How to Check if DataSunrise Receives Traffic From the Client Application and Protected Database
Basically, the first thing to be done is to check the Dashboard to determine if a connection is established with DataSunrise Security Suite proxy. The established connections count is shown in the Dashboard section:
For example, in this screenshot you can see that there are 3 connections established, they can be seen in the Proxies list -> Sessions columns. Also according to the Active Audited Sessions section, 2 of these belong to the DBeaver application which is connected to the proxy.
Further, from this document you will learn in more detail how to check if all the required connections are established correctly.
You will need to install the specific tools that will help you capture the required traffic.
All of the installations should be made on a machine where DataSunrise Security Suite is installed.
In case traffic capture is done on a machine running Windows OS, it is recommended to use the tool called Wireshark: https://www.wireshark.org/download/
In case the capture is done on a UNIX-based OS the recommended tool is Tcpdump: https://en.wikipedia.org/wiki/Tcpdump
sudo yum install –y tcpdump
To determine if traffic flows between a database, client and DataSunrise, it is necessary to know the IP addresses of:
- Database server
- DataSunrise server
- Client application machine
- Proxy port number
As soon as you get the information about the IP-addresses you can start the checking process.
IMPORTANT: make sure that all the preparations on the DataSunrise side (the instance is configured, and Proxy is listening on the desired port number) and the Client Application side (client application is configured to connect to the DataSunrise proxy) are made correctly.
Linux Checking Process
After the Tcpdump package is correctly installed execute the following command replacing the IP values with those that correspond to your environment:
sudo tcpdump -nn --number \(host DatabaseIP and host DataSunrise\) or \(host DataSunriseIP and host ClientIP\) and ProxyPort
The Tcpdump application will start listening for the connections that are established according to the filter you have specified.
Now you need to establish a connection with the DataSunrise proxy and check if the desired connection has been established properly from the client application IP address to the DataSunrise IP address and from the DataSunrise IP address to the Database IP address.
Let us try to run a test and see what happens when I try to connect to an Amazon EC2 machine where DataSunrise is installed and DataSunrise is configured to protect a MySQL database. The IP addresses for the test environment:
172.31.17.62 - Database 172.31.14.182 - DataSunrise 18.104.22.168 - Client application 3306 – Proxy port
As you can see here, on establishing a connection the Client application connected from port 27217 to the DataSunrise machine IP address to port 3306 (line 1) and after this DataSunrise connected to the Database itself from port 47000 to port 3306 (line 4). The MySQL database also answers to DataSunrise (line 5) and doesn’t answer to the client application directly. This means that the connection has been established correctly and the client application connects right to the DataSunrise hostname.
In the WireShark user interface, you will need to specify a filter in the filter text field.
To identify the traffic correctly you will need to enter the following filter replacing the IP values with those that correspond to your environment:
((ip.addr==DataSunriseIP and ip.addr==ClientIP) and tcp.port == ProxyPort) or (ip.addr==DatabaseIP and ip.addr==DataSunriseIP)
After the filter is specified, just like for Linux you will need to try to establish a connection with the DataSunrise proxy and check if all the connections go properly to the desired targets.
Let us try to run a test and see what happens when I try to connect to the machine where DataSunrise is installed and DataSunrise is configured to protect a PostgreSQL database. The IP addresses for the test environment:
22.214.171.124 - Database 192.168.1.35 - DataSunrise 192.168.1.109 - Client application 5433 – Proxy port
As you can see in the screenshot, when I press on the test connection button on the client machine, the traffic goes from ClientIP to the DataSunriseIP address through port 5433 (line 191). After that DataSunrise starts to resent traffic to the DatabaseIP (line 194). There are also many other lines that prove that the traffic goes to the PostgreSQL server (Protocol Column). For example, line 198 shows that DataSunrise sent traffic to the Database and then line 200 shows that the Database sent its response to DataSunrise using the PGSQL protocol.
This means that the traffic goes directly to the desired DataSunrise machine IP address.