0 оценок0% нашли этот документ полезным (0 голосов)
145 просмотров15 страниц
This paper discusses the advantages of using the BalaBit Shell Control Box (SCB) to control remote access to your UNIX / Linux and Windows servers, networking devices, as well as your virtualized applications. SCB can transparently control, audit and replay protocols commonly used to remotely access and manage servers.
This paper discusses the advantages of using the BalaBit Shell Control Box (SCB) to control remote access to your UNIX / Linux and Windows servers, networking devices, as well as your virtualized applications. SCB can transparently control, audit and replay protocols commonly used to remotely access and manage servers.
This paper discusses the advantages of using the BalaBit Shell Control Box (SCB) to control remote access to your UNIX / Linux and Windows servers, networking devices, as well as your virtualized applications. SCB can transparently control, audit and replay protocols commonly used to remotely access and manage servers.
ISO27001 compliance and Privileged Access Monitoring
February 24, 2014
Abstract How to control and audit remote access to your servers to comply with ISO27001:2013 using the BalaBit Shell Control Box Copyright 1996-2014 BalaBit IT Security Ltd. Table of Contents 1. Preface ............................................................................................................................................. 3 1.1. Using SCB for compliance ....................................................................................................... 3 1.2. What SCB is ........................................................................................................................... 3 1.3. How SCB works ..................................................................................................................... 4 1.4. Real-time content monitoring with SCB .................................................................................... 4 1.5. 4-eyes authorization ................................................................................................................ 5 1.6. Supported protocols ................................................................................................................ 5 1.7. Public references ..................................................................................................................... 5 2. Using SCB for ISO27001 compliance .................................................................................................. 7 3. Other important features .................................................................................................................. 14 4. Summary ........................................................................................................................................ 15 4.1. About BalaBit ....................................................................................................................... 15 2 www.balabit.com 1. Preface This paper discusses the advantages of using BalaBit Shell Control Box (SCB) to control remote access to your UNIX/Linux and Windows servers, networking devices, as well as your virtualized applications. SCBcan transparently control, audit and replay protocols commonly used to remotely access and manage servers, including the Secure Shell (SSH), Remote Desktop (RDP), HTTP, Citrix ICA, VMware View, Telnet, and Virtual Network Computing (VNC) protocols. This document is recommended for technical experts and decision-makers working on auditing server-administration and remote-access processes for policy compliance (for example, PCI DSS or ISO 27001), or simply to gather information for forensics situations in case of security incidents. However, anyone with basic networking knowledge can fully understand its contents. The procedures and concepts described here are applicable to ISO27001:2013 and version 3 F5 of BalaBit Shell Control Box. 1.1. Using SCB for compliance Compliance is becoming increasingly important in several fields laws, regulations and industrial standards mandate increasing security awareness and the protection of customer data. As a result, companies have to increase their auditability and the control over their business processes, for example, by ensuring that only those employees have access sensitive data who really need to, and also carefully auditing all accesses to these data. The BalaBit Shell Control Box (SCB) is a device to control and audit data access: access to the servers where you store your sensitive data. Being independent from the controlled servers, it also complements the system and ap- plication logs generated on the server by creating complete, indexed and replayable audit trails of the users' sessions. Using an independent device for auditing is advantageous for the following reasons: SCB organizes the audited data into sessions called audit trails, making it easy to review the actions of individual users; SCB provides reliable, trustworthy auditing data, even of system administrator accounts who are able to manipulate the logs generated on the server, and SCB allows you to create an independent auditor layer. The auditor can therefore control, audit and review the activities of the system administrators, while being independent from them. Owing to its authentication, authorization, and auditing capabilities like 4-eyes authorization and real-time monit- oring and auditing, SCB can play an essential part in the access control of remote access, for example, in the control of remote server administration. 