Looking for options - iRule, Traffic Policy, or Other to Protect PAN Data on Database VS

Question

We have a DB2 database that we need to scrub/mask SSN (Social Security) and CCN (CreditCard).

Note: This is a TCP Virtual Server as it is a database via JDBC.

iRules that work scrubbing HTTP Requests.

https://devcentral.f5.com/s/articles/irule-ccn-scrubber

https://devcentral.f5.com/s/articles/credit-card-scrubber

The challenge as I see it is either modifying one of iRules above to work with this TCP VS or seeing what other options we have to protect these VIPs. This box has ASM loaded; however I have not found anything outside of it's primary usage for protecting Web oriented traffic.

Sample text output from packet capture:

.X.Q...R

.D!.......@@@@@@@@@@@@......@@@@@@@@@@@@........@@@@@@@@@@SYSLVL01....!....!F..7.S...1$P....'FOR READ ONLY WITH EXTENDED INDICATORS ..*.C...$$......SELECT * FROM tblAccounts..S.A...M ..D!.......@@@@@@@@@@@@......@@@@@@@@@@@@........@@@@@@@@@@SYSLVL01....!F..[.....U ..D!.......@@@@@@@@@@@@......@@@@@@@@@@@@........@@@@@@@@@@SYSLVL01....!.......!]..n.C...h$......00000SQL11014......................... ..TESTDB ..............U................................................ACCTINT..........................TESTDB..TBLACCOUNTS....TBLACCOUNTS....DB2ADMIN....ACCTINT......................................ACCTCHAR..........................TESTDB..TBLACCOUNTS....TBLACCOUNTS....DB2ADMIN....ACCTCHAR......................................COMMENTS..........................TESTDB..TBLACCOUNTS....TBLACCOUNTS....DB2ADMIN....COMMENTS......................................DT..........................TESTDB..TBLACCOUNTS....TBLACCOUNTS....DB2ADMIN....DT..........C....$...2.R...,"....I....!.$...!....!P...![..........$`$B.(.S..."$..v....>..?..%.. q.T......q.....B.S...<$....q........1111111111111111...Contains an account number 1111-1111-1111-1111.2019-07-08-16.15.29.444000.....[......2111111111111111...Contains an account number 2111-1111-1111-1111.2019-07-08-16.15.53.382000...q...

....3111111111111111...Contains an account number 3111-1111-1111-1111.2019-07-08-16.18.25.071000.&.R... "....I....!.......@@@@@@@@@@@@.Y.....S$..d...02000SQLRI01F......................... ..TESTDB ............. ..........+.R...%"....I....!....!.......@@@@@@@@@@@@...S....$.......................U.X.Q...R

.D!.......@@@@@@@@@@@@......@@@@@@@@@@@@........@@@@@@@@@@SYSLVL01....!....!F..7.S...1$P....'FOR READ ONLY WITH EXTENDED INDICATORS ..*.C...$$......SELECT * FROM tblAccounts..S.A...M ..D!.......@@@@@@@@@@@@......@@@@@@@@@@@@........@@@@@@@@@@SYSLVL01....!F..[.....U ..D!.......@@@@@@@@@@@@......@@@@@@@@@@@@........@@@@@@@@@@SYSLVL01....!.......!]..n.C...h$......00000SQL11014......................... ..TESTDB ..............U................................................ACCTINT..........................TESTDB..TBLACCOUNTS....TBLACCOUNTS....DB2ADMIN....ACCTINT......................................ACCTCHAR..........................TESTDB..TBLACCOUNTS....TBLACCOUNTS....DB2ADMIN....ACCTCHAR......................................COMMENTS..........................TESTDB..TBLACCOUNTS....TBLACCOUNTS....DB2ADMIN....COMMENTS......................................DT..........................TESTDB..TBLACCOUNTS....TBLACCOUNTS....DB2ADMIN....DT..........C....$...2.R...,"....I....!.$...!....!P...![..........$`$B.(.S..."$..v....>..?..%.. q.T......q.....B.S...<$....q........1111111111111111...Contains an account number 1111-1111-1111-1111.2019-07-08-16.15.29.444000.....[......2111111111111111...Contains an account number 2111-1111-1111-1111.2019-07-08-16.15.53.382000...q...

