Windows: Capturing encrypted MSSQL traffic
Understand the correlation driver that is used for capturing encrypted MSSQL traffic.
The correlation driver facilitates the communication between the Guardium® DLLs that are injected into the SQL Server process and the Guardium traffic drivers (WFP, NMP). The Guardium DLLs obtain the encryption key that the S-TAP uses to decrypt the SQL Server traffic, but the DLLs do not know which session (IPs, ports) the encryption key belongs to. The correlation driver matches the encryption key to the session in the traffic drivers (WFP, NMP) so that the DLLs can apply the proper key to the proper session. Finally, the DLLs supply the encryption key for that session to the traffic drivers through the correlation driver, and the traffic drivers deliver the encryption key to the S-TAP. The S-TAP uses the encryption key to decrypt the SQL Server traffic for the session and sends it to the appliance.
The correlation DLLs in SQL Server depend on the correlation driver, which in turn depends on the traffic drivers (WFP, NMP). Without the correlation DLLs or the correlation driver, Guardium cannot decrypt traffic. The login packet for an SQL Server session is always encrypted. If the correlation DLLs or the correlation driver are missing or malfunctioning, sessions are missing their DB username, source program, and a few other fields. If the entire session is encrypted and the correlation DLLs or the driver are missing or malfunctioning, no traffic for that session reaches the collector.
The S-TAP holds back traffic for a session until it receives the encryption key. After it receives the key, it decrypts the traffic it is holding and releases it to the appliance; it then decrypts any subsequent traffic and sends that to the appliance as well. However, if the encryption key does not arrive before the CORRELATION_TIMEOUT threshold (a guard_tap.ini parameter) expires, the S-TAP gives up and sends the traffic to Guardium as is. In that case, for unencrypted traffic, the sessions are missing the DB username, source program, and other fields. With fully encrypted traffic, no traffic is seen.
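The hold-and-release behaviour described above, as an added simulation that is not Guardium code: the session identifiers, packet contents, login-packet format and the XOR stand-in for the per-session cipher are all constructed for illustration. It models the correlation of a key to a session (IPs, ports), the CORRELATION_TIMEOUT give-up, and what the appliance side then sees: a session whose key is correlated in time yields the DB username, while a session whose key never arrives is released as-is and its login fields cannot be parsed.

```python
# Added simulation of the S-TAP hold-back-until-key behaviour (not Guardium code).
# Session tuples, packet contents and the XOR "cipher" are constructed stand-ins;
# the real S-TAP decrypts TLS with the key the DLLs hand it via the correlation driver.
from dataclasses import dataclass, field
from typing import Optional

HELD, DECRYPTING, GAVE_UP = "held", "decrypting", "gave_up"

# Constructed session identifiers: (client ip, client port, server ip, server port).
SESSION_A = ("10.0.0.5", 50001, "10.0.0.10", 1433)
SESSION_B = ("10.0.0.6", 50002, "10.0.0.10", 1433)


def toy_cipher(data: bytes, key: bytes) -> bytes:
    """Symmetric XOR stand-in for the per-session encryption (constructed, not TLS)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def parse_login(payload: bytes) -> Optional[dict]:
    """Appliance-side parse of the constructed login format 'LOGIN user=.. prog=..'.
    Returns None when the bytes are still ciphertext, i.e. the session was never decrypted."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None
    if not text.startswith("LOGIN "):
        return None
    return dict(kv.split("=", 1) for kv in text[6:].split())


@dataclass
class Session:
    first_seen: float
    key: Optional[bytes] = None
    state: str = HELD
    held: list = field(default_factory=list)


class StapSimulator:
    """Holds each session's traffic until its key is correlated or CORRELATION_TIMEOUT elapses."""

    def __init__(self, correlation_timeout: float):
        self.timeout = correlation_timeout
        self.sessions: dict = {}
        self.appliance: list = []  # (session_id, payload as delivered, was_decrypted)

    def _deliver(self, sid, session: Session, payload: bytes) -> None:
        if session.key is not None:
            self.appliance.append((sid, toy_cipher(payload, session.key), True))
        else:
            self.appliance.append((sid, payload, False))  # sent to the appliance as is

    def expire(self, now: float) -> None:
        """Give up on held sessions whose key has not arrived within the timeout."""
        for sid, s in self.sessions.items():
            if s.state == HELD and now - s.first_seen >= self.timeout:
                s.state = GAVE_UP
                for p in s.held:
                    self._deliver(sid, s, p)
                s.held.clear()

    def on_packet(self, sid, payload: bytes, now: float) -> None:
        self.expire(now)
        s = self.sessions.setdefault(sid, Session(first_seen=now))
        if s.state == HELD:
            s.held.append(payload)  # buffered until the key is correlated
        else:
            self._deliver(sid, s, payload)

    def on_key(self, sid, key: bytes, now: float) -> bool:
        """Key correlated to a session by (IPs, ports). Returns False if it arrived too late."""
        self.expire(now)
        s = self.sessions.setdefault(sid, Session(first_seen=now))
        if s.state == GAVE_UP:
            return False
        s.key, s.state = key, DECRYPTING
        for p in s.held:  # release the backlog, now decrypted
            self._deliver(sid, s, p)
        s.held.clear()
        return True


def summarize(stap: StapSimulator) -> dict:
    """Per-session view of what the appliance could recover."""
    out = {}
    for sid, payload, decrypted in stap.appliance:
        entry = out.setdefault(sid, {"packets": 0, "decrypted": 0, "db_user": None})
        entry["packets"] += 1
        entry["decrypted"] += int(decrypted)
        login = parse_login(payload)
        if login and entry["db_user"] is None:
            entry["db_user"] = login.get("user")
    return out


def run_demo():
    login, query = b"LOGIN user=alice prog=sqlcmd", b"SELECT 1"   # constructed packets
    stap = StapSimulator(correlation_timeout=5.0)
    # Session A: key correlated at t=1 s, inside the timeout -> backlog decrypted and released.
    stap.on_packet(SESSION_A, toy_cipher(login, b"k1"), now=0.0)
    stap.on_key(SESSION_A, b"k1", now=1.0)
    stap.on_packet(SESSION_A, toy_cipher(query, b"k1"), now=2.0)
    # Session B: key never arrives in time; at t=6 s the timeout fires and traffic goes out as is.
    stap.on_packet(SESSION_B, toy_cipher(login, b"k2"), now=0.5)
    stap.on_packet(SESSION_B, toy_cipher(query, b"k2"), now=6.0)
    late = stap.on_key(SESSION_B, b"k2", now=7.0)  # too late: the S-TAP already gave up
    return summarize(stap), late


if __name__ == "__main__":
    print(run_demo())
```

Session A ends with both packets decrypted and the DB username recovered; session B is released undecrypted after the timeout, its login packet cannot be parsed, and the late key is rejected. That is the observable symptom the text describes for a missing or slow correlation path: the session exists but has no DB username or source program.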