Jan Kristian Nielsen - Client Architect
24/04/2012

IBM System Software
© 2012 IBM Corporation

IBM System Software Hierarchy
(diagram labels: Enterprise-wide; IBM Tivoli; IBM Systems Director; VMControl; PowerHA; Operating Systems; PowerVM; PowerSC; Hypervisor (Firmware); Single System; Hardware)
© 2009 IBM Corporation

System Management

IBM Systems Director 6.3
– Simplify platform management across server and storage infrastructure
– Focus on health, status, automation
– Manage physical and virtual resources
– Common navigation, look and feel
– Enable upward integration to enterprise service management

IBM® Systems Director provides platform lifecycle management
Consolidation of Platform Management Tools
– Single consistent cross-platform management tool
– Simplified tasks via Web based interface
– Manage many systems from one console
Physical and Virtual Management
– Discovery and Inventory of physical and virtual resources
– Configuration and provisioning of platform resources
– Status, Health, and Monitoring of platform resources
– Visualization of server resource topologies
– Move virtual servers between systems without disruption to running workloads
Platform Update Management
– Simplified consistent cross-platform tools to acquire, distribute and install firmware, driver and OS updates

What can IBM® Systems Director manage?
Blade and Modular System resources:
– BladeCenter, Blade servers (x, Power, Cell), I/O modules
– System x servers
– VMware ESX, VMware 3i, MSVS, Xen
– Windows, Linux
POWER System resources:
– HMC, IVM, Virtual I/O Server, System i/p Servers
– AIX, POWER Linux, IBM i
Mainframe System resources:
– Linux on zSeries
– z/VM
HP, Dell, and other OEM x86 systems
SNMP-based devices:
– Network, storage, power distribution units, etc.
CIM-based devices
– CIM = Common Information Model
Storage resources (SMI-S)
– LSI (IRC), DS3000, DS4000, DS6000, RSSM
– SAS Switch (NSSM, RSSM), Brocade FC Switch, Qlogic FC Switch

IBM Systems Director - End-to-End Management
(diagram labels: Other Systems Management Software Integrated Service Management Configuration Automation Update System x & Blade Center Status Remote Access System z Virtualization Core Director Services Power Systems Discovery Configuration Storage Configuration Storage Control Additional Plug-Ins WPAR Manager VMControl Image Manager BOFM Transition Mgr for HP SIM Network Control Active Energy Manager VMControl Service & Support Manager)

IBM® Systems Director Editions
(diagram labels: $$; Enterprise Service Management; Advanced Managers & Priced Plug-Ins; Base Systems Director Managers & Hardware Platform Managers; Resource Management; Managed virtual and physical environments; Hardware; IBM and non-IBM hardware)

IBM Systems Director topology
(diagram labels: Web-based Interface; IBM System Director Server; Management Interface; IBM Systems Director Agents; Managed Systems (All IBM Server platforms, Desktops, Laptops, SNMP devices, CIM devices))
Deploying agents:
• Common Agent
• Platform Agent
• (No Agent)
Database (Local or Remote)
– Apache Derby (local default), SQL, DB2 or Oracle
Three-tier architecture
Thousands of managed end-points
Upward Integration modules supporting:
– IBM Tivoli, Computer Associates, Hewlett Packard, Microsoft

IBM Tivoli and Systems Director
Together deliver a comprehensive, ultra-scalable end-to-end systems and service management solution
(diagram labels: Physical/Virtual Resources and Applications; Functionality; Middleware; Network; Operating System; IBM Systems Director; IBM Tivoli)
“Care and feeding” of platform hardware
– Let me configure, install and tweak it
– Tell me if it’s working
– Let me update it
– Tell me what I have
Integrated visibility, control & automation across business and technology
assets
– See the business with real-time dashboards
– Govern the business with integrated asset control solutions
– Optimize the business with automated solutions
(diagram labels: Hardware; Functionality)

Performance Advisors
Run advisors on test or production systems.
Advisors will evaluate the environment for performance optimization opportunities
– Gives guidance on how to make the necessary changes.
Three advisors available:
– Java
– VIOS & Virtual Ethernet
– Virtualization
“Built in Smarts” to detect some of the most common problems that are encountered
Available on Developer Works – FREE OF CHARGE
Link: https://www.ibm.com/developerworks/wikis/display/WikiPtype/Other+Performance+Tools

Introducing the VIOS Advisor
• What is it?
The VIOS advisor is a standalone application that polls key performance metrics for minutes or hours, before analyzing the results to produce a report that summarizes the health of the environment and proposes potential actions that can be taken to address performance inhibitors.
• How does it work?
STEP 1) Download VIOS Advisor: Only a single executable is required to run within the VIOS
STEP 2) Run Executable: The VIOS Advisor can monitor from 5 minutes up to 24 hours
STEP 3) View XML File: Open up the .xml file using your favorite web browser to get an easy to interpret report summarizing your VIOS status.
(diagram labels: VIOS Advisor; VIOS Partition)
https://www.ibm.com/developerworks/wikis/display/WikiPtype/VIOS+Advisor

Screenshot 1: Overview
Get a comprehensive summary of your VIOS’ health on a single page.

PowerSC

IBM Power Systems
PowerSC
SECURITY AND COMPLIANCE
The Foundation of Trust for AIX
Power is Performance Redefined
Illustration by Chris Short

Security Concerns in a virtualized environment
1. Trusted Boot
   How can I be sure that a VM’s OS has booted in a known-trusted state?
2. Trusted Execution
   How can I be sure that the application binaries are safe to run?
3. Trusted Logging
   How can I be sure that audit files are safe from malicious modification?
4. Compliance Automation
   How can I raise alerts when security policies are violated?
5. Trusted Network Connect
   How do I ensure that a new system is trustworthy when it attempts to join a secure network?
(diagram labels: PowerSC Platform Management; TNC; App and OS on VM1, VM2, VM3, VM4; Trusted Logging; Hardened VIOS; SVM; Hypervisor; vTrusted Platform Module)

PowerSC Answers These Questions
1. Trusted Boot
   How can I be sure that a VM’s OS has booted in a known-trusted state?
2. Trusted Execution
   How can I be sure that the application binaries are safe to run?
3. Trusted Logging
   How can I be sure that audit files are safe from malicious modification?
4. Compliance Automation
   How can I be sure data security standards are being followed?
5. Trusted Network Connect
   How do I ensure that a new system is trustworthy when it attempts to join a secure network?

PowerSC – Trusted Boot and Trusted Execution Overview
Challenge: Ensure that every virtual machine image in your datacenter hasn’t been altered either by accident or maliciously.
(diagram labels: Applications; O/S)
PowerSC Solution: Trusted Boot forms the core root of trust for the image, i.e. a foundation for trust.
Each stage of the boot process measures the next, starting at the firmware.
(diagram labels: Kernel; BIOS)
How PowerSC works:
1. Measure the boot process and securely store the results in a Virtual Trusted Platform Module (vTPM)
2. Provide a sealed set of measurements to the requestor
3. Verify these measurements against a reference manifest
Benefits
• PowerSC offers the only solution on the market to form a chain of trust for VMs all the way from boot to application!
• Improve QoS by reducing the risk of accidental or malicious image tampering
• Reduce the time it takes to ensure that every VM in your datacenter is running authorized and trusted software.

PowerSC Moves to “Known Good Model”
Only Allow Known Trusted Software to Run
• Security Vulnerability Detection tends to work on a “Known Bad Model”. This reactive model blocks intrusions based on historical break-ins.
• PowerSC Trusted Boot employs a more efficient “Known Good Model” which only allows trusted images to run.
• Power Systems are “hermetically sealed” with tight interlocks between the hardware, virtualization and software.

“But I’ve already written Scripts to check Security and Compliance”
A: Home Grown scripts are expensive to maintain and error prone:
• Who certifies to auditors that these scripts match security standards?
• Are scripts secure from modification or tampering?
• What is the cost of maintenance of scripts?
• Who monitors data security standards and ensures that the scripts are updated?
• Is there a standard set of scripts in the company or does every group roll their own?
• What happens when the author of the scripts leaves the company?
• Do all administrators understand what the scripts do and what the expected results are?
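
The measure, store and verify steps from the Trusted Boot slide, and the “Known Good Model” check they feed, as an added example (not PowerSC code): a hash-extend register stands in for the vTPM, and SHA-256, all names and the sample images are assumptions. The signature that seals the reported measurements is assumed to have been checked already.

```python
import hashlib

ZERO = bytes(32)  # register value at reset

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def extend(register: bytes, digest: bytes) -> bytes:
    # TPM-style extend: the register can only be folded forward, never set.
    return sha256(register + digest)

def measure_boot(stages):
    """Measure each stage before handing control to it.
    Returns (final register value, event log of (name, hex digest))."""
    register, log = ZERO, []
    for name, image in stages:
        digest = sha256(image)
        log.append((name, digest.hex()))
        register = extend(register, digest)
    return register, log

def verify(reported_register, log, manifest):
    """Verifier side. An empty list means the boot matched the known-good set."""
    findings = []
    replayed = ZERO
    for _, hexdigest in log:
        replayed = extend(replayed, bytes.fromhex(hexdigest))
    if replayed != reported_register:
        findings.append("event log does not reproduce the reported register")
    for name, hexdigest in log:
        if manifest.get(name) != hexdigest:
            findings.append(f"{name}: measurement not in reference manifest")
    for name in sorted(set(manifest) - {n for n, _ in log}):
        findings.append(f"{name}: expected stage was never measured")
    return findings

# Constructed sample images; real stages would be firmware, loader and kernel binaries.
GOOD_STAGES = [("firmware", b"fw-1.0"), ("bootloader", b"loader-2.3"), ("kernel", b"kernel-7.1")]
TAMPERED_STAGES = GOOD_STAGES[:2] + [("kernel", b"kernel-7.1-modified")]
MANIFEST = dict(measure_boot(GOOD_STAGES)[1])  # reference manifest from a known-good boot

if __name__ == "__main__":
    for label, stages in (("good", GOOD_STAGES), ("tampered", TAMPERED_STAGES)):
        register, log = measure_boot(stages)
        print(label, register.hex()[:16], verify(register, log, MANIFEST) or "trusted")
```

Replaying the log against the reported register is what stops a modified image from hiding behind a rewritten event log: the log can be edited, the extended register cannot be set back.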

PowerSC – Security Compliance Automation Overview
Challenge: Demonstrate compliance to Regulatory standards by setting security configurations on systems in a uniform manner.
PowerSC solution: Compare settings across all of the systems in the datacenter against prebuilt profiles, e.g. Payment Card Industry (PCI), DoD STIG and COBIT.
How PowerSC works:
• A single dashboard monitors compliance and generates audit reports.
• Sets and checks compliance for systems based on prebuilt security profiles
Benefits
• Lower Administration costs by setting security configs in a repeatable manner
• Lower Admin costs by automating compliance reporting
• Automatic remediation of servers that are out of compliance

PowerSC – Trusted Network Connect Overview
Challenge: Ensure that images are trusted and at the proper patch level when they connect to the network.
(diagram label: Out of compliance)
PowerSC Solution: Trusted Network Connect and Patch Management detects noncompliant virtual machines during activation and alerts administrators immediately.
How PowerSC works:
• An image that does not meet trusted measurements and patch levels will trigger an alert to the administrator.
Benefits
• Reduce business risk by active notification of down level systems via email and SMS.
• Lower admin costs by automatically spotting non compliant systems within the virtual data center and cloud environments
• Lower costs of demonstrating compliance. Monitoring at virtual machine activation proves compliance to patch policy

PowerSC – Trusted Logging Overview
Challenge: Prevent malicious users from “covering their tracks.”
PowerSC Solution: Move log events to a secure external VM via the hypervisor.
Centralized logging ensures that even when virtual machines are discarded the audit logs remain on the central location for audit purposes.
How PowerSC works:
• Trusted Logging provides tamperproof secure centralized protection for AIX audit and system logs and is integrated with PowerVM virtualization.
• Limited access to the Secure VM to a few privileged super users
• Guest VM logs can be managed and backed up from a single location within each physical server.
• Log scraping agents and reporting agents can be removed from guest OS.
Benefits
• Discourage malicious activity by ensuring individual accountability; trace actions to authenticated individuals.
• Reduce the time it takes to identify tampering and/or unauthorized changes
• Reduce the time it takes to demonstrate Security Compliance by maintaining strict control over audit logs.

Power is performance redefined
• Deliver new services faster
  PowerSC accelerates secure system creation and compliance.
• Deliver higher quality services
  PowerSC reduces your business risk from accidental or malicious image tampering while minimizing the impacts to system performance.
• Deliver services with superior economics
  PowerSC dramatically reduces the operational expense to establish and maintain security assurance over your virtualized datacenter.

PowerSC Editions
Security and Compliance Options
• PowerSC Express – Basic compliance for AIX
• PowerSC Standard – Security and compliance for virtual & cloud environments
PowerSC Editions (table columns: Express; Standard)
– Security and Compliance Automation
– Trusted Logging
– Trusted Boot**
– Trusted Network Connect and Patch Management
* ** Requires POWER7 System with eFW7.4

Learn more about PowerSC on the Web
http://www.ibm.com/systems/power/software/security/

PowerSC
PowerSC provides a security and compliance solution to protect datacenters virtualized with PowerVM enabling higher quality services
• Trusted Boot
  – Business requirement: Guarantee that the OS has not been hacked or compromised in any way
  – Capability: Boot images and OS are cryptographically signed and validated using a virtual Trusted Platform Module (vTPM)
  – Defense against tampering
• Trusted Logging
  – Business requirement: Compliance and Audit
  – Capability: The VIOS captures all LPAR audit log information in real time.
  – Tamper-proof logs
• Trusted Network Connect and Patch Management
  – Business requirement: Ensure that every Virtual System has appropriate security patches
  – Capability: With the Trusted Network Connection protocol embedded in the VIOS, we can detect any system attempting to access the network and determine if it is at the correct security patch and update level.
  – Notification of unpatched systems
• Security Compliance Automation
  – Business requirement: Compliance and Audit to External Standards
  – Capability: Pre-built compliance profiles that match various industry standards such as Payment Card Industry, DOD and Sox/Cobit. Activated and reported on centrally using AIX Profile Manager
  – Compliance automation and reporting

AIX V7.1 GA 09/2010
AIX V6.1 / 7.1 Security: Role Based Access Control
Provides greater security and increased administration flexibility
(diagram labels: Users; Roles; AIX Resources; DBA; PRINT)
– Authorizations
  • Mechanism to grant access to commands or certain functionality. Context aware.
– Roles
  • A container for authorizations that can be assigned to a user.
– Privileges
  • Process attribute that allows process to bypass a security restriction.
    Not context aware.
(diagram label: BACKUP)

Authorization hierarchy:
aix: device, fs, network, proc, ras, security, system, wpar
aix.system: boot, config, install, stat
aix.system.boot:
  create    “create boot image”
  halt      “halt the system”
  info      “display boot information”
  reboot    “reboot the system”
  shutdown  “shutdown the system”

New in AIX 7: Domain Role Based Access Control
New in PowerVM 2.2: RBAC on the Virtual I/O Server

/etc/security/privcmd
# lssecattr -c -F /usr/sbin/bootinfo
/usr/sbin/bootinfo:
        accessauths = aix.system.boot.info
        innateprivs = PV_DAC_R,PV_DAC_W,PV_DEV_CONFIG,PV_KER_RA

s31 Networking and Security