Product Documentation
Abstract
This document establishes the technical requirements for Guardium v10.0 - CPUs, RAM.
Content
- Hardware offering – fully configured physical appliance provided by IBM.
- Software offering – software images deployed on customer hardware either directly or as virtual appliances.
The scope of this document is the “Software Offering”, and the requirements listed in this document apply to both the physical appliance and the virtual appliance unless specified otherwise.
Product overview
IBM® Security Guardium® is a unified, cross-platform solution that both protects databases in real time and automates the entire compliance auditing process. The solution supports all major database platforms, enterprise applications, and operating systems (UNIX, Linux, Windows, and z/OS).
IBM Security Guardium can be deployed in a variety of operational modes:
- Collector – In Database Activity Monitoring or Vulnerability Assessment, the collectors monitor and analyze database activity to provide continuous fine-grained auditing and reporting, real-time policy-based alerting and database access controls.
- Central Manager/Aggregator –The Central Manager is a single point of management for the entire IBM InfoSphere Guardium deployment. With the Central Manager, customers can define enterprise-wide policies, alerts, queries and reports, install patches, push configuration and perform a variety of other administrative tasks from a single console. In addition, data from multiple collectors can be aggregated to the Aggregation Server to provide holistic views and generate enterprise-level reports.
Hardware Requirements
The following hardware requirements are necessary for the IBM Security Guardium solution to work properly. Unless specified otherwise, the requirements are for both the physical installation and the virtual installation.
Installation on Physical Appliances
The IBM Guardium solution works only on x86 Intel-based or AMD-based platforms (for example, x86_64). Only platforms and hardware that are officially supported by RedHat Linux 6.5 (64-bit) are expected to work properly (See links to RedHat Support documentation, listed at end of this document). However, not all officially supported platforms are guaranteed. Platforms that require additional drivers or specialized post-install configuration are not supported at this time (see note below).
Note: If a customer has an appliance they know will require additional configuration beyond the standard RedHat 6.5 (64-bit) installation, then that customer should install RedHat 6.5 (64-bit) and record all the installation time choices and any post-install configuration steps. Send this information to Guardium Technical Services for analysis and, based on the analysis, they may be able to provide a software update to support this platform.
Deviations from the specifications in this document may result in failure to install the solution, in such cases, the appliance might not be accessible over the network and IBM Guardium Technical Support engineers will not be able to assist in troubleshooting and remediation.
Appendix A lists examples of platforms that were tested and approved by IBM.
Installation on Virtual Appliances
While IBM Guardium can be installed on any VMware product, the VMware ESX server is the recommended platform for a virtual solution. Only VMware is supported by Guardium as the platform for a virtual solution.
Notes:
1. Hardware requirements for the virtual solution are restricted to the platforms supported by VMware. ESX 4.0 Update 4 and higher is the minimum to run Guardium 10.0.
2. When using the virtual solution, Database Activity Monitoring must be done via S-TAP agents. Over-the-network inspection through SPAN port or Tap device is not supported for the virtual offering.
3. VMware introduces additional complexity. The overall performance and utilization of your Guardium virtual appliance may vary based on VMware configuration, resource allocation, and/or sizing planning.
Recommended Resources per software/virtual appliance
Resource | Required Range * | Comments |
Physical CPUs | Minimum 4 cores | x86 (Intel or AMD) processors required |
Virtual CPUs | Minimum 4 vCPUs | |
RAM | (64-bit)
24 GB (min) to motherboard max |
Some of Guardium's newer features are memory intensive. In order to take full advantage of these features, Guardium strongly encourages customers to have a minimum of 24 GB of RAM and a minimum of 4-core CPU. |
Ports (NICs)
1 Gbit or 10 Gbit per second card recommended 10 Gbit per second card can be used in 64-bit system with sufficient memory |
1-4 | Each port can be an actual NIC, or a virtual switch that can be configured to use multiple NICs, optionally with failover IP teaming.
Optional: The third port may also be configured to team with the primary interface in order to provide failover IP teaming. Alternatively, the last port on the device may be configured as a secondary management interface with a different IP, NETMASK and GW from the primary. When using Inspection Engines to capture traffic (not Multiple network interfaces are supported on: (1) a Guardium hardware appliance; (2) a customer's software appliance (the customer installs Guardium software on their hardware appliance); or (3) VMware solution with ESX Server. |
Disk Size | 300 GB to <2 TB | Use of RAID is recommended.
