Planning an InfoSphere Guardium Deployment, Part 1
Speakers: Boaz Barkai and Yosef Rozenblit

Information Management

2011 IBM Corporation

Logistics
• This tech talk is being recorded. If you object, please hang up and leave the webcast now.
• We'll post a copy of the slides and a link to the recording on the Guardium community tech talk wiki page: http://ibm.co/Wh9x0o
• You can listen to the tech talk using the audiocast and ask questions in the chat to the Q and A group.
• We'll try to answer questions in the chat or address them at the speaker's discretion. If we cannot answer your question, please include your email so we can get back to you.
• When the speaker pauses for questions, we'll go through the existing questions in the chat.

June 5, 2013

IBM InfoSphere Guardium Tech Talk


Reminder: Guardium Tech Talks

Next tech talk: Planning an InfoSphere Guardium Deployment, Part 2: Monitoring Setup and Guidelines
Speakers: Boaz Barkai and Yosef Rozenblit
Date & Time: Tuesday, July 16, 2013 at 11:30 AM Eastern
Register here: http://bit.ly/15hU7xz

• A link to more information about this and upcoming tech talks can be found on the InfoSphere Guardium developerWorks community: http://ibm.co/Wh9x0o
• Please submit a comment on this page with ideas for tech talk topics.


Topics

Part 1
• What Guardium deployment is all about
• What teams need to be involved
• What architecture options and IT infrastructure requirements need to be considered

Part 2
• What business requirements and drivers need to be understood
• Monitoring deployment
• How to manage the solution post deployment


Product Components

TWO Products
• Data Activity Monitoring (DAM): real-time activity monitoring for data compliance and data security
  o DAM Basic (Compliance Driven): Non-Intrusive, Compliance Workflow, Reports, Alerts
  o DAM Advanced (Security Driven): Blocking & Masking
• Vulnerability Assessment (VA): database vulnerability assessment, patch levels analysis, configuration assessment, and entitlement reporting
  o VA Basic: Vulnerability Assessment, Data Protection Subscription
  o VA Advanced: Configuration Audit System, Entitlements Reporting

TWO Deployment Options
• Stand-alone
• Federated

TWO Appliance Options
• Physical Appliance
• Software Appliance

Real-Time Database Security & Monitoring Architecture

• Non-invasive
  o No DBMS changes
  o Minimal impact
  o Does not rely on traditional DBMS-resident logs that can easily be disabled by DBAs
• Heterogeneous Database Support
• Granular policies & monitoring
  o Who, what, when, how
  o Real-time alerting
  o Monitors all activities including local access by privileged users
  o Prevention capabilities
• Big Data Environments
  o InfoSphere BigInsights

Audit Data Flow Architecture: S-TAP → Collector


Audit Data Flow Architecture: DB Server → Collector → Aggregator


Management Data Flow Architecture: All Appliances


Database Activity Monitoring (DAM): Audit Levels

Privileged User Audit
o Audit only specific users and ignore all other connections. The audited users should be a finite list of non-applicative users (real people, not application traffic). In this mode S-TAP filters many of the sessions and only a small subset of the overall traffic is sent to the Guardium appliance (filtering is done at the session level by S-TAP).

Sensitive Object Audit (a.k.a. Selective Audit)
o Audit only specific database activity: a finite list of sensitive objects and/or a finite list of SQL commands (for example, only DDL commands). In this mode S-TAP sends all the traffic to the collector, and the collector must inspect every SQL statement to determine whether it is relevant.

Comprehensive Audit
o Audit and log everything, at least with the standard granularity (one hour). In this mode customers may use Log Full Details, but this should be done selectively on a subset of the traffic and not on the entire data set.
Note: Comprehensive with values, extrusion, or both is the most comprehensive logging mode.


Product Functionality Components - One Unified Platform / Solution

• Data Level Access Control (DLAC)
• Discovery & Classification
• Security Vulnerability Assessment
• Entitlement Reporting
• Database Activity Monitoring (DAM)
• Enterprise Integrator
• Change Audit System
• Advanced Work Flow Automation


Implementation Approach (DAM - High Level)

1. Installation & Configuration
2. Monitoring Setup & Verification
3. Additional Functionality Setup
4. Test Cycle
5. Production Roll-Out
6. Steady State


Implementation Schedule (Example)


Implementation Resourcing - Customer Team (Example)

Installation & Configuration Resources
• Project Manager
• Guardium administrator (Guardium Solution Tech Lead)
• DBA (Testing)
• Database Server System Admin (Agent Install)
• Network Administrator (Review network impacts)
• IT infrastructure (Appliance install, VM install)
• Disk storage Admin (Backup, Archive & Restore)

Monitoring Setup Resources
• Project Manager
• Guardium administrator (Tech Lead)
• DBA (Traffic Verification)
• Information Security (Governance)
• Auditors/Application Owners (Monitoring requirements)
• Audit Process Reviewers (Review Guardium monitoring results)


Installation & Configuration Activities

1. Planning Session - Installation & Configuration
• Analyze Requirements
• Identify Database servers in scope
• Discuss Data centers, locations and network considerations
• Discuss Installation of the appliances (process, steps and requirements)
• Discuss Basic configuration of the appliances
• Discuss Deployment plan of the Guardium appliances
• Discuss Installation of the S-TAP (process, steps and requirements)
• Discuss Basic configuration of the S-TAP

2. Appliance Installation
• Rack and connect each Guardium appliance to power and network
• Configure each Guardium appliance with Basic Configuration parameters
• Verify systems are on the network
• (If applicable) Register all Guardium appliances to the Central Manager
• Review and complete basic configuration of each appliance
• Install Ignore Session Policy Rule

3. GIM, S-TAP agent Installation
• Install GIM, S-TAP agents on database servers
• Verification that the GIM, S-TAP are registered with collector
• Configure S-TAP agents to capture traffic
• Verify S-TAP traffic is captured by the collector

4. Operations Setup
• Setup Aggregation
• Setup Archiving
• Setup Purging
• Setup System Backup
• Self Monitoring Setup


Installation & Configuration Planning Session

Installation & configuration sessions are held with the customer/project team prior to deployment. These sessions address all installation and configuration topics and involve all relevant stakeholders. The outcome of the meetings is a deployment plan document, a project plan, and an understanding by the assigned resources of their tasks, responsibilities and the technical details of the deployment.

Prerequisites
o Inventory with the list of database servers, DBMS types, OS types, server locations and CPU/PVU in scope for the deployment

Topics covered in the session:
o Data center environments (Non-Prod, Prod)
o Deployment plan, timelines, milestones and phases
o Installation of the appliances (process, steps and requirements)
o Basic configuration of the appliances
o Installation of the GIM & S-TAP agents (process, steps and requirements)
o Configuration of the GIM & S-TAP agents
o Central Management functionality and setup
o Aggregation process and plan
o Backup, Archiving & Purging process and plan
o Contingency plan
o Deployment plan, responsibilities, timelines and milestones

Outcome
o Deployment Document & Project Plan


Appliance Deployment Considerations

There are multiple options to consider, but it comes down to a FEW simple decisions.

Location (where to locate the appliance)
o Collector: should be placed in the same data center where the DB servers reside
o Aggregator: can be placed anywhere as long as there is network connectivity with the collectors
o Central Manager: can be placed anywhere as long as there is adequate network, usually located where most of the appliances or users reside. Network latency could affect performance.

Configuration (Collector, Aggregator/Central Manager)
o HW vs. Virtual appliance
o Management port configuration
  - Single port (Single IP)
  - Dual port (Dual IP)
  - High Availability (Port bonding)
o Registration (Central management registration)
o Backup Archive options (Central management configuration distribution)
o Patching to latest GPU (Central management patch distribution)
o Redundant Power Supply (HW Appliance)
o Dual RAID Hard Drives (HW Appliance)

Sizing (how many appliances are required)
o Sizing considerations: PVU/CPU, data center locations, database server location, aggregator-to-collector ratio, contingency and redundancy. With V9 you can always add/purchase additional appliances or install instances if needed.

DB to Collector Sizing
• Database Activity Monitoring Sizing Guide
• Vulnerability Assessment Sizing Guide

Reference: InfoSphere Guardium V9.0 > InfoSphere Guardium > Installing > IBM InfoSphere Guardium Software Appliance Installation Guide > Step 1. Assemble the following before you begin

Collector to Aggregator Ratio

The collector/aggregator ratio is not dependent on the number of collectors.
o The rule of thumb is an 8/1 ratio, which evolved to address a SAFER ratio and usually applies more to mid-size and smaller customers.

Primary ratio considerations
o Type of monitoring: the amount of data captured
o On-line retention: the length of time logged data is kept on-line on the aggregator

Secondary ratio considerations may include
o Your internal needs, i.e. the need to separate aggregation based on security enclaves, applications, data centers, etc. (we will not consider this today)

Conclusion: if you are planning to only monitor privileged users/insiders and retain ~30 days on-line, you can calculate the ratio like this:
o Number of collectors * GB per collector per day * days required for retention < aggregator database size
o Example: 12 collectors * 0.5 GB per day * 30 days = 180 GB aggregator storage

Note: We do not recommend MAXing out the aggregator database (600 GB disk ~ 300 GB for database).
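The sizing rule above as a small planning calculator. This is an added example, not code from the talk or the Guardium product: it applies collectors * GB per collector per day * retention days against the usable aggregator database, keeps headroom so the database is not maxed out (the 80% factor is an assumption standing in for the slide's advice; the 300 GB usable database on a 600 GB disk is the slide's own figure), flags fleets over the 8/1 rule of thumb, and also solves for the longest retention the same aggregator could hold.

```python
"""Aggregator sizing helper for the collector-to-aggregator ratio rule.

Formula from the slide:
    collectors * GB per collector per day * retention days < aggregator DB size
USABLE_DB_GB and SAFE_RATIO are the slide's figures; HEADROOM is an assumed
planning factor standing in for "do not MAX out the aggregator database".
"""
from dataclasses import dataclass

USABLE_DB_GB = 300.0   # ~300 GB database on a 600 GB aggregator disk (slide)
HEADROOM = 0.80        # assumed: plan to fill at most 80% of the database
SAFE_RATIO = 8         # rule-of-thumb collectors per aggregator (slide)


@dataclass
class SizingResult:
    collectors: int
    required_gb: float       # storage the plan needs on the aggregator
    budget_gb: float         # usable database size after headroom
    fits: bool               # required_gb <= budget_gb
    exceeds_safe_ratio: bool # more collectors than the 8/1 rule of thumb
    max_retention_days: int  # longest retention this daily volume allows


def size_aggregator(gb_per_collector_day, retention_days,
                    usable_db_gb=USABLE_DB_GB, headroom=HEADROOM):
    """Check whether the collectors' daily volume fits one aggregator.

    gb_per_collector_day: one estimated GB/day entry per collector, because
    a privileged-user-only collector and a comprehensive-audit collector
    produce very different volumes and should not share one average.
    """
    if retention_days <= 0 or not gb_per_collector_day:
        raise ValueError("need at least one collector and a positive retention")
    daily_total = sum(gb_per_collector_day)
    required = daily_total * retention_days
    budget = usable_db_gb * headroom
    max_days = int(budget // daily_total) if daily_total > 0 else 0
    return SizingResult(
        collectors=len(gb_per_collector_day),
        required_gb=required,
        budget_gb=budget,
        fits=required <= budget,
        exceeds_safe_ratio=len(gb_per_collector_day) > SAFE_RATIO,
        max_retention_days=max_days,
    )


def slide_example():
    """The slide's worked case: 12 collectors * 0.5 GB/day * 30 days = 180 GB."""
    return size_aggregator([0.5] * 12, 30)


if __name__ == "__main__":
    r = slide_example()
    print(f"{r.collectors} collectors need {r.required_gb:.0f} GB of a "
          f"{r.budget_gb:.0f} GB budget; fits={r.fits}, "
          f"over 8/1 rule={r.exceeds_safe_ratio}, "
          f"max retention={r.max_retention_days} days")
```

The slide's case fits (180 GB against a 240 GB budget) but is over the 8/1 rule of thumb, which is exactly the situation where the "adjust retention or ratio after learning the traffic" advice on the next slide applies.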


Collector to Aggregator Ratio (Continued)

Keep in mind that customers who monitor privileged users do not know up front what to expect:
o (a) the GRANULARITY of LOGGING is unknown, and (b) so are their privileged user practices (whether or not they include massive updates at times to fix data, which need to be logged)
o We always start with a plan that includes a SAFE ratio based on the parameters discussed. We also do not recommend MAXing out the aggregator database (600 GB disk ~ 300 GB for database) when planning the ratio.
o As we implement the final monitoring setup and LEARN the activity patterns, we adjust retention periods or the RATIO.
Another consideration is to increase the aggregator database size by expanding the DB.


Guardium Agent Types

Guardium Installation Manager (GIM): Install & upgrade agents and their configuration
Software Tap (S-TAP): Monitors database traffic
Discovery Agent: Discovers new database instances & configuration changes
Configuration Audit System (CAS): Track and alert on changes at the OS level (files, permissions, environment variables, registry entries, etc.)


Guardium Agents Change Control

S-TAP new install
o DB instance and listener restart is required on Windows and AIX platforms to be able to monitor all types of traffic.
o No DB instance restart is needed for any other platform.
o No server reboot is needed for any platform.
S-TAP upgrade
o No DB instance restart or server reboot is needed for any platform (starting in v8.0).
S-TAP full uninstall
o Server reboot is needed for all platforms to complete a full uninstall process (unload kernel module / driver).
Other agents (GIM, Discovery, CAS) install/upgrade/uninstall
o No DB instance restart or server reboot is needed for any platform.


GIM & S-TAP Installation & Configuration Options

There are multiple options to consider, but it comes down to a FEW simple decisions.

Guardium Installation Manager (GIM)
o Recommended to always use GIM for S-TAP deployment
o Point GIM agents to the Central Manager (up to 3000; they can also point to other appliances)

Software Tap agent (S-TAP)
Install Options
o Interactive, Silent, GIM (Preferred)
o Under root or Guardium user account
Configuration Options
o Data Capture types: Local and/or Network, Exclude Traffic, Exclude Results
o Cluster Aware: support migrating, floating, unavailable databases
o Prevention: block activity or terminate connection
o Encryption: communicate encrypted to collector (TLS)
o Basic: send traffic to one collector (no failover)
o Failover: send traffic to one collector and fail over to one or more collectors as needed
o Load Balancing: send traffic across multiple collectors
o GRID: load balancer such as F5, Cisco, GSS
o Redundancy: send traffic to more than one collector


S-TAP Configuration Options

1. Basic
2. Failover
3. Load Balancing
4. Grid


Guardium Installation Manager (GIM)


Guardium Installation Manager (GIM) (Continued)

Configuration Updates & Software Upgrade


Operations - Backup, Archiving & Purge


Databases

Collectors

Central Manager
&
Aggregators

3rd Party
Archival
Storage

S-TAPs

Database Activity
Daily Archive & Monthly
Backups

Guidelines

System Backup

Configuration Backup

Export Data (Aggregation)

1st DAY OF MONTH


N/A

1st DAY OF MONTH

WEEKLY (CM only)

Import Data (Aggregation)

DAILY

NEVER

N/A (unless 2nd level aggregation)

Archive Logged Data

DAILY

NEVER / AS NEEDED

DATA OLDER THAN


14 days

DATA OLDER THAN


30 days

Archive Audit Result Sets


Purge Data

N/A

DAILY

DAILY


Operations - Process Scheduling - Illustration


Operations - Appliance Management

Configuration Distribution


Information, training, and community

• InfoSphere Guardium YouTube Channel: includes overviews and technical demos
• InfoSphere Guardium newsletter
• developerWorks forum (very active)
• Guardium DAM User Group on LinkedIn (very active)
• Community on developerWorks (includes content and links to a myriad of sources, articles, etc.)
• Guardium Info Center (Installation, System z S-TAPs and some how-tos, more to come)
• Technical training courses (classroom and self-paced)

New! InfoSphere Guardium Virtual User Group: open, technical discussions with other users. Send a note to bamealm@us.ibm.com if interested.



Thank You!


Additional Content


Self Monitoring


Solution Self Monitoring and Maintenance

• Monitor Guardium appliance availability through SNMP polling.
• Utilize pre-built and custom alerts within Guardium to monitor the different components of the solution:
o Inactive S-TAP alert
o Enterprise no traffic alert
o Disk space and Database disk space alerts
o Sniffer performance/restart alert
o High CPU utilization alert
o Processes (Export, Import, Archive, Backup) failure alert


Operations - Enterprise Dashboards


Central Management - Enterprise Buffer Usage


Central Management - Operational Dashboard

Real-time enterprise units utilization


Central Management - Agents Management

Predefined Reports


Central Management - Agents Management

Predefined Alerts: S-TAP/Monitoring Alert


Central Management - Agents Management

Agents installation and updates using GIM


Central Management - Agents Management

Agents configuration using GIM


Central Management - Appliance Management

Configuration Distribution


Operations - Appliance Management

Configuration Distribution
