
Attachment 14940535 2 4 - S-GATE - Presentation


InfoSphere™ Optim™ & Guardium® Technology Ecosystem

InfoSphere™ Guardium® Technical Training

S-GATE

Information Management

© 2011 IBM Corporation



Agenda

■ What is S-GATE?
■ S-GATE Modes
■ S-GATE Configuration
■ S-GATE Actions
■ Using S-GATE Actions in Security Rules
■ Functionality Considerations


What is S-GATE?

■ Data may be leaked using privileged user accounts or compromised application user accounts → Rogue connections need to be terminated
■ S-GATE provides database protection via S-TAP
■ Provides extra layer of protection for sensitive information
■ S-GATE is a separately licensed option
■ Termination actions are only available as part of S-GATE
■ S-GATE has two activity modes:
– Open Mode
– Closed Mode (S-TAP Firewall Mode)


Open Mode
■ S-TAP passes requests to the database server without any delay.
■ In this mode latency is not expected.
■ If a terminate action is triggered, the triggering request usually will not be blocked, but additional requests from that session will be.
■ Suitable for limiting potential leaks through application user accounts.

[Diagram: Application User, Data Server, DBMS, K-TAP, A-TAP, S-TAP and Collector; flow steps labelled 1, 2a, 2b, 3a, 3b, 4a, 4b]


Closed Mode (S-TAP Firewalling)


■ S-TAP holds the database responses and waits for a verdict on each request before releasing its response.
■ In this mode latency is expected.
■ Assures that rogue requests will be blocked.
■ Suitable for monitoring privileged users as latency is not a concern.

[Diagram: Privileged User, Data Server, DBMS, K-TAP, A-TAP, S-TAP and Collector; flow steps labelled 1 to 7]


S-GATE Configuration

Configured through the guard_tap.ini configuration file or the Guardium GUI

■ firewall_installed=1: Indicates that the S-GATE is installed
■ firewall_default_state=0: Specifies whether the S-GATE starts in open (0) or closed (1) mode
■ firewall_timeout=xx: Sets the timeout period (value in seconds) before the S-GATE assumes that the collector has failed
■ firewall_fail_close=0: If the S-GATE times out, this specifies whether the S-GATE should kill the connection or let it through
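
A way to review these four settings on an S-TAP host, as an added example that is not part of the original presentation or of IBM's tooling. The sample file contents and the `[TAP]` section line are constructed, and the reading of firewall_fail_close (1 = kill the connection on timeout, 0 = let it through) is an assumption drawn from the parameter name.

```python
# Added example: report the effective S-GATE posture from guard_tap.ini text.
SAMPLE_INI = """\
; constructed sample, not taken from a real S-TAP host
[TAP]
firewall_installed=1
firewall_default_state=0
firewall_timeout=10
firewall_fail_close=0
"""

KEYS = ("firewall_installed", "firewall_default_state",
        "firewall_timeout", "firewall_fail_close")

def parse_firewall_keys(text):
    """Collect the firewall_* settings from key=value lines; skip sections and comments."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#[" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in KEYS:
            found[key] = value
    return found

def audit(text):
    """Return findings that describe how S-GATE will behave with this configuration."""
    cfg = parse_firewall_keys(text)
    problems = [f"{k} is not set" for k in KEYS if k not in cfg]
    problems += [f"{k} has a non-numeric value: {cfg[k]!r}"
                 for k in KEYS if k in cfg and not cfg[k].isdigit()]
    if problems:
        return problems
    if cfg["firewall_installed"] != "1":
        return ["S-GATE not installed: termination actions are unavailable"]
    mode = "closed" if cfg["firewall_default_state"] == "1" else "open"
    findings = [f"sessions start in {mode} mode"]
    timeout = cfg["firewall_timeout"]
    # Assumption: 1 = kill the connection when the collector times out, 0 = let it through.
    if cfg["firewall_fail_close"] == "1":
        findings.append(f"fail-closed: connection killed after {timeout}s without a verdict")
    else:
        findings.append(f"fail-open: traffic released after {timeout}s without a verdict")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_INI):
        print(finding)
```

A fail-open result combined with a closed default state means a collector outage silently removes the blocking guarantee, which is the combination worth flagging in a review.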


S-GATE Actions

■ S-GATE ATTACH
– Intended for use in open mode
– Starts firewalling for the session
– Latency will be observed

■ S-GATE TERMINATE
– Drops the reply of the request, which will terminate the session
– Has effect only when the session is attached or in closed mode by default

■ S-GATE DETACH
– Intended for use in closed mode
– Stops firewalling for the session
– No more latency will be observed

■ S-TAP TERMINATE
– Instructs S-TAP to terminate the session
– The triggering request will not be blocked (unless the session is attached), but this prevents additional requests from that session.
– Behaves the same as S-GATE TERMINATE if the session is in closed mode


Using S-GATE Actions in Security Rules

■ All sessions start in the default mode

➔ Open Mode or Closed Mode

■ The mode can be changed for each session

➔ S-GATE ATTACH or S-GATE DETACH

■ The session will be terminated if it makes a request that triggers a rule with a termination action

➔ S-GATE TERMINATE, S-TAP TERMINATE


Using S-GATE Actions in Security Rules

■ Default open mode assumes all sessions are safe. No delay is observed by default.
– S-TAP TERMINATE is used if an exception occurs or if sensitive data is extruded. For example, if numbers matching a credit card pattern are being extracted, then S-TAP TERMINATE is applied to the session.
– S-GATE ATTACH is used if the session shows signs of rogue behavior. For example, if a session is connected past working hours, then S-GATE ATTACH is applied and the session is in closed mode. The session will observe delays and is ready for S-GATE TERMINATE.
– S-GATE TERMINATE is used to terminate the session if more severe violations occur after S-GATE ATTACH was applied. For example, if sensitive customer information is accessed, then S-GATE TERMINATE is applied to the session.

■ Default closed mode assumes all sessions are rogue. Delay is observed by default.
– S-GATE DETACH is used when a session is deemed to be safe. For example, if the database session user is part of the trusted users groups, then S-GATE DETACH is applied to the session. Open mode scenarios will apply from this point on.
– S-GATE TERMINATE can be applied without S-GATE ATTACH since sessions are already in closed mode. The above S-GATE TERMINATE scenario is applicable.
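
The per-session behaviour described on the S-GATE Actions and security-rules slides, written out as a small model. This is an added example, not Guardium code: the `Session`, `handle` and `replay` names and the outcome strings are hypothetical, and "usually will not be blocked" is simplified to "is not blocked".

```python
# Added example: a simplified model of how the four actions affect one session.
from dataclasses import dataclass

@dataclass
class Session:
    attached: bool            # True = firewalled (closed mode), False = open mode
    terminated: bool = False

def handle(session, action=None):
    """Apply the action of the rule a request triggered; return what the client sees."""
    if session.terminated:
        return "blocked"                      # additional requests after a terminate
    held = session.attached                   # was this reply held for a verdict?
    if action == "S-GATE ATTACH":
        session.attached = True               # firewalling starts with later requests
    elif action == "S-GATE DETACH":
        session.attached = False              # no more latency from here on
    elif action == "S-GATE TERMINATE" and held:
        session.terminated = True             # has effect only when attached/closed
        return "reply dropped"
    elif action == "S-TAP TERMINATE":
        session.terminated = True
        if held:                              # same as S-GATE TERMINATE when closed
            return "reply dropped"
    return "released after verdict" if held else "released without delay"

def replay(firewall_default_state, actions):
    """Run a sequence of triggered actions (None = no rule fired) through one session."""
    session = Session(attached=(firewall_default_state == 1))
    return [handle(session, action) for action in actions]

# Constructed scenarios mirroring the slide examples.
SCENARIOS = {
    "open: card numbers extruded": (0, [None, "S-TAP TERMINATE", None]),
    "open: after hours, then customer data": (
        0, ["S-GATE ATTACH", None, "S-GATE TERMINATE", None]),
    "open: S-GATE TERMINATE without ATTACH": (0, ["S-GATE TERMINATE", None]),
    "closed: trusted user detached": (1, ["S-GATE DETACH", None]),
    "closed: S-TAP TERMINATE": (1, ["S-TAP TERMINATE", None]),
}

if __name__ == "__main__":
    for name, (state, actions) in SCENARIOS.items():
        print(f"{name}: {replay(state, actions)}")
```

The third scenario is the misconfiguration to look for in a policy: an S-GATE TERMINATE rule on sessions that are neither attached nor closed by default blocks nothing.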

Functionality Considerations

Supported Rules and Actions

S-TAP TERMINATE S-GATE TERMINATE

Access Rule

Exception Rule

Extrusion Rule

Rules support multiple actions


Questions?

S-TAP and S-GATE Terminate – Lab
