IBM Security Guardium

  • 1.  S-TAP parameters in External S-TAP deployment

    Posted Thu November 05, 2020 08:38 AM
    Hi,

    If we are using External S-TAP in AWS EKS or deploying it using a script on a Linux machine, it supports features like blocking, redaction and quarantine. But in a normal deployment we use S-TAP parameters to control blocking or redaction on Linux and Windows operating systems.
    But my doubt is: without installing any S-TAP parameters in an External S-TAP deployment, does it support all features by default, or do we need to install some parameters, and if so, how do we do it?

    Thanks,
    Panendar Rao.C


    ------------------------------
    PHANENDRA RAO CHAVANA
    ------------------------------


  • 2.  RE: S-TAP parameters in External S-TAP deployment

    Posted Thu November 05, 2020 10:22 AM

    But my doubt is: without installing any S-TAP parameters in an External S-TAP deployment, does it support all features by default, or do we need to install some parameters, and if so, how do we do it?

        Blocking -- off by default; turn blocking on/off after install from the External S-TAP configuration GUI firewall TAP and the following parameters:
                              Firewall installed
                              Firewall timeout
                              Firewall default state
                              Firewall fail close
                              Firewall force watch/Firewall force unwatch

        Redaction and quarantine -- no on/off switch; they work when the equivalent policy is installed on the collector.



    ------------------------------
    JENNIFER Peng
    ------------------------------



  • 3.  RE: S-TAP parameters in External S-TAP deployment

    Posted Tue November 10, 2020 11:34 PM
    Hi,

    May I know which of the parameters below to enable for only monitoring, blocking, redaction and quarantine for External S-TAP?
    Do we need to enable any of the parameters below to monitor traffic, or does traffic monitoring work without enabling any parameters?


                              Firewall installed
                              Firewall timeout
                              Firewall default state
                              Firewall fail close
                              Firewall force watch/Firewall force unwatch

    Thanks,
    Panendar Rao.C

    ------------------------------
    PHANENDRA RAO CHAVANA
    ------------------------------



  • 4.  RE: S-TAP parameters in External S-TAP deployment

    Posted Wed November 11, 2020 07:42 AM
    Parameters to enable only for monitoring, blocking and quarantine:
             Firewall installed=1  (can be changed in the GUI from External S-TAP control)
       But monitoring, blocking and quarantine will only work when the related policy is installed on the collector, and how it works is decided by the policy as well.


     Parameters to enable redaction:
           No parameter on External S-TAP; it works when a redaction policy is installed on the collector.


    ------------------------------
    JENNIFER Peng
    ------------------------------



  • 5.  RE: S-TAP parameters in External S-TAP deployment

    Posted Wed November 11, 2020 08:00 AM
    Hi Jennifer,

    Thank you so much for your valuable information.
    I will change the parameter. My scenario is: we have installed the External S-TAP script (container_mgmt.sh) successfully on a Linux machine hosted in AWS.
    Its status is good in the AWS collector. My client is running MySQL (8.0) in AWS RDS and they are connecting to the database using the PuTTY application. It is not encrypted. How can we intercept traffic now? Could you assist me with the procedure? Below is the sample from IBM Security Learning Academy of how External S-TAP intercepts traffic once they connect to the database.


    Thanks,
    Panendar Rao.C

    ------------------------------
    PHANENDRA RAO CHAVANA
    ------------------------------



  • 6.  RE: S-TAP parameters in External S-TAP deployment

    Posted Wed November 11, 2020 08:20 AM

    AWS RDS MySQL has a DB server certificate installed; the traffic is encrypted when you use the native client. If you use a JDBC connection,
    you need to make sure the URL enables encryption by using the driver property useSSL=true. Check the AWS RDS documentation for how to use SSL with its database. When using External S-TAP, the only difference is that the certificate imported into the client keystore is the one that you imported into the collector when
    creating the certificate for External S-TAP, and you need to use the endpoint and port of External S-TAP to connect to the database. Once you have stored a certificate in the collector for External S-TAP, and made sure External S-TAP is installed using the token of that certificate, External S-TAP can intercept encrypted database traffic.

    https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html
    If you need further help, you can schedule a WebEx with me.



    ------------------------------
    JENNIFER Peng
    ------------------------------
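The JDBC setup described in the reply above, written out as an added example (this is not code from the thread, from IBM, or from the Guardium product): a MySQL Connector/J client that connects to the External S-TAP endpoint instead of the RDS endpoint, with useSSL=true plus server-certificate verification against a truststore that holds only the External S-TAP certificate exported from the collector. The host name, port, truststore path, database and credentials are placeholders (assumptions), as is the keytool command in the comment.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Properties;

/**
 * Added example, not part of the original thread: connect through an External
 * S-TAP endpoint over TLS, trusting only the certificate created on the
 * collector for that External S-TAP.
 *
 * Assumed placeholders (replace with your own values):
 *   EXTERNAL_STAP_HOST / EXTERNAL_STAP_PORT - the External S-TAP endpoint and
 *       listener port (NOT the RDS endpoint), as the reply above says.
 *   TRUSTSTORE_PATH / TRUSTSTORE_PASSWORD   - a Java keystore containing the
 *       External S-TAP certificate exported from the collector, e.g. built with:
 *       keytool -importcert -alias external-stap -file external-stap.pem \
 *               -keystore client-truststore.jks
 */
public class ExternalStapJdbcClient {

    // Placeholder endpoint of the External S-TAP (assumption).
    static final String EXTERNAL_STAP_HOST = "external-stap.example.internal";
    static final int EXTERNAL_STAP_PORT = 3306;

    // Placeholder truststore holding only the External S-TAP certificate (assumption).
    static final String TRUSTSTORE_PATH = "/etc/app/client-truststore.jks";
    static final String TRUSTSTORE_PASSWORD = "changeit";

    /** Connector/J properties that force TLS and verify the server certificate. */
    static Properties tlsProperties(String user, String password,
                                    String trustStorePath, String trustStorePassword) {
        Properties props = new Properties();
        props.setProperty("user", user);
        props.setProperty("password", password);
        // useSSL=true is the setting named in the reply; requireSSL refuses a
        // plaintext fallback if the other side does not offer TLS.
        props.setProperty("useSSL", "true");
        props.setProperty("requireSSL", "true");
        // Verify the presented certificate against our truststore, so the client
        // only accepts the External S-TAP endpoint whose certificate came from
        // the collector, rather than any host answering on that port.
        props.setProperty("verifyServerCertificate", "true");
        props.setProperty("trustCertificateKeyStoreUrl", "file:" + trustStorePath);
        props.setProperty("trustCertificateKeyStorePassword", trustStorePassword);
        props.setProperty("trustCertificateKeyStoreType", "JKS");
        return props;
    }

    /** JDBC URL pointing at the External S-TAP endpoint, not the RDS hostname. */
    static String jdbcUrl(String host, int port, String database) {
        return "jdbc:mysql://" + host + ":" + port + "/" + database;
    }

    public static void main(String[] args) throws SQLException {
        // Placeholder database name and credentials (assumption).
        String url = jdbcUrl(EXTERNAL_STAP_HOST, EXTERNAL_STAP_PORT, "appdb");
        Properties props = tlsProperties("app_user", "app_password",
                                         TRUSTSTORE_PATH, TRUSTSTORE_PASSWORD);

        try (Connection conn = DriverManager.getConnection(url, props);
             Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery("SELECT 1")) {
            if (rs.next()) {
                System.out.println("Connected via External S-TAP at "
                        + EXTERNAL_STAP_HOST + ":" + EXTERNAL_STAP_PORT
                        + ", query result = " + rs.getInt(1));
            }
        }
    }
}
```

If the truststore holds the generic AWS RDS CA bundle instead of the External S-TAP certificate from the collector, the handshake against the External S-TAP endpoint fails with a certificate error; that is the expected behaviour with verifyServerCertificate=true, and it is the check that tells you the client is trusting the interception endpoint you configured rather than any endpoint at all.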