
InfoSphere™ Optim™ & Guardium® Technology Ecosystem

InfoSphere™ Guardium® Technical Training

S-GATE

Information Management

© 2011 IBM Corporation



Agenda

■ What is S-GATE?
■ S-GATE Modes
■ S-GATE Configuration
■ S-GATE Actions
■ Using S-GATE Actions in Security Rules
■ Functionality Considerations


What is S-GATE?

■ Data may be leaked using privileged user accounts or compromised application user accounts → Rogue connections need to be terminated
■ S-GATE provides database protection via S-TAP
■ Provides extra layer of protection for sensitive information
■ S-GATE is a separately licensed option
■ Termination actions are only available as part of S-GATE
■ S-GATE has two activity modes:
– Open Mode
– Closed Mode (S-TAP Firewall Mode)


Open Mode
■ S-TAP passes requests to the database server without any delay.
■ In this mode latency is not expected.
■ If a terminate action is triggered, the triggering request usually will not be blocked, but additional requests from that session will be.
■ Suitable for limiting potential leaks through application user accounts.

[Diagram: Application User, Data Server (S-TAP, K-TAP, A-TAP, DBMS) and Collector, with flow steps 1, 2a, 2b, 3a, 3b, 4a, 4b]


Closed Mode (S-TAP Firewalling)


■ S-TAP holds the database responses and waits for a verdict on each request before releasing its response.
■ In this mode latency is expected.
■ Assures that rogue requests will be blocked.
■ Suitable for monitoring privileged users as latency is not a concern.

[Diagram: Privileged User, Data Server (S-TAP, K-TAP, A-TAP, DBMS) and Collector, with flow steps 1 to 7]


S-GATE Configuration

■ Configured through guard_tap.ini configuration file or Guardium GUI
■ firewall_installed=1: Indicates that the S-GATE is installed
■ firewall_default_state=0: This specifies whether the S-GATE starts in open (0) or closed (1) mode
■ firewall_timeout=xx: Sets the timeout period before the S-GATE assumes that the collector has failed (value in seconds)
■ firewall_fail_close=0: If the S-GATE times out, this specifies whether the S-GATE should kill the connection or let it through
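
An added example (not part of the original slides or of Guardium itself): a small audit of the four S-GATE keys above as they would appear in guard_tap.ini text. It assumes, which the slide does not state, that firewall_fail_close=1 kills the connection on timeout and 0 lets it through; the sample inputs are constructed.

```python
# Added example: audit the four S-GATE keys from this slide in guard_tap.ini text.
# Assumption (not stated on the slide): firewall_fail_close=1 kills the
# connection on collector timeout and 0 lets it through.

SGATE_KEYS = ("firewall_installed", "firewall_default_state",
              "firewall_timeout", "firewall_fail_close")

def parse_ini(text):
    """Collect key=value pairs; skip blanks, comments and [section] headers."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip().lower()] = value.strip()
    return values

def audit_sgate(text):
    """Return a list of findings for the S-GATE settings (empty list = none)."""
    cfg = parse_ini(text)
    findings = [f"{key}: missing" for key in SGATE_KEYS if key not in cfg]
    if cfg.get("firewall_installed") != "1":
        findings.append("firewall_installed: S-GATE not enabled, "
                        "termination actions unavailable")
        return findings
    closed = cfg.get("firewall_default_state") == "1"
    if "firewall_timeout" in cfg and not cfg["firewall_timeout"].isdigit():
        findings.append("firewall_timeout: must be a number of seconds")
    if cfg.get("firewall_fail_close", "0") != "1":
        scope = "closed-mode" if closed else "attached"
        findings.append(f"firewall_fail_close: {scope} sessions are let "
                        "through if the collector times out")
    return findings

# Constructed sample inputs (not taken from a real system).
FAIL_OPEN = """\
firewall_installed=1
firewall_default_state=1
firewall_timeout=10
firewall_fail_close=0
"""
FAIL_CLOSED = FAIL_OPEN.replace("firewall_fail_close=0", "firewall_fail_close=1")

if __name__ == "__main__":
    for name, sample in (("fail-open", FAIL_OPEN), ("fail-closed", FAIL_CLOSED)):
        print(name, audit_sgate(sample) or "no findings")
```

With closed mode as the default, the first sample still releases held sessions whenever the collector stops answering within firewall_timeout, which is the case the audit flags.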


S-GATE Actions

■ S-GATE ATTACH
– Intended for use in open mode
– Starts firewalling for the session
– Latency will be observed

■ S-GATE TERMINATE
– Drops the reply of the request, which will terminate the session
– Has effect only when the session is attached or in closed mode by default

■ S-GATE DETACH
– Intended for use in closed mode
– Stops firewalling for the session
– No more latency will be observed

■ S-TAP TERMINATE
– Instructs S-TAP to terminate the session
– The triggering request will not be blocked (unless session is attached), but this prevents additional requests from that session.
– Behaves the same as S-GATE TERMINATE if the session is in closed mode


Using S-GATE Actions in Security Rules

■ All sessions start in the default mode
➔ Open Mode or Closed Mode

■ The mode can be changed for each session
➔ S-GATE ATTACH or S-GATE DETACH

■ The session will be terminated if it makes a request that triggers a rule with termination action
➔ S-GATE TERMINATE, S-TAP TERMINATE


Using S-GATE Actions in Security Rules

■ Default open mode assumes all sessions are safe. No delay is observed by default.
– S-TAP TERMINATE is used if an exception occurs or if sensitive data is extruded. For example, if numbers matching a credit card pattern are being extracted, then S-TAP TERMINATE is applied to the session.
– S-GATE ATTACH is used if the session shows signs of rogue behavior. For example, if the session is connected past working hours, then S-GATE ATTACH is applied and the session is in closed mode. The session will observe delays and is ready for S-GATE TERMINATE.
– S-GATE TERMINATE is used to terminate the session if more severe violations occur after S-GATE ATTACH was applied. For example, if sensitive customer information is accessed, then S-GATE TERMINATE is applied to the session.

■ Default closed mode assumes all sessions are rogue. Delay is observed by default.
– S-GATE DETACH is used when a session is deemed to be safe. For example, if the database session user is part of the trusted users group, then S-GATE DETACH is applied to the session. Open mode scenarios will apply from this point on.
– S-GATE TERMINATE can be applied without S-GATE ATTACH since sessions are already in closed mode. The above S-GATE TERMINATE scenario is applicable.
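
An added example (not part of the original slides and not Guardium code): a toy model of one session that replays the rule actions described on the S-GATE Actions and Security Rules slides, to show which requests pass and which are blocked in each default mode. The class, function and scenario names are hypothetical, and the open-mode "usually will not be blocked" case is modelled as always passing.

```python
# Added example: toy model of per-session S-GATE behaviour as the slides describe it.
from dataclasses import dataclass

OPEN, CLOSED = "open", "closed"

@dataclass
class Session:
    mode: str                 # configured default mode: OPEN or CLOSED
    terminated: bool = False

    def request(self, action=None):
        """Handle one request; `action` is the rule action it triggers, if any."""
        if self.terminated:
            return "blocked"             # later requests from a terminated session
        if action == "S-GATE ATTACH":
            self.mode = CLOSED           # firewalling (and latency) starts here
        elif action == "S-GATE DETACH":
            self.mode = OPEN             # firewalling stops
        elif action == "S-GATE TERMINATE" and self.mode == CLOSED:
            self.terminated = True       # reply dropped; no effect in open mode
            return "blocked"
        elif action == "S-TAP TERMINATE":
            self.terminated = True
            if self.mode == CLOSED:      # behaves like S-GATE TERMINATE
                return "blocked"
        return "passed"                  # open mode: triggering request gets through

def replay(default_mode, actions):
    """Run a fresh session through a list of triggered actions (None = no rule hit)."""
    session = Session(default_mode)
    return [session.request(a) for a in actions]

# Constructed scenarios that follow the examples on the slide.
SCENARIOS = {
    "open: card numbers extracted": (OPEN, [None, "S-TAP TERMINATE", None]),
    "open: S-GATE TERMINATE without ATTACH": (OPEN, ["S-GATE TERMINATE", None]),
    "open: after-hours ATTACH, then customer data":
        (OPEN, ["S-GATE ATTACH", "S-GATE TERMINATE", None]),
    "closed: trusted user DETACH": (CLOSED, ["S-GATE DETACH", "S-TAP TERMINATE", None]),
    "closed: direct S-GATE TERMINATE": (CLOSED, [None, "S-GATE TERMINATE"]),
}

if __name__ == "__main__":
    for name, (mode, actions) in SCENARIOS.items():
        print(f"{name}: {replay(mode, actions)}")
```

The second scenario is the one to check in a rule set: an S-GATE TERMINATE rule on a session that is still in open mode blocks nothing.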

Functionality Considerations

Supported Rules and Actions

S-TAP TERMINATE S-GATE TERMINATE

Access Rule

Exception Rule

Extrusion Rule

Rules support multiple actions


Questions?
imte.optim.guardium@ca.ibm.com


S-TAP and S-GATE Terminate – Lab
