8/3/2019 Recording Remote Vendor Access - SSL VPN Gateway Sessions
http://slidepdf.com/reader/full/recording-remote-vendor-access-ssl-vpn-gateway-sessions 1/7
Remote Vendor Monitoring
Recording Secure Remote Access SSL VPN Gateway Sessions
An ObserveIT Whitepaper
Daniel Petri
March
© Copyright 2008 ObserveIT
Whitepaper: Remote Vendor Monitoring    www.observeit-sys.com
Table of Contents
Executive Summary
The Need for Centralized Remote Access
Establishing Remote Connections
Securing the Remote Access Sessions
Protecting the Internal Network
Using Microsoft TS Gateway
Monitoring User Activity
Real Time Monitoring and Integration with Management Tools
User Identification
Conclusion
Benefits of this solution include:
About ObserveIT
Executive Summary
In the following article, I will demonstrate how to
record Secure Remote Access SSL VPN Gateway
sessions by using Terminal Services in conjunction
with ObserveIT. In this deployment, all secure
remote access SSL VPN sessions are routed through
one or more central remote access gateways, and
secondary remote desktop sessions opened from
those gateways are the only method used to reach
internal Windows or UNIX servers and other network
devices. Every session passing through the Secure
Remote Access SSL VPN Gateway is fully audited and
recorded. The recordings give auditors and IT
managers a complete visual audit trail of all
secure remote access SSL VPN connections: they
identify the source of each connection and allow a
step-by-step replay of the actions taken and the
applications accessed on these machines.
This whitepaper covers the following topics:
1. Setting up a Windows Terminal Gateway
Server
2. Secure communication to the Gateway using
SSL VPN Gateway
3. Audit, Alert and Replay all Recorded Sessions
performed on the Gateways
The Need for Centralized Remote
Access
In today's complex network and IT environments,
more and more people need access to corporate
servers, applications, databases and management
tools. While trying to minimize human intervention
with these critical services, IT managers must
decide how remote access to and management of
these services is allowed: who is granted access,
how that access is secured and audited, and how
every action performed on these servers is
recorded.
The continuous need to control budgets by
decreasing operational costs and maintenance fees
has led many large and medium corporations to
using external consultants and outsourcing services
while minimizing internal IT departments.
Establishing Remote Connections
To mitigate the risk that comes with outsourced
and third-party administration, a leading approach
to enabling remote connections is a secure remote
access deployment in which all remote connections
go through one or more Terminal Services or Citrix
gateway servers. Vendors and remote administrators
initiate a remote desktop (RDP or ICA) session to
these servers, where they are authenticated and,
if authorized, granted access either to the entire
desktop or to a subset of published applications
that are to be used for management purposes.
The first component of such a solution is the
remote access mechanism itself. Here there are a
few options to consider; which one to choose
depends on security concerns, corporate policy,
budget and the number of concurrent connections.
Allowing regular RDP connections from the outside
world through the corporate firewall is probably
the easiest option to deploy. It is also the least
secure of the options discussed here. RDP packets
travel across the Internet like any other traffic,
and unless the built-in encryption capabilities of
Terminal Server are enabled at an adequate level,
the connection itself is not sufficiently
protected. Furthermore, unless some form of remote
access control is in place (such as a firewall
with authentication capabilities), the only
barrier between a malicious user and the network
is the Terminal Server Windows logon prompt, which
is then exposed to password guessing from anywhere
on the Internet.
Securing the Remote Access
Sessions
To add a further layer of security to such
connections, some form of remote access solution
must be deployed in front of the Terminal Server
itself. Options for securing remote access include:
• IPSec, L2TP or PPTP-based VPN connections
through Microsoft Windows Server 2003/2008
RRAS, through Microsoft ISA Server, or through
leading 3rd-party solutions from vendors such
as Cisco and Check Point (note that PPTP's
MS-CHAPv2 authentication is now considered
weak and should be avoided where possible)
• SSL VPN connections using appliances such as
Juniper SSL VPN, Cisco SSL VPN, Check Point
Connectra and others, or using the SSTP
capabilities of Microsoft Windows Server 2008
• Microsoft Windows Server 2008 TS Gateway
connections
The benefit of VPN-type remote access is that the
connection is strongly encrypted, adding a layer
of security encapsulation to each packet. A VPN
also protects against unauthorized access because,
before gaining access to the remote management
gateway, users must authenticate themselves with
their credentials or token; only then are they
granted access to the gateway. On the other hand,
most VPN products incur an additional cost for
deploying VPN servers and extra authentication
systems.
SSL VPN uses SSL/TLS-based encryption over TCP
port 443, which most firewalls already allow, so
no additional ports need to be opened. SSL VPN
also makes it easier for remote workers to
connect because it usually requires no additional
client-side software and is initiated from an
easy-to-use web browser. This makes such
connections convenient on public computers such as
those found in hotel lobbies and conference
centers, although such unmanaged endpoints are
also the least trustworthy, as discussed under
"Protecting the Internal Network" below.
It is worth noting that in most scenarios, SSL VPN is
preferred for remote access to those applications
that are browser-based (i.e., have a web-based
user interface), while IPSec VPN will be used
principally for site-to-site communications (rather
than individual client remote access).
Using the new SSTP capabilities of Microsoft
Windows Server 2008 can help to further reduce
costs associated with using 3rd-party solutions.
Protecting the Internal Network
An additional issue raised in remote management
scenarios is how to control what type of traffic
can pass through these VPN connections, and what
kind of remote computers are allowed to connect to
the corporate network at all. Often these
unmanaged computers are not fully patched against
security vulnerabilities, do not run an up-to-date
anti-virus product, or do not have their personal
firewall turned on. This raises many security
issues, especially since a VPN tunnel effectively
places these computers on the corporate network.
Furthermore, after successfully connecting to the
corporate network, these computers might initiate
connections to internal resources that are out of
scope for the access they actually require. To
mitigate these risks, a mechanism is needed that
quarantines such computers until they prove they
are fully patched and up to date. Quarantine of
this kind can be achieved with the 3rd-party
Network Admission Control (NAC) capabilities of
VPN appliances such as those provided by Juniper,
Check Point or Cisco, or with the built-in Network
Access Protection (NAP) found in Microsoft Windows
Server 2008.
To control exactly what type of traffic passes
through the VPN connection, either deploy smart
appliances such as those provided by Check Point,
Cisco, Juniper or Microsoft (with its IAG product),
or place an additional firewall behind the VPN
server to inspect the decrypted inbound traffic.
Using Microsoft TS Gateway
The TS Gateway role that is new in Microsoft
Windows Server 2008 provides further protection of
RDP traffic by encapsulating it in HTTPS (RPC over
HTTP on TCP port 443), much like an SSL VPN but
without the need to deploy dedicated VPN servers.
The benefit of the TS Gateway capabilities of
Microsoft Windows Server 2008 is that remote users
are granted access to internal servers only under
a strict policy enforced on the TS Gateway
(connection authorization policies define who may
connect, resource authorization policies define
which internal computers they may reach). Combined
with the NAP capabilities of the system, only
computers that fully meet the security
requirements set by the administrator are allowed
to connect.
This scenario employs several components: the TS
Gateway server, a firewall, one or more Domain
Controllers, a NAP server and a Network Policy
Server (NPS is Microsoft's implementation of a
RADIUS server). The TS Gateway collects the user's
credentials and checks them against its remote
access policy, authenticates the user against the
Domain Controller, and performs the health
validation required by the NAP server and its
policies. Only when all checks succeed does it
forward the RDP traffic inwards, to the remote
management gateway server.
Monitoring User Activity
In the scenario outlined above, all remote access
connections are indeed secured, and only
authorized personnel can connect to the corporate
servers.
However, the question of what vendors actually do
once connected remains unanswered. This leaves a
gaping hole in corporate security and compliance:
once vendors are connected to the remote
management gateway server, nothing prevents them
from performing other actions, including opening
full Remote Desktop connections to other internal
servers. A mechanism is needed that gives IT
managers the confidence of knowing exactly who
connected, what they did while connected, and
which applications or system tasks they used or
opened.
Many server-based applications have varying
degrees of built-in auditing or logging, including
extended diagnostic logging. However, such logs
show cryptic traces, not actual human actions.
They may be of use for debugging an error, but
security and regulatory requirements create a need
to know exactly what users are doing while logged
on to the Terminal Servers.
By using the recording and auditing capabilities of
ObserveIT, IT managers receive a clear and concise
answer to these questions.
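Before a session recorder is in place, the one thing native logs can still tell you is whether a vendor opened that secondary Remote Desktop hop to another server, or reached an internal server without going through the gateway at all. The following is an added example written for this page, not code from the whitepaper or from ObserveIT; it checks Windows Security logon events (event ID 4624, logon type 10, the RemoteInteractive type used by RDP) against the gateway's address. The event lines, host names and addresses are constructed for the example, and the gateway address is an assumption.

```python
"""Added example, not code from the ObserveIT whitepaper: spot RDP logons on
internal servers that did not arrive through the central remote management
gateway, using only native Windows Security events.

Assumptions (not stated on the page): events are Windows Security event 4624
(successful logon) with LogonType 10 (RemoteInteractive, i.e. RDP), whose
IpAddress / WorkstationName fields name the RDP client; the host names and
addresses below are constructed for this example.
"""
import re

# Constructed sample: one 4624 event per line, flattened to key=value pairs.
SAMPLE_EVENTS = """\
Computer=SRV-APP02 EventID=4624 TargetUserName=v.contractor LogonType=10 IpAddress=10.0.5.10 WorkstationName=MGMT-TS01
Computer=SRV-DB01 EventID=4624 TargetUserName=v.contractor LogonType=10 IpAddress=10.0.20.7 WorkstationName=SRV-APP02
Computer=SRV-DB01 EventID=4624 TargetUserName=Administrator LogonType=10 IpAddress=10.0.5.10 WorkstationName=MGMT-TS01
Computer=SRV-APP02 EventID=4624 TargetUserName=svc_backup LogonType=5 IpAddress=- WorkstationName=-
Computer=SRV-FS01 EventID=4624 TargetUserName=Administrator LogonType=10 IpAddress=192.168.50.23 WorkstationName=LAPTOP-X
Computer=SRV-DB01 EventID=4624 TargetUserName=v.contractor LogonType=3 IpAddress=10.0.20.7 WorkstationName=SRV-APP02
"""

# Address of the remote management Terminal Server(s): the only hosts that
# should ever open RDP sessions to internal servers (assumed value).
GATEWAY_ADDRESSES = {"10.0.5.10"}

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_events(text):
    """Turn the flattened event lines into dicts; blank lines are skipped."""
    return [dict(FIELD_RE.findall(line)) for line in text.splitlines() if line.strip()]


def rdp_logons(events):
    """Keep only successful interactive RDP logons (4624 with LogonType 10)."""
    return [e for e in events if e.get("EventID") == "4624" and e.get("LogonType") == "10"]


def find_gateway_bypass(events, gateways=GATEWAY_ADDRESSES):
    """Report RDP logons whose client is not one of the gateways.

    A logon coming from a server that the same user had already reached via
    the gateway is classified as a pivot (the secondary Remote Desktop hop the
    whitepaper warns about); anything else is a direct bypass of the gateway.
    """
    sessions = rdp_logons(events)
    reached_via_gateway = {
        (e["TargetUserName"].lower(), e["Computer"])
        for e in sessions if e["IpAddress"] in gateways
    }
    findings = []
    for e in sessions:
        if e["IpAddress"] in gateways:
            continue  # expected path: session originates on the gateway
        hop = (e["TargetUserName"].lower(), e["WorkstationName"]) in reached_via_gateway
        findings.append({
            "user": e["TargetUserName"],
            "target": e["Computer"],
            "source": e["IpAddress"],
            "source_host": e["WorkstationName"],
            "kind": "pivot from gateway-reached host" if hop else "direct RDP bypassing gateway",
        })
    return findings


if __name__ == "__main__":
    for f in find_gateway_bypass(parse_events(SAMPLE_EVENTS)):
        print(f"{f['kind']}: {f['user']} -> {f['target']} "
              f"from {f['source_host']} ({f['source']})")
```

Run against the sample, the check reports two findings: v.contractor pivoting from SRV-APP02 (reached via the gateway) into SRV-DB01, and an Administrator logon to SRV-FS01 from an unknown laptop that never touched the gateway. The network logon (type 3) and the service logon (type 5) are ignored. Note that WorkstationName is supplied by the client and can be spoofed; the IpAddress field is the one to trust, which is why the gateway test is made on it.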
Built specifically for enterprise-wide deployments,
ObserveIT gives full control and insight into the
actions of external vendors and specialists hired
to perform a specific task, as well as those of
local IT personnel and power users. ObserveIT
records all human activity on monitored servers,
both as an exact visual recording and as detailed
metadata. The visual recording allows every user
session to be replayed, showing exactly what was
done on the monitored servers, who did it, and
which applications were accessed.
In the deployment scenario above, ObserveIT is
installed on each remote management Terminal
Server. Built-in server-based policies are
configured to trigger recording of all relevant
activity performed by external vendors, and the
ObserveIT configuration is further restricted to
record only the management applications published
on the remote management Terminal Server.
Real Time Monitoring and
Integration with Management
Tools
By capturing metadata in addition to visual
screenshots, ObserveIT provides an abundance of
information about what is seen on the screen: the
user performing the action, the remote computer's
name and IP address, date, time, application
executable name, window title and more. All of
this is stored alongside the screenshots, enabling
flexible, rules-based searching at enterprise
scale without the need to replay activity
screen by screen.
Another feature of ObserveIT is its ability to
write textual log files for monitoring purposes.
These files are stored on the server's hard disk
and can be parsed by 3rd-party tools such as
Microsoft System Center Operations Manager 2007,
which can generate events or alerts based on the
information written to them.
User Identification
ObserveIT's Identification Services are integrated
with the Active Directory database. This service
forces users to identify themselves before gaining
access to a server desktop or published
application. After completing the Windows logon
process, users are prompted with a secondary
ObserveIT logon window in which they must enter
their own personal username and password. This
makes it possible to distinguish individual users
even when they log in with a shared, "generic"
account such as "Administrator".
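The two preceding sections describe session metadata (user, client name and IP address, date and time, executable name, window title) that can be searched by rule and exported as text logs, and a secondary logon that ties a shared account to a named person. The block below is an added example written for this page, not ObserveIT's code or log format: it parses constructed, pipe-separated session records, attributes each record to an individual using the secondary identity, and applies three rules a vendor-access monitor would want (a launch of mstsc.exe from the gateway, an application that is not published on that server, and a generic account that never completed the secondary identification). The record layout, the published-application lists and the generic-account names are all assumptions.

```python
"""Added example, not from the ObserveIT whitepaper or product: rules-based
alerting over remote-session metadata plus attribution of shared accounts to
individuals via a secondary identification field.

Assumptions (all made up for this example): the pipe-separated record format
and field order below, the published-application set per server, and the
list of generic account names.
"""
from collections import defaultdict

# Constructed sample log. Fields, pipe-separated:
# timestamp | session id | Windows logon account | identified user (secondary
# logon; empty if not completed) | client name | client IP | server |
# application executable | window title
SAMPLE_LOG = """\
2008-03-12 10:02:15|S-1042|Administrator|john.smith|VENDOR-LT01|203.0.113.45|MGMT-TS01|mmc.exe|Computer Management
2008-03-12 10:05:40|S-1042|Administrator|john.smith|VENDOR-LT01|203.0.113.45|MGMT-TS01|mstsc.exe|Remote Desktop Connection
2008-03-12 10:06:02|S-1042|Administrator|john.smith|VENDOR-LT01|203.0.113.45|MGMT-TS01|cmd.exe|C:\\Windows\\system32\\cmd.exe
2008-03-12 10:15:33|S-1043|Administrator||VENDOR-LT02|198.51.100.9|MGMT-TS01|sqlwb.exe|SQL Server Management Studio
2008-03-12 10:16:10|S-1044|v.contractor|v.contractor|VENDOR-LT03|203.0.113.77|MGMT-TS01|putty.exe|PuTTY
"""
FIELDS = ("time", "session", "account", "identified", "client", "client_ip",
          "server", "exe", "title")

# Management applications published on each gateway server (assumed).
PUBLISHED = {"MGMT-TS01": {"mmc.exe", "sqlwb.exe", "putty.exe"}}
# Shared accounts that must always be backed by a secondary identification.
GENERIC_ACCOUNTS = {"administrator", "admin", "root"}


def parse_log(text):
    """Parse the pipe-separated records; a record with the wrong field count
    is treated as an error rather than silently skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            raise ValueError(f"malformed record: {line!r}")
        records.append(dict(zip(FIELDS, parts)))
    return records


def individual(rec):
    """Who is behind the session: the secondary-logon identity if present,
    the Windows account if it is a personal one, else an 'unidentified'
    marker that keeps the generic account name visible."""
    if rec["identified"]:
        return rec["identified"]
    if rec["account"].lower() not in GENERIC_ACCOUNTS:
        return rec["account"]
    return f"<unidentified:{rec['account']}>"


def evaluate(records, published=PUBLISHED):
    """Apply the alert rules to every record and return the alerts in order."""
    alerts = []
    for rec in records:
        who = individual(rec)
        exe = rec["exe"].lower()
        allowed = {a.lower() for a in published.get(rec["server"], set())}
        if who.startswith("<unidentified:"):
            alerts.append({"session": rec["session"], "who": rec["account"],
                           "rule": "generic account without secondary identification",
                           "detail": rec["client_ip"]})
        if exe == "mstsc.exe":
            # A secondary Remote Desktop hop from the gateway: the exact
            # behaviour the 'Monitoring User Activity' section warns about.
            alerts.append({"session": rec["session"], "who": who,
                           "rule": "secondary Remote Desktop session launched from gateway",
                           "detail": rec["title"]})
        elif exe not in allowed:
            alerts.append({"session": rec["session"], "who": who,
                           "rule": "application not published on this server",
                           "detail": rec["exe"]})
    return alerts


def activity_by_individual(records):
    """Accountability view: which executables each identified person ran."""
    acts = defaultdict(set)
    for rec in records:
        acts[individual(rec)].add(rec["exe"].lower())
    return {who: sorted(apps) for who, apps in acts.items()}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for a in evaluate(recs):
        print(f"[{a['session']}] {a['rule']}: {a['who']} ({a['detail']})")
    for who, apps in activity_by_individual(recs).items():
        print(f"{who}: {', '.join(apps)}")
```

On the sample this raises three alerts: john.smith (logged on as Administrator but identified through the secondary logon) launching mstsc.exe and then cmd.exe, neither of which is a published management application, and a second Administrator session from 198.51.100.9 that never completed the secondary identification and therefore cannot be attributed to a person. The accountability view shows why the secondary identity matters: without it, both Administrator sessions would collapse into one anonymous actor.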
Conclusion
Security and regulatory issues force many IT
managers to seek a solution for vendors and
external administrators who access their networks
remotely. A centralized remote management gateway
approach gives a more secure implementation of
such remote access, and by integrating it with
ObserveIT, the recording of all human actions and
management tasks becomes easy to collect and
monitor. ObserveIT's advanced indexing
capabilities, combined with video replay of screen
activity, allow the IT manager to keep a finger on
the pulse of remote access activity, in accordance
with security and regulatory requirements.
Benefits of this solution include:
• Accountability for all activities performed by a
service organization
• Processes that link each system access to an
identifiable individual user
• Reduced cost of generating compliance reports:
less effort, with faster turnaround time
• Unequivocal proof of user activity, supporting
authentication and non-repudiation
About ObserveIT
ObserveIT is an innovator and leader in Terminal,
Citrix and Console session recording, with solutions
for Windows, Desktop and Virtual Machine
environments.
ObserveIT software visually records and replays all
user sessions, providing detailed insight into all
activities on the network.
Founded in 2006, ObserveIT has a worldwide
customer base that spans many industry segments,
including financial, insurance, healthcare,
manufacturing, telecommunications, government
and IT services.