You are previewing Managing Security and Compliance in Cloud or Virtualized Data Centers Using IBM PowerSC.
O'Reilly logo
Managing Security and Compliance in Cloud or Virtualized Data Centers Using IBM PowerSC

Book Description

IBM® PowerSC provides a security and compliance solution that is optimized for virtualized environments on IBM Power Systems™ servers, running IBM PowerVM® and IBM AIX®. Security control and compliance are some of the key components that are needed to defend the virtualized data center and cloud infrastructure against ever evolving new threats. The IBM business-driven approach to enterprise security used in conjunction with solutions such as PowerSC makes IBM the premier security vendor in the market today.

This IBM Redbooks® deliverable helps IT and Security managers, architects, and consultants to strengthen their security and compliance posture in a virtualized environment running IBM PowerVM.

Table of Contents

  1. Front cover
  2. Notices
    1. Trademarks
  3. Preface
    1. The team who wrote this book
    2. Now you can become a published author, too!
    3. Comments welcome
    4. Stay connected to IBM Redbooks
  4. Part 1 Business drivers and solution overview
    1. Chapter 1. IT security and compliance management business context
      1. 1.1 Drivers that influence security
        1. 1.1.1 Business drivers that influence security
        2. 1.1.2 IT drivers that influence security
      2. 1.2 Introducing the IBM Security Framework
        1. 1.2.1 Infrastructure
      3. 1.3 IBM Security Blueprint
      4. 1.4 Security and compliance management
      5. 1.5 Conclusion
    2. Chapter 2. Introducing the IBM PowerSC solution
      1. 2.1 Overview
      2. 2.2 Components
        1. 2.2.1 Security and Compliance Automation
        2. 2.2.2 Real Time Compliance
        3. 2.2.3 Trusted Boot
        4. 2.2.4 Trusted Firewall
        5. 2.2.5 Trusted Network Connect and Patch Management
        6. 2.2.6 Trusted Logging
        7. 2.2.7 Trusted Surveyor
      3. 2.3 Deployment use case scenarios
        1. 2.3.1 The challenge
        2. 2.3.2 Addressing the challenge by using PowerSC
  5. Part 2 Technical concepts and deployment guidelines
    1. Chapter 3. Security and Compliance Automation
      1. 3.1 Component architecture
        1. 3.1.1 PowerSC using AIX Security Expert
        2. 3.1.2 PowerSC using AIX Profile Manager
      2. 3.2 Detailed implementation
        1. 3.2.1 Requirements to install the software
        2. 3.2.2 Necessary filesets
        3. 3.2.3 Installing components by using smitty
      3. 3.3 Deployment considerations
        1. 3.3.1 Extracting profiles
        2. 3.3.2 Content and structure of profiles
        3. 3.3.3 Customizing XML profiles
      4. 3.4 Working with compliance automation
        1. 3.4.1 Applying XML profiles
        2. 3.4.2 Reporting the applied XML profile
        3. 3.4.3 Unapplying the previously applied profile
        4. 3.4.4 Troubleshooting failed rules
      5. 3.5 Deploying profiles using AIX Profile Manager
        1. 3.5.1 Requirements to install the software
        2. 3.5.2 Installing AIX Profile Manager
        3. 3.5.3 Preparing AIX Profile Manager
      6. 3.6 Conclusion
    2. Chapter 4. Real Time Compliance
      1. 4.1 Component architecture
      2. 4.2 Detailed implementation
      3. 4.3 Deployment considerations
        1. 4.3.1 Requirements to install the software
        2. 4.3.2 Necessary filesets
      4. 4.4 Installation
      5. 4.5 Working with Real Time Compliance
        1. 4.5.1 Configuring the software
        2. 4.5.2 Configuring the files policy
        3. 4.5.3 Advanced options
        4. 4.5.4 Notifications
      6. 4.6 Troubleshooting
      7. 4.7 Conclusion
    3. Chapter 5. Trusted Logging
      1. 5.1 Component architecture
        1. 5.1.1 Built on virtual SCSI foundations
        2. 5.1.2 Virtual Log devices
        3. 5.1.3 Virtual logs
        4. 5.1.4 Virtual log directory and file structure
        5. 5.1.5 Virtual log repositories
        6. 5.1.6 Shared storage pools
      2. 5.2 Deployment considerations
        1. 5.2.1 Deploying Trusted Logging on a dedicated Virtual I/O Server
        2. 5.2.2 Securing the Virtual I/O Server
        3. 5.2.3 Local virtual logs or shared storage pools
        4. 5.2.4 Where to store local virtual logs
      3. 5.3 Detailed implementation
        1. 5.3.1 Virtual log target devices
        2. 5.3.2 Virtual log devices
        3. 5.3.3 Messages that are written to the state files
        4. 5.3.4 Multipath presentation on the client LPAR
        5. 5.3.5 Workload partitions (WPARs)
        6. 5.3.6 Performance
      4. 5.4 Installation
        1. 5.4.1 Installing the Client LPAR component
        2. 5.4.2 Verifying the version of the Virtual I/O Server
