How to Evaluate
Pick the Right Tool for the Job
Evaluation Copy
Evaluation copies of IPLocks are available. Please email our sales support staff to obtain an evaluation copy. Please be sure to specify whether you are interested in Vulnerability Assessment, Security & Compliance, or both.
Evaluation Criteria for IPLocks Armour
The landscape for database Vulnerability Assessment runs the gamut from home-grown collections of DBA scripts to IPLocks, an enterprise product with coverage for a wide range of databases. The tables below describe key features that should be in your evaluation criteria.
Vulnerability Coverage

| Criterion | Description |
|---|---|
| Support for Multiple Databases | Most businesses use databases from multiple vendors. The most common enterprise databases are Oracle, Microsoft SQL Server, IBM DB2 and Sybase ASE. |
| Test for Default Accounts | Databases and business applications like SAP and PeopleSoft have default user accounts and passwords. Some default accounts have very high privilege levels that can severely compromise database security. |
| Penetration Tests | Users often create weak passwords. It is imperative to identify accounts with weak passwords so they can be replaced with stronger passwords. |
| Database Configuration Settings | Some database features, such as the ability to run external procedures, are a security risk. Test databases to identify whether any configuration poses a security risk, and decide whether that risk is necessary or the configuration should be changed. |
| Database Patch Levels | Database vendors periodically release patches that contain important bug fixes, many of which improve security. Maintaining correct patch levels is an important component of overall security. |
| Periodic Updates to Vulnerability Tests | New vulnerabilities are discovered regularly and new fix patches are released. It is important that vulnerability tests be updated periodically to keep current with these issues. Quarterly updates are good, since this is consistent with database vendor security updates. |
Automation

| Criterion | Description |
|---|---|
| Discover All Databases on a LAN/WAN | Before you can scan a database, you must know it exists, so the first step in a vulnerability assessment project is to find all your databases. Scanning for databases on a LAN is relatively easy: bandwidth is plentiful, response time is fast, and there are typically no intermediate firewalls or tunneling issues. The real test for database discovery is whether databases can reliably be discovered across different subnets and on a WAN. |
| Discover All Databases Using Irregular Ports | The major databases all have well-known port numbers, but if the discovery process only recognizes well-known ports, many databases may be missed. Products should support the ability to first scan on well-known ports, then scan on all ports to discover additional databases. |
| Schedule Database Vulnerability Scans | Businesses typically schedule database maintenance windows during odd hours so that maintenance has minimum impact on applications and users. Many DBAs will want to schedule vulnerability scans to occur within these pre-planned maintenance windows. Additionally, scans should be run periodically. Good scheduling tools will enable periodic scans to be scheduled for each database or type of database. For example, production databases may be scanned monthly, while development databases are scanned quarterly. |
| Support for Script-based Automation | Many IT tasks are automated with scripts. Vulnerability assessment tools should support the preferred work methods of DBAs, whether those are application or script based. |
Customization

| Criterion | Description |
|---|---|
| Edit Pre-Packaged Policies | Many vulnerability assessment tools provide pre-defined policies with pre-defined severity levels and remediation recommendations. Many companies have strict internal policies about database changes which are inconsistent with vendor-supplied policies. It is critical that companies can selectively turn policies on or off, edit severity levels, and supplement remediation recommendations. |
| Create Policies from Scratch | Pre-packaged policies are good, but every business has unique requirements that cannot be anticipated by software vendors. Custom policies enable businesses to meet their needs without relying on vendor-provided product changes or expensive professional services. |
| Multiple Report Output Options (PDF, CSV, HTML) | Multiple output options help meet differing business requirements. While PDF reports are good for management review and sign-off, they aren't very useful for importing into other applications. It is important that VA tools support different options to meet all your business needs. |
| Customers Can 'Brand' Reports | Besides producing more professional-looking reports, branding, by placement of corporate icons and business unit identification, is useful for internal and external audit processes. For service providers, branded reports are a necessity to keep your name in front of the client's eye. |
| Customers Can Create New Reports from Scratch | Like policies, pre-packaged reports are good, but again, every business has unique requirements that cannot be anticipated by software vendors. Custom reports enable businesses to meet their needs without relying on the vendor. |
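As an added illustration of what the "Edit Pre-Packaged Policies" and "Create Policies from Scratch" criteria mean in practice (example code written for this page, not IPLocks code): a minimal policy engine of the kind a database vulnerability assessment tool runs over collected inventory data. It ships checks for default accounts, passwords equal to the username, and the external-procedure setting mentioned under Vulnerability Coverage, lets a site switch a policy off, re-rate a severity and supplement remediation text without touching the vendor set, and accepts a policy written from scratch. The policy ids, the sample database inventory and the account records are all constructed for the example; no database is contacted.

```python
"""Added example (not IPLocks code): a small, customizable policy engine
over collected database inventory data. All sample data is constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed sample of what an assessment tool might collect from one
# database: account attributes and configuration flags (no real credentials).
SAMPLE_DB = {
    "name": "hr-prod-01",
    "accounts": [
        {"user": "appadmin", "default_account": False, "password_matches_username": False, "privileged": True},
        {"user": "scott",    "default_account": True,  "password_matches_username": True,  "privileged": False},
        {"user": "sa",       "default_account": True,  "password_matches_username": False, "privileged": True},
    ],
    "config": {"external_procedures_enabled": True, "remote_os_authentication": False},
}

@dataclass
class Policy:
    id: str
    title: str
    severity: str                       # "low", "medium" or "high"
    check: Callable[[dict], List[str]]  # returns one message per violation found
    remediation: str
    enabled: bool = True

@dataclass
class Finding:
    policy_id: str
    severity: str
    message: str
    remediation: str

# Checks behind the "pre-packaged" policies (constructed policy ids).
def default_accounts(db):
    return [f"default account '{a['user']}' still exists" for a in db["accounts"] if a["default_account"]]

def weak_passwords(db):
    return [f"'{a['user']}' has a password equal to its username" for a in db["accounts"] if a["password_matches_username"]]

def external_procedures(db):
    return ["external procedure execution is enabled"] if db["config"]["external_procedures_enabled"] else []

PREPACKAGED: Dict[str, Policy] = {p.id: p for p in [
    Policy("DEF-001", "Default accounts present", "high", default_accounts, "Lock or remove vendor default accounts."),
    Policy("PWD-001", "Password equals username", "high", weak_passwords, "Force a password change at next login."),
    Policy("CFG-001", "External procedures enabled", "medium", external_procedures, "Disable unless a documented business need exists."),
]}

def customize(policies, disable=(), severity_overrides=None, extra_remediation=None, custom=()):
    """Return a copy of the vendor policy set adjusted to local policy: some
    policies switched off, severities re-rated, remediation text supplemented,
    and site-specific policies added. The vendor set itself is left untouched."""
    out = {pid: Policy(**vars(p)) for pid, p in policies.items()}
    for pid in disable:
        out[pid].enabled = False
    for pid, sev in (severity_overrides or {}).items():
        out[pid].severity = sev
    for pid, text in (extra_remediation or {}).items():
        out[pid].remediation += " " + text
    for p in custom:
        out[p.id] = p
    return out

def assess(db, policies):
    """Run every enabled policy against one database and collect findings."""
    findings = []
    for p in policies.values():
        if not p.enabled:
            continue
        for msg in p.check(db):
            findings.append(Finding(p.id, p.severity, msg, p.remediation))
    return findings

def severity_counts(findings):
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts

# A policy written from scratch: privileged accounts must never be vendor defaults.
def privileged_defaults(db):
    return [f"privileged default account '{a['user']}'" for a in db["accounts"] if a["default_account"] and a["privileged"]]

SITE_POLICIES = customize(
    PREPACKAGED,
    disable=["PWD-001"],                     # this site checks password strength elsewhere
    severity_overrides={"CFG-001": "high"},  # this site rates external procedures as high
    extra_remediation={"DEF-001": "Raise a change ticket before locking the account."},
    custom=[Policy("SITE-001", "Privileged default account", "high", privileged_defaults, "Rename or disable the account.")],
)

if __name__ == "__main__":
    site_findings = assess(SAMPLE_DB, SITE_POLICIES)
    for f in site_findings:
        print(f"[{f.severity}] {f.policy_id}: {f.message} -> {f.remediation}")
    print(severity_counts(site_findings))
```

Against the constructed sample, the vendor set yields four findings (three high, one medium); the site set also yields four, but all rated high, with the password check silent and the site's own privileged-default policy flagging `sa`. Because `customize` copies the vendor policies, a later vendor update can replace `PREPACKAGED` without losing the local adjustments, which is the property the criterion is really asking for.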
Enterprise Compatibility

| Criterion | Description |
|---|---|
| Import Lists of Databases | DBAs often maintain lists of databases for use with script-based processes. The ability to import lists is a big time-saver. |
| Fast Scans | No one wants to wait all day for results. When you have a large number of databases, fast scans are even more critical. If scans take too long, it may be impossible to test all databases in the timeframe required. Scans, even across a WAN, should take no more than five (5) minutes. |
| Trend Reports | Each scan provides a point-in-time analysis of your databases, but how can you tell if things are better or worse? With trend reports. Trend reports show whether security is being maintained, improved, or worsened over time. They can also help pinpoint specific areas of concern, like a new version. |
| Web Application with Browser-based Access | A web application is incredibly convenient. The two main benefits are that only one deployment has to be maintained, which means one list of databases, one list of policies and one place for reports, and that users can access the vulnerability assessment application from anywhere, whether at their desk or through the company VPN. |
| Agent-less Deployment | Agent-based solutions have two major drawbacks. First, they can be a pain to deploy and maintain, since the agent has to be distributed to every server you want to check. Second, agents compromise the very thing they are supposed to help: security. Agents compromise security because they need open ports for communication and are subject to attack as well. |
| Scale to Large Number of Servers | Large organizations may have tens of thousands of databases. Critical or confidential data may be in any one of them. Centralized vulnerability assessment enables analysis and reporting on all servers to provide a complete picture of database security. |
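As an added illustration of the "Trend Reports" criterion above (example code written for this page, not IPLocks code): turning a series of point-in-time scan results into a trend. Each scan is treated as a set of findings keyed by (database, policy id) with a severity; the report gives per-scan severity counts and a weighted risk score, says whether the score improved or worsened since the previous scan, and lists which findings were newly introduced or resolved, which is what lets you pinpoint where a regression came from. The scan history, database names, policy ids and severity weights are all constructed for the example.

```python
"""Added example (not IPLocks code): a trend report over successive scan
results. All scan data below is constructed."""
from collections import Counter

# Constructed weights; a real tool would make these part of the editable policy set.
SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 10}

# Constructed scan history, oldest first. A finding is identified by
# (database, policy id) so it can be matched from one scan to the next.
SCANS = [
    ("2024-01-01", {("hr-prod-01", "DEF-001"): "high", ("hr-prod-01", "CFG-001"): "medium",
                    ("fin-prod-02", "PWD-001"): "high"}),
    ("2024-02-01", {("hr-prod-01", "CFG-001"): "medium", ("fin-prod-02", "PWD-001"): "high",
                    ("fin-prod-02", "PATCH-001"): "medium"}),
    ("2024-03-01", {("fin-prod-02", "PATCH-001"): "medium", ("dev-03", "DEF-001"): "high"}),
]

def severity_counts(findings):
    c = Counter(findings.values())
    return {"high": c["high"], "medium": c["medium"], "low": c["low"]}

def risk_score(findings):
    return sum(SEVERITY_WEIGHT[sev] for sev in findings.values())

def diff_scans(previous, current):
    """Findings present now but not before (new) and before but not now (resolved)."""
    new = {k: v for k, v in current.items() if k not in previous}
    resolved = {k: v for k, v in previous.items() if k not in current}
    return new, resolved

def top_policies(findings):
    """Policy ids ordered by how much of the current score they account for,
    to point at the area of concern rather than just the total."""
    weight = Counter()
    for (_, policy_id), sev in findings.items():
        weight[policy_id] += SEVERITY_WEIGHT[sev]
    return weight.most_common()

def trend_report(scans):
    rows, prev = [], None
    for date, findings in scans:
        if prev is None:
            new, resolved, direction = {}, {}, "baseline"
        else:
            new, resolved = diff_scans(prev, findings)
            before, after = risk_score(prev), risk_score(findings)
            direction = "improved" if after < before else "worsened" if after > before else "unchanged"
        rows.append({
            "date": date,
            "counts": severity_counts(findings),
            "score": risk_score(findings),
            "direction": direction,
            "new": sorted(new),
            "resolved": sorted(resolved),
            "top_policies": top_policies(findings),
        })
        prev = findings
    return rows

if __name__ == "__main__":
    for row in trend_report(SCANS):
        print(f"{row['date']}  score={row['score']:3d}  {row['direction']:9s}  "
              f"high={row['counts']['high']} medium={row['counts']['medium']}  "
              f"new={row['new']} resolved={row['resolved']}")
```

On the constructed history the score falls from 23 to 16 to 13, so both later scans read "improved", yet the third scan still shows a new high finding on `dev-03`; the new/resolved lists are what surface that, which a falling total on its own would hide.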