Call: +44 (0)7759 277220 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Two Oracle Security Presentations"] [Next entry: "Hacking Oracle with a coffee machine?"]

Sentrigo Hedgehog

I promised to create a short write up on Sentrigo's Hedgehog product some time ago when Tim Hall posted an entry on his blog titled Sentrigo Hedgehog… where he discussed meeting Slavik Markovich who is the CTO of Sentrigo who make the Hedgehog products.

The upshot of Tim's post was that he suggested that someone like me ought to test and comment on the product as its an Oracle Security product and I am working in this area. As I pointed out on Tim's blog post I have a bias in relation to this product as I am on the technical advisory board of Sentrigo and my company Limited is also a partner of Sentrigo in terms of offering the product to customers here in the UK and some other areas.

It is important for me to state my relationships and position with Sentrigo first, OK disclaimer over.

So that said I want to now discuss the focus of this article. As I said in a comment Tim's blog post the focus for me is "why", i.e. why did I want to work closely with Sentrigo on the Hedgehog product in terms of being on the advisory board and also in terms of offering the product to my companies customers here in the UK and elsewhere.

The answer to this point is actually very simple, at least for me. I first heard about and subsequently saw the product around one and a half years ago when Slavik contacted me and asked if I would like to see it. I was immediatly very interested and was excited by the ideas behind the product. Most of the players in the IDS/IPS (Intrusion Detection System/Intrusion Prevention System - sometimes also refered to as virtual patching) use network sniffer based technologies and this product, HedgeHog, was new and used a completely different approach being host based and not network sniffer based.

For me there has always been an issue with network based solutions that is not easy to get around and solve. Hedgehog solves this issue in one fell swoop. Let me give an example; imagine that you are deploying a network based IDS/IPS and as part of the setup of custom rules/ policies you are required to satisfy and internal/regulatory policy that requires all access to the credit card PAN stored in the database to be audited and recorded but more importantly you must ensure that only those users authorised to read credit card details can do so; or also that no one should be able to alter the credit card table structure. Lot's of things involving credit card tables that appear to be needed more regularly in my experience of working with various customers. OK, so you install a network sniffer based solution and go to the config for policies/rules or whatever its called and you highlight the name of the credit card table and generate the rules to trap access to it, data changes or structural changes. All fine and dandy or so it seems. Now you realise that the tool is sniffing SQL or PL/SQL statements out of network packets. OK, fine you think all access to the table CREDIT_CARD will be seen. Nope, fraid not.... you realise that the application is written partly in PL/SQL and that some of the PL/SQL actually makes the access or changes to the CREDIT_CARD table on the user behalf. This is where network sniffer based solutions fail as they will only see the PL/SQL procedurte or package call.

Sentrigo Hedgehog doesn't have this issue and its one the the reasons I really like it. Hedgehog is "attached" to the data or rather the commands that alter the data or the database. This is like the Oracle technology Virtual Private Database (VPD) is one sense. VPD was one of the technologies introduced by Oracle that I really liked. I really like the idea that the security rules in the case of VPD, policies, are attached to the data they are protecting. This means nothing gets past it, unless you let it of course. Hedgehog works in a similar way. In the example above as Hedgehog is reading the access, SQL, PL/SQL and everything else from the shared memory it's extremely fast (no SQL, no overheads, no effect on the database... and more) this means that it misses nothing. In the example above the PL/SQL call in question is seen by Hedgehog but so is any SQL or further PL/SQL that the original call uses.

I like Hedgehog because of the fact that its fast, slick, exciting and also because mostly for me the security is actually "with the data". This product has great promise.

Let's not be too unfair to the network based boys. They have of course in some cases come up with solutions to this issue. I have heard some examples as follows:

"We make a privileged connection to the database and we check the dependancies on each PL/SQL procedure call and from then on we know that the credit_card table is accessed"

This is not ideal, they promote network based solutions as being non-intrusive, as being network based...... you do the math.

