DbProtect Installation Guide - · PDF fileDbProtect Installation Guide Application Security,...
Transcript of DbProtect Installation Guide - · PDF fileDbProtect Installation Guide Application Security,...
DbProtect 6.2Installation GuideLast Modified December 5, 2010
Application Security, [email protected]
DbProtect Installation Guide
ContentsIntroduction 4About DbProtect: The Enterprise Solution for Database Security 4Intended Audience 5DbProtect Components 6Networking, Port, and Firewall Considerations 9Data Repository 11Customer Support 12
Planning Your DbProtect Installation 13DbProtect Installation Checklist 13DbProtect Version Compatibility Matrix 14
Minimum System Requirements 17DbProtect Suite System Requirements 17Scan Engine System Requirements 18Sensor System Requirements 20Typical Deploymnet: Recommended System Requirements 70
Licensing 76
Installing the DbProtect Components 79Installing the DbProtect Suite Components 79Installing Scan Engines 87Installing, Starting/Stopping, and Reconfiguring the Sensors 89
Your Initial DbProtect Login 152Logging In to the Console 152DbProtect Console Login Troubleshooting 156
Application Security, Inc. 2
DbProtect Installation Guide
Uninstalling the DbProtect Components 161Uninstalling the DbProtect Suite Components 161Uninstalling and Unregistering a Sensor 162Uninstalling and Unregistering a Scan Engine 165
Installation Troubleshooting 167
Appendices 176Appendix A: Installing/Uninstalling Sensors in a SQL Server Cluster 176Appendix B: Installing and Configuring a Host-Based Sensor for Oracle to Monitor Oracle Databases on an Oracle RAC 187Appendix C: Modifying the Sensor Listener Port Number 189Appendix D: Network Ports Used by DbProtect 190Appendix E: Working with Oracle DDL Triggers (for Host-Based Sensors for Oracle In-stalled on *nix Platforms Only) 191Appendix F: Modifying the "Log On As" User for the DbProtect Sensor and DbProtect Message Collector Services 195Appendix G: DB2 Administrative Client Driver Installation 196Appendix H: DbProtect Log Files 197Appendix I: Using App DSN, the Repair ODBC Utility 205Appendix J: Configuring Your Oracle Audit Trail in Order to Monitor Logins 207Appendix K: Required Client Drivers for Audits 208Appendix L: Required Audit Privileges 219Appendix M: Auditing SQL Server (Using Windows Authentication) Against a Machine on a Different or Untrusted Domain 280Appendix N: Troubleshooting the Java Run Time Environment (JRE) Security Settings on Internet Explorer 6 and 7 282Appendix P: Monitoring Multiple Instances on a DB2 Server 286Appendix Q: Monitoring Oracle Databases in an Oracle Fail Safe Environment: Sensor and Cluster Configuration Steps 287Appendix R: Configuring Your Host-Based Sensor (Installed on a *nix Platform) to Start Automatically Upon System Reboot 291Appendix S: DbProtect Requirements for Sybase ASE 293
Application Security, Inc. 3
Chapter 1 Introduction
About DbProtect: The Enterprise Solution for Database Security
DbProtectisadatabasesecurity,riskandcomplianceapplicationdesignedtomeettheneedsofcompanieswithlargeheterogeneousdatabaseenvironments.DbProtectssITriskmanagementframework,securitycontrols,continuouscontrolsmonitoring,andgovernancefordatabasesmakeittheleadingsolutiononthemarkettoday.
DbProtectisacentrallymanagedenterprisesolutionthatusesaprovenmethodologyforinformationassurance.ItisbuiltontheindustrysleadingandmostcomprehensivedatabasesecurityknowledgebasecalledSHATTERwhichaccuratelyidentifiesvulnerabilities,risks,andactualthreats.
DbProtectaccomplishesthefollowingtosecureenterprisedata:
DISCOVERYIdentifiesandlocatatesalldatabasesonagivensystem
CLASSIFICATIONIdentifiesriskstobusinessanddevelopmentpolicies
ASSESSMENTAnalyzesdatabasestructuresforsecurityrisks,anddetermineswhatprivilegeshavebeenassignedtousers
PRIORITIZATIONCreatesaplantomitigaterisks
FIXExecutestheplanandfixestheviolations
5
MONITORINGAppliescompensatingcontrolswhereafixcannotbeapplied
TheDbProtectplatformprotectsenterpriseorganizationsaroundtheworldfrominternalandexternalthreats,whilealsoensuringthatthoseorganizationsmeetorexceedregulatorycompliancerequirements.Atitscore,DbProtectisbuiltontoolsdevleopedfromtheSHATTERKnowledgebase,including:AssetManagement;PolicyManagement;VulnerabilityManagement;RightsManagement;Configuration&PatchManagement;Audit&ThreatManagement;andAnalytics&Reporting.
Intended Audience
ThisguideisintendedforpersonsresponsiblefordaytodayusageofDbProtect.Typically,thoseresponsibleforinstallingDbProtectmaintainoneof(oracombinationof)thefollowingroles:
System Administrators
SystemAdministratorsmaintainandoperateacomputersystemand/ornetwork.Theirdutiesvaryfromoneorganizationtoanother.Systemadministratorsareusuallychargedwithinstalling,supporting,andmaintainingserversorothercomputersystems,andplanningforandrespondingtoserviceoutagesandotherproblems.Otherdutiesmayincludescriptingorlightprogramming,projectmanagementforsystemsrelatedprojects,supervisingortrainingcomputeroperators,andhandlingcomputerproblemsbeyondtheknowledgeoftechnicalsupportstaff.
