
8.0 DB Security & Compliance Administration

 Lesson 1: Server and Service Discovery
 Lesson 2: Database Auditing
 Lesson 3: Agents and External Sources
 Lesson 4: Data Discovery & Classification
 Lesson 5: Audit Policies
 Lesson 6: Managing Audit Data
 Lesson 7: Vulnerability Assessment
 Lesson 8: Risk Evaluation Management & Mitigation
 Lesson 9: Database Profiling
 Lesson 10: Database Security
 Lesson 11: Agents Monitoring Rules
 Lesson 12: Enrichment
 Lesson 13: Tuning
 Lesson 14: User Rights Management
 Lesson 15: Universal User Tracking
Lesson 11:
Agents Monitoring Rules
Lesson 11: Objectives

 Confirm an Agent is installed and registered to the Gateway by viewing the Agents workbench
 Create a new Agent Monitoring Rule and apply it to an Agent
 Configure the rule to exclude specific items from monitoring by adding match criteria for Source/Destination IP/Port, Process details, and time of day
 Configure an Agent to block traffic
Agents Architecture
Recall: Agent Goals

 Complete audit coverage
 Close gaps in network audit
 Minimize database performance impact
 Scalability
 Management
 Network congestion
 Security
 Balance needs
 Sniffing mode agent rules
 Inline mode agent rules
Components of Complete Coverage

 Host-based Agents
 Local mode: Lightweight agent intercepts local database activity
 Inter-Process Communication (IPC):
 Bequeath, shared memory, named pipes,…
 TCP loopback
 Global mode: intercepts network traffic from physical NICs
 Forwards intercepted data back out to the Gateway
 Network-based Gateway
 Analysis of events captured by agents
 Offloads processing effort by the agent from the database OS
 Agent only does light-weight processing
 Limited agent-side protocol parsing
Agent Monitoring Rules

 Challenge
 Smart Agents have the potential to consume resources on the database host
 Solution: use Agent monitoring rules selectively
 Monitoring Rules
 Define the information that an agent sends back to the Gateways
 Reduces network congestion caused by Global Agents
 Improve Agent and Gateway performance
 Reduces unnecessary data in SecureSphere
 Excludes trusted sessions based on defined criteria
 Blocking
 Agent terminates connection if blocking required
Agent Monitoring Rules
Enhanced Agent-Based Rules

 Challenge
 Smart Agents increase resource demand on the database host
 … big problem for DBAs
 … big problem for application owners
 Solution
 Simple attributes analyzed by the Agent directly
 Low resource demand
 Networking frame header
 IP
 Port
 Process name
 Backup script
 Advanced attributes analyzed by the Gateway
 Session sent to the Gateway until the decision is returned
Agent Monitoring Rules: Configuration Steps

1. Create Global Object “Agent Monitoring Rule”
2. Exclude from Monitoring
3. Define Match Criteria
 Criteria named “Agent…” = local processing (evaluated by the Agent on the database host)
 All others = Gateway processing (the session is forwarded until the Gateway decides)
4. Apply to
 Supported ability is indicated next to the Agent name
5. Save
Settings Tab

 Notice Monitoring Rules can also be applied from the Agent configuration Settings tab
 Enable Blocking
 Off by default
 Initial Modes: Inline / Sniffing
 *WARNING* Block Inline Connection On Timeout: decides whether a held inline session is terminated (fails closed) when the Gateway does not answer within the timeout, rather than released
Exclusion Architecture

Flow (diagram): DB session starts → Agent evaluates its own match criteria; on a match the session is dropped locally → otherwise the Agent forwards data to the Gateway → Gateway evaluates the GW match criteria → on a match: Ignore Session; otherwise the data continues to be processed
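The two-stage decision above (Agent-side criteria first, Gateway-side criteria only for sessions that have to be forwarded), modelled as an added example. This is not SecureSphere code: the rule fields, the AND-matching of criteria and the choice of which criterion is "advanced" (the database user, which needs protocol parsing the Agent does not do) are assumptions; the sample rules and sessions are constructed.

```python
"""Model of where an Agent Monitoring Rule (exclusion) is evaluated.

Added example, not SecureSphere code. Simple attributes from the frame header
or the process table (IP, port, process name, time of day) are decided on the
database host; the database user is decided by the Gateway, so such a session
is forwarded until the Gateway returns its decision.
"""
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Session:
    src_ip: str
    dst_port: int
    process: str                     # OS process on the DB host, e.g. a backup tool
    started: time                    # local time of day the session started
    db_user: Optional[str] = None    # known only once the Gateway parses the login


def in_window(t: time, start: time, end: time) -> bool:
    """True if t lies in [start, end); windows may cross midnight (22:00-03:00)."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end


@dataclass
class MonitoringRule:
    """Exclude-from-monitoring rule: every criterion that is set must match."""
    name: str
    src_net: Optional[str] = None                  # CIDR, Agent-side
    dst_port: Optional[int] = None                 # Agent-side
    process: Optional[str] = None                  # Agent-side
    window: Optional[Tuple[time, time]] = None     # Agent-side
    db_user: Optional[str] = None                  # Gateway-side (needs parsing)

    def needs_gateway(self) -> bool:
        return self.db_user is not None

    def agent_part_matches(self, s: Session) -> bool:
        """The criteria the Agent can check locally from header and process table."""
        if self.src_net and ip_address(s.src_ip) not in ip_network(self.src_net):
            return False
        if self.dst_port is not None and s.dst_port != self.dst_port:
            return False
        if self.process and s.process != self.process:
            return False
        if self.window and not in_window(s.started, *self.window):
            return False
        return True

    def matches(self, s: Session) -> bool:
        if not self.agent_part_matches(s):
            return False
        return self.db_user is None or s.db_user == self.db_user


def decide(rules: List[MonitoringRule], s: Session) -> Tuple[str, Optional[str]]:
    """Return (where, rule_name). where is 'agent' when the exclusion was decided
    on the host without forwarding anything, 'gateway' when the session had to
    be sent to the Gateway; rule_name is None when the session stays monitored."""
    for r in rules:
        if not r.needs_gateway() and r.matches(s):
            return "agent", r.name
    # Anything left is forwarded; the Gateway has parsed the login by now.
    for r in rules:
        if r.needs_gateway() and r.matches(s):
            return "gateway", r.name
    return "gateway", None


# Constructed sample rules (hypothetical, not real SecureSphere objects).
RULES = [
    MonitoringRule("nightly-backup", src_net="10.0.0.0/24", process="rman",
                   window=(time(22, 0), time(3, 0))),
    MonitoringRule("trusted-app-reader", src_net="10.0.1.0/24", dst_port=1521,
                   db_user="app_ro"),
]


def demo():
    """Constructed sessions run through the rules; returns name -> decision."""
    backup = Session("10.0.0.5", 1521, "rman", time(23, 30))
    late_backup = Session("10.0.0.5", 1521, "rman", time(4, 0))
    app = Session("10.0.1.9", 1521, "java", time(12, 0), db_user="app_ro")
    dba = Session("10.0.1.9", 1521, "sqlplus", time(12, 0), db_user="sys")
    return {name: decide(RULES, s) for name, s in
            [("backup", backup), ("late_backup", late_backup),
             ("app", app), ("dba", dba)]}


def window_checks():
    """Edge cases for the time-of-day criterion, including a midnight crossing."""
    night = (time(22, 0), time(3, 0))
    return (in_window(time(1, 0), *night), in_window(time(3, 0), *night),
            in_window(time(9, 0), time(8, 0), time(17, 0)))


if __name__ == "__main__":
    for name, (where, rule) in demo().items():
        print(f"{name:12s} decided at {where:7s} -> {rule or 'monitored'}")
```

The point to take from the ordering in `decide`: a rule that only uses Agent-side criteria saves both host CPU and Gateway bandwidth, because the backup session is dropped before any data leaves the host, whereas a rule keyed on the database user still costs the forwarding of the login exchange. A time window that crosses midnight is the usual place such rules go wrong, hence the explicit handling in `in_window`.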
New Feature: OS User Chaining

 Remote Agent monitors database activity by local users
 Identity changes tracked as “bob-alice-charlie”
 Use in security, data enrichment and audit policies
 Not available for Windows database servers
Agent Session Blocking
Local Blocking

 Why?
 Complete the security options
 Need the option available
 Not often implemented
 Challenges
 Agent performance
 Not a mini-Gateway
 Need configuration options
 Global-mode limitation
 Physical NIC monitored by pcap
 No “direct” blocking ability
 Blocking relies on the MX “Followed Action” (session RST)
Local Blocking: Solution

 Gateway analyzes the traffic from the Agent
 Uses the regular security policies already enabled/applied to the Site
 Gateway tells the Agent to block if a violation occurs
 Agent terminates the session on a block request
 2 operational modes
 Similar to the Gateway
 Inline
 Traffic is delayed until approved by the Gateway
 Ensures blocking accuracy and timeliness
 Sniffing
 Traffic passes anyway, blocking is done after the fact
 Ensures minimal latency experienced
Blocking Architecture: Sniffing

Flow (diagram): DB session starts → Agent passes data to the database and forwards a copy to the Gateway → GW analysis → Block → Agent terminates the session (after the data has already been delivered)
Blocking Architecture: Inline

Flow (diagram): DB session starts → Agent holds traffic and sends data to the Gateway → OK → Agent releases traffic → Agent holds the next data and sends it to the Gateway → Block → session terminated (the held traffic never reaches the database)
Agent Monitoring Rules

 Problems
 Inline introduces significant latency
 Sniffing can miss the malicious traffic
 Solution
 Decide per session
 Agent monitoring rules
 Move a session to inline / sniffing
 Variety of attributes
 Agent default mode
 Ease of management
 Enable blocking per Agent
Rules and Settings
Blocking Examples

 Default Connection Mode: Sniffing
 Privileged users monitoring
 Take a close look at DBAs
 Do not delay application traffic
 Solution #1
 Default = sniffing
 For specific database users (DBAs) move to inline mode
 Latency for DBAs only after the login has been processed by the Gateway
 No latency for non-DBA users

 Default Connection Mode: Inline
 Privileged users monitoring
 Take a close look at DBAs
 More critical than application delay
 Solution #2
 Default = inline
 For most users (non-DBAs) move to sniffing mode
 Early latency for all users (until the Gateway identifies the user)
 Guarantees security is applied to DBAs: no race condition
Agent Monitoring Rules: Sniffing by Default

Flow (diagram): DB session starts → data passes in sniffing mode while the Gateway asks “Is the user a DBA?” → yes: move to inline → Agent holds traffic, sends data to the Gateway → OK → release traffic → Agent holds the next data → Block → session terminated
Agent Monitoring Rules: Inline by Default

Flow (diagram): DB session starts → Agent holds traffic, sends data to the Gateway → OK → release traffic → Agent holds the next data → OK → release traffic → Gateway identifies a non-DBA user: move to sniffing → remaining data passes without being held
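The blocking architectures (sniffing vs inline) and the two per-session examples above, as an added simulation. This is not SecureSphere code: the message flow (Agent holds or forwards traffic, Gateway answers OK/Block, Agent terminates the session) follows the slides, while the security policy, the set of privileged accounts, the rule representation and the convention of counting each held statement as one unit of latency are assumptions; the statements are constructed.

```python
"""Simulation of Agent session blocking in sniffing vs inline mode, including
per-session Agent monitoring rules that move only DBA sessions to inline
(Solution #1) or only non-DBA sessions to sniffing (Solution #2).

Added example, not SecureSphere code. The database user is learned from the
login, so the login itself always runs in the Agent's default mode.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

DBA_USERS = {"sys", "dba_bob"}          # assumed privileged accounts


@dataclass
class Statement:
    sql: str
    violates: bool      # what the Gateway's security policy would flag


@dataclass
class Outcome:
    executed: List[str] = field(default_factory=list)   # reached the database
    terminated: bool = False
    held: int = 0       # statements delayed waiting for a Gateway verdict


# A mode rule is (predicate on the DB user, mode to move the session to).
ModeRule = Tuple[Callable[[str], bool], str]
DBA_TO_INLINE: List[ModeRule] = [(lambda u: u in DBA_USERS, "inline")]
NON_DBA_TO_SNIFFING: List[ModeRule] = [(lambda u: u not in DBA_USERS, "sniffing")]


def gateway_verdict(stmt: Statement) -> str:
    """Stand-in for the Gateway applying the Site's security policies."""
    return "block" if stmt.violates else "ok"


def resolve_mode(db_user: str, default: str, rules: List[ModeRule]) -> str:
    """First matching rule wins; otherwise the Agent's default mode applies."""
    for predicate, mode in rules:
        if predicate(db_user):
            return mode
    return default


def run_session(db_user: str, statements: List[Statement],
                default: str, rules: List[ModeRule]) -> Outcome:
    out = Outcome()
    mode = default                      # user not yet known at login time
    for i, stmt in enumerate(statements):
        if mode == "inline":
            out.held += 1               # traffic held until the Gateway answers
            if gateway_verdict(stmt) == "block":
                out.terminated = True   # held traffic never reaches the DB
                break
            out.executed.append(stmt.sql)
        else:                           # sniffing: release first, verdict later
            out.executed.append(stmt.sql)
            if gateway_verdict(stmt) == "block":
                out.terminated = True   # RST after the statement already ran
                break
        if i == 0:                      # login parsed: the Gateway knows the user
            mode = resolve_mode(db_user, default, rules)
    return out


# Constructed statements; the DROP is what the policy blocks.
LOGIN = Statement("login", False)
DROP = Statement("DROP TABLE payroll", True)
SELECT = Statement("SELECT * FROM orders", False)


def demo():
    """A DBA session that turns malicious and a normal application session,
    run under plain sniffing, Solution #1 and Solution #2."""
    dba = [LOGIN, DROP]
    app = [LOGIN, SELECT, SELECT]
    return {
        "sniffing_only_dba": run_session("sys", dba, "sniffing", []),
        "sol1_dba": run_session("sys", dba, "sniffing", DBA_TO_INLINE),
        "sol1_app": run_session("app", app, "sniffing", DBA_TO_INLINE),
        "sol2_dba": run_session("sys", dba, "inline", NON_DBA_TO_SNIFFING),
        "sol2_app": run_session("app", app, "inline", NON_DBA_TO_SNIFFING),
    }


if __name__ == "__main__":
    for name, o in demo().items():
        print(f"{name:18s} executed={o.executed} held={o.held} "
              f"terminated={o.terminated}")
```

The simulation makes the slide's trade-off concrete: under plain sniffing the DROP is executed and only then is the session reset (the race condition), Solution #1 keeps application users at zero held statements but lets the DBA's login through unheld, and Solution #2 holds every session's login (one unit of latency for everyone) in exchange for never letting a DBA statement run unchecked.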
How to Make Blocking Work

1. Regular Security Policy: Block
 Build and apply normal Gateway security policies to Site objects
 Set the server group in active mode
 Configure a “Followed Action” if you need to block “Global” external traffic
2. Install Agents v7.5 or higher
3. Enable blocking on the Agent
4. Set inline mode (optional)
 Agent default mode
 Agent monitoring rules
Questions?
