
External S-TAP Overview, Deployment, and Architecture

IBM Security Guardium
Guardium External S-TAP:
Overview, deployment, and architecture
Rich Jerrell, Technical lead, Guardium UNIX and External S-TAP
Agenda
• Overview of the external S-TAP
• External S-TAP deployment
• System architecture
Additional slides (not covered):
• Deployment resources
• Certificate, client setup
• FAQ on external S-TAP
• Troubleshooting
Guardium Agent-based Monitoring With External S-TAP
Objectives
• Support modern environments: DBaaS, containers
• Agent capabilities when S-TAP can’t be installed
IBM Security / © 2021 IBM Corporation
Guardium Agent-based Monitoring With External S-TAP
• Organic solution based on S-TAP technology
• Supports containerized databases and databases consumed as a service
• Modern architecture
• Auto-deploy and auto-scale with Kubernetes
• Easy to integrate with a SecDevOps pipeline
• Certified on Docker and RHOS. Available on Docker Hub, and IBM Cloud Registry (planned)
• Real-time interception of SSL and plain-text TCP/IP traffic
• Supports redaction, blocking and alerting
• Local TCP traffic can be monitored by configuring DNS rules/ingress rules
Guardium External S-TAP
Deployment using Docker
[Diagram: user activity -> load balancer -> External S-TAP -> database service; External S-TAP -> Guardium Collector (reports, alerts, AI)]
Guardium External S-TAP V11.x
Deployment using Kubernetes orchestration
[Diagram: user activity --TCP/TLS--> External S-TAP --TCP/TLS--> database services; External S-TAP -> Guardium Collector (reports, alerts, AI)]
Guardium External S-TAP V11.x
Existing client/server flow
Guardium External S-TAP V11.x
Inserting External S-TAP into client/server flow
Method 1: change client connection parameters
• Connection parameters are modified to specify the External S-TAP IP and port
• Simplest method, with no networking requirements other than connectivity
• External S-TAP service and database service can be available via the same or different IP addresses
Guardium External S-TAP V11.x
Inserting External S-TAP into client/server flow
Method 2: change the DNS entry for the DB service
• The IP address of External S-TAP is returned from DNS for the database service hostname
• Simple method with few networking requirements other than connectivity
  – External S-TAP service and database service must be available via different IP addresses
  – IP and port pairs must be unique per service
  – If the IPs were the same, the ports would need to differ, which would necessitate changing client connection parameters
• Selective DNS rules can be used to support multiple deployments of External S-TAP
  – Can be used to create fast/slow lanes, or to aid in migrating clients to External S-TAP
Guardium External S-TAP V11.x
Inserting External S-TAP into client/server flow
Method 3: add an external load balancer
• Supplied by the customer (e.g. F5, HAProxy, NGINX, etc.)
• Change the DNS entry for the DB service: the IP address of the load balancer is returned from DNS for the database service hostname
• Most flexible method, via an external, customer-supplied load balancer
• External S-TAP service and database service can be available via the same or different IP addresses
  – The DNS target is the external load balancer, allowing complete flexibility for database service and External S-TAP IP addresses and ports
• Allows fine-grained control and simplifies migrating the service to using External S-TAP
  – Switching the target of client traffic in the load balancer is not dependent on the TTL of DNS or on client caching of DNS results
• The external load balancer is separate from any NodePort service provided by Kubernetes (if applicable)
  – The NodePort service provided with Kubernetes orchestration provides resilience and reliability by splitting load across a ReplicaSet
  – The external load balancer can further improve resilience by configuring a failover route
  – The external load balancer can support multiple deployments for fast/slow lanes
Additional deployment details
IBM Guardium External S-TAP
Click here to download the latest IBM Guardium External S-TAP
– Documentation (for v11.4) is here
– Quick technical demo of External S-TAP is here
– Support matrix is here
– Deploying External S-TAP on-prem using a script is described here
– Deploying External S-TAP on Kubernetes/OpenShift by Helm chart is described here
– Deployment on cloud demo using the GUI is here
– Notes on monitoring AWS Oracle RDS with External S-TAP are here
External S-TAP deployment methods and the endpoint
– Deployment on-prem (the host can be a VM in the cloud)
– Deployment in cloud
On prem:
• Deployment on a host with docker/podman: endpoint is the host; option: external load balancer
• Deployment on a Kubernetes/OpenShift/NPS/CP4D cluster: endpoint is a NodePort or an external load balancer
In cloud:
• AWS EKS: native load balancer
• Azure AKS: native load balancer
• Google GKE: native load balancer
• IBM Cloud: native load balancer
External S-TAP deployment on-prem
Find the on-prem deployment scripts at:
https://github.com/IBM/Guardium_External_S-TAP
– The script supports both docker and podman
– The deployment script requires passwordless ssh login to be set up on the host system
– The deployment script requires a login account for docker login authentication
– Best practices for using External S-TAP for on-prem databases
Deployment on-cloud Kubernetes/OpenShift
Best practices
The Kubernetes/OpenShift cluster should be created close to the database (same region/zone).
If a virtual network/private network is used, the cluster should be in the same virtual network as the database, and must be able to connect to the Guardium collector.
1. Recommended: deploy with two pods and 4-6 threads in each pod for most workloads.
2. Network requirements (firewall ports to open): cluster nodes <==> database on the DB port; cluster nodes <==> Guardium Collector on 16018 and 443.
3. Set up horizontal auto-scaling and install the metrics server.
Deployment of External S-TAP on cloud
The following cloud providers are supported:
1. Azure AKS
2. AWS EKS and ECS
3. Google GKE
4. IBM Cloud Kubernetes/OpenShift cluster
External S-TAP certificate
There are three ways to store the External S-TAP certificate:
1. Certificate stored on the collector
   Method 1: store certificate external_stap
   Method 2 (recommended): store certificate external_stap_signing
2. Certificate stored on persistent storage
   Set the location of the certificate with STAP_CONFIG_PROXY_PEM_PATH
3. Certificate stored as a Kubernetes secret (new)
   Deployment using the Helm chart
The certificate is required for SSL-enabled transactions. For non-SSL connections, a certificate is still required for MySQL.
Since only SSL-enabled transactions are supported for MSSQL, a certificate is required for using External S-TAP with MSSQL.
Additional External S-TAP configuration parameters:
notify_on_invalid_certificate
disconnect_on_invalid_certificate
External S-TAP Client Setup
Traffic must be routed to the External S-TAP endpoint instead of directly to the database.
• Recommended: use DNS to route the traffic instead of updating the endpoint URL
• Using DNS is required for some databases: Azure SQL Server, MongoDB cluster
• If the database uses SSL, import the CA/intermediate CA that signed the External S-TAP certificate into the client's trust store for verification
Example of how to create a self-signed certificate:
To create your own CA:
openssl genrsa -out rootCA.key 2048
openssl req -x509 -sha256 -new -key rootCA.key -days 3650 -out rootCA.pem
Then sign your CSR (proxy.csr, the certificate signing request for the External S-TAP private key) with that CA:
openssl x509 -sha256 -req -days 3650 -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -in proxy.csr -out proxy.pem
If you need a SAN with DNS entries, create a config file request_config.cnf containing:
[ req ]
req_extensions = req_ext
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = yourcompany.com
Sign your certificate (the -extfile/-extensions pair is what copies the SAN into the issued certificate):
openssl x509 -sha256 -req -days 3650 -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -in proxy.csr -out proxy.pem -extfile request_config.cnf -extensions req_ext
External S-TAP FAQ
Q: What protocol is used from the DB client to External S-TAP?
A: The protocol is TCP/IP (plain or TLS).
Q: Where does the client configuration change take place to utilize External S-TAP?
A: The database URL used by the application needs to be updated in order to utilize External S-TAP. This can be done directly, by replacing the database endpoint/port with the External S-TAP endpoint/port, or indirectly, if the port stays the same, by adding an entry in the DNS server that routes the traffic to External S-TAP. For encrypted connections, the root CA or intermediate CA needs to be imported on the host of the database application.
For testing, when the External S-TAP endpoint port is the same as the database port, use a local DNS entry by adding a line to /etc/hosts on the database application host as follows:
<external s-tap endpoint ip> <database endpoint hostname>
Q: If External S-TAP goes down and the application uses the External S-TAP URL, will the application also have downtime? How can we overcome this situation?
A: Recommended: use a Kubernetes cluster as the first layer of protection, with failover, and DNS failover as a bypass protection. Note that while a bypass is active, client traffic goes directly to the database and is not seen by External S-TAP.
Q: If we have databases in multiple availability zones, do we need to have External S-TAP configured in all the zones?
A: As long as the database endpoint doesn’t change, there is no need to reinstall External S-TAP or to install it in all zones.
External S-TAP Known Issues
1.) GUI deployment on cloud creates a public load balancer, which exposes the External S-TAP endpoint (and through it the database) to the Internet. To deploy External S-TAP into a private virtual network, update service.yaml, or use the Helm chart with the provider's internal load balancer annotation:
service.beta.kubernetes.io/azure-load-balancer-internal: "true"
service.beta.kubernetes.io/aws-load-balancer-internal: "true"
service.beta.kubernetes.io/ibm-load-balancer-cloud-provider-ip-type: "private"
networking.gke.io/load-balancer-type: "Internal"
For more known issues see:
https://www.ibm.com/docs/en/guardium/11.4?topic=tap-troubleshooting-external-s-issues
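The following is an added example, not IBM's manifest or Helm chart: a small shell helper that renders a Kubernetes Service for External S-TAP with the per-provider internal load balancer annotation listed above, plus a guard that refuses a LoadBalancer Service lacking one (useful in CI before kubectl apply). The service name, the pod selector label and the client-facing port 8888 are assumptions; take them from your own Helm values.

```shell
#!/usr/bin/env bash
# Added example (not from IBM): render an External S-TAP Service whose cloud load
# balancer gets a private address, and check manifests for that property.
set -euo pipefail

# internal_lb_annotation PROVIDER -> prints the provider's internal-LB annotation line
internal_lb_annotation() {
  case "$1" in
    azure) echo 'service.beta.kubernetes.io/azure-load-balancer-internal: "true"' ;;
    aws)   echo 'service.beta.kubernetes.io/aws-load-balancer-internal: "true"' ;;
    ibm)   echo 'service.beta.kubernetes.io/ibm-load-balancer-cloud-provider-ip-type: "private"' ;;
    gke)   echo 'networking.gke.io/load-balancer-type: "Internal"' ;;
    *)     echo "unknown provider: $1 (use azure|aws|ibm|gke)" >&2; return 1 ;;
  esac
}

# render_estap_service PROVIDER [NAME] [PORT] -> Service manifest on stdout
# NAME, the selector label and PORT are assumptions; align them with your chart.
render_estap_service() {
  local provider="$1" name="${2:-guardium-external-stap}" port="${3:-8888}" ann
  ann="$(internal_lb_annotation "$provider")" || return 1
  cat <<EOF
apiVersion: v1
kind: Service
metadata:
  name: ${name}
  annotations:
    ${ann}
spec:
  type: LoadBalancer
  selector:
    app: ${name}          # assumed pod label
  ports:
    - name: proxy
      port: ${port}       # assumed client-facing proxy port
      targetPort: ${port}
EOF
}

# assert_internal_lb MANIFEST_TEXT -> 0 if the manifest is not a LoadBalancer Service,
# or is one and carries a known internal-LB annotation; 1 if it would be Internet-facing.
assert_internal_lb() {
  local m="$1"
  printf '%s\n' "$m" | grep -q 'type: LoadBalancer' || return 0
  printf '%s\n' "$m" | grep -Eq \
    'azure-load-balancer-internal: "true"|aws-load-balancer-internal: "true"|ibm-load-balancer-cloud-provider-ip-type: "private"|networking.gke.io/load-balancer-type: "Internal"'
}

# Usage: render_estap_service aws > service.yaml && assert_internal_lb "$(cat service.yaml)"
```

Run assert_internal_lb over every Service you are about to apply; a GUI-generated or hand-edited manifest that drops the annotation fails the check instead of silently publishing the proxy.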
External S-TAP network troubleshooting
1. Verify the port to the collector is open:
telnet <collector ip/hostname> 16018
From within the docker container, use "netstat -na"; there should be an ESTABLISHED connection from the container to the collector on port 16018:
[guardium@localhost ]$ netstat -na
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN
tcp        0      0 172.17.0.2:34928        xx.xx.xx.xx:16018       ESTABLISHED
tcp6       0      0 :::8888                 :::*                    LISTEN
2. Verify the firewall is open to the database with the following:
[guardium@localhost]$ gproxy_live
[guardium@localhost-gext0-snif-rh78-mongo1 ~]$ echo $?
0
The return value should be 0 in order to connect to the database.
3. If a load balancer is used, verify the load balancer endpoint is open with:
telnet <load balancer endpoint> <target port>
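The checks above, scripted, as an added example that is not part of IBM's tooling (gproxy_live is not reimplemented here). has_collector_session and collector_peer parse "netstat -na" output from inside the container to confirm the ESTABLISHED session to the collector; tcp_open uses bash's /dev/tcp in place of telnet, which minimal images often lack; estap_network_check runs the port checks for the collector (16018 and 443), the database and an optional load balancer. The netstat text is a constructed sample shaped like the slide's output, and the 10.0.0.5 collector address in it is made up.

```shell
#!/usr/bin/env bash
# Added example (not from IBM): automate the External S-TAP network checks.
set -euo pipefail

# Constructed sample in the shape of the slide's "netstat -na" output (not a real capture).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN
tcp        0      0 172.17.0.2:34928        10.0.0.5:16018          ESTABLISHED
tcp6       0      0 :::8888                 :::*                    LISTEN'

# has_collector_session NETSTAT_OUTPUT [PORT]
# Exit 0 if some ESTABLISHED TCP session has its peer on PORT (collector default 16018).
has_collector_session() {
  local out="$1" port="${2:-16018}"
  printf '%s\n' "$out" | awk -v p="$port" '
    $1 ~ /^tcp/ && $6 == "ESTABLISHED" {
      n = split($5, a, ":")          # peer is column 5; the port follows the last colon
      if (a[n] == p) found = 1
    }
    END { exit found ? 0 : 1 }'
}

# collector_peer NETSTAT_OUTPUT [PORT]: print the collector peer as ip:port (empty if none)
collector_peer() {
  local out="$1" port="${2:-16018}"
  printf '%s\n' "$out" | awk -v p="$port" '
    $1 ~ /^tcp/ && $6 == "ESTABLISHED" { n = split($5, a, ":"); if (a[n] == p) print $5 }'
}

# tcp_open HOST PORT [TIMEOUT_SECONDS]: exit 0 if a TCP connect succeeds.
# Uses bash /dev/tcp, so no telnet or nc is needed (IPv4 addresses or hostnames).
tcp_open() {
  local host="$1" port="$2" t="${3:-3}"
  timeout "$t" bash -c "exec 3<>/dev/tcp/${host}/${port}" 2>/dev/null
}

# estap_network_check COLLECTOR DB_HOST DB_PORT [LB_HOST LB_PORT]
# Runs checks 1 and 3 (and the DB port from the firewall rules) against live endpoints;
# prints one line per target and exits 1 if any target is unreachable.
estap_network_check() {
  local collector="$1" db_host="$2" db_port="$3" lb_host="${4:-}" lb_port="${5:-}" rc=0 spec
  local targets=("$collector:16018" "$collector:443" "$db_host:$db_port")
  [ -n "$lb_host" ] && targets+=("$lb_host:$lb_port")
  for spec in "${targets[@]}"; do
    if tcp_open "${spec%:*}" "${spec##*:}"; then echo "OK   $spec"; else echo "FAIL $spec"; rc=1; fi
  done
  return "$rc"
}

# Usage (inside the container): has_collector_session "$(netstat -na)" && echo "collector session up"
# Usage (from a cluster node):  estap_network_check collector.example.internal db.example.internal 5432
```

A FAIL line on collector:16018 with a working 443 usually points at a firewall rule rather than the collector itself; a missing ESTABLISHED row while telnet succeeds means the agent is not registered, which the certificate section covers.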
External S-TAP certificate troubleshooting
1.) Test the connection while bypassing server certificate verification (testing only, since this disables the client's check of the External S-TAP certificate):
JDBC driver parameter: trustServerCertificate=true
2.) Import the root CA / intermediate CA into the Java keystore:
openssl x509 -outform der -in rootCA.pem -out rootCA.der
keytool -import -alias mycert -keystore cacerts -file rootCA.der
3.) Install the root CA / intermediate CA into the local certificate authorities:
Put the certificate files as single files ending with .crt into /usr/local/share/ca-certificates/ and re-run update-ca-certificates
4.) Verify the trust chain of the certificate:
openssl verify -CAfile rootCA.pem -untrusted Intermediate.pem ExternalCert.pem
5.) View certificate details:
openssl x509 -in mycert.pem -text -noout
6.) View the server certificate as presented to clients:
openssl s_client -showcerts -connect <server hostname>:<port>
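An added, end-to-end example covering both the certificate creation steps in the client setup section and the chain verification in step 4 above; it is not IBM's tooling. It builds a root CA and an intermediate CA, issues a SAN certificate for the External S-TAP endpoint using the same request_config.cnf layout as the slide (with the corrected -CAcreateserial and -extfile/-extensions flags), writes the chain a client must import, and then verifies the leaf the way a client that trusts only the root would. verify_leaf_alone reproduces the usual failure (root trusted, intermediate not supplied). The hostname estap.yourcompany.com and the CA names are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from IBM): private PKI for an External S-TAP endpoint and its verification.
set -euo pipefail

ESTAP_HOST="${ESTAP_HOST:-estap.yourcompany.com}"   # assumed External S-TAP endpoint name

# make_estap_pki DIR: writes rootCA.pem, intermediate.pem, proxy.key, proxy.pem, chain.pem into DIR
make_estap_pki() {
  local d="$1"
  mkdir -p "$d"
  cat > "$d/request_config.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
req_extensions = req_ext
[ dn ]
CN = ${ESTAP_HOST}
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = ${ESTAP_HOST}
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  # 1. Root CA, self-signed; CA extensions applied explicitly so openssl verify treats it as a CA
  openssl genrsa -out "$d/rootCA.key" 2048 2>/dev/null
  openssl req -x509 -sha256 -new -key "$d/rootCA.key" -days 3650 -config "$d/request_config.cnf" \
    -subj "/CN=Example Root CA" -extensions ca_ext -out "$d/rootCA.pem"
  # 2. Intermediate (issuing) CA, signed by the root
  openssl genrsa -out "$d/intermediate.key" 2048 2>/dev/null
  openssl req -new -sha256 -key "$d/intermediate.key" -config "$d/request_config.cnf" \
    -subj "/CN=Example Issuing CA" -out "$d/intermediate.csr"
  openssl x509 -sha256 -req -days 1825 -CA "$d/rootCA.pem" -CAkey "$d/rootCA.key" -CAcreateserial \
    -in "$d/intermediate.csr" -out "$d/intermediate.pem" \
    -extfile "$d/request_config.cnf" -extensions ca_ext 2>/dev/null
  # 3. Leaf for the External S-TAP endpoint; the SAN is added from req_ext at signing time
  openssl genrsa -out "$d/proxy.key" 2048 2>/dev/null
  openssl req -new -sha256 -key "$d/proxy.key" -config "$d/request_config.cnf" -out "$d/proxy.csr"
  openssl x509 -sha256 -req -days 825 -CA "$d/intermediate.pem" -CAkey "$d/intermediate.key" -CAcreateserial \
    -in "$d/proxy.csr" -out "$d/proxy.pem" \
    -extfile "$d/request_config.cnf" -extensions req_ext 2>/dev/null
  # 4. What clients import: issuing chain, intermediate first, then root
  cat "$d/intermediate.pem" "$d/rootCA.pem" > "$d/chain.pem"
}

# verify_estap_chain DIR: 0 if proxy.pem chains through intermediate.pem to rootCA.pem and
# its SAN names ESTAP_HOST, the two checks a TLS client performs before trusting the proxy
verify_estap_chain() {
  local d="$1"
  openssl verify -CAfile "$d/rootCA.pem" -untrusted "$d/intermediate.pem" "$d/proxy.pem" >/dev/null 2>&1 || return 1
  openssl x509 -in "$d/proxy.pem" -noout -text | grep -q "DNS:${ESTAP_HOST}"
}

# verify_leaf_alone DIR: root trusted but no intermediate offered; returns 1 with
# "unable to get local issuer certificate", which is why chain.pem is built above
verify_leaf_alone() {
  openssl verify -CAfile "$1/rootCA.pem" "$1/proxy.pem" >/dev/null 2>&1
}

# Usage: make_estap_pki ./pki && verify_estap_chain ./pki && echo "chain OK"
```

Install chain.pem (or just rootCA.pem plus the intermediate) on the client hosts using step 2 or 3 above; with only the root imported and the intermediate neither imported nor served by the proxy, clients fail exactly as verify_leaf_alone does.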
Thank you
Follow us on:
ibm.com/security
securityintelligence.com
ibm.com/security/community
xforce.ibmcloud.com
@ibmsecurity
youtube.com/ibmsecurity
© Copyright IBM Corporation 2021. All rights reserved. The information contained in these materials is provided for
informational purposes only, and is provided AS IS without warranty, of any kind, express or implied. Any statement of
direction represents IBM’s current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM,
the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in
the United States, other countries or both. Other company, product, or service names may be trademarks or service marks
of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention,
detection and response to improper access from within and outside your enterprise. Improper access can result in
information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems,
including for use in attacks on others. No IT system or product should be considered completely secure and no single
product, service or security measure can be completely effective in preventing improper use or access. IBM systems,
products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve
additional operational procedures, and may require other systems, products or services to be most effective. IBM does not
warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious
or illegal conduct of any party.