skupperproject / skupper-router

An application-layer router for Skupper networks
https://skupper.io
Apache License 2.0

FEATURE REQUEST: Router support for Security Information & Event Management capabilities #846

Open bryonbaker opened 1 year ago

bryonbaker commented 1 year ago

User Story

As a Security Operations Analyst I need to be able to detect events such as data loss, malicious activity, and undertake security forensics on data transmitted over the network.

My team currently uses SPAN ports and network TAPs to use "man-in-the-middle" security-monitoring tools to decrypt and analyse encrypted traffic. Skupper complicates this capability because:

  1. The certificate used for the AMQ mesh is self-signed.
  2. When an application is encrypting the payload (e.g. HTTPS) there is a double encryption.

A successful solution would enable SIEM tools to be able to inspect the data that flows between Skupper routers and gateways.

ted-ross commented 1 year ago

A couple of questions:

bryonbaker commented 1 year ago

Sorry @ted-ross - I missed your follow-up questions...

> Would this problem be solved by using user-supplied CAs instead of the default self-signed CAs?

If there are user-supplied certs for the mTLS connection then yes, SecOps can install those on their SIEM tools to decrypt the traffic. All I am uncertain of is what happens for inter-router traffic within a cluster. But in my experience this is less of a concern to SecOps teams.

> Do you want to be able to tap all traffic or specific services?

Given the nature of RHAI - once you expose a service it is exposed to the whole mesh - I would suggest the former is the minimum requirement.

> Are your SIEM tools able to meaningfully parse AMQP traffic?

I cannot answer definitively, but RabbitMQ uses AMQP and QRadar and Sysdig can analyse that traffic.
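The thread above turns on the difference between a mesh certificate that is self-signed and one issued by a CA the security team supplies and trusts. The following Go program is an added example, not code from skupper-router or from either commenter: it builds a constructed "SecOps Root CA", issues a router certificate from it, generates a second router certificate that is self-signed, and shows the two checks an analyst would run on a certificate pulled from a router: is it self-signed, and does it chain to the CA we supplied? Only a certificate that chains to a known CA can be validated by a monitoring tool that holds that CA; the names (`SecOps Root CA`, `skupper-router`) are assumptions for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Scenario holds the constructed certificates used for the demonstration.
type Scenario struct {
	CA       *x509.Certificate // user-supplied CA (hypothetical "SecOps Root CA")
	CALeaf   *x509.Certificate // router certificate issued by that CA
	MeshLeaf *x509.Certificate // router certificate that is self-signed
}

// newKey generates a P-256 key; all certificates here use ECDSA.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs template with signer under parent; parent == template yields a self-signed cert.
func issue(template, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// routerTemplate is a minimal server/client (mTLS) certificate template for a router.
func routerTemplate(serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: "skupper-router"}, // assumed name
		DNSNames:              []string{"skupper-router"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
	}
}

// BuildScenario constructs the CA, a CA-issued router cert and a self-signed router cert.
func BuildScenario() Scenario {
	caKey := newKey()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "SecOps Root CA"}, // assumed name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	ca := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)

	leafKey := newKey()
	caLeaf := issue(routerTemplate(2), ca, &leafKey.PublicKey, caKey)

	meshKey := newKey()
	meshTmpl := routerTemplate(3)
	meshLeaf := issue(meshTmpl, meshTmpl, &meshKey.PublicKey, meshKey)

	return Scenario{CA: ca, CALeaf: caLeaf, MeshLeaf: meshLeaf}
}

// IsSelfSigned reports whether the certificate's issuer is itself and its
// signature verifies under its own public key (no CA-constraint check, so it
// also recognises self-signed leaf certificates).
func IsSelfSigned(cert *x509.Certificate) bool {
	if !bytes.Equal(cert.RawSubject, cert.RawIssuer) {
		return false
	}
	return cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil
}

// ChainsToCA reports whether cert validates against a trust store holding only ca.
func ChainsToCA(cert, ca *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err == nil
}

func main() {
	s := BuildScenario()
	fmt.Printf("CA-issued router cert: self-signed=%v chainsToCA=%v\n", IsSelfSigned(s.CALeaf), ChainsToCA(s.CALeaf, s.CA))
	fmt.Printf("self-signed router cert: self-signed=%v chainsToCA=%v\n", IsSelfSigned(s.MeshLeaf), ChainsToCA(s.MeshLeaf, s.CA))
}
```

The same two checks apply to a real certificate read from a router's TLS handshake: parse it with `x509.ParseCertificate` and run `ChainsToCA` against the CA the team actually installed in its monitoring tools. A certificate that is self-signed, or that chains to a CA nobody outside the mesh holds, is exactly the case the issue describes: the monitoring tool cannot validate it without out-of-band distribution of that per-mesh trust anchor.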