SPAN Port Mirroring - Tech PDF

Information Management

Configuring Port Mirroring


Monitoring
InfoSphere Guardium Technical Document
Contents

1. Overview
2. Port Mirroring
2.1 Physical Setup
2.2 Network Inspection Engine Configuration
3. References

1. Overview
The preferred way to monitor databases with Guardium is to set up S-TAP on
the database servers. However, for some platforms, such as iSeries and NCR UNIX,
no S-TAP package currently exists. For these platforms, database
monitoring of network traffic can still be achieved through port mirroring. Local traffic
can be monitored via the "Custom Data Upload" facility of Guardium. Port mirroring
should also be used if the performance impact on the database server is a major concern,
as S-TAP does have a slight performance impact on the database server.

2. Port Mirroring
– For network traffic, we can use port mirroring, which is mirroring through SPAN
(Switched Port Analyzer) ports.

– This requires a network switch with port mirroring capability.

– Both a physical setup and configuration of the inspection engine are needed to make
port mirroring work.

2.1 Physical Setup

– The LAN containing the desktop used for connecting to the Guardium collector GUI
should be connected to the eth0 port on the Guardium collector appliance.

– The SPAN port from the network switch should be connected to the eth1 port of the
Guardium collector appliance. You can also connect additional SPAN ports to the
remaining ethernet ports of the Guardium appliance, in order.

– The network switch must then be configured to mirror all traffic to and from the
databases to be monitored, to a port on which the appliance is connected. A
network administrator should be able to perform this configuration. You may need to
consult the switch vendor's documentation on the exact process for setting up this
configuration.

Conceptual overview of port mirroring for network traffic. The SPAN port of the network switch is
connected to the eth1 port of the appliance.

2.2 Network Inspection Engine Configuration


– To monitor network traffic between database server(s) and clients accessing the
database server(s), an inspection engine needs to be configured through the
Guardium GUI.

– To configure the inspection engine:

1. Log into the Guardium user interface as the admin user. Click on the
Administration Console tab, then click on Inspection Engines from the
Configuration menu on the left hand panel.

2. Expand the Add Inspection Engine section. Fill out the required fields and
click on the Add button. A description of the required fields follows:

• Name – Enter a unique name. It is recommended to use only letters and
numbers in the name.
• Protocol – Select the database protocol (IBM iSeries, DB2, etc).
• DB Client IP/Mask – Enter a list of clients to be monitored by specifying their
IP and subnet masks.
• DB Server IP/Mask – Enter a list of database servers (database host
machines) to be monitored by specifying their IP and subnet masks.
• Port – Enter a single port or a range of ports over which traffic between the listed
clients and database servers will be monitored.
• Active on startup – Mark this box if the inspection engine should be
automatically started on start-up.
• Exclude DB Client IP – Mark this box if you want the inspection engine to
monitor traffic from all clients except for those listed in the DB Client IP/Mask
list.
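
The sketch below is an added example, not Guardium code or part of the original document. It models how the fields above combine to select mirrored traffic and lists flows that no inspection engine would cover. The class, the function names, the sample addresses and ports, and the assumption that the client, server and port criteria must all match are hypothetical.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class InspectionEngine:
    # Hypothetical model of the form fields above, not a Guardium API.
    name: str
    protocol: str
    client_nets: list          # "IP/mask" strings, e.g. "10.1.0.0/255.255.0.0"
    server_nets: list
    ports: tuple               # (low, high) inclusive; single port: (p, p)
    exclude_clients: bool = False

    def __post_init__(self):
        parse = lambda nets: [ipaddress.ip_network(n, strict=False) for n in nets]
        self._clients = parse(self.client_nets)   # raises ValueError on a bad mask
        self._servers = parse(self.server_nets)
        lo, hi = self.ports
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"{self.name}: bad port range {self.ports}")

    def name_warning(self):
        ok = self.name.isascii() and self.name.isalnum()
        return None if ok else f"{self.name!r}: letters and numbers only are recommended"

    def monitors(self, client_ip, server_ip, port):
        # Assumption: client, server and port criteria must all match.
        c, s = ipaddress.ip_address(client_ip), ipaddress.ip_address(server_ip)
        listed = any(c in n for n in self._clients)
        client_ok = (not listed) if self.exclude_clients else listed
        lo, hi = self.ports
        return client_ok and any(s in n for n in self._servers) and lo <= port <= hi

def uncovered(engines, flows):
    """Return mirrored flows that no engine would inspect (monitoring gaps)."""
    return [f for f in flows if not any(e.monitors(*f) for e in engines)]

# Constructed sample data (addresses and ports are made up for illustration).
ENGINES = [
    InspectionEngine("db2prod", "DB2", ["10.1.0.0/255.255.0.0"],
                     ["10.9.0.10/255.255.255.255"], (50000, 50000)),
    InspectionEngine("iseries1", "IBM iSeries", ["10.1.5.20/255.255.255.255"],
                     ["10.9.0.20/255.255.255.255"], (8470, 8476), exclude_clients=True),
]
FLOWS = [
    ("10.1.2.3", "10.9.0.10", 50000),   # covered by db2prod
    ("10.2.2.3", "10.9.0.10", 50000),   # client outside the listed subnet
    ("10.1.5.20", "10.9.0.20", 8471),   # excluded client: not monitored
    ("10.7.7.7", "10.9.0.20", 8471),    # any other client: monitored
    ("10.1.2.3", "10.9.0.10", 50001),   # port outside the configured range
]

if __name__ == "__main__":
    for flow in uncovered(ENGINES, FLOWS):
        print("not inspected:", flow)
```

Running the same check over the client, server and port combinations actually seen on the SPAN port shows which database traffic would go unaudited before the engines are relied on.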

3. References

Guardium Administration Help Book for v8.0.1 – pages 7-21, 26-30

© Copyright IBM Corporation 2011
All Rights Reserved.

IBM Canada
8200 Warden Avenue
Markham, ON
L6G 1C7
Canada

IBM, the IBM logo, ibm.com and Tivoli are trademarks or
registered trademarks of International Business Machines
Corporation in the United States, other countries, or both. If
these and other IBM trademarked terms are marked on their
first occurrence in this information with a trademark symbol
(® or ™), these symbols indicate U.S. registered or common
law trademarks owned by IBM at the time this information
was published. Such trademarks may also be registered or
common law trademarks in other countries. A current list of
IBM trademarks is available on the Web at “Copyright and
trademark information” at ibm.com/legal/copytrade.shtml

Other company, product and service names may be
trademarks or service marks of others.

References in this publication to IBM products and services
do not imply that IBM intends to make them available in all
countries in which IBM operates.

No part of this document may be reproduced or transmitted
in any form without written permission from IBM
Corporation.

Product data has been reviewed for accuracy as of the date
of initial publication. Product data is subject to change
without notice. Any statements regarding IBM’s future
direction and intent are subject to change or withdrawal
without notice, and represent goals and objectives only.

THE INFORMATION PROVIDED IN THIS DOCUMENT IS
DISTRIBUTED “AS IS” WITHOUT ANY WARRANTY,
EITHER EXPRESS OR IMPLIED. IBM EXPRESSLY
DISCLAIMS ANY WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE OR
NON-INFRINGEMENT.

IBM products are warranted according to the terms and
conditions of the agreements (e.g. IBM Customer
Agreement, Statement of Limited Warranty, International
Program License Agreement, etc.) under which they are
provided.