RAID-0, RAID-1, RAID 0+1, RAID 1+0 are supported. Note: Larger disks may hold more audit records for longer periods of time, but are more likely to impact performance. At least 9 GB of free disk space on the /var partition is required. |
Disk Speed | 7200 RPM to 15,000 RPM | To use 7200 RPM, scale back the sizing ratio by 70% (see Sizing table on the next page) |
DVD Drive | 1 |
Important: The installation of the software appliance will wipe the disk, repartition and reformat the disk, and install the InfoSphere Guardium solution as a newly installed operating system.
Refer to the Appliance Installation Guide for step-by-step instructions on configuration and installation. The separate Appliance Installation Guide also provides information on how to customize the partitioning on the appliance and how to install on a remote drive (SAN). Installation on a SAN is supported; installation on a NAS is not supported.
Guardium support for 10G network cards
The 10G network cards must be supported by the appropriate version of RedHat Enterprise Linux (RHEL) (RedHat 6.5 for Guardium v10x series).
Sizing Recommendations
Standard Appliance Specification
There are four configurations of the IBM m3550 M4 shipped by IBM:
· Collector x2000 64-bit
· Aggregator x2000 64-bit
· Collector x3000 64-bit
· Aggregator x3000 64-bit
Note: In general, hardware specifications and configuration should follow manufacturers' best-practices to optimize performance. For example on the topic of memory configuration, make sure that the DIMMs are both balanced and matched, otherwise you will not take advantage of the full capacity of the appliance.
Collector x2000 64-bit
QTY | Description |
1 | IBM System x Advanced Lightpath Kit |
8 | 8GB (1x8GB, 1Rx4, 1.35V) PC3L-12800 CL11 ECC DDR3 1600MHz LP RDIMM |
1 | x3550M4 4x 2.5" HS HDD Assembly Kit for 12Gb RAID |
2 | Rack power cable - 2.8m, 100-240V, C13 to IEC 320-C14 (WW) |
1 | IBM UltraSlim Enhanced SATA DVD-ROM |
1 | ServeRAID M5210 SAS/SATA Controller for IBM System x |
1 | Intel Xeon Processor E5-2630 v2 6C 2.6GHz 15MB Cache 1600MHz 80W |
1 | Intel Xeon Processor E5-2630 v2 6C 2.6GHz 15MB Cache 1600MHz 80W |
1 | IBM System x3550 M4 Planar |
1 | ServeRAID M5200 Series 1GB Cache/RAID 5 Upgrade for IBM Systems |
1 | Intel X540-T2 Dual Port 10GBaseT Adapter for IBM System x |
1 | x3550 M4 WW Packaging |
1 | IBM System x3550 M4 2.5" Base Without Power Supply |
2 | IBM System x 550W High Efficiency Platinum AC Power Supply |
1 | x3550 M4 System Level Code |
1 | x3550 M4 PCIe Riser Card 1 (1 x16 LP Slot) |
1 | x3550 M4 PCIe Gen-III Riser Card 2(1 x16 FH/HL Slot) |
1 | x3550 M4 ODD Cable |
1 | IBM System x Gen-III Slides Kit |
1 | IBM System x Gen-III CMA |
2 | IBM 600GB 10K 6Gbps SAS 2.5" SFF G2HS HDD |
Aggregator x2000 64-bit
QTY | Description |
2 | IBM 1.2TB 10K 6Gbps SAS 2.5 G2HS HDD |
1 | IBM System x Advanced Lightpath Kit |
8 | 8GB (1x8GB, 1Rx4, 1.35V) PC3L-12800 CL11 ECC DDR3 1600MHz LP RDIMM |
1 | x3550M4 4x 2.5" HS HDD Assembly Kit for 12Gb RAID |
2 | Rack power cable - 2.8m, 100-240V, C13 to IEC 320-C14 (WW) |
1 | IBM UltraSlim Enhanced SATA DVD-ROM |
1 | ServeRAID M5210 SAS/SATA Controller for IBM System x |
1 | Intel Xeon Processor E5-2630 v2 6C 2.6GHz 15MB Cache 1600MHz 80W |
1 | Intel Xeon Processor E5-2630 v2 6C 2.6GHz 15MB Cache 1600MHz 80W |
1 | IBM System x3550 M4 Planar |
1 | ServeRAID M5200 Series 1GB Cache/RAID 5 Upgrade for IBM Systems |
