Securing and Managing Administrative Access

Access Control for Device Management

The basic requirements of securing administrative access to managed devices in any type of a network are to satisfy an organization’s needs for authentication, authorization, and auditing. The larger the number of managed devices in a network and the more system administration users, the more complex satisfying and managing these needs becomes. Without centralized control, policies for system administration user management, device password management, and methods for retrieving and correlating audit information are distributed into each device to be managed. Centralizing control over authentication, authorization, and auditing of system administration users reduces overall network management costs, simplifies the operations team’s processes, and eases the efforts to adhere to security requirements.

The TACACS standard defines the basics of an access control server mechanism along with device password management. However, there is a need for more robust solutions that include:

• Being able to access any manageable device from any vendor
• An easy-to-use, browser-based interface
• Ability to proxy many protocols to achieve the most robust auditing
• Support for in band and out-of-band access control
• Automating device password change management
• Multiple levels of profiles for system administration users
• Connecting to managed devices not controlled by a network access server
• Granting periodic access to third parties, such as a vendor's support engineers

Data Track's Approach

We deliver access management within our Secure Access offer. It provides a comprehensive range of integrated hardware and software products and services that enable our customers to:

• Reduce the cost of supporting managed devices
• Increase the security and accountability of system administration
• Deploy a platform for new, value-added system administration services

Software applications within Secure Access include:

• Managing secure administration access to remote devices
• Measuring system administration access compliance
• Managing the security credentials of Data Track access mechanisms
• Managing the Quality of Service on the TCP/IP network

The main hardware component of Secure Access is a network device called a Tracker. It is a versatile, intelligent network application device built upon a secure and robust implementation of Linux. It includes extensible system services that improve the delivery and management of system administration. In addition, the Tracker offers an SDK for development of additional network applications.

Data Track's SAMS Software

SAMS is access control management software that aggregates and streamlines authentication, authorization, and auditing. Once system administration users authenticate via the SAMS web portal, they are given access to permitted devices without having to sign on separately to each system or device. The SAMS server maintains a centralized, comprehensive user activity audit trail.

Sample secure access deployment with SAMS

SAMS enables network operations teams to:

• Secure authentication by keeping the process hidden so users do not have to know device passwords, and device passwords are not, therefore, widely distributed. When a user leaves an organization, their profile can be removed from the SAMS database without needing to change the password on any of the devices they had access to.
• Control which managed devices an individual user or groups of users can access, including time-restricted, third-party access.
• Automate routine administrative tasks by running scripts at regular intervals to do things like change device passwords, back up device configurations, and synchronize device clocks.
• Audit user activity to comply with regulations like HIPAA and Sarbanes-Oxley or NERC CIP, as well as to perform forensic analysis should security be breached.

To use SAMS, system administration users authenticate into the network where SAMS is running, and then further authenticate by logging in to the SAMS system with a user name and password. A user profile is applied, and the authenticated user is offered a list of managed devices he is authorized to access. The user selects a device to access, and then an access method and connection path are invoked, delivering a connection to the targeted device by the appropriate access program.

The user's session is audited by the user ID, connection type, and activity performed, down to the keystrokes typed into the access program. SAMS offers reports based on the log of user activity for problem resolution, forensic investigations, and compliance to standards.

Features

The following are some of the major features of the SAMS software:

• Browser-based interface that uses SAMS or Windows authentication systems.
• User, group, and device profiles to restrict access to authorized devices only via authorized connection paths.
• Connection details, logins, and passwords are hidden.
• Multiple connections can be made to a single device using different protocols via different paths.
• Connections can be direct to a managed device or chained through intermediate access means.
• Supports the following protocols: HTTP, HTTPS, TELNET, SSH, FTP, VNC, PC Anywhere, and raw TCP.

Benefits

The SAMS software offers the following benefits to an operations team:

• Improved IT Productivity by saving time required to manage system administration access. Third-party experts can easily be given access for specialized support.
• Strengthens Security by reducing the risk of compromised administration access security because users do not see managed device passwords. Also, device password updates can be done more reliably, more frequently, and under automated control.
• Creates A Comprehensive Audit Trail by providing a more detailed record of system administration change activity than any other method.

Since device passwords are stored in a secure database and not shared with each system administration user, passwords are changed in only one place. If a system administration user leaves the operations team, his user login is removed from only one place.

