Publish an Internal Database to Users

This article shows you how to create a TCP service that exposes an internal database through the Banyan Access Tier, so that a user can conveniently yet securely connect with their favorite database management tool.

This guide uses the Amazon RDS database as an example. However, Banyan supports any TCP-based protocol; the same steps can be extended to any database.

Motivation

Access to Infrastructure Services, such as SSH/RDP Servers, Kubernetes, Databases, and Generic TCP, is regularly needed by all Operations and Engineering team members. Traditionally, access relies solely on generating a long-lived password or, sometimes, a long-lived SSH key pair per user. Long-lived credentials and keys can be a security nightmare, given the ease with which they can be shared or lost.

With Banyan, you add a modern mandatory access control layer that continuously evaluates the security posture of the device and integrates with your organization’s Single Sign-On provider. All traffic to infrastructure services is transparently upgraded to mutually authenticated TLS using short-lived X.509 certificates. Security policies can then be continuously enforced, locking down access to specific servers based on user and device attributes and trust levels.

Access to Internal TCP Services

Setup

For this quick start guide, the setup is as shown in the diagram below:

  1. A Banyan Access Tier is installed in the same network segment as the Database server to be exposed using Banyan. This guide uses an Access Tier named product-team.

  2. A wildcard DNS record pointing to the Access Tier, so that the Access Tier can serve multiple services. This guide assumes the DNS record *.corp.example.com maps to the product-team Access Tier.

  3. The Database server that needs to be exposed is running. This guide uses a host named mydb with IP address 10.10.12.12, with the DB process listening on port 3306.

  4. The Banyan User Directory should be configured to integrate with your Identity Provider.

  5. The latest Banyan Desktop or Mobile App is installed and registered on devices from which users will access the Database.

  6. The Database credentials for the users who need access to mydb have been provisioned and supplied to the users.

Steps

We will now enable secure access to the database in three steps.

Step 1. Create a Policy

1.1 Log in to the Banyan Command Center and navigate to Secure Access > Policies > Create New Policy.

1.2 Create a new Policy using the template TCP Policy.

1.3 Enter a Policy Name (such as hosted-service) and a Description.

1.4 Configure the Policy Attributes:

  • Only allow access from the following role: ANY (or a role according to your organization’s requirements)
  • Only allow users and devices with the following Trust Levels: No Trust Level - ignore TrustScore (or a Trust Level according to your organization’s security requirements)

Step 2. Register Database as a Hosted Service

2.1 Navigate to Manage Services > Infrastructure Services and then click + Register Service.

2.2 Select the template Database Service.

2.3 Enter the Service Name (such as AWS RDS) and Description (such as Access to hosted AWS RDS service).

2.4 Click Select an Icon, then search for and select the AWS icon.

2.5 Select the cluster where the applicable Access Tier is located.

2.6 Configure the Service Attributes:

  • Enter the Service Domain Name of the Access Tier behind which the AWS RDS service is deployed and leave the port as 8443
  • Set the enforcement model to Site-based (Access Tier) and then select the applicable Site (Access Tier)
  • Set the incoming connections to be proxied to the Fixed Backend Domain
  • Enter the Backend Domain Name and Port

2.7 Configure the Service Connection Settings:

  • Optionally, set an Assigned Listen Port or leave it blank to use a random port
  • Optionally, allow or deny end users the ability to override these settings in the Banyan Desktop App

2.8 Attach the policy we had previously created in Step 1.4, and then set enforcement mode to Enforcing.

2.9 Click Register Service.
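The form in Step 2 maps onto a JSON service spec, which is the form you want when reviewing or version-controlling what was registered. The script below is an added example, not Banyan's own code or tooling: it builds a spec for the database in this guide and checks the security-relevant settings from Steps 2.6 and 2.7 (the service domain is actually served by the *.corp.example.com wildcard, the frontend port stays 8443, the service is pinned to the product-team site, and the backend is a fixed domain and port). The JSON layout and field names follow the Banyan 'BanyanService' spec as I recall it; treat them as assumptions and diff against a spec exported from your own Command Center. The service domain mydb.corp.example.com and the listen port 13306 are constructed for the example.

```python
"""Express the Database Service from Step 2 as a Banyan service spec and check it.

Added example, not Banyan's own code. Field names follow the BanyanService
spec as recalled from the Banyan docs; treat them as assumptions.
"""
import json
import re

SITE = "product-team"            # Access Tier / site name from the setup section
WILDCARD = "*.corp.example.com"  # wildcard DNS record pointing at the Access Tier
BACKEND_HOST = "10.10.12.12"     # mydb
BACKEND_PORT = 3306
FRONTEND_PORT = 8443             # left at its default in Step 2.6


def build_db_service(name, description, domain, site=SITE, backend_host=BACKEND_HOST,
                     backend_port=BACKEND_PORT, listen_port=None, allow_user_override=False):
    """Return a dict equivalent to what the Step 2 form registers (field names assumed)."""
    return {
        "kind": "BanyanService",
        "apiVersion": "rbac.banyanops.com/v1",
        "type": "origin",
        "metadata": {
            "name": name,
            "description": description,
            "tags": {
                "template": "TCP_USER",            # Database Service template (Step 2.2)
                "user_facing": "true",
                "protocol": "tcp",
                "domain": domain,                  # Service Domain Name (Step 2.6)
                "port": str(FRONTEND_PORT),
                "service_app_type": "DATABASE",
                "banyanproxy_mode": "TCP",
                "app_listen_port": "" if listen_port is None else str(listen_port),
                "allow_user_override": allow_user_override,   # Step 2.7
            },
        },
        "spec": {
            "attributes": {
                "tls_sni": [domain],
                "frontend_addresses": [{"cidr": "", "port": str(FRONTEND_PORT)}],
                # Site-based enforcement: pin the service to one Access Tier (Step 2.6)
                "host_tag_selector": [{"com.banyanops.hosttag.site_name": site}],
            },
            "backend": {  # Fixed Backend Domain and Port (Step 2.6)
                "target": {"name": backend_host, "port": str(backend_port), "tls": False},
                "dns_overrides": {},
                "whitelist": [],
            },
            "cert_settings": {"dns_names": [domain]},
        },
    }


def _covered_by_wildcard(domain, wildcard):
    """True if domain is exactly one label under the wildcard (a.b.corp... is not)."""
    suffix = wildcard.lstrip("*").lower()
    if not domain.lower().endswith(suffix):
        return False
    label = domain.lower()[: -len(suffix)]
    return re.fullmatch(r"[a-z0-9]([a-z0-9-]*[a-z0-9])?", label) is not None


def check_db_service(svc, wildcard=WILDCARD, site=SITE):
    """Return a list of problems; an empty list means the spec matches this guide's setup."""
    problems = []
    tags = svc["metadata"]["tags"]
    attrs = svc["spec"]["attributes"]
    target = svc["spec"]["backend"]["target"]
    domain = tags["domain"]
    if not _covered_by_wildcard(domain, wildcard):
        problems.append(f"service domain {domain!r} is not served by the {wildcard!r} record")
    if tags["port"] != str(FRONTEND_PORT) or attrs["frontend_addresses"][0]["port"] != str(FRONTEND_PORT):
        problems.append(f"frontend port must stay {FRONTEND_PORT} (Step 2.6)")
    if attrs["host_tag_selector"] != [{"com.banyanops.hosttag.site_name": site}]:
        problems.append(f"service is not pinned to site {site!r} (Step 2.6)")
    if domain not in attrs["tls_sni"] or domain not in svc["spec"]["cert_settings"]["dns_names"]:
        problems.append("tls_sni and cert dns_names must include the service domain")
    if not (target["name"] and target["port"].isdigit() and 1 <= int(target["port"]) <= 65535):
        problems.append("backend must be a fixed domain/IP with a valid port (Step 2.6)")
    lp = tags["app_listen_port"]
    if lp and not (lp.isdigit() and 1 <= int(lp) <= 65535):
        problems.append(f"assigned listen port {lp!r} is not a valid TCP port (Step 2.7)")
    return problems


if __name__ == "__main__":
    svc = build_db_service("AWS RDS", "Access to hosted AWS RDS service",
                           "mydb.corp.example.com", listen_port=13306)
    print(json.dumps(svc, indent=2))
    print("problems:", check_db_service(svc) or "none")
```

Run it once with your real values and keep the resulting JSON next to the policy from Step 1; a later UI change that moves the service off the product-team site or onto a domain the wildcard does not cover then shows up as a concrete diff rather than a silent misconfiguration.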

Step 3. As an End User, launch the Banyan Desktop App and access the Database

3.1 Launch the Banyan Desktop App, locate the hosted database (for example, Amazon RDS) server from the list of Infrastructure Services, and then click Connect.

3.2 Click into the service details and take note of the (localhost:port) provided in the Banyan Desktop App (for example, 127.0.0.1:XXXXX).

3.3 Launch your preferred database management tool (such as Microsoft SQL Server Management Studio, pgAdmin, phpMyAdmin, or MySQL Workbench), and then create a new server connection using the localhost:port noted in the previous step. If necessary, enter your credentials to authenticate.

Behind the scenes, Banyan evaluates your device posture, enforces your security policies, and grants access accordingly.
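The policy from Step 1 only protects the database if the Access Tier is the sole way to reach it. The script below is an added example, not part of this guide or of Banyan's software: it takes the 127.0.0.1:port string from Step 3.2, confirms that a MySQL server answers there (the port the guide exposes is 3306, so a MySQL-protocol greeting is expected), and confirms that the database's real address (10.10.12.12:3306 from the setup section) does not answer directly from the user's device. The loopback listener and the truncated MySQL greeting packet are constructed so the example runs offline; the host and port values are the guide's.

```python
"""Verify the Step 3 access path: the database should answer on the loopback
endpoint shown by the Banyan Desktop App, and should NOT answer on its real
address directly from the user's device (a direct path bypasses the policy).

Added example, not part of the guide or of Banyan's software.
"""
import socket
import threading

BACKEND_HOST = "10.10.12.12"  # mydb, from the setup section
BACKEND_PORT = 3306

# Constructed, truncated MySQL initial-handshake packet: 4-byte header (3-byte
# little-endian payload length 11, sequence id 0), then protocol version 10 and a
# NUL-terminated server version string. Enough for the check below, not a full packet.
FAKE_GREETING = bytes([0x0B, 0x00, 0x00, 0x00]) + b"\x0a" + b"8.0.28\x00" + b"\x00\x00\x00"


def parse_local_endpoint(text):
    """Turn the '127.0.0.1:XXXXX' string from the app into (host, port); refuse non-loopback."""
    host, _, port = text.strip().rpartition(":")
    if not host.startswith("127.") or not port.isdigit():
        raise ValueError(f"not a loopback endpoint: {text!r}")
    return host, int(port)


def tcp_open(host, port, timeout=2.0):
    """True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def read_greeting(host, port, timeout=2.0):
    """Return the first bytes the server sends unprompted, or b'' if nothing arrives."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            return s.recv(4096)
    except OSError:
        return b""


def looks_like_mysql(greeting):
    """Minimal check: MySQL packet header with sequence id 0 and protocol version 10."""
    if len(greeting) < 5:
        return False
    payload_len = int.from_bytes(greeting[0:3], "little")
    return greeting[3] == 0 and payload_len >= 1 and greeting[4] == 10


def verify_access_path(app_endpoint, backend_host=BACKEND_HOST, backend_port=BACKEND_PORT):
    """Report whether access works through Banyan and the direct path is closed."""
    host, port = parse_local_endpoint(app_endpoint)
    via_banyan = looks_like_mysql(read_greeting(host, port))
    direct = tcp_open(backend_host, backend_port)
    return {"via_banyan": via_banyan, "direct_backend_open": direct,
            "ok": via_banyan and not direct}


def start_fake_db(greeting=FAKE_GREETING):
    """Loopback listener that sends `greeting` and closes; stands in for the app's tunnel."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(greeting)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    # Stand-alone demo against the constructed listener; on a real device pass the
    # endpoint from Step 3.2 instead and leave the backend defaults in place.
    demo_port = start_fake_db()
    print(verify_access_path(f"127.0.0.1:{demo_port}"))
```

If direct_backend_open ever comes back True from an end-user device, the network path around the Access Tier (security group, firewall, or VPN route) needs closing; the Banyan policy cannot see connections that never pass through it.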

Success!

And that’s it! You have created a Zero Trust policy for a remote database and accessed it conveniently using your preferred database management tool.



Last modified: Oct 07, 2021