1 | Intel X540-T2 Dual Port 10GBaseT Adapter for IBM System x |
1 | x3550 M4 WW Packaging |
1 | IBM System x3550 M4 2.5" Base Without Power Supply |
2 | IBM System x 550W High Efficiency Platinum AC Power Supply |
1 | x3550 M4 System Level Code |
1 | x3550 M4 PCIe Riser Card 1 (1 x16 LP Slot) |
1 | x3550 M4 PCIe Gen-III Riser Card 2(1 x16 FH/HL Slot) |
1 | x3550 M4 ODD Cable |
1 | IBM System x Gen-III Slides Kit |
1 | IBM System x Gen-III CMA |
Collector x3000 64-bit
QTY | Description |
1 | IBM System x Advanced Lightpath Kit |
8 | 8GB (1x8GB, 1Rx4, 1.35V) PC3L-12800 CL11 ECC DDR3 1600MHz LP RDIMM |
1 | x3550M4 4x 2.5" HS HDD Assembly Kit for 12Gb RAID |
2 | Rack power cable - 2.8m, 100-240V, C13 to IEC 320-C14 (WW) |
1 | IBM UltraSlim Enhanced SATA DVD-ROM |
1 | ServeRAID M5210 SAS/SATA Controller for IBM System x |
1 | Intel Xeon Processor E5-2667 v2 8C 3.3GHz 25MB Cache 1866MHz 130W |
1 | Intel Xeon Processor E5-2667 v2 8C 3.3GHz 25MB Cache 1866MHz 130W |
1 | IBM System x3550 M4 Planar |
1 | ServeRAID M5200 Series 2GB Flash/RAID 5 Upgrade for IBM Systems |
1 | Super Cap Cable 925mm for ServRAID M5200 Series Flash |
1 | Intel X540-T2 Dual Port 10GBaseT Adapter for IBM System x |
1 | x3550 M4 WW Packaging |
1 | IBM System x3550 M4 2.5" Base Without Power Supply |
2 | IBM System x 550W High Efficiency Platinum AC Power Supply |
1 | x3550 M4 System Level Code |
1 | x3550 M4 PCIe Riser Card 1 (1 x16 LP Slot) |
1 | x3550 M4 PCIe Gen-III Riser Card 2(1 x16 FH/HL Slot) |
1 | x3550 M4 ODD Cable |
1 | IBM System x Gen-III Slides Kit |
1 | IBM System x Gen-III CMA |
2 | IBM 600GB 10K 6Gbps SAS 2.5" SFF G2HS HDD |
Aggregator x3000 64-bit
QTY | Description |
4 | IBM 1.2TB 10K 6Gbps SAS 2.5 G2HS HDD |
1 | IBM System x Advanced Lightpath Kit |
16 | 8GB (1x8GB, 1Rx4, 1.35V) PC3L-12800 CL11 ECC DDR3 1600MHz LP RDIMM |
1 | x3550M4 4x 2.5" HS HDD Assembly Kit for 12Gb RAID |
2 | Rack power cable - 2.8m, 100-240V, C13 to IEC 320-C14 (WW) |
1 | IBM UltraSlim Enhanced SATA DVD-ROM |
1 | ServeRAID M5210 SAS/SATA Controller for IBM System x |
1 | Intel Xeon Processor E5-2667 v2 8C 3.3GHz 25MB Cache 1866MHz 130W |
1 | Intel Xeon Processor E5-2667 v2 8C 3.3GHz 25MB Cache 1866MHz 130W |
1 | IBM System x3550 M4 Planar |
1 | ServeRAID M5200 Series 2GB Flash/RAID 5 Upgrade for IBM Systems |
1 | Super Cap Cable 925mm for ServRAID M5200 Series Flash |
1 | Intel X540-T2 Dual Port 10GBaseT Adapter for IBM System x |
1 | x3550 M4 WW Packaging |
1 | IBM System x3550 M4 2.5" Base Without Power Supply |
2 | IBM System x 550W High Efficiency Platinum AC Power Supply |
1 | x3550 M4 System Level Code |
1 | x3550 M4 PCIe Riser Card 1 (1 x16 LP Slot) |
1 | x3550 M4 PCIe Gen-III Riser Card 2(1 x16 FH/HL Slot) |
1 | x3550 M4 ODD Cable |
1 | IBM System x Gen-III Slides Kit |
1 | IBM System x Gen-III CMA |
For complete information on the IBM x3550 m4 appliance, including physical and environmental information, see:
http://www.redbooks.ibm.com/abstracts/tips0851.html#physical or
http://www.redbooks.ibm.com/abstracts/tips0851.html
Sizing: Number of collectors for DAM
The collectors analyze database traffic in real-time. To guarantee full coverage, there must be enough capacity to handle the traffic without buffering or delay.
Use the table below to define the number of collectors needed for your environment. The table lists the number of database PVUs or VUs that can be handled by a single collector for each of the audit modes.