Network Administrators
NetworkAdministratorsareresponsibleforthemaintenanceofthecomputerhardwareandsoftwarethatcomprisesanetwork.Thisnormallyincludesthedeployment,configuration,maintenanceandmonitoringofactivenetworkequipment.Networkadministrationcommonlyincludesactivitiesandtaskssuchasnetworkaddressassignment,assignmentofroutingprotocolsandroutingtableconfiguration,aswellasconfigurationofauthenticationandauthorizationdirectoryservices.Anetworkadministratorsdutiesoftenalsoincludemaintenanceofnetworkfacilitiesinindividualmachines,suchasdriversandsettingsof
Application Security, Inc.
Intended Audience
personalcomputers,aswellasprintersandsoon.NetworkadministratorsarealsoresponsibleforthesecurityofthenetworkandforassigningIPaddressestothedevicesconnectedtothenetworks.
Database Administrators
DatabaseAdministrators(DBAs)areresponsiblefortheenvironmentalaspectsofadatabase.Ingeneral,theseinclude:
Recoverabilitycreatingandtestingbackups Integrityverifyingorhelpingtoverifydataintegrity Securitydefiningand/orimplementingaccesscontrolstothedata Availabilityensuringmaximumuptime Performanceensuringmaximumperformance Developmentandtestingsupporthelpingprogrammersandengineerstoefficientlyutilizethedatabase
TheroleofaDBAhaschangedaccordingtothetechnologyofdatabasemanagementsystems(DBMSs),aswellastheneedsofthedatabaseowners.
Application Security, Inc. 6
7
DbProtect Components
ThefollowingdiagramillustrateshowDbProtectcomponentsinteractandshowswhichstandardlisteningportsmustbeopeninorderforDbProtecttowork.
Console
TheConsoleisthewebbrowserbased,graphicalcomponentofDbProtectthatallowsyoutonavigatetothevariousfeaturesofDbProtect.
TheDbProtectConsoleconsistsofthefollowingcomponents.
DbprotectSetup:supportfilesthatenableDbProtectupgradesandremoval.
Application Security, Inc.
DbProtect Components
DbProtectEnterpriseServicesHost:anapplicationserverthatmanagesremoteconnectionstothesystemandvariousservicesthatperformDbProtectfunctions. DbProtectConsoleManagementServer:thebrowserbasedgraphicalinterface. DbProtectEnterpriseServices:servicesthatimplementsupportforvariousfeaturesvisibleintheGUI. DbProtectNamingandDirectoryService:aservicelocatordirectory. DbProtectMessageCollector:aservicethatcollectsandstoresalertsfromsensors. DbProtectAnalytics:aservicethatperformsreportingfunctions. DbProtectAnalyticsContent:acollectionofreportsanddashboards. DbProtectVAPolicyEditor:vulnerabilityassessmentpolicyeditingmodule. DbProtectDocumentationandContent:includesthisguideandotherreferencedocumentation. DbProtectScanEngineProxy:aloadbalancingserviceforScanEngines.
Scan Engines
ScanEnginesarenetworkbasedservicesthatdiscoverdatabaseapplicationswithinyourinfrastructureandassesstheirsecuritystrengthbyrunningpenetrationtests,auditsanduserrightsreviews.
DbProtectScanEngineconsistsofthefollowingcomponents.
DbProtectScanEngineHost:anapplicationserverthatmanagesvariousservicesthatconnecttotargetdatabases. DbProtectScanEngine:aservicethatperformsdatabasediscoveryandvulnerabilityassessmentfunctions. DbPRotectRightsManagementService:aservicethatperformsuserrightsreviews.
Sensors
Sensorsmonitoryourdatabaseforvariousevents,suchasintrusionattemptsorauditingofnormalusage.Sensorssendalertswhentheydetectaviolationofrules,
Application Security, Inc. 8
9
andamonitoredeventoccurs.TwotypesofSensorsareavailable:Networking,Port,andFirewallConsiderationsandNetworkBasedSensors.
Host-Based Sensors
Thetablebelowlistsallsupportedhostbaseddatabase/OScombinations.
DB OS
SQLSERVER WINDOWS
DB2 LINUX
SOLARIS
AIX
WINDOWS
ORACLE LINUX
SOLARIS
AIX
HPUX
WINDOWS
SYBASE SOLARIS
AIX
Application Security, Inc.
Networking, Port, and Firewall Considerations
Network-Based Sensors
NetworkbasedSensorsallowyoutomonitorWindowsbasedSybase,Oracle,andDB2onthenetwork.Thetablebelowlistssupporteddatabase/OScombinations,andlinksyoutotheinstallationsteps.
Networking, Port, and Firewall ConsiderationsDbProtectrequiresvariousnetworking,port,andfirewallconditions.
Networking Considerations
Networkconnectivityisrequiredforvariousservicestocommunicatewitheachother.Forexample,theConsolemustbeabletocommunicatewiththeScanEnginesandSensors,and,optionally,withSNMPandSyslogsystems.Whilethesystemhassomefaulttolerancebuiltin,youshouldinstallitonserversconnectedtothenetworkcontinuously.
Inaddition,thefollowingnetworkingrequirementsapplyspecificallytonetworkbasedSensors:
ThenetworkbasedSensormachinemustbeonthesameLocalAreaNetwork(LAN)asthedatabasemachine(s)thatitismonitoring,orotherwisehaveaccesstonetworktrafficgoingto/comingfrome