Smarts Application Discovery Manager (nLayers) IT ......– Passive, active, agent-less, analytic – No agents required WAN Passive network traffic capture – Statistical sampling

Smarts Application Discovery Manager (nLayers)

IT Compliance Analyzer

Tom Tsarfati, EMC

p y

1© Copyright 2008 EMC Corporation. All rights reserved.© Copyright 2008 EMC Corporation. All rights reserved.

Visibility and Control in the Data Center

EMC Smarts ApplicationEMC Smarts Application Discovery Manager

• Market-leading application dependency• Market-leading application dependency mapping solution

• Fully supports and complements VMware Infrastructure environmentsVMware Infrastructure environments

EMC IT Compliance Analyzer p y– Application Edition

• Policy-based engine that ensures compliance with internal governancecompliance with internal governance, regulatory, and industry best practice requirements

2© Copyright 2008 EMC Corporation. All rights reserved.© Copyright 2008 EMC Corporation. All rights reserved. 2

Management Challengesfor IT Operations

Virtualization and web-based applicationsVirtualization and web-based applications break old management models

– Majority of new servers will be virtualized by 2009– Need to also manage virtual and physical

Virtual Machines

APP APP APP APP APP

relationships between application services

Discovery and configuration management pain– 78 percent of outages are caused by self-inflicted

i fi ti VM ESX S

OS OS OS OS OS

mis-configurations– Compounded pain in a physical or virtual environment

Change and compliance management d t

VMware ESX Server

pressures and costs– Change management accounts for greater than

60 percent of data center costs– Only one in 10 companies can effectively measure

compliancePhysicalserver


EMC Smarts Application Discovery Manager

Description and Capabilities

Passively discover your virtual and physical infrastructure without agents

– Hosts, application services and dependenciesRelate virtual machine (VM) infrastructure to the– Relate virtual machine (VM) infrastructure to the different application components

Actively collect configuration detail– Hardware, OS– Installed software– Leverage Virtual Center

Customize discovery scope and methods to suit requirementssuit requirements

Analyze discovered configuration items and dependencies

– Virtual and physical dependencies– Application Patterns, Groups, Reports

Track changes to the IT infrastructure– Hosts, application components, and dependencies


Application Discovery Approach

Hybrid discovery modelHybrid discovery model– Passive, active, agent-less, analytic– No agents required

WAN

Passive network traffic capture– Statistical sampling – Uses core switch mirror ports– Extracts details for packet structure

Active discovery adds high definition configuration detailsdefinition configuration details

– WMI, SSH, Telnet, SNMP and VI-SDK

Discovered data analysisADM

– Flexible grouping definitions– N-Tier business application pattern

definitionsR ti

DATA CENTER


– Reporting

Deployment Options: Standalone vs. Distributed

ADM AggregatorADM Stand-Alone

Local

ADM CollectorADM CollectorADM Collector

LocalDeploymentor Roving

Data Center 3Data Center 2Data Center 1


Application Infrastructure Taxonomy

MQ S i SOAP Cit i ICADependencies Connections,

relationships, protocols

MQ Series, SOAP, Citrix ICA, JBoss RMI, DB2 SQL,

virtualization relationships…

Usage andD t il

Server and application component utilization

Time-based usage, server and application usage, software and Details component utilization pp g ,

configuration file details

Application Components

Application services, components

JBoss, Apache, Web Logic, SQL Server, Oracle, FTP Server,

DNS Server, Virtual Center…

Core Application Application Servers IPs ESX Servers VMs


Infrastructure infrastructure, hosts Servers, IPs, ESX Servers, VMs

Discovery and Dependency Mapping Taxonomy

Application Passive Discovery Active DiscoveryInfrastructure Passive Discovery Active Discovery

Dependencies and Connections: Software Dependencies:Application CI Dependencies

Dependencies and Connections:Time-based relationships, protocols, network services (e.g.,MQSeries, SOAP, Citrix ICA,

