tech talk - planning an infosphere guardium deployment part 1 (posted-v3)

7/23/2019 Tech Talk - Planning an InfoSphere Guardium Deployment Part 1 (Posted-V3)

http://slidepdf.com/reader/full/tech-talk-planning-an-infosphere-guardium-deployment-part-1-posted-v3 1/48

© 2011 IBM Corporation

Information Management

Planning an InfoSphere GuardiumDeployment – Part 1

Speakers: Boaz Barkai and Yosef Rozenblit





IBM InfoSphere Guardium Tech TalkJune 5, 2013

Logistics This tech talk is being recorded. If you object, please hang up and

leave the webcast now.

We’ll post a copy of slides and link to recording on the Guardium

community tech talk wiki page: http://ibm.co/Wh9x0o

You can listen to the tech talk using audiocast and ask questions inthe chat to the Q and A group.

We’ll try to answer questions in the chat or address them at

speaker’s discretion. – If we cannot answer your question, please do include your email

so we can get back to you.

When speaker pauses for questions: – We’ll go through existing questions in the chat





IBM InfoSphere Guardium Tech Talk

Reminder: Guardium Tech Talks

Link to more information about this and upcoming tech talks can be found on the InfoSpereGuardium developerWorks community: http://ibm.co/Wh9x0o

Please submit a comment on this page for ideas for tech talk topics.

Next tech talk: Planning an InfoSphere Guardium Deployment, Part 2:

Monitoring Setup and Guidelines

Speakers: Boaz Barkai and Yosef Rozenblit

Date &Time: Tuesday, July 16, 2013 at 11:30 AM Eastern

Register here: http://bit.ly/15hU7xz

June 5, 2013





TopicsPart 1

• What Guardium deployment is all about

• What teams need to be involved

• What architecture options and IT infrastructure requirements need to beconsidered

Part 2

• What business requirements and drivers need to be understood

• Monitoring deployment

• How to manage the solution post deployment






Product ComponentsTWO Products

DAM VA

TWODeployment

Options

•Basic

•Advanced

•Basic

•Advanced

Stand-alone Federated

TWOApplianceOptions

PhysicalAppliance

SoftwareAppliance

Vulnerability Assessment(VA)

Database vulnerabilityassessment, patch levels

analysis, configurationassessment, and

entitlement reporting

VA – BasicVulnerability Assessment,

Data ProtectionSubscription

VA – Advanced

Configuration AuditSystem

Entitlements Reporting

Data ActivityMonitoring (DAM)

Real-time activitymonitoring for data

compliance and datasecurity

DAM – Basic

Compliance DrivenNon-Intrusive,

Compliance Workflow,Reports, Alerts

DAM – Advanced

Security Driven

Blocking & Masking






Real-Time Database Security & MonitoringArchitecture

• Non-invasive

• No DBMS changes

•

Minimal impact• Does not rely on traditional DBMS-

resident logs that can easily be disabledby DBAs

• Heterogeneous Database Support

• Granular policies & monitoring• Who, what, when, how

• Real-time alerting

• Monitors all activities including localaccess by privileged users

• Prevention capabilities

Big Data Environments

DATA

InfoSphere BigInsights





Audit Data Flow Architecture –S-TAP Collector





Audit Data Flow Architecture -DB Server Collector Aggregator





Management Data Flow Architecture -All Appliances





Database Activity Monitoring (DAM) –Audit Levels

• Privileged User Audito Audit only specific users and ignore all other connections; the audited users should be a finite

list of non-applicative users (meaning – real people, and not application traffic); In this mode

S-TAP filters many of the sessions and only a small subset of the overall traffic is sent to theGuardium appliance (filtering is done on the session level by STAP)

• Sensitive Object Audit (a.k.a Selective Audit)o Audit only specific database activity; a finite list of sensitive objects and/or a finite list of SQL

commands (for example, only DDL commands); in this mode S-TAP sends all the traffic to thecollector and the collector needs to inspect all SQL statements and determine if it’s relevant ornot

• Comprehensive Audito Audit and log everything at least with the standard granularity (one hour), in this mode

customers may use ‘Log Full Details’ but this should be done selectively on a subset of thetraffic and not on the entire data.

