Shell Control Box 4 F4
PRODUCT DESCRIPTION
Copyright Balabit. All rights reserved. www.balabit.com
Introduction: Independent and Transparent User Monitoring
Shell Control Box (SCB) is a turnkey activity monitoring appliance that controls access to remote servers, virtual desktops, or networking devices, and records the activities of the users accessing these systems. For example, it records as the system administrators configure your database servers through SSH, or your employees make transactions using thin-client applications in a Citrix environment. The recorded audit trails can be replayed like a movie to review the events exactly as they occurred. The content of the audit trails is indexed to make searching for events and automatic reporting possible. SCB is especially suited to supervise privileged-user access as mandated by many compliance requirements, like PCI-DSS.

SCB logs all administrative traffic (including configuration changes, executed commands, etc.) into audit trails. All data is stored in encrypted, timestamped and signed files, preventing any modification or manipulation. In case of any problems (server misconfiguration, database manipulation, unexpected shutdown, etc.) the circumstances of the event are readily available in the audit trails, so the cause of the incident can be easily identified. SCB is a quickly deployable enterprise tool with the widest protocol coverage on the market. It is an external, fully transparent device, completely independent from the clients and the servers. The server and client applications do not have to be modified in order to use SCB; it integrates seamlessly into the existing infrastructure.

Balabit’s Contextual Security Intelligence™ Platform protects organizations in real-time from threats posed by the misuse of high risk and privileged accounts. Solutions include reliable Log Management with context enriched data ingestion, Privileged User Monitoring and User Behavior Analytics. Together they can identify unusual user activities and provide deep visibility into potential threats. As a privileged user monitoring solution, Shell Control Box is a core component of the Contextual Security Intelligence Platform. It captures the activity data necessary for user profiling and enables full user session drill down for forensic investigation.
Application areas and typical end-users

Regulatory compliance
Compliance is becoming increasingly important in several industries - laws, regulations and industrial standards mandate increasing security awareness and the protection of customer data. Regulations like the Sarbanes-Oxley Act (SOX), the Payment Card Industry - Data Security Standard (PCI-DSS), ISO 27001, or the EU Data Protection Act all mandate the strict protection of sensitive information - be it personal data, credit card data, or financial information. Missing items from the log collection system result in many question marks when an incident occurs. Therefore, organizations must find a reliable solution to be able to audit and report the actions of their privileged users in order to ensure compliance.

Control IT outsourcing partners
Third parties are essential to business and IT operations. Using such services also means that your organization is willing to trust the administrators of this external company with all its data (for example, private and business e-mails, customer information, and so on), or even with the operation of business-critical systems. Actually, companies do not have a reliable and easy-to-use solution for validating SLAs and verifying billable activities. Measuring Key Performance Indicators (KPI) such as response times or restricting external administrator access is also a challenging exercise. That is the reason why it is essential to monitor third party access - to know what outsourcing partners do when they connect to your systems.

Monitor internal IT staff
System administrators are the most powerful users in an IT environment. Although these users typically sit at the bottom of the organizational hierarchy, they have very high or even unrestricted access rights to operating systems, databases and applications. Having superuser privileges on servers, administrators have the possibility to directly access and manipulate your company’s sensitive information, such as financial and client data, or HR records. In contrast, their accountability is low, as they have several opportunities to mask their activities. In addition, administrative accounts are often shared among IT staff – as you can never know who did what on a system, their accountability is not possible. Supervising these users’ activity with traditional methods (for example with logging or with written company policies) is quite difficult. As a result, the question of “who did what?” is almost impossible to answer, and often leads to accusations along with the time and money wasted on investigating incidents.