JBoss RMI, DB2, SQL, HTTP, TCP)

Software Dependencies:Documented dependencies,

deployed-on, runs-on relationships, virtualized on relationships

CI Usage andDetails

Host and Application Usage:Time-based usage, server and application

usage

Software Configuration Details:Installed path, vendor, version,

database instances, configuration files and contents, URLs, changes

Application Components CIs

Application Components and Services:Including JBoss, Apache, Weblogic App and

Web servers, SQL, Oracle, FTP, DNS, DHCP

Installed Software:Including MySQL server, Tomcat, Ruby, Weblogic, Samba, Python, Components CIs

Core Application

Servers, VirtualCenter

Application Infrastructure:

Checkpoint VPN, Java 2 SDK

System Infrastructure:


Core ApplicationInfrastructure CIs

Application Infrastructure:Servers, IPs, VMs Hardware, OS, memory, CPU, ESX

servers, VirtualCenter

Dependency Maps across Hosts and Application

CI: Connection ProtocolCI: Connection Protocol

Virtualized On Relationship

App Demand Interactive map shows drill-down dependency relationshipsrelationships

TimeAnalysis

Relationships (1-way) CI: Server with Resident Apps


Drill down to Oracle database instances

ADM Discovers VMware Environments

Discover VMs ESX servers dependencies configuration detailsDiscover VMs, ESX servers, dependencies, configuration details– Relate individual parts of a VM infrastructure to the different application services/

components– Map dependencies between the physical environment and the VMware environmentMap dependencies between the physical environment and the VMware environment– Map dependencies of:

ESX servers to VirtualCenterVMs to ESX serversVMs to VMs

– VMs, ESX servers, VirtualCenter, configuration files

Detect relationships between VMs on the same physical serverDetect relationships between VMs on the same physical server– Uses vCollector to listen to internal ESX traffic without agents


Discover VMware Environmentsand Dependencies

High Definition Discovery for Drill Down Details

Virtualized On RelationshipESX servers

VMs and ApplicationComponents

Discover instances of DBs,


,Application servers, etc

Change Management Example

Track changes at parameter-level

Change tracking– Track configuration changes for apps, services, hardware

Old and new values , time of change

Imperative for incident management and problem management– Alert to RCA tools when a change occurs

Incident triage: what changed and what should be changed back?


– Incident triage: what changed and what should be changed back?– Problem forensics: post-mortem analysis to determine root cause

IT Compliance Analyzer –Application Edition

Policy-based applicationPolicy-based application infrastructure validation

– User-defined policies– Preconfigured policy

Compliance Officer,IT Operations Manager

templates

Uses ADM as its data source

Policy is:Compliant

Non-Compliant ION

S

Automatic, continuous analysis for ongoing compliance

Non Compliant

NO

TIFI

CAT

I

E-mail

Rule

Rule

Real-time violation alerts Violations

TER

NA

L N

SNMPTraps

Rule

Rule

RuleMDR

Application C fi ti &

Policy

EXTRule


Configurations & Dependencies

Application Discovery ManagerIT Compliance Analyzer –

Application Edition

Operational Benefits



Application Discovery Manager

Discover your real IT infrastructure

Accurately manage change impact

Precisely control configuration drift

Quickly correlate infrastructure incidents t li ti i tto application impact

Enrich your CMDB with real-time dependency mappingdependency mapping

– Physical, virtual CIs

Drive consolidation, data center moves, rationalization virtualization projectsrationalization, virtualization projects



IT Compliance Analyzer – Application Edition

Are my applications running in the wrong locations?

Data center-only applications running in unauthorized field offices

Applications incorrectly runningApplications incorrectly running across a WAN, impacting performance

Applications not licensed for use outside certain locations

Virtual Machine was vMotion ed toVirtual Machine was vMotion-ed to an insecure zone




Are my servers configured correctly before a major

li ti ll t?application rollout? Minimum hardware requirements met

C t OS iCorrect OS version

Correct drivers, patches and utilities installedinstalled

Servers all identical




Are my applications communicating correctly?

