banking, insurance & capital markets Do you know what the system administrators are doing in your network? Comarch SecureAdmin

Transcription

1 banking, insurance & capital markets Do you know what the system administrators are doing in your network? Comarch SecureAdmin

2 Banking, Insurance and Capital Markets 2 Introduction IT system monitoring is a vital factor in risk management allowing you to track the efficiency and degree of system resource use. Expanding your capacity to detect hostile or undesirable incidents using effective audit solutions means less of the user errors and abuses that compromise corporate security.

3 Comarch SecureAdmin 3 Comarch SecureAdmin is a user activity monitoring system which operates transparently at the level of the network layer. These features mean that implementing Comarch SecureAdmin does not require the modification or reconfiguration of existing applications or systems and its presence is not visible to users. A further imposing feature is the capacity to monitor encrypted connections. It is based on application and system logs and may also be deployed to monitor administrator activity. System Components Comarch SecureAdmin has been produced in three tier architecture and has the following components: Sensors dedicated servers equipped with at least three network interfaces, including two operating in bridge mode. Their task is to monitor network traffic, analyze selected connections according to the required configurations and record the data collected. Network Managing Server the central server that manages the sensors and the data collection. Administration Console a www console enabling system administration and providing a view of the data collected by the system. Administrator workstations https https Managing server Sensors Comarch SecureAdmin System Architecture

4 Banking, Insurance and Capital Markets 4 System Features High Volume Protocol Analysis There are two ways network traffic is analyzed: passively, actively using MITM (Man in The Middle). Passive analysis is based on the incoming packet queue mechanism provided by iptables software. This is the way analyses for simple protocols in plain text such as Telnet, POP3, IMAP, FTP, SMTP, SMB, NFS, Oracle, MySQL, PostgreSQL and MSSQL are conducted. MITM analysis techniques, though, involve a sensor actively intervening between the server and client and assuming their identities. Protocols using encryption, or that require modifications to the transmitted packets, such as SSH (versions 1 and 2), SSL (FTP, POP3, IMAP, LDAP, SMTP, HTTP) and X11 are analyzed in this way. Transparency The network traffic analysis and monitoring Comarch SecureAdmin provides is transparent to users. This is easy to achieve with passive analysis because the packets transmitted in the connections are in no way modified. Comarch SecureAdmin is exceptional because it also offers transparency in MITM connection analysis. In this mode the sensor uses IPTables mechanisms to transfer connections to a local port and simulate the client s connection. Meanwhile, the sensor connects with the server in the name of the client. The server hides behind the IP addresses of real servers and clients so that it is invisible both to the client and the server. Managing SSH keys and SSL certificates and keys is performed centrally from the administration console. Logging User Activity Comarch SecureAdmin monitors network traffic and conducts protocol analyses to log user activity. This means recording their actions and the consequences of those actions: were they performed successfully or were errors committed. The following information is logged for each connection analyzed: time connection began, duration of connection, source address and port, destination address and port, MAC and DNS addresses, if available, protocol type, user name and password, if available, information specific to the monitored protocol. Extensibility The analyzers for each protocol are activated as independent and discrete processes. This means that you can add new analyzers without stopping the others. Furthermore, all the analyzers use a common API that monitors the network traffic in question and records data concerning the connections analysed. Central Data Gathering Information on network connections analyzed by the sensors is gathered on the network managing server in a data base as well as in the form of text and graphics files. Basic information on the analyzed connections is stored in the data base: source address and port, aim of connection, connection start and end time, user name and password.

5 Comarch SecureAdmin Detailed information on the connections analyzed is stored in the text files and not in the data base, while the screen dumps are stored in PNG files. These files are ordered chronologically and are named for easy retrieval of files concerning a specific connection. If the network managing server malfunctions or there is downtime, the data on the connections analyzed is stored in the sensors and is transmitted to the network managing server later. Central Management with WWW Interface System management is achieved using the administration console which operates as a www application. This allows the following configurations: sensors, network traffic monitoring and filtering policy, keys used for MITM analysis, system user notifications. It is also possible on the administration console to view information gathered by the sensors and observe system performance. Flexible Configuration for Network Traffic Monitoring and Filtering The network traffic monitoring and filtering configuration performed by the sensors depends on the policy adopted. Each policy consists of a list of rules specifying: the source and aim of the connection in the form of an address or masked address the range of the destination port connection type (TCP/UDP) In the case of network monitoring policy the rules also stipulate: the type of protocol, for example HTTP, FTP (with or without SSL), this means the analyzer the traffic is sent to. For network traffic filtering policy, however, the rules also specify the action (accept/drop) to take on connections that fulfill the defined conditions. Once the policy has been defined it can be applied to a particular sensor. 5 Comarch SecureAdmin Network Traffic Monitoring Comarch SecureAdmin Network Traffic Filtering

