SSH.COM CryptoAuditor is a centrally managed virtual appliance for
monitoring, controlling and auditing encrypted privileged access and data
transfers.
What is CryptoAuditor?
SSH.COM CryptoAuditor®
Control and audit encrypted 3rd party sessions. See the unseen.
Cloud and on-premise access for internals and vendors
57% of organizations have more than 100 3rd party vendors with access to their systems.
Do you know how many Nth parties can access your data?
Solve the problem of 3rd party access.
CUT THE COST AND RISK OF VENDOR ACCESS
No hardware, no CAPEX. Cut OPEX with process-driven, unified, centralized management of internal and 3rd party privileged access to your digital core. Pay-as-you-use, either direct with SSH.COM or via AWS Marketplace for EC2 deployments.
SIMPLE, TRANSPARENT AND NON-INVASIVE
CryptoAuditor is your trusted audit point. Scalable deployment as virtual appliances at key locations in your environment. No changes to network architecture, no new agents, no user training and no disruption for end users.
INTEGRATE WITH YOUR SIEM, DLP, UEBA, IPS/IDS...
CryptoAuditor integrates with your event, analytics and perimeter security, and with your existing multifactor authentication solution. You get an audit trail of encrypted traffic that runs through SSH, SFTP, RDP and HTTPS, with indexed logging and session video playback.
Your virtual audit point for 3rd party access.
SSH.COM CryptoAuditor is a centrally managed virtual appliance for monitoring, controlling and auditing encrypted privileged access and data transfers. It’s designed for deployment in front of server farms, databases and network entry points to solve the problem of poorly monitored privileged access, particularly remote vendor access.
It terminates and re-opens privileged user sessions, and inspects and records sessions in real time before re-encrypting and pushing the session forward. Sessions are indexed and stored in an encrypted database for reporting, replay and forensic investigation.
It’s easy to run from the centralized console, and easy to deploy, with no hardware, no agents, no new clients, no user training, and no changes to workflows. It can be deployed in fully transparent mode with no changes to end-user access and login procedures.
SSH.COM CryptoAuditor is cloud-ready, integrates with all major DLP, AV, IDS and SIEM systems, and is used by four of the world’s five largest banks.
Monitor insider and 3rd party access to your digital core
Control remote access by vendors, consultants, home workers, and M2M and IoT connections
Define privileged access and activities based on user identity
Collect forensic evidence for investigations with every keystroke and every pixel
Protect critical data and minimize credential abuse by enabling two-factor authentication
Integrate with existing firewalls, detect attacks earlier and resolve issues in real time
Address individual accountability even for shared accounts with AD/LDAP infrastructure
View encrypted SSH, SFTP and Remote Desktop traffic at your boundary
Prevent data theft with Data Loss Prevention (DLP) and analytics
Record, store and index session audit trails for searches, replay and reporting, with support for 4-eyes review
Hardened sessions for the trusted vendors of Fortune 500 companies.
Cost-effective
No hardware, no CAPEX. Cut OPEX with process-driven, unified, centralized management of 3rd party and privileged access.
Cloud and on-premise
Rapid, scalable deployment. No changes to network architecture, no new agents, no disruption and no user training.
Hardened sessions
Compliant session monitoring and auditing, contextual session control, support for four-eyes authorization, and session video playback.
Multiple deployment modes: Bastion (non-transparent), Router (Layer 3) and Bridge (Layer 2 with VLAN support).
Distributed architecture with multiple Hound audit-points and shared vault storage.
High-availability Hound clustering with configurable failure tolerance.
Straightforward auditing of privileged activity, including session replay and video sessions.
Monitor and record SSH, SFTP, RDP, SSL.
Block SSH tunneling to mitigate the threat from user-created backdoors.
Searchable database for quick and easy access to recorded session information.
Real-time 4-eyes authorization for critical access scenarios.
Identity-based policy control with integration to directory services to control privileged access and activities.
Manage users and credentials via HTTP REST-based API.
Certified compatibility with McAfee, RSA, IBM and VCE vBlock.
Integrations with SIEM, IDS, DLP, network AV etc.
FIPS 140-2 certified cryptography (certificate #1747).
Directional control of SFTP: allow uploads but not downloads, or the reverse.
Remote control. Rewind. Relax.
SSH.COM CryptoAuditor is an intelligent proxy designed for deployment in front of server farms, databases and network entry points.
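The directional SFTP control listed above (upload-only or download-only) comes down to classifying each SSH_FXP_OPEN request by its open flags before the proxy relays it. The following is an added example, not CryptoAuditor code; it assumes the SFTP v3 packet layout from draft-ietf-secsh-filexfer-02, and the build_fxp_open helper exists only to construct sample input.

```python
import struct

# SSH_FXP_OPEN type and pflags bits from draft-ietf-secsh-filexfer-02 (SFTP v3)
SSH_FXP_OPEN = 3
SSH_FXF_READ = 0x01
SSH_FXF_WRITE = 0x02
SSH_FXF_APPEND = 0x04
SSH_FXF_CREAT = 0x08
SSH_FXF_TRUNC = 0x10
WRITE_FLAGS = SSH_FXF_WRITE | SSH_FXF_APPEND | SSH_FXF_CREAT | SSH_FXF_TRUNC

def parse_fxp_open(body: bytes):
    """Parse an SSH_FXP_OPEN body: type, request-id, filename, pflags, ATTRS.
    Assumes the leading uint32 packet length has already been stripped."""
    if len(body) < 9 or body[0] != SSH_FXP_OPEN:
        raise ValueError("not an SSH_FXP_OPEN request")
    request_id, name_len = struct.unpack(">II", body[1:9])
    if len(body) < 13 + name_len:
        raise ValueError("truncated filename or pflags")
    filename = body[9:9 + name_len].decode("utf-8", errors="replace")
    (pflags,) = struct.unpack(">I", body[9 + name_len:13 + name_len])
    return request_id, filename, pflags

def direction_of_open(pflags: int) -> str:
    """'download' = read-only open, 'upload' = write-only open,
    'both' = read+write, 'invalid' = no access mode requested."""
    reads, writes = pflags & SSH_FXF_READ, pflags & WRITE_FLAGS
    if reads and writes:
        return "both"
    if writes:
        return "upload"
    return "download" if reads else "invalid"

def policy_allows(body: bytes, allowed_direction: str) -> bool:
    """Directional policy: an 'upload' policy admits only write opens, a
    'download' policy only read opens. Unparseable or mixed-mode requests
    are denied so the audit point fails closed."""
    try:
        _, _, pflags = parse_fxp_open(body)
    except ValueError:
        return False
    return direction_of_open(pflags) == allowed_direction

def build_fxp_open(request_id: int, filename: str, pflags: int) -> bytes:
    """Constructed sample input: SSH_FXP_OPEN body with empty ATTRS (flags=0)."""
    name = filename.encode("utf-8")
    return (bytes([SSH_FXP_OPEN]) + struct.pack(">II", request_id, len(name))
            + name + struct.pack(">II", pflags, 0))
```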
Compliance and forensics for regulated industries
Does your board need evidence that 3rd party risk is being assessed, managed, and monitored? Are you mandated by GDPR, PCI-DSS, ISO 27001, or by health or communications authorities to secure your supply chain?
Visibility into encrypted sessions missed by SIEMs
Can your SIEM, DLP or UEBA process encrypted session data? Does your IPS/IDS inspect encrypted traffic? Would you like to empower them to do their job?
FEATURES AND BENEFITS
Multiple deployment modes: Bridge, Router, Bastion. Fits into diverse network topologies, including VLAN-based audit and policy control.
High-availability clustering for Hounds, and configurable failure-tolerance policy. Minimal downtime in the event of a single Hound node failure: if one Hound node fails, the system can recover and continue relaying new connections.
Transparent network appliance. No need to retrain users to use another SSH client or portal, or to provide them with new SSH keys.
Session replay, including video sessions. Straightforward audit of privileged activity.
Searchable database. Quick and easy access to recorded session information.
Encrypted storage with audit zones. Audited activity is secured from unauthorized access. Separate audit zones enable access on a need-to-know basis.
Monitors and records SSH, SFTP, RDP. Audit high-value privileged access and comply with security mandates.
Customizable auditing policies. Focus on high-value targets and activities.
Real-time 4-eyes authorization. HTTP REST API for requesting connection authorization from third-party solutions. An extra security layer for accessing critical servers.
Identity-based policy control with integration to directory services. Control which users can access which servers and what activities they can perform.
Distributed architecture with multiple freely distributable Hound audit-points and shared Vault storage. Adapts easily to changes in network topologies and business processes, enabling fast deployment and low Total Cost of Ownership.
Integrates with SIEM, IDS, DLP, Network AV. Certified compatibility with major vendors such as McAfee, RSA, IBM and VCE vBlock.
Public and Private Cloud Instance Virtual Appliance. Amazon Machine Image (AMI) available in AWS Marketplace; OpenStack (on KVM hypervisor). Supported platforms: VMware ESXi and MS Hyper-V. For evaluation purposes: Oracle VirtualBox and VMware Workstation (no production use support).
PERFORMANCE
Throughput
• 930 Mbit/s (unaudited passthrough)
• 400 Mbit/s (single encrypted SFTP connection)
Connections
• Simultaneous connections: 3000 SSH or 300 RDP or 300 SSL/TLS
• New connections per second: 3 SSH or 3 RDP or 10 SSL/TLS
* Setup used in the performance test: HP DL320e Gen8 server running VMware ESXi 5.5, CryptoAuditor VM (4 CPUs, 12 GB RAM)
THIRD-PARTY APPLICATION SUPPORT
SIEM & Syslog
• IBM Security QRadar SIEM
• McAfee Enterprise Security Manager
• Splunk Enterprise
• RSA Security Analytics
• HP ArcSight Logger
• Rsyslog
• Syslog-ng
IDS
• RSA Security Analytics
DLP and Network AV
• RSA Data Loss Prevention Suite
• Symantec Cloud Protection Engine
• McAfee Web Gateway
• F-Secure Internet GateKeeper
* DLP and network AV integration support through the standard ICAP protocol
ssh®, PrivX™, Tectia®, Universal SSH Key Manager® and CryptoAuditor® are registered trademarks or trademarks of SSH Communications Security Corporation and are protected by the relevant jurisdiction-specific and international copyright laws and treaties. Other names and marks are the property of their respective owners. Copyright © 2018 SSH Communications Security Corporation. All rights reserved.
DEPLOYMENT AND SYSTEM ADMINISTRATION
High Availability
• Active-Passive redundancy (Hound)*
* VMware (and hardware appliance) in production use
Operation
• Transparent bridge and router modes
• Non-transparent bastion mode
• SOCKS proxy functionality for HTTP/HTTPS auditing
VLAN
• Supported in bridge mode
Management
• Web-based admin UI (current version of Mozilla Firefox for optimal experience)
• Dedicated management interface
• CLI
Administration
• On-device management accounts
• AD/LDAP-based management accounts
• Customizable role-based administration and audit rights
HTTP REST-based API
• Managing users and credentials
AUDITING, END-USER AUTHENTICATION & AUTHORIZATION
Inspected Protocols
• SSH (v2), SCP, SFTP, RDP
• Supported protocols can also be audited recursively inside SSH tunnels
Audit Levels
• Options between “Metadata only” and “Full channels”
Monitoring and Policy Control
• Rules by protocol, address, port, VLAN, or user group
• Easy-to-use rule verification tool
• Flexible user credential management (through HTTP REST-based API)
End-User Authentication & Authorization
• On-device password or SSH public key
• Passthrough password or keyboard-interactive
• AD/LDAP-compliant directories
• RADIUS
• RSA SecurID/OTP
• X.509 certificate (SSH only), with PIV/CAC smart card support
• HTTP REST API for user authorization
• 4-eyes authorization. Alerts via e-mail; connection accept/reject in the web-based admin UI
Shared account management
• Secure password and SSH-key safe
Other
• OCR-based content recognition for RDP (Latin and Cyrillic)
• Indexing-enabled free-text content searching
The information in this document is provided “as is” without any warranty, express or implied, including without any warranties of merchantability, fitness for a particular purpose and any warranty or condition of non-infringement. SSH Communications Security products are warranted according to the terms and conditions of the agreements under which they are provided. SSH Communications Security may make changes to specifications and product descriptions at any time, without notice.
SECURITY
Encryption
• Key Exchange: Diffie-Hellman, RSA
• Host Key: RSA, DSA
• Connection: AES-CTR/CBC (128-, 192-, 256-bit), 3DES-CBC, Blowfish, RC4
Data Integrity
• HMAC-SHA-1 (160-bit, 96-bit)
• HMAC-MD5 (128-bit, 96-bit)
Compliance
• FIPS 140-2 compliant operation through certified OpenSSL library
System Security
• All communication between Hound and Vault secured by TLS
• All information stored in the Vault is encrypted with 128-bit AES
• No user passwords captured and stored
SSH Communications Security, Inc. Max-Planck-Str. 4 85609 Aschheim
+49 89 [email protected]