Monitor hosting/cloud providers
Cloud & hosting Service Providers (MSPs), as partners, are expected to provide proactive security and monitoring solutions, specialized expertise and resources for organizations of all sizes. Every action a provider performs on its customers’ servers can trigger a blame-game. Furthermore, cloud providers are increasingly subject to data protection regulations from a variety of organizations ranging from the ISAE (International Standard on Assurance Engagements) via SAS70 to national law enforcement agencies. SCB controls privileged access to cloud datacenters and records the activities in a tamper-proof way to show authentic evidence in accountability issues or for compliance reasons.
Troubleshooting & Forensic IT incidents
The simple question “Who did what on our server?” is one of the toughest questions to answer in IT today. When something wrong happens, everybody wants to know the real story. For example, when you have to investigate a remote-access incident, the correlation of logs might be necessary between the desktop PC, the firewall, and the accessed servers. Analyzing thousands of text-based logs can be a nightmare and may require the participation of costly external experts. Without recording the user sessions, the question of “who did what and when?” is almost impossible to answer, and often leads to accusations along with time and money wasted on investigating the incident. To avoid this, a tamper-proof session-recording solution should be used.

Protect sensitive data
Many companies manage and store personal data, such as billing information, payment transaction data, and personal financial information. User access to this data must be logged and archived for several years. If there is any unauthenticated access and data leak, the company could suffer major damage to its reputation. SCB perfectly isolates your sensitive systems from unknown intruders or from non-authorized users. In addition, it tracks all authorized access to sensitive data and provides actionable information in the case of human errors or unusual behavior.

Audit VDI users
Enterprises increasingly implement virtualized desktop infrastructures; thus, when users work from their local machine, all of the applications, processes, and data used are kept on the server and run centrally. However, countless business applications running on these terminal servers are not capable of sufficient logging. Consequently, controlling the activities of several hundreds or thousands of thin-client users is almost impossible. SCB can audit protocols used in popular VDI applications (e.g. CITRIX XenDesktop, VMware View), allowing you to monitor and record all user activities independently of the application being used.
Public references
The list of companies and organizations using the Balabit Shell Control Box includes:
• E.ON Climate & Renewables – http://www.eon.com/en/ – USA
• Bouygues Telecom – http://www.bouyguestelecom.fr/ – France
• France Telecom - Orange – http://www.orange.com/en/home – Romania
• Paddy Power Betfair – https://www.paddypowerbetfair.com/ – United Kingdom
• National Bank of Hungary – http://www.mnb.hu – Hungary
• Svenska Handelsbanken AB – http://www.handelsbanken.com/ – Sweden
• FIDUCIA IT AG – http://www.fiducia.de/ – Germany
• Ankara University – http://www.ankara.edu.tr/ – Turkey
• Leibniz Supercomputer Center (LRZ) – http://www.lrz.de/english/ – Germany
• CEZ Group – http://www.cez.cz/en/home.html – Czech Republic
Product Features and Benefits
[Figure: feature wheel with the labels Authentication, Access Control, Prevent, Detect, Real-time Alerts, Analyze, Activity Reports, Audit & Forensics]
• Independent from servers and clients, and difficult to compromise
• Transparent operation and easy integration into the existing infrastructure
• Control all widely used administrative protocols such as SSH, RDP, HTTP(s), Citrix ICA, VNC or Telnet
• Granular access control to servers and audit trails
• 4-eyes authorization for remote system- and data access
• Real-time prevention of risky actions
• Audit SCP and SFTP connections, list file operations, and extract transferred files
• Collect tamper-proof information for forensics investigations
• Movie-like playback of recorded sessions
• Free-text search for fast troubleshooting
• Custom activity reports for compliance
• Easy, web-based management
• High Availability option
• Automatic data archiving and backup
Comprehensive Protocol Inspection SCB acts as an application level proxy gateway: the transferred connections and traffic are inspected on the application level (Layer 7 in the OSI model), rejecting all traffic violating the protocol – an effective shield against attacks. This high-level understanding of the traffic gives control over the various features of the protocols, like the authentication and encryption methods used in SSH connections, or the channels permitted in RDP traffic.
[Figure: traffic passing through SCB, showing unwanted, allowed and audited tunnels]
Widest protocol coverage
• The Secure Shell (SSH) protocol (version 2) used to access Unix-based servers and network devices.
• The Virtual Network Computing (VNC) graphical desktop sharing system commonly used for remote graphical access in multi-platform environments. TLS or SSL encryption for VNC is also supported.
• The Remote Desktop Protocol (RDP) versions 5, 6, and 7 used to access Microsoft Windows platforms, including Windows 2012R2 and Windows 10.
• The VMware View application used to access remote virtual desktops (currently only direct connections using the RDP display protocol are supported).
• HTTP/HTTPS protocol used for administrative access to the web interfaces of various devices and applications, for example, routers, firewalls, appliances, web-services, and so on.
• Citrix ICA protocol to access virtual desktop and application server infrastructures, designed by Citrix Systems. (SCB is verified as Citrix Ready with XenDesktop and XenApp 7.x deployments.) Reliable connections, also known as Common Gateway Protocol (CGP), are also supported.
• The X11 protocol forwarded in SSH, used to remotely access the graphical interface of Unix-like systems.
• The Telnet protocol used to access networking devices (switches, routers) and the TN3270/TN5250 protocols used with legacy UNIX systems and IBM mainframes. TLS or SSL encryption for Telnet, and TN3270 is also supported.
• Terminal Services Gateway Server Protocol, so SCB can act as a Terminal Services Gateway (also called TS Gateway or Remote Desktop Gateway).
Detailed Access Control
SCB allows you to define connections: access to a server is possible only from the listed client IP addresses. This can be narrowed by limiting various parameters of the connection, for example, the time when the server can be accessed, the usernames and the authentication method used in SSH, or the type of channels permitted in SSH or RDP connections. Controlling the authentication means that SCB can enforce the use of strong authentication methods (public key), and also verify the public key of the users. SCB has the built-in capability to verify the SSH host keys and certificates identifying the servers, preventing man-in-the-middle attacks and other manipulation. Also, SCB can authenticate the users to an external user directory. This authentication is completely independent from the authentication that the user performs on the remote server.

