Imperva Cyber Community


Is there a limitation on blocking when my windows server + MSSQL has DH?

  • 1.  Is there a limitation on blocking when my windows server + MSSQL has DH?

    Posted 09-03-2020 14:02
    Hi Everyone

    I come again for your help. I just installed an agent on:

    Windows 2016 + MSSQL (it's in the list of the ACP)
    Agent version: Imperva-ragent-Windows-b14.4.0.20.0.596392

    The issue: the agent is not blocking.

    It has advanced monitoring configured as follows:
    <external-traffic-monitoring-in-kern>1</external-traffic-monitoring-in-kern>
    <mssql-advanced-monitoring>1</mssql-advanced-monitoring>

    Agent in sniffing mode (should it be in inline mode?)

    Also we have DH enabled on the server.

    Any idea what I'm missing?


    #DatabaseActivityMonitoring
    #ImpervaAgent

    ------------------------------
    Freddy Brito
    Daitek S.A.
    Buenos Aires, Argentina
    ------------------------------


  • 2.  RE: Is there a limitation on blocking when my windows server + MSSQL has DH?

    Posted 09-03-2020 14:08
    When you apply this configuration

    <external-traffic-monitoring-in-kern>1</external-traffic-monitoring-in-kern>
    <mssql-advanced-monitoring>1</mssql-advanced-monitoring>

    have you restarted the agent after putting in this command?

    ------------------------------
    alejandro hernandez
    Mexico City
    ------------------------------



  • 3.  RE: Is there a limitation on blocking when my windows server + MSSQL has DH?

    Posted 09-03-2020 14:11
    Hi Alejandro.

    Yes. I restarted the agent.

    Best regards

    --
    Freddy Brito
    freddy.brito@daitek.com.ar

    Avda Corrientes 3360 Piso 12

    C1193AAS - CABA - Argentina

    t + 54 11 5275 9710 | c +54 11 9 2653 9420 

    info@daitek.com.ar | www.daitek.com.ar






  • 4.  RE: Is there a limitation on blocking when my windows server + MSSQL has DH?

    Posted 09-04-2020 04:01
    Hello,

    Have you checked your operation mode? It should be active in order to block requests, not simulation.

    https://docs.imperva.com/bundle/v13.6-web-application-firewall-user-guide/page/458.htm

    Br,

    ------------------------------
    Sabajete Elezaj
    SNT Albania
    ------------------------------



  • 5.  RE: Is there a limitation on blocking when my windows server + MSSQL has DH?

    Posted 09-04-2020 08:49
    Hi Sabajete

    Yes, I'm in active mode.

    [screenshot]

    And the Agent

    [screenshot]
    [screenshot]




    Any idea?

    Best regards








  • 6.  RE: Is there a limitation on blocking when my windows server + MSSQL has DH?

    Posted 09-04-2020 11:53
    Hi Everyone

    Here I come with the reason for this issue in Windows + MSSQL.

    This is related to a known bug, AGNT-9013.

    For Agent v14.4 Patch 10 it was fixed according to the Agent 14.4 release notes (check the attachment). However, the online documentation says the following:
    https://docs.imperva.com/bundle/v14.4-agent-release-notes/page/release-highlights.htm

    And support told me that blocking is only supported with the agent in sniffing mode; hence this is best-effort only and "we cannot guarantee 100% blocking".

    But I also noticed blocking in Win2012 and not in Win2016.

    Regards



    ------------------------------
    Freddy Brito
    Daitek S.A.
    CABA AGU
    ------------------------------




  • 7.  RE: Is there a limitation on blocking when my windows server + MSSQL has DH?

    Posted 09-08-2020 15:58
    Freddy,
    In this scenario, the agent has to be in sniffing mode.  Because this is a best effort blocking, some items will get through.  I find it very useful to pair a short or long block to a block event.  In this scenario, if an IP triggers a block action, with a long block followed action, that IP will be unable to do anything against the DB for a while.

    ------------------------------
    Paul Hammons
    Imperva Senior Sales Engineer
    Cape Coral, Florida
    ------------------------------



  • 8.  RE: Is there a limitation on blocking when my windows server + MSSQL has DH?

    Posted 09-09-2020 15:31
    Thanks Paul

    But I'm not able to block yet. Once I resolve this I'll try what you suggested.

    Thanks

    Best regards











  • 9.  RE: Is there a limitation on blocking when my windows server + MSSQL has DH?

    Posted 09-10-2020 12:29
    Freddy,
    When testing this, remember the first attempt will probably not be blocked; you should try it multiple times.
    A great test for this is to block on a query that returns a large dataset. If the dataset is large enough, it gives our system time to initiate the block, even in sniffing mode.

    ------------------------------
    Paul Hammons
    Imperva Senior Sales Engineer
    Cape Coral, Florida
    ------------------------------



  • 10.  RE: Is there a limitation on blocking when my windows server + MSSQL has DH?

    Posted 10-16-2020 09:06
    I have a similar problem.
    It looks like the agent can't work in inline mode with MSSQL: when I'm testing a policy which blocks "select" requests, the DB answers with about 150 rows of the table before the agent terminates the connection, no matter if the agent is set as inline or sniffing.
    I have not met this problem with other types of databases (Oracle, MySQL).

    ------------------------------
    Gregory Badin
    Softprom
    ------------------------------



  • 11.  RE: Is there a limitation on blocking when my windows server + MSSQL has DH?

    Posted 10-16-2020 11:46
    Hi Gregory

    There is a solution.

    1. There is no need to disable DH on the server.
    2. Disable advanced monitoring in the agent.
    3. You have to upload a certificate (your own or the customer's CA) to the MSSQL instance. Follow the PDF I have attached.
    4. The agent should be in inline mode.
    5. Try to block.
    That's the workaround we found.

    Regards







  • 12.  RE: Is there a limitation on blocking when my windows server + MSSQL has DH?

    Posted 10-19-2020 10:40
    Freddy,
    The certificate is only the first part of the equation to resolve this issue. You also have to disable the DHE ciphers, otherwise the installed certificate can still use these ciphers. I am attaching a quick how-to for you. So this is a three-step process:
    1. Upload your own certificate and assign it to the SQL instance you want to monitor.  (This is more complex for a SQL cluster)
    2. Disable the DHE ciphers on the SQL server so the clients do not negotiate DHE when connecting.
    3. Set this agent advanced config to false.  <mssql-advanced-monitoring>false</mssql-advanced-monitoring>

    ------------------------------
    Paul Hammons
    Imperva Senior Sales Engineer
    Cape Coral, Florida
    ------------------------------

    Attachment(s): SSL Cipher Suite Fix.docx (52 KB)
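As an added example (not code from the thread, from Imperva, or from the attached how-to), the PowerShell below runs on the SQL host and covers steps 1 and 2 of the checklist above: it lists and disables the finite-field DHE cipher suites in Schannel and reports which certificate the SQL instance is configured to present. It assumes the built-in TLS cmdlets of Windows Server 2016 and an elevated session; the SQL instance id is a placeholder you must replace.

```powershell
# Audits the Schannel cipher suite list on a Windows Server 2016 SQL host and
# disables the finite-field DHE suites (step 2 of the procedure above).
# Assumes the built-in TLS module (Get-TlsCipherSuite / Disable-TlsCipherSuite)
# and an elevated session. Run with -DryRun first to see what would change.
param(
    [switch]$DryRun
)

function Get-DheCipherSuites {
    # Windows names DHE suites TLS_DHE_RSA_... / TLS_DHE_DSS_...; ECDHE suites
    # start with TLS_ECDHE_ and are deliberately left alone, since the thread
    # only calls for removing DHE.
    Get-TlsCipherSuite | Where-Object { $_.Name -match '^TLS_DHE_' }
}

$dhe = @(Get-DheCipherSuites)
if ($dhe.Count -eq 0) {
    Write-Host "No DHE cipher suites are enabled; nothing to do."
}
foreach ($suite in $dhe) {
    if ($DryRun) {
        Write-Host "[dry-run] would disable $($suite.Name)"
    } else {
        # Removes the suite from the machine-wide Schannel priority list.
        Disable-TlsCipherSuite -Name $suite.Name
        Write-Host "disabled $($suite.Name)"
    }
}

# Verify what remains, so you can confirm the instance still offers suites its
# clients support (e.g. ECDHE/RSA suites) before restarting the SQL service.
Write-Host "`nRemaining enabled suites:"
Get-TlsCipherSuite | Select-Object -ExpandProperty Name

# Step 1 check: which certificate is the SQL instance configured to present?
# SQL Server stores the thumbprint under the instance's SuperSocketNetLib key.
# The instance id below is a placeholder; the real one is listed under
# HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL.
$instanceId = 'MSSQL13.MSSQLSERVER'   # placeholder, substitute your instance id
$netlib = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$instanceId\MSSQLServer\SuperSocketNetLib"
$thumb = (Get-ItemProperty -Path $netlib -ErrorAction SilentlyContinue).Certificate
if ($thumb) {
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -ieq $thumb }
    Write-Host "`nSQL instance certificate: $($cert.Subject), expires $($cert.NotAfter)"
} else {
    Write-Host "`nNo certificate thumbprint set for $instanceId (step 1 not done yet)."
}
```

The cipher suite change is machine-wide, so check that the remaining list still satisfies every application on the host, not only SQL Server, before restarting the instance.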


  • 13.  RE: Is there a limitation on blocking when my windows server + MSSQL has DH?

    Posted 10-19-2020 11:08
    Thanks Paul

    Best Regards











  • 14.  RE: Is there a limitation on blocking when my windows server + MSSQL has DH?

    Posted 10-19-2020 10:32
    Gregory,
    When using SQL advanced mode, the agent is only in sniffing mode and cannot be placed in-line. Blocking is done on a "best effort" basis in this case. Some things can slip through. This is unique to SQL advanced monitoring. This blocking rule is more effective if you include a "short" or "long" block in combination with a block.

    ------------------------------
    Paul Hammons
    Imperva Senior Sales Engineer
    Cape Coral, Florida
    ------------------------------



  • 15.  RE: Is there a limitation on blocking when my windows server + MSSQL has DH?

    Posted 10-21-2020 15:15
    Thanks Freddy and Paul, this solution works.

    ------------------------------
    Gregory Badin
    Softprom
    ------------------------------