      5. 5.5 Working with Trusted Logging
        1. 5.5.1 Changing the local virtual log repository file system
        2. 5.5.2 Creating a virtual log on a single Virtual I/O Server
        3. 5.5.3 Accessing virtual log data on the Virtual I/O Server
        4. 5.5.4 Configuring shared storage pools
        5. 5.5.5 Demonstrating multipath failover
        6. 5.5.6 Configuring AIX auditing to use a virtual log
        7. 5.5.7 Configuring syslog to use a virtual log
        8. 5.5.8 The backup of Trusted Logging data on the Virtual I/O Server
        9. 5.5.9 Deleting virtual logs and virtual log target devices
      6. 5.6 Troubleshooting
      7. 5.7 Conclusion
    4. Chapter 6. Trusted Network Connect and Patch Management
      1. 6.1 Component architecture
      2. 6.2 Detailed implementation
      3. 6.3 Deployment considerations
        1. 6.3.1 Requirements to install the software
        2. 6.3.2 Necessary filesets
      4. 6.4 Installation
        1. 6.4.1 Configuring the patch management server
        2. 6.4.2 Configuring the Trusted Network Connect server
        3. 6.4.3 Configuring the Trusted Network Connect client
        4. 6.4.4 Configuring Trusted Network Connect server email notification
        5. 6.4.5 Configuring the IP referrer on the Virtual I/O Server
      5. 6.5 Working with Trusted Network Connect and Patch Management
        1. 6.5.1 Managing patch management repositories
        2. 6.5.2 Starting verification for the Trusted Network Connect client
        3. 6.5.3 Viewing the Trusted Network Connect server logs
        4. 6.5.4 Creating policies for the Trusted Network Connect client
        5. 6.5.5 Viewing the verification results of the Trusted Network Connect
        6. 6.5.6 Importing Trusted Network Connect certificates
        7. 6.5.7 Updating the Trusted Network Connect client
        8. 6.5.8 Verifying the update logs
      6. 6.6 Troubleshooting
      7. 6.7 Conclusion
    5. Chapter 7. Trusted Boot
      1. 7.1 Component architecture
        1. 7.1.1 Trusted Boot technical overview
      2. 7.2 Detailed implementation
      3. 7.3 Installation
        1. 7.3.1 Installing the collector
        2. 7.3.2 Installing the verifier
      4. 7.4 Working with Trusted Boot
        1. 7.4.1 Configuring SSH
        2. 7.4.2 Enabling Virtual Trusted Platform Module (vTPM)
        3. 7.4.3 Enrolling a system
        4. 7.4.4 Attesting a system
        5. 7.4.5 Attesting multiple systems
        6. 7.4.6 Simulating a failure
      5. 7.5 Troubleshooting
        1. 7.5.1 Common problems
        2. 7.5.2 Diagnosis
      6. 7.6 Conclusion
    6. Chapter 8. Trusted Firewall
      1. 8.1 Component architecture
        1. 8.1.1 Firewall technologies
        2. 8.1.2 Deny and permit
        3. 8.1.3 Packet filtering rules
        4. 8.1.4 Security policies
      2. 8.2 Detailed implementation
      3. 8.3 Deployment considerations
      4. 8.4 Installation
        1. 8.4.1 Trusted Firewall installation
        2. 8.4.2 Verifying the Trusted Firewall installation
      5. 8.5 Working with Trusted Firewall
        1. 8.5.1 Configuring the Secure Virtual Machine (SVM)
        2. 8.5.2 Configuring the filter rules
        3. 8.5.3 Removing Trusted Firewall
      6. 8.6 Troubleshooting Trusted Firewall
      7. 8.7 Conclusion
    7. Chapter 9. Trusted Surveyor
      1. 9.1 Component architecture
        1. 9.1.1 Naming conventions for Trusted Surveyor resources
        2. 9.1.2 Domains
        3. 9.1.3 Probes
        4. 9.1.4 Snapshots
      2. 9.2 Detailed implementation
        1. 9.2.1 Basic components
        2. 9.2.2 System requirements
      3. 9.3 Installation
        1. 9.3.1 Configuring Trusted Surveyor
        2. 9.3.2 Assigning roles
      4. 9.4 Working with Trusted Surveyor
        1. 9.4.1 Logging on to Trusted Surveyor
        2. 9.4.2 Creating a domain
        3. 9.4.3 Viewing a domain
        4. 9.4.4 Changing the properties of a domain
        5. 9.4.5 Removing a domain
        6. 9.4.6 Viewing a snapshot
        7. 9.4.7 Saving a snapshot
        8. 9.4.8 Comparing snapshots
        9. 9.4.9 Removing a snapshot
        10. 9.4.10 Creating a probe
        11. 9.4.11 Viewing a probe
        12. 9.4.12 Changing the properties of a probe
        13. 9.4.13 Automatically deploying a public key for a probe
        14. 9.4.14 Manually deploying a public key for a probe
        15. 9.4.15 Generating a report
        16. 9.4.16 Using the CLI
      5. 9.5 Troubleshooting
        1. 9.5.1 Authentication problems
        2. 9.5.2 Command-line interface
      6. 9.6 Conclusion
  6. Appendix A. Trusted Firewall addendum
    1. ICMP codes
    2. ICMPv6 codes
  7. Related publications
    1. IBM Redbooks
    2. Online resources
    3. Help from IBM
  8. Back cover