– Note - Comprehensive with values, extrusion, or both is the most comprehensive loggingmode

10





Product Functionality Components-One Unified Platform /Solution

Database ActivityMonitoring (DAM)

SecurityVulnerabilityAssessment

Data Level

AccessControl

(DLAC)

EntitlementReporting

Discovery &Classification

Advanced Work

FlowAutomation

EnterpriseIntegrator

ChangeAudit

System





Implementation Approach (DAM - High Level)

Installation &Configuration

MonitoringSetup & Verification

AdditionalFunctionality Setup

Production Roll-Out

Test Cycle

Steady StateSteady State





Implementation Schedule – (Example)





Implementation Resourcing –Customer Team (Example)

Installation & ConfigurationResources

Project Manager

Guardium administrator(Guardium Solution Tech Lead)

DBA(Testing)

Database Server System Admin

(Agent Install)

Network Administrator(Review network impacts)

IT infrastructure(Appliance install, VM install)

Disk storage Admin

(Backup, Archive & Restore)

Monitoring Setup Resources

Project Manager

Guardium administrator(Tech Lead)

DBA(Traffic Verification)

Information Security

(Governance)

Auditors/Application Owners(Monitoring requirements)

Audit Process Reviewers(Review Guardium monitoring results)





1. Planning Session -Installation &Configuration

Analyze Requirements

Identify Databaseservers in scope

Discuss Data centers,locations and networkconsiderations

Discuss Installation ofthe appliances (process,

steps and requirements) Discuss Basic

configuration of theappliances

Discuss Deploymentplan of the Guardiumappliances

Discuss Installation ofthe S-TAP (process,steps and requirements)

Discuss Basicconfiguration of theSTAP

1. Planning Session -Installation &Configuration

Analyze Requirements

Identify Databaseservers in scope

Discuss Data centers,locations and networkconsiderations

Discuss Installation ofthe appliances (process,steps and requirements)

Discuss Basicconfiguration of theappliances

Discuss Deploymentplan of the Guardiumappliances

Discuss Installation of

the S-TAP (process,steps and requirements)

Discuss Basicconfiguration of theSTAP

2. ApplianceInstallation

Rack and connect

each Guardiumappliance to powerand network

Configure eachGuardium appliancewith BasicConfiguration

parameters. Verify systems are on

the network

(If applicable) Registerall Guardiumappliances to the“Central Manager”

Review and completebasic configuration ofeach appliance

Install “Ignore Session”Policy Rule

2. ApplianceInstallation

Rack and connect

each Guardiumappliance to powerand network

Configure eachGuardium appliancewith BasicConfigurationparameters.

Verify systems are onthe network

(If applicable) Registerall Guardiumappliances to the“Central Manager”

Review and completebasic configuration ofeach appliance

Install “Ignore Session”Policy Rule

3. GIM, S-TAP agentInstallation

Install GIM, S-TAP

agents on databaseservers

Verification that theGIM, S-TAP areregistered withcollector

Configure S-TAP

agents to capturetraffic.

Verify S-TAP traffic iscaptured by thecollector

3. GIM, S-TAP agentInstallation

Install GIM, S-TAP

agents on databaseservers

Verification that theGIM, S-TAP areregistered withcollector

Configure S-TAP

agents to capturetraffic.

Verify S-TAP traffic iscaptured by thecollector

4. OperationsSetup

Setup Aggregation

Setup Archiving Setup Purging

Setup SystemBackup

Self Monitoring Setup

4. OperationsSetup

Setup Aggregation

Setup Archiving Setup Purging

Setup SystemBackup

Self Monitoring Setup

Installation & Configuration Activities





Installation & configuration sessions are held with customers/project team prior todeployment. These sessions address all installation and configuration topics and involve allrelevant stakeholders. Outcome of meetings is deployment plan document, project plan andan understanding by resources tasks, responsibilities and technical details of the deployment.