1.2. What SCB is BalaBit Shell Control Box (SCB) is an activity monitoring appliance that controls access to remote servers, virtual desktops, or networking devices, and records the activities of the users accessing these systems. For example, it records as the system administrators configure your database servers through SSH, or your employees make trans- actions using thin-client applications in VMware View. The recorded audit trails can be replayed like a movie to review the events exactly as they occurred. The content of the audit trails is indexed to make searching for events and automatic reporting possible. SCB is especially suited to supervise privileged-user access as mandated by many compliance requirements, like PCI DSS or ISO 27001. It is an external, fully transparent device, completely inde- pendent from the clients and the servers. The server- and client applications do not have to be modified in order to use SCB; it integrates smoothly into the existing infrastructure. 3 www.balabit.com Preface The BalaBit Shell Control Box (SCB) is a device that controls, monitors, and audits remote administrative access to servers and networking devices. It is a tool to oversee server administrators and server administration processes by controlling the encrypted connections used in server administration. It is an external, fully transparent device, completely independent from the clients and the servers. The server- and client applications do not have to be modified in order to use SCB it integrates smoothly into the existing infrastructure. Figure 1. Controlling remote access with the BalaBit Shell Control Box 1.3. How SCB works SCB logs all administrative traffic (including configuration changes, executed commands, and so on) into audit trails. All data is stored in encrypted, timestamped and signed files, preventing any modification or manipulation. In case of any problems (server misconfiguration, database manipulation, unexpected shutdown) the circumstances of the event are readily available in the audit trails, therefore the cause of the incident can be easily identified. The recorded audit trails can be displayed like a movie recreating all actions of the administrator. In other words: with SCB you can oversee and control the work of the system administrators, creating a new management level that has real power over the system administrators. Fast forwarding during replay and searching for events (for example, mouse clicks, pressing the Enter key) and texts seen by the administrator is also supported. Reports and automatic searches can be configured as well. To protect the sensitive information included in the communication, the two directions of the traffic (client-server and server-client) can be separated and encrypted with different keys, therefore sensitive information like passwords are displayed only when necessary. The protocols that SCB can control are not only used in remote administrative access, but also in thin-client envir- onments like Citrix ICA, VNC, or RDP used to access Windows Terminal Services. For such applications SCB provides an application-independent way to record the activities of the clients. 1.4. Real-time content monitoring with SCB SCB can monitor the traffic of certain connections in real time, and execute various actions if a certain pattern (for example, a particular command or text) appears in the command line or on the screen, or if a window with a par- ticular title appears in a graphical protocol. Since content-monitoring is performed real time, SCB can prevent 4 www.balabit.com How SCB works harmful commands from being executed on your servers. SCB can also detect numbers that might be credit card numbers. In case of RDP connections, SCB can detect window title content. The following actions can be performed: Log the event in the system logs. Immediately terminate the connection. Send an e-mail or SNMP alerts about the event. Store the event in the connection database of SCB. SCB currently supports content monitoring in SSH session-shell connections, Telnet connections, RDP Drawing channels, and in VNC connections. 1.5. 4-eyes authorization SCB can also ensure that a user is overseen and authorized by an auditor or authorizer: when 4-eyes authorization is required for a connection, a user (called authorizer) must authorize the connection on SCB as well. This author- ization is in addition to any authentication or group membership requirements needed for the user to access the remote server. Any connection can use 4-eyes authorization, so it provides a protocol-independent, outband author- ization and monitoring method. The authorizer has the possibility to terminate the connection any time, and also to monitor real-time the events of the authorized connections: SCB can stream the traffic to the Audit Player ap- plication, where the authorizer (or a separate auditor) can watch exactly what the user does on the server, just like watching a movie. 