Also i have heard that agents are deployed, this means in those cases that Hedgehog now has a massive advantage. Hedgehog is designed from the ground up to access the data not through the database and is host based and is fast. Any network based solution that requires and agent, SQL based? is slower and also removes their argument that there are no host based requirements.

One other good example I would like to give before we move on and look at the Hedgehog install is that you could take a different approach (the cheaper approach in some senses) and use Oracle's built in solutions such as core database audit or Fine Grained Audit (FGA). What happens when you want to audit actions against a core table such as USER$ that holds password hashes? - you cannot!, Oracle says, "cannot audit a warm start table".. also its not an IDS/IPS solution unless you build the rest of the infrastructure yourself.

I would also say that if we involve products such as Oracle's own Database vault, often championed by people as the ultimate Oracle security product we have to consider its true use which for me is to protect against conflicts of interest, often referred to as CoI and to provide Segregation of duties, again refered to as SoD. These are good uses for Database Vault but as Database Vault uses VPD at its core and as we know I like products where the security is attached to the data its protecting then conceveably we could also use Hedgehog to provide similar SoD and CoI functions without the complex license and product stack. Certainly its not as clean to terminate sessions from Hedgehog instead of VPD's neat way of altering SQL but we can think of ways of doing SoD and CoI using the rules of Hedgehog. It would be an interesting use for HedgeHog.

Hedgehog also has another great use/feature. This is its virtual patching technology. This comes into play when its not possible for a customer to apply a CPU quickly after its release. Hedgehog allows a technology called "virtual patching" to be used instead. Whilst I would never recommend replacing security patches with software such as Hedgehog completely its obvious to see the immense value of virtual patching where you cannot patch straight away or maybe cannot patch because you are stuck on an old version. The same issues apply as before with the networked solutions but for virtual patching. Other "players" use network based technolgies and the same strengths that Hedgehog brings with its insistance to be connected right to the data is obvious for the same reasons as discussed above.

OK, let's have a look at the product. There is an excellent 30 page pdf installation guide that should be read before installation but if you are like me, you will try and install first and resort to the guide to fix any issues that could have been avoided if you did read it..:-)

Sentrigo have cleverly thought of these lazy people smile like me and have provided two nice short but comprehensive video walk throughs of the install and also for creating customised rules. Here is a look at the installation tutorial:

Installation tutorial for Sentrigo Hedgehog

And the custom rules tutorial is here (BTW: click on the images to get a bigger image):

Hedgehog custom rules tutorial

I just wanted to include a quote here from the install guide as it will serve us well in assessing whether Sentrigo Hedgehog does what it says. The 30 page installation guide first content section reads:

"Hedgehog is an easy-to-deploy software solution that monitors the database and protects it from both internal and external threats.

Hedgehog provides full visibility into database user activity and can issue alerts or terminate suspicious activities based on pre-defined rules and custom rules."

Hedgehog is supported on a number of platforms and also supports SQL Server databases and Oracle databases from 8.1.7 and above. The product has two components, well three really. The server which can be installed on Windows or Linux/Unix and the sensors that attach to the database to actually provide the real time monitoring and functionallity. The third component is that you talk to the server via a browser.

The installation process starts with registering and downloading the software from the Sentrigo website, I have to say the registration is not onerous and is much simpler than some other products I have downloaded. One of the key advantages that I have not mentioned yet about Hedgehog is that if you downloaded the full enterprise solution the 14 day trial period once up doesnt freeze or lock out the software, it reverts to the free version. Yes, Sentrigo are the only company offering a free version of a database IDS/IPS solution, this is great news in its own right.