6 Banking, Insurance and Capital Markets 6 Secure Communication Network connections between system components are mutually authenticated using public key cryptography. All data and auditing communications sent between system components are encrypted. This ensures the integrity, confidentiality and incontestability of the information transmitted. Notification The system enables notifications sent to administrators to be configured as s or www notifications displayed on the administration console when the user logs in. Notifications are sent in connection with the following: network traffic analysis, for example the beginning of a connection with an IP address administrator activity, for example logging on or changing configurations system events, such as disconnecting from the sensor. Environment Sensors The SecureAdmin sensors are controlled by an operating system based on Linux Debian Sarge. This is modified so that masking sensors under client and server addresses in MITM protocol analysis can be achieved transparently. Network Managing Server The network managing server is controlled by the Linux Debian Sarge operating system. This consists of: manager a component that controls the sensors (implemented in Java) MySQL data base storing system configurations and data on the connections monitored. Administration Console The administration console has been produced based on Java/Struts technology and operates on the Tomcat applications server and the Apache www server. Comarch SecureAdmin Automatic Auditing

7 Comarch SecureAdmin Automatic Auditing All system elements have automatic auditing mechanisms implemented. Data on component malfunctions are collected in the data base and can be flagged on the console or sent in the form of a notification. Data Compression The network session data the sensors analyze is collected in PNG graphics files. These files are recorded on the sensors and then copied at regular time intervals to the network managing server. After they have been collected on the network managing server they can be viewed and searched by using the administration console. Furthermore, the session data gathered can be automatically compressed meaning it can be stored for longer with no need to add disc space. High Availability Architecture featuring two servers operating in failover mode delivers the high availability of the sensors in Comarch SecureAdmin. One of the servers, the active server, in the sensor set makes the session connections and monitors them. Meanwhile, the passive server maintains readiness to take over the tasks of the active server. This solution means that when a breakdown is detected in one of the servers the communication can be transferred automatically to the second server in the sensor set. 7

8 Comarch Headquarters Al. Jana Pawla II 39 a Krakow Poland phone: fax: info@comarch.pl Comarch Inc. 10 W 35th Street Chicago, IL United States phone: fax: info@comarch.com Comarch Software AG Chemnitzer Str Dresden Germany phone: fax: info@comarch.de Comarch OOO Prechistenskiy Pereulok 14/ Moscow Russia phone: Poland Gdansk, Katowice Krakow, Lublin, Lodz, Poznan, Szczecin, Warsaw, Wroclaw Belgium Brussels France Lille Germany Dresden, Frankfurt/Main Lithuania Vilnius Panama Panama City Russia Moscow Slovakia Bratislava UAE Dubai Ukraine Kiev, Lviv USA Chicago, Miami Comarch is a leading Central European IT business solutions provider specializing in forging business relationships that maximize customer profitability while optimizing business and operational processes. Comarch s primary advantage lies in the vast domain of knowledge accumulated in and applied to our software products. These products incorporate highly sophisticated IT solutions for businesses in all vertical sectors. Comarch has a multinational network of offices employing over 2800 highly-experienced IT specialists in Europe, the Middle East and the Americas. ComArch Spółka Akcyjna with its registered seat in Kraków at Aleja Jana Pawła II 39A, entered in the National Court Register kept by the District Court for Kraków-Śródmieście in Kraków, the 11th Commercial Division of the National Court Register under no. KRS The share capital amounts to 7,960, zł. The share capital was fully paid, NIP Copyright Comarch All Rights Reserved. No part of this document may be reproduced in any form without the prior written consent of Comarch. Comarch reserves the right to revise this document and to make changes in the content from time to time without notice. Comarch may make improvements and/or changes to the product(s) and/or programs described in this document any time. The trademarks and service marks of Comarch are the exclusive property of Comarch, and may not be used without permission. All other marks are the property of their respective owners. EN