User Guide static.huaweicloud.com/upload/files/pdf/20180205/... The purchased products, services and...

Database Security Service User Guide Issue 06 Date 2018-04-27 HUAWEI TECHNOLOGIES CO., LTD.


Database Security Service

User Guide

Issue 06

Date 2018-04-27

HUAWEI TECHNOLOGIES CO., LTD.


Copyright © Huawei Technologies Co., Ltd. 2018. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice

The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China
Website: http://e.huawei.com

Issue 06 (2018-04-27) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd.


Contents

1 Overview ........ 1
1.1 Database Security Service ........ 1
1.2 DBSS Instance ........ 2
1.3 Database Protection ........ 2
1.3.1 Database Security ........ 2
1.3.2 Sensitive Data Discovery ........ 3
1.3.3 Database Activity Monitoring ........ 3
1.3.4 Dynamic Data Masking ........ 3
1.4 Application Scenarios ........ 3
1.5 Accessing and Using DBSS ........ 3
1.5.1 Accessing DBSS ........ 3
1.5.2 Using DBSS ........ 3
1.5.3 Related Services ........ 4

2 Audit ........ 5
2.1 Auditable Operations ........ 5
2.2 Viewing an Audit Trace ........ 5

3 Operations Related to DBSS Instances ........ 8
3.1 Upgrading the Service ........ 8
3.2 Associating an EIP with a DBSS Instance ........ 9
3.3 Disassociating an EIP from a DBSS Instance ........ 10
3.4 Managing a DBSS Instance ........ 11

4 HexaTier ........ 16
4.1 Login to HexaTier ........ 16
4.2 Home Page ........ 19
4.3 Dashboard ........ 21

5 Initial Configuration ........ 24
5.1 Configuration Process ........ 24
5.2 Configuring the Log Repository ........ 25
5.3 Configuring Protected Databases ........ 27

6 Configuring Database Security Policies ........ 33
6.1 Configuring Database Firewall Policies ........ 33

Database Security Service User Guide Contents


6.2 Configuring Risk-based IPS/IDS Rule ........ 35
6.3 Configuring Advanced Options for a Policy ........ 37
6.3.1 Configuring Query Group ........ 39
6.3.2 Configuring Learning Mode ........ 40
6.3.3 Configuring Risk Profile ........ 42
6.3.4 Configuring Risk Engine ........ 44
6.3.5 Configuring Regular Expression Patterns ........ 45
6.4 Related Operation ........ 47
6.4.1 Switching Between Global and Database Views ........ 47
6.4.2 Reordering Database Security Rules ........ 47
6.4.3 Managing Security Logs ........ 48

7 Configuring Sensitive Data Discovery Policies ........ 50
7.1 Creating or Editing a Discovery Job ........ 50
7.2 Generating Rules Based on Discovery Results ........ 52
7.3 Creating or Editing a Regex Pattern ........ 54

8 Configuring Database Monitoring Policies ........ 55
8.1 Creating or Editing an Activity Monitoring Rule ........ 55
8.2 Auditable Objects and Commands ........ 59
8.3 Viewing Activity Monitoring Logs ........ 61

9 Configuring Dynamic Data Masking Policies ........ 62
9.1 Creating and Editing Data Masking Rules ........ 62
9.2 Viewing Data Masking Event Logs ........ 64

10 More Configuration ........ 66
10.1 Configuring Policy Objects ........ 66
10.1.1 Configuring IP Address Objects ........ 66
10.1.2 Configuring Database User Objects ........ 68
10.1.3 Configuring Application Objects ........ 70
10.1.4 Configuring Schedule Objects ........ 71
10.1.5 Configuring Table Objects ........ 73
10.1.6 Configuring Procedure Objects ........ 74
10.2 Configuring Alert-related Settings ........ 76
10.2.1 Creating or Editing an Alert ........ 76
10.2.2 Configuring a Contact ........ 77
10.2.3 Configuring an SMTP Server ........ 78
10.3 Configuring SSL Security Settings ........ 79
10.3.1 Setting Incoming SSL Security Settings ........ 80
10.3.2 Uploading Incoming Certificates ........ 81
10.3.3 Configuring Outgoing SSL Security Encryption Settings ........ 82
10.3.4 Managing Outgoing Certificates ........ 83
10.4 Customizing and Generating Reports ........ 84
10.4.1 Creating or Editing a Report ........ 84


10.4.2 Generating and Viewing a Report ........ 87
10.4.3 Exporting a Report ........ 87
10.5 Configuring the Active Directory ........ 88
10.5.1 Setting the LDAP Mode ........ 88
10.5.2 Setting the Domain Integration Mode ........ 90
10.5.3 Switching Between Integration Modes ........ 92
10.6 Configuring the Administrative Settings ........ 93
10.6.1 Creating or Editing User ........ 93
10.6.2 Changing Your Password ........ 95
10.6.3 Changing Password for Other Users ........ 96
10.7 System Configuration ........ 96
10.7.1 Configuring Management Settings ........ 96
10.7.2 Configuring Syslog ........ 97
10.7.3 Configuring System Parameters ........ 98
10.7.4 Backing up and Restoring System Configuration ........ 99
10.7.5 Generating a Support File ........ 100
10.7.6 Restarting Service ........ 101
10.8 Other Information ........ 101
10.8.1 Viewing License Information ........ 101
10.8.2 Viewing System Logs ........ 102
10.8.3 Sorting ........ 102
10.8.4 Customizing Views ........ 103
10.8.5 Filtering ........ 104
10.8.6 Key Management System (KMS) ........ 104

11 FAQs ........ 105
11.1 Function ........ 105
11.1.1 What Databases Does DBSS Support? ........ 105
11.1.2 What Databases Can DBSS Protect on HUAWEI CLOUD? ........ 105
11.1.3 How Do I Protect My EIP Against DDoS Attacks? ........ 105
11.1.4 Why Cannot I View DBSS Instances Immediately After I Purchase a Set of DBSS Instances? ........ 105
11.1.5 What Fine-Grained Functions Does DBSS Provide? ........ 105
11.1.6 What Is the Configuration Process on HexaTier? ........ 106
11.1.7 Does DBSS Require Rights of User root from a MySQL Database? ........ 106
11.1.8 Can I Import Logs Generated by DBSS to My Own Log Analysis Platform? ........ 106
11.1.9 What Database-Side Configurations Are Required by DBSS? ........ 106
11.1.10 What Is the Difference Between DBSS and WAF in SQL Injection Prevention? ........ 107
11.1.11 Will My Raw Data in the Database Be Changed by the Dynamic Data Masking Function? ........ 107
11.1.12 How Will DBSS Affect My Service Latency? ........ 107
11.2 Restriction ........ 107
11.2.1 What Constraints Does HexaTier Have? ........ 107
11.2.2 What Browser Versions Does HexaTier Support? ........ 107
11.3 Management ........ 107


11.3.1 How Do I Log In to HexaTier? ........ 108
11.3.2 What Should I Do When I Fail to Log In to HexaTier? ........ 110

A Change History ........ 111


1 Overview

1.1 Database Security Service

The Database Security Service (DBSS) is a security service that protects databases on clouds. Based on the reverse proxy and machine learning technologies, it provides functions such as data masking, database auditing, sensitive data discovery, and injection attack prevention.

Based on security configurations of DBSS instances, DBSS provides protection and auditing functions for the following databases on HUAWEI CLOUD:

- Relational Database Service (RDS) instances
- Databases on Elastic Cloud Servers (ECSs)
- Databases on Bare Metal Servers (BMSs)

Deployment Architecture

Figure 1-1 shows the deployment architecture of DBSS.


Figure 1-1 DBSS deployment architecture

1.2 DBSS Instance

A DBSS instance is an independently running set of DBSS. You can apply for and manage instances on the DBSS console.

1.3 Database Protection

After you purchase a DBSS instance, you can log in to the database protection platform (HexaTier) to configure protection and auditing functions for your database on HUAWEI CLOUD.

1.3.1 Database Security

Database security policies include database firewall settings, separation of duties, and SQL injection detection and protection.

- HexaTier supports policy customization, automatically learns policies, and can pre-configure Intrusion Detection System/Intrusion Prevention System (IDS/IPS) policies based on exception detection. If a request that violates the security policy reaches the database firewall, HexaTier reports an alarm in real time or blocks the request, as required. Using machine learning, HexaTier can also establish a user access behavior baseline and generate and execute protection rules from it.

- HexaTier supports fine-grained user management and permission control based on SQL operation types, object owners, tables, view objects, or columns.

- HexaTier has a built-in SQL injection protection feature, context-based learning models, and rating mechanisms. It performs comprehensive diagnosis on any incoming SQL and blocks any suspicious ones in real time, protecting your databases from SQL injection attacks.


1.3.2 Sensitive Data Discovery

- HexaTier has built-in compliance knowledge bases for Payment Card Industry (PCI), Healthcare Information Portability and Accountability Act (HIPAA), and Sarbanes-Oxley Act (SOX). You can also customize the rule knowledge base and discovery policies for sensitive data.

- Once sensitive data is identified, you can generate masking and audit rules in one click.

1.3.3 Database Activity Monitoring

- HexaTier can monitor at the database, table, or column level. It can independently monitor and analyze database activities, detecting and generating alarms for unauthorized activities.

- Database activity monitoring is also called database audit. HexaTier provides leads for multi-dimensional database audit, including source IP addresses, user identities, applications, access time, requested databases, original SQL statements, operations, execution successes/failures, elapsed time, and returned results, helping you trace attackers. The audit records are remotely stored to meet audit compliance requirements.

1.3.4 Dynamic Data Masking

- You can set a rule to anonymize data from a specific table, source IP address, user, or application.

- An accurate masking engine anonymizes sensitive user data in real time without affecting application performance or data storage in the database.

1.4 Application Scenarios

Deployed as a reverse proxy between an application server and a database, DBSS provides you with database protection functions such as database firewall, database auditing, and dynamic data masking.

DBSS supports the following database types:

- Microsoft SQL Server 2008 - 2014
- MySQL 5.5 - 5.7
- PostgreSQL 9.4 - 9.5

1.5 Accessing and Using DBSS

1.5.1 Accessing DBSS

You can use the management console to access DBSS. If you have registered with the public cloud, you can log in to the management console directly and choose Security > Database Security Service.

1.5.2 Using DBSS

After you purchase a set of DBSS instances, you can log in to the database protection platform (HexaTier) to configure the instances and protect your database.


1.5.3 Related Services

ECS

DBSS instances are created on Elastic Cloud Servers (ECSs). You can use the DBSS instances to protect and audit databases already running on the ECSs.

RDS

DBSS can protect and audit Relational Database Service (RDS) instances.

BMS

DBSS can protect and audit databases already running on Bare Metal Servers (BMSs).

CTS

Cloud Trace Service (CTS) provides you with a history of DBSS operations. After enabling CTS, you can view all generated traces to review and audit performed DBSS operations. For details, see the Cloud Trace Service User Guide.

Table 1-1 DBSS operations that can be recorded by CTS

Operation               Resource Type   Trace Name
Creating an instance    dbss            createInstance
Deleting an instance    dbss            deleteInstance
Starting an instance    dbss            startInstance
Stopping an instance    dbss            stopInstance
Restarting an instance  dbss            rebootInstance


2 Audit

Cloud Trace Service (CTS) records all operations on DBSS, including requests initiated from the management console or open APIs and responses to the requests, for tenants to query, audit, and trace.

2.1 Auditable Operations

Table 2-1 lists DBSS operations recorded by CTS.

Table 2-1 DBSS operations that can be recorded by CTS

Operation        Description
createInstance   Creating a DBSS instance
deleteInstance   Deleting a DBSS instance
startInstance    Starting a DBSS instance
stopInstance     Stopping a DBSS instance
rebootInstance   Restarting a DBSS instance

2.2 Viewing an Audit Trace

After you enable CTS, the system starts recording operations on DBSS. Operation records for the last seven days can be viewed on the CTS console.

Viewing a DBSS Trace on the CTS Console

Step 1 Log in to the management console.

Step 2 Click Service List and select Cloud Trace Service under Management & Deployment.

Step 3 Choose Trace List in the navigation pane.

Step 4 Click Filter in the upper right corner to set the corresponding conditions.


The following four filters are available:

- Trace Source, Resource Type, and Search By
  - Select the filter from the drop-down list. Set Trace Source to DBSS.
  - When you select Trace name for Search By, you also need to select a specific trace name.
  - When you select Resource ID for Search By, you also need to select or enter a specific resource ID.
  - When you select Resource name for Search By, you also need to select or enter a specific resource name.
- Operator: Select a specific operator (a user other than tenant).
- Trace Rating: Available options include All trace status, normal, warning, and incident. You can only select one of them.
- Start time and End time: You can specify the specific period to query traces.

Step 5 Click Query.

Step 6 Click on the left of a trace to expand its details, as shown in Figure 2-1.

Figure 2-1 Expanding trace details

Step 7 Click View Trace in the Operation column. On the displayed View Trace dialog box shown in Figure 2-2, the trace structure details are displayed.


Figure 2-2 Viewing a trace

----End
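The filters in Step 4 and the trace names in Table 2-1 can also be applied offline to an exported trace list, which is useful when the seven-day console window is not enough or when traces are kept in a log platform. The Python script below is an added example, not code from this user guide, from CTS or from DBSS. The pipe-separated record layout and the sample traces are constructed for illustration, and a real CTS export may name its fields differently. It applies the same filters the console offers (trace source, trace name, resource ID or name, operator, trace rating, time window) and then pulls out the stopInstance and deleteInstance traces, which an auditor reviews first because after them the instance no longer protects or audits its databases.

```python
"""Filter and review CTS-style audit traces for DBSS operations.

Added example; not code from the Huawei user guide, from CTS or from DBSS.
The record layout is a constructed approximation of the filter fields the
guide lists; a real CTS export may name its fields differently.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# DBSS trace names CTS can record, as listed in Table 2-1 of the guide.
DBSS_TRACE_NAMES = {
    "createInstance": "Creating a DBSS instance",
    "deleteInstance": "Deleting a DBSS instance",
    "startInstance": "Starting a DBSS instance",
    "stopInstance": "Stopping a DBSS instance",
    "rebootInstance": "Restarting a DBSS instance",
}
# Operations after which an instance no longer protects or audits its databases.
PROTECTION_REDUCING = {"stopInstance", "deleteInstance"}
RATINGS = ("normal", "warning", "incident")  # the three trace ratings in the guide

# Constructed sample export (not real CTS output), one trace per line:
# source | resource type | trace name | resource ID | resource name | operator | rating | UTC time
SAMPLE_TRACES = """\
DBSS | dbss | createInstance | dbss-0001 | dbss-prod-a | alice | normal   | 2018-04-20T08:15:00
DBSS | dbss | stopInstance   | dbss-0001 | dbss-prod-a | bob   | warning  | 2018-04-21T23:40:00
DBSS | dbss | startInstance  | dbss-0001 | dbss-prod-a | bob   | normal   | 2018-04-22T00:05:00
DBSS | dbss | deleteInstance | dbss-0002 | dbss-test-b | alice | incident | 2018-04-23T12:00:00
RDS  | rds  | deleteInstance | rds-0009  | rds-test-c  | carol | normal   | 2018-04-23T12:30:00
"""


@dataclass
class Trace:
    trace_source: str   # service that produced the trace, e.g. "DBSS"
    resource_type: str  # "dbss" for every DBSS operation (Table 1-1)
    trace_name: str     # e.g. "stopInstance"
    resource_id: str
    resource_name: str
    operator: str       # user who issued the request
    trace_rating: str   # one of RATINGS
    time: datetime      # timezone-aware, UTC


def utc(ts: str) -> datetime:
    """Turn an ISO-8601 timestamp without a zone into an aware UTC datetime."""
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)


def parse_trace(line: str) -> Trace:
    """Parse one pipe-separated sample line; reject malformed records loudly."""
    fields = [f.strip() for f in line.split("|")]
    if len(fields) != 8:
        raise ValueError(f"expected 8 fields, got {len(fields)}: {line!r}")
    src, rtype, name, rid, rname, op, rating, ts = fields
    if rating not in RATINGS:
        raise ValueError(f"unknown trace rating {rating!r} in {line!r}")
    return Trace(src, rtype, name, rid, rname, op, rating, utc(ts))


def load_traces(text: str) -> List[Trace]:
    return [parse_trace(line) for line in text.splitlines() if line.strip()]


def filter_traces(traces: List[Trace], *, trace_source: str = "DBSS",
                  trace_name: Optional[str] = None, resource_id: Optional[str] = None,
                  resource_name: Optional[str] = None, operator: Optional[str] = None,
                  trace_rating: Optional[str] = None,
                  start: Optional[datetime] = None, end: Optional[datetime] = None) -> List[Trace]:
    """Apply the console's Step 4 filters; a None argument means 'All'."""
    wanted = [(trace_name, lambda t: t.trace_name), (resource_id, lambda t: t.resource_id),
              (resource_name, lambda t: t.resource_name), (operator, lambda t: t.operator),
              (trace_rating, lambda t: t.trace_rating)]
    out = []
    for t in traces:
        if t.trace_source != trace_source:
            continue
        if any(value is not None and get(t) != value for value, get in wanted):
            continue
        if (start is not None and t.time < start) or (end is not None and t.time > end):
            continue
        out.append(t)
    return out


def protection_changes(traces: List[Trace]) -> List[Trace]:
    """DBSS traces that stopped or deleted an instance, in time order."""
    hits = [t for t in filter_traces(traces) if t.trace_name in PROTECTION_REDUCING]
    return sorted(hits, key=lambda t: t.time)


def count_by_operator(traces: List[Trace]) -> Dict[str, int]:
    """Operations per user, for spotting operators who should not touch DBSS."""
    return dict(Counter(t.operator for t in traces))


if __name__ == "__main__":
    for t in protection_changes(load_traces(SAMPLE_TRACES)):
        print(f"{t.time:%Y-%m-%d %H:%M} {t.operator:<6} {t.trace_name:<15} "
              f"{t.resource_name} ({DBSS_TRACE_NAMES[t.trace_name]})")
```

Running the script prints the two protection-reducing traces from the sample data, the stop by bob and the delete by alice, with their resource names and the Table 2-1 description. The RDS row is dropped by the default trace_source filter, which matches the guide's instruction to set Trace Source to DBSS.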


3 Operations Related to DBSS Instances

3.1 Upgrading the Service

After purchasing a set of DBSS instances, you can upgrade them online to the latest version.

Prerequisites

- You have obtained an account and its password to log in to the management console.
- You have purchased at least one set of DBSS instances and the Running Status of both instances is Running.

Precautions

NOTICE

A master-slave switchover of nodes will be triggered during the upgrade, and the service will be interrupted temporarily.

Procedure

Step 1 Log in to the management console.

Step 2 Choose Security > Database Security Service. The Database Security Service page is displayed.

Step 3 In the square ("card") of the desired set of DBSS instances, click Upgrade, as shown in Figure 3-1.

Figure 3-1 Upgrading DBSS

Step 4 In the dialog box that is displayed, click OK.

After the upgrade, both the master and slave instances will be the latest version.

----End

3.2 Associating an EIP with a DBSS Instance

If you want to log in to HexaTier from the Internet through a DBSS instance, you need to associate an EIP with the instance.

This section describes how to associate an EIP with a DBSS instance.

Prerequisites

- You have obtained an account and its password to log in to the management console.
- You have purchased at least one set of DBSS instances and the Running Status of the instance with which you want to associate an EIP is Running.
- You have purchased an EIP on HUAWEI CLOUD, and the EIP has not been associated with any DBSS instance.

Procedure

Step 1 Log in to the management console.

Step 2 Choose Security > Database Security Service. The Database Security Service page is displayed.

Step 3 In the square of the set of DBSS instances to be associated with an EIP, click Associate, as shown in Figure 3-2.

Figure 3-2 Associating an EIP with a DBSS Instance

Step 4 In the Associate EIP dialog box that is displayed, select the EIP to be associated and click OK, as shown in Figure 3-3.

Figure 3-3 Selecting an EIP

----End

3.3 Disassociating an EIP from a DBSS Instance

When a DBSS instance needs to be re-associated with another EIP, or an EIP needs to be released, you must first disassociate the EIP from the DBSS instance.

Prerequisites

- You have obtained an account and its password to log in to the management console.
- You have purchased at least one set of DBSS instances and the Running Status of the instance from which you want to disassociate the EIP is Running.
- The DBSS instance has been associated with an EIP.

Procedure

Step 1 Log in to the management console.

Step 2 Choose Security > Database Security Service. The Database Security Service page is displayed.

Step 3 In the square of the set of DBSS instances to be disassociated from an EIP, click Disassociate, as shown in Figure 3-4.

Figure 3-4 Disassociating a set of DBSS instances from an EIP

Step 4 Click OK in the displayed dialog box.

----End

3.4 Managing a DBSS Instance

After you purchase a set of DBSS instances, you can view, restart, start, or stop a DBSS instance.

Prerequisites

- You have obtained an account and its password to log in to the management console.
- You have purchased a set of DBSS instances.
- The Running Status of the DBSS instance to be restarted or stopped is Running.
- The Running Status of the DBSS instance to be started is Stopped.

Viewing the Information About a DBSS Instance

Step 1 Log in to the management console.

Step 2 Choose Security > Database Security Service. The Database Security Service page is displayed.

Step 3 View the information about the desired DBSS instance, as shown in Figure 3-5. Table 3-1 describes the parameters.

NOTE

Click the icon next to an instance to view its details.

Figure 3-5 Viewing the information about a DBSS instance

Table 3-1 Parameter description

Parameter: Instance Name
Name of a DBSS instance

Parameter: Version
Service version of the DBSS instance

Parameter: Connection Address
Private IP address of a DBSS instance, to which an application is connected

Parameter: Running Status
Running status of a DBSS instance, which can be:
- Running
- Creating
- Faulty
- Stopped

----End

Restarting a DBSS Instance

Step 1 Log in to the management console.

Step 2 Choose Security > Database Security Service. The Database Security Service page is displayed.

Step 3 Click the DBSS instance to be restarted.

Step 4 In the row containing the desired instance, click Restart, as shown in Figure 3-6.

Figure 3-6 Restarting a DBSS instance

Step 5 In the displayed dialog box, click OK, as shown in Figure 3-7.

Figure 3-7 The Restart dialog box

Click the refresh icon above the list to verify the restart.

----End

Starting a DBSS Instance

A DBSS instance starts automatically after you purchase it. After it is started, you can log in to HexaTier to manage its configuration and protect your database.

To log in to HexaTier from a stopped DBSS instance, you need to start the instance first.

Step 1 Log in to the management console.

Step 2 Choose Security > Database Security Service. The Database Security Service page is displayed.

Step 3 Click the DBSS instance to be started.

Step 4 In the row containing the desired instance, click Start, as shown in Figure 3-8.

Figure 3-8 Starting a DBSS instance

Step 5 In the displayed dialog box, click OK.

When the DBSS instance is started, its Running Status becomes Running.

----End

Stopping a DBSS Instance

After you stop a DBSS instance, you will not be able to log in to HexaTier from the instance.

Step 1 Log in to the management console.

Step 2 Choose Security > Database Security Service. The Database Security Service page is displayed.

Step 3 Click the DBSS instance to be stopped.

Step 4 In the row containing the desired instance, click Stop, as shown in Figure 3-9.

Figure 3-9 Stopping a DBSS instance

Step 5 In the displayed dialog box, click OK, as shown in Figure 3-10.

Figure 3-10 The Stop dialog box

When the DBSS instance is stopped, its Running Status becomes Stopped.

----End

4 HexaTier

4.1 Login to HexaTier

Scenario

After a DBSS instance is started, you must log in to HexaTier and manage the instance's configuration to protect your database.

- If an EIP has been associated with a DBSS instance, two methods are available for going to the HexaTier login page: directly from the DBSS console, or using an ECS in the VPC where the instance resides.
- If no EIP has been associated with the DBSS instance, only one method is available: using an ECS in the VPC where the instance resides.

Prerequisites

- You have obtained an account and its password to log in to the management console.
- You have associated an EIP with your DBSS instance and the instance's Running Status is Running. This prerequisite applies to the scenario in which you log in to HexaTier from the DBSS console over the Internet.
- The password for logging in to HexaTier has been obtained.

NOTE

You set this password when you purchase the DBSS instance. Keep the password safe.

Table 4-1 lists web browsers supported by HexaTier.

Table 4-1 Supported browser versions

Browser Version

Google Chrome -

Mozilla Firefox 30.1 and later

Internet Explorer 11.0 and later

Going to the HexaTier Login Page on the Internet from the DBSS Console

Step 1 Log in to the management console.

Step 2 Choose Security > Database Security Service. The Database Security Service page is displayed.

Step 3 In the square of the desired set of DBSS instances, click Login to go to the HexaTier login page, as shown in Figure 4-1.

Figure 4-1 Logging in to HexaTier

Step 4 Enter the login username (admin) and password. Then click Logon or press Enter.

----End

Using an ECS in the VPC Where the Instance Resides

Step 1 In the VPC where the DBSS instance you want to use to log in to HexaTier resides, check whether there are any other ECSs.

- If yes, go to Step 2.
- If no, create an ECS in this VPC and go to Step 2.

Step 2 In the address box of one of the browsers listed in Table 4-2, enter https://<private IP address of the newly created ECS>:5000. Then press Enter to go to the HexaTier login page.

NOTICE

If you fail to access port 5000, add Transmission Control Protocol-based (TCP-based) access permissions on the port to the corresponding security group. For details, see the Virtual Private Cloud User Guide.

Table 4-2 Supported browser versions

Browser Version

Google Chrome -

Mozilla Firefox 30.1 and later

Internet Explorer 11.0 and later

Step 3 Enter the login username (admin) and password. Then click Logon or press Enter.

----End

4.2 Home Page

The HexaTier console interface is made up of the functional areas described in Table 4-3.

Table 4-3 Functional areas

Functional Area: Main menu
The main menu provides the following items:
- Dashboard displays the overview of each area in the system. For details, see Dashboard.
- Assets allows you to set and modify active directories, protected databases, object definitions, and schema definitions.
- Discovery automatically locates and classifies sensitive data in the database environment. Once sensitive data is identified, you can quickly create masking and monitoring rules. For details, see Configuring Sensitive Data Discovery Policies.
- Firewall allows you to manage database firewalls and risk policies, including intrusion detection and prevention. For details, see Configuring Database Security Policies.
- Monitoring allows you to manage database activity monitoring policies and view monitoring logs. For details, see Configuring Database Monitoring Policies.
- Masking allows you to manage data masking policies and view data masking events. For details, see Configuring Dynamic Data Masking Policies.
- Report allows you to define, generate, display, and export reports, including statistics on database activities. For details, see Customizing and Generating Reports.
- System allows you to set system configuration and maintenance options. Only users with administrator rights can access the System menu.

Functional Area: Command bar
You can create new projects or objects for a selected function, create a custom view by setting filter criteria, and sort rules in the policy view.

Functional Area: Task bar
You can perform the following operations on any HexaTier interface:
- Click the Change Password icon to change the password of the logged-in user.
- Click the Default Language icon to change the HexaTier console language to Chinese or English.
- Click the Help icon to view help information about the current page.
- Click the Log Out icon to log out of the HexaTier console.

Functional Area: Navigation tree
You can choose sub-items of the item chosen from the main menu. For example, if you choose Masking from the main menu, the navigation tree displays functions related to data masking.
Click the collapse icon to hide the navigation tree.

Functional Area: Workspace
Information displayed here can be used to perform different tasks. You can also view log information here.

Functional Area: Status Bar
You can view the name of the current user.

4.3 Dashboard

Dashboard

Widgets

Table 4-4 Widgets

Widget: System Information
Displays HexaTier system information, including:
- System time
- Timezone
- License status
- Last session

Widget: Latest Intrusion Events
Displays the list of latest intrusion attacks. You can click an intrusion event to view its log.

Widget: System Activity
Displays real-time and the latest historical records in the following charts:
- Security: permitted and prevented security events
- Monitoring: audit and administrative audit events
- Masking: masking events
- SQL Injections

Widget: Top Activity
Displays the following top activity information in bar charts:
- Top Users
- Top IPs
- Top Rules
- Top Applications

Widget: Performance
Displays real-time summary information about the following items:
- Memory: percentage of OS memory occupied by the HexaTier process
- CPU: percentage of CPU used by the HexaTier process
- Session: number of open sessions
- Throughput (TPS): transaction throughput per second

Widget: Latest Security Events
Displays the list of latest secure traffic events. You can click an event to view its secure traffic logs.

Widget: Top SQL Injection Patterns
Displays the list of detected top SQL injection patterns. You can click an event to view details about the SQL injection pattern.

Widget: Protected Database Servers: Topology
Displays the topology between the following items:
- Applications
- Proxies
- Instances
- Databases

Widget: Latest Masking Events
Displays the list of latest data masking events. Click an event to display the masking event logs.

Widget: High Availability Status
Displays the summary of HexaTier HA status.

Configuring the Dashboard

Step 1 On the HexaTier main menu, click Dashboard.

Step 2 Click Widgets Gallery to display hidden widgets on the Dashboard page.

Step 3 In the navigation tree, select the required widget categories. The options are as follows:
- Audit
- Security
- Masking
- All

Step 4 Drag widgets to required positions.

----End

NOTE

- To close the widget selection area, click Widgets Gallery again.
- To remove a widget, click the close icon at its top right corner.
- To change the dashboard layout, drag widgets to the required positions.
- To configure how many columns are displayed, click Column at the top right corner of the dashboard.

5 Initial Configuration

5.1 Configuration Process

After logging in to HexaTier, you must configure your DBSS instance so that it can connect to, protect, and audit your database on HUAWEI CLOUD.

Figure 5-1 illustrates the configuration process.

Figure 5-1 Configuration process

NOTE

For details about configuring a policy object, see Configuring Policy Objects.

5.2 Configuring the Log Repository

Scenario

Configure the log storage location.

After you have configured the log repository, the monitoring feature is enabled and you can view the logs.

You can view the following types of logs:

Log Type: Traffic
Contains all events that meet the criteria defined by the rules. For details about traffic logs, see Managing Security Logs.

Log Type: Intrusion
Lists the queries that were identified and/or blocked when SQL injection attempts were detected. For details about intrusion logs, see Managing Security Logs.

Log Type: Monitoring
Contains monitoring event logs generated by customized activity monitoring rules. For details about monitoring logs, see Viewing Activity Monitoring Logs.

Log Type: Masking
Contains masking event logs generated by customized masking rules. For details about masking logs, see Viewing Data Masking Event Logs.

Log Type: System
Contains details about how HexaTier manages the console. For details about system logs, see Viewing System Logs.

NOTICE

- If the database type where logs are stored is changed, the stored logs may be lost.
- If the log storage location is not configured, HexaTier records the logs locally. HexaTier generates log files (system logs, security logs, masking logs, and audit logs) for all types of logs. The maximum size of a local log file is 50 MB.
- While you configure the log repository, the SSL connection is used by default.

NOTE

If a log repository is configured for MySQL, HexaTier sets the following parameters on your MySQL server:

- SET GLOBAL LOCAL_INFILE = 1

  The LOCAL_INFILE system variable controls the server-side local capability. Setting LOCAL_INFILE to 1 (enable) forces the server to permit local data loading by clients that have local enabled on the client side.

- SET GLOBAL LOG_BIN_TRUST_FUNCTION_CREATORS = 1

  The LOG_BIN_TRUST_FUNCTION_CREATORS system variable controls whether binary logging trusts stored function creators, because stored functions may be non-deterministic and cause unsafe events. Setting LOG_BIN_TRUST_FUNCTION_CREATORS = 1 (enable) relaxes the restrictions on non-deterministic functions.

If you select RDS MySQL as the log repository, set the parameter group on the RDS console and set local_infile to ON before configuring log storage.

Procedure

Step 1 On the HexaTier main menu, click System.

Step 2 In the navigation tree, select Logs > Log Repository.

Step 3 Select Log Database Type and set the following parameters:

Table 5-1 Parameters

Parameter: Log Database Type
Specifies the database that connects to the log storage location. The database types can be:
- MySQL
- SQL-Server
- PostgreSQL

Parameter: Address
Specifies the IP address or the host name of the database to be connected.

Parameter: Port
Specifies the database port used to connect to the database instance. Examples of such ports are port 3306 of the MySQL database and port 8635 allocated by the system when you create an RDS MySQL database. You can configure the port as required.

Parameter: Instance
This parameter is displayed after you select SQL-Server for Log Database Type. Specifies the name of the instance used to connect to the SQL-Server database.

Parameter: Database Name
Specifies the name of the database that stores the system logs. You can set this parameter as required.

Parameter: Authentication
This parameter is displayed after you select SQL-Server for Log Database Type. Specifies the authentication mode of your account when you connect to the database:
- For SQL authentication, use an SQL account (for example, sa) for authentication.
- For Windows authentication, use a Windows account (for example, domain\administrator) for authentication.
NOTE
After configuring domain integration, you can select Windows authentication. Otherwise, SQL authentication is selected by default. For details about domain integration, see Setting the Domain Integration Mode.

Parameter: Username
Specifies the user name used for logging in to the log storage database. The user must have read/write permission on the log storage database.

Parameter: Password
Specifies the password used for logging in to the log storage database.

Step 4 Click Test.

Step 5 Click Update.

----End

5.3 Configuring Protected Databases

Scenario

Create and edit a protected database.

After you have configured a protected database in the HexaTier console, you can enable functions such as sensitive data discovery, database firewall, database activity monitoring, and dynamic data masking.

After the protected database is created, you need to change the IP address and port of the database to which the application connects to the IP address and port of the HexaTier proxy.

Prerequisites

- Make sure that the SQL service on the database server is running.
- Make sure that the database server is properly networked.

Procedure

Step 1 On the HexaTier main menu, click Assets.

Step 2 In the navigation tree, choose Protected Databases.

Step 3 Perform either of the following operations:

- Create a protected database:
  In the command bar, click Create New, and choose any of the following database types:
  – SQL Server
  – MySQL
  – PostgreSQL

  NOTE

  – For Kerberos support on protected databases using SQL-Server, you must first configure active directory.
  – Protected databases using SQL Server are case-sensitive only at the instance level.

- Edit an existing protected database:
  Click the Edit icon at the end of the row where the protected database to be edited resides.

Step 4 Set parameters as required.

Table 5-2 Database parameters

Parameter Name: Database Server Address
Specifies the host name or IP address of the database instance.

Parameter Name: Port/Instance Name
This parameter is displayed when the selected database type is SQL-Server. Specifies the port or instance name used to connect to your database. For example, the port of the RDS SQL Server you created is 8433.

Parameter Name: Port
This parameter is displayed when the selected database type is MySQL or PostgreSQL. Specifies the database connection port, for example, the default MySQL port 3306, or the port 8635 allocated by the system when you create the RDS MySQL database. You can modify it as required.

Parameter Name: Name
Specifies the alias of the connected database instance. HexaTier automatically generates the alias and you can modify it as required.

Parameter Name: Default Database
HexaTier automatically connects to the default database in the database instance. You can change the default database.
- For SQL-Server, the default database is master.
- For MySQL, the default database is mysql.
- For PostgreSQL, the default database is postgres.

Parameter Name: Authentication Method
Specifies the authentication method used when you connect to the database with an account. The options are as follows:
- SQL Authentication: Use an SQL account for connection.
- Windows Authentication: Use Windows authentication.
NOTE
Windows Authentication is available only after you have configured Domain Integration in active directory. If the directory is not configured, SQL Authentication is selected by default. For details about how to configure Domain Integration, see Setting the Domain Integration Mode.

Parameter Name: Username
Specifies the user name used for logging in to the database.

Parameter Name: Password
Specifies the password used for logging in to the database.

Step 5 (Optional) Configure a proxy and its SSL security.

NOTE

- During protected database creation, HexaTier automatically creates a default proxy. You can modify it.
- The proxy can be set to bypass mode, in which the incoming and outgoing traffic of the database is not checked.
  – You can manually set the proxy status to bypass. For details, see Table 5-3.
  – When the HexaTier service is unavailable due to a fault, it automatically switches to bypass mode. When the fault is rectified, you need to restart the HexaTier service to restore the proxy status to Active.

1. Click Advanced Proxy Configuration.

2. Set the parameters in the following table as required:

Table 5-3 Advanced proxy configuration parameters

Parameter: Proxy Label
Specifies the logical name of a proxy. You can modify it.

Parameter: Listening Address
Specifies the IP address on which the proxy listens. You can set it to 0.0.0.0 to listen on all IP addresses.

Parameter: Port
Specifies the port used to connect to HexaTier. You are advised to set it to the same value as the database port. It can be any port other than ports 0–1023, port 5000, and occupied ports.

Parameter: Status
Select any of the following:
- Active: Activate the proxy.
- Disable: Disable the proxy.
- Bypass: Traffic is transmitted to the database without checking. (This is insecure.)

Parameter: Authentication Proxy
Authentication Proxy is available only when Domain Integration is configured. Specifies the credentials used for connecting to the database and allows HexaTier to use the active directory to identify client credentials. The options are as follows:
- Same as above: Use the same user name and password as those configured in Windows authentication.
- SQL authentication: Allows you to specify your own user name and password.
NOTE
- For details about how to configure Domain Integration, see Setting the Domain Integration Mode.
- The authentication proxy function can be used for all databases.
- The provided user name and password determine the derived proxy rights.

Parameter: SSL Certificate
In the SSL Certificate drop-down list, select a certificate.
NOTE
- You can import other certificates. For details, see Uploading Incoming Certificates.
- If the client does not provide the required SSL certificate, click the import icon to import the certificate to the client.

Parameter: Block unencrypted connections
Encrypts all communications and blocks unencrypted connections. You are advised to select this check box. If you do not select it, none of the proxy's communications are encrypted, which incurs communication security risks.

NOTE

- To add multiple proxies, click Add Proxy.
- You can modify the lowest incoming SSL security settings. For details, see Setting Incoming SSL Security Settings.
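The constraints in Table 5-3 can be checked before a proxy configuration is saved, so that a reserved port or an insecure status is caught before it reaches the console. The following Python validator is an added example, not HexaTier's own code or API; the configuration dictionary, its field names (listening_address, port, status, block_unencrypted) and the two sample configurations are assumptions made for this example.

```python
"""Sanity-check a HexaTier advanced proxy configuration before saving it.

Added example, not HexaTier's own code or API. It encodes the constraints
from Table 5-3 (listening address, port range, status, block unencrypted
connections) as a standalone validator; the configuration dict shape and
its field names are assumptions made for this example.
"""
import ipaddress

CONSOLE_PORT = 5000        # reserved for the HexaTier console, per the guide
PRIVILEGED_MAX = 1023      # ports 0-1023 are not allowed for a proxy
VALID_STATUS = {"Active", "Disable", "Bypass"}


def check_proxy_config(cfg, occupied_ports=frozenset(), db_port=None):
    """Return (errors, warnings).

    errors   - values the guide rules out; the configuration should not be saved.
    warnings - values the guide allows but advises against because they weaken
               inspection or encryption.
    """
    errors, warnings = [], []

    # Listening Address: must be an IP literal; 0.0.0.0 listens on all addresses.
    try:
        addr = ipaddress.ip_address(str(cfg.get("listening_address", "")))
    except ValueError:
        errors.append("listening_address must be an IP address (0.0.0.0 for all)")
    else:
        if addr.is_unspecified:
            warnings.append("listening on all addresses; restrict reachability with a security group")

    # Port: outside 0-1023, not the console port, not already in use.
    port = cfg.get("port")
    if not isinstance(port, int) or not 0 <= port <= 65535:
        errors.append("port must be an integer between 0 and 65535")
    else:
        if port <= PRIVILEGED_MAX:
            errors.append(f"port {port} is in the reserved range 0-{PRIVILEGED_MAX}")
        elif port == CONSOLE_PORT:
            errors.append(f"port {CONSOLE_PORT} is used by the HexaTier console")
        elif port in occupied_ports:
            errors.append(f"port {port} is already occupied")
        if db_port is not None and port != db_port:
            warnings.append(f"port {port} differs from the database port {db_port}; "
                            "the guide advises using the same port")

    # Status: Bypass forwards traffic to the database without inspection.
    status = cfg.get("status")
    if status not in VALID_STATUS:
        errors.append(f"status must be one of {sorted(VALID_STATUS)}")
    elif status == "Bypass":
        warnings.append("Bypass passes traffic to the database unchecked (insecure)")

    # Block unencrypted connections: unchecked means proxy traffic is in the clear.
    if not cfg.get("block_unencrypted", False):
        warnings.append("block_unencrypted is off; proxy communications are not encrypted")

    return errors, warnings


# Constructed sample configurations (field names are assumptions of this example).
HARDENED_PROXY = {"listening_address": "192.0.2.10", "port": 3306,
                  "status": "Active", "block_unencrypted": True}
WEAK_PROXY = {"listening_address": "0.0.0.0", "port": 5000,
              "status": "Bypass", "block_unencrypted": False}

if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED_PROXY), ("weak", WEAK_PROXY)):
        errors, warnings = check_proxy_config(cfg, db_port=3306)
        print(name, "errors:", errors, "warnings:", warnings)
```

Errors correspond to values the table forbids outright (a privileged port, port 5000, an occupied port, an unparseable address, an unknown status); warnings correspond to choices the table permits but flags as insecure, namely Bypass status and an unchecked Block unencrypted connections, plus the two pieces of advice about listening on every address and matching the database port.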

Step 6 (Optional) Click Test.

NOTE

The connection test is optional, because the user connection and security settings are automatically tested when they are saved.

Step 7 Click Save.

SSL settings are automatically tested when they are saved. If they are valid, user credentials will be authenticated, and the test result described in the following table will be displayed.

Table 5-4 Test result

Test result: Success
Description: The protected database is connected.
Measures: None.

Test result: SSL error
Description: Failed to establish an SSL connection based on the provided parameters.
Measure 1: Click Proceed anyway to use unencrypted communications.
Measure 2: Click Cancel, troubleshoot your database SSL settings, and try again.


Test result: Trust error
Description: Failed to authenticate the server identity. The security certificate is not trusted by HexaTier.
Measure 1: Upload your CA certificate, and try again. For details about how to upload a certificate to the outgoing repository, see Managing Outgoing Certificates.
Measure 2: Click Proceed anyway to add your instance to the exception table. The communications will be kept encrypted.

Test result: Minimum level not met
Description: The server does not meet the minimum security setting specified by the administrator.
Measure 1: Click Cancel, upgrade the SSL version in your database, and try again.
Measure 2: Click Proceed anyway to add your instance to the exception table. Communications will be kept encrypted, but at a lower security setting.
Measure 3: Click Cancel, downgrade your outgoing SSL security settings, and try again. For details about how to set outgoing security settings, see Managing Outgoing Certificates.
NOTE: Modifying outgoing SSL security settings may affect protected databases created later.

----End


6 Configuring Database Security Policies

This section describes the security policy feature of the database firewall, which is the core mechanism for protecting database security.

You can choose to be immediately alerted when a policy is breached.

You can configure security policies in any of the following types:

- Learning mode: The HexaTier policy has a self-learning mode. Once the learning time has ended, the database firewall automatically generates security policy rules, which you can accept or reject. The learning mode simplifies the execution of database security policies.

- Database firewall: This type allows you to customize security policy rules based on query groups, tables, or stored procedures. You can determine whether to allow or deny requests that violate the rules.

- Risk based-IPS/IDS: This rule type enables you to use an intrusion prevention system (IPS) or intrusion detection system (IDS) to handle possible database risks.

HexaTier's policy engine scans the defined rules for an exact match. The database security policy is executed in descending order of policy priority: when the engine finds the first matching rule, it stops scanning the remaining rules. The database security policy contains a rule that allows all query operations. If the policy is deleted, all query operations are blocked.

Create policy objects and apply the policy to queries from a specific IP address, database user,active directory user, application, or schedule (see Configuring Policy Objects).
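The policy engine's first-match behaviour, as an added example (not HexaTier's own code): rules are scanned highest priority first, the first matching rule decides Allow or Block, and without the allow-all rule an unmatched query is blocked. The Rule, Policy and Query classes, the CIDR source-IP matching, the '?' normalisation of query text, and the sample rules and queries are assumptions of this example.

```python
"""Model of the first-match policy evaluation described in chapter 6.

Added example, not HexaTier code.  Taken from the guide: policy objects
(source IP, database user, application, query group), the Allow/Block
actions, the Top/Bottom rule position, first-match evaluation in priority
order, and "without the allow-all rule every query is blocked".
Constructed here: the class and function names, CIDR-style source IP
matching, the literal-to-'?' normalisation, and the sample rules/queries.
"""
import re
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

ALLOW, BLOCK = "Allow", "Block"


def to_pattern(sql: str) -> str:
    """Reduce a statement to the learned-pattern form shown in 6.3.2:
    data parameters (numbers, quoted strings) become '?'."""
    sql = re.sub(r"'[^']*'|\b\d+(?:\.\d+)?\b", "?", sql.strip().lower())
    return " ".join(sql.split())


@dataclass
class Query:
    source_ip: str
    db_user: str
    application: str
    text: str


@dataclass
class Rule:
    name: str
    action: str                               # ALLOW or BLOCK
    source_ip: Optional[str] = None           # CIDR; None matches any address
    db_user: Optional[str] = None             # None matches any user
    application: Optional[str] = None         # None matches any application
    query_group: Optional[frozenset] = None   # set of '?' patterns; None = any query
    blocking_action: str = "Generate SQL Error"
    disabled: bool = False                    # the "Disable Rule" check box

    def matches(self, q: Query) -> bool:
        """Every configured object must match; unset objects match anything."""
        if self.disabled:
            return False
        if self.source_ip and ip_address(q.source_ip) not in ip_network(self.source_ip):
            return False
        if self.db_user and q.db_user != self.db_user:
            return False
        if self.application and q.application != self.application:
            return False
        if self.query_group is not None and to_pattern(q.text) not in self.query_group:
            return False
        return True


@dataclass
class Policy:
    rules: list = field(default_factory=list)   # index 0 = highest priority

    def add(self, rule: Rule, position: str = "Bottom") -> None:
        """Rule Position: Top is applied first, Bottom is applied last."""
        if position == "Top":
            self.rules.insert(0, rule)
        else:
            self.rules.append(rule)

    def remove(self, name: str) -> None:
        self.rules = [r for r in self.rules if r.name != name]

    def evaluate(self, q: Query) -> tuple:
        """Scan in priority order and stop at the first matching rule.
        Returns (rule name or None, action, blocking action or None)."""
        for rule in self.rules:
            if rule.matches(q):
                blocking = rule.blocking_action if rule.action == BLOCK else None
                return rule.name, rule.action, blocking
        # No rule matched.  The guide says that without the allow-all rule
        # all queries are blocked; which blocking action applies then is
        # not specified, so None is returned (assumption).
        return None, BLOCK, None


def build_sample_policy() -> Policy:
    """Constructed sample: the billing service may run its known query from
    its own subnet, the 'sa' login is blocked from everywhere else, and the
    default allow-all rule stays at the bottom."""
    billing_queries = frozenset({to_pattern("select * from billing where m_id = ?")})
    policy = Policy()
    policy.add(Rule("allow-all", ALLOW))                   # default rule, last
    policy.add(Rule("block-sa", BLOCK, db_user="sa",
                    blocking_action="Close SQL Connection"), "Top")
    policy.add(Rule("allow-billing", ALLOW, source_ip="10.0.1.0/24",
                    application="billing-svc", query_group=billing_queries), "Top")
    return policy


if __name__ == "__main__":
    p = build_sample_policy()
    for q in (Query("10.0.1.5", "sa", "billing-svc", "SELECT * FROM billing WHERE m_id = 42"),
              Query("192.168.0.9", "sa", "sqlcli", "select 1"),
              Query("192.168.0.9", "reporting", "sqlcli", "select 1")):
        print(q.source_ip, q.db_user, q.application, "->", p.evaluate(q))
    p.remove("allow-all")
    print("without allow-all ->", p.evaluate(Query("192.168.0.9", "reporting", "sqlcli", "select 1")))
```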

6.1 Configuring Database Firewall Policies

Scenario

This type allows you to create customized security rules based on query groups, tables, or procedures. For requests that violate such a rule, you can further specify whether to allow or block them.

Users can create one of the following firewall types:

- Query Groups: applies a database security rule to a query group you created or a query pattern group created by a learning mode rule.


- Table Based: applies a database security rule to a specific table in a specific database or to any table.

- Procedure Based: applies a database security rule to a specific procedure or to any procedure.

Procedure

Step 1 On the HexaTier main menu, click Security.

Step 2 Perform the following operations as needed.
- Create a security rule: In the command bar, click Create New.
- Edit an existing security rule: Click the (Edit) button at the end of the row where the rule resides.

Step 3 In the Rule Type drop-down list, select Database Firewall.

Step 4 Select the Database to which the firewall rule applies.

Step 5 In the database firewall list, select one of the following firewall types:
- Query Groups
- Table Based
- Procedure Based

Step 6 Select the Proxy to which this firewall rule applies.

Step 7 According to the selected Firewall Type, configure the object to which the firewall rule applies.
- Query Groups: Applies the security rule to a query group or a query pattern group. For details, see Configuring Query Group.
- Table: Applies the security rule to a specific table or any table. You can configure the object in advance. For details, see Configuring Table Objects.
- Procedure: Applies the security rule to a specific procedure or any procedure. You can configure the procedure in advance. For details, see Configuring Procedure Objects.

You can click Create New to create a new object, or click More to add multiple objects.

Step 8 Set parameters as needed.

Table 6-1 Firewall type: query groups rules

Parameter Description

Source IP: Specifies the source IP address that uses the rule. You can click New to create a source IP address.

Database Username: Specifies the database user who uses the rule. You can click New to create a database user object.

Application Name: Specifies the name of the application that uses the rule.

Schedule: Specifies the schedule that uses the rule. You can click New to create a schedule.


Action:
- Allow: allows the query that matches the firewall rule.
- Block: blocks the query that matches the firewall rule.

Blocking Action: If you selected Block from the Action drop-down list, you can select one of the following options from the Blocking Action drop-down list box:
- Empty Result Set
- Close SQL Connection
- Generate SQL Error

Logging: Specifies whether queries are written to the traffic log.

Alerts (SMTP): If you selected Traffic Events from the Logging drop-down list, you can select Alerts (SMTP) to enable alerts. An alert is sent each time the rule is activated, based on the parameters defined in the alerts. For details about how to configure alerts, see Configuring Alert-related Settings.

Syslog: If you selected Traffic Events from the Logging drop-down list, you can select Syslog to enable Syslog. Each time the rule is activated, a message is sent to the Syslog server. For details about how to configure Syslog, see Configuring Syslog.

Rule Position: Sets the priority of a new firewall rule.
- Top: The new rule is applied first.
- Bottom: The new rule is applied last.

Name: Specifies the name of a security policy.

Disable Rule: Select the check box to disable the rule.

Step 9 Click Create or Update.

----End

6.2 Configuring Risk based-IPS/IDS Rule

A risk based-IPS/IDS rule supports any combination of SQL Injection Detection and a risk profile.

To create a risk based-IPS/IDS rule, create a risk profile first. For details, see Configuring Risk Profile. Configure the risk engine by weighting risk factors according to your own security policy requirements. For details, see Configuring Risk Engine.

Procedure

Step 1 On the HexaTier main menu, click Security.

Step 2 Perform the following operations as needed.


- Create a rule: In the command bar, click Create New.

- Edit an existing rule: Click the (Edit) button at the end of the row where the rule to be edited resides.

Step 3 In the Rule Type drop-down list, select Risk based-IPS/IDS.

Step 4 Select the Database and Proxy to which this security rule applies.

Step 5 Set parameters as needed.

Table 6-2 Parameters of Risk based-IPS/IDS

Parameter Description

Source IP: Specifies the source IP address that uses the rule. You can click New to create a source IP address.

Database Username: Specifies the database user who uses the rule. You can click New to create a database user object.

Application Name: Specifies the name of the application that uses the rule.

Schedule: Specifies the schedule that uses the rule. You can click New to create a schedule.

Mode: Specifies the tasks that are executed together with SQL injection detection:
- Active Protection-IPS: uses the intrusion prevention system and blocks queries that match an existing risk profile.
- Monitoring-IDS: uses the intrusion detection system and an existing risk profile and monitors queries.

Risk Profile: Depending on the selection in Mode, you can select a configured risk profile with a blocking or monitoring action. For details, see Configuring Risk Profile.

SQL Injection Detection:
- If you selected Active Protection-IPS from the Mode drop-down list, you can select this option to prevent SQL injection.
- If you selected Monitoring-IDS from the Mode drop-down list, you can select this option to monitor SQL injection.
The detection of SQL injection attempts is based on HexaTier's built-in detection system. For details, see Configuring Risk Engine.

Action: Specifies the action to be taken by the rule. This item does not need to be configured.
- If Active Protection-IPS is selected from the Mode drop-down list, the action is always Block.
- If Monitoring-IDS is selected from the Mode drop-down list, the action is always Allow.


Blocking Action: If you selected Block from the Action drop-down list, you can select one of the following options from the Blocking Action drop-down list box:
- Empty Result Set
- Close SQL Connection
- Generate SQL Error

Logging: Specifies whether to write blocked queries to the intrusion event logs.

Alerts (SMTP): If you selected Intrusion Events from the Logging drop-down list, you can select Alerts (SMTP) to enable alerts. An alert is sent each time the rule is activated, based on the parameters defined in the alerts. For details about how to configure alerts, see Configuring Alert-related Settings.

Syslog: If you selected Intrusion Events from the Logging drop-down list box, you can select Syslog to enable Syslog. Each time the rule is activated, a message is sent to the Syslog server. For details about how to configure Syslog, see Configuring Syslog.

Rule Position: Sets the priority of a new policy.
- Top: The new rule is applied first.
- Bottom: The new rule is applied last.

Name Specifies the name of a security policy.

Disable Rule Select the check box to disable the rule.

Step 6 Click Create or Update.

----End

6.3 Configuring Advanced Options for a Policy

Query Group

SQL statements can be defined as a query group and used in database security rules.

Learning Mode

The HexaTier policy has a self-learning mode. Once the learning time has ended, the database firewall automatically generates security policy rules, which you can accept or reject. The learning mode simplifies the execution of database security policies.


Injection Patterns

HexaTier identifies malicious attacks by comparing every query structure with a constantly updated signature database of known attacks. Suspicious attacks are automatically defined as injection patterns (essentially SQL statements).

You can transform an injection pattern into a regex pattern and add it to a query group that is used by a query-group-based database firewall rule.

Risk Profile

When creating a risk based-IPS/IDS policy, you are advised to create a risk profile for threat identification. For details, see Configuring Risk Profile.

You can define risk profiles for specific types of threats. For example, you can create risk profiles to identify all MySQL database modification attempts.

Risk Engine

The Risk Engine defines protection against SQL injection attacks. You can apply a Risk Based-IPS/IDS policy by configuring the risk weights for the block and warning levels individually.

If you configure Active Protection-IPS mode, the system blocks or allows a query according to the configured block-level and warn-level risk scores. If you configure Monitoring-IDS mode, only the warn-level risk score is used: the query is allowed and a warning is sent.

You can adjust and fine-tune each risk factor using a weight range from 1 to 100. Your risk weight settings apply to all rules. For details, see Configuring Risk Engine.

Regular Expression Pattern

A regex pattern can be added to a query group for creating a database firewall rule based on that query group.

You can create a regex pattern yourself, or generate one from a learned pattern or an injection pattern.

A regular expression (regex) concisely and flexibly matches (specifies and recognizes) text strings, such as specific characters, words, or character patterns.

- Regex Flags
  Common regex flags:
  – PCRE_DOTALL: A dot metacharacter in the pattern matches all characters, including newlines.
  – PCRE_CASELESS: Letters in the pattern match both uppercase and lowercase letters.
  – PCRE_NEWLINE_ANY: Any Unicode newline sequence is recognized.
  – PCRE_UTF8: This modifier enables an additional PCRE function that is incompatible with Perl. Patterns and subject strings are treated as UTF-8.

- Regex Anchor
  Regexes are tested against all SQL strings. If the ^ and $ anchors are missing, HexaTier automatically adds the ^ anchor to the beginning of the expression string and the $ anchor to its end.


- SQL Comments
  SQL comments in a statement are ignored when the statement is matched against a regex template. The syntax of SQL comments differs depending on the type of database used.

- Stored Procedures
  Regexes match the stored procedure contents. For example, EXEC SP_DEMO matches any string starting with EXEC SP_DEMO.

6.3.1 Configuring Query Group

Scenario

Create or edit a query group.

SQL statements can be defined as a query group and used in database security rules.

Groups must belong to a query group used in the security rules. Use either of the following methods to create a query group:

- Automatically: create a learning mode rule and add it to the query group. For details, see Configuring Learning Mode.

- Manually: create a query group and assign an existing schema to it, including learned patterns and regex patterns.

Procedure

Step 1 On the HexaTier main menu, click Assets.

Step 2 In the navigation tree, choose Groups > Query Groups.

Step 3 Perform the following operations as needed:
- Create a query group: In the command bar, click Create New.
- Edit an existing query group: Click the (Edit) button at the end of the row where the query group to be edited resides.

Step 4 Set the following parameters as needed, and then click Create or Update.

Table 6-3 Query group parameters

Parameter Description

Name: Specifies the name of a query group.

Color: Specifies the color of the query group displayed in the query group list.

Database Type: If you selected a database type, only query groups of this database type are displayed in the Available Member list.

Proxy: If you selected a proxy, only query groups of this proxy are displayed in the Available Member list.


Database: If you selected a database, only query groups of this database are displayed in the Available Member list.

Available Members: Includes existing learned patterns, injection patterns, and groups. You can double-click an available member name, or select an available member and then click Add, to add it to Current Member.

Current Member: Specifies the members included in the query group. You can double-click a current member name, or select a current member and then click Remove, to delete it from Current Member.

----End

6.3.2 Configuring Learning Mode

Scenario

Configure the learning mode, and create or edit learned patterns.

After adding a learned pattern to a query group, you can select that query group when creating a query-group-based database firewall rule.

Configuring Learning Mode

Step 1 On the HexaTier main menu, click Security.

Step 2 Perform the following operations as needed.
- Create a learning mode rule: In the command bar, click Create New.
- Edit an existing learning mode rule: Click the (Edit) button at the end of the row where the rule resides.

Step 3 Set parameters as needed.

Table 6-4 Parameters of the learning mode rules

Parameter Description

Rule Type: Select Learning Mode.

Database: Specifies the database that uses this learning pattern rule. You can also select All Databases.

Proxy: If you select All Databases from the Database drop-down list, you can select the proxy that uses the rule.


Source IP: Specifies the source IP address that uses the rule. You can click New to create a source IP address.

Database Username: Specifies the database user who uses the rule. You can click New to create a database user object.

Application Name: Specifies the name of the application that uses the rule.

Schedule: Specifies the schedule that uses the rule. You can click New to create a schedule.

Query Group: The learning mode result needs to be attached to a query group. You can also click New to create an empty query group to which the learning mode result is added.

Learning Duration: Specifies the duration for learning the database access behavior.

Rule Position: Sets the priority of a new policy.
- Top: The new rule is applied first.
- Bottom: The new rule is applied last.

Name Specifies the name of a security policy.

Disable Rule Disables the rule.

Step 4 Click Create or Update.

----End

Configure Learned Patterns

Step 1 On the HexaTier main menu, click Assets.

Step 2 In the navigation tree, choose Groups > Learned Patterns.

Step 3 Perform the following operations as needed.
- Create a query pattern: In the command bar, click Create New.
- Edit an existing query pattern: Click the (Edit) button at the end of the row where the pattern to be edited resides.

Step 4 Enter the query pattern in the text box of the workspace.

NOTE

In the query pattern format, data parameters should be written as question marks. For example: select * from billing where m_id=?

Step 5 Select a database type from the Database Type drop-down list box for query pattern.

Step 6 (Optional) Select a color from the Color drop-down list box to display the query pattern in the query list.


Step 7 Click Create or Update.

----End

6.3.3 Configuring Risk Profile

Scenario

Create or edit a risk profile.

After creating a risk profile, you can select the risk profile while creating a risk based-IPS/IDS rule and allow or block specific commands or operations.

NOTICE

Risk profile does not support PostgreSQL.

The risk profile consists of groups of actions (Risk Groups). Each group describes a different risk.

There are two types of settings:

- Action Behavior: action performed on each group of queries.
- Logging Behavior: log settings for each group of queries.

When creating a risk profile, you can select Basic Mode or Advanced Mode. In Basic Mode, you can configure the server, security settings, and database objects. In Advanced Mode, you can click the name of a risk group in the table to view or specify the behavior of each action in the group.

Procedure

Step 1 On the HexaTier main menu, click Security.

Step 2 In the navigation tree, click Risk Profiles.

Step 3 Perform the following operations as needed:
- Create a risk profile: In the command bar, click Create New.
- Edit an existing risk profile: Click the (Edit) button at the end of the row where the risk profile to be edited resides.

Step 4 In the workspace, enter the name and description of the risk profile.

Step 5 Select a database type from the Database Type drop-down list box:
- MySQL
- MS-SQL

Step 6 The workspace is displayed in Basic Mode. Click Advanced Mode to display the advanced mode.


Step 7 In the Action Behavior column, set the following parameters for each group:

Table 6-5 Action behavior parameters

Action Behavior Name Description

Allow: Allows all actions of the group.

Block: Blocks all actions of the group.

None: Ignores all actions of the group. This option saves resources by disabling all queries.

Custom: In basic mode, you can define different types of behavior for different objects in a group. In advanced mode, you can specify different types of behavior for each action in a group.

Default: Uses the default action configured in the IPS or IDS policy.

Step 8 In the Logging Behavior column, set the following parameters for each group:

Table 6-6 Logging behavior

Logging Behavior Description

Enable: Enables the logging function for all actions in a group.

Disable: Disables the logging function for all actions in a group.


Custom: In basic mode, you can define different types of behavior for different objects in a group. In advanced mode, you can specify different types of behavior for each action in a group.

Default: Uses the default action configured in the IPS or IDS policy.

Step 9 Click Create or Update.

----End

Deleting Risk Profiles

Step 1 On the HexaTier main menu, click Security.

Step 2 In the navigation tree, click Risk Profiles.

Step 3 Click the (Delete) button at the end of the row where the profile to be deleted resides.

NOTE

If the risk profile to be deleted has been associated with a risk based-IPS/IDS rule, the risk profile cannot be deleted. The associated rules will be displayed. You can edit the rules to disassociate them from the risk profile, or delete the rules, and then delete the risk profile.

----End

6.3.4 Configuring Risk Engine

Scenario

Configure the risk engine.

The risk engine defines prevention for SQL injection. You can configure the HexaTier risk engine by adjusting each risk factor using a weight range from 1 to 100.

Procedure

Step 1 On the HexaTier main menu, click Security.

Step 2 In the navigation tree, select Risk Profiles > Risk Engine.

Step 3 Type a weight from 1 to 100 for any of the following risk factors as required:
- Risk score for warn level
- Risk score for block level
- Risk factor associated with SQL comments
- Risk factor associated with 'OR' SQL token
- Risk factor associated with 'UNION' SQL statement
- Risk factor associated with variable comparison, for example: 1 = 1
- Risk factor associated with any operation which is always true, for example: select * from XXX where 1


- Risk factor associated with an empty password SQL operation, for example: select * from users where password=''. It works with the following fields: pass/pwd/passwd/password
- Risk factor associated with multiple queries which are separated by ";"
- Risk of SQL commands that can be used to brute force database content
- Risk factor associated with usage of sensitive functions/procedures/tables

Step 4 In Disable stored procedures/functions risk evaluation, choose either:
- no: disable
- yes: enable

Step 5 Click Save.

----End

NOTE

To restore the risk engine parameters to original settings, click Reset.
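The weighted scoring described in this section and in the Risk Engine overview in 6.3, as an added example (not HexaTier's code): each listed risk factor gets a weight from 1 to 100, the weights of the factors found in a statement are summed, and the total is compared with the warn-level and block-level scores according to the selected mode. The detection regexes, the sample weights, the sample statements and all function names are assumptions of this example; the brute-force and sensitive-object factors are left out.

```python
"""Model of the weighted risk engine described in 6.3 (Risk Engine) and 6.3.4.

Added example, not HexaTier code.  Taken from the guide: the risk factors
(SQL comments, 'OR' token, 'UNION', always-true comparisons such as 1 = 1
or a bare "where 1", an empty password for the pass/pwd/passwd/password
fields, multiple ';'-separated queries), the 1..100 weight range, the warn-
and block-level scores, and the IPS/IDS behaviour.  Constructed here: how
each factor is detected, the sample weights, the sample queries and names.
"""
import re

# One detector per risk factor (constructed heuristics, not HexaTier's).
FACTORS = {
    "sql_comment": re.compile(r"--|/\*|#"),
    "or_token": re.compile(r"\bor\b", re.I),
    "union": re.compile(r"\bunion\b", re.I),
    # 1 = 1, 'a' = 'a', or a bare "where 1" at the end of the statement
    "always_true": re.compile(r"(?<!\w)(\d+|'[^']*')\s*=\s*\1(?!\w)|\bwhere\s+1\s*(?:;|$)", re.I),
    "empty_password": re.compile(r"\b(?:pass|pwd|passwd|password)\s*=\s*''", re.I),
    "multiple_queries": re.compile(r";\s*\S"),
}

# Sample weights; every value must lie in the guide's 1..100 range.
SAMPLE_WEIGHTS = {
    "warn_level": 40,
    "block_level": 70,
    "sql_comment": 30,
    "or_token": 20,
    "union": 40,
    "always_true": 50,
    "empty_password": 60,
    "multiple_queries": 30,
}


def validate_weights(weights: dict) -> None:
    """Reject any weight outside 1..100 and a warn level above the block level."""
    bad = {k: v for k, v in weights.items() if not 1 <= v <= 100}
    if bad:
        raise ValueError("weights outside 1..100: %r" % bad)
    if weights["warn_level"] > weights["block_level"]:
        raise ValueError("warn level must not exceed block level")


def risk_score(sql: str, weights: dict = SAMPLE_WEIGHTS) -> tuple:
    """Sum the weights of every factor found in the statement.
    Returns (score, list of matched factor names)."""
    hits = [name for name, rx in FACTORS.items() if rx.search(sql)]
    return sum(weights[name] for name in hits), hits


def evaluate(sql: str, mode: str, weights: dict = SAMPLE_WEIGHTS) -> dict:
    """Apply the warn/block levels the way 6.3 describes for each mode.
    Assumption: a score equal to a level counts as reaching it."""
    validate_weights(weights)
    score, hits = risk_score(sql, weights)
    if mode == "Active Protection-IPS":
        # IPS: block at the block level, warn (but allow) at the warn level.
        if score >= weights["block_level"]:
            action, level = "Block", "block"
        elif score >= weights["warn_level"]:
            action, level = "Allow", "warn"
        else:
            action, level = "Allow", "none"
    elif mode == "Monitoring-IDS":
        # IDS: only the warn level is used; the query is always allowed.
        action = "Allow"
        level = "warn" if score >= weights["warn_level"] else "none"
    else:
        raise ValueError("unknown mode: %s" % mode)
    return {"score": score, "factors": hits, "action": action, "level": level}


if __name__ == "__main__":
    # Constructed sample statements: one routine query, the guide's own
    # examples (empty password, "where 1"), a combined OR / 1 = 1 case and
    # a two-statement batch.
    samples = [
        "select name from customers where id = 42",
        "select * from users where password=''",
        "select * from XXX where 1",
        "select * from users where name = 'x' or 1 = 1",
        "select 1; select 2",
    ]
    for mode in ("Active Protection-IPS", "Monitoring-IDS"):
        for sql in samples:
            print(mode, evaluate(sql, mode), sql)
```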

6.3.5 Configuring Regular Expression Patterns

Scenario

Create and edit a regex pattern.

You can create a regex pattern, or click Transform into Regular Expression in the Learned Patterns or Injection Patterns windows. In this case, a new pattern is created. The original learned pattern is not affected.

Procedure

Step 1 On the HexaTier main menu, click Assets.

Step 2 In the navigation tree, choose Groups > Regex Patterns.

Step 3 Perform the following operations as needed:

- Create a regex query pattern: In the command bar, click Create New.

- Edit an existing regex pattern: Click the (Edit) button at the end of the row where the pattern to be edited resides.

Step 4 In the Pattern Name text box, enter the name of the pattern.

Step 5 (Optional) In the Color list, select the color in which the query pattern will be displayed when you view the regex pattern list.

Step 6 Select a database type from the Database Type drop-down list box:

- MySQL

- MS-SQL

- PostgreSQL


NOTE

The query pattern can belong to a group of the same database type. The group can also be part of a database security rule. If a group is contained in a database security rule, it can only belong to the same database type defined in the database security rule.

Step 7 In the Regular Expression Definition text box, type a regex.

Step 8 Create and edit regexes using the tips provided by Macros and Legend.
- Select one of the Macros links (Any, Const, Number, and Quoted String) to add characters relevant to the regex defined in the Regular Expression Definition.
- Click Legend to view related strings and their descriptions.

In the lower-right corner of the text box, the system automatically displays whether the regex you entered is valid. If the expression is invalid, the regular expression cannot be saved or tested.

Step 9 In the Test Sample field, type an SQL query or statement, and then click Test Match to test whether the test content matches the defined regex.

Step 10 Click Create or Update.

----End

Creating Regex Patterns Automatically

You can create regex patterns using the learned pattern or injection pattern.

- Transform a learned pattern into a regex pattern:
  a. On the HexaTier main menu, click Assets.
  b. In the navigation tree, choose Groups > Learned Patterns.
  c. Click the (Edit) button at the end of the row where the pattern to be transformed resides.
  d. Click Transform into Regular Expression. The regex pattern creation page is displayed.
  e. Set the Pattern Name, Color, and Database Type.
  f. (Optional) In the Test Sample field, type an SQL query or statement, and then click Test Match to test whether the test content matches the defined regex.
  g. Click Create.

- Transform an injection pattern into a regex pattern:
  a. On the HexaTier main menu, click Assets.
  b. In the navigation tree, choose Groups > Injection Patterns.
  c. Click the injection pattern to be transformed.
  d. Click Transform into Regular Expression. The regex pattern creation page is displayed.
  e. Set the Pattern Name, Color, and Database Type.
  f. (Optional) In the Test Sample field, type an SQL query or statement, and then click Test Match to test whether the test content matches the defined regex.
  g. Click Create.


6.4 Related Operation

6.4.1 Switching Between Global and Database Views

Scenario

This section describes how to switch between views in a security policy. The following table describes the parameters in the view.

Table 6-7 Views

View Description

Global View: Allows you to view all database security rules and to change the order in which rules are applied (see Reordering Database Security Rules).

Per Database: Easily locates the rules affecting a specified database, especially when multiple rules are defined.

Procedure

Step 1 On HexaTier main menu, click Security.

Step 2 In the command bar, select Global View or Per Database from the drop-down list.

The workspace is displayed based on the view selected.

----End

6.4.2 Reordering Database Security Rules

Scenario

This section describes how to set the order of applying policies in HexaTier.

You can reorder security policies. The higher a rule appears in the table, the higher its priority.


Prerequisites

The sorting function can be used only when the global view is selected. For details, see Switching Between Global and Database Views.

Procedure

Step 1 On HexaTier main menu, click Security.

Step 2 Select Global View from the drop-down list in the top right corner.

Step 3 In the command bar, click Reorder.

Step 4 In the workspace, drag a rule to the required location (up or down) in the policy list.

Step 5 Click Save Order.

----End

6.4.3 Managing Security Logs

Scenario

View security logs, including traffic logs and intrusion logs.

Traffic logs show the list of allowed and blocked queries generated by the database firewall policy.

Intrusion logs show the list of queries identified and blocked as SQL injection attempts.

The following information is displayed:

Table 6-8 Security log parameters

Parameter  Description

Log ID  Specifies the ID of an event in the log event list.

Log Date  Specifies the time at which an event occurred.

Rule ID  Specifies the ID of a policy rule.

Rule Type  Specifies the type of the activity monitoring rule used for log events.


Database  Specifies the name of the database that is being audited, or All Databases.

Query Group  Specifies the name of the query group contained in a policy and used as a rule pattern.

Risk Profile  Specifies the configuration file used for identifying threats.

Action  Specifies the response action applied to the query. The options are as follows:
- Allow
- Block
- None

Blocking Action  Specifies the action taken when the query is blocked. For example:
- None
- Empty Result Set
- Close SQL Connection
- Generate SQL Error

Procedure

Step 1 On HexaTier main menu, click Security.

Step 2 In the navigation tree, choose Traffic Logs or Intrusion Logs.

The basic information about event logs is displayed.

Step 3 Click an event log to view details.

----End
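As an added illustration (not HexaTier code), the following Python model shows how the rule order of 6.4.2 decides which rule handles a query and how the fields of Table 6-8 end up in a traffic log entry. It assumes that the first matching rule in Global View order applies, that a query group can be modelled as a regex over the SQL text, and that a query no rule covers is logged with action None; the rules and queries are constructed.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Constructed model (not HexaTier code) of an ordered database firewall policy.
# Field names follow Table 6-8; the regex-based query groups, the first-match
# assumption and the handling of unmatched queries are assumptions.


@dataclass
class Rule:
    rule_id: int
    rule_type: str        # type of the rule, e.g. "Query Group"
    database: str         # a database name or "All Databases"
    query_group: str      # name of the query group used as the rule pattern
    pattern: str          # assumed: the query group is a regex over the SQL text
    action: str           # "Allow", "Block" or "None"
    blocking_action: str  # "None", "Empty Result Set", "Close SQL Connection" or "Generate SQL Error"
    risk_profile: str = "Default"

    def matches(self, database: str, sql: str) -> bool:
        if self.database not in ("All Databases", database):
            return False
        return re.search(self.pattern, sql, re.IGNORECASE) is not None


@dataclass
class TrafficLogEntry:
    log_id: int
    log_date: str
    rule_id: Optional[int]
    rule_type: str
    database: str
    query_group: str
    risk_profile: str
    action: str
    blocking_action: str


class FirewallPolicy:
    """Rules are kept in Global View order: index 0 is the top row and has the
    highest priority. Assumed: the first matching rule decides the action."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = list(rules)
        self.traffic_log: List[TrafficLogEntry] = []

    def reorder(self, rule_id: int, new_position: int) -> None:
        """Model of dragging a row in the Reorder view and clicking Save Order."""
        rule = next(r for r in self.rules if r.rule_id == rule_id)
        self.rules.remove(rule)
        self.rules.insert(new_position, rule)

    def evaluate(self, database: str, sql: str) -> TrafficLogEntry:
        """Decide on one query and append the resulting traffic log entry."""
        matched = next((r for r in self.rules if r.matches(database, sql)), None)
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        log_id = len(self.traffic_log) + 1
        if matched is None:
            # Assumed: a query covered by no rule is logged with action "None".
            entry = TrafficLogEntry(log_id, stamp, None, "-", database, "-", "-",
                                    "None", "None")
        else:
            entry = TrafficLogEntry(log_id, stamp, matched.rule_id, matched.rule_type,
                                    matched.database, matched.query_group,
                                    matched.risk_profile, matched.action,
                                    matched.blocking_action)
        self.traffic_log.append(entry)
        return entry


def sample_policy() -> FirewallPolicy:
    """Constructed policy: a broad allow rule sits above a narrower block rule,
    so the block rule never fires until it is moved up."""
    return FirewallPolicy([
        Rule(1, "Query Group", "All Databases", "Reporting reads",
             r"^\s*SELECT\b", "Allow", "None"),
        Rule(2, "Query Group", "payments", "Cardholder data access",
             r"\bcard_number\b", "Block", "Empty Result Set", "PCI"),
    ])


if __name__ == "__main__":
    policy = sample_policy()
    query = "SELECT card_number FROM cards"
    print(policy.evaluate("payments", query).action)  # Allow: rule 1 is higher
    policy.reorder(2, 0)                              # drag the block rule to the top
    print(policy.evaluate("payments", query).action)  # Block
```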


7 Configuring Sensitive Data Discovery Policies

HexaTier's sensitive data discovery automatically identifies and classifies sensitive data. Once sensitive data is identified, you can automatically create masking and audit rules. Enabling the sensitive data discovery policy does not require you to change anything in the database or applications, and does not cause database performance problems.

HexaTier provides the following predefined compliance groups:

Table 7-1 Compliance groups

Compliance group  Description

PCI  PCI DSS (Payment Card Industry Data Security Standard). Specifies the payment card industry data security standard, which aims to protect the security of cardholders' credit and debit card information.

HIPAA  Health Insurance Portability and Accountability Act of 1996.

SOX  Specifies the Sarbanes-Oxley Act. This act is important for reform in accounting profession supervision, corporate governance, and securities market regulation in the US.

GROUP-SAMPLE  An example compliance group that HexaTier provides for users.

In addition, you can customize patterns and associate them with compliance groups to enhance compliance group capabilities.

7.1 Creating or Editing a Discovery Job

Scenario

Create and edit a sensitive data discovery job.


NOTE

A single discovery job is limited to 7000 tables returned from the database.

Procedure

Step 1 On HexaTier main menu, click Discovery.

Step 2 In the navigation tree, choose Discovery Job.

Step 3 Perform the following operations as needed.

- Create a discovery job: In the command bar, click Create New.

- Edit an existing discovery job: Click the (Edit) button at the end of the row where the job to be edited resides.

Step 4 Set parameters as needed.

Table 7-2 Discovery job parameters

Parameter Description

Job Name  Specifies the name of a discovery job. The name can contain a maximum of 50 characters.

Disable Job Disables the discovery job.

Compliance Specifies the compliance group that is used for the discovery job.

Instance Name  Specifies the instance that is used for the discovery job. You need to select at least one table to be used for the discovery job.

NOTE

You can select a table only after you have selected an instance.


Scheduling  Sets a schedule for executing the discovery job. The options are as follows:
- Now: The discovery job is executed immediately after you select this option and save it.
- Once: Select this option and set the execution time. The discovery job is executed once at the specified time.
- Daily: The discovery job is executed every day at the specified time after you select this option and set the execution time.
- Weekly: The discovery job is executed every week at the specified time after you select this option and set the execution time.
- Monthly: The discovery job is executed every month at the specified time after you select this option and set the execution time.
- Schema change: The discovery job is executed when the schema of the database is changed.

Step 5 Click Save & Run or Save.

NOTE

To temporarily disable a discovery job, select Disable Job under job name and click Save.

----End

7.2 Generating Rules Based on Discovery Results

Scenario

Automatically generate monitoring and masking rules based on discovery results.

Procedure

Step 1 On HexaTier main menu, click Discovery.

Step 2 In the navigation tree, choose Discovery Results.

Step 3 If the Sensitive Fields column displays Found, click Details in the Action column.

All the noncompliant table columns are displayed in the Detailed Results window.

Step 4 Create a monitoring rule for the discovered sensitive columns:

1. Select the check box of the monitoring rule in the row.

2. Click Generate.

A monitoring rule is automatically generated. You can edit the automatically generated monitoring policy in the monitoring policy list. For details, see Creating or Editing an Activity Monitoring Rule.


Step 5 Create a masking rule for the discovered sensitive columns:

1. Select the check box of the masking rule in the row.

2. Click Generate.

3. Click OK.

A masking rule is automatically generated. You can edit the automatically generated masking policy in the masking policy list. For details, see Creating and Editing Data Masking Rules.

----End

Deleting Automatically Generated Rules

- Deleting automatically generated monitoring rules:

a. On HexaTier main menu, click Monitoring.
b. In the command bar, click Delete ALL Auto-Generated Rules.
c. Click OK.

- Deleting automatically generated masking rules:

a. On HexaTier main menu, click Masking.
b. In the command bar, click Delete ALL Auto-Generated Rules.
c. Click OK.

NOTE

The Delete ALL Auto-Generated Rules button is displayed in the command bar only when a monitoring rule or masking rule has been automatically generated based on a discovery job.


7.3 Creating or Editing a Regex Pattern

Scenario

Create and edit a customized pattern.

You can also create customized patterns to create compliance groups, or associate a pattern with existing compliance groups to enhance their capabilities.

Procedure

Step 1 On HexaTier main menu, click Discovery.

Step 2 In the navigation tree, choose Regex Patterns.

Step 3 Perform the following operations as needed.

- Create a regex pattern: In the command bar, click Create New.

- Edit an existing regex pattern: Click the (Edit) button at the end of the row where the pattern to be edited resides.

Step 4 Enter or edit the Regex Name.

Step 5 Perform the following operations:

- Enter a regex pattern in Search in Data to search for sensitive information in data.

- Enter a regex pattern in Search in Column Names to search for sensitive information in column names.

NOTE

– Click Show Builder to write a regex.

– Enter a string in the test box and click Test to validate the syntax.

– You can use either of the two search patterns. However, if you enter a regex in both Search In Data and Search In Column Names, the search criterion is interpreted as a logical OR.

Step 6 In the Attach to Compliance Groups list, you can perform the following operations:

- Add the customized pattern to a built-in or customized compliance group by clicking the name of a compliance group under Attach to Compliance Groups.

- Create a new customized compliance group by typing a new compliance group name in the Attach to Compliance Groups list.

Step 7 Click Save.

NOTE

To temporarily disable the regex pattern, select Disable Regex and click Save.

----End
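As an added illustration (not HexaTier code) of sections 7.1 to 7.3, the following Python model runs a discovery job whose compliance group activates a set of regex patterns; each pattern is applied to column names, to sampled data, or to both combined with a logical OR, and the per-table result is what the Sensitive Fields column and the Detailed Results window report. The pattern, table and column names are constructed, and rejecting a job with more than 7000 tables up front is an assumption.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed model (not HexaTier code) of a discovery job: regex patterns attached
# to a compliance group are applied to column names and sampled data, and the
# per-table results feed the Sensitive Fields / Detailed Results view of 7.2.
# Pattern, table and column names are made up; the table-limit check is assumed.

MAX_TABLES_PER_JOB = 7000  # limit stated in the NOTE under 7.1


@dataclass
class RegexPattern:
    regex_name: str
    search_in_data: Optional[str] = None          # regex applied to cell values
    search_in_column_names: Optional[str] = None  # regex applied to column names
    compliance_groups: List[str] = field(default_factory=list)
    disable_regex: bool = False

    def flags(self, column: str, values: List[Optional[str]]) -> bool:
        """Either criterion alone suffices; when both are set they are combined
        with a logical OR, as the NOTE in 7.3 states."""
        if self.disable_regex:
            return False
        if self.search_in_column_names and re.search(
                self.search_in_column_names, column, re.IGNORECASE):
            return True
        if self.search_in_data:
            rx = re.compile(self.search_in_data)
            return any(v is not None and rx.search(v) for v in values)
        return False


@dataclass
class Table:
    name: str
    columns: Dict[str, List[Optional[str]]]  # column name -> sampled values


@dataclass
class DiscoveryJob:
    job_name: str
    compliance: str               # compliance group selected for the job
    patterns: List[RegexPattern]  # every defined regex pattern

    def run(self, tables: List[Table]) -> Dict[str, Dict[str, List[str]]]:
        """Return {table: {column: [names of matching patterns]}} for every table.
        Assumed: a job that would exceed the table limit is rejected up front."""
        if len(tables) > MAX_TABLES_PER_JOB:
            raise ValueError(f"{self.job_name}: more than {MAX_TABLES_PER_JOB} tables")
        active = [p for p in self.patterns if self.compliance in p.compliance_groups]
        results: Dict[str, Dict[str, List[str]]] = {}
        for table in tables:
            hits: Dict[str, List[str]] = {}
            for column, values in table.columns.items():
                names = [p.regex_name for p in active if p.flags(column, values)]
                if names:
                    hits[column] = names
            results[table.name] = hits
        return results


def sensitive_fields(results: Dict[str, Dict[str, List[str]]], table_name: str) -> str:
    """Value shown in the Sensitive Fields column of Discovery Results."""
    return "Found" if results.get(table_name) else "Not Found"


def sample_patterns() -> List[RegexPattern]:
    """Constructed patterns: a PAN pattern in PCI, an email pattern in GROUP-SAMPLE."""
    return [
        RegexPattern("PAN", search_in_data=r"\b\d{4}[- ]?\d{4}[- ]?\d{4}[- ]?\d{4}\b",
                     search_in_column_names=r"\b(card|pan|ccnum)", compliance_groups=["PCI"]),
        RegexPattern("Email", search_in_data=r"[^@\s]+@[^@\s]+\.[a-z]{2,}",
                     compliance_groups=["GROUP-SAMPLE"]),
    ]


def sample_tables() -> List[Table]:
    """Constructed tables with a few sampled rows each."""
    return [
        Table("customers", {
            "email": ["ann@example.com", "bob@example.org"],
            "cardholder": ["A. Example", "B. Example"],   # flagged by column name only
            "card_no": ["4111 1111 1111 1111", None],      # flagged by name and by data
        }),
        Table("orders", {
            "amount": ["19.99", "250.00"],
            "notes": ["paid with 4111-1111-1111-1111 on file"],  # flagged by data only
        }),
        Table("products", {"sku": ["A-100", "B-200"]}),
    ]


if __name__ == "__main__":
    found = DiscoveryJob("pci-scan", "PCI", sample_patterns()).run(sample_tables())
    for name, hits in found.items():
        print(name, sensitive_fields(found, name), hits)
```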


8 Configuring Database Monitoring Policies

HexaTier provides the database activity monitoring (also called database audit) capability, which is presented to users in a refined manner. You can select the audit scope as needed.

HexaTier provides IT personnel and security administrators with all database query information, such as extracting, modifying, and deleting database data, and modifying database configuration and system settings.

In the advanced activity monitoring function of HexaTier, original data and modified data are displayed in red to quickly compare data changes and display detailed information about modification events (such as source IP address, user, application name, affected rows, and modification time).

To use the database activity monitoring function, you must configure the log repository.

8.1 Creating or Editing an Activity Monitoring Rule

Scenario

Create and edit an activity monitoring rule.

You can create four types of activity monitoring rules:

- Administrative: activity monitoring for schema configuration and system setting modification.

- Table Based: activity monitoring of data viewing, modifying and deleting in tables.

- Procedure Based: activity monitoring of database stored procedures.

- Login Events: activity monitoring of user login or logout, and database changes.

Prerequisites

You have configured the log repository.

Procedure

Step 1 On HexaTier main menu, click Monitoring.

Step 2 In the navigation tree, choose Policy.


Step 3 Perform the following operations as needed.

- Create an activity monitoring rule: In the command bar, click Create New.

- Edit an existing activity monitoring rule: Click the (Edit) button at the end of the row where the rule to be edited resides.

Step 4 Select a monitoring type from the Type drop-down list box and configure the associated parameters.

Table 8-1 Parameters of activity monitoring rules: administrative

Parameter Description

Database  Specifies the database to be audited by this rule. If you select All Databases, you need to specify all proxies or a specific proxy.

Proxy  Specifies the proxy with which this rule is associated.

Source IP  Specifies the source IP address to be audited, which can be a specific IP address, IP address range, or IP address group.

Database Username  Specifies the database user to be audited by this rule. The user can be a specific user or a user group.

Active Directory User  Specifies the active directory user to be audited by this rule. The user can be a specific user or a user group.
NOTE
This parameter is displayed only when the LDAP integration mode is configured. For details about how to configure the LDAP integration mode, see Setting the LDAP Mode.

Application Name  Specifies the application to be audited by this rule. You can specify an application name or an application group.

Alerts (SMTP)  An alert is sent by email when an event defined by this rule occurs. To use this option, ensure that the alert has been correctly configured and enabled. For details about how to configure alerts, see Configuring Alert-related Settings.

Disable Rule  Disables this rule.

Advanced Activity Monitoring  Performs detailed audits on sensitive administrative operations.

Administrative activity monitoring groups  You can narrow the audit scope to specified administrative operations using this option.


Table 8-2 Parameters of activity monitoring rules: table-based

Parameter Description

Database  Specifies the database to be audited by this rule. If you select All Databases, you need to specify all proxies or a specific proxy.

Proxy  Specifies the proxy with which this rule is associated.

Source IP  Specifies the source IP address to be audited, which can be a specific IP address, IP address range, or IP address group.

Database Username  Specifies the database user to be audited by this rule. The user can be a specific user or a user group.

Active Directory User  Specifies the active directory user to be audited by this rule. The user can be a specific user or a user group.
NOTE
This parameter is displayed only when the LDAP integration mode is configured. For details about how to configure the LDAP integration mode, see Setting the LDAP Mode.

Application Name  Specifies the application to be audited by this rule. You can specify an application name or an application group.

Alerts (SMTP)  An alert is sent by email when an event defined by this rule occurs. To use this option, ensure that the alert has been correctly configured and enabled. For details about how to configure alerts, see Configuring Alert-related Settings.

Disable Rule  Disables this rule.

Advanced Activity Monitoring  Performs detailed audits on sensitive tables and columns.

Monitored actions  Performs activity monitoring on any combination of viewing, modifying, and deleting events. You can narrow the audit to specific tables or columns of the database by selecting them from the drop-down list box. Alternatively, you can click New to add a table or column.

Any Table/Column  By using this option, you can select a table/column to be audited, which can be a specific table/column or all tables/columns. You can also click New to select a new table/column object.

Table 8-3 Parameters of activity monitoring rules: procedure-based

Parameter Description

Database  Specifies the database to be audited by this rule. If you select All Databases, you need to specify all proxies or a specific proxy.


Proxy Specifies the proxy with which this rule is associated.

Source IP  Specifies the source IP address to be audited, which can be a specific IP address, IP address range, or IP address group.

Database Username  Specifies the database user to be audited by this rule. The user can be a specific user or a user group.

Active Directory User  Specifies the active directory user to be audited by this rule. The user can be a specific user or a user group.
NOTE
This parameter is displayed only when the LDAP integration mode is configured. For details about how to configure the LDAP integration mode, see Setting the LDAP Mode.

Application Name  Specifies the application to be audited by this rule. You can specify an application name or an application group.

Alerts (SMTP)  An alert is sent by email when an event defined by this rule occurs. To use this option, ensure that the alert has been correctly configured and enabled. For details about how to configure alerts, see Configuring Alert-related Settings.

Disable Rule  Disables this rule.

Any Procedure  By using this option, you can select a procedure to be audited, which can be a specific procedure or all procedures. You can also click New to select a new stored procedure object and click More to add more procedure objects.

Table 8-4 Parameters of activity monitoring rules: login events

Parameter Description

Proxy Specifies the proxy with which this rule is associated.

Source IP  Specifies the source IP address to be audited, which can be a specific IP address, IP address range, or IP address group.

Alerts (SMTP)  An alert is sent by email when an event defined by this rule occurs. To use this option, ensure that the alert has been correctly configured and enabled. For details about how to configure alerts, see Configuring Alert-related Settings.

Disable Rule Disables this rule.


Monitored actions  Performs activity monitoring on the following operations:
- Successful login
- Failed login
- Logout
- Database change

Step 5 Click Create or Update.

----End

8.2 Auditable Objects and Commands

This section describes the objects and commands that can be audited by HexaTier.

MySQL

Object/Command  CREATE  DROP  ALTER  GRANT  REVOKE

USER  √  √  √  √  √

PLUGIN, SERVER, EVENT, INDEX, TRIGGER, FUNCTION, PROCEDURE, DATABASE, VIEW, TABLE  √  √  √  -  -

NOTE

In addition to the above, INSERT, UPDATE, DELETE, TRUNCATE, and SELECT on sensitive tables or columns are also audited (SELECT commands on sensitive tables or columns are audited only when SELECT is configured on the HexaTier administrative console).


MS SQL

Object/Command  CREATE  DROP  ALTER

LOG SHIPPING MONITOR, TYPE, EXTENDED PROCEDURE, SPECIAL INDEX, RENAME OBJECT*, SYSTEM CONFIGURATION, STATISTICS, LOG SHIPPING SECONDARY, LOG SHIPPING PRIMARY, FUNCTION, SIGNATURE, DATABASE MASTER KEY, SERVICES MASTER KEY, LINKED SERVER, OPERATOR, ALERT, CATEGORY, SCHEDULE, JOB, MESSAGE, ASSEMBLY, PROCEDURE, TABLE, USER, DATABASE, INDEX, BACKUP DEVICE, VIEW, PARTITION FUNCTION, PARTITION SCHEMA, SCHEMA, SERVER AUDIT, SERVER AUDIT SPECIFICATION, CERTIFICATE, CREDENTIAL, SYMMETRIC KEY, ASYMMETRIC KEY, APPLICATION ROLE, DATABASE ROLE, REMOTE LOGIN, LOGIN, FULLTEXT CATALOG, FULLTEXT INDEX, TRIGGER, SEQUENCE  √  √  √

NOTE

In addition to the above, INSERT, UPDATE, DELETE, TRUNCATE, and SELECT on sensitive tables or columns are also audited (SELECT commands on sensitive tables or columns are audited only when SELECT is configured on the HexaTier administrative console).

PostgreSQL

Object/Command  CREATE  DROP  ALTER

USER, ROLE, AGGREGATE, DB, EVENT, FULLTEXT CATALOG, FUNCTION, GROUP, INDEX, DROP, PLUGIN, POLICY, RULE, SCHEMA, SEQUENCE, SERVER, SQL_OPERATOR, TABLE, TABLESPACE, TRIGGER, DROP, TYPE, VIEW  √  √  √

Auditable objects and commands:

- User: GRANT and REVOKE
- Table: ANALYZE, BATCH INSERT, and TRUNCATE
- Transaction: START, ROLLBACK, and COMMIT
- Variable: DISPLAY


NOTE

In addition to the above, INSERT, UPDATE, DELETE, TRUNCATE, and SELECT on sensitive tables or columns are also audited (SELECT commands on sensitive tables or columns are audited only when SELECT is configured on the HexaTier administrative console).

8.3 Viewing Activity Monitoring Logs

Scenario

View activity monitoring events.

Procedure

Step 1 On HexaTier main menu, click Monitoring.

Step 2 In the navigation tree, choose Monitoring Logs.

The basic information about monitoring logs is displayed.

Step 3 Click a monitoring log to view details.

NOTE

If Advanced Activity Monitoring is selected in the related rules, the modified object window is displayed based on the preset rules.

----End


9 Configuring Dynamic Data Masking Policies

HexaTier's data masking feature allows you to mask sensitive information, such as credit card numbers, email addresses, and license information, from unauthorized users.

The HexaTier solution provides real-time data masking and ensures that the sensitive information of database users is not exposed.

To enable data masking, you do not need to change anything in your database or applications. You only need to set a proper policy in HexaTier.

You can set rules to mask information from specific tables, columns, and queries originating from specific source IP addresses, users, and applications.

This topic describes how to set data masking rules and view masking event logs in HexaTier.

NOTE

If you enable data masking, HexaTier creates a masking function on every protected database.

9.1 Creating and Editing Data Masking Rules

Scenario

Create and edit a data masking rule.

Procedure

Step 1 On HexaTier main menu, click Masking.

Step 2 In the navigation tree, choose Policy.

Step 3 Perform the following operations as needed.

- Create a data masking rule: In the command bar, click Create New.

- Edit an existing data masking rule: Click (Edit) at the end of the row where the rule to be edited resides.


Step 4 Set the following parameters as needed, and then click Create or Update.

Table 9-1 Data Masking Parameters

Parameter Description

Database Specifies the databases to be masked using this rule.

Source IP  By setting this parameter, you can apply a rule to queries from any IP address or only to queries from a specific IP address, IP address range, or IP address group.

Database Username  By setting this parameter, you can apply a rule to queries from any database user or only to queries from a specific user or user group.

Application Name  By setting this parameter, you can apply a rule to queries from any application or only to queries from a specific application or application group.

Alerts (SMTP)  Specifies an alert sent by email when an event defined by this rule occurs. To use this option, ensure that the alert has been correctly configured and enabled. For details about how to configure alerts, see Configuring Alert-related Settings.

Disable Rule  Disables this rule.

Columns  Specifies the columns to be masked by this rule. If necessary, you can click New to add a new column using the new column wizard.
NOTE
You can select columns only when credentials are entered for the database server that hosts the database.

Behavior  Specifies the type of data masking, which depends on the selected column type.
- Mask All: masks all data.
- Empty: returns the data as an empty string.
- Credit card masking: masks the last four digits of a credit card. Other characters are masked.
- Random number: displays random numbers instead of the original data.
- Full Email masking: masks the user name and domain in an email address. For example: [email protected] is converted to [email protected].
- Mask all digits: masks all digits in a string. For example, all digits in a zip code are masked: 123456 is converted to ******.
- Fixed string: replaces all values in a column with CONFIDENTIAL.
NOTE
If you have defined two or more types of columns, you can select only Mask All.

Condition  Masks data that meets the defined condition in the column.


Logging Determines whether to record data masking events.

----End

Reference

You can select different types of behavior based on column types. For details, see the behaviors in this table.

Table 9-2 Masking behavior

Column Type  Masking Behavior

String  Mask All, Empty, Credit Card Masking, Last Three Masking, Last Four Masking, Basic Email Masking, Full Email Masking, and so on

Date  Mask All

Numeric  Mask All, and Random Number

The following table defines data masking condition operators based on column types.

Table 9-3 Condition operators

Column Type  Masking Condition Operators

Numeric  Equal to, Not equal to, Bigger than, Less than, Bigger or equal, and Less or equal

Other types  Equal to, Not equal to, Contains, and Does not contain
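As an added illustration (not HexaTier code) of the Behavior, Condition and Logging parameters in Table 9-1 and of the restrictions in Tables 9-2 and 9-3, the following Python model masks rows of a constructed cards table with three rules. The "*" masking character, the exact shape of the masked card and email values, and the rule and event fields are assumptions; demo() returns the masked rows and the recorded masking events.

```python
import re
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Tuple

# Constructed model (not HexaTier code) of a dynamic data masking rule: behaviours
# from Table 9-1, column-type restrictions from Table 9-2, condition operators from
# Table 9-3. The "*" mask character, output shapes and event fields are assumptions.

ALLOWED_BEHAVIOR = {  # Table 9-2, limited to the behaviours implemented below
    "String": {"Mask All", "Credit Card Masking", "Full Email Masking",
               "Mask All Digits", "Fixed String"},
    "Date": {"Mask All"},
    "Numeric": {"Mask All"},
}
NUMERIC_OPS = {"Equal to", "Not equal to", "Bigger than", "Less than",
               "Bigger or equal", "Less or equal"}  # Table 9-3
OTHER_OPS = {"Equal to", "Not equal to", "Contains", "Does not contain"}

def mask_value(behavior: str, value: Any) -> str:
    """Apply one masking behaviour to a single cell value."""
    text = str(value)
    if behavior == "Mask All":
        return "*" * len(text)
    if behavior == "Credit Card Masking":
        # Assumed: the last four digits stay visible, every other digit is masked.
        hide = set([i for i, ch in enumerate(text) if ch.isdigit()][:-4])
        return "".join("*" if i in hide else ch for i, ch in enumerate(text))
    if behavior == "Full Email Masking":
        # Assumed: user name and domain characters are masked, "@" and "." are kept.
        return re.sub(r"[^@.]", "*", text)
    if behavior == "Mask All Digits":
        return re.sub(r"\d", "*", text)  # 123456 -> ******
    if behavior == "Fixed String":
        return "CONFIDENTIAL"
    raise ValueError(f"unknown behavior {behavior!r}")

def condition_holds(col_type: str, operator: str, cell: Any, operand: Any) -> bool:
    """Evaluate a rule condition with the operator set of Table 9-3."""
    if col_type == "Numeric":
        if operator not in NUMERIC_OPS:
            raise ValueError(f"{operator!r} is not valid for Numeric columns")
        a, b = float(cell), float(operand)
        return {"Equal to": a == b, "Not equal to": a != b, "Bigger than": a > b,
                "Less than": a < b, "Bigger or equal": a >= b, "Less or equal": a <= b}[operator]
    if operator not in OTHER_OPS:
        raise ValueError(f"{operator!r} is not valid for {col_type} columns")
    a, b = str(cell), str(operand)
    return {"Equal to": a == b, "Not equal to": a != b,
            "Contains": b in a, "Does not contain": b not in a}[operator]

@dataclass
class MaskingRule:
    database: str
    columns: Dict[str, str]                      # column name -> column type
    behavior: str
    condition: Optional[Tuple[str, Any]] = None  # (operator, operand) tested on the cell
    logging: bool = True                         # the Logging parameter of Table 9-1

    def __post_init__(self) -> None:
        types = set(self.columns.values())
        # NOTE under Behavior: with two or more column types only Mask All is allowed.
        if len(types) > 1 and self.behavior != "Mask All":
            raise ValueError("only Mask All may be used with mixed column types")
        for col_type in types:
            if self.behavior not in ALLOWED_BEHAVIOR[col_type]:
                raise ValueError(f"{self.behavior!r} is not allowed for {col_type} columns")

    def apply(self, row: Dict[str, Any], events: List[Dict[str, Any]]) -> Dict[str, Any]:
        """Return the row as the client sees it; record one event per masked cell."""
        out = dict(row)
        for col, col_type in self.columns.items():
            if col not in row or (self.condition and not condition_holds(
                    col_type, self.condition[0], row[col], self.condition[1])):
                continue
            out[col] = mask_value(self.behavior, row[col])
            if self.logging:
                events.append({"database": self.database, "column": col, "behavior": self.behavior})
        return out

def demo() -> Tuple[List[Dict[str, Any]], List[Dict[str, Any]]]:
    """Constructed rows of a cards table passed through three masking rules."""
    rows = [
        {"card_no": "4111 1111 1111 1111", "email": "jane@example.com", "balance": 2500},
        {"card_no": "5500 0000 0000 0004", "email": "bob@example.org", "balance": 40},
    ]
    rules = [
        MaskingRule("payments", {"card_no": "String"}, "Credit Card Masking"),
        MaskingRule("payments", {"email": "String"}, "Full Email Masking",
                    condition=("Does not contain", "@example.org")),
        MaskingRule("payments", {"balance": "Numeric"}, "Mask All",
                    condition=("Bigger than", 1000)),
    ]
    events: List[Dict[str, Any]] = []
    masked = []
    for row in rows:
        for rule in rules:
            row = rule.apply(row, events)
        masked.append(row)
    return masked, events
```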

9.2 Viewing Data Masking Event Logs

Scenario

View data masking events

Procedure

Step 1 On HexaTier main menu, click Masking.

Step 2 In the command bar, choose Masking Logs.

In the workspace, the basic information about event logs is displayed.


Step 3 Click the event log to see more details about the event.

----End


10 More Configuration

10.1 Configuring Policy Objects

Objects are the main components of a policy rule. You can use them when creating a rule. The objects include:

- IP addresses, which include IP addresses, ranges, and groups. They can be used for creating database security policies, active directory monitoring policies, and dynamic data masking policies.

- Database users, which include database users and user groups. They can be used for creating database security policies, active directory monitoring policies, and dynamic data masking policies.

- Applications, which include application names and groups. They can be used for creating database security policies, active directory monitoring policies, and dynamic data masking policies.

- Schedules, which include one-time, recurring, and group schedules. They can be used for creating database security policies.

- Tables, which include single tables and groups. They can be used for creating table-based database firewall policies.

- Stored procedures, which include stored procedures and groups. They can be used for creating stored procedure-based database firewall policies.

NOTE

After you set the LDAP integration mode, you can create an active directory user to set mode details. For details about how to configure the LDAP integration mode, see Setting the LDAP Mode.

Objects of the same type can be combined into an object group. An object can be associated with a specific database type, proxy, database, or a combination of these, and is then displayed only in the corresponding configuration.

10.1.1 Configuring IP Address Objects

Scenario

Create or edit IP address objects.


Before applying a rule to IP address objects, create an IP address object and select it as an object for the rule.

You can also create an IP group to combine several IP address objects into one.

The objects include:

- IP Addresses

- IP Ranges

- IP Groups

Procedure

Step 1 On the main menu, click Assets.

Step 2 In the navigation tree, select Objects > IP Addresses.

Step 3 In the navigation tree, choose:

- Addresses

- Ranges

- Groups

Step 4 Perform either of the following operations:

- Create a new object

  In the command bar, click Create New.

- Edit an existing object

  Click (Edit) at the end of the row where the object to be edited resides.

Step 5 In the workspace, set the following parameters:

Parameter Type | Parameter Name | Description
General | Name | Specifies the name of the object. When setting a policy rule, you can select the object for the rule.
General | Color | Displays the object in the specified color in the object list.
General | Database Type | Specifies the type of database associated with the object. If it is not specified, the object is associated with all database types. After a database type is selected, the object is available for selection only when you set a policy rule for that database type.
General | Proxy | Specifies the proxy associated with the object. If it is not specified, the object is associated with all proxies. After a proxy is selected, the object is available for selection only when you set a policy rule for that proxy.
General | Database | Specifies the database associated with the object. If it is not specified, the object is associated with all databases. After a database is selected, the object is available for selection only when you set a policy rule for that database.
IP Addresses | IP Address | Specifies the IP address.
IP Addresses | Netmask | Specifies the subnet mask. The default value is 255.255.255.255, which matches only the single IP address given.
IP Ranges | IP Address Start | Specifies the first IP address in the range.
IP Ranges | IP Address End | Specifies the last IP address in the range.
IP Groups | Available Members | Displays the objects that can be added to the IP address group, filtered by the database type, proxy, and database criteria. To move an IP address object from the Available Members list to the Current Members list, double-click it, or click it and then click Add.
IP Groups | Current Members | Displays the objects already in the IP address group. To remove an IP address object from the Current Members list, double-click it, or select it and then click Remove.

Step 6 Click Create or Update.

----End
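As an added example (not HexaTier's own code), the following Go program models how a rule evaluator could test a client address against the three IP object kinds described above: an address with its netmask, a range, and a group that nests other objects. The object names and addresses are constructed for the demonstration; the point to notice is that an address object with the default netmask matches exactly one host, while a shorter mask silently widens the rule to a whole subnet.

```go
package main

import (
	"bytes"
	"fmt"
	"net"
	"sort"
)

// IPObject is shared by the three object kinds under Objects > IP Addresses.
// This is a constructed model for the example, not HexaTier's own data model.
type IPObject interface {
	Matches(ip net.IP) bool
}

// IPAddress is an "Addresses" object: one IP plus a netmask. The UI default
// 255.255.255.255 leaves no host bits, so the object matches exactly one host.
type IPAddress struct {
	Addr    net.IP
	Netmask net.IPMask
}

// NewIPAddress validates the two UI fields. An empty netmask takes the
// default; a non-contiguous mask such as 255.0.255.0 is rejected because
// a rule built on it would match hosts the operator did not intend.
func NewIPAddress(addr, netmask string) (IPAddress, error) {
	ip := net.ParseIP(addr).To4()
	if ip == nil {
		return IPAddress{}, fmt.Errorf("invalid IPv4 address %q", addr)
	}
	if netmask == "" {
		netmask = "255.255.255.255"
	}
	m := net.ParseIP(netmask).To4()
	if m == nil {
		return IPAddress{}, fmt.Errorf("invalid netmask %q", netmask)
	}
	mask := net.IPMask(m)
	if _, bits := mask.Size(); bits == 0 {
		return IPAddress{}, fmt.Errorf("netmask %q is not contiguous", netmask)
	}
	return IPAddress{Addr: ip, Netmask: mask}, nil
}

func (a IPAddress) Matches(ip net.IP) bool {
	ip4 := ip.To4()
	return ip4 != nil && ip4.Mask(a.Netmask).Equal(a.Addr.Mask(a.Netmask))
}

// IPRange is a "Ranges" object: every address from Start to End inclusive.
type IPRange struct{ Start, End net.IP }

func (r IPRange) Matches(ip net.IP) bool {
	ip4 := ip.To4()
	return ip4 != nil && bytes.Compare(ip4, r.Start.To4()) >= 0 && bytes.Compare(ip4, r.End.To4()) <= 0
}

// IPGroup is a "Groups" object; members may themselves be groups.
type IPGroup struct{ Members []IPObject }

func (g IPGroup) Matches(ip net.IP) bool {
	for _, m := range g.Members {
		if m.Matches(ip) {
			return true
		}
	}
	return false
}

// MatchingObjects returns, sorted, the names of every object a client IP
// falls into; this is what a rule evaluator needs before applying a policy.
func MatchingObjects(objects map[string]IPObject, client string) []string {
	names := []string{}
	ip := net.ParseIP(client)
	if ip == nil {
		return names
	}
	for name, obj := range objects {
		if obj.Matches(ip) {
			names = append(names, name)
		}
	}
	sort.Strings(names)
	return names
}

// SampleObjects is a constructed object set, like one an operator might
// create under Assets > Objects > IP Addresses.
func SampleObjects() map[string]IPObject {
	admin, _ := NewIPAddress("10.0.0.5", "")            // default mask: one host
	lan, _ := NewIPAddress("10.0.1.0", "255.255.255.0") // the whole /24
	jump := IPRange{Start: net.ParseIP("192.168.5.10"), End: net.ParseIP("192.168.5.20")}
	return map[string]IPObject{
		"admin-host": admin,
		"office-lan": lan,
		"jump-range": jump,
		"trusted":    IPGroup{Members: []IPObject{admin, jump}},
	}
}

func main() {
	objs := SampleObjects()
	for _, c := range []string{"10.0.0.5", "10.0.0.6", "10.0.1.77", "192.168.5.15"} {
		fmt.Printf("%-13s -> %v\n", c, MatchingObjects(objs, c))
	}
}
```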

10.1.2 Configuring Database User Objects

Scenario

Create or edit database user objects.

Before applying a rule to database user objects, create a database user object and select it as an object for the rule.

You can also create a database user group to combine several database user objects into one.

Procedure

Step 1 On the main menu, click Assets.

Step 2 In the navigation tree, choose Objects > DB users.

Step 3 In the navigation tree, choose:

- Users

- Groups

Step 4 Perform either of the following operations:

- Create a new object

  In the command bar, click Create New.

- Edit an existing object

  Click (Edit) at the end of the row where the object to be edited resides.

Step 5 In the workspace, set the following parameters:

Parameter Type | Parameter Name | Description
General | Name | Specifies the name of the database user. When setting a policy rule, you can select the object for the rule.
General | Color | Displays the object in the specified color in the object list.
General | Database Type | Specifies the type of database associated with the object. If it is not specified, the object is associated with all database types. After a database type is selected, the object is available for selection only when you set a policy rule for that database type.
General | Proxy | Specifies the proxy associated with the object. If it is not specified, the object is associated with all proxies. After a proxy is selected, the object is available for selection only when you set a policy rule for that proxy.
General | Database | Specifies the database associated with the object. If it is not specified, the object is associated with all databases. After a database is selected, the object is available for selection only when you set a policy rule for that database.
Groups | Available Members | Displays the objects that can be added to the database user group, filtered by the database type, proxy, and database criteria. To move a database user object from the Available Members list to the Current Members list, double-click it, or click it and then click Add.
Groups | Current Members | Displays the objects already in the database user group. To remove a database user from the Current Members list, double-click it, or select it and then click Remove.

Step 6 Click Create or Update.

----End


10.1.3 Configuring Application Objects

Scenario

Create or edit an application object connected to HexaTier.

You can create a policy rule and use it for an application.

An application group can contain multiple existing applications or application groups.

Procedure

Step 1 On the main menu, click Assets.

Step 2 In the navigation tree, choose Objects > Applications.

Step 3 In the navigation tree, choose:

- Names

- Groups

Step 4 Perform either of the following operations:

- Create a new object

  In the command bar, click Create New.

- Edit an existing object

  Click (Edit) at the end of the row where the object to be edited resides.

Step 5 In the workspace, set the following parameters:

Parameter Type | Parameter Name | Description
General | Name | Specifies the name of the object. When setting a policy rule, you can select the application object for the rule.
General | Color | Displays the object name in the specified color in the object list.
General | Database Type | Specifies the type of database associated with the object. If it is not specified, the object is associated with all database types. After a database type is selected, the object is available for selection only when you set a policy rule for that database type.
General | Proxy | Specifies the proxy associated with the object. If it is not specified, the object is associated with all proxies. After a proxy is selected, the object is available for selection only when you set a policy rule for that proxy.
General | Database | Specifies the database associated with the object. If it is not specified, the object is associated with all databases. After a database is selected, the object is available for selection only when you set a policy rule for that database.
Groups | Available Members | Displays the objects that can be added to the application group, filtered by the database type, proxy, and database criteria. To move an application name from the Available Members list to the Current Members list, double-click it, or click it and then click Add.
Groups | Current Members | Displays the objects already in the application group. To remove an application name from the Current Members list, double-click it, or select it and then click Remove.

Step 6 Click Create or Update.

----End

10.1.4 Configuring Schedule Objects

Scenario

Create or edit schedule objects.

The schedule is used when you create a firewall policy to specify when the policy is enabled.

You can create a policy rule and use it for a schedule.

You can create a schedule group to combine multiple schedules into one.

The schedule objects include:

- One-time schedule

- Recurring schedule

- Schedule group

Procedure

Step 1 On the main menu, click Assets.

Step 2 In the navigation tree, choose Objects > Schedules.

Step 3 In the navigation tree, choose:

- One-Time

- Recurring

- Groups

Step 4 Perform either of the following operations:

- Create a new object

  In the command bar, click Create New.

- Edit an existing object

  Click (Edit) at the end of the row where the object to be edited resides.

Step 5 In the workspace, set the following parameters:

Parameter Type | Parameter Name | Description
General | Name | Specifies the name of the object. When setting a policy rule, you can select the object for the rule.
General | Color | Displays the object in the specified color in the object list.
General | Database Type | Specifies the type of database associated with the object. If it is not specified, the object is associated with all database types. After a database type is selected, the object is available for selection only when you set a policy rule for that database type.
General | Proxy | Specifies the proxy associated with the object. If it is not specified, the object is associated with all proxies. After a proxy is selected, the object is available for selection only when you set a policy rule for that proxy.
General | Database | Specifies the database associated with the object. If it is not specified, the object is associated with all databases. After a database is selected, the object is available for selection only when you set a policy rule for that database.
One-Time | Start Date | Specifies the start date of the one-time schedule.
One-Time | Start Time | Specifies the start time of the one-time schedule.
One-Time | End Date | Specifies the end date of the one-time schedule.
One-Time | End Time | Specifies the end time of the one-time schedule.
Recurring | Week Days | Specifies the days of the week on which the recurring schedule is enabled. You can select one or more days.
Recurring | Start Time | Specifies the start time of the recurring schedule.
Recurring | End Time | Specifies the end time of the recurring schedule.
Groups | Available Members | Displays the objects that can be added to the schedule group, filtered by the database type, proxy, and database criteria. To move a schedule object from the Available Members list to the Current Members list, double-click it, or click it and then click Add.
Groups | Current Members | Displays the objects already in the schedule group. To remove a schedule object from the Current Members list, double-click it, or select it and then click Remove.

Step 6 Click Create or Update.

----End

10.1.5 Configuring Table Objects

Scenario

Create or edit table objects.

You can create a policy rule and use it for table objects.

You can also create a table group to combine several table objects into one.

Procedure

Step 1 On the main menu, click Assets.

Step 2 In the navigation tree, choose Objects > Tables.

Step 3 In the navigation tree, choose:

- Names

- Groups

Step 4 Perform either of the following operations:

- Create a new object

  In the command bar, click Create New.

- Edit an existing object

  Click (Edit) at the end of the row where the object to be edited resides.

Step 5 In the workspace, set the following parameters:

Parameter Type | Parameter Name | Description
General | Name | Specifies the name of the object. When setting a policy rule, you can select the table object for the rule.
General | Color | Displays the object name in the specified color in the object list.
General | Database Type | Specifies the type of database associated with the object. If it is not specified, the object is associated with all database types. After a database type is selected, the object is available for selection only when you set a policy rule for that database type.
General | Proxy | Specifies the proxy associated with the object. If it is not specified, the object is associated with all proxies. After a proxy is selected, the object is available for selection only when you set a policy rule for that proxy.
General | Database | Specifies the database associated with the object. If it is not specified, the object is associated with all databases. After a database is selected, the object is available for selection only when you set a policy rule for that database.
Names | Name | Click Browse to set the table name.
Groups | Name | Specifies the name of the table group. When setting a policy rule, you can select the table group for the rule.
Groups | Available Members | Displays the objects that can be added to the table group, filtered by the database type, proxy, and database criteria. To move a table object from the Available Members list to the Current Members list, double-click it, or click it and then click Add.
Groups | Current Members | Displays the objects already in the table group. To remove a table object from the Current Members list, double-click it, or select it and then click Remove.

Step 6 Click Create or Update.

----End

10.1.6 Configuring Procedure Objects

Scenario

Create or edit stored procedure objects.

You can create a policy rule and use it for procedure objects.

You can also create a procedure group to combine several procedure objects into one.

Procedure

Step 1 On the main menu, click Assets.

Step 2 In the navigation tree, choose Objects > Procedures.

Step 3 In the navigation tree, choose:

- Names

- Groups

Step 4 Perform either of the following operations:

- Create a new object

  In the command bar, click Create New.

- Edit an existing object

  Click (Edit) at the end of the row where the object to be edited resides.

Step 5 In the workspace, set the following parameters:

Parameter Type | Parameter Name | Description
General | Name | Specifies the name of the object. When setting a policy rule, you can select the procedure object for the rule.
General | Color | Displays the object name in the specified color in the object list.
General | Database Type | Specifies the type of database associated with the object. If it is not specified, the object is associated with all database types. After a database type is selected, the object is available for selection only when you set a policy rule for that database type.
General | Proxy | Specifies the proxy associated with the object. If it is not specified, the object is associated with all proxies. After a proxy is selected, the object is available for selection only when you set a policy rule for that proxy.
General | Database | Specifies the database associated with the object. If it is not specified, the object is associated with all databases. After a database is selected, the object is available for selection only when you set a policy rule for that database.
Names | Name | Click Browse to set the procedure name.
Groups | Name | Specifies the name of the stored procedure group. When setting a policy rule, you can select the stored procedure group for the rule.
Groups | Available Members | Displays the objects that can be added to the stored procedure group, filtered by the database type, proxy, and database criteria. To move a stored procedure object from the Available Members list to the Current Members list, double-click it, or click it and then click Add.
Groups | Current Members | Displays the objects already in the stored procedure group. To remove a stored procedure object from the Current Members list, double-click it, or select it and then click Remove.

Step 6 Click Create or Update.

----End

10.2 Configuring Alert-related Settings

The HexaTier alert function sends alert emails about specified events to a list of associated contacts.

To send alerts to contacts, an SMTP server must be configured.

You can enable or disable the alert function for each rule.

10.2.1 Creating or Editing an Alert

Scenario

Create or edit an alert.

The alert types are as follows.

Table 10-1 Alert types

Alert Type | Description
System | Specifies the system logs, which contain information about logins and about rule creation and deletion.
Traffic | Specifies the query results of the database firewall rules.
Intrusion | Specifies all query tasks detected by the IPS or IDS mechanism. Thousands of alerts can be generated every minute during an intrusion attempt. If the alert interval is set incorrectly, the mailboxes of the associated contacts may be flooded with thousands of alert emails, and the sending address may be flagged as a spam source.
Monitoring | through the HexaTier proxy and are not blocked.
Masking | through the HexaTier proxy and match a data masking rule.

Prerequisites

You have configured alert contacts and an SMTP server.

Procedure

Step 1 On the HexaTier main menu, click System.

Step 2 In the navigation tree, choose Alerts.

Step 3 Perform the following operations as required:

- Create an alert

  In the command bar, click Create New.

- Edit an existing alert

  Click (Edit) at the end of the row where the alert to be edited resides.

Step 4 Set required parameters and click Create or Update.

Table 10-2 Alert parameters

Parameter Name | Description
Alert Name | Specifies the alert name.
Alert Interval | Specifies how often alerts are sent to the selected contacts.
Alert Type | Specifies the type of events to appear in the alert.
Verbose | Includes the SQL text of the events in the alert emails.
Email Contacts | Specifies the contacts who will receive the alerts.

----End

10.2.2 Configuring a Contact

Scenario

Configure contact information.

To send alerts, you must set up the contacts who will receive them. The contact information includes names and email addresses.

NOTE

You can create only one contact for an email address.


Procedure

Step 1 On HexaTier main menu, click System.

Step 2 In the navigation tree, choose Alerts > Contacts.

Step 3 Perform one of the following:

l Create a contact

In the command bar, click Create New.

l Edit an existing contact

Click (edit) at the end of the row where the contact to be edited resides.

Step 4 Specify detailed information about the contact, including its Nickname, Email address, first name, and last name.

Step 5 Click Create or Update.

----End

10.2.3 Configuring an SMTP Server

Scenario

Configure an SMTP server.

To send alerts, you must configure SMTP servers. You can create multiple SMTP servers and let them work in primary/secondary mode: if the primary SMTP server cannot be reached, the system automatically switches to the secondary SMTP server to send alert emails. For details about how to configure the primary and secondary SMTP servers, see Configuring System Parameters.

NOTE

By default, the SSL connection is used for SMTP server configuration.

Procedure

Step 1 On the HexaTier main menu, click System.

Step 2 In the navigation tree, choose Alerts > SMTP Servers.

Step 3 Perform one of the following:

- Create an SMTP server

  In the command bar, click Create New.

- Edit an existing SMTP server

  Click (Edit) at the end of the row where the SMTP server to be edited resides.

Step 4 Set the required parameters for the SMTP server and the sender. The parameters are listed in the following table.


Table 10-3 SMTP server parameters

Parameter Name | Description
SMTP server name | Specifies the SMTP server name.
SMTP server address | Specifies the IP address of the SMTP server.
SMTP server port | Specifies the TCP port on which the SMTP server accepts mail. The default port number is 25, and you can change it as required.
Username | Specifies the name of the user account used to connect to the SMTP server.
Password | Specifies the password of that user account.
From email | Specifies the sender's email address.
From name | Specifies the sender's name.

Step 5 Click Test server.

The SMTP server settings are checked.

Step 6 Click Create or Update.

NOTE

Before you perform the preceding operations, choose System > Configuration and set Objects Association to Enabled.

----End

10.3 Configuring SSL Security Settings

You can configure SSL security for both incoming (client to reverse proxy) and outgoing (reverse proxy to protected database server) communications.

SSL security settings contain:

- Protocol versions

  - TLS 1.2

  - TLS 1.1

  - TLS 1.0

  - SSL3

  - SSL2

- Cipher level

  - Modern is the highest level of security and is not backward compatible.

  - Intermediate is the medium level of security and is partially backward compatible.

  - Backward Compatible is the lowest level of security and is backward compatible.


- Block unencrypted connections: HexaTier accepts only encrypted communications with the protected database; unencrypted connections are aborted.

- Certificates maintained in HexaTier can use the following formats:

  - Standard PEM

  - PFX/PKCS#12

  - DER/Binary

10.3.1 Setting Incoming SSL Security Settings

Scenario

This task guides you through setting the incoming SSL security settings that protect the communication between HexaTier and the client.

You can set the minimum allowed protocol version and the cipher suite level, and block unencrypted connections between the client and HexaTier.

Procedure

Step 1 On the HexaTier main menu, click System.

Step 2 In the navigation tree, choose SSL > Incoming > Security Level.

Step 3 In the workspace, set associated parameters and click Update.

Table 10-4 Incoming SSL security parameters

Option | Description
Protocol Versions | Specifies the lowest protocol version that is accepted. Select one of TLS 1.2, TLS 1.1, TLS 1.0, SSL3, or SSL2.
Ciphers Level | Specifies the lowest cipher suite level that is accepted. Modern is the highest level of security and is not backward compatible; Intermediate is the medium level of security and is partially backward compatible; Backward Compatible is the lowest level of security and is backward compatible.
Block unencrypted connections | Requires new protected databases to use SSL.


NOTE

TLS 1.0 is supported only for compatibility with MySQL; it is not secure.

----End

10.3.2 Uploading Incoming Certificates

Scenario

Upload and manage the incoming certificates.

You can upload and download the trusted certificates, and the encryption keys, used for SSL between the client and HexaTier.

You can also validate the certificate strength. The requirements are as follows:

- The RSA public key is at least 1024 bits.

- The private key is encrypted with the given cipher field.

- The start date and expiration date are valid at the time of import.

- The certificate chain is valid.

- The signature hash is not SHA-1.

- The certificate has not been used in HexaTier before.

Procedure

Step 1 On HexaTier main menu, click System.

Step 2 In the navigation tree, choose SSL > Incoming > Certificates.

Step 3 Click Add.

The Upload Certificate page is displayed.

Step 4 In the Choose a Format drop-down list box, select a format for the certificate and perform the following operations:

- Standard PEM

  a. Paste the certificate.

  b. Paste the CA chain.

  c. Paste the private key.

  d. Enter the pass phrase.

- PFX/PKCS#12

  a. Click Select File and select the target file.

  b. Enter the pass phrase.

- DER/Binary

  a. In the Certificate drop-down list box, click Choose File and select the required file.

  b. In the CA Chain drop-down list box, click Choose File and select the required file.

  c. In the Private Key drop-down list box, click Choose File and select the required file.

  d. Enter the pass phrase.


Step 5 (Optional) Select Check Certificate Strength.

Step 6 Click Upload to upload the certificate.

The certificate is displayed in the certificate list.

----End

Viewing and Downloading a Certificate

- Click the icon at the end of the row where the certificate to be viewed resides. The certificate summary is displayed.

- Click the icon at the end of the row where the certificate to be downloaded resides.
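The strength requirements listed in this section can be reproduced outside the console. The following Go program is an added example, not HexaTier's implementation: it applies the requirements to a certificate parsed with the standard library, generates constructed test certificates (a root CA and a leaf) to exercise them, and treats "already used" as a SHA-256 fingerprint already seen. The private-key cipher requirement is not covered because only the certificate is inspected.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// CheckStrength applies the requirements the guide lists for Check Certificate
// Strength: an RSA key of at least 1024 bits, validity at import time, a
// signature hash other than SHA-1, a chain that verifies against the uploaded
// CA chain, and a certificate not already uploaded (tracked here by SHA-256
// fingerprint). The private-key cipher check is left out: only the certificate
// is inspected. One line is returned per failed requirement.
func CheckStrength(cert *x509.Certificate, caChain []*x509.Certificate, now time.Time, uploaded map[string]bool) []string {
	var problems []string
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); !ok {
		problems = append(problems, "public key is not RSA")
	} else if pub.N.BitLen() < 1024 {
		problems = append(problems, fmt.Sprintf("RSA key is only %d bits", pub.N.BitLen()))
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		problems = append(problems, "not valid at import time")
	}
	switch cert.SignatureAlgorithm {
	case x509.SHA1WithRSA, x509.ECDSAWithSHA1, x509.DSAWithSHA1:
		problems = append(problems, "signature hash is SHA-1")
	}
	roots := x509.NewCertPool()
	for _, c := range caChain {
		roots.AddCert(c)
	}
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now}); err != nil {
		problems = append(problems, "chain is not valid: "+err.Error())
	}
	if uploaded[Fingerprint(cert)] {
		problems = append(problems, "certificate has already been uploaded")
	}
	return problems
}

// Fingerprint is the SHA-256 of the DER encoding, used to detect re-uploads.
func Fingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return hex.EncodeToString(sum[:])
}

// issue builds constructed test certificates (self-signed when parent is nil).
func issue(cn string, notBefore, notAfter time.Time, isCA bool, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	signer := key
	if parent == nil {
		parent = tmpl
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func main() {
	now := time.Now()
	ca, caKey, err := issue("Constructed Root CA", now.Add(-time.Hour), now.Add(24*time.Hour), true, nil, nil)
	if err != nil {
		panic(err)
	}
	leaf, _, err := issue("proxy.example.test", now.Add(-time.Hour), now.Add(24*time.Hour), false, ca, caKey)
	if err != nil {
		panic(err)
	}
	fmt.Println("with CA chain:   ", CheckStrength(leaf, []*x509.Certificate{ca}, now, nil))
	fmt.Println("without CA chain:", CheckStrength(leaf, nil, now, nil))
}
```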

10.3.3 Configuring Outgoing SSL Security Encryption Settings

Scenario

This task guides you through setting the outgoing SSL security encryption.

You can set the protocol version and the cipher suite level, and block unencrypted connections between the database server and HexaTier.

Procedure

Step 1 On HexaTier main menu, click System.

Step 2 In the navigation tree, choose SSL > Outgoing > Security Level.

Step 3 In the Component Type area, locate the required encryption level and click the icon next to it.

The component type SSL security settings window is displayed.

Step 4 In the workspace, set the following parameters as required, and then click Update.

Parameter Name | Description
Protocol Versions | Specifies the lowest protocol version that is accepted. The options are TLS 1.2, TLS 1.1, TLS 1.0, SSL3, and SSL2.
Ciphers Level | Specifies the lowest cipher suite level that is accepted. Modern is the highest level of security and is not backward compatible; Intermediate is the medium level of security and is partially backward compatible; Backward Compatible is the lowest level of security and is backward compatible.
Block unencrypted connections | Select Block unencrypted connections to require new protected database servers to use SSL.

----End
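The protocol-version and cipher-level settings described for incoming (10.3.1) and outgoing (10.3.3) connections can be turned into an enforceable policy and checked before a proxy is exposed. The following Go program is an added example, not HexaTier code. It maps the three levels onto crypto/tls's own cipher-suite metadata using an assumed mapping (Modern = TLS 1.3 only, Intermediate = ECDHE with AEAD ciphers, Backward Compatible = every non-insecure suite), refuses SSL2 and SSL3 because crypto/tls cannot speak them, records the TLS 1.0 caveat from the note above, and reports whether a given peer offer would be accepted.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// CipherLevel is the "Ciphers Level" choice from the SSL security settings.
type CipherLevel int

const (
	BackwardCompatible CipherLevel = iota
	Intermediate
	Modern
)

// SSLPolicy holds the three settings the guide exposes for either direction.
type SSLPolicy struct {
	MinProtocol      string // "TLS 1.2", "TLS 1.1", "TLS 1.0", "SSL3" or "SSL2"
	Level            CipherLevel
	BlockUnencrypted bool
}

// Resolved is the compiled policy; Allowed also lists TLS 1.3 suites,
// which tls.Config cannot restrict.
type Resolved struct {
	Config   *tls.Config
	Allowed  []*tls.CipherSuite
	Warnings []string
}

var minVersions = map[string]uint16{
	"TLS 1.2": tls.VersionTLS12, "TLS 1.1": tls.VersionTLS11, "TLS 1.0": tls.VersionTLS10,
}

// admits maps a level onto crypto/tls's suite metadata. The mapping (Modern =
// TLS 1.3 only, Intermediate = ECDHE with an AEAD, Backward Compatible = every
// non-insecure suite) is this example's assumption, not HexaTier's definition.
func admits(level CipherLevel, cs *tls.CipherSuite) bool {
	tls13 := cs.SupportedVersions[0] == tls.VersionTLS13
	switch level {
	case Modern:
		return tls13
	case Intermediate:
		aead := strings.Contains(cs.Name, "GCM") || strings.Contains(cs.Name, "CHACHA20")
		return tls13 || (strings.Contains(cs.Name, "ECDHE") && aead)
	default:
		return true
	}
}

// Resolve turns the UI settings into an enforceable configuration, refusing the
// two protocol choices crypto/tls cannot speak and noting what remains permitted.
func Resolve(p SSLPolicy) (*Resolved, error) {
	minVer, ok := minVersions[p.MinProtocol]
	if !ok {
		return nil, fmt.Errorf("%q cannot be enforced: crypto/tls implements neither SSL2 nor SSL3; use TLS 1.2", p.MinProtocol)
	}
	r := &Resolved{Config: &tls.Config{MinVersion: minVer}}
	if p.MinProtocol == "TLS 1.0" {
		r.Warnings = append(r.Warnings, "TLS 1.0 is only for MySQL compatibility and is not secure")
	}
	if p.Level == Modern && minVer < tls.VersionTLS13 {
		r.Config.MinVersion = tls.VersionTLS13 // Modern is not backward compatible
	} else if p.Level == Intermediate && minVer < tls.VersionTLS12 {
		r.Config.MinVersion = tls.VersionTLS12 // the AEAD suites need TLS 1.2
	}
	for _, cs := range tls.CipherSuites() { // deliberately not InsecureCipherSuites()
		if !admits(p.Level, cs) {
			continue
		}
		r.Allowed = append(r.Allowed, cs)
		if cs.SupportedVersions[0] != tls.VersionTLS13 { // only pre-1.3 suites are configurable
			r.Config.CipherSuites = append(r.Config.CipherSuites, cs.ID)
		}
	}
	if !p.BlockUnencrypted {
		r.Warnings = append(r.Warnings, "unencrypted connections are still accepted")
	}
	return r, nil
}

// Accepts reports whether a peer offering this protocol version and cipher
// suite would get through the resolved policy.
func (r *Resolved) Accepts(version, suiteID uint16) bool {
	if version < r.Config.MinVersion {
		return false
	}
	for _, cs := range r.Allowed {
		for _, v := range cs.SupportedVersions {
			if cs.ID == suiteID && v == version {
				return true
			}
		}
	}
	return false
}
```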

Deleting SSL Security Setting Exceptions

Step 1 On the HexaTier main menu, click System.

Step 2 In the navigation tree, choose SSL > Outgoing > Security Level.

Step 3 Click the icon at the end of the row where the exception to be deleted resides.

----End

10.3.4 Managing Outgoing Certificates

Scenario

Manage outgoing certificates. You can add trusted certificates for SSL encryption between the protected database and HexaTier to set up an instance connection.

Adding a Certificate

Step 1 On HexaTier main menu, click System.

Step 2 In the navigation tree, choose SSL > Outgoing > Certificates.

Step 3 Click Add.

The Upload Outgoing SSL Certificate page is displayed.

Step 4 In the CA Chain field of the Standard PEM format, paste your certificate body.

Step 5 Click Upload.

The uploaded certificate is displayed in the certificate list.

----End


Viewing a Certificate

Step 1 On HexaTier main menu, click System.

Step 2 In the navigation tree, choose SSL > Outgoing > Certificates.

Step 3 In the list of certificates, locate the required certificate and click the icon next to it. The certificate summary is displayed.

----End

10.4 Customizing and Generating Reports

Scenario

You can view statistics of database activities by generating a built-in report or a customized report.

HexaTier provides the following built-in detection reports:

- Top Intruders IP Addresses

- Top Blocked Queries

- Top Blocked Users

- Top Blocked Applications

- Top Bad Login Attempts Source IP Addresses

HexaTier also provides the following built-in reports:

- User settings

- User access rights

- Inactive Database Users

- Database Users with Passwords that never expire

- Database Users with Passwords that haven't changed for more than 90 days

- Database Users with Administrative privileges

- Latest Database Administrator Logins

- Latest Database Administrator Actions

- Latest Database Logins

NOTE

The built-in reports cannot be deleted.

10.4.1 Creating or Editing a Report

Scenario

Create or edit a report.

Prerequisites

You have configured the log storage location. See Configuring the Log Repository.


Procedure

Step 1 On the HexaTier main menu, click Reports.

Step 2 In the navigation tree, choose Manage Reports.

Step 3 Perform the following operations as needed.

- Create a report: In the command bar, click Create New.

- Edit an existing report: Click the (Edit) button at the end of the row where the report to be edited resides.

NOTE

For a built-in report, you can only modify the number of entries that are displayed in the report.

Step 4 In the Report Name text box, enter the report name. The report is displayed in the report list.

Step 5 Select one of the following report types from the Report Type drop-down list box:

Table 10-5 Report types

Activity Monitoring Log: Specifies all activity monitoring event logs that are listed in the report.

Masking Events: Specifies all data masking event logs that are listed in the report.

Blocked Queries: Lists the blocked queries in the report.

Allowed Queries: Lists the allowed queries in the report.

System Login Events: Specifies the login attempts of the database listed in the report.

Traffic Logs: Specifies the query event results generated by the database firewall policy.

Intrusion Logs: Lists the results of query events that identify and block SQL injection attempts.

System Logs: Contains details about administrative system activities, such as login to and logout from the administrative console, configuration changes (creation, modification, or deletion of proxies, databases, objects, and rules), and HexaTier updates.

Users settings: Specifies the user settings listed in the report.

User access rights: Specifies the user access rights listed in the report.

Inactive Database Users: Specifies the inactive database users listed in the report.

DB users with Passwords that have not changed more than X days: Specifies the database users whose passwords have not been changed for a specified number of days.

Latest Database Administrator Actions: Specifies the latest database administrator operations that are listed in the report.

Step 6 Set the number of entries and then click Next.

Step 7 Set report properties and then click Update.

Table 10-6 Report properties parameters

Time Criteria: Specifies the time range of the report. You can either collect information from the last n days or, with By time, define the start and end of the report period.

Source Criteria: Determines the event sources. Based on the report type, the options are as follows:

- Any (the source condition is not limited)

- IP Address

- DB Username

- APP Name

Click More to add multiple source criteria. If multiple source criteria are added, you can click Remove next to a source condition to delete that criterion.

Destination Criteria: Determines the destination of the event. Based on the report type, the options are as follows:

- Any (the destination condition is not limited)

- Databases

- Proxies

Click More to add multiple destination criteria. When multiple destination criteria are added, you can click Remove next to a destination condition to delete that criterion.

----End


10.4.2 Generating and Viewing a Report

Scenario

Generate and view a report.

Prerequisites

You have configured the log storage location. See Configuring the Log Repository.

Procedure

Step 1 On the HexaTier main menu, click Reports.

Step 2 In the navigation tree, choose Manage Reports.

Step 3 Click the icon at the end of the row where the report to be generated resides.

The Generated Reports page is displayed.

Step 4 Click a report and view details about the report on a new tab.

----End

10.4.3 Exporting a Report

Scenario

Export a report.

Prerequisites

You have configured the log storage location. See Configuring the Log Repository.

Procedure

Step 1 On the HexaTier main menu, click Reports.

Step 2 In the navigation tree, choose Generated Reports.

Step 3 In the workspace, find the generated report that you want to export, and then click (generate) at the end of the row.


----End

10.5 Configuring the Active Directory

You can create and use active directory users.

If the LDAP or domain integration mode is enabled, you can set HexaTier as the authorization proxy. The authentication proxy feature allows you to connect to database instances far from the active directory network while keeping the authentication mechanism of the Windows domain.

Use one of the following integration modes to control users and maintain credentials:

Table 10-7 Integration modes

Disabled: HexaTier runs as a part of the network.

LDAP: HexaTier verification uses the LDAP server.

Domain Integration: HexaTier runs on a computer that is part of the domain.

You can also switch between the integration modes.

10.5.1 Setting the LDAP Mode

Scenario

Set the LDAP integration mode.

In this mode, HexaTier authenticates identity using the LDAP server.

You can add active directory users only after you set the LDAP integration mode.

NOTE

While you configure LDAP mode, the SSL connection is used by default.


Prerequisites

You have disabled the HA mode.

Procedure

Step 1 On the HexaTier main menu, click Assets.

Step 2 In the navigation tree, choose Active Directory.

Step 3 In the Integration Mode drop-down list, select LDAP.

Step 4 Set parameters as required.

Table 10-8 LDAP parameters

Server IP Address: Specifies the LDAP server IP address.

Port: Specifies the port through which the LDAP server is connected.

Encryption: Specifies the encryption mode of the connection to the LDAP server. The options are as follows:

- None

- LDAPS: HexaTier connects to the LDAP server over SSL.

- STARTTLS: This extension of the plaintext protocol upgrades an insecure connection to an encrypted one.

Username: Specifies the user name for connecting to the LDAP server.

Password: Specifies the password for connecting to the LDAP server.

Step 5 Click Test Connection.

A status message is displayed, indicating that the test succeeded or failed.

Step 6 After the test succeeded, click Update.


Clicking Update automatically tests the connection you set. A status message is displayed, indicating whether the test succeeded or failed.

----End

10.5.2 Setting the Domain Integration Mode

Scenario

Set the integration mode of the active directory to Domain Integration.

In this mode, HexaTier runs on a computer that is part of the domain, and the active directory is added to HexaTier.

Prerequisites

You have disabled the HA mode.

Procedure

Step 1 On the HexaTier main menu, click Assets.

Step 2 In the navigation tree, choose Active Directory.

Step 3 In the Integration Mode drop-down list, select Domain Integration.

Step 4 Set parameters as required.

Table 10-9 Domain integration parameters

Domain Settings

Address: Specifies the LDAP server IP address.

Port: Specifies the port through which the LDAP server is connected.

Encryption: Specifies the encryption mode of the connection to the LDAP server. The options are as follows:

- None

- LDAPS: HexaTier connects to the LDAP server over SSL.

- STARTTLS: This extension of the plaintext protocol upgrades an insecure connection to an encrypted one.

Service User

Create New: Creates a user having the required roles and rights.

NOTE

This option and Use Existing cannot be selected at the same time.

Use Existing: Uses an existing user having the following roles and rights in the specified domain:

- Valid password

- Delegate

- SPN registration and deregistration

- Imitate

NOTE

This option and Create New cannot be selected at the same time.

Service User: Specifies the service user in any of the following formats:

- Username

- User domain\User name

- User name@Domain

By default, the service user is "HexaTierSvc".

Service password: Specifies the password of the defined service user.

Computer Name

Computer Name: Specifies the name of the computer to be added.

Step 5 Click Join.

HexaTier checks the settings and displays a message to request administrator credentials.

Step 6 Enter the user name and password of a domain user with the required privileges.

A message is displayed, indicating that the operation succeeded or failed.

Step 7 Restart the service as prompted.

NOTE

After the connection is set up, HexaTier does not save the administrator credentials.

----End


10.5.3 Switching Between Integration Modes

Scenario

Switch between the three integration modes.

Prerequisites

You have changed the current policies as required.

The following table lists the policies to be disabled or deleted before switching modes.

Table 10-10 Operations before switching modes (original mode to target mode: policies to be disabled or deleted before switching)

Disabled to LDAP: None

Disabled to Domain Integration: None

LDAP to Domain Integration: None

LDAP to Disabled:

- Dependencies

- Active directory objects in rules

- Authentication termination

Domain Integration to LDAP:

- Proxies and instances using Windows authentication

- Log repositories using Windows authentication

- Authentication termination

- HA mode

Domain Integration to Disabled:

- Proxies and instances using Windows authentication

- Log repositories using Windows authentication

- Active directory objects in rules

- Authentication termination

- HA mode

Procedure

Step 1 On the HexaTier main menu, click Assets.

Step 2 In the navigation tree, choose Active Directory.

Step 3 In the Integration Mode drop-down list, select:

- Disabled

- LDAP

- Domain Integration

NOTE

To switch from Domain Integration to LDAP mode, restart the HexaTier service.

----End

10.6 Configuring the Administrative Settings

You can create users in HexaTier and grant them specified permissions based on the information provided in a configuration file. Each configuration file specifies a group of permissions. The configuration files are:

- Administrators: have all rights of a HexaTier system administrator.

- Read Only: has the read-only permission on data in HexaTier.

You can create the following types of users:

- Local users: who are created in HexaTier.

- Active directory users: who exist in an LDAP server defined in the system. For details, see Configuring the Active Directory.

10.6.1 Creating or Editing a User

Scenario

Create or edit a local user. You can grant a local user the administrator or read-only permission in HexaTier.

Procedure

Step 1 On the HexaTier main menu, click System.

Step 2 In the navigation tree, choose Administrators > Users.

Step 3 Perform one of the following:

- Create a local user: In the command bar, click Create New, and in Authentication Type, select local.

NOTE

If the active directory integration is not configured, the authentication type option is not displayed. You can create only local users.

- Create an active directory user: In the command bar, click Create New, then in Authentication Type, select Active Directory.

NOTE

You can add active directory users only after the LDAP integration mode is configured in the system. For details about how to configure the active directory integration, see Configuring the Active Directory.

- Edit an existing user: Click the icon at the end of the row where the user to be edited resides.

Step 4 Set the user information parameters as required.

Table 10-11 User information parameters

Login password: Specifies the current administrator's password.

Profile: Specifies the configuration file to be applied.

User: Specifies the user logging in to the HexaTier console.

New Password: Specifies the password used by the user to be created to log in to the HexaTier management console. The new password must contain 8 to 16 characters and contain any 3 of the following character types:

- Lowercase letters

- Uppercase letters

- Digits

- Special characters: `~!@#$%^*()-_=+|[{}];:',./? and the space character

The password cannot be the same as the username or its reverse.

Confirm password: Specifies the password that needs to be entered again during the user creation.

User must change password at next login: If this check box is selected during the user creation, the user must change the password upon the next HexaTier login.

Email: Specifies the user's email.

First Name: Specifies the first name of the current user.

Last Name: Specifies the last name of the current user.

User Language: Specifies the default language used by the user after logging in to the HexaTier console. The language can be 中文 or English.

Management IP: (Optional) Specifies the IP address used by the user to access the HexaTier management console. If this parameter is not set, the user can access the HexaTier console from any IP address.

User is locked: Only admin users see this parameter. If the check box is selected, the user cannot log in; an admin user can unlock the user.

Disable User: Only admin users see this parameter. If the check box is selected, the user is temporarily disabled.

Step 5 Click Create or Update.

----End

10.6.2 Changing Your Password

Scenario

Change the password used for logging in to the HexaTier console.

It is recommended that you change your password periodically (at intervals of less than 90 days) to reduce the risk of password leakage.

Procedure

Step 1 On the task bar, click the icon for changing your password.

Step 2 In Current Password, enter the password you currently use to log in to HexaTier.

Step 3 In New Password and Confirm Password, enter your new password.

The new password must contain 8 to 16 characters and contain any 3 of the following character types:

- Lowercase letters

- Uppercase letters

- Digits

- Special characters: `~!@#$%^*()-_=+|[{}];:',./? and the space character

The password cannot be the same as the username or its reverse.

NOTE

While you set the password, the system checks the password complexity (Weak, Strong, or Very Strong). If the password does not meet the password requirements, HexaTier rejects the password and generates an alarm.

Step 4 Click Update.

----End


10.6.3 Changing Password for Other Users

Scenario

Change the password for other users.

NOTE

Only users having administrator rights can change the password of other users.

Procedure

Step 1 On the HexaTier main menu, click System.

Step 2 In the navigation tree, select Administrators > Users.

Step 3 Click the icon at the end of the row where the user whose password is to be changed resides.

Step 4 In the Login password text box, enter your password.

Step 5 In New Password and Confirm Password enter your new password.

The new password must contain 8 to 16 characters and contain any 3 of the following character types:

- Lowercase letters

- Uppercase letters

- Digits

- Special characters: `~!@#$%^*()-_=+|[{}];:',./? and the space character

The password cannot be the same as the username or its reverse.

NOTE

While you set the password, the system checks the password complexity (Weak, Strong, or Very Strong). If the password does not meet the password requirements, HexaTier rejects the password and generates an alarm.

Step 6 (Optional) If the User must change password at next logon check box is selected, the usermust change the password upon the next HexaTier login.

Step 7 Click Update.

----End
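The password rule stated above, which is the same rule given for new users in Table 10-11, for changing your own password, and later for the backup file and support file encryption passwords, can be checked before a password is submitted. The following Python function is an added example, not HexaTier's own checker. The guide does not say how characters outside the listed set are treated, so the script's rejection of them is an assumption, as is the exact, case-sensitive comparison with the username.

```python
"""Check a candidate password against the rule in this guide (added example, not HexaTier code)."""
import string

# The special characters listed in the guide, plus the space character.
SPECIALS = set("`~!@#$%^*()-_=+|[{}];:',./? ")
CLASSES = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "digits": set(string.digits),
    "special": SPECIALS,
}
ALLOWED = set().union(*CLASSES.values())


def password_violations(password, username):
    """Return the rule violations found; an empty list means the password is acceptable."""
    problems = []
    if not 8 <= len(password) <= 16:
        problems.append("length must be 8 to 16 characters")
    present = [name for name, chars in CLASSES.items() if any(c in chars for c in password)]
    if len(present) < 3:
        problems.append("needs at least 3 of 4 character classes, has %d (%s)"
                        % (len(present), ", ".join(present) or "none"))
    stray = sorted(set(password) - ALLOWED)
    if stray:
        # Assumption: characters outside the listed set are rejected rather than ignored.
        problems.append("contains characters outside the allowed set: %s" % "".join(stray))
    if password == username or password == username[::-1]:
        # Assumption: the comparison with the username is exact and case-sensitive.
        problems.append("must not equal the username or its reverse")
    return problems


def is_acceptable(password, username):
    return not password_violations(password, username)


if __name__ == "__main__":
    # Constructed candidates, not real credentials.
    for pw, user in [("Tr0ub4dor!", "alice"), ("alllowercase1", "bob"),
                     ("Password&1", "bob"), ("Abcdefg1", "1gfedcbA")]:
        print("%-15r %s" % (pw, password_violations(pw, user) or "acceptable"))
```

The function returns every violation rather than stopping at the first, which is the behaviour you want when the result is shown to a user who has to fix the password. HexaTier's own Weak/Strong/Very Strong rating is not defined in this guide and is not reproduced here.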

10.7 System Configuration

10.7.1 Configuring Management Settings

Scenario

Configure management settings.


Procedure

Step 1 On the HexaTier main menu, click System.

Step 2 In the navigation tree, choose Management.

Step 3 Set the parameters in the following table:

Table 10-12 Management parameters

Login password: Specifies the password of the current user. You can update the parameter configuration on the current page only after entering the login password.

Certificate: Specifies the default management certificate generated by HexaTier.

Address: Specifies the IP address of the HexaTier server network interfaces (NICs) that are exposed to the clients. The default address 0.0.0.0 makes the console reachable on every NIC of HexaTier.

Port: Specifies the port that is listened on. The default port is 5000.

Session Idle Time: Specifies how long a session can remain idle before you must log in to HexaTier again. The default value is 15 minutes, and you can modify it as required.

Session Persistence: The options are as follows:

- Single login without session override: only one user can be active at any one time, and another user cannot take over the session.

- Single login with session override: only one user can be active at any one time, but another user can take over the session.

- Allow multiple logins: more than one user can be active simultaneously.

Lock Time: Select the time for which the user is locked out and cannot log back in after too many bad password attempts.

Max Login Retries: Select the number of login attempts the user is allowed.

DoS Protection: Select whether to enable or disable denial-of-service protection.

Step 4 Click Update.

----End
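As an added example, not HexaTier code, the following Python class shows how Max Login Retries, Lock Time and Session Idle Time interact: failed logins are counted per user, the account is locked for Lock Time once the limit is reached, a correct password during the lockout is still refused, and an idle session is dropped after Session Idle Time. Times are in seconds; apart from the 15-minute idle time, the defaults are assumptions chosen for the demonstration.

```python
"""Lockout and idle-session rules from the Management parameters (added example, not HexaTier code)."""
from collections import defaultdict


class AccessPolicy:
    """Times are in seconds. Only the 15-minute idle default comes from the guide; the
    other defaults are assumptions chosen for the demonstration."""

    def __init__(self, max_login_retries=5, lock_time=900, session_idle_time=15 * 60):
        self.max_retries = max_login_retries
        self.lock_time = lock_time
        self.idle_time = session_idle_time
        self.failures = defaultdict(int)   # consecutive bad passwords per user
        self.locked_until = {}             # user -> time at which the lockout ends
        self.last_seen = {}                # user -> time of the last console request

    def is_locked(self, user, now):
        return self.locked_until.get(user, 0) > now

    def login(self, user, password_ok, now):
        """Return 'locked', 'denied' or 'ok'. A correct password during a lockout is still refused."""
        if self.is_locked(user, now):
            return "locked"
        if not password_ok:
            self.failures[user] += 1
            if self.failures[user] >= self.max_retries:
                self.locked_until[user] = now + self.lock_time
                self.failures[user] = 0      # the counter restarts once the lockout ends
                return "locked"
            return "denied"
        self.failures[user] = 0              # a successful login clears the counter
        self.last_seen[user] = now           # the session starts now
        return "ok"

    def touch(self, user, now):
        """Call on every console request; False means the session idled out or never existed."""
        last = self.last_seen.get(user)
        if last is None or now - last > self.idle_time:
            self.last_seen.pop(user, None)
            return False
        self.last_seen[user] = now
        return True


if __name__ == "__main__":
    # Constructed walk-through: three bad passwords lock "alice" for 60 seconds.
    policy = AccessPolicy(max_login_retries=3, lock_time=60, session_idle_time=900)
    for t, ok in [(0, False), (1, False), (2, False), (30, True), (62, True)]:
        print(t, policy.login("alice", ok, t))
    print(900, policy.touch("alice", 900), 1900, policy.touch("alice", 1900))
```

Note that the lockout here is a fixed window: retrying with the right password during the window does not shorten it, which matches the table's description of Lock Time. Whether HexaTier also resets the failure counter on a successful login is not stated in the guide; this example assumes it does.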

10.7.2 Configuring Syslog

Scenario

Configure the Syslog.

You can configure the system to send information to a remote computer on which the Syslog server runs. The Syslog standard is used to capture logs from network devices.


Procedure

Step 1 On the HexaTier main menu, click System.

Step 2 In the navigation tree, choose Logs > Syslog Settings.

Step 3 In the Syslog setting area, set the following parameters:

Table 10-13 Log parameters

Status: Specifies whether writing data to the Syslog server is enabled.

Host/IP: Specifies the IP address of the remote Syslog server.

Syslog Server Port (UDP): By default, the Syslog server listens on port 514 for communication using User Datagram Protocol (UDP). You can modify this port as required.

Minimum Severity: Specifies the minimum severity of events sent to the Syslog server.

Facility: Specifies the types of alerts sent to the Syslog server.

Events: Specifies the types of events sent to the Syslog server, including:

- Intrusion events

- Activity monitoring events

- Blocked SQL events

- Data masking events

- System events

Step 4 Click Test to send test messages to the Syslog server.

Step 5 Click Update to apply the configuration.

----End
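To show what the Facility, Minimum Severity and UDP port settings in Table 10-13 mean on the wire, the following Python module is an added example (not HexaTier code): it encodes the syslog PRI value as facility times 8 plus severity, builds a BSD-style syslog line, drops events less severe than the configured minimum, and sends the rest as UDP datagrams. The hostname, the event texts and their severities are constructed assumptions, not HexaTier's own mapping.

```python
"""Syslog forwarding as described by the Syslog settings (added example, not HexaTier code)."""
import socket
from datetime import datetime

# RFC 3164/5424 numeric codes: a lower severity number means a more severe event.
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}
FACILITY = {"kern": 0, "user": 1, "auth": 4, "syslog": 5, "authpriv": 10,
            "local0": 16, "local1": 17, "local4": 20, "local7": 23}


def pri(facility, severity):
    """The <PRI> value that opens every syslog message: facility * 8 + severity."""
    return FACILITY[facility] * 8 + SEVERITY[severity]


def decode_pri(value):
    """Inverse of pri(); useful when checking what the Syslog server actually received."""
    fac = {v: k for k, v in FACILITY.items()}[value // 8]
    sev = {v: k for k, v in SEVERITY.items()}[value % 8]
    return fac, sev


def format_message(facility, severity, hostname, app, text, when):
    """RFC 3164 (BSD syslog) line: <PRI>Mmm dd hh:mm:ss HOST APP: MSG (day is space-padded)."""
    stamp = "%s %2d %s" % (when.strftime("%b"), when.day, when.strftime("%H:%M:%S"))
    return "<%d>%s %s %s: %s" % (pri(facility, severity), stamp, hostname, app, text)


class SyslogForwarder:
    """Mirrors the settings table: host/IP, UDP port (514), minimum severity and facility."""

    def __init__(self, host, port=514, facility="local0", min_severity="warning",
                 hostname="hexatier-01", sender=None):
        self.host, self.port = host, port
        self.facility, self.min_severity, self.hostname = facility, min_severity, hostname
        self.sender = sender or self.udp_send       # replaceable so the logic runs offline

    def udp_send(self, payload):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.sendto(payload, (self.host, self.port))

    def forward(self, severity, text, when=None):
        """Send the event if it is at least as severe as min_severity; return the line or None."""
        if SEVERITY[severity] > SEVERITY[self.min_severity]:
            return None                             # less severe than the threshold: dropped
        line = format_message(self.facility, severity, self.hostname, "HexaTier",
                              text, when or datetime.now())
        self.sender(line.encode("utf-8"))
        return line


if __name__ == "__main__":
    # Constructed sample events; the severities are assumptions, not HexaTier's own mapping.
    events = [("err", "Intrusion: SQL injection pattern blocked from 198.51.100.7"),
              ("warning", "Blocked SQL: query denied by firewall policy"),
              ("info", "Activity monitoring: SELECT on hr.employees by app_user"),
              ("notice", "System: administrator login to the console")]
    fw = SyslogForwarder("192.0.2.10", facility="local4", min_severity="warning",
                         sender=lambda payload: print(payload.decode()))
    for sev, text in events:
        fw.forward(sev, text, datetime(2018, 4, 27, 9, 5, 0))
```

Because the transport is UDP, a dropped datagram is silent on both sides; the Test button in Step 4 is the only confirmation the guide offers, so check on the Syslog server that the test message arrived with the facility you expect.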

10.7.3 Configuring System Parameters

Scenario

This section describes how to configure the system parameters.

Through this configuration you can set the Global Default Error that is sent to clients, as well as the Primary and Secondary SMTP Server.

Procedure

Step 1 On the HexaTier main menu, click System.

Step 2 In the navigation tree, choose Configuration.

Step 3 In the work area, set parameters as required, and then click Update.


Table 10-14 System configuration parameters

Global Default Error: Specifies the default error sent to a client. It is recommended that this option be used to enhance SQL injection protection, preventing sensitive data from being disclosed to attacking clients. Select from the following:

- Original Error Response: HexaTier sends the client the original response generated by the database management system, unmodified.

- General Error Response: HexaTier sends a general error to the client. The error text is "Generic SQL error detected".

- Sanitized Error Response: HexaTier sends the client the original error generated by the database while masking the sensitive data.

Primary SMTP Server: Specifies the SMTP server used for sending alerts. For details about how to create an SMTP server, see Configuring an SMTP Server.

Secondary SMTP Server: (Optional) Specifies the secondary SMTP server used when the primary SMTP server cannot be accessed.

Objects Association: The options are as follows:

- If this parameter is set to Disabled, the association between objects created in the rule and the database type, proxy, and database specified in the rule is disabled.

- If this parameter is set to Enabled, the association between objects created in the rule and the database type, proxy, and database specified in the rule is enabled.

----End
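The three Global Default Error responses in Table 10-14 differ in how much of the database's own error text reaches the client, which is what error-based SQL injection relies on. The following Python module is an added example, not HexaTier's implementation: it applies the original, general and sanitized modes to constructed error messages in the style of MySQL and PostgreSQL. The sanitization rule (blank out every quoted fragment, since that is where echoed values and object names usually sit) is this example's own assumption about what "masking the sensitive data" means; the guide does not specify HexaTier's rule.

```python
"""The three Global Default Error modes applied to database error text (added example, not HexaTier code)."""
import re

GENERAL_TEXT = "Generic SQL error detected"     # wording quoted in the guide

# Quoted fragments are where leaked values and object names usually sit in DBMS errors.
QUOTED = re.compile(
    r"'(?:[^'\\]|\\.)*'"       # single-quoted literal, backslash escapes allowed
    r'|"(?:[^"\\]|\\.)*"'      # double-quoted identifier or literal
    r"|`[^`]*`"                # backtick-quoted MySQL identifier
)


def sanitize(db_error):
    """Keep the error's shape but replace the contents of every quoted fragment."""
    return QUOTED.sub(lambda m: m.group(0)[0] + "***" + m.group(0)[-1], db_error)


def client_error(mode, db_error):
    """What the client receives for a given mode: 'original', 'general' or 'sanitized'."""
    if mode == "original":
        return db_error
    if mode == "general":
        return GENERAL_TEXT
    if mode == "sanitized":
        return sanitize(db_error)
    raise ValueError("unknown Global Default Error mode: %r" % mode)


# Constructed sample errors in the style of MySQL and PostgreSQL (not captured output).
SAMPLE_ERRORS = [
    "Duplicate entry 'admin@example.com' for key 'users.email'",
    "XPATH syntax error: '~app_user:s3cr3t~'",
    'invalid input syntax for type integer: "abc"',
    "Table `app`.`users` doesn't exist",
]

if __name__ == "__main__":
    for err in SAMPLE_ERRORS:
        for mode in ("original", "general", "sanitized"):
            print("%-9s %s" % (mode, client_error(mode, err)))
```

The sanitized mode is a heuristic: an apostrophe inside an unquoted word (as in "doesn't") is left alone only because no closing quote follows it, and a message with an odd number of quotes can be masked too little or too much. That is why the general response, which leaks nothing, is the safer default where applications do not need the detail.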

10.7.4 Backing up and Restoring System Configuration

Scenario

This section describes how to generate a HexaTier backup file. If needed, you can restore the system configuration from the backup file.

Backing up system configuration

Step 1 On the HexaTier main menu, click System.

Step 2 In the navigation tree, choose Backup and Restore > Backup.

Step 3 In the Login password text box, enter your HexaTier password.

Step 4 In the File encryption password text box, enter a password to encrypt the backup file.

The password must contain 8 to 16 characters and contain any 3 of the following character types:

- Lowercase letters

- Uppercase letters

- Digits

- Special characters: `~!@#$%^*()-_=+|[{}];:',./? and the space character

Step 5 Click Backup.

Step 6 Save the file in the required folder and note down the path so that you can restore it if necessary.

----End

Restoring system configuration

Step 1 On the HexaTier main menu, click System.

Step 2 In the navigation tree, choose Backup and Restore > Restore.

Step 3 In the workspace, click Choose the historical backup file.

Step 4 Enter Login password and File encryption password.

Step 5 (Optional) Select Purge System Logs to delete all historical system logs.

Step 6 Click Restore.

----End

10.7.5 Generating a Support File

Scenario

You can generate an encrypted, compressed support file and send it to the support team. The support file mainly contains log files and does not contain any sensitive information from your computer.

You can generate the following two types of support files:

- Compact: creates a compressed file that contains a minimal amount of information and excludes protected database schema information.

- Full: creates a complete compressed file. Send this type of support file only if requested.

Procedure

Step 1 On the HexaTier main menu, click System.

Step 2 In the navigation tree, choose Support.

Step 3 Enter Login password and File encryption password.

The password must contain 8 to 16 characters and contain any 3 of the following character types:

- Lowercase letters

- Uppercase letters

- Digits

- Special characters: `~!@#$%^*()-_=+|[{}];:',./? and the space character

Step 4 In the Support file drop-down list box, select Compact or Full.

Step 5 Click Download.

The file is downloaded to the default download path of the browser.

----End

10.7.6 Restarting Service

Scenario

Restart HexaTier service.

Procedure

Step 1 On the HexaTier main menu, click System.

Step 2 In the navigation tree, choose Support > Restart.

Step 3 Type your Login password.

Step 4 Click Restart.

After the restart, you need to log in to the console again.

NOTICE

All traffic will be blocked during the service restart.

----End

10.8 Other Information

10.8.1 Viewing License Information

Scenario

View the license information.

Procedure

Step 1 On the HexaTier main menu, click System.

Step 2 In the navigation tree, choose License Information.

Details about the license are displayed in the workspace.

----End


10.8.2 Viewing System Logs

Scenario

View system logs.

System logs display information about activities managed by the HexaTier management console, including:

- Login and logout information in HexaTier.

- Configuration modifications, such as the creation, modification, or deletion of proxies, databases, objects, and rules.

- HexaTier updates.

The following information is displayed in the log list.

Table 10-15 Logs

Log ID: Specifies the ID of an event in the system log event list.

Date: Specifies the time the event occurred.

Module: Specifies the name of the module that is being visited.

User: Specifies your current user name.

Description: Specifies the description of the task being executed.

Severity: Specifies the severity of an event.

Procedure

Step 1 On the HexaTier main menu, click System.

Step 2 In the navigation tree, choose Logs > System Logs.

Step 3 Click an event to view its details.

----End

10.8.3 Sorting

Scenario

Sort a specific list.

NOTE

Only columns with blue headings can be sorted.


Procedure

Step 1 Click a blue heading in the workspace.

An arrow appears next to the heading to indicate that the list is being sorted by that column.

Step 2 Clicking the heading again can reverse the sort order.

----End

10.8.4 Customizing Views

Scenario

Customize a view.

On certain pages (such as log and report pages), you can customize the columns and the number of items displayed on a page in the workspace.

Configuring Columns Displayed in the Workspace

Step 1 In the command bar, click Customize.

Step 2 Select check boxes next to the items to be displayed.

You can select a maximum of 10 items.

Step 3 Click Apply.

The workspace displays the items you selected.

----End


Configuring the Number of Items Displayed on Each Page

Step 1 At the bottom right corner of the workspace, select a number from the Per Page drop-down list.

----End

10.8.5 Filtering

This section describes how to filter items.

The filter function is used to filter log information. You can view information about events that occurred within a specific period or about a specific type of events.
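The log fields of Table 10-15 and the period/type filtering described here can be reproduced over an exported log. The following is an added example, not HexaTier code and not an export format the guide documents: the pipe-separated lines and the module names are constructed assumptions, and the "review window" check shows the kind of question a defender asks of these logs (which configuration changes happened outside working hours).

```python
"""Filter HexaTier-style system log events by period and event type.

Added example; it is not HexaTier code and the guide documents no export
format. The pipe-separated lines below are constructed sample data carrying
the six columns of Table 10-15 (Log ID, Date, Module, User, Description,
Severity); the module names are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, List, Optional, Set

# Constructed sample export (assumed layout: one event per line, '|' separated).
SAMPLE_LOG = """\
1001|2018-04-20 08:02:11|Authentication|admin|User admin logged in|Info
1002|2018-04-20 08:05:40|Proxies|admin|Proxy db-proxy-01 created|Info
1003|2018-04-20 23:41:02|Rules|admin|Rule block-card-select deleted|Warning
1004|2018-04-21 02:13:55|Authentication|admin|User admin logged in|Info
1005|2018-04-21 02:15:09|Databases|admin|Database orders modified|Warning
1006|2018-04-22 09:00:00|Update|admin|HexaTier update applied|Info
"""

# Modules whose events are configuration modifications (see 10.8.2); assumed names.
CONFIG_MODULES: Set[str] = {"Proxies", "Databases", "Objects", "Rules"}
DATE_FORMAT = "%Y-%m-%d %H:%M:%S"


@dataclass(frozen=True)
class LogEvent:
    log_id: int
    date: datetime
    module: str
    user: str
    description: str
    severity: str


def parse_date(text: str) -> datetime:
    """Parse the timestamp layout used by the constructed export."""
    return datetime.strptime(text, DATE_FORMAT)


def parse_log(text: str) -> List[LogEvent]:
    """Parse the constructed export; reject malformed lines instead of guessing."""
    events: List[LogEvent] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("|")
        if len(fields) != 6:
            raise ValueError(f"line {lineno}: expected 6 fields, got {len(fields)}")
        log_id, date, module, user, description, severity = fields
        events.append(LogEvent(int(log_id), parse_date(date),
                               module, user, description, severity))
    return events


def filter_events(events: Iterable[LogEvent],
                  start: Optional[datetime] = None,
                  end: Optional[datetime] = None,
                  modules: Optional[Set[str]] = None,
                  severity: Optional[str] = None) -> List[LogEvent]:
    """Keep events inside [start, end] (inclusive) that match module and severity."""
    kept: List[LogEvent] = []
    for ev in events:
        if start is not None and ev.date < start:
            continue
        if end is not None and ev.date > end:
            continue
        if modules is not None and ev.module not in modules:
            continue
        if severity is not None and ev.severity != severity:
            continue
        kept.append(ev)
    return kept


def config_changes_outside_hours(events: Iterable[LogEvent],
                                 start_hour: int = 8, end_hour: int = 18) -> List[int]:
    """Log IDs of configuration modifications made outside a review window.

    A rule or proxy deleted at night is the kind of event worth reconciling
    against change tickets; the window itself is an assumption for the example.
    """
    return [ev.log_id for ev in events
            if ev.module in CONFIG_MODULES
            and not (start_hour <= ev.date.hour < end_hour)]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    day = filter_events(evs, start=parse_date("2018-04-21 00:00:00"),
                        end=parse_date("2018-04-21 23:59:59"))
    print("events on 2018-04-21:", [e.log_id for e in day])
    print("config changes outside 08:00-18:00:", config_changes_outside_hours(evs))
```

The parser fails loudly on a malformed line rather than skipping it, so a truncated export is noticed instead of silently shrinking the evidence base.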

10.8.6 Key Management System (KMS)

The Key Management System (KMS) is an encryption device in HUAWEI CLOUD. It interconnects with Object Storage Service (OBS) applications (compatible with Amazon S3 APIs) and provides data encryption and key management functions.

The activation validity period of KMS is 180 days. Ensure that KMS is connected every 180 days to activate certain keys. To restart HexaTier, see Restarting Service.


11 FAQs

11.1 Function

11.1.1 What Databases Does DBSS Support?

DBSS supports the following database types:

- Microsoft SQL Server 2008 - 2014
- MySQL 5.5 - 5.7
- PostgreSQL 9.4 - 9.5

11.1.2 What Databases Can DBSS Protect on HUAWEI CLOUD?

DBSS can protect user-installed databases and RDS instances on ECSs within the same VPC and its subnets. Due to network restrictions, DBSS cannot protect user-installed databases and RDS instances on ECSs and BMSs not within the same VPC and its subnets.

11.1.3 How Do I Protect My EIP Against DDoS Attacks?

Advanced Anti-DDoS is a network security service that defends IP addresses against distributed denial of service (DDoS) attacks.

You are advised to interconnect each of your EIPs with Advanced Anti-DDoS.

11.1.4 Why Cannot I View DBSS Instances Immediately After I Purchase a Set of DBSS Instances?

When you purchase a set of DBSS instances, a system disk will be created on the virtual machine (VM) where the instances reside. In addition, the network will be configured. The creation and configuration may take some time. Therefore, the instances are not immediately displayed.

11.1.5 What Fine-Grained Functions Does DBSS Provide?

DBSS provides the following fine-grained functions:


- Table-specific access control by IP address, user, and application
- Column-level audit by IP address, user, and application
- Column-level dynamic data masking

11.1.6 What Is the Configuration Process on HexaTier?

After logging in to HexaTier, you must configure your DBSS instance for it to connect to, protect, and audit your database on HUAWEI CLOUD.

Figure 11-1 illustrates the configuration process.

Figure 11-1 Configuration process

11.1.7 Does DBSS Require Rights of User root from a MySQL Database?

No, DBSS only requires read and write permissions from your MySQL database.

11.1.8 Can I Import Logs Generated by DBSS to My Own Log Analysis Platform?

Yes, the logs can be archived to a remote log database. Then you can use your own platform to read logs from the database.

11.1.9 What Database-Side Configurations Are Required by DBSS?

Perform the following configurations on your database:

1. Configure a proxy when you create a protected database on HexaTier. Ensure that the proxy status is Active.


2. Modify your database to point it to the proxy address and port configured on HexaTier.

11.1.10 What Is the Difference Between DBSS and WAF in SQL Injection Prevention?

Web Application Firewall (WAF) uses a rule library to identify SQL injection attacks. DBSS, in comparison, uses a built-in database engine to cover all types of database statements. Compared with WAF, DBSS is more accurate in the identification of attacks.

11.1.11 Will My Raw Data in the Database Be Changed by the Dynamic Data Masking Function?

No, DBSS changes only the data returned by the database. It does not change the raw data in the database.
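The behaviour this answer describes, masking applied to the result set on its way to the client while the stored rows stay untouched, can be illustrated with a small proxy-style layer over an in-memory database. This is an added example, not DBSS or HexaTier code: the SQLite table, its rows and the masking rules (which columns, which pattern) are constructed assumptions for the illustration.

```python
"""Illustrate dynamic data masking at a proxy layer.

Added example, not DBSS or HexaTier code. It uses an in-memory SQLite table
with constructed rows to show the behaviour described in the FAQ: masked values
exist only in the result set handed to the client; the stored rows are unchanged.
The masking rules (columns and patterns) are assumptions.
"""
import sqlite3
from typing import Callable, Dict, List, Sequence, Tuple


def mask_card(value: str) -> str:
    """Keep the last 4 digits, replace every other digit with '*'."""
    digits = "".join(ch for ch in value if ch.isdigit())
    if len(digits) <= 4:
        return "*" * len(digits)
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_email(value: str) -> str:
    """Keep the first character of the local part and the full domain."""
    local, sep, domain = value.partition("@")
    if not sep:
        return "*" * len(value)
    return local[:1] + "*" * max(len(local) - 1, 0) + "@" + domain


# Assumed masking policy: column name -> masking function.
MASK_RULES: Dict[str, Callable[[str], str]] = {
    "card_number": mask_card,
    "email": mask_email,
}


def setup_db() -> sqlite3.Connection:
    """Create the constructed sample table with two customer rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, "
        "email TEXT, card_number TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (name, email, card_number) VALUES (?, ?, ?)",
        [
            ("Alice", "alice@example.com", "4111111111111111"),  # constructed
            ("Bob", "bob@example.com", "5500000000000004"),      # constructed
        ],
    )
    conn.commit()
    return conn


def masked_query(conn: sqlite3.Connection, sql: str,
                 params: Sequence = ()) -> List[Tuple]:
    """Run the query unchanged, then mask result columns named in MASK_RULES.

    The database executes exactly the statement it was given and stores nothing
    different; only the rows returned to the caller are rewritten.
    """
    cur = conn.execute(sql, params)
    columns = [d[0] for d in cur.description]
    rows: List[Tuple] = []
    for row in cur.fetchall():
        out = []
        for col, val in zip(columns, row):
            rule = MASK_RULES.get(col)
            out.append(rule(val) if rule and isinstance(val, str) else val)
        rows.append(tuple(out))
    return rows


def raw_query(conn: sqlite3.Connection, sql: str,
              params: Sequence = ()) -> List[Tuple]:
    """Direct access without the masking layer, to show the stored data."""
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    db = setup_db()
    query = "SELECT name, email, card_number FROM customers ORDER BY id"
    print("client sees:", masked_query(db, query))
    print("stored rows:", raw_query(db, query))
```

One caveat this toy makes visible: the rules key on the result column name, so a query that aliases `card_number AS cc` would slip past them. A masking policy needs to bind to the underlying column rather than the output label, which is why product-level masking is configured on the table column and not on result headings.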

11.1.12 How Will DBSS Affect My Service Latency?

Typically, the service latency is shorter than 3 ms. The service latency may change in peak hours.

11.2 Restriction

11.2.1 What Constraints Does HexaTier Have?

Pay attention to the following constraints when using HexaTier:

- If you choose RDS as the remote log database, you must change the value of database configuration parameter local_infile to ON (the default value is OFF).
- If you want to protect an RDS instance, you must change the value of database configuration parameter lower_case_table_names to 1 (the default value is 0).
- Advanced activity monitoring: Chinese names of data tables are not supported.

11.2.2 What Browser Versions Does HexaTier Support?

Table 11-1 lists browsers supported by the HexaTier management system.

Table 11-1 Supported browser versions

Browser              Version
-------------------  ----------------
Google Chrome        -
Mozilla Firefox      30.1 and later
Internet Explorer    11.0 and later

11.3 Management


11.3.1 How Do I Log In to HexaTier?

If an EIP has been associated with a DBSS instance, two methods are available for going to the HexaTier login page: either directly from the DBSS console or using an ECS in the VPC where the instance resides.

If no EIP has been associated with the DBSS instance, one method is available: using an ECS in the VPC where the instance resides.

Going to the HexaTier Login Page on the Internet from the DBSS Console

Step 1 Log in to the management console.

Step 2 Choose Security > Database Security Service. The Database Security Service page is displayed.

Step 3 In the square of the desired set of DBSS instances, click Login to go to the HexaTier login page, as shown in Figure 11-2.

Figure 11-2 Logging in to HexaTier

Step 4 Enter the login username (admin) and password. Then click Logon or press Enter.


----End

Using an ECS in the VPC Where the Instance Resides

Step 1 In the VPC where the DBSS instance you want to use to log in to HexaTier resides, check whether there are any ECSs.

- If yes, go to Step 2.
- If no, create an ECS in this VPC and go to Step 2.

Step 2 In the address box of one of the browsers listed in Table 11-2, enter https://Private IP address of the ECS:5000. Then press Enter to go to the HexaTier login page.

NOTICE

If you fail to access port 5000, add Transmission Control Protocol-based (TCP-based) access permissions on the port to the corresponding security group. For details, see the Virtual Private Cloud User Guide.

Table 11-2 Supported browser versions

Browser              Version
-------------------  ----------------
Google Chrome        -
Mozilla Firefox      30.1 and later
Internet Explorer    11.0 and later

Step 3 Enter the login username (admin) and password. Then click Logon or press Enter.


----End
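Before editing security group rules for port 5000 as the NOTICE above suggests, it helps to know whether the connection is being filtered (a timeout, which points at the security group) or refused (the host answers but nothing listens on the port, which points at the instance itself). The following is an added example, not part of the user guide or the product; the host value in the demo is a placeholder from the documentation address range, and the local listener helper exists only so the checker can be exercised without network access.

```python
"""Check whether the HexaTier management port is reachable from an ECS.

Added example, not part of the user guide. It separates a filtered connection
(timeout) from a host that is reachable but has nothing listening (refused),
which decides whether the security group or the instance needs attention.
"""
import socket
from typing import Tuple

# Port the guide gives for the HexaTier login page.
HEXATIER_PORT = 5000

# Placeholder from the documentation range (RFC 5737); replace with the
# private IP address of the DBSS instance.
PLACEHOLDER_HOST = "192.0.2.10"


def check_tcp(host: str, port: int, timeout: float = 3.0) -> Tuple[bool, str]:
    """Attempt a TCP connect and return (reachable, reason)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "connected"
    except socket.timeout:
        return False, "timeout (traffic is likely filtered; check the security group)"
    except ConnectionRefusedError:
        return False, "refused (host reachable, nothing listening on the port)"
    except OSError as exc:
        return False, f"error: {exc}"


def local_listener() -> Tuple[socket.socket, int]:
    """Open a loopback listener on an ephemeral port, for exercising check_tcp.

    The caller owns the returned socket and must close it.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    reachable, reason = check_tcp(PLACEHOLDER_HOST, HEXATIER_PORT)
    print(f"{PLACEHOLDER_HOST}:{HEXATIER_PORT} -> {reason}")
```

Run it from an ECS inside the same VPC as the instance; run from elsewhere, a timeout says nothing about the security group because the route itself may not exist.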

11.3.2 What Should I Do When I Fail to Log In to HexaTier?

Check your network for any fault:

- If the network is functioning properly, contact Huawei technical support.
- If the network is not working properly, remove the fault and try to log in again. If the failure persists, contact Huawei technical support.


A Change History

Released On   Description
------------  ------------------------------------------------------------
2018-04-27    This is the sixth official release.
              - Added chapter "Audit."
              - Updated screenshots and descriptions in chapter "Operations Related to DBSS Instances" and sections "Login to HexaTier" and "Configuration Process."

2018-03-22    This is the fifth official release.
              Changed the document structure and some description.

2018-01-30    This is the fourth official release.
              - Changed section "Applying for a DBSS Instance": updated some screenshots and changed some description.
              - Changed chapter "Operations on the Database Protection Platform": changed some description.

2017-12-04    This is the third official release.
              - Added section "Associating an EIP to a DBSS Instance."
              - Added section "Disassociating an EIP from a DBSS Instance."
              - Changed chapter "Management": updated some screenshots and changed some description.


2017-11-02    This is the second official release.
              - Changed section "Application Scenarios."
              - Changed chapter "Management": updated some screenshots and changed some description.
              - Changed section "Login to HexaTier": changed the operation procedures.
              - Changed section "Configuring HexaTier HA": changed the procedure.
              - Changed chapter "FAQs": added the following FAQs:
                - What Fine-Grained Functions Does DBSS Provide?
                - What Is the Configuration Process of DBSS?
                - Does DBSS Require Rights of User root from a MySQL Database?
                - Can I Import Logs Generated by DBSS to My Own Log Analysis Platform?
                - What Database-Side Configurations Are Required by DBSS?
                - What Is the Difference Between DBSS and WAF in SQL Injection Prevention?
                - Will My Raw Data in the Database Be Changed by the Dynamic Data Masking Function?
                - How Will DBSS Affect My Service Latency?

2017-09-15    This is the first official release.
