Linux-UNIX: S-TAP to collector encryption

S-TAP agents can be configured to encrypt their network communication with collectors using TLS.

Guardium recommends encrypting network traffic between the S-TAP and the collector whenever possible; it should be disabled only where performance is a higher priority than security. Enabling encryption has a small performance cost. The default S-TAP configuration is no encryption, to avoid any performance impact.

Before you determine the best choice for your environment, consider the following factors:

  • Configuring the S-TAP with TLS adds encryption overhead that might affect performance on the database server where the S-TAP agent is installed. The appliance (collector) also spends time decrypting this traffic.
  • If applications and database users communicate with the database unencrypted, configuring the S-TAP agent to encrypt its traffic to the collector may not make your network safer, because the same data already crosses the network in plaintext between the clients and the database server.

In general, it makes sense to encrypt S-TAP traffic if the data that is sent to an appliance on a different network is encrypted, or if the database traffic that is monitored is network encrypted.
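The following is an added example, not part of the Guardium documentation or the product's own tooling. It turns the rule above and the stated default (no encryption unless configured) into a small audit that can be run against the S-TAP configuration file on each database server: it reads the TAP section, reports whether collector-link TLS is on, and flags hosts where the environment facts say it should be on but is not. The sample file is constructed, and the `use_tls` key name is an assumption here; check the guard_tap.ini reference for your S-TAP version before relying on it.

```python
"""Audit an S-TAP guard_tap.ini for collector-link encryption (TLS).

Added example, not Guardium's own code. The key name `use_tls` under [TAP]
is assumed; verify it against your S-TAP version's guard_tap.ini reference.
"""
import configparser
from dataclasses import dataclass, field

# Constructed sample configuration (not a real deployment file).
SAMPLE_INI = """\
[TAP]
tap_ip=10.0.0.5
sqlguard_ip=10.0.1.20
use_tls=0
"""


@dataclass
class AuditResult:
    tls_enabled: bool          # what the file actually says
    tls_recommended: bool      # what the page's rule says it should be
    reasons: list = field(default_factory=list)

    @property
    def finding(self) -> str:
        """Human-readable verdict for a host inventory report."""
        if self.tls_recommended and not self.tls_enabled:
            return "GAP: collector link unencrypted but TLS recommended (" \
                   + "; ".join(self.reasons) + ")"
        if self.tls_enabled:
            return "OK: collector link encrypted"
        return "INFO: collector link unencrypted; no recommendation triggered"


def parse_tls_setting(ini_text: str) -> bool:
    """Return True only if [TAP] explicitly enables TLS.

    The documentation states the default is no encryption, so a missing
    section or missing key is treated as disabled rather than unknown.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    if not cp.has_section("TAP"):
        return False
    # Assumed key name; guard_tap.ini uses key=value with no spaces, which
    # configparser accepts. Values other than "1" are treated as disabled.
    return cp.get("TAP", "use_tls", fallback="0").strip() == "1"


def audit(ini_text: str,
          collector_on_other_network: bool,
          db_traffic_encrypted: bool) -> AuditResult:
    """Apply the page's rule: encrypt S-TAP traffic if the collector sits on
    a different network, or if the monitored database traffic is itself
    network-encrypted (otherwise TLS on the S-TAP link adds little)."""
    reasons = []
    if collector_on_other_network:
        reasons.append("collector is on a different network")
    if db_traffic_encrypted:
        reasons.append("monitored database traffic is network-encrypted")
    return AuditResult(
        tls_enabled=parse_tls_setting(ini_text),
        tls_recommended=bool(reasons),
        reasons=reasons,
    )


if __name__ == "__main__":
    # Example run for one host: collector on another network, DB traffic in
    # plaintext. The sample file has use_tls=0, so this reports a GAP.
    result = audit(SAMPLE_INI, collector_on_other_network=True,
                   db_traffic_encrypted=False)
    print(result.finding)
```

In a fleet-wide check, the two environment facts would come from your inventory (network segment of the collector, whether the database listener enforces TLS) rather than being passed by hand, and the `finding` string per host is what you would feed into a report; the parsing deliberately treats an absent key as disabled so a freshly installed agent is never mistaken for an encrypted one.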

Encryption is enabled during the inspection engine configuration, and can be modified at any time.