This page lists important aspects of the database target passthrough access.
The Passthrough mode can be used with any database wire protocol.
Because in Passthrough mode the protocol stream is not interpreted, PrivX cannot explicitly authenticate the database client connection and therefore cannot manage the target database user credentials. Instead, the end user must know the target database user credentials.
Due to this mode of operation the following points should be considered carefully:
Enabling session recording for host DB services that use Passthrough mode risks the target database user credentials ending up in the session recording, and thereby being exposed to any user who has permission to download the session recording log file. To mitigate this risk, the PrivX admin should verify that the database protocol stream does not contain unencrypted credentials, and/or set a proper value for the Audit Skip (Bytes) host DB service setting so that the database protocol authentication phase is omitted from the session recording.
Because PrivX cannot restrict access to the target database through control of the credentials, the end user should be blocked from connecting to the target database directly. This can be achieved by network isolation or, in some cases, by configuring the database server to accept connections only from the PrivX server.
The TLS mode can be used with database wire protocols that start with a TLS handshake. With such protocols, PrivX can terminate the client side TLS connection, establish a separate server side TLS connection and forward the decrypted protocol stream between the two TLS connections.
The TLS mode can session record the decrypted protocol stream, which gives visibility into encrypted database connections. This, however, means that any target database user credentials sent in the protocol stream end up in the session recording. This risk can be mitigated by setting a proper value for the Audit Skip (Bytes) host DB service setting.
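The Audit Skip (Bytes) value mentioned above (for both Passthrough and TLS mode) only protects credentials if it actually covers the authentication phase. The following added example, which is not part of the PrivX documentation, shows how an admin could sanity-check a candidate value against a captured client stream. It assumes PostgreSQL-style message framing and assumes the skip counts client-to-server bytes from the start of the session; the sample stream, user name and password are constructed for illustration.

```python
import struct

# Constructed sample: a PostgreSQL-style client stream consisting of a
# StartupMessage, a cleartext PasswordMessage ('p') and a Query ('Q').
# Not a real capture; the credential is a made-up value.
def build_sample_client_stream(user=b"appuser", password=b"s3cr3t-pw", sql=b"SELECT 1"):
    params = b"user\x00" + user + b"\x00database\x00appdb\x00\x00"
    startup = struct.pack("!II", 8 + len(params), 196608) + params  # no type byte
    pw_msg = b"p" + struct.pack("!I", 4 + len(password) + 1) + password + b"\x00"
    query = b"Q" + struct.pack("!I", 4 + len(sql) + 1) + sql + b"\x00"
    return startup + pw_msg + query

def auth_phase_length(stream):
    """Bytes from the start of the client stream up to and including the
    PasswordMessage. Assumed framing: the startup message is a 4-byte
    big-endian length (including itself) with no type byte; every later
    message is 1 type byte followed by a 4-byte length (including itself)."""
    startup_len = struct.unpack("!I", stream[:4])[0]
    off = startup_len
    while off + 5 <= len(stream):
        msg_type = stream[off:off + 1]
        length = struct.unpack("!I", stream[off + 1:off + 5])[0]
        off += 1 + length
        if msg_type == b"p":
            return off
    raise ValueError("no PasswordMessage found in stream")

def recording_after_skip(stream, audit_skip_bytes):
    """What would be written to the recording under the assumed skip model."""
    return stream[audit_skip_bytes:]

def check_audit_skip(stream, audit_skip_bytes, secret):
    """Return (minimum_safe_skip, credential_exposed, first_query_kept).

    credential_exposed: the skip is too small, the password survives in
    the recording. first_query_kept is False when the skip is too large
    and the recording no longer starts at the first Query message."""
    min_skip = auth_phase_length(stream)
    rec = recording_after_skip(stream, audit_skip_bytes)
    return min_skip, secret in rec, rec.startswith(b"Q")

if __name__ == "__main__":
    stream = build_sample_client_stream()
    for candidate in (20, auth_phase_length(stream), 60):
        print(candidate, check_audit_skip(stream, candidate, b"s3cr3t-pw"))
```

For a real service, the same kind of check is done against a capture of the actual protocol in use, since message framing and the position of the authentication exchange differ between database products.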