Forum Discussion

jba3126's avatar
jba3126
Icon for Cirrostratus rankCirrostratus
Jul 09, 2019

Looking for options - iRule, Traffic Policy, or Other to Protect PAN Data on Database VS

We have a DB2 database that we need to scrub/mask SSN (Social Security) and CCN (CreditCard). Note: This is a TCP Virtual Server as it is a database via JDBC.   iRules that work scrubbing HTTP Req...
application delivery
BIG-IP
CCN
DB2
iRules
PAN
SSN
  • jba3126's avatar
    jba3126
    Icon for Cirrostratus rankCirrostratus
    Jul 09, 2019

    Jason, Thank you for the quick response. Question, being that this is a Database i.e. a standard TCP VS would ASM be able to inspect this being that it is not HTTP?

     

    /jeff

    • JRahm's avatar
      JRahm
      Icon for Admin rankAdmin
      Jul 09, 2019

      Ah, hasty response on my part, didn’t fully read your question. Let me do a little digging. Not super familiar with db2...will numbers be in the clear or need binary inspection?

    • jba3126's avatar
      jba3126
      Icon for Cirrostratus rankCirrostratus
      Jul 09, 2019

      Jason, No worries at all. I updated the post to make the TCP requirement more evident. The format is ASCII and EBCDIC and the numbers are in plain text.

       

      /jeff

    • JRahm's avatar
      JRahm
      Icon for Admin rankAdmin
      Jul 10, 2019

      Ok, so this is tcp and cleartext data, so you have options. Looks in wireshark to be a well-understood protocol, so you can parse out by field with a TCP::collect and binary scan on the request to look for queries to any table that might have that information in it, and then activate a stream profile and use a stream match to sanitize the response data. You have to do the collection work and change the events to be TCP appropriate rather than HTTP, but this article has what you need for the CC replacement info. To add SSN for the iRule shared above, you can use this regex from this codeshare entry:

      set static::ssn_regex {\d{3}-\d{2}-\d{4}}