1.6. Supported protocols SCB 3 F5 supports the following protocols: The Secure Shell (SSH) protocol used to access Unix-based servers and network devices. The Remote Desktop Protocol (RDP) used to access Microsoft Windows platforms. Accessing Remote Desktop Services (RemoteApp programs) is also supported. Citrix XenApp and XenDesktop. The X11 protocol forwarded in SSH, used to remotely access the graphical interface of Unix-like systems. The Telnet protocol used to access networking devices (switches, routers) and the TN3270 protocol used with legacy Unix devices and mainframes. The Virtual Network Computing (VNC) graphical desktop sharing system commonly used for remote graphical access in multi-platform environments. VMware View when VMware View Clients using the Remote Desktop (RDP) display protocol to access remote servers. The HTTP protocol (including HTTPS) commonly used to access the web interface of appliances, networking devices, and other applications. 1.7. Public references Among others, the following companies decided to use SCB in their production environment: 5 www.balabit.com 4-eyes authorization Alfa Bank (http://alfabank.com/) Arcui (http://www.arcui.com/) Emerging Markets Payments Jordan (http://em-payments.com/) Dubai Islamic Bank PJS (http://www.dib.ae/) National Bank of Kuwait (http://www.nbk.com/) Svenska Handelsbanken AB (http://www.handelsbanken.com/) The Central Bank of Hungary (http://english.mnb.hu/) Ankara University (http://en.ankara.edu.tr/) EZ Group (http://www.cez.cz/en/home.html) Fiducia IT AG (http://fiducia.de/) Leibniz Supercomputing Centre (LRZ) (http://www.lrz.de/english/) MTS Ukraine Mobile Communications (http://www.mts.com.ua/eng/main.php) Orange Romania (http://www.orange.ro/) Telenor Group (http://www.telenor.com) 6 www.balabit.com Public references 2. Using SCB for ISO27001 compliance The following table provides a detailed description about the requirements of the ISO/IEC 27001:2013 Standard relevant to auditing. Other compliance regulations like the Sarbanes-Oxley Act (SOX), Basel II, or the Health In- surance Portability and Accountability Act (HIPAA) include similar requirements. A.6.1 Internal organization Objective: To establish a management framework to initiate and control the implementation and operation of in- formation security within the organization. HowSCBhelps you: SCB provides a way to control and audit access to remote servers, services, and applic- ations, independently from the users and the server ad- ministrators. This allows you to create a separate auditor layer above systemadministrators. It also helps to segreg- ate the fields of IT maintenance and IT security, and provides a way to fully audit and control the work of system administrators. This greatly increases the chance of finding human errors, and decreases the possibilities of internal misuse. A.6.1.2 Segregation of duties. Control: Conflicting duties and areas of re- sponsibility shall be segregated to reduce oppor- tunities for unauthorized or unintentional modification or misuse of the organization's assets. A.9.1 Business requirements of access control Objective: To limit access to information and information processing facilities. HowSCBhelps you: Although SCBis not a general- purpose firewall, it can granularly control access to servers, applications, and protocol features, based on the identity of the user, or group-memberships. In addi- tion to access control, SCB can fully audit the events of the connections into searchable, replayable, movie-like audit trails. A.9.1.2 Access to networks and network services. Control: Users shall only be provided with ac- cess to the network and network services that they have been specifically authorized to use. A.9.2 User access management Objective: To ensure authorized user access and to prevent unauthorized access to systems and services. How SCB helps you: SCB gives you the possibility to control remote access from a central location. It can enforce strong authentication and authorization methods, and provide customized access control to the audited systems. A.9.2.3 Management of privileged access rights. Control: The allocation and use of privileged access rights shall be restricted and controlled. 7 www.balabit.com Using SCB for ISO27001 compliance How SCB helps you: SCB provides a single point that authenticates and controls access to the protected servers and services. For example removing a user from your central LDAP (for example, Active Directory) database instantly and automatically revokes all access of that user. SCB also supports scenarios when the user does not know the actual credentials used to access the server. This makes removing access rights easy even when shared accounts are used. A.9.2.6 Removal or adjustment of access rights. Control: The access rights of all employees and external party users to information and inform- ation processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change. A.9.4 System and application access control Objective: To prevent unauthorized access to systems and applications. How SCB helps you: SCB can complement this control in several different ways: