As more and more enterprises migrate traditional business systems to virtualized environments or to cloud platforms operated by cloud service providers, the risk of data leakage and tampering grows, and protecting data and auditing it after the fact becomes increasingly difficult. The main reason is that the traditional database audit solution relies on mirroring (bypass/SPAN) the traffic of the target database at a switch port and analysing the copy, whereas in a virtualized environment or cloud platform the traffic flows through the internal virtual switch (vSwitch) and is difficult or impossible to mirror. As a result, traditional database audit solutions cannot meet the database audit needs of virtualization and cloud platforms.
First, we analyze the pros and cons of the traditional database audit solution in a few typical scenarios in virtualized and cloud environments:
Scenario One: The virtual hosts of the application and the database are on the same physical machine
When the application and the database run on the same physical machine, their traffic is forwarded by the internal vSwitch and never passes through the physical machine's network card, so the traditional mirroring approach cannot capture it at all, as shown in the figure:
The drawbacks of this approach (turning on traffic broadcasting in the vSwitch so that DB Audit receives all traffic) are also obvious:
1. Although most vSwitches support turning on traffic broadcasting, this makes the vSwitch behave like an early hub: TCP throughput drops significantly, and the overall network latency and reliability suffer;
2. DB Audit can collect all virtual machine traffic, but every other virtual machine can collect all of it too. This traffic necessarily contains a lot of unencrypted sensitive data such as user names and passwords, so if any one of these virtual machines is compromised or misused, the result is a serious security problem.
Scenario Two: The virtual hosts of the application and the database are allocated at random to hosts in a virtualized cluster
This scenario is actually a combination of Scenario One and Scenario Two: to avoid a single hardware failure taking everything down, most customers build enterprise virtualization on a virtual cluster. When a hardware failure occurs, the virtual machines migrate automatically within the virtualized hardware resource pool, and the physical host they end up on is not determined in advance. Therefore, with the traditional mirroring method it is impossible to tell which switch the virtual host is connected to at any given moment, as shown in the figure:
Therefore, mirroring a single port does not work in this scenario either; the only option is to mirror the traffic of every host in the virtualization cluster, and the drawbacks of that are also very obvious:
1. When the business and DB virtual machines migrate onto the same physical machine, no traffic reaches the mirror, so effectively no data is audited, which is a serious gap in audit coverage;
2. A virtual cluster involves many machines, the traffic volume is very large and the network may be complex, so the traditional mirroring method is hard to configure in practice and difficult to implement.
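To make the coverage argument concrete, here is an added example (not from the original article) that models which application-to-database flows a port-mirroring audit can see for a given VM placement, and a reconciliation check that flags the resulting audit gap; the host names, VM names and session counts are constructed.

```python
"""Model of mirror-based (SPAN) database audit coverage in a virtual cluster.

Added example, not from the original article. Hosts, VM names and session
counts are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    client_vm: str   # application VM that opens database connections
    db_vm: str       # database VM that serves them


def flow_is_mirrored(flow, placement, mirrored_hosts):
    """Return True if app->DB traffic crosses an uplink that the physical
    switch mirrors to the audit appliance.

    placement:      {vm_name: physical_host}
    mirrored_hosts: physical hosts whose uplink port is a SPAN source
    Traffic between two VMs on the same host stays inside the vSwitch and
    never reaches a physical port, so it cannot be mirrored at all.
    """
    src_host, dst_host = placement[flow.client_vm], placement[flow.db_vm]
    if src_host == dst_host:
        return False                      # Scenario One: intra-host traffic
    return src_host in mirrored_hosts or dst_host in mirrored_hosts


def audit_coverage(flows, placement, mirrored_hosts):
    """Fraction of DB flows visible to the audit, plus the list of blind flows."""
    blind = [f for f in flows if not flow_is_mirrored(f, placement, mirrored_hosts)]
    return 1 - len(blind) / len(flows), blind


def detect_audit_gap(db_sessions, audited_sessions, tolerance=0.05):
    """Reconcile the DB server's own session count with sessions captured by
    the audit; a shortfall beyond the tolerance means traffic went unmirrored."""
    missing = db_sessions - audited_sessions
    return missing > tolerance * db_sessions, missing


if __name__ == "__main__":
    flows = [Flow("app1", "db1"), Flow("app2", "db1")]
    mirrored = {"host-a", "host-b", "host-c"}        # every cluster uplink mirrored
    before = {"app1": "host-a", "app2": "host-b", "db1": "host-c"}
    after = {"app1": "host-c", "app2": "host-c", "db1": "host-c"}  # after migration
    print(audit_coverage(flows, before, mirrored))   # (1.0, [])
    print(audit_coverage(flows, after, mirrored))    # (0.0, [both flows])
    print(detect_audit_gap(1000, 400))               # (True, 600)
```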
Discussion on database auditing technology in virtualization and cloud environment (i)