Number of PVUs/VUs per collector | ||
Audit Mode | PVU (distributed) | VU (zOS) |
Comprehensive | 4000 | 110 |
Sensitive Objects | 8000 | 220 |
Privileged Users (Windows) | 8000 | 220 |
Privileged Users (Unix) | 12000 | 380 |
For more Information on PVU and VU metrics:
- http://www-01.ibm.com/software/lotus/passportadvantage/pvu_licensing_for_customers.html
- http://www-03.ibm.com/systems/z/resources/swprice/zipla/vue.html
Sizing notes:
- For virtual solutions, add at least 50% more collectors
This is due to known limitations of VMware with parallel processing. Adding hardware to the host or the virtual appliance is not as efficient as adding resources to a physical server.
- For Data-Level Access Control (S-GATE), add at least 50% more collectors to guarantee minimal latency
- When using servers with a different hardware configuration than the standard one, the sizing metrics should be adjusted to reflect the difference in performance between this configuration and the standard appliance as listed in the previous table.
- Based on resource allocation and performance on your VMware ESX, you may need further configuration changes or additional appliances.
Sizing: Number of collectors for Vulnerability Assessment Solution
The Vulnerability Assessment solution scans the databases in scope one by one. This solution does not analyze database traffic and does not require as many resources as Database Activity Monitoring.
Use this sizing metric: One collector for every 255 database instances
Sizing: Number of Aggregators
Use this sizing metric: 1 aggregator for every 8 collectors.
Appendix A: Certified Hardware, Detailed Specifications
The table below lists examples of platforms for IBM Guardium tested by IBM and approved as suitable for running the Guardium solution. Some platforms listed here are no longer offered, but give a sense of what types of configurations have worked in the past. It is impossible to test all possible platforms.
The choice of hardware may impact the total throughput of how many PVUs a collector can handle. The standard configuration is an IBM x3550 M4.
When selecting one of the listed systems, make sure the CPU, RAM, Cores, Disk Size and other configuration requirements are used (see the Recommended Resources table earlier in this document).
Hardware changes rapidly, for example, quad-core to eight-core. The InfoSphere Guardium application is fairly tolerant of the kind of changes seen in hardware platforms over the past few years.
This list is continually updated and subject to change.
Model | Memory | CPU Type | # of CPU's | # NIC Cards | NIC Types | Disk/RAID Controller | Disk Types | Fibre |
Dell R610 | 12 GB | 4 | 2 | 2 x 300 GB | ||||
IBM x3550 | 12 GB | 6 core min | 6 | 4 | 2 – BC ext II 1 GB Ethernet port on-board | IBM RAID 8k | 136GB RAID 0 | 1 – QLE2460 FC CARD |
IBM x3650 | 16 GB | 4 core min | 4 | 4 | 2 – BC ext II 1 GB Ethernet port on-board | IBM RAID 8i | 556GB RAID 0 | 1 – QLE2460 FC CARD |
NEC Express5800/ R120e-20 | 16 GB | 4 | LSI SAS-based MegaRAID driver | |||||
NEC Express5800/ B120a | 8 GB | 4 | LSI SAS-based MegaRAID driver | |||||
IBM x3850M2/x3950M2 | 4 core min | Broadcom BCM5709C | LSI 1078 ServeRAID-BR10i V2 | 2 x 250 GB | ||||
IBM x3850X5/x3950X5 | 4 core min | 16 | 4 | Broadcom BCM5709C | ServeRAID-BR10iL SAS Controller v2 | 2 x 600 GB | ||
DELL BLADE | 4146556 kB | Intel(R) Xeon(R) CPU E5420 @ 2.50GHz | 8 | 4 | ||||
IBM x3250M3 | 8 GB | Intel Xeon X3430 2.4 GHZ/1333MHz-8MB 4c | 4 | 6 | Intel Ethernet Quad Port Server Adptr I340-T4 | ServeRAID-BR10iI SAS/SATA Contlr v2 | 2 x 250 GB | Brocade 4GB FC Dual- port HBA for IBM systems |