Across the right security zones

Only to clients in authorized groups

Using secure protocols

Only to other services in their business applicationsbusiness applications

Development systems not accessing production systemsp y




Are my applications configured for high availability and

f ?performance? Multiple servers available for critical applicationsapplications

Minimum number of service instances (e.g., databases) in a b i li tibusiness application

Running on a cluster

Using high performance hard areUsing high-performance hardware




Is my environment up to date?Application versions

Operating system versions

Virtualization platform versions

Patch, driver and utility versions


Application Discovery ManagerIT Compliance Analyzer –

Application Edition

Use Cases


Key Use Cases

Audit data center application infrastructureAudit data center application infrastructure– Migration, consolidation, rationalization,

virtualization projects

P l t CMDB ith fi ti dPopulate CMDBs with configuration and dependency data

– Passive, active discovery CIs– Physical and VMware interdependencies

Manage change impact and compliance– Discover unexpected or unwanted relationships, p p ,

connections, and configurations


Audit Data Center Application Infrastructure

USE CASE

ChallengesChallengesManually intensive, time consuming consolidation projects

Preparing for merger and acquisition events

Building out disaster recovery sites

Pl i d i dPlanning and executing data center moves and migrations

EMC SolutionsEMC SolutionsEMC Smarts ADM audit services

– Basic passive inventory services– Advanced active configuration inventory


Populate CMDBs with Configuration and Dependency Data

USE CASE

g p y

ChallengesChallenges Accurately populating Configuration Management Database (CMDB) CIs and dependenciesdependencies

Maintaining and keeping CMDB data up to date

Reliable system of record and source of truth for data center infrastructure

EMC SolutionsApplication Discovery Manager

– Application infrastructure CIs and dependenciesApplication infrastructure CIs and dependencies

EMC Smarts Product Family– Network infrastructure CIs


CMDB integration services

24

Identify Change Impact and Compliance Issues

USE CASE

ChallengesChallenges Understanding the impact of planned changes

Avoiding outages due to unknownAvoiding outages due to unknown dependencies

Identifying unexpected or unwanted relationships and connectionsrelationships and connections

Assuring IT infrastructure conforms to regulatory standards (e.g., PCI)

EMC SolutionsApplication Discovery Manager

– Discover dependencies and relationships

IT Compliance Analyzer – Application Edition– PCI policy templates


Use Cases Related to VMware Environments

Comply with Best Practices VMware enabled Data Centers such as:Comply with Best Practices VMware-enabled Data Centers such as: – Viewing application dependencies to enhance configuration planning – Improving resource utilization by identifying VM’s no longer in use

Identifying “rogue” VMware ESX Servers not managed by VirtualCenter– Identifying rogue VMware ESX Servers not managed by VirtualCenter– Applying policies that check vMotion activity for optimal configurations – Understanding application dependencies and usage to optimally configure ESX

serversservers

Build data protection plans for VMware environments, including VMware Site Recovery Manager and VMware Consolidated Backup (VCB)

Populate CMDBs to Leverage and Maintain VMware and Physical Infrastructure Information


Comply with VMware Best Practices

USE CASE

ADM with IT Compliance Analyzer –Application Edition V1 1Application Edition V1.1Leverages ADM 6.0 VMware discovery

Example Rules:“All ESX servers must be actively managed by VirtualCenter”

“All VMs must have VMware Tools installed in the guest operating system”All VMs must have VMware Tools installed in the guest operating system

“All VMs must have VMware Tools running”

“Maximum of 30 VMs per ESX”

“Maximum of 4 network interfaces on a VM”

“Maximum of 100 ESX servers managed by one VirtualCenter”

“Maximum of 4 virtual CPUs per VM on an ESX”


Maximum of 4 virtual CPUs per VM on an ESX

Comply with VMware Best Practices

USE CASE

ADM with IT Compliance Analyzer –Application Edition V1 1Application Edition V1.1Leverages ADM 6.0 VMware discovery