Download the software and then run the installer. On Windows this is a simple double click and then accept the security message from the OS:

Run The Hedgehog installer

. Then you can run the wizard:

Run the Hedgehog wizard

Next choose a username for the server and choose a strong password:

Set username

The next step is to choose the ports to communicate with the server and also for the sensors to communicate to and from the server. The server provides httsp and http connections to access the console:

Choose ports

OK, now its installing:

Hedgehog server installing

Once complete you should choose to run the server as the server guides you through installing the sensors:

Server Install Complete

. One slight issue I had was that the server was not accessible by default:

Hedgehog console not found

This was easily fixed as i remembered the tutorials suggestion to use for a local console on the server. works

The next step in the process to get Hedgehog up and running is to install the license:

Install License

License download

Upload license and login

. So now we have a running licensed server, the next step is to install one o more sensors. As I am using an Oracle database and Linux i chose that sensor. I could obviously install multiple sensors on multiple databases/servers (not Sentrigo servers). I particularly liked the install of the whole product as the sensor, install is easy, ftp the file, chmod it and then install / run it. The server then finds the sensor automatically and you need to accept it. The first step is to go to the install sensor page:

Install Hedgehog sensor

Next copy the sensor install file to the server. This is easy and i used WinSCP which is an excellent free product.

Copy the Hedgehog sensor

Follow all the instructions on the page and you should end up like this:

Sensor Installed

The next steps are to edit the cobnfig file on the server and change the IP address of the Sentrigo sensor and then finally start the sensor.

Edit config

Start Sensor

If you now go back to the console the sensor is automatically found but you need to approve it:

found the sensor

OK, its now installed. I have to say that the quote above was right, the install was very easy and it was particularly easy even if you don't read the installation guide as i intentionally didn't do. I like to find out how easy it is, it would also have been a valid test to follow the instructions I guess but it installed easily without needing them, this is a good sign for a peice of software. I also am reasonably sure i could have installed it without seeing the tutorials as well. Maybe someone else can let me know how easy it is without reading anything first.

The software on installation is slick and very easy to find your way around. There is a top menu bar for all the things you need, Alerts to see and deal with, databases and sensors, rules to change, include, set, create and of course normal security of the server and console and finally an array of reports that can be generated. Quite usefully and usually something missing from other products is the ability to report on the configuration/policies themselves. This is really useful as often you want to know what is set up and take it away in a document form.

There are two major groups of rules, these are the builtin or predefined rules and the second set are the custom rules that you can generate yourself. The pre-defined rules cover a lot of issues such as use of default users, evidence of assessment tools, a whole array of exploits both specific and generic. There are around 140 rules predefined and you can subscribe to get more in real time.

An interesting section of the software is the compliance page that provides wizards to allow hedgehog to be configured for PCI, SoX and SAS-70. This is really slick and easy to use.

Here is a look at the dashboard:

Hedgehog Dashboard

One of the most important aspects is the ability to create policy rules to your own internal needs. That is you can take your own policies/regulatory requirements and easily map them to Sentrigo policies and rules. The custom rules are created via a wizard and can be easily editied afterwards. There is a good tutoral as I mentioned at the beginning, comprehensive help and user manuals and also a customer portal including a nice array of downloadable documents and forums.

There is a large array of choices that can be used in the rules, such as time, ip address, host, object, basically you name it its probably there. You can also apply boolean logic to rules to combine them and also use regular expressions. The outcome of the rules is also controlled in that you can specify how its alerted (many types), the severity and also whether the session is terminated or also whether any other subsequent rules are checked. You can also use the advanced section to even run a SQL, PL/SQL script if necessary. I wanted to test the custom rules so i created a very simple one to test access to SCOTT.EMP just for illustration:

Create Custom Rule

New Rule

Finally select some data from SCOTT.EMP to test it!

Select from SCOTT.EMP

OK, this worked easily. Of course I could have created a much more complex rule and even rules dependant on multiple circumstances but I wanted to create something simple to show that once enabled it checks in real time and creates alerts:

Alerts Screen

So there it is, I am excited by this product which is why I agreed to be closer related to it in terms of selling it through my own company and also in terms of the advisory board position. The product is fast, slick, easy to use and can monitor activity in real time and if necessary act as an IPS and block access/activity. If anyone has any questions then please let me know, also please feel free to download a free 14 day trail copy of the enterprise edition and see how easy it would be configure and use in your own organisations.