Wallix AdminBastion - Privileged User Management & Access Control
1. Wallix AdminBastion
Secure Accesses and Trace Actions performed by IT service providers and administrators
Zayed Alji
Regional Sales Manager
Email: zayed.alji@gsn.ae
Mob: +971 50 573 44 30
Tel: +971 2 667 47 82
2. Global Security Network (GSN)
• French Company based in Abu Dhabi, UAE
• GCC Value-Added Distributor for Wallix AdminBastion
• 11 years of operations in the MENA market
• Experienced in delivering high-end IT security projects
• Customers include Intelligence, Defence and Energy sectors
• Dedicated staff of French technical experts in UAE
3. Solution Portfolio
• Privileged User Management & Access Control: Wallix AdminBastion Enterprise
• Secure “One-Way” Communication: Fox DataDiode
• Log Management: Wallix LogBox
• Enterprise Intelligence: AMI Enterprise
5. What does Wallix AdminBastion (WAB) do?
• Provides centralized Access Control for all enterprise resources
• Access Control applied to all types of Administrative Access using Privileged Accounts such as:
  • Administrator accounts on Windows Servers
  • Root accounts on Unix/Linux Servers
  • Root accounts on Cisco devices
  • etc.
• Records all actions performed on managed resources via Privileged Accounts in the form of Video and Text reports
6. Why do we need WAB?
Common challenges for Privileged Accounts
7. Audit/Compliance Requirements
• ISO27001, PCI, Internal Audit etc.
• ISO27001 Compliance
  • 10.10.4 : Administrator Activity Logs
  • A.11 : Access Control
  • A.11.3.1 : Password Use
  • A.11.5 : Operating System Access Control
• PCI Compliance
  • 1.3.3 – No direct routes between internet and internal data environment
  • 2.1 – Change vendor supplied default passwords
  • 7.1.1 – Restriction of access rights to privileged users
  • 7.1.4 – Implementation of an automated access control system
  • …
8. Questions – Privileged Account Credentials
• Do we store our privileged account passwords on paper, software files, mobile devices? Does that satisfy our compliance & audit requirements?
• Do we change our privileged account passwords whenever we have any indication of possible system or password compromise?
• Do we change our privileged account passwords at regular intervals? How easy is that to achieve?
• Do we actually use separate passwords for multiple privileged accounts?
9. Questions – Traceability of Actions
• For shared privileged accounts (administrator, root, enable, ...) can we have Individual Accountability?
• Can we determine exactly what our Service Providers have been doing on our systems?
• If there is an incident due to privileged account activity, are we in a position to determine the cause and the people responsible? How easily and quickly can we do this?
• When a Privileged User leaves the organization, can we deactivate all of his/her access (not just domain accounts) easily in one click?
14. Easy Deployment
NO need to install an agent/client on any of the equipment
o Benefits
  o Time saved during the deployment period
  o Easy integration in the existing infrastructure
  o Lower TCO
NO extensive training is needed for the users
o Benefits
  o No change in work methods
  o A user can keep working with his usual tools (TSE/RDP client, PuTTY, WinSCP, command line …)
15. Implement an Appliance or Software
Appliances: 9 available models, from WAB 25 to WAB 2000
Virtual machines: VMWare ESX 4 virtual appliance
16. WAB Appliances
WAB MODELS     | CPU                                     | RAM                      | Hard Drives               | Power Supply
WAB 25 - 50    | Core i3 540 (3.06 GHz) - Dual Core      | 4 x 1 Gb DDR3, 1333 MHz  | 2 x 250 GB, RAID 1        | Redundant Hot-Plug 2 x 400w
WAB 100 - 200  | Xeon X3480 (3.06 GHz) - Quad Core       | 4 x 2 Gb DDR3, 1333 MHz  | 2 x 1 TB, RAID 1          | Redundant Hot-Plug 2 x 400w
WAB 400 - 600  | Xeon X5675 (3.06 GHz) - Hexa Core       | 4 x 4 Gb DDR3, 1333 MHz  | 4 x 1 TB, RAID 10         | Redundant Hot-Plug 2 x 750w
WAB 800 - 1000 | 2 x Xeon X5675 (3.06 GHz) - Hexa Core   | 8 x 4 Gb DDR3, 1333 MHz  | 8 x 2 TB, RAID 5          | Redundant Hot-Plug 2 x 750w
WAB 2000       | 2 x Xeon E7-4850 (2.00 GHz) - Deca Core | 16 x 4 Gb DDR3, 1333 MHz | 4 x 900 GB (SAS), RAID 10 | Redundant Hot-Plug 2 x 1100w
20. Access Control
• User Group <-> Resource Group
• Users can be restricted to specific IP Addresses
• Users can be restricted within specific timeframes
• Access Protocols and SSH sub-systems for Resources are defined
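The four rules on this slide combine into a single authorization decision. As an added example (not Wallix code, and not how WAB implements it internally), the Python below models a User Group <-> Resource Group link carrying the source-IP, timeframe and protocol/SSH sub-system restrictions, and evaluates a primary connection request against it; all user, group and host names are constructed.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Authorization:
    """One User Group <-> Resource Group link plus the restrictions applied to it."""
    user_group: str
    resource_group: str
    protocols: frozenset                       # e.g. {"SSH", "RDP"}
    ssh_subsystems: frozenset = frozenset()    # allowed SSH sub-systems, e.g. {"shell", "sftp"}
    source_networks: tuple = ()                # CIDR strings; empty means any source IP
    hours: tuple = (0, 24)                     # allowed [start, end) hour of day
    weekdays: frozenset = frozenset(range(7))  # 0 = Monday ... 6 = Sunday

def violation(auth, protocol, subsystem, addr, when):
    """Return the first restriction the request breaks, or None if it passes them all."""
    if protocol not in auth.protocols:
        return "protocol not allowed"
    if protocol == "SSH" and subsystem not in auth.ssh_subsystems:
        return "SSH sub-system not allowed"
    if auth.source_networks and not any(addr in ip_network(n) for n in auth.source_networks):
        return "source IP not allowed"
    if when.weekday() not in auth.weekdays or not auth.hours[0] <= when.hour < auth.hours[1]:
        return "outside authorized timeframe"
    return None

def check_access(user_groups, resource_groups, authorizations, user, resource,
                 protocol, source_ip, when_iso, subsystem=None):
    """Allow the request if any link between the user's and the resource's groups passes every restriction."""
    addr, when = ip_address(source_ip), datetime.fromisoformat(when_iso)
    reasons = []
    for auth in authorizations:
        if (auth.user_group not in user_groups.get(user, ())
                or auth.resource_group not in resource_groups.get(resource, ())):
            continue  # this link does not connect this user to this resource
        reason = violation(auth, protocol, subsystem, addr, when)
        if reason is None:
            return True, f"authorized via {auth.user_group} <-> {auth.resource_group}"
        reasons.append(reason)
    return False, "; ".join(reasons) or "no authorization links user to resource"

# Constructed sample policy (hypothetical names, not taken from the slides).
USER_GROUPS = {"alice": {"unix-admins"}, "bob": {"windows-admins"}}
RESOURCE_GROUPS = {"srv-db01": {"unix-prod"}, "srv-ad01": {"windows-prod"}}
AUTHORIZATIONS = [
    Authorization("unix-admins", "unix-prod", frozenset({"SSH"}), ssh_subsystems=frozenset({"shell"}),
                  source_networks=("10.0.5.0/24",), hours=(8, 19), weekdays=frozenset(range(5))),
    Authorization("windows-admins", "windows-prod", frozenset({"RDP"})),
]
```

A request is refused as soon as it fails one restriction on a link, but another link between the same groups may still authorize it, which is why the denial reason lists every link that was tried.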
21. Complete Traceability / Audit
• Real-Time Traceability of Connections
• Connections History – Provides Individual Accountability
22. Entire Session Recording
RDP SESSIONS (WINDOWS)
• Sessions are saved and stored in flash format (they can be played on the user’s computer)
• You can replay RDP sessions with the integrated Player
  o Weight : 1.5 Mb / minute (average)
• Information is available in Video and Text formats
SSH/TELNET SESSIONS
• Command lines entered by the user are stored as well as the equipment’s response
• Information is available in Video and Text formats
23. RDP/VNC Concurrent Session Recording
Model        | Low Resolution | Medium Resolution | High Resolution
WAB 25-50    | 100            | 80                | 30
WAB 100-200  | 120            | 100               | 40
WAB 400-600  | 130            | 110               | 60
WAB 800-1000 | 150            | 120               | 75
WAB 2000     | 200            | 140               | 90
Remarks: There is no known limit for SSH / Telnet Session Recordings
24. Recording Actions on Client-Server Applications
(Diagram, labels only: Web Interface; RDP Client; virtualized Windows XP/7 or Windows TSE; Administration client)
25. Strong Authentication
• Password Management for Devices
• Auto-Logon Feature for Privileged Account Passwords
• No need to share Privileged Account passwords with Administrators
• Passwords can be changed automatically (Hourly, Daily, Weekly, Monthly)
• Passwords are stored encrypted on WAB (AES 256)
26. User Authentication Options
OPTION 1 – Local Authentication
User Passwords stored locally on the WAB Appliance for user authentication
OPTION 2 - External Authentication
The WAB appliance connects to an external directory * to authenticate the users
* LDAP, Active Directory, Radius
28. Authentication via X.509 Certificates
• Certificates can be used to logon to the WAB Web Interface AND for Primary Connections to the WAB
• Certificates can be stored in the Browser or in a Hardware Token
• If a user logs on to the WAB Web Interface with a Certificate, then the user is automatically authenticated for the primary connection to WAB via SSH or RDP
• Certificate support is currently limited to certificates that have been signed by the same certification authority (CA) as the Web Server’s certificate.
29. Authentication via SSH Public Key
• SSH Public and Private Keys can be used for authenticating users to WAB during Primary Connection
• KeyGen utility can be used to generate the SSH Public and Private Keys
• SSH Public Key for a user can be uploaded to WAB either by WAB Administrator or by the user himself
30. Command Management
SSH Flow Scanning
In the example shown on the slide, the expression ‘passwd’ can be found in the « forbidden commands » list. The detection of the expression ‘passwd’ triggers an alert and/or the termination of the connection.
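As an added example (not Wallix code, and not the WAB scanner itself), the Python below scans a recorded SSH flow against a constructed forbidden-commands list in which ‘passwd’ is one entry, distinguishing alert-only rules from rules that also terminate the connection. It assumes only the user’s input lines are matched, not the equipment’s response, so a word echoed back in output cannot trigger a rule.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    pattern: str   # regular expression matched against each command line the user enters
    action: str    # "alert" (mail + log only) or "terminate" (alert and close the connection)

# Constructed rule set for this example; 'passwd' is the expression used on the slide.
FORBIDDEN_COMMANDS = [
    Rule(r"\bpasswd\b", "terminate"),
    Rule(r"\b(shutdown|reboot)\b", "alert"),
]

ANSI_ESCAPE = re.compile(r"\x1b\[[0-9;?]*[A-Za-z]")  # colour/cursor codes seen in terminal streams

def scan_ssh_flow(events, rules=FORBIDDEN_COMMANDS):
    """Scan a recorded SSH session given as (direction, text) pairs: "in" is a command line
    typed by the user, "out" is the equipment's response. Returns (detections, terminated);
    scanning stops at the first "terminate" rule because the connection is cut there."""
    compiled = [(re.compile(rule.pattern), rule.action) for rule in rules]
    detections = []
    for lineno, (direction, text) in enumerate(events, start=1):
        if direction != "in":
            continue  # only user input is matched, so a word echoed in output cannot trigger a rule
        command = ANSI_ESCAPE.sub("", text).strip()
        for regex, action in compiled:
            match = regex.search(command)
            if match is None:
                continue
            detections.append({"line": lineno, "command": command,
                               "match": match.group(0), "action": action})
            if action == "terminate":
                return detections, True
    return detections, False

# Constructed sample session (not a real recording).
SAMPLE_SESSION = [
    ("in", "uptime"),
    ("out", " 10:02:11 up 12 days,  1 user,  load average: 0.01, 0.03, 0.00"),
    ("in", "sudo reboot"),
    ("out", "sudo: a password is required"),
    ("in", "\x1b[32msudo passwd root\x1b[0m"),
    ("out", "Enter new UNIX password:"),
    ("in", "echo this line is never scanned"),
]
```

Because the slide’s rule is a plain expression match, a command such as `cat /etc/passwd` trips the ‘passwd’ entry too; tighten the regular expression if that is not the intended policy.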
32. High Availability
• Active/Passive Dual-Appliance type cluster
• No load-balancing
• Virtual IP Address shared by Master and Slave nodes in the cluster (actual IP addresses are hidden from users)
• Replication of WAB Configuration Data to the cluster’s second node by OpenLDAP replication mechanisms
• Replication of Connection Logs to the cluster’s second node by MySQL replication mechanisms
33. High Availability
• Replication is done every minute by ‘rsync’ of the files containing the session recordings
• Automatic Switch from Master to Slave is virtually transparent (except for open connections)
• WAB Administrator is notified by email if there is an automatic failover
• Return to production on Master requires manual maintenance operations, during which time the HA cluster and WAB services are not available
34. Command Line Access to WAB
Console Mode
Via the Keyboard and Monitor connected to the WAB appliance
Network Mode
By logging onto the WAB via port 2242 using an SSH client (Linux, Mac OSX) or the “PuTTY” application (Windows, Linux)
For example:
ssh -tp 2242 wabadmin@192.168.56.5
35. Browsers Supported by WAB
• Mozilla Firefox 3
• Internet Explorer 7, 8
• Safari 5
• Google Chrome
36. Reporting and Alerts
REPORTING ON CONNECTIONS
• You can export data in csv format for later use
• Define real-time alerts (mail & logs) :
  o Forbidden character string detection (SSH)
  o Failure to authenticate
  o Failure to connect to a target account
  o …
• Daily connection report sent by e-mail
37. WAB – Installation Planning
Prepare a list of:
o Users (Privileged) who need to access Target Accounts
o Users (eg. Security Officer) who need to administer WAB (WAB Administrator)
o Devices and Target Accounts that need to be managed via the WAB
For each user, answer the following:
o Should this user be given the right to administer WAB?
o Does this user need to have access to Target Accounts? And which ones?
o What are the permissions to be granted to this user?
o When does this user have the right to log on to Target Accounts?
o Should this user be allowed to access critical resources?
For each Target Account or Device, answer the following:
o Is this Target Account or Device a critical resource?
o Do users accessing this Target Account or Device need to be recorded?
o Which protocols should be allowed to be used to access this Target Account or Device?
38. Raise the security level
(Diagram, labels only: Record and Replay Sessions; Centralize and simplify authorizations and password management; Strengthen Access Control Policy; SECURITY LEVEL; MANAGEMENT; SECURITY NEEDS; PREVENTION; OPTIMIZATION; VERIFICATION)
41. Customer References
Public sector:
• Mairie de Boulogne Billancourt
• Mairie d’Alès
• Mairie de Beauvais
• Mairie des Mureaux
• Mairie de Nanterre
• Mairie de Châteauroux
• Communauté Urbaine de Bordeaux
• Conseil Général des Hauts de Seine
• Conseil Général de la Sarthe
• Conseil Général de l’Oise
• Ministère de l’Ecologie
• Ministère de l’Economie
• INERIS
• IRSN
• Gendarmerie Nationale
• DGA Techniques Navales
• Académie d’Amiens
• Académie de Montpellier
• Université de Rennes 2
• Université du Luxembourg
• Service Public de Wallonie
• CCI de Brest
• …
Industry / Energy and Services / Media:
• LVMH
• Hermes
• France Télévisions
• Quick
• Alain Afflelou
• PMU
• PIXID
• Wolters Kluwer
• …
Transport:
• Geodis
• Chronopost
• Coliposte
• Aéroport de Marseille Provence
• …
42. Customer References
Administration / Health:
• Hôpital d’Orsay
• Hôpital de Carcassonne
• Hôpital de Poissy St-Germain
• SIIH
• Pharmagest
• Ministère de l’Ecologie
• Ministère de l’Economie
• INERIS
• IRSN
• Gendarmerie Nationale
• DGA Techniques Navales
• Service Public de Wallonie
• CCI de Brest
• …
Telecom:
• France Telecom
• Bouygues Telecom
• SFR Vodafone France
• Numericable
• Millicom International Cellular
• GRITA (Tigo)
• Naxoo (Télégenève)
• Coreye (ex-Pictime)
• EMTEL (Mauritius, Salvador, Luxembourg)
• Maroc Telecom
• OPT (Polynésie Française)
• …
Education:
• Académie d’Amiens
• Académie de Montpellier
• Université de Rennes 2
• Université du Luxembourg
Bank / Insurance:
• MGEN / Choregie
• Crédit Agricole SA
• CA Monecam
• Solly Azar
• Euler Hermes
• BFT
• COEBANK
• …
44. Wallix v/s Competition
 | Wallix | Competition
Operating System | Hardened Linux (more secure than Windows at the appliance system level) | Hardened Windows
Access Control and Traceability | Based on strong local and external authentication. No extra layer of permissions required to access authorized resources. Provides ease of use. | Based on password request and approval mechanism. Provides an extra layer of security, but creates a further bottleneck if none of the approvers provide approval on time.
IP Address Restriction for Users | Yes | No
Protocol restriction under SSH Subsystem for SSH Users | Yes | No
Local and External Authentication | Yes | Yes
Auto-Logon possible | Yes | Yes
Encryption of Resource-Account passwords stored on the appliance | AES 256 | AES 256
45. Wallix v/s Competition
 | Wallix | Competition
Session Recording for RDP and VNC sessions in VIDEO format | Yes | Yes
Session Recording for RDP and VNC sessions in TEXT format | Yes. Provides very quick analysis of video recordings. | No
Recording for SSH Sessions in VIDEO format | Yes | Yes
Session Recording for SSH Sessions in TEXT format | Yes. Provides very quick analysis of video recordings. | No
Recorded Videos can be exported | Yes. Provides flexibility for evidence analysis. | No
Storage required for Recorded Videos | Slightly more storage required due to FLV format. | Less storage required due to proprietary format.
External Storage for Session Recordings | Yes | Yes
License required for Session Recordings | No. It’s part of the same product. | Yes. It’s a different module. Hence licensing is mandatory.
47. Maintenance & Support Packages
 | Silver | Gold | Platinum
Access to Product Updates | Yes | Yes | Yes
Access to Patches | Yes | Yes | Yes
No. of registered Users authorized to contact support team of Wallix for Level 3 Support | 2 | 4 | 6
Dedicated Technical Contact at Wallix | No | No | Yes
Response Time | Next Business Day | 4 hours | 2 hours
Resolution Time | Best Effort | Best Effort | Best Effort
Availability of Level 2 Technical Support | Saturday-Thursday, 9:00 AM - 7:00 PM (GMT +4) | 7 days a week, 9:00 AM - 7:00 PM (GMT +4) | 24/7 (GMT +4)
Availability of Level 3 Technical Support | Monday-Friday, 9:00 AM - 7:00 PM (CET) | 7 days a week, 9:00 AM - 7:00 PM (CET) | 24/7 (CET)
Hardware Failure Replacement Service | Next Business Day | 4 hours | 2 hours