In addition to the authentication performed on the remote server, it is also possible to require an additional, outband authentication on the SCB web interface. Authorization can be based on this outband authentication as well.

SCB supports local credential stores offering a way to store user credentials (for example, passwords, private keys, certificates) and using them to login to the target server, without the user having access to the credentials. That way, users only have to authenticate on SCB with their usual password (that can be stored locally on SCB or in a central LDAP database). If the user is allowed to access the target server, SCB automatically logs in using the data from the credential store.

[Figure: client authenticates on the SCB gateway, then SCB authenticates on the target server]

The following parameters can be controlled:
• The group of administrators permitted to access the server (based on username black- and whitelists or LDAP groups) when using SSH, Telnet or RDP6 with Network Layer Authentication.
• The authentication method (for example, password, public-key, certificate) required to access the server using SSH.
• The time period when the server can be accessed (for example, only during working hours).
• The type of the SSH or RDP channel permitted to the server (for example, SSH terminal or port forward, RDP file sharing, and so on).
• The IP address of the client machines allowed to access the server.
The above rules can be applied both on the connection level and the channel level. That way access to special channels can be restricted to a smaller group of administrators – limiting access to only those who really need it.
4-eyes authorization
To avoid accidental misconfiguration and other human errors, SCB supports the 4-eyes authorization principle. This is achieved by requiring an authorizer to allow administrators to access the server. The authorizer also has the possibility to monitor the work of the administrator in real time, just like they were watching the same screen.

[Figure: 4-eyes authorization – client, authorizer, SCB and target server]

The 4-eyes principle can be used for the auditors as well; SCB can use multiple keys to encrypt audit trails. In this case, multiple decryption keys are needed to replay the audit trails, so a single auditor on his own cannot access all information about network systems.

Real-time alerting & blocking
SCB can monitor the traffic of SSH, Telnet, RDP, ICA and VNC connections in real time, and execute various actions if a certain pattern appears in the command line or on the screen. Predefined patterns can be, for example, a risky command or text in a text-oriented protocol, or a suspicious window title in a graphical connection. This functionality can prevent malicious user activities as they happen instead of just recording or reporting them. For example, SCB can block a connection before a destructive administrator command, such as „rm”, comes into effect. SCB can also detect numbers such as credit card numbers. The patterns to find can be defined as regular expressions. In the case of detecting a suspicious user action, SCB can perform the following measures:
• Log the event in the system logs.
• Immediately terminate the connection.
• Send an e-mail or SNMP alerts about the event.
• Store the event in the connection database of SCB.