More Example Rules:“ESX servers managed by VirtualCenter must not be accessed directly by any Virtual Infrastructure Clients. Administrators should be using VirtualCenter to manage their g gESX servers”

“The power-off state of a VM should not be set to ‘Hard’ on an ESX”

“Any ESX server used to run Exchange must be running ESX version 3.5 and haveAny ESX server used to run Exchange must be running ESX version 3.5 and have VMware Tools running in all of its VMs”

“VMs running Exchange on an ESX must be in the ACTIVE state”


Use Case:Comply with PCI DSS

USE CASE

PCI Requirement Description1.1.6 Justification and documentation for any available protocols besides hypertext transfer protocol (HTTP), and secure sockets layer (SSL), secure

h ll (SSH) d i t l i t t k (VPN)shell (SSH), and virtual private network (VPN)

1.1.7 Justification and documentation for any risky protocols allowed (for example, file transfer protocol (FTP), which includes reason for use of protocol and security features implemented.

1.3.4 Placing the database in an internal network zone, segregated from the DMZ

1.3.8 Installing perimeter firewalls between any wireless networks and the cardholder data environment, and configuring these firewalls to deny any traffic from the wireless environment or from controlling any traffic (if such traffic is necessary for business purposes)traffic from the wireless environment or from controlling any traffic (if such traffic is necessary for business purposes)

1.3.9 Installing personal firewall software on any mobile and employee-owned computers with direct connectivity to the Internet (for example, laptops used by employees), which are used to access the organization’s network

1.4 Prohibit direct public access between external networks and any system component that stores cardholder data (for example, databases, logs, trace files)

2.2.1 Implement only one primary function per server (for example, web servers, database servers, and DNS should be implemented on separate p e e t o y o e p a y u ct o pe se e ( o e a p e, eb se e s, database se e s, a d S s ou d be p e e ted o sepa ateservers)

2.2.2 Disable all unnecessary and insecure services and protocols (services and protocols not directly needed to perform the devices’ specified function)

4.1 Use strong cryptography and security protocols such as secure sockets layer (SSL)/transport layer security (TLS) and Internet protocol security (IPSEC) to safeguard sensitive cardholder data during transmission over open, public networks.

5.1 Deploy anti-virus software on all systems commonly affected by viruses (particularly personal computers and servers) Note: Systems commonly affected by viruses typically do not include UNIX-based operating systems or mainframes

5.2 Ensure that all anti-virus mechanisms are current, actively running, and capable of generating audit logs

6.1 Ensure that all system components and software have the latest vendor supplied security patches installed. Install relevant security patches within one month of release

8 5 9 Change user passwords at least every 90 days8.5.9 Change user passwords at least every 90 days

8.5.10 Require a minimum password length of at least seven characters

8.5.12 Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used

8.5.13 Limit repeated access attempts by locking out the user ID after not more than six attempts

8.5.14 Set the lockout duration to thirty minutes or until administrator enables the user ID


10.5.5 Use file integrity monitoring and change detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).

11.4 Use network intrusion detection systems, host-based intrusion detection systems, and intrusion prevention systems to monitor all network traffic and alert personnel to suspected compromises. Keep all intrusion detection and prevention engines up-to-date.

Application Discovery Manager 6.0IT Compliance Analyzer –

Application Edition 1.1

Latest Features


External Reporting and Open Schema Access

Custom Querying/Reporting with External Reporting Database

External Reporting Database(Customer Provided)

ADM ApplianceDiscovery

Periodic Automated Export Custom SQL queries:

GUI/ADM Application

ReconciliationGUI/applicationOut-of-the-box reporting

Extract relevant dataScheme definitionDocumentation

Most discovered data Available as in ADM Hosts, servicesConnectionsServer attributes

Installed softwareDemand/usageFlat propertiesGroup informationURL/DB table calls

third-party reporting tools

ADM data replicated on external reporting databaseEasier to use reporting database schemaS h d l li ti d d