•Pre RequisitesoInventory with list of database servers, DBMS types, OS types, Server locations, CPU/PVUin scope for the deployment

•Topics covered in session:oData center environments (Non-Prod, Prod)

oDeployment plan, timelines, milestones and phasesoInstallation of the appliances (process, steps and requirements)oBasic configuration of the appliancesoInstallation of the GIM & S-TAP agents (process, steps and requirements)oConfiguration of the GIM & S-TAP agentsoCentral Management functionality and setupoAggregation process and planoBackup, Archiving & Purging process and planoContingency planoDeployment plan, responsibilities, timelines and milestones

•OutcomeoDeployment Document & Project Plan

Installation & Configuration Planning Session





Appliance Deployment Consideration

17

Location (Where to locate the Appliance)

o Collector – should be placed in the same datacenter where the DB servers reside

o Aggregator – Can be placed anywhere as long as there is network connectivity with the collectors

o Central Manager – Can be placed anywhere as long as there is adequate network, usually located wheremost of the appliances or users reside. Network latency could affect performance

Configuration (Collector, Aggregator/Central manager)

o HW vs. Virtual appliance

o Management port configuration

• Single port (Single IP)

• Dual port (Dual IP)

• High Availability (Port bonding)

o Registration (Central management registration)

o Backup Archive options (Central management configuration distribution)

o Patching to latest GPU (Central management patch distribution)

o Redundant Power Supply (HW Appliance)

o Dual Raid Hard Drives (HW Appliance)

Sizing (How many appliances are required)

o Sizing Considerations – PVU/CPU, datacenter locations, database server location, aggregator to collectorratio, contingency and redundancy, with V9 you can always add/purchase additional appliances or installinstances if needed.

There are multipleoptions to consider but

it comes down to aFEW simple decisions





DB to Collector Sizing

Database Activity Monitoring Sizing Guide

Vulnerability Assessment Sizing Guide

InfoSphere Guardium V9.0 > InfoSphere Guardium > Installing > IBM InfoSphere Guardium Software ApplianceInstallation Guide > Step 1. Assemble the following before you begin





Collector to Aggregator Ratio

• Ratio of collector/aggregator is not dependent on number of collectorso Rule of thumb is 8/1 ratio which evolved to address a SAFER ratio which usually applies more to the mid

size and smaller customers.

• Primarily ratio considerationso Type of monitoring Amount of data capturedo On-line retention Length of time logged data is kept on-line on the aggregator

• Secondary ratio considerations may includeo Your internal needs. i.e. the need to separate aggregation based on security enclaves, applications ,

data centers, etc… (we will not consider this today)

• Conclusion if you are planning to only monitor privileged users/insiders and retain ~30 dayson-line you can calculate ratio like this:o Number of collectors * GByte per collector per day* days required for retention < aggregator database sizeo Example: 12 collectors * 0.5GB per-day * 30 days = 180 GB aggregator storage

Note: We do not recommend to MAX out the aggregator database (600GB disk ~ 300GB for database)





Collector to Aggregator Ratio (Continued)

• Keep in mind that customers that monitoring privileged users do not know up front what toexpect…

o (a) GRANULARITY of LOGGING is unknown (b) and their privileged user practices (weatheror not they include massive updates @ times to fix data that need to be logged)

oWe always start with a plan that includes a SAFE Ratio based on parameters discussed. Wealso do not recommend to MAX out the aggregator database (600GB disk ~ 300GB fordatabase) when planning ratio.

oAs we implement final monitoring setup & LEARN activity patterns we adjust retention periodsor RATIO.

• Another consideration is to increase the aggregator database size by expanding DB





Guardium Installation Manager (GIM)

• Install & upgrade agents and their configuration

Software Tap (S-TAP)

• Monitors database traffic

Discovery Agent• Discovers new database instances & configuration changes

Configuration Audit System (CAS)

• Track and alert on changes at the OS level (files, permissions, environment variables,

registry entries, etc.)

Guardium Agent Types





S-TAP new install

• DB instance and listener restart is required on Windows and AIX platforms to be able tomonitor all types of traffic.

• No DB instance restart is needed for any other platform.• No server reboot is needed for any platform.

S-TAP upgrade

• No DB instance restart or server reboot is needed for any platform (starting in v8.0)

S-TAP full uninstall• Server reboot is needed for all platforms to complete a full uninstall process (unloadkernel module / driver).

Other agents (GIM, Discovery, CAS) install/upgrade/uninstall• No DB instance restart or server reboot is needed for any platform.