....3111111111111111...Contains an account number 3111-1111-1111-1111.2019-07-08-16.18.25.071000.&.R... "....I....!.......@@@@@@@@@@@@.Y.....S$..d...02000SQLRI01F......................... ..TESTDB ............. ..........+.R...%"....I....!....!.......@@@@@@@@@@@@...S....$.......................p.X.Q...R

.D!.......@@@@@@@@@@@@......@@@@@@@@@@@@........@@@@@@@@@@SYSLVL01....!....!F..7.S...1$P....'FOR READ ONLY WITH EXTENDED INDICATORS ..*.C...$$......SELECT * FROM tblAccounts..S.A...M ..D!.......@@@@@@@@@@@@......@@@@@@@@@@@@........@@@@@@@@@@SYSLVL01....!F..[.....U ..D!.......@@@@@@@@@@@@......@@@@@@@@@@@@........@@@@@@@@@@SYSLVL01....!.......!]..n.C...h$......00000SQL11014......................... ..TESTDB ..............U................................................ACCTINT..........................TESTDB..TBLACCOUNTS....TBLACCOUNTS....DB2ADMIN....ACCTINT......................................ACCTCHAR..........................TESTDB..TBLACCOUNTS....TBLACCOUNTS....DB2ADMIN....ACCTCHAR......................................COMMENTS..........................TESTDB..TBLACCOUNTS....TBLACCOUNTS....DB2ADMIN....COMMENTS......................................DT..........................TESTDB..TBLACCOUNTS....TBLACCOUNTS....DB2ADMIN....DT..........C....$...2.R...,"....I....!.$...!....!P...![..........$`$B.(.S..."$..v....>..?..%.. q.T......q.....B.S...<$....q........1111111111111111...Contains an account number 1111-1111-1111-1111.2019-07-08-16.15.29.444000.....[......2111111111111111...Contains an account number 2111-1111-1111-1111.2019-07-08-16.15.53.382000...q...

....3111111111111111...Contains an account number 3111-1111-1111-1111.2019-07-08-16.18.25.071000.&.R... "....I....!.......@@@@@@@@@@@@.Y.....S$..d...02000SQLRI01F......................... ..TESTDB ............. ..........+.R...%"....I....!....!.......@@@@@@@@@@@@...S....$.......................R

/jeff

jrahm · Answer

If you already have ASM, the correct option for you is the Data Guard feature which is purpose-built for exactly your use case. See here: https://devcentral.f5.com/s/articles/the-big-ip-application-security-manager-part-8-data-guard

jba3126 · Answer

Jason,  Thank you for the quick response.  Question, being that this is a Database i.e. a standard TCP VS would ASM be able to inspect this being that it is not HTTP?&nbsp;/jeff

jrahm · Answer

Ah, hasty response on my part, didn’t fully read your question. Let me do a little digging. Not super familiar with db2...will numbers be in the clear or need binary inspection?

jba3126 · Answer

Jason,  No worries at all.  I updated the post to make the TCP requirement more evident.  The format is ASCII and EBCDIC and the numbers are in plain text.&nbsp;/jeff

jrahm · Answer

Ok, so this is tcp and cleartext data, so you have options. Looks in wireshark to be a well-understood protocol, so you can parse out by field with a TCP::collect and binary scan on the request to look for queries to any table that might have that information in it, and then activate a stream profile and use a stream match to sanitize the response data. You have to do the collection work and change the events to be TCP appropriate rather than HTTP, but this article has what you need for the CC replacement info. To add SSN for the iRule shared above, you can use this regex from this codeshare entry:set static::ssn_regex {\d{3}-\d{2}-\d{4}}

Forum Discussion

Looking for options - iRule, Traffic Policy, or Other to Protect PAN Data on Database VS

8 Replies

Recent Discussions

Rewrite uri translation not working

no available managed rule groups for Israel il-central-1

About shun list for L7 DDoS?

CONNECTION IS LOST DUE TO SELF IP IS DELIVERED

ASM instance creation

Related Content

F5 Distributed Cloud - Customer Edge Site - Deployment & Routing Options

Kubernetes architecture options with F5 Distributed Cloud Services

Edge to Pulse: IP Geolocation Database Migration

F5 BIG-IP deployment with OpenShift - platform and networking options

F5 BIG-IP deployment with OpenShift - publishing application options