
InfoSphere™ Optim™ & Guardium® Technology Ecosystem

InfoSphere™ Guardium® Technical Training

S-GATE

Information Management

© 2011 IBM Corporation

Agenda

■ What is S-GATE?
■ S-GATE Modes
■ S-GATE Configuration
■ S-GATE Actions
■ Using S-GATE Actions in Security Rules
■ Functionality Considerations

What is S-GATE?

■ Data may be leaked using privileged user accounts or compromised application user accounts → Rogue connections need to be terminated
■ S-GATE provides database protection via S-TAP
■ Provides extra layer of protection for sensitive information
■ S-GATE is a separately licensed option
■ Termination actions are only available as part of S-GATE
■ S-GATE has two activity modes:
– Open Mode
– Closed Mode (S-TAP Firewall Mode)

Open Mode

■ S-TAP passes requests to the database server without any delay.
■ In this mode latency is not expected.
■ If a terminate action is triggered, the triggering request usually will not be blocked, but additional requests from that session will be.
■ Suitable for limiting potential leaks through application user accounts.

[Diagram: Application User, Collector, Data Server (S-TAP, K-TAP, A-TAP, DBMS); flow steps 1, 2a, 2b, 3a, 3b, 4a, 4b]

Closed Mode (S-TAP Firewalling)

■ S-TAP holds the database responses and waits for a verdict on each request before releasing its response.
■ In this mode latency is expected.
■ Assures that rogue requests will be blocked.
■ Suitable for monitoring privileged users as latency is not a concern.

[Diagram: Privileged User, Collector, Data Server (S-TAP, K-TAP, A-TAP, DBMS); flow steps 1 to 7]

S-GATE Configuration

Configured through guard_tap.ini configuration file or Guardium GUI

■ firewall_installed=1: Indicates that the S-GATE is installed
■ firewall_default_state=0: This specifies whether the S-GATE starts in open (0) or closed (1) mode
■ firewall_timeout=xx: Sets the timeout period before the S-GATE assumes that the collector has failed (value in seconds)
■ firewall_fail_close=0: If the S-GATE times out, this specifies whether the S-GATE should kill the connection or let it through
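The four parameters above jointly decide what happens to a session when the collector stops answering. The following check is an added example, not IBM code: it reads the keys from a guard_tap.ini fragment and reports the resulting posture. The `[TAP]` section name, the defaults used for missing keys, and the reading of `firewall_fail_close` (1 = kill the connection on timeout, 0 = let it through) are assumptions; the function name and sample values are constructed.

```python
import configparser

# Constructed sample; the [TAP] section name is an assumption.
SAMPLE_INI = """[TAP]
firewall_installed=1
firewall_default_state=1
firewall_timeout=10
firewall_fail_close=0
"""

def sgate_posture(ini_text, section="TAP"):
    """Return the effective S-GATE posture and any review findings."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    tap = cp[section]
    posture = {"installed": tap.getint("firewall_installed", fallback=0) == 1,
               "findings": []}
    if not posture["installed"]:
        posture["findings"].append("S-GATE not installed")
        return posture
    closed = tap.getint("firewall_default_state", fallback=0) == 1
    fail_close = tap.getint("firewall_fail_close", fallback=0) == 1
    timeout = tap.getint("firewall_timeout", fallback=None)
    posture["default_mode"] = "closed" if closed else "open"
    posture["latency_expected"] = closed
    # Assumption: 1 = kill the connection on timeout, 0 = let it through.
    posture["on_collector_timeout"] = "kill" if fail_close else "pass"
    if timeout is None or timeout <= 0:
        posture["findings"].append("firewall_timeout missing or not positive")
    if closed and not fail_close:
        posture["findings"].append(
            "closed mode fails open: requests pass unjudged if the collector times out")
    if not closed:
        posture["findings"].append(
            "open mode: sessions are firewalled only after a rule applies S-GATE ATTACH")
    return posture

if __name__ == "__main__":
    print(sgate_posture(SAMPLE_INI))
```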


S-GATE Actions

■ S-GATE ATTACH
– Intended for use in open mode
– Starts firewalling for the session
– Latency will be observed
■ S-GATE TERMINATE
– Drops the reply of the request, which will terminate the session
– Has effect only when the session is attached or in closed mode by default
■ S-GATE DETACH
– Intended for use in closed mode
– Stops firewalling for the session
– No more latency will be observed
■ S-TAP TERMINATE
– Instructs S-TAP to terminate the session
– The triggering request will not be blocked (unless session is attached), but this prevents additional requests from that session.
– Behaves the same as S-GATE TERMINATE if the session is in closed mode

Information Management Using S-GATE Actions in Security Rules  All sessions start in the default mode ➔ Open Mode or Closed Mode ■ The mode can be changed for each session ➔ S-GATE ATTACH or S-GATE DETACH ■ The session will be terminated if it makes a request that triggers a rule with termination action ➔ S-GATE TERMINATE. S-TAP TERMINATE 9 © 2011 IBM Corporation .

Using S-GATE Actions in Security Rules

■ Default open mode assumes all sessions are safe. No delay observed by default.
– S-TAP TERMINATE is used if an exception occurs or if sensitive data is extruded. For example, if numbers matching a credit card pattern are being extracted, then S-TAP TERMINATE is applied to the session.
– S-GATE ATTACH is used if the session shows signs of rogue behavior. For example, if the session is connected past working hours, then S-GATE ATTACH is applied and the session is in closed mode. The session will observe delays and is ready for S-GATE TERMINATE.
– S-GATE TERMINATE is used to terminate the session if more severe violations occur after S-GATE ATTACH was applied. For example, if sensitive customer information is accessed, then S-GATE TERMINATE is applied to the session.
■ Default closed mode assumes all sessions are rogue. Delay observed by default.
– S-GATE DETACH is used when a session is deemed to be safe. For example, if the database session user is part of the trusted users groups, then S-GATE DETACH is applied to the session. Open mode scenarios will apply from this point on.
– S-GATE TERMINATE can be applied without S-GATE ATTACH since sessions are already in closed mode. The above S-GATE TERMINATE scenario is applicable.
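The interaction between default mode and rule actions is easiest to check as a small state machine. The model below is an added example, not Guardium code: it replays the slide's scenarios and reports, per request, whether the reply was released, blocked, or refused because the session was already terminated. All names are hypothetical, and it assumes S-GATE ATTACH takes effect from the request after the one that triggers it.

```python
from dataclasses import dataclass

OPEN, CLOSED = 0, 1  # same encoding as firewall_default_state

@dataclass
class Session:
    firewalled: bool          # True: S-TAP holds each reply until a verdict arrives
    terminated: bool = False

    def request(self, actions=()):
        """Apply the rule actions one request triggers.
        Returns 'released', 'blocked' (reply dropped) or 'refused' (session dead)."""
        if self.terminated:
            return "refused"
        held = self.firewalled  # only a held reply can still be dropped
        outcome = "released"
        for action in actions:  # rules support multiple actions
            if action == "S-GATE ATTACH":
                self.firewalled = True      # assumed to apply from the next request
            elif action == "S-GATE DETACH":
                self.firewalled = False
            elif action == "S-GATE TERMINATE" and held:
                outcome, self.terminated = "blocked", True
            elif action == "S-TAP TERMINATE":
                self.terminated = True      # later requests are refused
                if held:                    # behaves like S-GATE TERMINATE
                    outcome = "blocked"
        return outcome

def run(default_state, script):
    """Replay a list of per-request action lists against a new session."""
    session = Session(firewalled=(default_state == CLOSED))
    return [session.request(actions) for actions in script]

# Constructed scenarios mirroring the slide's examples.
CARD_EXTRUSION = [["S-TAP TERMINATE"], []]
AFTER_HOURS = [["S-GATE ATTACH"], ["S-GATE TERMINATE"], []]
NOT_ATTACHED = [["S-GATE TERMINATE"], []]
TRUSTED_USER = [["S-GATE DETACH"], ["S-GATE TERMINATE"]]

if __name__ == "__main__":
    for name, mode, script in [("card extrusion", OPEN, CARD_EXTRUSION),
                               ("after hours", OPEN, AFTER_HOURS),
                               ("terminate, not attached", OPEN, NOT_ATTACHED),
                               ("trusted user", CLOSED, TRUSTED_USER),
                               ("sensitive access", CLOSED, NOT_ATTACHED)]:
        print(f"{name:24} {run(mode, script)}")
```

The third scenario is the one to watch when reviewing a policy: in open mode an S-GATE TERMINATE rule on a session that was never attached releases every reply.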

Functionality Considerations

Supported Rules and Actions

[Table: rows Access Rule, Exception Rule, Extrusion Rule; columns S-TAP TERMINATE, S-GATE TERMINATE]

■ Rules support multiple actions

optim.Information Management Questions? imte.ibm.guardium@ca.com 12 © 2011 IBM Corporation .

S-TAP and S-GATE Terminate – Lab
