External S-TAP

IBM® Guardium® External S-TAP® is a component of Guardium that can intercept traffic for cloud and on-premises database services without installing an agent on the database server. The External S-TAP component is available as a Docker image that can be installed in any supported environment.

External S-TAP intercepts traffic between clients and the database server, and forwards a copy of the traffic to a Guardium collector for analysis and policy application. As shown in Figure 1, you can use External S-TAP with either cloud or on-premises databases.

Figure 1. External S-TAP overview
Traffic from database clients is sent to a load balancer and then to one or more External S-TAP monitors. Each External S-TAP forwards the traffic to the database server (the host data store), which can be on premises or in the cloud, and sends a copy to the Guardium collector.

As shown in Figure 1, all elements of a Guardium system that use External S-TAP can be either on premises or in the cloud. External S-TAP is highly configurable: most options are set during deployment, as discussed in External S-TAP deployment scripts. Load balancing can be done with either a hardware appliance or software. For more information about deploying a load-balancing solution, see Load balancer scripts.

The Guardium External S-TAP Docker container

Docker containers provide a way to package software so that you can easily download and manage it. Depending on your site configuration, the Guardium External S-TAP Docker image can be downloaded either directly from the Docker store or, for computers without internet access, from a private image registry to which an administrator has pushed the image.

A Docker container runs an image, which is a packaged software solution (in this case, an External S-TAP) that runs on the External S-TAP host. You can run multiple containers on the machine that serves as the External S-TAP host.

Before you deploy an External S-TAP

Assuming that your site is already using Guardium, the following steps are needed for each database where you want to run an External S-TAP container.
  1. If the database traffic is encrypted (that is, the database is SSL-enabled), you need to work with a certificate authority (CA) to provision the Guardium collector with the appropriate certificates. Allow time for this step, since it involves an outside party (the CA). For more information, see Obtain SSL certificates for External S-TAP. If your environment is not SSL-enabled, you can skip this step.
  2. Make sure that a Linux environment is available. Docker must be installed and running on Linux. For more information, see https://www.docker.com/ and Download the Docker container.
  3. Prepare the load balancer and External S-TAP deployment scripts. For more information, see External S-TAP deployment scripts.

After you deploy the External S-TAP, it runs automatically. You can manage the External S-TAP from Guardium. For more information, see The External S-TAP user interface.

External S-TAP requirements

External S-TAP is available for Microsoft SQL (SSL-enabled) or Oracle databases (with or without SSL), either on-premises or cloud-based (AWS for Oracle, Azure for MSSQL).

A load-balancing solution is required. A script to help configure your load balancer is provided for your convenience.

If the External S-TAP container host is an on-premises physical or virtual machine, the host must meet the following requirements:

  • An x86_64 processor.
  • At least 500 MB of RAM and 2 GB of storage.
  • Linux kernel version 3.10 or higher (the latest available kernel is recommended).
  • iptables 1.4 or higher.
  • Docker (either Docker CE or Docker EE) 1.12.16 or higher.
  • Ability to use UNIX domain sockets.
    Important: For on-premises installations, it is recommended that you enable public-key SSH authentication for the user who starts the containers on the host systems. The deployment script connects to the host systems over ssh multiple times; public-key authentication avoids repeated password prompts.

In addition, all installations, either on-premises or in the cloud, must meet the following requirements:

  • For Docker, make sure that the installing user has the privileges needed to create containers on every host. Note that the ability to run docker commands (for example, membership in the docker group) is equivalent to root access on that host, so grant it only to the deployment user.
  • Ensure that network access is available to either the Docker store or to a private Docker registry to which an administrator can push images from the Docker store.
  • Database clients must be able to connect to the External S-TAP host over TCP, and the External S-TAP host must be able to connect to the database server over TCP.
  • Place all External S-TAP hosts in the network topology so that they sit between the clients and the database host. Ideally, the latency between the client, the External S-TAP host, and the database service is as low as possible.
  • Restrict access to the External S-TAP host. Every database session passes through it, so anyone with shell or Docker access on the host can read or tamper with that traffic.
  • Docker uses the kernel core pattern of the host to determine where to place core files. On some systems, the default path is not appropriate from the container's perspective. To make sure that core files are stored correctly, use the following pattern:
    '/tmp/core.%t.%e.%p'
    For example, on the External S-TAP host where a container runs, enter the following command to set the core pattern:
    echo '/tmp/core.%t.%e.%p' | sudo tee /proc/sys/kernel/core_pattern
    Writing to /proc/sys does not survive a reboot; to make the setting persistent, also set kernel.core_pattern in a file under /etc/sysctl.d. A core file is an image of the process's memory and may contain buffered database traffic, so restrict who can read core files on the host.
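The host requirements above and the core-pattern setting can be checked before deployment. The following script is an added example, not IBM's deployment script: it applies the thresholds this page states (x86_64, kernel 3.10, iptables 1.4, Docker 1.12.16, 500 MB RAM, 2 GB storage, the recommended core pattern) to values read from standard Linux interfaces, and the set_core_pattern function applies the pattern both immediately and persistently. The paths /var/lib/docker and /etc/sysctl.d/90-external-stap.conf are assumptions.

```shell
#!/bin/sh
# Pre-flight checks for a prospective External S-TAP container host.
# Added example, not IBM's deployment script. Thresholds are the ones
# stated in the requirements list; paths and commands are standard Linux.

# version_ge ACTUAL MINIMUM: exit 0 when ACTUAL >= MINIMUM. A leading "v"
# and suffixes such as "-91-generic" (uname -r) or " (nf_tables)" (iptables)
# are ignored; missing fields count as 0, so 1.12.16 >= 1.12 holds.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        sub(/^v/, "", a); sub(/^v/, "", b)
        sub(/[^0-9.].*$/, "", a); sub(/[^0-9.].*$/, "", b)
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i in x) ? x[i] + 0 : 0
            yi = (i in y) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

check_arch()         { [ "$1" = x86_64 ]; }                   # uname -m
check_kernel()       { version_ge "$1" 3.10; }                # uname -r
check_iptables()     { version_ge "$1" 1.4; }                 # iptables --version
check_docker()       { version_ge "$1" 1.12.16; }             # docker server version
check_mem_kb()       { [ "$1" -ge $((500 * 1024)) ]; }        # MemTotal, in kB
check_disk_kb()      { [ "$1" -ge $((2 * 1024 * 1024)) ]; }   # free space, in kB
check_core_pattern() { [ "$1" = '/tmp/core.%t.%e.%p' ]; }     # kernel.core_pattern

# report LABEL CHECK VALUE: print one line per check and remember any failure.
report() {
    if "$2" "$3"; then printf 'ok    %-13s %s\n' "$1" "$3"
    else printf 'FAIL  %-13s %s\n' "$1" "$3"; failed=1; fi
}

# run_checks: read the live values from this host and evaluate every check.
# Returns 0 only when all checks pass. /var/lib/docker is an assumed path.
run_checks() {
    failed=0
    report arch         check_arch         "$(uname -m)"
    report kernel       check_kernel       "$(uname -r)"
    report iptables     check_iptables     "$(iptables --version 2>/dev/null | awk '{print $2}')"
    report docker       check_docker       "$(docker version --format '{{.Server.Version}}' 2>/dev/null)"
    report memory_kb    check_mem_kb       "$(awk '/^MemTotal:/ {print $2}' /proc/meminfo)"
    report disk_kb      check_disk_kb      "$(df -Pk /var/lib/docker 2>/dev/null | awk 'NR==2 {print $4}')"
    report core_pattern check_core_pattern "$(cat /proc/sys/kernel/core_pattern)"
    return "$failed"
}

# set_core_pattern: apply the recommended pattern now (as the page shows) and
# persist it across reboots via a sysctl.d file (assumed name).
set_core_pattern() {
    echo '/tmp/core.%t.%e.%p' | sudo tee /proc/sys/kernel/core_pattern >/dev/null
    printf 'kernel.core_pattern = /tmp/core.%%t.%%e.%%p\n' \
        | sudo tee /etc/sysctl.d/90-external-stap.conf >/dev/null
}

if [ "${1:-}" = --run ]; then run_checks; fi
```

Run it as `sh preflight.sh --run` on each candidate host before handing the host list to the deployment script; a non-zero exit means at least one requirement is unmet, and the printed value shows what the host actually reported.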