IBM Security Guardium


Unable to connect to Guardium Collector in AWS

  • 1.  Unable to connect to Guardium Collector in AWS

    Posted Wed June 22, 2022 09:07 AM
    We are building a PoC Guardium system within AWS to monitor an RDS Oracle database.

    We have stood up a Guardium Collector (10.179.252.124) that is being used for internal kernel-based STAPs, and that works.

    The issue we have is that we cannot connect to any ports on the GC appliance from certain subnets within our VPC. The VPC CIDR is 10.179.252.0/23.

    To test connectivity to that machine I have stood up an EC2 instance in each of our available subnets.

    We have changed the Security Groups on the Instance (10.179.252.109), also in Subnet 10.179.252.96/27, to exactly match the Guardium Collector (with one additional rule from SG GuardiumEC2Test2 which allows SSH access).

    The connectivity tests are below.

    Instance Name (includes SN)   Instance IP      Connect test to        Connect test to
                                                   10.179.252.124         10.179.252.109
                                                   port 16018             port 16018

    test - 10.179.252.0/27        10.179.252.12    Fail                   Success
    test - 10.179.252.128/27      10.179.252.154   Fail                   Success
    test - 10.179.252.160/27      10.179.252.180   Fail                   Success
    test - 10.179.252.192/27      10.179.252.222   Fail                   Success
    test - 10.179.252.224/27      10.179.252.234   Fail                   Success
    test - 10.179.252.32/27       10.179.252.53    Fail                   Success
    test - 10.179.252.64/27       10.179.252.87    Fail                   Success
    test - 10.179.252.96/27       10.179.252.109   Success                Success
    test - 10.179.253.0/27        10.179.253.8     Success                Success
    test - 10.179.253.32/27       10.179.253.62    Success                Success
    test - 10.179.253.64/27       10.179.253.94    Success                Success
    test - 10.179.253.96/27       10.179.253.112   Success                Success

    As can be seen, connections to the test machine 10.179.252.109 are all successful, while connections to the GC 10.179.252.124 fail if the traffic is coming from certain subnets. As we have identical NACLs, Security Groups and Route tables for all machines, they can be eliminated as the issue.

    Basically, we can connect to Guardium from machines in its own subnet and from machines in the 10.179.253.X subnets, but not from the other 10.179.252.X subnets.

    We are fairly confident that this would indicate that it is something in the Guardium appliance itself that is dropping the connections.

    Any clues as to what this may be?

    Thanks

    Dave

    ------------------------------
    Dave MacRae
    ------------------------------
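One check worth running against the results in the post above, written here as an added example (it is not from the post, nor IBM's or AWS's code): it encodes the table and asks whether the Fail/Success split is exactly what an over-wide interface netmask on the appliance would produce, since a host that believes a source is on-link ARPs for it instead of replying through the VPC router. That the collector's interface mask is wider than its real /27 is my assumption for the purpose of the check, not something the thread establishes.

```python
import ipaddress

# Constructed from the connectivity table in the post above:
# (source subnet, source IP, did TCP connect to 10.179.252.124:16018 succeed?)
COLLECTOR = ipaddress.ip_address("10.179.252.124")
COLLECTOR_SUBNET = ipaddress.ip_network("10.179.252.96/27")
RESULTS = [
    ("10.179.252.0/27", "10.179.252.12", False),
    ("10.179.252.128/27", "10.179.252.154", False),
    ("10.179.252.160/27", "10.179.252.180", False),
    ("10.179.252.192/27", "10.179.252.222", False),
    ("10.179.252.224/27", "10.179.252.234", False),
    ("10.179.252.32/27", "10.179.252.53", False),
    ("10.179.252.64/27", "10.179.252.87", False),
    ("10.179.252.96/27", "10.179.252.109", True),
    ("10.179.253.0/27", "10.179.253.8", True),
    ("10.179.253.32/27", "10.179.253.62", True),
    ("10.179.253.64/27", "10.179.253.94", True),
    ("10.179.253.96/27", "10.179.253.112", True),
]

def sources(results, ok):
    """Source addresses whose connect test had outcome `ok`."""
    return [ipaddress.ip_address(ip) for _, ip, res in results if res == ok]

def smallest_supernet(addrs):
    """Smallest single prefix that contains every address in addrs."""
    net = ipaddress.ip_network(f"{addrs[0]}/32")
    while not all(a in net for a in addrs):
        net = net.supernet()
    return net

def matches_wide_mask(results, collector, collector_subnet, prefixlen):
    """Hypothesis (an assumption, not confirmed by the thread): the appliance's
    interface carries prefix length `prefixlen`, wider than its real /27, so it
    treats every source inside that prefix as on-link; in a VPC only hosts in
    the real /27 are reachable that way. True if the table matches exactly."""
    wide = ipaddress.ip_network(f"{collector}/{prefixlen}", strict=False)
    for _, ip, ok in results:
        src = ipaddress.ip_address(ip)
        predicted_ok = src in collector_subnet or src not in wide
        if predicted_ok != ok:
            return False
    return True

def candidate_prefixlens(results, collector, collector_subnet):
    """Prefix lengths from /8 to /27 whose prediction reproduces the table."""
    return [p for p in range(8, 28)
            if matches_wide_mask(results, collector, collector_subnet, p)]
```

If the only prefix length returned is 24, the failing sources are exactly the 10.179.252.x hosts outside the collector's own /27, which is the pattern to compare against the interface settings on the appliance itself rather than against Security Groups or NACLs.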


  • 2.  RE: Unable to connect to Guardium Collector in AWS

    Posted Wed July 06, 2022 09:15 AM
    We "resolved" the issue by moving our Kubernetes cluster into the set of subnets we knew can talk to the collector. Not ideal but it will do for our PoC.

    Thanks

    Dave

    ------------------------------
    Dave MacRae
    ------------------------------