Data Track's Tracker Devices

The Tracker is a versatile, intelligent network application device built upon a secure and robust implementation of Linux for the management of communications networks. It is a reliable device that provides secure access for the administration of multi-vendor infrastructure equipment using TCP/IP or PSTN connections. In addition, a secure application runtime environment allows Tracker products to run custom management applications that deliver value-added administrative services.

Multiple devices to be managed can be connected to a single Tracker, making it a cost effective platform. Trackers maximize communication management resources by performing a variety of functions simultaneously. A single Tracker can be used to collect streaming data such as syslog output; provide a secure transparent gateway for remote diagnostics or configuration; record, filter, and report device alarms; and run application-specific software. The Tracker models are the 2720, 2730, 2740 and 2750.

Tracker's Two-factor Authentication

The Tracker 2720 is a device that acts as a secure, out-bound modem. It is programmed with a 128-bit secret and a unique, 10-digit identifier. The Tracker 2720 cannot answer incoming calls; it can only dial out. When used to call a standard modem, it will operate as a standard modem itself. When used to call a Tracker 2730, 2740, or 2750 system with the equivalent security mechanism enabled, it will use an encrypted response mechanism to respond to a challenge generated by the remote Tracker device.

Tracker systems are programmed with a single secret. Within a secure challenge/response session, both Tracker systems must have identical secrets in order to authenticate with each other. The mechanism employs the AES algorithm for the authentication process.

Unique Identifier

A unique, 10-digit number identifies every Tracker 2720; it cannot be changed. The identifier is patterned as follows:

• Digits 1 - 4 are a group identifier
• Digits 5 - 10 are the device identifier within that group

The use of a group identifier eliminates the complexity of managing multiple secrets, enhances the access control ability of the system, and allows for support of a greater number of separate systems within an organization.

Access Control

After the AES authentication process takes place, the Tracker 2730, 2740, or 2750 systems will continue the authentication process via access control lists containing unique identifiers of Tracker 2720s. There is an access control list for "standard" access on all Tracker systems, and another for "master" access on the Tracker 2730 only.

A Tracker 2720 with an entry in the "standard" access control list of a 2730, 2740 or 2750 system is either allowed or denied access directly to a port in the remote Tracker system. If it has an entry in the "master" list, it is either allowed or denied for administrative access to a Tracker 2730 system itself.

Authentication Session

• Tracker 2720 calls Tracker 2730, 2740, or 2750.
• Called Tracker system acting as a lock raises encrypted challenge.
• Tracker 2720 formulates and returns an encrypted response.
• Response accepted or denied by called Tracker system.
• If accepted; called Tracker system securely requests unique identifier.
• Tracker 2720 returns unique identifier.
• On receipt, called Tracker system applies access control mechanism.

Tracker Integration into SAMS

Data Track Technology's Tracker device integrates into SAMS as a remote secure access device servicing out-of-band, in-band, and VPN connections. Using SAMS to gain access to a managed device through a Tracker delivers increased benefits and security because the Tracker's strong authentication protocols and its VPN capabilities can be used by SAMS to create an encrypted authentication, and then an encrypted connection from SAMS through the Tracker to a managed device on a network "behind" the Tracker. Additional Tracker security features such as restricted answering can be employed to further increase security. The complete set of Secure Access applications are available to any site where a Tracker is deployed.

Data Track's TRS Software

TRS software provides centralized registration and management of the security credentials used by the two-factor authentication process within Data Track's Secure Access solution. It is an essential part of managing large deployments of Data Track's secure access devices.

Features

The following are some of the major features of the TRS software:

• Creates and manages authentication "secret"
• Creates and manages Access Control Lists
• Supports all Tracker devices that act as locks or keys
• Uses local RS-232 interface of the 2720 and 2730, and the remote modem interface of the 2730 to:
  • Register the device
  • Install the authentication "secret" and Access Control Lists
  • Upgrade the device's firmware, when necessary
• Uses a TCP/IP session over the LAN interface or within a PPP session over the modem interface of the 2740 and 2750 to:
  • Register the device
  • Install the authentication "secret" and Access Control Lists
• Tracker devices are registered into the system by TRS Engineer users
• Each Tracker can have multiple security profiles associated with it, as created by the TRS Admin user
• Tracker registration and security credential management activity logs and reports

Summary

Data Track Technology's Secure Access offer increases the security of administrative and support activity within an organization. Deploying it lowers total system administration costs by speeding response times and delivering complete auditing facilities for forensic and compliance requirements.