it can serve as a central authentication host that controls remote access to your servers and services that use the SSH, RDP, Telnet, VNC, Citrix ICA, VMWare View, or HTTP/HTTPS protocols, allowing you to control, audit, and authentic- ate remote privileged access (for example, database and server administrators), and also thin-client users (for example, Citrix XenApp, XenDesktop, or Microsoft Terminal Services). SCBalso allows you to control which remote applications or protocol features are available for a specific user, for example: A.9.4.1 Information access restriction. Control: Access to information and application system functions shall be restricted in accord- ance with the access control policy. limit (and also audit) file transfers like SCP and SFTP, permit SSH but disable port forwarding, permit RDP access but disable file redirec- tion, prevent the user fromstarting specific applic- ations (this feature of SCB detects the com- mand or application to be started in real time, and can terminate the connection, or raise an alert if the user tries to access a prohibited application, for example, the sudo in a Linux/UNIXterminal, or the Group Policy Management window on a Microsoft Win- dows server). To limit access to certain information, SCB can integrate with DLP systems to process the information that the user accessed in the connection. 8 www.balabit.com A.9.4 System and application access control How SCB helps you: SCB has numerous features that support the secure log-on procedure, including the following: A.9.4.2 Secure log-on procedure. Control: Where required by the access control policy, access to systems and applications shall be controlled by a secure log-on procedure. Enforce the use of strong encryption meth- ods, for example, by disallowing the use of weak cipher algorithms in the connections. Enforce the use of strong authentication methods, for example, disable the use of passphrases, and require the users to authen- ticate with X.509 certificates. Authenticate the users to a central LDAP database (for example, Microsoft Active Directory). SCB can serve as an authentication gateway, where the users must authenticate before ac- cessing the target server or service. The gateway authentication can happen inband, within the audited connection, or also out- band, using an external, secondary connec- tion to SCB. You can set up SCB to require the users to authenticate on SCB using their own creden- tials (for example, their own certificate or password), and SCBcan use different creden- tials to access the target server. This is useful if the target server (for example, a legacy mainframe, or a network device) does not support strong authentication methods, has only a built-in account, or you do not want the users to know the actual credentials to the target server. SCB can use a credential store or a password vault to authenticate on the target server. A.10.1 Cryptographic controls Objective: To ensure proper and effective use of cryptography to protect the confidentiality, authenticity, and/or integrity of information. 9 www.balabit.com A.10.1 Cryptographic controls How SCB helps you: SCB can enforce the use of strong encryption methods, for example, by disallowing the use of weak cipher algorithms in the audited connec- tions. The recorded audit trails can be digitally signed and encrypted using strong encryption methods. It is even possible to require multiple certificates to be present to decrypt the audit trails. A.10.1.1 Policy on the use of cryptograph- ic controls. Control: A policy on the use of cryptographic controls for protection of information shall be developed and implemented. A.12.1 Cryptographic controls Objective: To ensure correct and secure operations of information processing facilities. HowSCBhelps you: SCB can complement change- management policies and controls if the information processing facilities are remotely managed using a remote access protocol supported by SCB, for example, SSH or RDP. Such changes can be audited by SCB, and be part of the documentation of the change. For example, the audit trails can be used in forensic situations or general review to verify that a particular configuration change was actually performed. A.12.1.2 Change management. Control: Changes to the organization, business processes, information processing facilities and systems that affect information security shall be controlled. A.12.4 Logging and monitoring Objective: To record events and generate evidence. How SCB helps you: SCB can record and audit the actions of system administrators and other privileged users accessing systems and services remotely, for ex- ample, using the Secure Shell (SSH), Remote Desktop (RDP), HTTP, Citrix ICA, VMware View, Telnet, and Virtual Network Computing (VNC) protocols. The re- corded events can be replayed like a movie, and are stored in encrypted, digitally signed, and timestamped format, preventing manipulation or misuse. SCB is an excellent tool to find and review faults and actions in forensics situations. A.12.4.1 Event logging. Control: Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed. HowSCBhelps you: SCB is an individual appliance that can operate transparently, so the users of the audited connection have no access to the appliance. On SCB, the audit trails can be stored in encrypted, digitally signed, and timestamped format preventing manipulation or misuse. A.12.4.2 Protection of log information. Control: Logging facilities and log information shall be protected against tampering and unau- thorized access. 