Best practices for using External S-TAPs with on-premises databases

To use External S-TAPs with on-premises databases, you need to take a few steps to prepare both your database and the External S-TAP. Examples are shown using PostgreSQL.

To use an External S-TAP solution with an on-premises database, make sure that:
  • All remote traffic can be directed through the External S-TAPs by using TCP/IP.
  • You have decided whether to use mutual authentication for the on-premises databases. If you do use mutual authentication, local traffic to the database is allowed only through an unencrypted named pipe protocol, which is monitored by an S-TAP. For more information, see Manage certificates for mutual authentication.
  • Your site configures the firewall to block both local and remote TCP/IP traffic to the database except from the External S-TAP hosts. For more information, see Set up a firewall on Linux.

Prepare the deployment

Gather the following information about your database:
  • The database IP address or host name and ports.
  • Whether the database is SSL-enabled (encrypted).
  • Whether the database uses mutual authentication.

Set up the solution to monitor databases

To monitor databases with an External S-TAP, you need both an S-TAP and an External S-TAP. The S-TAP is required to monitor local traffic, and the External S-TAP monitors remote traffic.

To prepare the solution, take the following steps:

  1. Install an S-TAP on the database host and add (or modify) an inspection engine that accepts local traffic, so that the local connection to the database is monitored. Use an unencrypted named pipe (npipe) for the S-TAP.
    Note: When you install an S-TAP to use with an External S-TAP, set the intercept type to npipe for each database you want to monitor, as follows:
    • From the GUI, under Inspection Engine, set Intercept Types to npipe.
    • From the interactive installer, set intercept_types=npipe in the guard_tap.ini file.

    For more information about installing an S-TAP, see Linux-UNIX: Install S-TAP agents installation flow.

  2. Deploy the External S-TAP to monitor remote connections by using the TCP/IP protocol. For more information, see Inspection engine tab or External S-TAP deployment scripts, depending on your deployment method. If you use mutual authentication, the root certificates that are used by the External S-TAPs must be the same as the root certificates for the database.
  3. Secure your database by setting up the firewall. Make sure that all remote traffic goes through the External S-TAPs.

Manage certificates for mutual authentication

To use the mutual authentication option with External S-TAPs, the External S-TAP certificate must be signed by the same certificate authority (CA) as the host database certificate.

When you create the External S-TAP certificate, the CN (Common Name) parameter is required. For mutual authentication, make sure that the CN of the certificate that is used by the External S-TAP is the same as the External S-TAP host name. In addition, if you use a load balancer, use the same certificate CN as the end point of the load balancer.

Set up a firewall on Linux

Use the following example to configure iptables to prevent direct access to your on-premises database. In this example:
  • The PostgreSQL database listen port is 5432.
  • External S-TAPs are installed on 172.17.0.3 and 172.17.0.4.

The following code example configures iptables to prevent direct access to PostgreSQL:

# Reject direct TCP/IP access to the PostgreSQL port from any host
iptables -I INPUT -p tcp --dport 5432 -j REJECT
# Allow access only from the External S-TAP hosts (the IPs must match your deployment).
# These rules are inserted after the REJECT, so "-I" places them above it in the chain.
iptables -I INPUT -p tcp --src 172.17.0.3 --dport 5432 -j ACCEPT
iptables -I INPUT -p tcp --src 172.17.0.4 --dport 5432 -j ACCEPT
# If PostgreSQL runs in a Docker container, traffic to the published port is filtered
# in the DOCKER-USER chain rather than INPUT (the chain exists only when Docker is installed)
iptables -I DOCKER-USER -p tcp --src 172.17.0.3 --dport 5432 -j ACCEPT
iptables -I DOCKER-USER -p tcp --src 172.17.0.4 --dport 5432 -j ACCEPT
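Because each "iptables -I" inserts at the top of the chain, running the ACCEPT lines before the REJECT would leave the REJECT first and cut off the External S-TAPs. The following script is an added example, not part of IBM's documentation: it checks an INPUT chain listing in the format that "iptables -S INPUT" prints and confirms that every External S-TAP address has an ACCEPT above the catch-all REJECT. The listings, port and addresses are constructed to match the example above.

```shell
#!/bin/sh
# Added example, not IBM's code: verify the order of the PostgreSQL rules in
# an INPUT chain listing. Rule order matters because "iptables -I" inserts at
# the top, so the per-host ACCEPT rules must end up above the catch-all REJECT.
# The two listings below are constructed samples in "iptables -S" format.

# check_input_chain LISTING PORT IP...: succeed only if, for PORT, every IP has
# an ACCEPT rule that precedes the first catch-all REJECT/DROP and such a
# catch-all exists; print what is missing otherwise.
check_input_chain() {
    listing="$1"; port="$2"; shift 2
    printf '%s\n' "$listing" | awk -v port="$port" -v ips="$*" '
    BEGIN { n = split(ips, want, " ") }
    $1 != "-A" || $2 != "INPUT" { next }          # only rules in the INPUT chain
    {
        dport = ""; src = ""; target = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "--dport") dport = $(i + 1)
            if ($i == "-s" || $i == "--src") src = $(i + 1)
            if ($i == "-j") target = $(i + 1)
        }
        if (dport != port) next
        sub(/\/32$/, "", src)                      # iptables -S prints hosts as a.b.c.d/32
        if (target == "ACCEPT" && src != "" && !blocked) seen[src] = 1
        if ((target == "REJECT" || target == "DROP") && src == "") blocked = 1
    }
    END {
        rc = 0
        for (k = 1; k <= n; k++)
            if (!(want[k] in seen)) { print "no ACCEPT for " want[k] " above the port " port " REJECT"; rc = 1 }
        if (!blocked) { print "no catch-all REJECT/DROP for port " port; rc = 1 }
        exit rc
    }'
}

# Constructed: the order the commands above produce (ACCEPTs inserted after
# the REJECT, so they sit above it).
GOOD_LISTING='-P INPUT ACCEPT
-A INPUT -s 172.17.0.4/32 -p tcp -m tcp --dport 5432 -j ACCEPT
-A INPUT -s 172.17.0.3/32 -p tcp -m tcp --dport 5432 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5432 -j REJECT --reject-with icmp-port-unreachable'

# Constructed: the REJECT was inserted last, so it shadows both ACCEPTs.
BAD_LISTING='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 5432 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 172.17.0.4/32 -p tcp -m tcp --dport 5432 -j ACCEPT
-A INPUT -s 172.17.0.3/32 -p tcp -m tcp --dport 5432 -j ACCEPT'

# Demo on the samples: sh this_script.sh demo
if [ "${1:-}" = demo ]; then
    check_input_chain "$GOOD_LISTING" 5432 172.17.0.3 172.17.0.4 && echo "good listing: OK"
    check_input_chain "$BAD_LISTING" 5432 172.17.0.3 172.17.0.4 || echo "bad listing: rejected"
fi
```

On the database host, run the check against the live chain with check_input_chain "$(iptables -S INPUT)" 5432 172.17.0.3 172.17.0.4 (as root). The function deliberately ignores ACCEPT rules that appear after the catch-all REJECT, because iptables stops at the first matching rule and those ACCEPTs would never be reached.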

Additional notes about certificates for External S-TAPs

The host parameter that the database client uses to connect must match the CN of the certificate that the client gets in the TLS handshake, that is:

  • If the client connects to the server directly, the host parameter must match the CN of the certificate on the PostgreSQL or MySQL server.
  • If the client connects to the server via an External S-TAP, set the host parameter to the host of the External S-TAP. Make sure that the CN of the External S-TAP certificate matches the host parameter in the command.
  • If the External S-TAP uses a TCP/IP load balancer, set the host parameter to the host or domain name of the load balancer. Make sure that the CN of the External S-TAP certificate matches the host parameter.
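The two certificate requirements stated in Manage certificates for mutual authentication and in the notes above (the External S-TAP certificate is signed by the same CA as the database certificate, and its CN equals the host name that clients connect to) can be checked with openssl. The following script is an added example, not IBM's code or the product's own tooling: it builds a throwaway CA, issues a database certificate and an External S-TAP certificate from it, and verifies both properties. The CA name, host names and file names are constructed assumptions; in a real deployment the certificates come from your site's CA.

```shell
#!/bin/sh
# Added example, not IBM's code: a throwaway CA that signs both the database
# server certificate and the External S-TAP certificate, with checks for the
# two requirements above. All host names and file names are constructed.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# make_ca NAME: self-signed CA key and certificate at $WORKDIR/NAME.{key,crt}.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$1" \
        -keyout "$WORKDIR/$1.key" -out "$WORKDIR/$1.crt" 2>/dev/null
}

# issue_cert CA NAME CN: key, CSR and CA-signed certificate for one host.
issue_cert() {
    ca="$1"; name="$2"; cn="$3"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" \
        -keyout "$WORKDIR/$name.key" -out "$WORKDIR/$name.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$WORKDIR/$name.csr" \
        -CA "$WORKDIR/$ca.crt" -CAkey "$WORKDIR/$ca.key" -CAcreateserial \
        -out "$WORKDIR/$name.crt" 2>/dev/null
}

# cn_of CERT: print the Common Name of CERT.
cn_of() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed 's/^.*CN=\([^,]*\).*$/\1/'
}

# signed_by CERT CA: succeed only if CERT validates against CA's certificate.
signed_by() {
    openssl verify -CAfile "$WORKDIR/$2.crt" "$1" >/dev/null 2>&1
}

# check_estap_cert CERT CA HOST: the External S-TAP certificate is acceptable
# only if it chains to the database's CA and its CN equals the External S-TAP
# host name (or the load-balancer end point) that clients connect to.
check_estap_cert() {
    if ! signed_by "$1" "$2"; then
        echo "$1 is not signed by CA $2" >&2; return 1
    fi
    cn=$(cn_of "$1")
    if [ "$cn" != "$3" ]; then
        echo "CN '$cn' does not match host '$3'" >&2; return 1
    fi
}

# Demo: sh this_script.sh demo
if [ "${1:-}" = demo ]; then
    make_ca site-ca
    issue_cert site-ca db "db01.example.internal"          # database server certificate
    issue_cert site-ca estap "estap01.example.internal"    # External S-TAP certificate
    check_estap_cert "$WORKDIR/estap.crt" site-ca estap01.example.internal && echo OK
fi
```

When a load balancer fronts the External S-TAPs, pass the load balancer's host or domain name as the HOST argument, since that is the name the client puts in its host parameter. An existing External S-TAP certificate can be checked against your site's CA file with the same two primitives: openssl verify -CAfile for the chain and cn_of for the name.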

PostgreSQL notes

To use PostgreSQL with mutual authentication, make sure that the host parameter that is used by the client matches the CN of the certificate of the External S-TAP.
Note: You can use a wildcard to match the certificate CN.
For PostgreSQL, the METHOD field in the pg_hba.conf file controls the client authentication method. External S-TAP supports the following methods:
  • trust, trust clientcert=1
  • md5, md5 clientcert=1
  • password, password clientcert=1
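To find pg_hba.conf entries that fall outside this list before an External S-TAP is put in front of the database, the following added script (not IBM's code) parses each entry and reports any METHOD, or any option other than clientcert=1, that is not one of the combinations listed above. It handles the three address layouts pg_hba.conf allows (no ADDRESS for local entries, CIDR, and separate IP-address plus IP-mask). The sample files are constructed for the demo.

```shell
#!/bin/sh
# Added example, not IBM's code: flag pg_hba.conf entries whose METHOD (plus
# optional clientcert=1) is not one of the combinations listed above. The
# sample files written below are constructed for the demo.

# check_pg_hba FILE: print every entry outside the supported list; exit 0
# when all entries are supported, 1 otherwise.
check_pg_hba() {
    awk '
    NF == 0 || $1 ~ /^#/ { next }                  # blank lines and comments
    {
        # TYPE DATABASE USER [ADDRESS] METHOD [OPTIONS]
        if ($1 == "local") {
            m = 4                                  # local entries have no ADDRESS
        } else if ($4 !~ /\// && $5 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
            m = 6                                  # "IP-address IP-mask" form
        } else {
            m = 5                                  # CIDR or host-name form
        }
        ok = ($m == "trust" || $m == "md5" || $m == "password")
        for (i = m + 1; i <= NF; i++)
            if ($i != "clientcert=1") ok = 0       # only clientcert=1 is in the list
        if (!ok) { print "not in supported list: " $0; bad = 1 }
    }
    END { exit bad ? 1 : 0 }' "$1"
}

# Constructed sample: every entry is one of the listed combinations. The
# hostssl entries admit TCP/IP connections only from the External S-TAP hosts.
write_supported_sample() {
    cat > "$1" <<'EOF'
# TYPE  DATABASE  USER  ADDRESS                       METHOD
local   all       all                                 trust
hostssl all       all   172.17.0.3/32                 md5 clientcert=1
hostssl all       all   172.17.0.4 255.255.255.255    password clientcert=1
EOF
}

# Constructed sample: three entries that are not in the list above.
write_unsupported_sample() {
    cat > "$1" <<'EOF'
local   all       all                                 peer
hostssl all       all   172.17.0.3/32                 md5 clientcert=verify-full
host    all       all   10.0.0.0/8                    scram-sha-256
EOF
}

# Demo on the samples: sh this_script.sh demo
if [ "${1:-}" = demo ]; then
    f=$(mktemp); write_supported_sample "$f"
    check_pg_hba "$f" && echo "supported sample: OK"
    g=$(mktemp); write_unsupported_sample "$g"
    check_pg_hba "$g" || echo "unsupported sample: entries found"
fi
```

Run check_pg_hba against the live file (for example, check_pg_hba "$(psql -Atc 'SHOW hba_file')" as the postgres user) before switching client traffic to the External S-TAP; every line it prints is an entry whose authentication method is outside the list above.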