Server attributes URL/DB table calls

Schedule replication as neededCustomer can integrate their reporting tools to external reporting databaseUtilize SQL Queries for custom queries


Ready loaders for Oracle 10g/RH ES 4 and Microsoft SQL 2005/Windows 2003PS or customer can create loading tools for other databases

ADM 6.0 – New Capabilities Overview

Discover VMware environments ( Virtual Infrastructure VI 3 onwards )Discover VMware environments ( Virtual Infrastructure VI 3 onwards )

Enhance Application Patterns GUI definitions

Revamped Grouping mechanism and User InterfaceRevamped Grouping mechanism and User Interface– Out of the box grouping for common infrastructure and service components

Enhanced mapping to support VM environments– Export to VISIO

Role based access controlsAssociate Groups with users– Associate Groups with users

Aging of data


ADM 6.0 – New Capabilities Overview

User control of depth of discoveryUser control of depth of discovery

User control of file system search for active discovery

High performing Web Services API for complete database dump andHigh performing Web Services API for complete database dump and bulk queries

Supporting dependency mapping with active discovery alone

Enhanced SAP fingerprint/application pattern template


ITCA–Application Edition 1.1 New Features

Analyze VMware configurations and relationshipsAnalyze VMware configurations and relationships

Access control compliance– E.g., “Minimum password length must be ≥ 9 on windows servers”

UNIX file permission compliance– E.g., “/dev/mem must have permission 640, owner root, and group sys”

Multivalued attributes (“compensating controls”)( p g )– E.g., “All connections between Finance and HR must be SSL or SSH”

Support for user-defined policy templates

Additi l b ilt i li t l tAdditional built-in policy templates

Notifications as SNMP traps

Audit LogAudit Log

Improved policy builder GUI

Violation search


– Track violations for a specific object across all polices and rules

S t A li ti DiSmarts Application Discovery Manager

Screenshots


ADM 6.0 - Dashboard

Dashboard shows all discovered OS, ESX servers, app services and discovery counts


y

Dependency Maps across Hosts and Application

CI: Connection Protocol

Virtualized On Relationship

App Demand Interactive map shows drill-down dependency relationshipsrelationships

TimeAnalysis

Relationships (1-way) CI: Server w/Resident Apps


Drill down to Oracle database instances

ADM 6.0 – Inventory Screens

Inventory screen views include VMs, ESX servers and other out of the box and custom groups

Virtualized dependencies


ADM 6.0 – Inventory Screens

VMs with Virtualized On relationshipsOn relationships

Configuration details of VMsConfiguration details of VMs


Configuration Comparison

Web application running Same application runningWeb application running slow on Oracle server1

Same application running at spec on staging server

Patch levelsPatch levels out of sync

Memory std’s out of sync


Usage Analysis


ADM Detailed Discovery Dashboard


IT C li A lIT Compliance Analyzer –Application Edition 1.1

Screenshots


Active Policy Violations


VMware Configuration Example

“All ESX servers must be managed by VirtualCenter”



“All i t l hi t h VM T l i t ll d”“All virtual machines must have VMware Tools installed”



“No more than 30 virtual machines per ESX”



“Maximum of 4 network interfaces on a virtual machine”


VMware – Linked to Specific Applications Example

“Any ESX server used to run Exchange must have ESX version 3.5 and VMware Tools running in all of its VMs”


VMware – Linked to Specific Applications Example

“Virtual machines running Exchange must be in the ACTIVE state”


PCI Data Security Standard

1.3.4, “Placing the database in an internal network zone, segregated from the DMZ”


PCI Data Security Standard

1.3.4, “Placing the database in an internal network zone, segregated from the DMZ”

Launch ADM for Additional Information


Launch ADM for Additional Information

Documents

Smarts Application Discovery Manager (nLayers) IT ......– Passive, active, agent-less, analytic – No agents required WAN Passive network traffic capture – Statistical sampling