10 www.balabit.com A.12.1 Cryptographic controls How SCB helps you: SCB was developed exactly for this purpose: to control, monitor, and audit remote access activities. SCB provides reliable, digitally signed, and encrypted audit trails and reports about remote systemadministration activities to ensure that every event is properly logged. The events can be reviewed exactly the same way as they happened. A.12.4.3 Administrator and operator logs. Control: System administrator and system op- erator activities shall be logged and the logs protected and regularly reviewed. How SCB helps you: SCB can automatically syn- chronize its system clock to a remote time server. That way the audit trails contain accurate time information even if the server logs are mistimed because the clock of the server is not accurate or has not been synchron- ized. A.12.4.4 Clock synchronisation. Control: The clocks of all relevant information processing systems within an organization or security domain shall be synchronised to a single reference time source. A.13.1 Network security management Objective: To ensure the protection of information in networks and its supporting information processing facilities. HowSCBhelps you: SCBcan control, monitor, and audit the encrypted channels used in remote service ac- cess and remote application access, and can also enforce strong authentication and authorization methods, includ- ing gateway authentication, two-factor authentication, and 4-eyes authorization. SCB can also monitor the terminal connections used to access networking devices, such as routers and switches. This real-time monitoring and alerting feature allows you, for example, to collect configuration changes of Cisco routers, or even prevent the network administrat- ors from executing unwanted commands. A.13.1.1 Network controls. Control: Networks shall be managed and con- trolled to protect information in systems and applications. A.15.2 Supplier service delivery management Objective: To maintain an agreed level of information security and service delivery in line with supplier agreements. 11 www.balabit.com A.13.1 Network security management How SCB helps you: SCB is ideal to oversee IT services managed by third parties, for example, remote support or remote service management. SCBcan provide detailed, replayable audit trails and reports to review the actions of the third party. It also offers strong access control methods to limit the access of the third party to the absolutely necessary, for example: A.15.2.1 Monitoring and review of suppli- er services. Control: Organizations shall regularly monitor, review and audit supplier service delivery. grant access only in a specific maintenance window, require out-of-band authentication on the SCB gateway, limit the available channels in the remote connection, prevent the user fromstarting specific applic- ations (this feature of SCB detects the com- mand or application to be started in real time, and can terminate the connection, or raise an alert if the user tries to access a prohibited application, for example, the sudo in a Linux/UNIXterminal, or the Group Policy Management window on a Microsoft Win- dows server), enforce the 4-eyes principle to oversee the third party, and permit remote connections from the third party only if someone has au- thorized the connection and is actively mon- itoring the events. A.16.1 Management of information security incidents and improvements Objective: To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses. HowSCBhelps you: SCBcollects information inde- pendently from the clients and the servers, therefore it cannot be manipulated. The audit trails can be stored in encrypted, digitally signed, and timestamped format to prevent manipulation or misuse. SCB provides reliable audit trails and reports about remote system access activities to ensure that every event is properly logged and the events can be reviewed exactly the same way as they occurred. This is especially useful since many applic- ations do not log enough information to exactly recon- struct the actions of the users. SCB can complement these logs. A.16.1.7 Collection of evidence. Control: The organization shall define and ap- ply procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence. 12 www.balabit.com A.16.1 Management of information security incidents and improvements A.17.2 Redundancies Objective: To ensure availability of information processing facilities. How SCB helps you: The SCB appliance supports high-availability configurations, where two SCB units operate together in fail-over mode, and every incoming data is instantly available on both units. Also, the appli- ances can be equipped with redundant power units. A.17.2.1 Availability of information pro- cessing facilities. Control: Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements. 