Download presentation: Jan Kristian Nielsen — Client Architect 24 04 2012 IBM


  • Number of slides: 30

Jan Kristian Nielsen - Client Architect, 24/04/2012, IBM System Software. © 2012 IBM Corporation

IBM System Software Hierarchy (layers from enterprise-wide down to the single system)
• Enterprise-wide: IBM Tivoli
• IBM Systems Director, VMControl, PowerHA
• Operating Systems
• PowerVM, PowerSC
• Hypervisor (Firmware)
• Single System: Hardware
© 2009 IBM Corporation

System Management

IBM Systems Director 6.3
• Simplify platform management across server and storage infrastructure
• Focus on health, status, automation
• Manage physical and virtual resources
• Common navigation, look and feel
• Enable upward integration to enterprise service management

IBM® Systems Director provides platform lifecycle management
• Consolidation of Platform Management Tools
  – Single consistent cross-platform management tool
  – Simplified tasks via Web based interface
  – Manage many systems from one console
• Physical and Virtual Management
  – Discovery and Inventory of physical and virtual resources
  – Configuration and provisioning of platform resources
  – Status, Health, and Monitoring of platform resources
  – Visualization of server resource topologies
  – Move virtual servers between systems without disruption to running workloads
• Platform Update Management
  – Simplified consistent cross-platform tools to acquire, distribute and install firmware, driver and OS updates

What can IBM® Systems Director manage?
• Blade and Modular System resources:
  – BladeCenter, Blade servers (x, Power, Cell), I/O modules
  – System x servers
  – VMware ESX, VMware 3i, MSVS, Xen
  – Windows, Linux
• POWER System resources:
  – HMC, IVM, Virtual I/O Server, System i/p Servers
  – AIX, POWER Linux, IBM i
• Mainframe System resources:
  – Linux on zSeries
  – z/VM
• HP, Dell, and other OEM x86 systems
• SNMP-based devices:
  – Network, storage, power distribution units, etc.
• CIM-based devices
  – CIM = Common Information Model
• Storage resources (SMI-S)
  – LSI (IRC), DS3000, DS4000, DS6000, RSSM
  – SAS Switch (NSSM, RSSM), Brocade FC Switch, Qlogic FC Switch

IBM Systems Director - End-to-End Management (layered architecture, top to bottom)
• Enterprise Service Management: other systems management software and Integrated Service Management, into which Systems Director integrates upward
• Advanced Managers & Priced Plug-Ins ($$), delivered as additional plug-ins: WPAR Manager, VMControl Image Manager, BOFM, Transition Mgr for HP SIM, Network Control, Active Energy Manager, VMControl, Service & Support Manager
• Base Systems Director Managers & Hardware Platform Managers (IBM® Systems Director Editions)
  – Core Director Services: Discovery, Configuration, Automation, Update, Status, Remote Access, Virtualization, Storage Control
  – Hardware platform managers: System x & BladeCenter, System z, Power Systems
• Resource Management: managed virtual and physical environments
• Hardware: IBM and non-IBM hardware

IBM Systems Director topology
• IBM Systems Director Server, with a Web-based Interface for users and a Management Interface towards the agents
• Database (Local or Remote): Apache Derby (local default), SQL, DB2 or Oracle
• IBM Systems Director Agents deployed to the Managed Systems (all IBM Server platforms, Desktops, Laptops, SNMP devices, CIM devices): Common Agent, Platform Agent, or No Agent
• Three-tier architecture
• Thousands of managed end-points
• Upward Integration modules supporting: IBM Tivoli, Computer Associates, Hewlett Packard, Microsoft

IBM Tivoli and Systems Director together deliver a comprehensive, ultra-scalable end-to-end systems and service management solution.
• IBM Systems Director: "Care and feeding" of platform hardware across the physical/virtual resource stack (hardware, operating system, network, middleware, applications)
  – Tell me what I have
  – Tell me if it's working
  – Let me configure, install and tweak it
  – Let me update it
• IBM Tivoli: Integrated visibility, control & automation across business and technology assets
  – See the business with real-time dashboards
  – Govern the business with integrated asset control solutions
  – Optimize the business with automated solutions

Performance Advisors

Performance Advisors
• Run advisors on test or production systems.
• Advisors will evaluate the environment for performance optimization opportunities
  – Gives guidance on how to make the necessary changes.
• Three advisors available:
  – Java
  – VIOS & Virtual Ethernet
  – Virtualization
• "Built in Smarts" to detect some of the most common problems that are encountered
• Available on developerWorks, FREE OF CHARGE
• Link: https://www.ibm.com/developerworks/wikis/display/WikiPtype/Other+Performance+Tools

Introducing the VIOS Advisor
• What is it? The VIOS advisor is a standalone application that polls key performance metrics for minutes or hours, before analyzing the results to produce a report that summarizes the health of the environment and proposes potential actions that can be taken to address performance inhibitors.
• How does it work?
  – STEP 1) Download VIOS Advisor: only a single executable is required to run within the VIOS partition.
  – STEP 2) Run Executable: the VIOS Advisor can monitor from 5 min and up to 24 hours.
  – STEP 3) View XML File: open up the .xml file using your favorite web browser to get an easy to interpret report summarizing your VIOS status.
https://www.ibm.com/developerworks/wikis/display/WikiPtype/VIOS+Advisor

Screenshot 1: Overview. Get a comprehensive summary of your VIOS' health on a single page.
https://www.ibm.com/developerworks/wikis/display/WikiPtype/VIOS+Advisor

PowerSC

IBM Power Systems
PowerSC: SECURITY AND COMPLIANCE, The Foundation of Trust for AIX
Power is Performance Redefined
Illustration by Chris Short

Security Concerns in a virtualized environment
1. Trusted Boot: How can I be sure that a VM's OS has booted in a known-trusted state?
2. Trusted Execution: How can I be sure that the application binaries are safe to run?
3. Trusted Logging: How can I be sure that audit files are safe from malicious modification?
4. Compliance Automation: How can I raise alerts when security policies are violated?
5. Trusted Network Connect: How do I ensure that a new system is trustworthy when it attempts to join a secure network?
Diagram: PowerSC Platform Management (TNC, Trusted Logging) spanning VM1 to VM4 (App over OS), a Hardened VIOS acting as Secure VM (SVM), the Hypervisor, and a virtual Trusted Platform Module.

PowerSC Answers These Questions
1. Trusted Boot: How can I be sure that a VM's OS has booted in a known-trusted state?
2. Trusted Execution: How can I be sure that the application binaries are safe to run?
3. Trusted Logging: How can I be sure that audit files are safe from malicious modification?
4. Compliance Automation: How can I be sure data security standards are being followed?
5. Trusted Network Connect: How do I ensure that a new system is trustworthy when it attempts to join a secure network?

PowerSC – Trusted Boot and Trusted Execution
Challenge: Ensure that every virtual machine image in your datacenter hasn't been altered, either by accident or maliciously.
PowerSC Solution: Trusted Boot forms the core root of trust for the image, i.e. a foundation for trust. Each stage of the boot process measures the next, starting at the firmware (BIOS, then Kernel, then O/S, then Applications).
How PowerSC works:
1. Measure the boot process and securely store the results in a Virtual Trusted Platform Module (vTPM)
2. Provide a sealed set of measurements to the requestor
3. Verify these measurements against a reference manifest
• PowerSC offers the only solution on the market to form a chain of trust for VMs all the way from boot to application!
• Improve QoS by reducing the risk of accidental or malicious image tampering
• Reduce the time it takes to ensure that every VM in your datacenter is running authorized and trusted software.
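Added example (not from the deck and not IBM's PowerSC code): a Python model of the measure, seal and verify chain the slide describes. The stage images are constructed placeholders, the vTPM is modelled as a single SHA-256 hash-extend register, and the reference manifest is built from the known-good images; all of that is assumed, not taken from PowerSC.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

# Constructed stand-ins for the image each boot stage loads, firmware first as on
# the slide. Real PowerSC measures the LPAR's actual firmware, kernel and binaries.
KNOWN_GOOD: List[Tuple[str, bytes]] = [
    ("firmware", b"constructed firmware image v1"),
    ("kernel", b"constructed AIX kernel image v1"),
    ("os", b"constructed OS image v1"),
    ("applications", b"constructed application bundle v1"),
]
ZERO_REGISTER = "00" * 32  # assumed: the vTPM register starts out all-zero

def measure(image: bytes) -> str:
    """A stage's measurement: the SHA-256 digest of the image it is about to run."""
    return hashlib.sha256(image).hexdigest()

def extend(register: str, measurement: str) -> str:
    """TPM-style extend: new = H(old || measurement). Append-only and order-preserving,
    so a register value can only be reproduced by replaying the same sequence."""
    return hashlib.sha256(bytes.fromhex(register) + bytes.fromhex(measurement)).hexdigest()

def measured_boot(stages: List[Tuple[str, bytes]]) -> Tuple[str, List[Tuple[str, str]]]:
    """Each stage measures the next and extends the register before handing over.
    Returns the sealed register value plus the event log given to a requestor."""
    register, log = ZERO_REGISTER, []
    for name, image in stages:
        m = measure(image)
        register = extend(register, m)
        log.append((name, m))
    return register, log

def build_manifest(stages: List[Tuple[str, bytes]]) -> Dict[str, str]:
    """Reference manifest: the expected measurement of every stage, taken from
    known-good images (the 'Known Good Model' the deck contrasts with blocklists)."""
    return {name: measure(image) for name, image in stages}

def verify(register: str, log: List[Tuple[str, str]],
           manifest: Dict[str, str]) -> Tuple[bool, Optional[str]]:
    """Replay the log against the manifest, then confirm the replay reproduces the
    sealed register. Returns (ok, first_failing_stage) with None when everything matches."""
    replay = ZERO_REGISTER
    for name, m in log:
        if manifest.get(name) != m:
            return False, name          # this stage's image is not a known-good one
        replay = extend(replay, m)
    if replay != register:
        return False, "register"        # log looks clean but does not match the sealed value
    return True, None
```

Replacing any one stage's image changes every register value from that stage onward, which is why verification names the first divergent stage rather than just reporting a mismatch.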

PowerSC Moves to "Known Good Model": Only Allow Known Trusted Software to Run
• Security Vulnerability Detection tends to work on a "Known Bad Model". This reactive model blocks intrusions based on historical break-ins.
• PowerSC Trusted Boot employs a more efficient "Known Good Model" which only allows trusted images to run. Power Systems are "hermetically sealed" with tight interlocks between the hardware, virtualization and software.

"But I've already written scripts to check Security and Compliance"
A: Home grown scripts are expensive to maintain and error prone:
• Who certifies to auditors that these scripts match security standards?
• Are the scripts secure against modification or tampering?
• What is the cost of maintaining the scripts?
• Who monitors data security standards and ensures that the scripts are updated?
• Is there a standard set of scripts in the company, or does every group roll their own?
• What happens when the author of the scripts leaves the company?
• Do all administrators understand what the scripts do and what the expected results are?

PowerSC – Security Compliance Automation
Challenge: Demonstrate compliance to regulatory standards by setting security configurations on systems in a uniform manner.
PowerSC Solution: Compare settings across all of the systems in the datacenter against prebuilt profiles, e.g. Payment Card Industry (PCI), DoD STIG and COBIT.
How PowerSC works:
• A single dashboard monitors compliance and generates audit reports.
• Sets and checks compliance for systems based on prebuilt security profiles
Benefits:
• Lower administration costs by setting security configs in a repeatable manner
• Lower admin costs by automating compliance reporting
• Automatic remediation of servers that are out of compliance

PowerSC – Trusted Network Connect
Challenge: Ensure that images are trusted and at the proper patch level when they connect to the network.
PowerSC Solution: Trusted Network Connect and Patch Management detects noncompliant virtual machines during activation and alerts administrators immediately.
How PowerSC works:
• An image that does not meet trusted measurements and patch levels is flagged "Out of compliance" and triggers an alert to the administrator.
Benefits:
• Reduce business risk by active notification of down-level systems via email and SMS.
• Lower admin costs by automatically spotting non-compliant systems within the virtual data center and cloud environments
• Lower costs of demonstrating compliance: monitoring at virtual machine activation proves compliance to patch policy

PowerSC – Trusted Logging
Challenge: Prevent malicious users from "covering their tracks."
PowerSC Solution: Move log events to a secure external VM via the hypervisor. Centralized logging ensures that even when virtual machines are discarded the audit logs remain in the central location for audit purposes.
How PowerSC works:
• Trusted Logging provides tamperproof, secure, centralized protection for AIX audit and system logs and is integrated with PowerVM virtualization.
• Access to the Secure VM is limited to a few privileged super users
• Guest VM logs can be managed and backed up from a single location within each physical server.
• Log scraping agents and reporting agents can be removed from the guest OS.
Benefits:
• Discourage malicious activity by ensuring individual accountability; trace actions to authenticated individuals.
• Reduce the time it takes to identify tampering and/or unauthorized changes
• Reduce the time it takes to demonstrate Security Compliance by maintaining strict control over audit logs.

Power is performance redefined
• Deliver new services faster: PowerSC accelerates secure system creation and compliance.
• Deliver higher quality services: PowerSC reduces your business risk from accidental or malicious image tampering while minimizing the impacts to system performance.
• Deliver services with superior economics: PowerSC dramatically reduces the operational expense to establish and maintain security assurance over your virtualized datacenter.

PowerSC Editions: Security and Compliance Options
• PowerSC Express – Basic compliance for AIX
• PowerSC Standard – Security and compliance for virtual & cloud environments
Features compared across the Express and Standard editions:
  – Security and Compliance Automation
  – Trusted Logging
  – Trusted Boot**
  – Trusted Network Connect and Patch Management
** Requires POWER7 System with eFW 7.4

Click here to learn more about Security in a Virtual World!
PowerSC: SECURITY AND COMPLIANCE, The Foundation of Trust for AIX
Illustration by Chris Short

Learn more about PowerSC on the Web: http://www.ibm.com/systems/power/software/security/

END

PowerSC Business Requirements
Guarantee that the OS has not been hacked or compromised in any way. PowerSC provides a security and compliance solution to protect datacenters virtualized with PowerVM, enabling higher quality services.
Capabilities:
• Trusted Boot (defense against tampering): images and OS are cryptographically signed and validated using a virtual Trusted Platform Module (vTPM).
• Trusted Logging (Compliance and Audit; tamper-proof logs): the VIOS captures all LPAR audit log information in real time.
• Trusted Network Connect and Patch Management (ensure that every Virtual System has appropriate security patches; notification of unpatched systems): with the Trusted Network Connect protocol embedded in the VIOS, we can detect any system attempting to access the network and determine if it is at the correct security patch and update level.
• Security Compliance Automation (Compliance and Audit to External Standards; compliance automation and reporting): pre-built compliance profiles that match various industry standards such as Payment Card Industry, DoD and SOX/COBIT, activated and reported on centrally using AIX Profile Manager.

AIX V7.1 GA 09/2010
AIX V6.1 / 7.1 Security: Role Based Access Control
Provides greater security and increased administration flexibility. Model: Users are assigned Roles, Roles contain Authorizations, Authorizations grant access to AIX Resources.
• Roles (e.g. DBA, PRINT, BACKUP): a container for authorizations that can be assigned to a user.
• Privileges: a process attribute that allows a process to bypass a security restriction. Not context aware.
• Authorizations: a mechanism to grant access to commands or certain functionality. Context aware. They form a hierarchy, e.g.:
  aix
    device, fs, network, proc, ras, security, wpar
    system
      config, install, stat
      boot
        create ("create boot image")
        halt ("halt the system")
        info ("display boot information")
        reboot ("reboot the system")
        shutdown ("shutdown the system")
New in AIX 7: Domain Role Based Access Control
New in PowerVM 2.2: RBAC on the Virtual I/O Server
Example: the authorizations and privileges recorded for a command in /etc/security/privcmds
  # lssecattr -c -F /usr/sbin/bootinfo
  /usr/sbin/bootinfo:
  accessauths = aix.system.boot.info
  innateprivs = PV_DAC_R,PV_DAC_W,PV_DEV_CONFIG,PV_KER_RAS
Networking and Security