Guardium Agents – Change Control





GIM & S-TAP Installation & Configuration Options

23

Guardium Install Manager (GIM)

• Recommended to always use GIM for S-tap deployment

• Point GIM agents to Central manager

(up to 3000 – can also point to other appliances)

Software Tap agent (S-TAP)

• Install Options

o Interactive , Silent , GIM (Preferred)

o Under root or Guardium user account

• Configuration Options

o Data Capture types- Local and/or Network, Exclude Traffic, Exclude Results

o Cluster Aware – Support migrating, floating, unavailable databases

o Prevention – Block activity or terminate connection

o Encryption – Communicate encrypted to collector (TLS)

o Basic – Send traffic to one collector (no failover)

o Failover – Send traffic to one collector and failover to one or more collectors as needed

o Load Balancing – Send traffic across multiple collectors

o GRID (Load balancer such as , f5 , Cisco, GSS….)

o Redundancy – Send traffic to more than one collector

There are multiple options

to consider but it comesdown to a FEW simple

decisions





1. Basic

4. Grid2. Failover

3. Load BalancingS-TAP configuration Options

24





Guardium Installation Manager (GIM)





Configuration Updates & Software Upgrade

Guardium Installation Manager (GIM) –(Continued)





Databases

S-TAPs

Collectors Central Manager&

Aggregators

3rd PartyArchivalStorage

Database Activity

Daily Archive & MonthlyBackups

System Backup 1st DAY OF MONTH 1st DAY OF MONTH

Configuration Backup N/A WEEKLY (CM only)

Export Data (Aggregation) DAILY N/A (unless 2nd level aggregation)

Import Data (Aggregation) NEVER DAILY

Archive Logged Data DAILY NEVER / AS NEEDED

Archive Audit Result Sets N/A DAILY

Purge Data DATA OLDER THAN14 days

DATA OLDER THAN30 days

Guidelines

Operations - Backup, Archiving & Purge





Operations - Process Scheduling - Illustration





Operations – Appliance ManagementConfiguration Distribution





31 IBM InfoSphere Guardium Tech Talk

Information, training, and community

InfoSphere Guardium YouTube Channel – includes overviews and technical demos

InfoSphere Guardium newsletter

developerWorks forum (very active)

Guardium DAM User Group on Linked-In (very active)

Community on developerWorks (includes content and links to a myriad of sources, articles,

etc)

Guardium Info Center (Installation, System Z S-TAPs and some how-tos, more to come) Technical training courses (classroom and self-paced)

New! InfoSphere Guardium Virtual User Group. Open,

technical discussions with other users.

Send a note to [email protected] if interested.






Reminder: Guardium Tech Talks

Link to more information about this and upcoming tech talks can be found on the InfoSpereGuardium developerWorks community: http://ibm.co/Wh9x0o

Please submit a comment on this page for ideas for tech talk topics.

Next tech talk: Planning an InfoSphere Guardium Deployment, Part 2:

Monitoring Setup and Guidelines Speakers: Boaz Barkai and Yosef Rozenblit

Date &Time: Tuesday, July 16, 2013 at 11:30 AM Eastern

Register here: http://bit.ly/15hU7xz





Thank You!





Additional Content





Self Monitoring





Solution Self Monitoring and Maintenance

• Monitor Guardium appliances availability through SNMP polling.• Utilize pre-built and custom alerts within Guardium to monitor different components of the

solution

o Inactive S-TAP alerto Enterprise no traffic alerto Disk space and Database disk space alertso Sniffer performance/restart alerto High CPU utilization alerto Processes (Export, Import, Archive, Backup) failure alert





Operations

Enterprise Dashboards





Central Management – Enterprise Buffer Usage





Central Management - Operational DashboardReal-time enterprise units utilization

39





Central Management - Operational DashboardReal-time enterprise units utilization

40





Central Management – Agents ManagementPredefined Reports

41





S-TAP/Monitoring Alert

Central Management – Agents ManagementPredefined Alerts

42





Central Management – Agents ManagementAgents installation and updates using GIM

43





Central Management – Agents ManagementAgents configuration using GIM

44

I f ti M t





Central Management – Appliance ManagementConfiguration Distribution






Thank You!

tech talk - planning an infosphere guardium deployment part 1 (posted-v3)

Documents