Course outline
Lesson 1: Server and Service Discovery
Lesson 2: Database Auditing
Lesson 3: Agents and External Sources
Lesson 4: Data Discovery & Classification
Lesson 5: Audit Policies
Lesson 6: Managing Audit Data
Lesson 7: Vulnerability Assessment
Lesson 8: Risk Evaluation Management & Mitigation
Lesson 9: Database Profiling
Lesson 10: Database Security
Lesson 11: Agents Monitoring Rules
Lesson 12: Enrichment
Lesson 13: Tuning
Lesson 14: User Rights Management
Lesson 15: Universal User Tracking
Lesson 11: Agents Monitoring Rules

Lesson 11: Objectives
Host-based Agents
- Local mode: a lightweight agent intercepts local database activity
  - Inter-Process Communication (IPC): Bequeath, shared memory, named pipes, ...
  - TCP loopback
- Global mode: intercepts network traffic from physical NICs
- Forwards intercepted data back out to the Gateway

Network-based Gateway
- Analysis of events captured by agents
- Offloads processing effort from the agent on the database OS
- Agent only does lightweight processing
- Limited agent-side protocol parsing
Agent Monitoring Rules
Challenge:
- Smart Agents have the potential for consuming resources on the database
Solution: use Agent monitoring rules selectively

Monitoring Rules:
- Define the information that an agent sends back to the Gateways
- Reduce network congestion caused by Global Agents
- Improve Agent and Gateway performance
- Reduce unnecessary data in SecureSphere
- Exclude trusted sessions based on defined criteria

Blocking:
- Agent terminates the connection if blocking is required
Agent Monitoring Rules: Enhanced Agent-Based Rules
Challenge:
- Smart Agents increase resource demand on the database host
  - ... big problem for DBAs
  - ... big problem for application owners

Solution:
- Simple attributes are analyzed by the Agent directly (low resource demand):
  - Networking frame header
  - IP
  - Port
  - Process name (e.g. backup script)
- Advanced attributes are analyzed by the Gateway:
  - Session sent to Gateway until a decision is returned
Agent Monitoring Rules: Configuration Steps
- Notice: Monitoring Rules can also be applied from the Agent configuration Settings tab
- Enable Blocking: off by default
- Initial Modes: Inline / Sniffing
- *WARNING* Block Inline Connection On Timeout
Exclusion Architecture (flow)
DB Session Starts -> Agent (Match Criteria): match -> Ignore Session; no match -> Agent Data sent to Gateway
Gateway (GW Match Criteria): match -> Ignore Session; no match -> Data
New Feature: OS User Chaining
Why?
- Complete the security options
- Need the option available
- Not often implemented

Challenges:
- Agent performance
  - Not a mini-Gateway
  - Need configuration options
- Global-mode limitation
  - Physical NIC monitored by pcap
  - No “direct” blocking ability
  - MX Followed Action: session RST
Local Blocking: Solution (flow)
DB Session Starts -> Agent -> Data -> Gateway (GW Analysis) -> Block -> Agent: Session Terminated
Blocking Architecture: Inline (flow)
DB Session Starts -> Agent: Hold traffic -> Data -> Gateway -> OK -> Agent: Release traffic

Problems:
- Inline introduces significant latency
- Sniffing can miss the malicious traffic

Solution:
- Decide per session
  - Agent monitoring rules
  - Move a session to inline / sniffing
  - Variety of attributes
- Agent default mode
  - Ease of management
  - Enable blocking per Agent
  - Rules and Settings
Blocking Examples (flow)
DB Session Starts -> Data (sniffing) -> Agent Data -> Gateway: Is the user a DBA? -> Move to inline
Next statement: Agent: Hold traffic -> Data -> Gateway -> OK -> Release traffic
Next statement: Agent: Hold traffic -> Data -> Gateway -> Block -> Session Terminated
Agent Monitoring Rules: Inline by Default (flow)
DB Session Starts -> Agent: Hold traffic -> Data -> Gateway -> OK -> Release traffic
Agent: Hold traffic -> Data -> Gateway -> OK -> Release traffic; Gateway: Non-DBA user -> Move to sniffing
Subsequent Data, Data, Data pass through the Agent without being held
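The exclusion and per-session blocking flows on these slides, as an added simulation (not Imperva code; the rule values, user names and the DROP TABLE policy are constructed). It shows why a sniffing-mode block arrives only after the statement has already reached the database, while an inline hold can stop it:

```python
# Added simulation of agent monitoring rules (not Imperva code): the agent checks
# simple attributes locally, the Gateway decides advanced ones and returns verdicts.
from dataclasses import dataclass, field

@dataclass
class Session:
    client_ip: str
    port: int
    process: str
    db_user: str                  # advanced attribute: needs protocol parsing (Gateway)
    mode: str = "sniffing"
    trace: list = field(default_factory=list)

# Agent-side exclusions on simple attributes only (constructed values).
AGENT_EXCLUSIONS = [{"process": "backup.sh"}, {"client_ip": "10.0.0.5", "port": 1521}]
DBA_USERS = {"sys", "dba_admin"}  # Gateway rule: DBA sessions are moved inline
BLOCKED_PREFIX = "DROP TABLE"     # Gateway policy: block destructive statements

def agent_excludes(s: Session) -> bool:
    """Cheap local match; an excluded session is never sent to the Gateway."""
    return any(all(getattr(s, k) == v for k, v in r.items()) for r in AGENT_EXCLUSIONS)

def gateway_mode(s: Session) -> str:
    """Advanced attribute decided by the Gateway: DBAs inline, everyone else sniffing."""
    return "inline" if s.db_user in DBA_USERS else "sniffing"

def gateway_verdict(stmt: str) -> str:
    return "block" if stmt.upper().startswith(BLOCKED_PREFIX) else "ok"

def run_session(s: Session, statements: list) -> Session:
    """Replays the slide flows: exclusion, per-session mode, hold/release or pass-through."""
    if agent_excludes(s):
        s.trace.append("ignore session")
        return s
    s.mode = gateway_mode(s)      # first data always goes to the Gateway for the decision
    s.trace.append(f"move to {s.mode}")
    for stmt in statements:
        if s.mode == "inline":
            s.trace.append("hold traffic")
            if gateway_verdict(stmt) == "block":
                s.trace += ["block", "session terminated"]        # never reaches the DB
                return s
            s.trace.append("release traffic")
        else:
            s.trace.append("delivered")                            # sniffing: already at the DB
            if gateway_verdict(stmt) == "block":
                s.trace += ["late block", "session terminated"]   # statement was not stopped
                return s
    return s
```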
How to Make Blocking Work