Blocking rule actions
This section describes S-TAP Terminate and S-GATE rule actions.
S-TAP Terminate
The S-TAP Terminate action terminates a database connection (a session) and prevents additional requests on that session. This action is available in the S-TAP regardless of whether S-GATE is used.
Note: With S-TAP Terminate, the triggering request is not usually blocked, but additional requests from that session are blocked. At a high request rate, more than one request may go through before the session is terminated.
S-GATE
S-GATE provides database protection via the S-TAP for both network and local connections. When S-GATE is available, all database connections (sessions) are evaluated and tagged for monitoring in one of the following S-GATE modes:
- Attached (S-GATE is "on"): S-TAP is in firewalling mode for that session: it holds each database request and waits for a verdict on it before releasing the response. Latency is expected in this mode, but it ensures that rogue requests are blocked rather than merely logged.
- Detached (S-GATE is "off"): S-TAP is in normal monitoring mode for that session, and it passes requests to the database server without any delay. Latency is not expected in this mode.
The default S-GATE mode can be changed in real time for a session by using the following S-GATE policy rule actions:
- S-GATE Attach: sets S-GATE mode to "Attached" for a specific session. Intended for use when a criterion is met that calls for closely watching (and, if necessary, blocking) the traffic on that session.
- S-GATE Detach: sets S-GATE mode to "Detached" for a specific session. Intended for sessions that are considered safe or that cannot tolerate any latency.
- S-GATE Terminate: applies only to a session that is attached. It drops the reply of the firewalled request and, on some databases, terminates the session, so a previously watched session ends. On a detached session the action has no effect, so attach the session first.
Notes:
- The S-TAP Terminate and S-GATE Terminate actions do not work on a client IP group whose members contain wildcard characters; each member must be a single IP address. To cover multiple IPs, list each address as an explicit member of a group of trusted or untrusted clients or users and reference that group in the policy rules.
- There are limitations for using S-GATE with A-TAP on older Linux kernels. For S-TAP V10.1.2 and later, S-GATE is supported everywhere except on Linux with A-TAP on kernels earlier than 2.6.36.
- For MySQL databases, the default command line connection is
mysql -u <user> -p<pass> <dbname>
In this mode, the MySQL client first reads the names of all tables and columns in the database to support tab-key auto-completion. A terminate rule that matches any object or field touched during this mapping terminates the session immediately at login, before the user issues a query. To avoid this, connect with the -A (--no-auto-rehash) flag, which disables auto-completion so the mapping queries are never sent and the terminate rule is not triggered. Alternatively, narrow the rule so that it does not fire on every access to these objects or fields, defining criteria that the login sequence does not match.
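The following Python model is added here as an illustration; it is not Guardium code and not part of this page. It plays the rule actions above against a constructed request stream so the ordering differences become visible: S-TAP Terminate lets the triggering request (and, at a high request rate, a further request) through before the session is blocked, S-GATE Terminate drops the held request only when the session is attached, and a terminate rule that matches the metadata queries a mysql client sends at login kills the session before the user types anything, while a narrower rule does not. The names Request, Rule, Session and run, the rule fields, the address 10.0.0.5 and the statements in LOGIN_REHASH are all assumptions; the login statements are a constructed approximation of the client's auto-rehash traffic, not a capture. The IP match is deliberately an exact membership test, mirroring the note that Terminate actions work only with single addresses, not wildcards.

```python
"""Toy model of the S-TAP Terminate and S-GATE rule actions described on
this page. Added example, not Guardium code: all names, rule fields and
sample traffic are assumptions made for illustration only."""
from dataclasses import dataclass
from typing import List

STAP_TERMINATE = "S-TAP Terminate"
SGATE_ATTACH = "S-GATE Attach"
SGATE_DETACH = "S-GATE Detach"
SGATE_TERMINATE = "S-GATE Terminate"


@dataclass(frozen=True)
class Request:
    client_ip: str
    sql: str


@dataclass(frozen=True)
class Rule:
    # Explicit member IPs only: wildcard members are not supported for the
    # Terminate actions, so a client group is modelled as a set of addresses.
    client_ips: frozenset
    sql_contains: str      # substring of the statement that triggers the rule
    action: str

    def matches(self, req: Request) -> bool:
        return req.client_ip in self.client_ips and self.sql_contains.lower() in req.sql.lower()


class Session:
    """One database connection as S-TAP sees it."""

    def __init__(self, rules, attached=False, pipeline_depth=0):
        self.rules = list(rules)
        self.attached = attached              # S-GATE "on" for this session
        self.pipeline_depth = pipeline_depth  # requests in flight before a verdict lands (detached only)
        self.terminated = False
        self.grace = 0                        # requests still let through after S-TAP Terminate fired

    def _verdict(self, req: Request):
        for rule in self.rules:               # first matching rule wins
            if rule.matches(req):
                return rule.action
        return None

    def send(self, req: Request) -> str:
        """Return 'executed', 'dropped' (held by S-GATE and blocked) or 'blocked' (session gone)."""
        if self.terminated:
            if self.grace > 0:                # high request rate: verdict not yet enforced
                self.grace -= 1
                return "executed"
            return "blocked"
        action = self._verdict(req)
        if action == SGATE_TERMINATE:
            if self.attached:
                self.terminated = True        # held request never gets its reply
                return "dropped"
            return "executed"                 # detached session: the action has no effect
        if action == STAP_TERMINATE:
            self.terminated = True
            self.grace = 0 if self.attached else self.pipeline_depth
            return "executed"                 # triggering request is not usually blocked
        if action == SGATE_ATTACH:
            self.attached = True
        elif action == SGATE_DETACH:
            self.attached = False
        return "executed"


def run(rules, requests, attached=False, pipeline_depth=0) -> List[str]:
    session = Session(rules, attached, pipeline_depth)
    return [session.send(r) for r in requests]


CLIENT = "10.0.0.5"
TRUSTED = frozenset({CLIENT})
# Constructed approximation of a "mysql -u user -p<pass> shop" login without -A:
# the client reads table and column names for tab completion before the user
# types anything. The exact statements vary by client version.
LOGIN_REHASH = [
    Request(CLIENT, "SHOW TABLES"),
    Request(CLIENT, "SHOW COLUMNS FROM customers"),
    Request(CLIENT, "SHOW COLUMNS FROM payments"),
]
USER_QUERIES = [
    Request(CLIENT, "SELECT id FROM customers"),
    Request(CLIENT, "SELECT card_number FROM payments"),
    Request(CLIENT, "SELECT 1"),
]

# Too broad: any access to "payments" fires, so the rehash kills the session at login.
BROAD = [Rule(TRUSTED, "payments", STAP_TERMINATE)]
# Narrower: only the sensitive column fires, so the login sequence survives.
NARROW = [Rule(TRUSTED, "card_number", STAP_TERMINATE)]
# S-GATE: attach first so that the terminate verdict drops the request itself.
GATED = [Rule(TRUSTED, "SHOW TABLES", SGATE_ATTACH),
         Rule(TRUSTED, "card_number", SGATE_TERMINATE)]

if __name__ == "__main__":
    for name, rules in (("broad", BROAD), ("narrow", NARROW), ("gated", GATED)):
        print(name, run(rules, LOGIN_REHASH + USER_QUERIES))
    print("narrow, high rate", run(NARROW, LOGIN_REHASH + USER_QUERIES, pipeline_depth=1))
```

Running it shows the broad rule blocking everything after the third login statement, the narrow rule letting the whole login through and blocking only after the card_number query has executed, and the gated variant dropping that query outright. Setting pipeline_depth to 1 reproduces the high-rate caveat: one more request executes after the S-TAP Terminate verdict.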