Guardium Data Protection - L4 - Architecture and Sizing - Components and Topology - Presentation


Guardium components and topology

IBM Training © 2023 IBM Corporation
Objectives
• Define the data sources Guardium can use for active and passive monitoring
• Diagram the methods Guardium can use to monitor database traffic
• Identify the basic functions of aggregation, central management, and load balancing
Guardium data sources
Guardium protection
Guardium can protect data no matter where it exists:
• On-premises
• Cloud platforms
• Hybrid multicloud
Diagram: Guardium, delivered as hardware or software, provides centralized policy enforcement and management and protects data in both cloud environments and on-premises environments.
Data sources for active and passive monitoring
• Use agents to monitor sources with sensitive data in real time
• Use agentless to monitor sources that are safer or don't contain sensitive data
S-TAP: Agent-based for real-time monitoring of on-premises data sources
E-TAP: Agent-based, proxy solution for real-time monitoring of cloud data sources
Universal Connectors: Agentless passive monitoring for cloud and on-premises data sources
Streaming APIs: Agentless passive monitoring for cloud data sources
S-TAP
• S-TAP, a lightweight agent, copies information to the Guardium collector
• The Guardium collector performs the resource-intensive processing
• Additionally, the sniffer sends control signals to the S-TAP agent
• The database client can communicate with the database server, but all communications are intercepted by the S-TAP agent
Diagram: the Database Client sends requests to the DB Server, which responds with the appropriate information. The S-TAP agent on the DB Server copies this traffic and sends it to the Guardium collector, where the Guardium Analysis Engine analyzes, parses, and logs the data to its internal repository. The Sniffer can send control signals back to S-TAP.
S-TAP architecture
K-TAP (Kernel Tap)
• Kernel module hooks into client/server communication
• Monitors DBMS network port
A-TAP (Application Tap)
• Monitors communication at application level
• Dependent on K-TAP
Db2 Exit
• Installed on DBMS
• Requires less configuration
Diagram: on the data server, a local application/user talks to the DBMS at the application/user level (through shared memory), while network traffic passes through the network layer at the kernel level. S-TAP, made up of K-TAP and A-TAP, taps these paths and forwards the captured traffic to the Collector.
External S-TAP
Agent capabilities when S-TAP can't be installed:
• Support DBaaS, container environments
• Autodeploy and scale with Kubernetes
• Certified on Docker and Red Hat OpenShift (on premises or cloud)
• All elements can be on-premises, in the cloud, or a combination
Diagram: user activity from the Client passes through a Load balancer to one of several External taps (E-Tap 1, E-Tap 2, E-Tap 3), each running in Docker on an E-Tap host that can be on-premises or a cloud host, and on to the Database service. The External taps forward the captured traffic to the Guardium Collector.
Universal connector
• Get data from a wide range of data sources
• Support for many universal connectors such as MongoDB, MySQL, Amazon S3
• Can develop plugins for other data sources
Diagram: the Universal connector identifies and parses received events, converts them to the standard Guardium format, and forwards them to the Guardium collector, which handles policy enforcement, analytics, and alert & audit.
Streaming APIs
• Almost all the functions available in the GUI are also exposed through APIs
• Use APIs to automate deployment and configuration settings
• Define datasources, populate groups, set up inspection engines
• Integrate with external systems such as AWS and Azure
• Use REST API functions to populate groups and re-install policies
• Extract focused information from Guardium by using the online_report and quick_search APIs
Capturing data traffic

Integrating Guardium
Diagram: Guardium integrates with databases, event management, existing IT infrastructure, and third-party tools.
Guardium monitoring options
Agent-based: an Agent on the database server sends a copy of the traffic to the Sniffer on the Guardium appliance.
Proxy-based: the Client connects to an Agent (proxy) running in Docker, which relays the traffic to the Server and sends a copy to the Sniffer on the Guardium appliance.
Agentless: Native Audit Logs are collected by a Universal connector and passed to the Sniffer on the Guardium appliance.
Agent-based monitoring
Agent: a lightweight probe that makes a copy of the database traffic. Designed to have minimal impact on the performance of the database.
Captured data:
• Sessions: who or what talks to the database
• Requests: what data is requested and who accesses it
• Errors: what exceptions occurred
• Result sets: what data is returned to the client from a request
Sniffer (on Guardium): parses and analyzes traffic received from agents; controls agents based on policies.
Agent-proxy monitoring
Agent (proxy): a lightweight proxy, running in Docker between the Client and the Server, that makes a copy of the database traffic. No impact on the database server; lightly impacts lag.
Captured data:
• Sessions: who or what is talking to the database
• Requests: what data is being requested and who is accessing it
• Errors: what exceptions have occurred
• Result sets: what data is being returned to the client from a request
Sniffer (on Guardium): parses and analyzes traffic received from agents; controls agents based on policies.
Sniffer breakdown: Agent or proxy-based
The Sniffer processes the traffic received from the Agent in four stages:
1. Snif: organizes received traffic (sessions and order within sessions)
2. Analyzer: decodes raw traffic, extracts SQL, applies policy rules
3. Parser: normalizes activity; breaks down SQL into its parts such as Command, Object, Verb, and Field
4. Logger: writes processed activity to disk based on the policy, which defines what to collect
Example: the raw bytes of "SELECT * FROM contacts;" are parsed into Verb: SELECT, Object: contacts.
Agentless, Universal Connector monitoring
Native Audit Logs: the database writes or pushes logs to storage. Can impact performance because the database does more work; can impact storage requirements and costs.
Captured data:
• Sessions: who or what talks to the database
• Requests: what data is requested and who accesses it
• Errors: what exceptions occurred
Universal Connector: pulls, or receives from push, logs from the data source; transforms the logs into a universal format that the Sniffer understands.
Sniffer breakdown: Agentless
Input is a data stream or a universal connector, normally JSON docs. The Sniffer processes it in four stages:
1. Snif: organizes received traffic (sessions and order within sessions)
2. Analyzer: applies policy rules
3. Parser: normalizes activity; breaks down SQL into its parts such as Command, Object, Verb, and Field
4. Logger: writes processed activity to disk or sends it to the ingestion pipeline based on the policy, which defines what to collect
Example output: Verb: SELECT, Object: contacts.
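The four-stage sniffer pipeline described in both Sniffer breakdown slides (Snif, Analyzer, Parser, Logger), as an added toy example that is not Guardium's own code: constructed captured requests are grouped into ordered sessions, broken into Verb, Object and Fields, and only the activity selected by a toy policy dictionary (an assumption standing in for a Guardium policy) is logged.

```python
import re
from collections import defaultdict

# Constructed sample of captured requests (session, sequence, db user, SQL):
# a toy stand-in for what an agent or universal connector would deliver.
CAPTURED = [
    ("s1", 2, "app", "SELECT name, email FROM contacts WHERE id = 7"),
    ("s1", 1, "app", "SELECT * FROM contacts;"),
    ("s2", 1, "dba", "UPDATE contacts SET email = 'x' WHERE id = 7"),
    ("s2", 2, "dba", "SELECT 1"),  # no object: the policy does not select it
]

# Toy policy (assumption): (Verb, Object) pairs to collect, and which also alert.
POLICY = {"log": {("SELECT", "contacts"), ("UPDATE", "contacts")},
          "alert": {("UPDATE", "contacts")}}

_SQL = re.compile(r"^\s*(SELECT|INSERT|UPDATE|DELETE)\s+(.*?);?\s*$", re.I | re.S)

def snif(records):
    """Stage 1 (Snif): group traffic by session and restore request order."""
    sessions = defaultdict(list)
    for sess, seq, user, sql in records:
        sessions[sess].append((seq, user, sql))
    return {s: sorted(v) for s, v in sessions.items()}

def parse(sql):
    """Stage 3 (Parser): normalize SQL into Verb, Object and Fields (toy subset)."""
    m = _SQL.match(sql)
    if not m:
        return None  # not a statement this toy parser understands
    verb, body = m.group(1).upper(), m.group(2)
    fields = []
    if verb == "SELECT":
        cols, sep, body = body.partition(" FROM ")  # uppercase FROM only
        fields = [c.strip() for c in cols.split(",")] if sep else []
        if not sep:
            body = ""  # no FROM clause: nothing to name as the Object
    words = body.split()
    return {"verb": verb, "object": words[0] if words else "", "fields": fields}

def run_sniffer(records, policy=POLICY):
    """Stages 2 and 4 (Analyzer + Logger): apply policy rules, emit log records."""
    logged = []
    for sess, reqs in snif(records).items():
        for seq, user, sql in reqs:
            p = parse(sql)
            if p is None or (p["verb"], p["object"]) not in policy["log"]:
                continue  # the policy defines what to collect; skip the rest
            logged.append({"session": sess, "seq": seq, "user": user, **p,
                           "alert": (p["verb"], p["object"]) in policy["alert"]})
    return logged
```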
Universal connector framework and plugins
Aggregation and central managers
Aggregators
• Appliance dedicated to serve as central repository of filtered/summarized audit data from multiple collectors
• Similar hardware and software configuration as a collector
• Collectors send data on a scheduled basis
• Centralized repository means you can audit enterprise wide
• Querying for reports performed on the aggregator relieves collectors from the performance impact of running complex reports
• Collectors can be dedicated to monitoring and policy enforcement tasks
Diagram: the Aggregator aggregates data from Collector H1, Collector H2, Collector H3, and Collector H4; reports pull from the Aggregator.
Central manager
• Collector and aggregator status
• Detailed enterprise S-TAP view
• Central patch management
• Unified security policy pushed out to all managed collectors
• Centralized users/roles/permissions and groups management
• Centralized report and audit process definition
Diagram: the Central manager manages the Aggregator and Collectors H1 to H4; the Aggregator aggregates data from those collectors.
Guardium configurations (1 of 3)
Diagram: a single appliance acts as both Aggregator & central manager; it aggregates data from, and manages, Collectors H1, H2, H3, and H4.
Guardium configurations (2 of 3)
Diagram: one appliance acts as Aggregator & central manager and a second appliance is a dedicated Aggregator. Collectors H1 to H4 monitor the Human Resources databases and Collectors S1 and S2 monitor the Sales databases; each aggregator aggregates data from one group of collectors, and the central manager manages all units.
Guardium configurations (3 of 3)
Diagram: a dedicated Central manager manages two aggregators; the HR aggregator aggregates data from Collectors H1 to H4 (Human Resources databases) and the Sales aggregator aggregates data from Collectors S1 and S2 (Sales databases).
Enterprise load balancing using central manager
• Dynamic load balancing available in centrally managed environments
• Automates load balancing
Eliminates:
• Evaluating collector load before assigning a new S-TAP agent
• Defining failover managed units as part of a post-installation S-TAP configuration
• Manually relocating S-TAP agents
Diagram: the Load Balancer on the Central manager maintains a Load Map of the managed units (for example, MU 1 = loaded, MU n = vacant). The map is fed by a periodic full load collection from each managed unit (MU 1 through MU n) and by a change tracker that reports changes to the load balancing factors.
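The load-map mechanism above, as an added simplified model that is not Guardium's own code: the map is rebuilt by a periodic full collection and adjusted by a change tracker, a new S-TAP is given a primary and failover managed unit from the least loaded vacant ones, and agents on a loaded unit are relocated. The single load number per MU and the 80% threshold are assumptions; the real balancer weighs more factors.

```python
from dataclasses import dataclass, field

@dataclass
class LoadMap:
    """Toy load map kept by the central manager's load balancer (assumption:
    one load number per managed unit, MU; at or above `capacity` an MU is loaded)."""
    load: dict = field(default_factory=dict)   # MU name -> current load, 0..100
    capacity: int = 80

    def full_collection(self, reported):
        """Periodic full load collection: every MU reports and the map is rebuilt."""
        self.load = dict(reported)

    def track_change(self, mu, delta):
        """Change tracker: apply an incremental change to one MU's load factors."""
        self.load[mu] = max(0, self.load.get(mu, 0) + delta)

    def vacant(self):
        """MUs with spare capacity, least loaded first."""
        return sorted((m for m, l in self.load.items() if l < self.capacity),
                      key=lambda m: self.load[m])

    def assign(self, agent_cost, failovers=1):
        """New S-TAP: choose primary plus failover MUs, no manual load check needed."""
        cands = self.vacant()
        if not cands:
            raise RuntimeError("no vacant managed unit for a new S-TAP")
        chosen = cands[:1 + failovers]
        self.track_change(chosen[0], agent_cost)   # the primary now carries the agent
        return chosen

    def rebalance(self, agents):
        """Relocate agents off loaded MUs. agents: name -> [mu, cost]. Returns moves."""
        moves = []
        for name, (mu, cost) in sorted(agents.items()):
            if self.load.get(mu, 0) < self.capacity:
                continue                           # its MU is still vacant, leave it
            targets = [m for m in self.vacant()
                       if m != mu and self.load[m] + cost < self.capacity]
            if not targets:
                continue                           # no MU has room for this agent
            self.track_change(mu, -cost)
            self.track_change(targets[0], cost)
            agents[name] = [targets[0], cost]
            moves.append((name, mu, targets[0]))
        return moves
```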
Summary
• Define the data sources Guardium can use for active and passive monitoring
• Diagram the methods Guardium can use to monitor database traffic
• Identify the basic functions of aggregation, central management, and load balancing
Thank you

© Copyright IBM Corporation 2023. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represents only goals and objectives. IBM, the IBM logo, and ibm.com are trademarks of IBM Corp., registered in many jurisdictions worldwide. Amazon Web Services, AWS, and AWS Kinesis are trademarks of Amazon.com, Inc. or its affiliates. Azure and Windows are trademarks of the Microsoft group of companies. Docker and the Docker logo are trademarks or registered trademarks of Docker, Inc. in the United States and/or other countries. Hadoop is a trademark of the Apache Software Foundation in the United States and/or other countries. The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a worldwide basis. MongoDB's U.S. pending and registered trademarks include MONGODB. Oracle is a registered trademark of Oracle and/or its affiliates. Red Hat®, JBoss®, OpenShift®, Fedora®, Hibernate®, Ansible®, CloudForms®, RHCA®, RHCE®, RHCSA®, Ceph®, and Gluster® are trademarks or registered trademarks of Red Hat, Inc. or its subsidiaries in the United States and other countries. ServiceNow is a trademark of ServiceNow, Inc., or its affiliates or licensors, in the United States and/or other countries. Splunk is a registered trademark of Splunk Inc. in the United States and other countries. UNIX is a registered trademark of The Open Group in the United States and other countries. Venafi is a registered trademark of Venafi, Inc. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available at https://www.ibm.com/legal/copytrade.
All names and references for organizations and other business institutions used in this deliverable’s scenarios are fictional. Any match with
real organizations or institutions is coincidental. All names and associated information for people in this deliverable’s scenarios are fictional.
Any match with a real person is coincidental.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and
response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed,
misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or
product should be considered completely secure and no single product, service or security measure can be completely effective in
preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security
approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most
effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the
malicious or illegal conduct of any party.