[Figure: real-time alerting and blocking by SCB – an allowed, audited connection; a suspicious session (e.g. credit card data on screen) raising a real-time alert to the auditor; a blocked session (e.g. sudo, rm)]
Movie-like playback and free-text search
SCB records all sessions into searchable audit trails, making it easy to find relevant information in forensics or other situations. Audit trails can be browsed online, or followed in real time to monitor the activities of the privileged users. All audit trails stored on SCB and the archiving server are accessible from SCB’s web interface. The web-based Audit Data Player application replays the recorded sessions just like a movie – all actions of the administrators can be seen exactly as they appeared on their monitor. Audit trails are indexed by an internal “on-box” indexer or – optionally – by external indexer services. This makes the results searchable on the SCB web GUI. The improved searching abilities provide easier post-mortem incident analysis, as auditors can access detailed search results, for example, hits with precise timestamps or screenshots that contain the searched expression. The full-text searching capabilities provide search results ranked by relevance, many powerful query types, and support for non-Latin characters.

[Figure: indexing and reporting – client, SCB, server and the web-based audit player]

The Audit Data Player enables fast forwarding during replays, searching for events (for example, mouse clicks, pressing Enter) and texts seen by the administrator. It is also possible to execute searches on a large number of audit trails to find sessions that contain specific information or events. SCB can also execute searches and generate reports automatically for new audit trails. These content reports provide detailed documentation about user activities on remote IT systems. In addition, SCB supports the creation of custom reports and statistics, including user-created lists and charts based on search results, the contents of audit trails, and other customizable content. To help you comply with the regulations of the PCI DSS, SCB can generate reports on the compliance status of SCB.
Review file transfers
In addition to recording audit trails of the inspected protocols, embedded protocols (for example, other protocols tunneled in SSH, port-forwarding) and transferred files can be recorded as well. Recorded files from SCP and SFTP connections can be extracted for further analysis. It is even possible to convert the audited traffic into packet capture (pcap) format for analysis with external tools.

Reliable auditing
Auditing is usually based on the logs generated on the audited server. This model is inherently flawed, as logs of interactive events are usually not too detailed, and there is no way to ensure that the logs stored on or sent by the server have not been manipulated by an administrator or attacker. But SCB is an independent device that operates transparently, and extracts the audit information directly from the communication of the client and the server. In addition, to prevent manipulation and provide reliable information for the auditor, SCB timestamps, encrypts and signs all audit trails. This prevents anyone from modifying the audited information – not even the administrator of SCB can tamper with the encrypted audit trails. SCB also generates detailed changelogs of any modification of its configuration.

Retain all data for over a year
SSH and Telnet terminal sessions that take up the bulk of system-administration work are the most interesting type of traffic for auditing purposes. But such traffic typically does not take up much space on the hard disk (only about 1 MB per hour, depending on the exact circumstances), so SCB can store close to 500,000 hours of the system administrators’ activities. That means a company who has 50 administrators constantly working online (7x24) can store all SSH and Telnet sessions on SCB for over 1 year – in searchable, replayable, readily accessible format. And these figures do not include the data archived on the remote backup server, which are equally accessible from SCB. RDP sessions take up considerably more space (but usually under 1 MB per minute), meaning that SCB can store the data of several weeks of work. The audit trails are compressed; idle connections do not consume disk space.
Transparent mode
In transparent mode, SCB acts as a transparent router connecting the network segment of the administrators to the segment of the protected servers at the network layer (Layer 3 in the OSI model).

[Figure: transparent (router) mode – the client in subnet #1 addresses the server IP and port directly; SCB routes the connection to the server in subnet #2]

Non-transparent mode
In non-transparent mode, SCB acts as a bastion host — administrators can address only SCB, the administered servers cannot be targeted directly. The firewall of the network has to be configured to ensure that only connections originating from SCB can access the servers. SCB determines which server to connect to based on the parameters of the incoming connection (the IP address of the administrator and the target IP and port).

