The practical caveat is that whatever the system sees during learning becomes “normal”, so learning should run on traffic you trust, or the resulting tokens should be reviewed before lockdown.

At any future point in time the application lockdown can be removed by an administrator and tokens can be modified.
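To make the learning / protection cycle concrete, here is a small profiler written for this review (it is not Imperva’s code and says nothing about how SecureSphere implements its profiles). It tokenizes each request into URL and parameters, learns the character classes and maximum length of every parameter value, locks the URL after a fixed number of requests and then reports anything outside the learned profile. The thresholds, the parameter names and the traffic are all constructed for the demo.

```python
import math
from dataclasses import dataclass, field

# Thresholds are assumptions for the demo; a real deployment learns over
# thousands of requests or several days before locking an application.
LOCK_AFTER = 5        # requests per URL before its profile locks
LENGTH_SLACK = 1.5    # tolerated growth over the longest value learned


def categories(value):
    """Coarse character classes of a parameter value: the 'meaning' of the token."""
    cats = set()
    for ch in value:
        if ch.isdigit():
            cats.add("digit")
        elif ch.isalpha():
            cats.add("alpha")
        elif ch.isspace():
            cats.add("space")
        else:
            cats.add("punct:" + ch)   # every punctuation character is its own class
    return cats


@dataclass
class ParamProfile:
    classes: set = field(default_factory=set)   # union of classes seen in learning
    max_len: int = 0


@dataclass
class UrlProfile:
    params: dict = field(default_factory=dict)  # parameter name -> ParamProfile
    seen: int = 0
    locked: bool = False


class Profiler:
    def __init__(self):
        self.urls = {}

    def observe(self, path, params):
        """Learning mode: widen the URL's profile with whatever this request carries."""
        up = self.urls.setdefault(path, UrlProfile())
        for name, value in params.items():
            pp = up.params.setdefault(name, ParamProfile())
            pp.classes |= categories(value)
            pp.max_len = max(pp.max_len, len(value))
        up.seen += 1
        if up.seen >= LOCK_AFTER:
            up.locked = True            # automatic switch to "Protection" mode

    def unlock(self, path):
        """Administrator removes the lockdown so the profile can be re-learned or edited."""
        self.urls[path].locked = False

    def check(self, path, params):
        """Return a list of violations; an unlocked URL keeps learning and reports nothing."""
        up = self.urls.get(path)
        if up is None or not up.locked:
            self.observe(path, params)
            return []
        violations = []
        for name, value in params.items():
            pp = up.params.get(name)
            if pp is None:
                violations.append("unknown parameter %r" % name)   # positive model: not learned, not allowed
                continue
            extra = categories(value) - pp.classes
            if extra:
                violations.append("%s: unexpected characters %s" % (name, sorted(extra)))
            if len(value) > math.ceil(pp.max_len * LENGTH_SLACK):
                violations.append("%s: length %d exceeds learned maximum %d" % (name, len(value), pp.max_len))
        return violations


# Constructed learning traffic (not real logs): five clean logins.
LEARNING = [
    ("/login", {"user": "alice", "pw": "s3cret"}),
    ("/login", {"user": "bob", "pw": "hunter2"}),
    ("/login", {"user": "carol", "pw": "Pa55word"}),
    ("/login", {"user": "dave99", "pw": "letmein"}),
    ("/login", {"user": "erin", "pw": "qwerty12"}),
]


def demo():
    p = Profiler()
    for path, params in LEARNING:
        p.check(path, params)                      # still learning: nothing is reported
    return {
        "clean":   p.check("/login", {"user": "frank", "pw": "abc123"}),
        "sqli":    p.check("/login", {"user": "admin' OR 1=1 --", "pw": "x"}),
        "unknown": p.check("/login", {"user": "frank", "pw": "x", "debug": "1"}),
        "long":    p.check("/login", {"user": "a" * 64, "pw": "x"}),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "->", result or "allowed")
```

The injection attempt trips on characters (quote, space, equals, dash) that never appeared in the learned values, the extra `debug` parameter is rejected simply because it was never learned, and the over-long username fails the length check. Note what the code does not do: during learning every request widens the profile, so an attack seen before lockdown would have been baked into the profile, which is exactly why the administrator’s ability to unlock and edit tokens matters.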

4. HTTPS/SSL Inspection Passive decryption or termination
One common shortcoming of web application firewalls / IPS is the inability to look inside an SSL-encrypted stream without breaking the SSL connection between browser and web server.

SecureSphere can decrypt passively, holding a copy of the web server’s private key or delegating key storage and decryption to an existing HSM, so the browser-to-server SSL session stays intact; in reverse-proxy mode it can instead terminate SSL itself. One caveat worth knowing (a general property of passive decryption, not something specific to this product): decrypting with a copy of the server key only works for cipher suites that use RSA key exchange. With ephemeral Diffie-Hellman suites the session key is never encrypted under the server’s key, so a passive observer cannot recover it and termination is the only option.

5. Imperva Application Defense Center (ADC)
Whenever one buys such a complex security solution, it’s a good feeling to know that the product is actively supported and improved by a dedicated R&D team. Think of ISS (IBM) X-Force.

Imperva’s own research team is called the Application Defense Center (ADC) and is led by Amichai Shulman, Imperva’s CTO.

I was told that the average time between a zero-day vulnerability disclosure and a full signature release is 3 to 5 days. And we are talking vulnerabilities at multiple layers: network, operating systems, protocol anomalies (HTTP and SQL), database platforms, web application platforms, etc.

6. Enterprise Ready Features

I call this set of features “Enterprise-Ready Features” because I’ve come to understand that it’s not enough for a product to be the best in its class: it has to fit in nicely within an established network and it has to be easy to manage, deploy and upgrade. Yes, 21st-century corporate requirements 🙂

So here they are, Imperva SecureSphere’s Enterprise-Ready features:

  • High Availability
    • IMPVHA (Active/Active, Active/Passive) – proprietary protocol
    • Fail open interfaces (bridge mode only)
    • VRRP
    • STP and RSTP
  • Alerting to various monitoring and security event management systems through SNMP, Syslog and Email
  • Integrated graphical reporting
  • Real-time dashboard.
  • Pre-defined and custom correlation rules incorporate all security elements to detect complex, multi-stage attacks.

7. Database Security Assessment
I have been using Scuba, Imperva’s free database vulnerability scanner, for a while and it proved useful in a few assignments. Little did I know that the SecureSphere Database Security Gateway runs a vulnerability scanner about 50 times larger whenever a new database system is added for monitoring / protection.

It just seems logical for a database IPS / firewall to have inside knowledge about the configuration, patch level, roles and data of the systems it is supposed to defend. It all comes down to the importance of data profiling.

8. Correlation Across Layers
One important evaluation criterion for any firewall / IPS is the way it handles false positives and false negatives. Regardless of the layer it works on (network, application), the firewall should not block any legitimate request. A tough requirement to meet, especially when one has to cover multiple OSI layers (network, transport, presentation, application)!

Imperva has developed an internal correlation engine named Correlated Attack Validation (CAV) which tracks and correlates multiple events to accurately identify and block sophisticated attacks.

This is one example of blocking an attack that uses the HTTP Request Smuggling evasion technique:

[Screenshot omitted: SecureSphere blocking an HTTP Request Smuggling attempt]
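Since the screenshot does not survive here, the following detector written for this review (not Imperva’s code, and not a description of how CAV works internally) shows what a request smuggling attempt looks like on the wire and which indicators a layer-7 inspector can correlate: a Content-Length and a Transfer-Encoding header in the same request, duplicate or whitespace-obfuscated Transfer-Encoding headers, a non-canonical chunked value, and a Content-Length that does not match the bytes actually delivered. The requests are constructed samples, not captured traffic.

```python
def parse_request(raw):
    """Split a raw HTTP/1.1 request into (request line, [(name, value)], body).
    Header names are kept exactly as sent (no stripping, no case folding) because
    the anomalies a smuggler relies on live in precisely those details."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("latin-1")
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            headers.append(("<malformed>", line.decode("latin-1")))
        else:
            headers.append((name.decode("latin-1"), value.decode("latin-1")))
    return request_line, headers, body


def is_header(name, wanted):
    return name.strip().lower() == wanted


def smuggling_findings(raw):
    """Return the desync indicators found in one request (empty list = looks clean)."""
    _, headers, body = parse_request(raw)
    findings = []
    cl = [v for n, v in headers if is_header(n, "content-length")]
    te = [v for n, v in headers if is_header(n, "transfer-encoding")]

    # A name with surrounding whitespace ("Transfer-Encoding : chunked") is the classic
    # TE.TE trick: one hop honours the header, the next one does not.
    for n, _ in headers:
        if n != n.strip() and (is_header(n, "content-length") or is_header(n, "transfer-encoding")):
            findings.append("obfuscated header name %r" % n)

    if cl and te:
        findings.append("both Content-Length and Transfer-Encoding present (CL.TE / TE.CL ambiguity)")
    if len(cl) > 1 and len({v.strip() for v in cl}) > 1:
        findings.append("conflicting duplicate Content-Length headers %r" % cl)
    if len(te) > 1:
        findings.append("duplicate Transfer-Encoding headers (TE.TE)")
    for v in te:
        if v.strip() != "chunked":
            findings.append("non-canonical Transfer-Encoding value %r" % v)

    # With a single Content-Length the declared size must match the bytes delivered;
    # leftover bytes would be parsed as the start of the *next* request on the connection.
    if len(cl) == 1 and not te:
        try:
            declared = int(cl[0].strip())
        except ValueError:
            findings.append("non-numeric Content-Length %r" % cl[0])
        else:
            if declared != len(body):
                findings.append("Content-Length %d != body length %d" % (declared, len(body)))
    return findings


# Constructed requests (not captured traffic).
CLEAN = (b"POST /search HTTP/1.1\r\nHost: shop.example\r\n"
         b"Content-Length: 5\r\n\r\nq=abc")
CL_TE = (b"POST /search HTTP/1.1\r\nHost: shop.example\r\n"
         b"Content-Length: 6\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\nG")
TE_TE = (b"POST /search HTTP/1.1\r\nHost: shop.example\r\n"
         b"Transfer-Encoding: chunked\r\nTransfer-Encoding : xchunked\r\n\r\n0\r\n\r\n")
CL_MISMATCH = (b"POST /search HTTP/1.1\r\nHost: shop.example\r\n"
               b"Content-Length: 3\r\n\r\nq=aGET /admin HTTP/1.1\r\nHost: shop.example\r\n\r\n")


if __name__ == "__main__":
    for label, req in [("clean", CLEAN), ("cl.te", CL_TE), ("te.te", TE_TE), ("cl mismatch", CL_MISMATCH)]:
        print(label, "->", smuggling_findings(req) or "no findings")
```

The body-length check is the one that needs a device sitting on the stream (inline bridge or proxy) rather than a log file: the `CL_MISMATCH` request is an innocent-looking POST whose trailing bytes form a second request that the back end would process under the front end’s access decisions. The strict `chunked` comparison also flags legitimate but rare values such as `gzip, chunked`; for a request-side inspector that is a tradeoff most operators accept.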

9. SQL queries AND response
Many database monitoring and audit solutions will log the SQL queries, but I’m not sure how many think of logging the SQL response as well, which leaves a door open for insider threats: the query alone does not tell you how much data actually came back.

The sheer volume of data can render such logging unusable, but Imperva has a very simple and effective solution: it stores the audit logs (SQL request and response) as flat files, which has little to no effect on traffic inspection.

10. Universal User Tracking
Accountability and non-repudiation are two cornerstone requirements for any solid security management system, but they have been very difficult to implement because of the way most web applications work:

  • Phase 1: The user logs into the web application using his username / token, etc.
  • Phase 2: The user clicks on a link which translates into a series of SQL queries to be passed to the database layer.
  • Phase 3: The application server initiates a database connection using a generic application user.
  • Phase 4: The database executes the query and returns the data to the application server which in turn presents the data to the user.

Somewhere between phase 2 and phase 4 the chain of accountability is broken: there is no direct link between a user and the SQL query run on the database, because every query arrives under the same generic application account.

This is where Imperva’s Universal User Tracking kicks in: it makes users accountable for their actions even when they access data through business applications. To identify application users, a dedicated SecureSphere interface monitors application user sessions and correlates those sessions with specific database transactions.
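The two points above (logging the response, not only the query, and tying the generic database account back to the application user) are easiest to see in one example. This code was written for this review; it is not Imperva’s and it does not do what SecureSphere does, which is correlate sessions and transactions from the wire without touching the application. Instead it shows the application-side version of the same chain: a hypothetical `AuditedConnection` wrapper that runs every query under the service account but writes one flat-file JSON line per query with the web user, the statement, the row count and a digest of the result. The service account name, the table and the three queries are all constructed.

```python
import hashlib
import io
import json
import sqlite3

DB_SERVICE_ACCOUNT = "appsvc"   # the generic account the application tier uses (assumed name)


class AuditedConnection:
    """Runs every query through one place that knows both ends of the accountability chain:
    the application user from the web session and the SQL sent under the service account.
    One JSON line per query goes to a flat file; it records the response too (row count
    and a digest of the result set), not just the statement."""

    def __init__(self, conn, sink):
        self.conn = conn
        self.sink = sink                      # any file-like object, e.g. open("db-audit.jsonl", "a")

    def query(self, app_user, sql, params=()):
        rows = self.conn.execute(sql, params).fetchall()
        digest = hashlib.sha256(json.dumps(rows, default=str).encode()).hexdigest()
        record = {
            "app_user": app_user,             # who clicked the link
            "db_user": DB_SERVICE_ACCOUNT,    # all the database itself would have logged
            "sql": sql,
            "params": list(params),
            "rows": len(rows),
            "response_sha256": digest,        # proves what came back without storing the data
        }
        self.sink.write(json.dumps(record) + "\n")
        return rows


def read_log(audit_text):
    """Parse the flat file back into records (one JSON object per line)."""
    return [json.loads(line) for line in audit_text.splitlines()]


def flag_bulk_reads(audit_text, max_rows=10):
    """Return (app_user, sql, rows) for responses larger than expected. This is the check
    query-only logging cannot do: two SELECTs can look alike until you see the row counts."""
    hits = []
    for rec in read_log(audit_text):
        if rec["rows"] > max_rows:
            hits.append((rec["app_user"], rec["sql"], rec["rows"]))
    return hits


def demo():
    # Constructed data: 50 customers with the last four digits of a card number.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, card_last4 TEXT)")
    db.executemany("INSERT INTO customers (name, card_last4) VALUES (?, ?)",
                   [("customer%d" % i, "%04d" % i) for i in range(1, 51)])
    sink = io.StringIO()
    audited = AuditedConnection(db, sink)
    audited.query("alice", "SELECT name, card_last4 FROM customers WHERE id = ?", (7,))
    audited.query("mallory", "SELECT name, card_last4 FROM customers WHERE id = ?", (8,))
    audited.query("mallory", "SELECT name, card_last4 FROM customers")   # a dump of the whole table
    return sink.getvalue()


if __name__ == "__main__":
    log = demo()
    print(log, end="")
    print("flagged:", flag_bulk_reads(log))
```

Seen from the database, all three statements ran as `appsvc`; the audit line is what restores the link to `alice` and `mallory`, and the row count is what separates a routine lookup from a table dump. The one-line-per-query flat file is the same cheap storage choice the post describes, and replaying it is a grep-sized job rather than a database query.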

Conclusions
Imperva SecureSphere is an advanced business application security control that has taken the concepts of firewall and IPS to the application layer with great results.
Just like Check Point changed the network firewall forever in 1993, I wouldn’t be surprised if, 15 years later, Imperva establishes itself as the reference in activity monitoring, audit and security for business applications and databases.

However, take my review with a grain of salt as I didn’t test the product myself... yet 🙂 I plan to set up a head-to-head clash between an automatic web attack suite and an automatic web firewall. Now that’s going to be fun 🙂




5 Responses to “Imperva SecureSphere Review”

  • 1
    Ory Segal
    October 22nd, 2007 06:44

    Nice Post.

    Here are a few comments:

    1) I don’t think you can call HTTP “presentation layer”. This term is reserved (see OSI layer model). In addition, you can’t refer to SQL as the data layer (for the same reasons)

    2) “Positive Security Model”, together with “Signatures” in the same post, sounds like an oxymoron to me. Positive security means that you define what is allowed. Negative security means that you define what is blocked (aka Signatures).

    Other than that, Imperva is cool.

  • 2
    Dragos Lungu
    October 22nd, 2007 07:06

    1) Yes Ory, you are right, HTTP is not a presentation layer. I thought of SQL as the “data layer” in a 3-tier application design. Don’t ask why I mixed it all up 🙂

    2) The positive security model is used in the process of profiling the application; from what I’ve seen, Imperva can detect an attack on multiple layers, including the web server layer where signatures are essential in weeding out the obvious attacks like CodeRed & such.

    Thanks for your comments!

  • 3
    Ory Segal
    October 22nd, 2007 10:01

    Hi

    Regarding #2, I guess most products that claim they do Positive Security have to add some signatures from time to time, mainly as a safety net, as well as for satisfying customers who want to feel they are getting their bang for the buck (for their maintenance fees 🙂

  • 4
    links for 2007-10-23 « Where Is All This Leading To?
    October 22nd, 2007 17:23

    […] Imperva SecureSphere Review (tags: ids inline imperva security reviews) […]

  • 5
    Good News from ArcSight and Imperva | Dragos Lungu Dot Com
    March 11th, 2008 15:14

    […] sweet news :  I love Imperva’s SecureSphere Web Application and Database Firewall and it’s great to know that Information Security […]

