Linux-UNIX: S-TAP to collector encryption
S-TAP agents can be configured to communicate with collectors over the network in an encrypted (TLS) manner.
Guardium recommends encrypting network traffic between the S-TAP and the collector whenever possible; encryption should be disabled only where performance is a higher priority than security. Enabling encryption has a small performance cost. The default S-TAP configuration is no encryption, to avoid any performance impact.
Before you determine the best choice for your environment, consider the following factors:
- Configuring the S-TAP with TLS requires extra time for encryption that might affect performance on the database server where the S-TAP agent is installed. The appliance (collector) also requires time to decrypt this traffic.
- If applications and database users are already communicating with the database in an unencrypted manner, configuring the S-TAP agent to encrypt its traffic to the collector may not make your network any safer, because the same database traffic is already crossing the network in cleartext.
In general, it makes sense to encrypt S-TAP traffic when the data sent to an appliance on a different network is already encrypted, or when the monitored database traffic is itself encrypted on the network.
Encryption is enabled during inspection engine configuration and can be changed at any time.
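Because the default is cleartext, a practitioner will usually want to verify, on each database server, whether the installed S-TAP is actually requesting TLS rather than relying on what the GUI shows. The following shell script is an added example and is not IBM's or Guardium's own code. It assumes that the S-TAP configuration file is guard_tap.ini (conventionally under /usr/local/guardium/guard_stap/) and that the parameter controlling collector encryption is named `use_tls` with 1 meaning TLS and 0 meaning cleartext; confirm both the path and the parameter name against the documentation for your installed S-TAP version. The sample file below is constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example (not Guardium's code): audit whether an S-TAP's guard_tap.ini
# requests TLS to the collector. Assumptions: the parameter is named use_tls
# (1 = TLS, 0 = cleartext) and the file is guard_tap.ini; verify for your version.

# Constructed sample standing in for a real guard_tap.ini (values are made up).
SAMPLE_INI="${TMPDIR:-/tmp}/guard_tap_sample.ini"
cat > "$SAMPLE_INI" <<'EOF'
[TAP]
tap_ip=10.0.0.5
use_tls=0

[SQLGuard_0]
sqlguard_ip=10.0.0.20
EOF

# stap_tls_setting FILE -> prints the effective use_tls value.
# The last matching line wins; a missing key is reported as 0, which matches
# the documented default of no encryption.
stap_tls_setting() {
    value=$(sed -n 's/^[[:space:]]*use_tls[[:space:]]*=[[:space:]]*\([0-9]\).*/\1/p' "$1" | tail -n 1)
    printf '%s\n' "${value:-0}"
}

# stap_tls_report FILE -> prints "encrypted" or "cleartext".
# Returns 1 for cleartext so the function can gate a fleet-wide compliance check.
stap_tls_report() {
    if [ "$(stap_tls_setting "$1")" = "1" ]; then
        echo "encrypted"
        return 0
    fi
    echo "cleartext"
    return 1
}

# Stand-alone run: report on the constructed sample ("|| :" keeps a cleartext
# result from aborting a caller that uses set -e).
stap_tls_report "$SAMPLE_INI" || :
```

To audit a real host, point `stap_tls_report` at the actual guard_tap.ini path (the assumed default is /usr/local/guardium/guard_stap/guard_tap.ini); the nonzero return for cleartext lets a configuration-management job flag agents that still use the default after a policy of encrypting S-TAP traffic has been adopted.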