IBM x3620M3 | 12 GB | Intel Xeon Processor X5650 6C 2.66GHZ 12MB Cache 1333MHZ 95w | 6 | 2 | On board Ethernet | ServeRAID M1015 SAS/SATA Contlr | 2 x 600 GB | Emulex 8GB FC Dual- port HBA for IBM systems |
IBM x3650* | 12 GB | Quad-Core Intel Xeon Processor X5450 3.0GHz 12MB L2 1333MHZ 120W | 4 | 6 | PRO/1000 PT Quad Port Server Adptr | IBM ServeRAID 8k-I SAS Contlr | 4 X 300 GB | Qlogic 4GB FC Dual-Port PCIe HBA for IBM systems |
IBM x3550M2* | 12 GB | Intel Xeon Processor E5506 4c 2.13GHz 12MB L2 1333MHz 120W | 4 | 8 | NetXtreme II 1000 Express Quad Port Ethernet Adptr | ServeRAID-MR10i SAS/SATA Contlr | 4 X 300 GB | DS4000 FC 4GB PCI-x Dual Port HBA |
IBM x3550M3* | 12 GB | Intel Xeon Processor E5507 4c 2.26GHz 4MB Cache 800MHz 80w | 4 | 8 | PRO/1000 PT Quad Port Server Adptr | ServeRAID-BR10iL SAS Controller v2 | 4 X 300 GB | Brocade 4GB FC Dual- port HBA for IBM systems |
IBM x3850M2* | 12 GB | Quad Core Intel Xeon Processor E7420 (2.13GHz 8MB L3 90w) | 8 | PRO/1000 PT Quad Port Server Adptr | ServeRAID-MR10K SAS/SATA Contlr | 4 X 300 GB | Qlogic 4GB FC Dual-Port PCIe HBA for IBM systems | |
IBM x3850X5* | 12 GB | Intel Xeon Processor E7520 4C 1.86GHz 18MB Cache 95w | 4 | 8 | Intel Ethernet Quad Port Server Adptr I340-T4 | ServerRAID M5025 SAS/SATA Contlr | 8 x 146 GB | Qlogic 4GB FC Dual-Port PCIe HBA for IBM systems |
HP Proliant DL160 G6 | 8 GB | Intel Xeon E5504 (6 core, 2.0 Ghz, 12 MB) | 6 | 2 | On board Ethernet dual port | HP P410/ZM FIO Smart Array Contlr | 4 x 1TB | HP FC1242SR 4gb PCI-E DC HBA Dual Port |
HP Proliant DL380 G7 | 8 GB | Intel Xeon E5620(4 core, 2.66 Ghz, 12MB ) | 4 | 6 | 1 -HP NC360T PCIe DP Gigabit Server Adptr Quad Port | Embedded RAID Controller (P410i) | 4 x HP 1TB 3G SATA 7.2K 3.5in MDL HDD | HP FC2242SR PCI-e DC HBA |
HP Proliant DL580 G7 | 8 GB | Intel Xeon E7520(4 core, 2.13 Ghz, 8MB L3) | 4 | 6 | 1 -HP NC360T PCIe DP Gigabit Server Adptr Quad Port | Embedded RAID Controller (P410i) | 8 x HP 500GB 6G SATA 7.2K 2.5in DP MDL HDD | HP FC2242SR PCI-e DC HBA |
HP Proliant DL785 G5 | 16 GB | AMD Opteron Processor 8378, Quad-core (2.4 Ghz, 75 W ACP) | 4 | 6 | HP NC360T PCIe DP Gigibit Server Aptr | HP P410 w/512MB Flash Backed Cache Ctrlr | 8 x HP 500GB 6G SAS 7.2K 2.5in DP MDL HDD | HP FC1242SR 4Gb PCI-E DC HBA |
Sun Netra X4270 | 8 GB | 1 Quad-Core Intel Xeon E5620, 2.13 GHZ | 4 | 6 | Intel 82571EB | ESB-2/Sun PCIe SAS HBA | 2 x 300 GB | Qlogic Dual port HBA |
Sun Fire X4470 | 16 GB | 2 Intel Xeon X7550 8-core 2.0 Ghz CPU's | 2 | Intel 82801JB | PCIe SAS/RAID Cont | 2 x 300 GB | Qlogic Dual port HBA |
For more information, go to the following online resources:
IBM Security Guardium home page: http://www.ibm.com/software/data/guardium/
Technical Support home page: http://www.ibm.com/support/entry/portal/Overview/Software/Information_Management/InfoSphere_Guardium
The "Deployment Guide for IBM Guardium" was released in Dec. 2013 and is now available for the general public at the IBM Redbooks link below.
http://www.redbooks.ibm.com/Redbooks.nsf/RedpieceAbstracts/sg248129.html
RedHat hardware compatibility, http:/www.redhat.com/rhel/compatibility/hardware/
RedHat Enterprise Linux (RHEL) Release notes/ Technical notes
2015 August
IBM Guardium Version 10.0 Licensed Materials - Property of IBM. © Copyright IBM Corp. 2015. U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
IBM, the IBM logo, and ibm.com® are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” (www.ibm.com/legal/copytrade.shtml)
Was this topic helpful?
Document Information
Modified date:
19 November 2019
UID
swg27046184