Open bryonbaker opened 2 years ago
A couple of questions:
Sorry @ted-ross - I missed your follow-up questions...
Would this problem be solved by using user-supplied CAs instead of the default self-signed CAs? If there are user-supplied certs for the mTLS connection then yes, SecOps can install those on their SIEM tools to decrypt the traffic. All I am uncertain of is what happens for inter-router traffic within a cluster. But in my experience this is less of a concern to SecOps teams.
Do you want to be able to tap all traffic or specific services? Given the nature of RHAI - once you expose a service it is exposed to the whole mesh - I would suggest the former is the minimum requirement.
Are your SIEM tools able to meaningfully parse AMQP traffic? I cannot answer definitively, but RabbitMQ uses AMQP and QRadar and Sysdig can analyse that traffic.
User Story
As a Security Operations Analyst I need to be able to detect events such as data loss, malicious activity, and undertake security forensics on data transmitted over the network.
My team currently uses SPAN ports and network TAPs to use "man in the middle" security-monitoring tools to decrypt and analyse encrypted traffic. Skupper complicates this capability because:
A successful solution would enable SIEM tools to be able to inspect the data that flows between Skupper routers and gateways.