Virtual platforms and traditional network environments coexist, so auditing the database traffic between application servers and database servers on a hybrid cloud platform must be approached differently from a traditional deployment. This article takes the vSphere virtual platform as an example and discusses how to deploy database auditing on a hybrid virtualization platform.
I. Limitations of traditional database audit products on the virtualization platform
Virtualization addresses the most pressing challenge facing IT: a sprawling infrastructure that consumes 70% of the budget on maintenance, leaving few resources for business innovation.
This difficulty stems from the architecture of today's x86 servers: they are designed to run only one operating system and application at a time. As a result, even small data centers have to deploy a large number of servers, each running at only 5% to 15% of capacity, which is inefficient by any standard.
Virtualization software solves this problem by allowing multiple operating systems and applications to run on a single physical server, the host. Each fully functional virtual machine (VM) is isolated from the other virtual machines and can use the host's computing resources as needed.
Before introducing virtualization, many organizations already have an information infrastructure in place, so virtualization is introduced on top of the existing hardware, software and network: some application systems are deployed in the virtualized environment, while the rest remain in the traditional application and database server network. Database auditing on the virtualization platform is essential equipment for achieving security compliance, yet traditional database auditing technology has limitations on the new platform.
II. The audit principle of traditional database audit products
Traditional database audit products receive database traffic through a switch mirror (port mirroring) and log database activity on the network in real time by analyzing the SQL protocol. Port mirroring comes with several restrictions:
The node at the deployment location must support port mirroring and have an idle port to use as the observation port.
If the above conditions are met, the database security audit device can be deployed in bypass mode using port mirroring.
The port-mirroring bypass deployment point can be the egress switch of each department or the switch in front of the database; deployment in front of the database is recommended.
III. Models of database server deployment on the virtualization platform
(1) The application is virtualized, but the database is not.
In this case, the database and the application on the virtualization platform are connected through a switch, so database access traffic can be mirrored on the switch and output to the audit device.
(2) The application is virtualized and the database is also virtualized, but they run on two different hosts.
With two hosts, the traffic between the application and the database can likewise be mirrored on the switching device, so database operation auditing can be implemented.
(3) The application and the database are both virtualized and run on the same host.
In this case, the application's access to the database does not pass through any physical network device, so traditional database auditing cannot obtain the traffic from a switch mirror to perform database access protocol analysis.
Thus, traditional database audit products are compatible with cases (1) and (2), while in model (3) the network traffic stays inside the virtual platform and cannot be obtained from physical switches.
IV. Database audit solutions for the virtualized platform
(1) Software edition database audit products
The hybrid virtualization platform management system that enterprise users might use is shown in the figure.
After experimenting with the VMware virtualization platform, the An Huaqin and Database Security Labs obtained the following practical results.
The database audit is installed as an application in a virtual machine, and network traffic is mirrored to it through the virtual platform's soft switch. The deployment diagram of the database audit product in the virtual environment is shown in the figure: the virtual environment runs three application systems, APP1, APP2 and APP3, with their corresponding back-end databases DB1, DB2 and DB3. Dbaudit is the virtual machine on which the database audit product is deployed, and all devices communicate through the vSphere distributed switch.
[Figure: location of ESXi in the entire vSphere virtual environment]
The lab environment of the An Huaqin and Database Security Labs is built in vSphere as follows:
On the vSphere distributed switch, port mirroring can copy the network traffic of the target databases to the data acquisition port of the Dbaudit audit server. In the environment described, the Dbaudit audit server obtains the access traffic of all three database virtual machines as long as the data on port2, port5 and port7 is mirrored to port8.
The Dbaudit audit server uses port 8 as its mirrored data acquisition port. At the same time, the virtual appliance provides external access and management through port 9, where users configure and manage Dbaudit.
If the other virtual machines are separated into separate segments by the vSphere distributed switch, the segments are disconnected from each other, and a separate database audit instance must be deployed in each segment; one instance cannot be shared across segments.
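To make the deployment rules of sections III and IV concrete, here is an added planning helper (example code, not from the article or the vendor): it classifies each app/DB pair into the three models above, and for pairs whose traffic never leaves the host it builds one distributed-switch mirror session per segment (DB ports to that segment's Dbaudit port), reporting segments that have no audit VM. The inventory, host name and port keys are constructed to match the article's lab (port2, port5, port7 to port8); the classifier also treats a physical application server like model (1), which is a slight generalization of the text.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Server:
    name: str
    segment: str                 # vDS port group / network segment
    host: Optional[str] = None   # ESXi host, or None for a physical server
    port: Optional[int] = None   # vDS port key, or None for a physical server

def audit_method(app: Server, db: Server) -> str:
    """Classify an app->db pair into the three models of section III."""
    if app.host is None or db.host is None:
        return "physical-switch-mirror"   # model (1): one side is not virtualized
    if app.host != db.host:
        return "physical-switch-mirror"   # model (2): two hosts, traffic crosses the uplinks
    return "vds-port-mirror"              # model (3): same host, traffic never leaves the vDS

def plan_mirror_sessions(pairs, audit_vms):
    """One mirror session per segment: DB source ports -> that segment's Dbaudit port.
    Segments that need vDS capture but have no audit VM are returned separately,
    because a session cannot reach across disconnected segments (section IV (1))."""
    audit_by_segment = {a.segment: a for a in audit_vms}
    sessions, uncovered = {}, set()
    for app, db in pairs:
        if audit_method(app, db) != "vds-port-mirror":
            continue                      # observable on a physical switch, no vDS session needed
        if db.segment not in audit_by_segment:
            uncovered.add(db.segment)     # needs its own Dbaudit instance in that segment
            continue
        dest = audit_by_segment[db.segment].port
        s = sessions.setdefault(db.segment, {"sources": set(), "destination": dest})
        s["sources"].add(db.port)
    return sessions, uncovered

def lab_example():
    """Constructed inventory modelled on the article's lab: three app/DB pairs on one host."""
    h = "esxi-01"  # hypothetical host name
    pairs = [
        (Server("APP1", "seg-A", h, 1), Server("DB1", "seg-A", h, 2)),
        (Server("APP2", "seg-A", h, 4), Server("DB2", "seg-A", h, 5)),
        (Server("APP3", "seg-A", h, 6), Server("DB3", "seg-A", h, 7)),
        (Server("APP4", "seg-B", h, 10), Server("DB4", "seg-B", h, 11)),  # segment without audit VM
        (Server("APP5", "seg-A", h, 12), Server("DB5", "seg-A")),         # DB still on physical hardware
    ]
    audit_vms = [Server("Dbaudit", "seg-A", h, 8)]
    return plan_mirror_sessions(pairs, audit_vms)
```

Running lab_example() yields a single session for seg-A with sources {2, 5, 7} and destination 8, and flags seg-B as needing its own audit instance.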
(2) Through a local agent on the database
The local agent is installed on the database server virtual machine in the virtualization platform, and the agent sends the traffic to the hardware database audit product.
(3) Comparison of the pros and cons of the two approaches:
Mode (1) requires installing software on the database's operating system, which introduces a risk of stability failures;
Mode (2) increases network traffic, complicates the network topology and opens gaps in the security system (for example, the usual firewall security policy forbids the database server from sending data outward).
V. Concluding remarks
Taking the VMware virtualization platform as an example, the An Huaqin and Database Security Lab deployed the software edition database audit on the virtualization platform. Unlike traditional database audit equipment, which mirrors traffic through a physical switch, it mirrors traffic through the vSphere distributed switch, and it also accommodates the characteristics of the different database server deployment models on the virtualization platform.
This article is from the Database Security blog; please keep this source: http://schina.blog.51cto.com/9734953/1650313
Cloud Platform Database Security series (ii) database audit