[Figure: non-transparent (bastion) mode – the client in subnet #1 addresses the SCB IP and port; SCB connects to the server in subnet #2 or #1]

Smooth Integration
To make integration into your network infrastructure smooth, SCB supports transparent and nontransparent operations. To simplify integration with firewalled environments, SCB supports both source and destination address translation (SNAT and DNAT). To make the network configuration flexible, SCB supports virtual networks (VLANs). In VLAN environments the transparent and non-transparent operations are merged: SCB can manage nontransparent (Bastion mode) and transparent (Router mode) connections simultaneously.
Integration to user directories
SCB can connect to a remote LDAP database (for example, a Microsoft Active Directory server) to resolve the group memberships of the users who access the protected servers. Rules and policies can be defined based on group memberships. When using public-key authentication in SSH, SCB can authenticate the user against the key or X.509 certificate stored in the LDAP database.

Administrators and auditors accessing the web interface of SCB can also be authenticated to an LDAP database. RADIUS authentication (for example, using SecurID) is also supported both for accessing the web interface, and also to authenticate the audited SSH sessions.

SCB includes a flexible plugin framework that allows you to integrate with external third-party authentication or authorization tools (e.g. OKTA) for connections that SCB monitors. Such plugins support multifactor authentication by requesting additional authentication information from the user or an external system (for example, LDAP or Active Directory), and permit or deny the connection based on this information.

Integration with Blindspotter
SCB now supports the operation of Blindspotter, the realtime user behavior analytics solution of Balabit. Blindspotter is a monitoring tool that maps and profiles user behavior to reveal human risk, and can analyze user behavior using the data from the audit trails recorded by SCB.
Deployment in public cloud
You can deploy SCB from the Microsoft Azure Marketplace, with a bring-your-own-license model. This allows you to conveniently audit access to your entire virtualized infrastructure.

Integration to Privileged Identity Management solutions
In addition to storing credentials locally, SCB can be seamlessly integrated with Lieberman’s Enterprise Random Password Manager (ERPM) and Thycotic’s Secret Server password management solutions. That way, the passwords of the target servers can be managed centrally using the above password managers, while SCB ensures that the protected servers can be accessed only via SCB — since the users do not know the passwords required for direct access.

[Figure: external password management – gateway authentication on SCB; the audited connection is paused until gateway authentication is successful; SCB retrieves the credentials for the host-user pair and authenticates on the server using data from the credential store]

Beyond ERPM integration, SCB provides a generic Application Programming Interface (API) to make integration with further password management systems also possible.

Integration with SIEM systems
SCB can be integrated with leading Security Information and Event Management (SIEM) systems, HP ArcSight and Splunk. SCB is available at both vendors’ marketplace and is able to improve their reporting and alerting capabilities by sending detailed and better quality data of privileged user access.
Integration to ticketing systems
SCB provides a plugin framework to integrate it with external helpdesk ticketing (or issue tracking) systems, allowing SCB to request a ticket ID from the user before authenticating on the target server. That way, SCB can verify that the user has a valid reason to access the server — and optionally terminate the connection if he does not. Requesting a ticket ID currently supports the following protocols: SSH, RDP, TELNET and TN3270.
Simple management
SCB is configured from a clean, intuitive web interface. The roles of each SCB administrator can be clearly defined using a set of privileges:
• manage SCB as a host;
• manage the connections to the servers;
• view the audit trails and reports, and so on.
Access to the SCB web interface can be restricted to a physically separate network dedicated to the management traffic. This management interface is also used for backups, logging to remote servers, and other administrative traffic. Users accessing the web interface can be authenticated to an LDAP or a RADIUS database. An X.509 certificate can be also required from the users accessing the web interface to enforce strong authentication. All configuration changes are automatically logged; SCB can also require the administrators to add comments when they modify the configuration of SCB. SCB creates reports from the configuration changes, and the details and descriptions of the modifications are searchable and can be browsed from the web interface, simplifying the auditing of SCB.

