A baseline is a profile of access commands executed in the past, helping to identify normal activity and anomalous behavior. The Baseline Builder generates a baseline by examining activity previously logged and currently available on the Guardium appliance.
When included in a security policy, the baseline becomes a baseline rule, which allows all database access that has been included in the baseline.
A baseline rule in a policy has the following characteristics:
There can be only one baseline rule.
The baseline rule action is always Allow, which means accept the command and do not continue to the next rule in the policy.
When the baseline rule is added to the policy, it is positioned at the top of the list of rules. It can be moved anywhere in the set of rules (which are evaluated in sequence), as appropriate for the policy.
Once a baseline rule has been included in a policy, it cannot be removed.
The Policy Builder can generate suggested policy rules from the baseline. The suggested rules can be edited and included in the policy ahead of the baseline rule, so that alternative actions (alerts, for example) can be taken for some commands that were seen in the baseline period. In addition, an examination of the suggested rules provides valuable insight into the actual traffic patterns observed (types of commands and frequency). Suggested rules are described in more detail below.
The Baseline Builder provides the ability to control what gets included in the baseline, in several ways:
By specifying a threshold to control how many occurrences of a command must be seen before the command will be included in the rule. A threshold of one includes every command observed, while a threshold of 1,000 includes only those commands occurring 1,000 times or more.
By controlling sensitivity to one or more attributes. For example, if the baseline is sensitive to the database user, it will include commands for specific users only. Users who did not execute the command during the baseline period would not be allowed by the baseline rule.
By limiting the connections included to subsets of server and client IP addresses. The baseline always specifies a single client network mask and a single server network mask. Each mask can be as inclusive or as exclusive as required.
By merging data from different time periods. There may be traffic that occurs during non-contiguous time periods that should be included in the baseline. You can merge the data from any number of time periods into a single baseline. In addition, the data can be filtered for specific client and server addresses.
Baseline sensitivity can be based on any combination of the following (each is described in more detail later):
Database User
Database Protocol
Database Protocol Version
Time Period
Source Program
Sequence
Baseline sensitivity depends on a specified threshold, which defines the minimum number of times a command must be observed during the baseline period in order to include that command in the baseline.
With no sensitivity selected, each command that meets the threshold will be included in the baseline.
If a single type of sensitivity is selected, a separate count of each command will be maintained for each value of the sensitivity type (database user, for example).
If multiple types of sensitivity are selected, separate counts of each command are maintained for each combination of values for each selected type (for each combination of database user and source program, for example). Thus for each type of sensitivity included, the number of combinations can increase dramatically.
If the baseline is sensitive to command sequence, then when included in a policy the baseline rule will allow only the sequences of commands observed during the baseline period. To illustrate with a very simple example: if the only two sequences of commands observed in the baseline period are A-B and B-C, the following table illustrates which sequences of commands would be allowed by that baseline rule.
Command Sequence | Allowed
A - B | Y
A - anything else | N
B - C | Y
B - anything else | N
Anything but A | N
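The counting rules above (one count per command, or per combination of selected sensitivity values, filtered by the threshold) and the command-sequence table can be modelled in a few lines. The following Python is an added illustration, not Guardium code: the log records, the field names db_user and source_program, and the function names are constructed for the example.

```python
from collections import Counter

# Constructed sample of logged access commands (not Guardium data):
# each record is (db_user, source_program, command_text).
SAMPLE_LOG = [
    ("app_user", "webapp", "SELECT abc FROM xyz"),
    ("app_user", "webapp", "SELECT abc FROM xyz"),
    ("app_user", "webapp", "UPDATE xyz SET abc=1"),
    ("report_user", "reporter", "SELECT abc FROM xyz"),
    ("dba", "sqlplus", "DROP TABLE xyz"),
]

# Hypothetical sensitivity attributes and their position in a record.
SENSITIVITY_FIELDS = {"db_user": 0, "source_program": 1}
COMMAND_FIELD = 2


def build_baseline(log, sensitivity=(), threshold=1):
    """Count each command once per combination of the selected sensitivity
    values and keep only entries seen at least `threshold` times.
    With sensitivity=() there is a single count per command."""
    counts = Counter()
    for record in log:
        key = tuple(record[SENSITIVITY_FIELDS[f]] for f in sensitivity)
        counts[(key, record[COMMAND_FIELD])] += 1
    return {entry: n for entry, n in counts.items() if n >= threshold}


def baseline_rule_allows(baseline, record, sensitivity=()):
    """The baseline rule's action is always Allow: it matches when the command,
    together with the record's sensitivity values, is present in the baseline."""
    key = tuple(record[SENSITIVITY_FIELDS[f]] for f in sensitivity)
    return (key, record[COMMAND_FIELD]) in baseline


def build_sequence_baseline(sequences):
    """Sequence sensitivity: remember every observed pair of consecutive commands."""
    pairs = set()
    for seq in sequences:
        pairs.update(zip(seq, seq[1:]))
    return pairs


def sequence_allowed(pairs, seq):
    """A sequence is allowed only if each consecutive pair was observed."""
    return all(pair in pairs for pair in zip(seq, seq[1:]))


if __name__ == "__main__":
    # Adding a second sensitivity attribute multiplies the number of counters.
    for sens in [(), ("db_user",), ("db_user", "source_program")]:
        print(sens, len(build_baseline(SAMPLE_LOG, sens)), "entries")
    # The A-B / B-C example from the table above.
    observed = build_sequence_baseline([["A", "B"], ["B", "C"]])
    for seq in (["A", "B"], ["A", "C"], ["B", "C"], ["B", "A"]):
        print("-".join(seq), "Y" if sequence_allowed(observed, seq) else "N")
```

Running the block shows why the text warns about combination growth: with no sensitivity there are 3 counters, with database user 4, and with user plus source program every distinct pairing gets its own counter, so a threshold of 2 keeps only the app_user/webapp SELECT.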
When the baseline is sensitive to the time period, separate counts are maintained for each time period defined. If overlapping time periods are defined (which is a normal situation), a command will be counted only once, in the most restrictive time period during which it occurs. If the time period is non-contiguous (for example, from 00:00 to 08:00 each day of the week), only one contiguous segment of the time period is considered (eight hours in the example).
To illustrate how the Baseline Builder assigns requests to time periods, assume that Saturday is included in three time periods:
24x7 (24 hours, 7 days a week)
Saturday (24 hours only)
Week End (48 hours - Saturday + Sunday)
Since the time period named Saturday is the most restrictive (24 hours only), all requests time-stamped on Saturday will be counted in that time period, and not in the more inclusive Week End or 24x7 time periods.
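The "most restrictive period wins" assignment can be checked with a small model. This Python is an added example and not part of the Guardium product; the period definitions (including a hypothetical Business hours period to show an hour range) and the functions are constructed, and "most restrictive" is taken to mean the period covering the fewest total hours per week, which is an assumption consistent with the Saturday example.

```python
from datetime import datetime

# Constructed time periods: (name, weekdays with Monday=0..Sunday=6, start_hour, end_hour).
# The first three mirror the periods named in the text; Business hours is hypothetical.
TIME_PERIODS = [
    ("24x7", {0, 1, 2, 3, 4, 5, 6}, 0, 24),
    ("Saturday", {5}, 0, 24),
    ("Week End", {5, 6}, 0, 24),
    ("Business hours", {0, 1, 2, 3, 4}, 8, 18),
]


def period_hours(period):
    """Total hours per week covered by a period (assumed measure of restrictiveness)."""
    _, days, start, end = period
    return len(days) * (end - start)


def period_contains(period, ts):
    _, days, start, end = period
    return ts.weekday() in days and start <= ts.hour < end


def _to_dt(ts):
    # Accept either a datetime or an ISO-8601 string such as "2024-01-06T12:00".
    return ts if isinstance(ts, datetime) else datetime.fromisoformat(ts)


def assign_period(ts, periods=TIME_PERIODS):
    """Name of the most restrictive period containing ts, or None if no period matches.
    Ties are broken by definition order."""
    ts = _to_dt(ts)
    matches = [p for p in periods if period_contains(p, ts)]
    if not matches:
        return None
    return min(matches, key=period_hours)[0]


def count_by_period(timestamps, periods=TIME_PERIODS):
    """Per-period request counts; each request is counted exactly once."""
    counts = {}
    for ts in timestamps:
        name = assign_period(ts, periods)
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    # 2024-01-06 is a Saturday, 2024-01-07 a Sunday, 2024-01-08 a Monday.
    for stamp in ("2024-01-06T12:00", "2024-01-07T12:00", "2024-01-08T09:00", "2024-01-08T20:00"):
        print(stamp, "->", assign_period(stamp))
```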
If there are multiple Guardium appliances in an Aggregation and/or Central Manager environment, there is a single important point to keep in mind when generating and using baselines:
Baselines are generated using only the data currently available on the appliance that is generating the baseline.
This means that:
A baseline generated on a collector will be built using the traffic available on that unit only.
A baseline built on an aggregator will be built from the data currently available on the aggregator, which typically will have been sent from multiple collectors over a period of time.
A baseline generated on a Central Manager that is not also an aggregator will be empty, since a Central Manager does not collect data (unless it is also an aggregator).
In a Central Management environment, a baseline generated on a managed unit will be built using data from that unit only, but the baseline will be stored on the Central Manager, and it will be available for use on any other unit.
In a Central Management environment, to generate a single baseline from multiple managed units, the baseline can be built with data from the first managed appliance, and then merged using data from the other appliances, one at a time.
When a baseline is included in a policy, the Policy Builder can generate suggested rules from the baseline. It will generate the minimum number of rules necessary to represent everything that is included in the baseline. You can then accept any or all of the suggested rules, and modify the accepted ones as necessary. In addition to being a convenient way to generate an explicit policy (rather than an implicit policy based on a baseline only), this is an important step in validating that a baseline does not include malicious or erroneous activity that may have occurred during the baseline period.
You may want to modify the suggested rules if you discover an activity that occurred during the baseline period that you would like to monitor or alert upon in the future. You simply tailor the appropriate rule suggested from the baseline, and assign the desired action. By default, the suggested rules will be positioned before the baseline rule, so that the action specified will be taken before the baseline rule executes to allow that command with no further testing of rules.
Note: The Policy Builder can also generate rules from the database ACL. See Policies for more information.
When generating suggested rules from either the baseline or the database ACL (access control list), the Policy Builder minimizes the number of suggested rules by creating suggested object groups. For example, assume the baseline includes a particular command that references only three objects: AAA, BBB, and CCC, and that there is not already an object group defined consisting of only those three objects. The Policy Builder will create a suggested object group for those objects, and will generate a single rule for the command, which references the suggested object group.
You can display the membership of a suggested object group, and you have the option of accepting or rejecting each group. In the example just given, if you reject the suggested object group, the single rule that references it will be replaced by three suggested rules (one each for AAA, BBB, and CCC).
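The rule-minimization behaviour described in the last two paragraphs (one rule per command referencing a suggested object group, expanded into one rule per object if the group is rejected, reusing an existing group with exactly the same members, and sorting by frequency as the threshold section notes) can be expressed as a short Python function. This is an added example, not the Policy Builder's own logic; the baseline entries, the group-naming scheme and the rule dictionary layout are constructed for the illustration.

```python
from collections import Counter, defaultdict

# Constructed baseline content: (command verb, referenced object) -> occurrences.
BASELINE_ENTRIES = Counter({
    ("SELECT", "AAA"): 40,
    ("SELECT", "BBB"): 25,
    ("SELECT", "CCC"): 10,
    ("UPDATE", "AAA"): 3,
})


def suggest_rules(entries, existing_groups=None, accept_groups=True):
    """Return the minimal rule list for the baseline entries.

    For a command seen against several objects, one rule references an object
    group holding exactly those objects: an existing group with the same members
    if there is one, otherwise a suggested group (hypothetical naming scheme).
    With accept_groups=False the suggested group is rejected and the command
    gets one rule per object. Rules are sorted by descending frequency."""
    existing_groups = existing_groups or {}
    by_verb = defaultdict(dict)
    for (verb, obj), n in entries.items():
        by_verb[verb][obj] = n

    rules = []
    for verb, objects in by_verb.items():
        members = frozenset(objects)
        total = sum(objects.values())
        if len(members) == 1:
            rules.append({"command": verb, "objects": sorted(members),
                          "group": None, "frequency": total})
            continue
        name = next((g for g, m in existing_groups.items() if frozenset(m) == members), None)
        if name is None and accept_groups:
            name = f"Suggested_{verb}_objects"
        if name is not None:
            rules.append({"command": verb, "objects": sorted(members),
                          "group": name, "frequency": total})
        else:
            for obj, n in objects.items():
                rules.append({"command": verb, "objects": [obj],
                              "group": None, "frequency": n})

    rules.sort(key=lambda r: r["frequency"], reverse=True)
    return rules


if __name__ == "__main__":
    for rule in suggest_rules(BASELINE_ENTRIES):
        print(rule)
    print("--- suggested group rejected ---")
    for rule in suggest_rules(BASELINE_ENTRIES, accept_groups=False):
        print(rule)
```

Reviewing the expanded (rejected-group) list is the moment to notice an object or command that should not be allowed outright: the entry can be given an alert or other action and placed ahead of the baseline rule.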
Navigate to the Baseline Finder:
Users, select: Protect > Security Policies > Baseline Builder.
Administrators, select: Tools > Config & Control > Baseline Builder.
Click the New button to open the Baseline Builder panel.
Enter a unique baseline name in the Baseline Description box. Do not include apostrophe characters in the baseline description.
In the Baseline Sensitivity pane, mark each element to which the baseline will be sensitive. The more sensitive the baseline, the more complex the testing that will be done both when creating the baseline and more importantly, when inspecting traffic. See the Overview above, for more information about baseline sensitivity.
In the Baseline Threshold pane, enter the minimum number of occurrences for a command during the baseline period for that command to be included in the baseline. If one or more sensitivity boxes have been marked (see above), this count applies to the combination of sensitive values.
If the approach you are taking in building your security policy is to always allow the most commonly issued commands from the past, then set this number upwards to the appropriate level. If, on the other hand, you want to ensure that the baseline is comprehensive, then leave this value set to 1. In either case, you can have the Policy Builder suggest rules from the baseline. The suggested rules are sorted in descending order by frequency in the baseline period, so you can decide at that time whether to include or modify rules for each unique command issued.
Use the Baseline Network Information pane to identify the servers and clients to be included in the baseline. The method used to select which IP addresses to use to construct the baseline is the same for servers and clients.
For each address encountered in the baseline data, membership in an optional tagged group is considered first. A tagged group is a specific list of IP addresses for which baseline constructs will be generated. If a tagged group is selected, and if an IP address encountered in the baseline data is included in the corresponding tagged group, that element will be included in the baseline for that specific IP address. For example, assume that the Tagged Client IP Group named ZoneAGroup has been selected, and that group includes a client address of 192.162.14.33. If the baseline generator encounters the command SELECT abc FROM xyz from that IP address, that command will be counted for that specific address.
In contrast, if no tagged group is selected, or if an IP address is encountered in the baseline data that is not a member of the selected tagged group, that command may be counted with identical commands from other IP addresses as directed by the corresponding network mask.
The network mask is required to group both client and server IP addresses.
You must always:
Enter a subnet mask in the Server Network Mask box.
Enter a subnet mask in the Client Network Mask box.
To illustrate how the baseline builder uses network masks to group addresses, assume that:
The Client Network Mask is 255.255.0.0, meaning that the first two octets must match, but the last two octets can be anything.
In the baseline data, a request with the client IP address 192.168.3.211 is encountered.
That client IP address is not in the selected Tagged Client IP Group (or there is no Tagged Client IP Group selected).
The command is SELECT abc FROM xyz.
When generating the baseline, this command will be included in the count of all SELECT abc FROM xyz commands for all client IP addresses from the 192.168.0.0 subnet.
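The two-step address handling described above (tagged-group membership first, then grouping by network mask) is shown below as an added Python example; it is not Guardium code. The records, the tagged group and the function names are constructed, and the 192.162.14.33 and 192.168.3.211 addresses are the ones used in the text.

```python
import ipaddress
from collections import Counter

# Constructed traffic records: (client_ip, server_ip, command).
SAMPLE_RECORDS = [
    ("192.168.3.211", "10.0.0.5", "SELECT abc FROM xyz"),
    ("192.168.7.4", "10.0.0.5", "SELECT abc FROM xyz"),
    ("192.162.14.33", "10.0.0.5", "SELECT abc FROM xyz"),
]


def grouping_key(ip, tagged_group, mask):
    """Key under which an address is counted.

    Members of the tagged group are counted per exact address; every other
    address is counted under its network, i.e. the address ANDed with the mask."""
    addr = ipaddress.IPv4Address(ip)
    if addr in {ipaddress.IPv4Address(t) for t in tagged_group}:
        return str(addr)
    network = int(addr) & int(ipaddress.IPv4Address(mask))
    return str(ipaddress.IPv4Address(network))


def build_network_baseline(records, client_tagged=(), client_mask="255.255.0.0",
                           server_tagged=(), server_mask="255.255.255.255"):
    """Count each command per (client key, server key) as the masks direct.
    The default masks are constructed for the example: clients grouped per /16,
    servers counted individually."""
    counts = Counter()
    for client_ip, server_ip, command in records:
        key = (grouping_key(client_ip, client_tagged, client_mask),
               grouping_key(server_ip, server_tagged, server_mask),
               command)
        counts[key] += 1
    return counts


if __name__ == "__main__":
    # ZoneAGroup from the text, here containing only the one address.
    zone_a_group = ("192.162.14.33",)
    for key, n in build_network_baseline(SAMPLE_RECORDS, client_tagged=zone_a_group).items():
        print(key, n)
```

The output shows the two 192.168.x.x clients folded into a single 192.168.0.0 entry with a count of 2, while the tagged address keeps its own entry. Without the tagged group, the third record would instead be grouped under 192.162.0.0.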
Click the Save button to validity-check and save the baseline definition. If you have omitted required fields or entered invalid values, the definition will not be saved and you must resolve any problems before attempting to save again.
Optionally click the Roles button to assign roles for the policy. See Assign Security Roles.
Optionally click the Comments button to add comments to the definition. See Commenting.
After a baseline has been saved successfully, the Baseline Generation and Baseline Log panes appear at the bottom of the panel.
Click anywhere on the Baseline Generation pane title to expand the pane.
Supply both From and To dates to define the time period from which the baseline is to be generated. There are a number of ways to enter dates (see Select or Enter a Date). Regardless of how you enter dates, any minutes or seconds specified will be ignored.
Click the Generate button to generate the baseline. If you have modified the baseline definition, you will be prompted to save the definition before generating the baseline.
Note: After you successfully generate the baseline for the first time, additional fields display in the Baseline Generation panel. These fields allow you to merge data from additional time periods into the baseline, and to restrict the client and server IP addresses used during each additional time period. For more information, see Merge Baseline Information, below.
To merge baseline information (to include information from additional time periods and/or from different groups of clients and servers, for example):
Navigate to the Baseline Finder:
Users, select: Protect > Security Policies > Baseline Builder.
Administrators, select: Tools > Config & Control > Baseline Builder.
From the Baseline Definition list, select the baseline into which additional baseline information is to be merged.
Click the Modify button to open the Edit Baseline panel.
Do not modify the Baseline Sensitivity selections. If you modify the baseline sensitivity, you will be prompted to generate a completely new baseline to replace the existing one.
Optional. Set the Minimum number of occurrences for addition to Baseline value in the Baseline Threshold pane. The value entered here has no impact on information previously included in the baseline. Once something has been added to the baseline, it is not removed during a merge operation.
Optional. Enter alternative network information in the Baseline Network Information pane. The values that display are from the last generate or merge operation. If the merged information comes from the same set of servers and/or clients, leave these fields unchanged. Otherwise, make the appropriate changes in this pane to select the traffic to be included in the baseline, as described previously. (See Create a Baseline, above.)
Click anywhere on the Baseline Generation pane title to expand the pane.
Supply both From and To dates to define the time period from which the baseline is to be generated. There are a number of ways to enter dates (see Select or Enter a Date). Regardless of how you enter dates, any minutes or seconds specified will be ignored.
Select the Merge radio button.
Optional. In the Filter Selection pane, limit the baseline generation to specific client and/or server IP addresses by entering an IP address followed by a network mask. For example, to select all client IP addresses from the 192.168.9.x subnet, enter 192.168.9.1 in the first Client IP box, and 255.255.255.0 in the second box. To include additional addresses, click the (Add) button, then enter the additional address information.
Click the Generate button to generate the baseline. If you have modified the baseline definition, you will be prompted to save the definition before generating the baseline.
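The merge semantics stated in this procedure (the threshold applies only to traffic being added, nothing already in the baseline is removed, and the Filter Selection IP/mask restricts which new traffic is considered) are modelled below. This Python is an added example rather than Guardium code; the existing baseline, the new-period records and the function names are constructed, and accumulating counts for commands already present is an assumption made for the illustration.

```python
import ipaddress
from collections import Counter

# Constructed baseline from a first generate run: command -> occurrences.
EXISTING_BASELINE = {
    "SELECT abc FROM xyz": 50,
    "UPDATE xyz SET abc=1": 1,
}

# Constructed traffic from a later, non-contiguous period: (client_ip, command).
NEW_PERIOD_RECORDS = [
    ("192.168.9.10", "SELECT abc FROM xyz"),
    ("192.168.9.11", "DELETE FROM xyz"),
    ("192.168.9.12", "DELETE FROM xyz"),
    ("192.168.9.13", "UPDATE xyz SET abc=1"),
    ("10.1.1.1", "DROP TABLE xyz"),
]


def in_filter(ip, filter_ip, mask):
    """True if ip lies in the network selected by filter_ip and mask,
    e.g. 192.168.9.1 with 255.255.255.0 selects all of 192.168.9.x."""
    m = int(ipaddress.IPv4Address(mask))
    return int(ipaddress.IPv4Address(ip)) & m == int(ipaddress.IPv4Address(filter_ip)) & m


def merge_baseline(baseline, new_records, threshold=1, client_filter=None):
    """Merge a new period's traffic into a copy of an existing baseline.

    Commands not yet in the baseline are added only if they reach `threshold`
    in the new period; commands already present stay regardless of the new
    threshold (their counts are accumulated, an assumption of this model).
    client_filter is an optional (ip, mask) pair applied to the new records."""
    counts = Counter()
    for client_ip, command in new_records:
        if client_filter and not in_filter(client_ip, *client_filter):
            continue
        counts[command] += 1

    merged = dict(baseline)  # never removes anything already in the baseline
    for command, n in counts.items():
        if command in merged:
            merged[command] += n
        elif n >= threshold:
            merged[command] = n
    return merged


if __name__ == "__main__":
    result = merge_baseline(EXISTING_BASELINE, NEW_PERIOD_RECORDS, threshold=2,
                            client_filter=("192.168.9.1", "255.255.255.0"))
    for command, n in result.items():
        print(n, command)
```

With threshold 2 and the 192.168.9.x filter, the DELETE is added (two occurrences), the UPDATE stays although it appeared only once (it was already in the baseline), and the DROP from 10.1.1.1 is never considered because the filter excludes it.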
Caution: Before modifying a baseline definition, be sure that you understand the implications of modifying it, particularly if the baseline whose definition you want to modify and re-generate is used in an installed policy. If you modify and re-generate a baseline contained in an installed policy, when you re-install that policy it will use the new baseline. To provide a fall-back option for baselines used by installed policies, consider instead cloning these baselines and policies, and modifying and generating the cloned definitions. See Clone a Baseline, below, for more information.
Navigate to the Baseline Finder:
Users, select: Protect > Security Policies > Baseline Builder.
Administrators, select: Tools > Config & Control > Baseline Builder.
From the Baseline Definition list, select the baseline to be modified.
Click the Modify button to open the Edit Baseline panel. Apart from the panel title, this panel is identical to the Add Baseline panel described above. See Create a Baseline, above, for instructions on using this panel.
There are a number of situations where you may want to define a new baseline based on an existing one, without modifying the original definition. See the caution, above.
Navigate to the Baseline Finder:
Users, select: Protect > Security Policies > Baseline Builder.
Administrators, select: Tools > Config & Control > Baseline Builder.
From the Baseline Definition list, select the baseline to be cloned.
Click the Clone button to open the Clone Baseline panel.
Enter a unique name for the new baseline in the New Baseline Description box. Do not include apostrophe characters in the new baseline description.
To clone the baseline constructs (the commands, basically) that have been generated for the baseline being cloned, mark the Clone Constructs checkbox.
Click the Accept button to save the new baseline. You can then open and edit the new baseline via the Baseline Finder. See Modify a Baseline.
Navigate to the Baseline Finder:
Users, select: Protect > Security Policies > Baseline Builder.
Administrators, select: Tools > Config & Control > Baseline Builder.
From the Baseline Definition list, select the baseline to be removed.
Click the Remove button. You will be prompted to confirm the action.