IBM Security Guardium Cloud Deployment Guide
AWS EC2

Getting the Public Guardium Images

The official Guardium version 10.1.3 AMIs are listed publicly and are accessible to all other AWS accounts. To get the images, go to the AMIs page and search for Guardium.

1. Log in to the AWS EC2 console page at https://console.aws.amazon.com/ec2/
2. Under Images, click on AMIs.
3. Next to the search bar, select Public Images, then search for Guardium.
4. Select either the Collector or the Aggregator Guardium AMI.
5. Right-click on the selected AMI, then click on Launch to start the Instance creation wizard.

Creating the Guardium Instance

1. On the Choose an Instance Type page, select the instance size General Purpose m4.2xlarge (Guardium recommends a minimum of 4 vCPUs and 24 GB RAM). Click on Next to configure the instance details.
2. Next to Network, select a VPC.
3. Next to Subnet, select a subnet from the list.
4. Under Network Interfaces, enter an IP address in Primary IP address.
5. Click on Next to go to the Storage Configuration page.
6. Review the configuration for Storage, then click on Next.
7. Add a tag name for the instance, then click on Next to configure the Security Group.

Configure the Security Groups

1. On the Security Configuration page, click on Assign a Security Group.
2. Next to Security Group Name, enter a name for the Security Group.
3. Next to Description, write a short description for the Security Group.
4. Guardium uses port 8443 to connect to the web UI and port 22 to connect to the CLI. Create these 2 rules:
   a. Type: SSH, Protocol: TCP, Port Range: 22, Source: Custom
   b. Type: Custom TCP, Protocol: TCP, Port Range: 8443, Source: Custom

   Note: It is recommended that security group rules allow access from known IP addresses only; do not open the CLI or web UI ports to 0.0.0.0/0.

   Security Group rules can also be configured for the following on an as-needed basis:
   For GIM: tcp:8444-8446; tcp:8081
   For FAM: tcp:16022-16023
   For Unix STAP: tcp:16016-16018
   For Windows STAP: tcp:9500-9501
   For Quick Search: tcp:8983; tcp:9983
   For MySQL: tcp:3306

   For a complete list of ports that are utilized in IBM Security Guardium, please refer to the following Technote: http://www-01.ibm.com/support/docview.wss?uid=swg21973188
5. Click on Review and Launch.
6. Review the configuration settings, then click Launch.
7. Select the Secret Key pair from the drop-down list, then click Launch Instances.

Accessing the Guardium Instance

The instance will take a few minutes to deploy; you can check on the status of the deployment on the Instances page. Once the instance is ready you will see a green check next to it, and you can log in to the Guardium appliance.
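The rule set above, written out as the --ip-permissions structure that the AWS CLI's authorize-security-group-ingress command accepts. This is an added example, not from the IBM guide: the port numbers are the ones listed above, while the component names, the placeholder group id sg-0123456789abcdef0, the TEST-NET-3 source range 203.0.113.0/24 and the rule that a "known IP address" source must be a /24 or narrower are this example's own choices. It refuses world-open sources rather than emitting them.

```python
"""Build ingress rules for a Guardium EC2 security group (added example).

Turns the guide's port table into the JSON that
`aws ec2 authorize-security-group-ingress --ip-permissions` takes, and
refuses source ranges that are not a "known IP address" range.
"""
import ipaddress
import json

# Ports from the guide. Base rules are always needed; the rest are opt-in.
BASE_PORTS = {"cli-ssh": [(22, 22)], "web-ui": [(8443, 8443)]}
OPTIONAL_PORTS = {                      # component names are this example's
    "gim": [(8444, 8446), (8081, 8081)],
    "fam": [(16022, 16023)],
    "unix-stap": [(16016, 16018)],
    "windows-stap": [(9500, 9501)],
    "quick-search": [(8983, 8983), (9983, 9983)],
    "mysql": [(3306, 3306)],
}
# Example policy (an assumption): a "known" source is at most a /24.
MAX_SOURCE_ADDRESSES = 256


def check_source(cidr):
    """Reject sources that would expose the CLI/UI to the whole internet."""
    net = ipaddress.ip_network(cidr, strict=True)
    if not isinstance(net, ipaddress.IPv4Network):
        raise ValueError(f"{cidr}: IPv4 sources only in this example")
    if net.num_addresses > MAX_SOURCE_ADDRESSES:
        raise ValueError(f"{cidr}: wider than a /24, not a known-IP range")
    return net


def ip_permissions(source_cidr, components=(), description="guardium"):
    """Return the --ip-permissions list: base ports plus `components`."""
    net = check_source(source_cidr)
    wanted = dict(BASE_PORTS)
    for name in components:
        if name not in OPTIONAL_PORTS:
            raise KeyError(f"unknown Guardium component: {name}")
        wanted[name] = OPTIONAL_PORTS[name]
    perms = []
    for name, ranges in wanted.items():
        for lo, hi in ranges:
            perms.append({
                "IpProtocol": "tcp",
                "FromPort": lo,
                "ToPort": hi,
                "IpRanges": [{"CidrIp": str(net),
                              "Description": f"{description} {name}"}],
            })
    return perms


def authorize_command(group_id, source_cidr, components=()):
    """The aws CLI invocation to run (returned as text, not executed)."""
    perms = json.dumps(ip_permissions(source_cidr, components),
                       separators=(",", ":"))
    return (f"aws ec2 authorize-security-group-ingress --group-id {group_id} "
            f"--ip-permissions '{perms}'")


if __name__ == "__main__":
    # Placeholder group id and a TEST-NET-3 range standing in for the
    # administrators' real source network.
    print(authorize_command("sg-0123456789abcdef0", "203.0.113.0/24",
                            ["unix-stap", "gim"]))
    try:
        ip_permissions("0.0.0.0/0")
    except ValueError as err:
        print("rejected:", err)
```

Run it to get the command for a collector that will also receive Unix S-TAP and GIM traffic; add "mysql" or "quick-search" only on the appliances that actually need those ports reachable from the source range.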
Connecting to the Guardium Appliance in the Cloud

In order to connect to the Guardium appliance via the private IP, you will need to establish VPN access to the Amazon network. For steps on how to create and configure a VPN connection to the Amazon network, please refer to the following link: http://docs.aws.amazon.com/amazonvpc/latest/userguide/vpn-connections.html

Configuring the Guardium instance

Before using the Guardium instance, log in to the CLI using the private IP and run the initial network configuration.

Login to the CLI

1. Use the key pair associated with the instance. The .pem file downloaded from AWS is the private key.
   a. In Linux run: ssh -i <private key .pem file> cli@<private ip>
   b. In Windows/PuTTY you will need to convert the .pem key to .ppk: http://docs.aws.amazon.com/awsec2/latest/userguide/putty.html
2. Log in with the credentials provided by IBM Security Guardium. If this is the first login to the Guardium instance, you will be asked to change the password; change it and store the new password.

   ssh -i ~/mysecretkey.pem cli@172.31.64.100
   IBM Guardium, Command Line Interface (CLI)
   cli@172.31.64.100's password:
   Welcome cli - this is your first login in this system.
   Your password has expired.
   Changing password for 'cli'.
   Enter current password:
   Enter new password:
   Re-enter new password:
   ip-172-31-64-100>

Run the network setup CLI commands

From the CLI, run the following commands to set up the initial Guardium network configuration. You will need the internal IP, the netmask, the gateway and the DNS resolver of the appliance.

1. Set the primary (eth0) IP

   ip-172-31-64-100> store net interface ip 172.31.64.100
   Mar 24 00:40:31 guard-network[12148]: INFO Sanitizing Hosts
   This change will take effect after the next network restart.

2. Set the netmask

   ip-172-31-64-100> store net interface mask 255.255.240.0
   This change will take effect after the next network restart.

3. Set the gateway

   ip-172-31-64-100> store network route defaultroute 172.31.64.1
   This change will take effect after the next network restart.

4. Set the DNS resolver

   ip-172-31-64-100> store network resolver 1 172.31.0.2
   This change will take effect after restart network.

5. Set the system hostname

   ip-172-31-64-100> store system hostname guardium-aws-instance
   Mar 24 00:43:01 guard-network[13331]: INFO set_hostname
   Mar 24 00:43:01 guard-network[13331]: INFO Host is currently localhost
   Mar 24 00:43:01 guard-network[13331]: INFO Setting hostname to guardium-aws-instance.yourcompany.com for ip 172.31.64.100
6. Set the system domain

   ip-172-31-64-100> store system domain ibm.guardium.aws.com
   Mar 24 00:43:41 guard-network[13374]: INFO set_hostname
   Mar 24 00:43:41 guard-network[13374]: INFO Host is currently guardium-aws-instance.yourcompany.com
   Mar 24 00:43:41 guard-network[13374]: INFO Setting hostname to guardium-aws-instance.ibm.guardium.aws.com for ip 172.31.64.100

7. Restart the network for all changes to take effect. Double-check the IP, mask and gateway before answering Yes: if they do not match the subnet the instance was launched into, the appliance will be unreachable after the restart.

   ip-172-31-64-100> restart network
   Do you really want to restart network? (Yes/No)
   yes
   Restarting network
   Shutting down interface eth0: [ OK ]
   Shutting down loopback interface: [ OK ]
   Bringing up loopback interface: [ OK ]
   Bringing up interface eth0:
   Determining IP information for eth0... done. [ OK ]
   Network System Restarted.
   In Standalone clause firewall/iptables rebuilt.
   setting solr
   Changing to port 8443 From port 8443
   Stopping...
   success: true

8. If you selected a Secret Key pair option when launching the instance, run the following command to enable it for the CLI users in the system (cli, guardcli1-5):

   ip-172-31-64-100> store aws access_keys
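The values typed into steps 1 through 4 are not free choices; they follow from the subnet and VPC the instance was launched into. The script below, an added example that is not part of the IBM guide, derives them from the instance's private IP, its subnet CIDR and the VPC CIDR using two AWS VPC conventions: the subnet router sits at the subnet's first usable address (network + 1) and the VPC DNS resolver sits at the VPC base address + 2. It refuses an IP outside the subnet or in the addresses AWS reserves (the first four and the last of every subnet), since those are exactly the mistakes that leave the appliance unreachable after restart network. The hostname and domain are placeholders, and the CLI command strings are the ones shown in the steps above.

```python
"""Derive the Guardium CLI network commands for an EC2 instance (added example).

Inputs: private IP, subnet CIDR, VPC CIDR. AWS conventions applied:
  gateway  = subnet network address + 1 (the VPC router)
  resolver = VPC network address + 2 (the Amazon DNS server)
"""
import ipaddress


def derive_network(private_ip, subnet_cidr, vpc_cidr):
    """Return ip/mask/gateway/resolver, or raise ValueError if the
    addressing is inconsistent (the appliance would be unreachable)."""
    ip = ipaddress.ip_address(private_ip)
    subnet = ipaddress.ip_network(subnet_cidr, strict=True)
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    if not subnet.subnet_of(vpc):
        raise ValueError(f"subnet {subnet} is not inside VPC {vpc}")
    if ip not in subnet:
        raise ValueError(f"{ip} is not inside subnet {subnet}")
    # AWS reserves the first four addresses and the broadcast address.
    offset = int(ip) - int(subnet.network_address)
    if offset < 4 or ip == subnet.broadcast_address:
        raise ValueError(f"{ip} is an AWS-reserved address in {subnet}")
    return {
        "ip": str(ip),
        "mask": str(subnet.netmask),
        "gateway": str(subnet.network_address + 1),
        "resolver": str(vpc.network_address + 2),
    }


def cli_commands(private_ip, subnet_cidr, vpc_cidr, hostname, domain):
    """The Guardium CLI sequence from the guide, in the order to type it."""
    n = derive_network(private_ip, subnet_cidr, vpc_cidr)
    return [
        f"store net interface ip {n['ip']}",
        f"store net interface mask {n['mask']}",
        f"store network route defaultroute {n['gateway']}",
        f"store network resolver 1 {n['resolver']}",
        f"store system hostname {hostname}",
        f"store system domain {domain}",
        "restart network",
    ]


if __name__ == "__main__":
    # The guide's own addressing: a /20 subnet inside the default 172.31.0.0/16.
    for line in cli_commands("172.31.64.100", "172.31.64.0/20",
                             "172.31.0.0/16", "guardium-aws-instance",
                             "ibm.guardium.aws.com"):
        print(line)
    for bad in ("172.31.80.5", "172.31.64.2"):   # wrong subnet, reserved
        try:
            derive_network(bad, "172.31.64.0/20", "172.31.0.0/16")
        except ValueError as err:
            print("refused:", err)
```

For the guide's addresses this reproduces the values in the transcripts above (mask 255.255.240.0, gateway 172.31.64.1, resolver 172.31.0.2). Read the subnet and VPC CIDRs from the console or from `aws ec2 describe-subnets` rather than guessing them.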
Accessing the GUI

To log in to the web GUI, use the private IP associated with the instance. Open a web browser to this address: https://<private-ip>:8443. Log in with the credentials provided by IBM Security Guardium. If this is the first login to the system, you will be asked to change the admin password; change it and save the new password.

Warnings and Known Limitations

The following CLI commands will not work on an appliance deployed in the Amazon Cloud due to DHCP handling limitations:

   store network interface mtu
   show network verify
   show network interface inventory

The following CLI commands should not be run on the appliance, as they may result in the appliance becoming inaccessible:

   store network interface reset
   store net interface inventory
2017 September 26

IBM Guardium Licensed Materials - Property of IBM. Copyright IBM Corp. 2017. U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at Copyright and trademark information (www.ibm.com/legal/copytrade.shtml).