Integration to third-party applications
A Web Services based remote API (RPC API) is also available to manage and integrate with SCB. The SOAP-based RPC API allows you to access, query, and manage SCB from remote applications. You can access SCB using a RESTful API, as well. Accessing SCB with the API offers the following advantages:
1. Integration into custom applications and environments (e.g. helpdesk ticketing systems)
2. Central search for connection data from external applications (e.g. from SIEM tools)
3. Integration with key management systems
4. Configuring SCB from third-party systems management applications
High Availability
SCB is also available in a high availability (HA) configuration. In this case, two SCB units (a master and a slave) having identical configuration operate simultaneously. The two units have a common file subsystem; the master shares all data with the slave node as soon as the data is received: every configuration change or recorded traffic is immediately synchronized to the slave node. If the master unit stops functioning, the other one becomes immediately active, so the protected servers are continuously accessible. SCB-T4 and larger versions are also equipped with dual power units.

Software upgrades
Software upgrades are provided as firmware images – upgrading SCB using the SCB web interface is as simple as upgrading a network router. SCB stores up to five previous firmware versions, allowing easy rollback in case of any problems.

Automatic data archiving
The recorded audit trails are automatically archived to a remote server. The data on the remote server remains accessible and searchable; several terabytes of audit trails can be accessed from the SCB web interface. SCB uses the remote server as a network drive via the Network File System (NFS) or the Server Message Block (SMB/CIFS) protocol.

Support and warranty
Support and software subscriptions for SCB can be purchased on an annual basis in various packages, including 7x24 support and on-site hardware replacement. Contact Balabit or your local distributor for details.
Hardware specifications
SCB appliances are built on high performance, energy efficient, and reliable servers that are easily mounted into standard rack mounts.

T1 – Balabit Shell Control Box T1
■ 1xQuadCore CPU, 8 GB RAM, 1 TB HDD – software RAID
■ Software license to audit 10 servers, upgradeable to 500 servers.

T4 – Balabit Shell Control Box T4
■ 1xQuad Core CPU, 8 GB RAM, redundant power supply, 4 TB HDD – hardware RAID.
■ Software license to audit 10 servers, upgradeable to 5000 servers.

T10 – Balabit Shell Control Box T10
■ 2x6 Core CPU, 32 GB RAM, redundant power supply, 10 TB HDD, hardware RAID.
■ Software license to audit 100 servers, upgradeable to tens of thousands of servers.

VA – Balabit Shell Control Box VA
■ Virtual appliance to be run under VMware ESXi, Microsoft Hyper-V or Microsoft Azure.
■ Software license to audit 10 servers, upgradeable to tens of thousands of servers.

Free evaluation
A fully-functional evaluation version of SCB is available as a VMware image upon request. An online demo is also available after registering on our website.
TO TEST THE BALABIT SHELL CONTROL BOX, REQUEST AN EVALUATION VERSION AT WWW.BALABIT.COM/MYBALABIT/

Learn More
To learn more about commercial and open source Balabit products, request an evaluation version or find a reseller, visit the following links:
The Shell Control Box homepage: http://www.balabit.com/network-security/scb/
Product manuals, guides, and other documentation: https://www.balabit.com/network-security/scb/documentation
Request an online demo: https://my.balabit.com/new-request/scb-live
Find a reseller: http://www.balabit.com/partnership/commercial/
About Balabit
Balabit is an international IT security vendor, founded in Budapest, Hungary. Balabit is a leading provider of contextual security technologies with the mission of preventing data breaches without constraining business. Balabit operates globally through a network of local offices across the United States and Europe together with partners. Balabit’s Contextual Security Intelligence™ strategy protects organizations in real-time from threats posed by the misuse of high risk and privileged accounts. Solutions include reliable system and application Log Management with context aware data ingestion, Privileged User Monitoring and User Behavior Analytics. Together they can identify unusual user activities and provide deep visibility into potential threats. Working in conjunction with existing control-based strategies, Balabit enables a flexible and people-centric approach to improve security without adding additional barriers to business practices. Founded in 2000, Balabit has a proven track record including 23 Fortune 100 customers among over 1,000,000 corporate users worldwide.
For more information, visit www.balabit.com