IBM Security Guardium

  • 1.  External S-TAP is not logging On-Premises DB Traffic

    Posted Mon June 21, 2021 04:56 AM
    Hi Folks,

    I have created a Demo for External S-TAP using manual Docker deployment.
Environment Details: Collector v11.1, RedHat Linux v5.8 running DB2 v10.5, Ubuntu v18 running Docker with one External S-TAP container, without a load balancer.

So, after deployment of the External S-TAP container on Docker I am able to see an entry and a green status in the Collector, but when I perform some activity in the DB2 database I am unable to see any logs in Guardium, and I am unable to track where the issue is.

    Any suggestion for resolving this will be helpful.

    Thanks in Advance!

    Best Regards,
    Rizwan

    ------------------------------
    Rizwan Ali
    ------------------------------


  • 2.  RE: External S-TAP is not logging On-Premises DB Traffic

    Posted Wed June 30, 2021 03:36 PM
    External S-TAP inspects traffic that is routed through it.  After deployment, it is necessary to either configure the database client to explicitly connect to the External S-TAP deployment, or use DNS changes to transparently send new client connections through the External S-TAP deployment.  If there is any doubt about whether or not a connection is routed through External S-TAP, the containers include netstat and you can check to see what connections are currently open inside of it.

    ------------------------------
    RICHARD JERRELL
    ------------------------------



  • 3.  RE: External S-TAP is not logging On-Premises DB Traffic

    Posted Fri July 02, 2021 02:16 AM
    Edited by PHANENDRA RAO CHAVANA Fri July 02, 2021 02:17 AM
    HI Rizwan,

Please connect to the Linux machine when you try to connect to the database. This Linux machine will act as a proxy between the database and Guardium.
See the screenshot below: if you specified a port when you ran the script, you need to connect with the same port and the External S-TAP machine IP.
If no port was specified in the script you ran, I think it runs on port 32768. Just connect to the External S-TAP IP and 32768.
sample : mysql -h 10.0.0.150 -P 32768 (10.0.0.150 is the External S-TAP IP; -P, capital, is the mysql client's port option).

    Let me know if it works


    Thanks,
    Panendar Rao.C

    ------------------------------
    PHANENDRA RAO CHAVANA
    ------------------------------



  • 4.  RE: External S-TAP is not logging On-Premises DB Traffic

    Posted Fri July 02, 2021 06:54 AM
    Hi Rao,

    Thank you for your input!

    As you know all my machines are running on premises.

    I have used this script:

    ./container_mgmt.sh \
    --ni \
    --c \
    --svc-image store/ibmcorp/guardium_external_s-tap:v11.2.0.137 \
    --repo-user rizwanjoo1 \
    --repo-pass MyDesire.1 \
    --svc-host 192.168.12.128 \
    --svc-host-user ubuntu \
    --svc-container-num 2 \
    --db-host 192.168.12.129 \
    --db-type db2 \
    --db-port 50000 \
    --sqlguard-ip 192.168.12.130 \
    --state-file cluster.state

So now I should connect to the DB2 machine using port 32768 and the host IP of the External S-TAP, i.e. 192.168.12.128?

    Best Regards,
    Rizwan

    ------------------------------
    Rizwan Ali
    ------------------------------



  • 5.  RE: External S-TAP is not logging On-Premises DB Traffic

    Posted Wed July 07, 2021 10:02 AM
    The management script will print the port number assigned, but the port actually used depends on which ports are currently available on the service host.  The IP address to use for the client is the address of the service host.  Since you are not using a load balancer, you will be directly connecting to the External S-TAP container through the exposed port on the service host.  I notice that your command indicates two service instances, though, which is difficult to utilize fully without a load balancer, especially when both are deployed on the same system.

    ------------------------------
    RICHARD JERRELL
    ------------------------------
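The check described in the two replies above (traffic is only inspected when the client is routed through the External S-TAP service host, and netstat shows you whether that is happening), as an added example that is not part of the thread and not IBM's own tooling. It classifies the connections a DB2 server sees into sessions arriving from the External S-TAP service host (inspectable) and sessions that reach the database directly (invisible to Guardium). The DB host 192.168.12.129, DB port 50000 and service host 192.168.12.128 are taken from the posted command; the netstat capture and the peer addresses in it are constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the thread or from IBM: classify the TCP connections
# that a DB2 server sees so that client sessions bypassing External S-TAP
# stand out. Only traffic that arrives from the External S-TAP service host
# passes through the proxy and can be logged by the collector.
#
# Assumed from the thread: DB host 192.168.12.129, DB port 50000, External
# S-TAP service host 192.168.12.128. Peer addresses in the sample are made up.

DB_HOST="192.168.12.129"
DB_PORT="50000"
STAP_HOST="192.168.12.128"

# Constructed sample of `netstat -tn` output taken on the DB2 server.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.12.129:50000    192.168.12.128:41022    ESTABLISHED
tcp        0      0 192.168.12.129:50000    192.168.12.200:55810    ESTABLISHED
tcp        0      0 192.168.12.129:22       192.168.12.200:55700    ESTABLISHED
tcp        0      0 192.168.12.129:50000    192.168.12.131:49876    TIME_WAIT'

# classify_connections: reads `netstat -tn` output on stdin and prints one
# line per ESTABLISHED connection to DB_HOST:DB_PORT in the form
#   <peer-ip> via-external-stap|BYPASS
# Connections to other local ports and non-established states are ignored.
classify_connections() {
  awk -v db="$DB_HOST:$DB_PORT" -v stap="$STAP_HOST" '
    $1 == "tcp" && $4 == db && $6 == "ESTABLISHED" {
      peer = $5
      sub(/:[0-9]+$/, "", peer)          # strip the ephemeral client port
      print peer, (peer == stap ? "via-external-stap" : "BYPASS")
    }'
}

# count_bypass: number of established DB sessions that did not come through
# the External S-TAP host, i.e. sessions Guardium will not see.
count_bypass() {
  printf '%s\n' "$SAMPLE_NETSTAT" | classify_connections |
    awk '$2 == "BYPASS" { n++ } END { print n + 0 }'
}

# Stand-alone run against the constructed sample. On a real DB host replace
# SAMPLE_NETSTAT with the live output:  netstat -tn | classify_connections
printf '%s\n' "$SAMPLE_NETSTAT" | classify_connections
echo "sessions bypassing External S-TAP: $(count_bypass)"
```

Any line tagged BYPASS is a client that was pointed at the database address instead of the service host address and exposed port, which is exactly the situation in which the collector shows a green External S-TAP but records no activity. The complementary check from inside the container (netstat there should show one connection from the client and one outbound connection to DB_HOST:DB_PORT per session) uses the same parsing with the roles of the addresses swapped.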



  • 6.  RE: External S-TAP is not logging On-Premises DB Traffic

    Posted Wed July 07, 2021 10:12 AM
Thanks for the valuable information, guys. I have identified that I was connecting directly to the DB server instead of connecting to the External S-TAP server.

Another thing I want to know: can we deploy one External S-TAP for multiple DB servers?

    Regards,
    Rizwan





  • 7.  RE: External S-TAP is not logging On-Premises DB Traffic

    Posted Wed July 07, 2021 10:31 AM
    Not really, no.  External S-TAP can only accept a single endpoint to which it will relay traffic.  You can, however, deploy External S-TAP multiple times to the same set of service hosts.

    ------------------------------
    RICHARD JERRELL
    ------------------------------



  • 8.  RE: External S-TAP is not logging On-Premises DB Traffic

    Posted Wed July 07, 2021 10:36 AM
    Thanks it helped.