13 www.balabit.com A.17.2 Redundancies 3. Other important features This section highlights some of the features of BalaBit Shell Control Box that were not discussed in detail so far, but are useful to know about. Protocol inspection SCB acts as an application level proxy gateway: the transferred connections and traffic are inspected on the applic- ation level (Layer 7 in the OSI model), rejecting all traffic violating the protocol an effective shield against attacks. This high-level understanding of the traffic gives control over the various features of the protocols, like the authen- tication and encryption methods used in SSH connections, or the channels permitted in RDP traffic. Detailed access control SCB allows you to define connections: access to a server is possible only from the listed client IP addresses. This can be narrowed by limiting various parameters of the connection, for example, the time when the server can be accessed, the usernames and the authentication method used in SSH, or the type of channels permitted in SSH or RDP connections (for example, SCB can permit SSH port-forwarding only to selected users, or disable access to shared drives in RDP). Controlling the authentication means that SCB can enforce the use of strong authentication methods (public key), and also verify the public key of the users. High availability support All audited traffic must pass SCB, which can become a single point of failure. If SCB fails, the administrators cannot access the protected servers for maintenance. Since this is not acceptable for critical servers and services, SCB is also available with HA support. In this case, two SCB units (a master and a slave) having identical configuration operate simultaneously. The master shares all data with the slave node, and if the master unit stops functioning, the other one becomes immediately active, so the servers are continuously accessible. Seamless integration The system is fully transparent, no modification on the client or the server is necessary, resulting in simple and cost effective integration into your existing infrastructure. Automatic data and configuration backups The recorded audit trails and the configuration of SCB can be periodically transferred to a remote server. The latest backup including the data backup can be easily restored via SCB's web interface. Managing SCB SCB is configured from a clean, intuitive web interface. The roles of each SCB administrator can be clearly defined using a set of privileges: manage SCB as a host, manage the connections to the servers, or view the audit trails. The web interface is accessible via a network interface dedicated to the management traffic. This management interface is also used for backups, logging to remote servers, and other administrative traffic. 14 www.balabit.com Other important features 4. Summary This paper has shown how to use the BalaBit Shell Control Box (SCB) appliance to control privileged access to remote systems and record the activities into searchable and replayable movie-like audit trails, and how to use the audit trails in forensic situations. SCB is an ideal choice to enhance your IT infrastructure if your organization must comply to external regulations like ISO 27001:2013. 4.1. About BalaBit BalaBit IT Security Ltd. is an innovative information security company, a global leader in the development of privileged activity monitoring, trusted logging and proxy-based gateway technologies to help protect customers against internal and external threats and meet security and compliance regulations. As an active member of the open source community, we provide solutions to a uniquely wide range of both open source and proprietary plat- forms, even for the most complex and heterogeneous IT systems across physical, virtual and cloud environments. BalaBit is also known as the logging "company", based on the company's flagship product, the open source log server application syslog-ng, which is used by more than 1 000 000 companies worldwide and became the globally acknowledged de-facto industry standard. BalaBit, the fastest-growing IT Security company in the Central European region according to Deloitte Technology Fast 50 (2012) list, has local offices in France, Germany, Russia, and in the USA, and cooperates with partners worldwide. Our R&D and global support centers are located in Hungary, Europe. To learn more about commercial and open source SCB products, request an evaluation version, or find a reseller, visit the following links: Shell Control Box homepage Product manuals, guides, and other documentation Contact us and request an evaluation version Find a reseller All questions, comments or inquiries should be directed to <info@balabit.com> or by post to the following address: BalaBit IT Security 1117 Budapest, Alz Str. 2 Phone: +36 1 398 6700 Fax: +36 1 208 0875 Web: http://www.balabit.com/ Copyright 2014 BalaBit IT Security Ltd. All rights reserved. This document is protected by copyright and is distributed under licenses restricting its use, copying, distribution, and decompilation. No part of this document may be reproduced in any form by any means without prior written authorization of BalaBit. The latest version is always available at the BalaBit Documentation Page. 15 www.balabit.com Summary