NetBrain Security Guidance

1. User Authentication and Authorization

1.1. NetBrain Components

NetBrain Enterprise Server includes five components: Customer License Server (CLS), Workspace Server (WSS), Network Server (NS), Automation Server (AS) and WorkStation (EE).

- CLS: manages the license and workspaces
- WSS: manages all data for the shared workspace(s)
- NS: collects data from the live network
- AS: provides the index and discovery features
- EE: a thick client installed on users' desktops

Note: NetBrain supports an "All-in-one" deployment, in which all components of the NetBrain Enterprise Suite are installed on one system.

1.2. User Authentication

A user must log in with a username and password in order to use NetBrain.

LDAP/AD Integration: NetBrain integrates with an LDAP/AD system to provide better security for user authentication. You can import user groups from LDAP/AD and then define the corresponding roles for each group. After that, users can use their LDAP/AD accounts to log into the EE workstation.

TACACS Authentication Integration: NetBrain integrates with a TACACS+ server as an authentication center to manage workstation login. After configuring the TACACS+ settings, adding users to the TACACS+ server, and completing the corresponding configuration on the Customer License Server webpage, users can log into their EE workstations with their TACACS+ accounts.

Strong password policy: A weak password makes it easier for attackers to compromise user accounts. In NetBrain, you can enable the strong password policy to protect the system. From the CLS server webpage, navigate to User Accounts > Options to define strong password options that meet your company's security policy.

1.3. User Authorization

The NetBrain EE system uses roles to define which operations each user is able to perform. Each user account is always associated with one or more roles. Four roles are predefined: Administrator, Power User, Engineer, and Guest. Additional roles can be created by an Administrator. There are eight categories of operation permissions that can be assigned to a role:

- Access to Live Network
- View Shared Device Settings
- Network Documentation
- Execute Network Change
- Troubleshooting features: IP SLA, NetFlow, and IP Accounting
- Shared Workspace Management
- System Management
- View Configuration File for Thin Client

1.4. User Account Access Control

Account access control can be managed via the following methods:

- AD account management (if it is enabled)
- NetBrain Server user access deletion
- Time-based user access
- Workspace-based user access
- Role-based user deletions (Group Access Control)
- Time-based password management and expiry

2. Security Impact on Live Network

Many NetBrain functions such as live network discovery, benchmarking, path discovery and monitoring require access to the live network. For these functions to work, Administrators need to enter live network settings into the NetBrain system, including the TACACS account (username and password) and the non-privileged and privileged passwords. These credentials are used to Telnet/SSH to devices and retrieve live data via CLI show commands. SNMP RO strings are used to access devices via SNMP. These settings are stored in the server database and all passwords are encrypted via NetBrain's proprietary algorithm. The settings are only accessible to users that have shared network management privileges. NetBrain uses the defined credentials to retrieve data from the live network via SNMP polling and/or CLI show commands.

NetBrain is designed to have as little security impact on a network as possible. For example, NetBrain uses an intelligent neighbor-walking algorithm, which minimizes or removes the need to scan the live network during discovery. This process emulates the workflow of a human engineer navigating from one device to another, and from one subnet to another. A NetBrain Administrator can add any subnet to the Do-Not-Scan list so that the subnet will not be scanned. For a typical network node, the packet size from NetBrain is about 1 KB for SNMP requests and 3-100 KB for Telnet/SSH requests.

NetBrain connectivity and ports/protocols:

Network Connectivity Requirements

Source                                      Destination               Port
Workspace Server                            Customer License Server   HTTP/HTTPS
Customer License Server, Network Server,    Workspace Server          HTTP/HTTPS
Automation Server, Workstation Client
Workspace Server                            Automation Server         TCP-8888
Workspace Server, Automation Server,        Network Server            TCP-7813, TCP-9099, TCP-9099
Workstation Client
Network Server                              Live Network              ICMP/SNMP/Telnet/SSH

3. Data Storage and Communication

3.1. Data Storage

All shared data is stored in the CLS/WSS database, accessible through the API after authentication. Some of the data may be cached in the WS client to improve performance. A PostgreSQL database is pre-installed on the servers. NetBrain applies the latest Postgres security patches to its major releases. Data stored on the server includes credentials to access the live network (encrypted), L2 and L3 topology, baseline data, and historical benchmarked data. Historical data is version controlled and can be managed from the web interface.

Sensitive data (e.g. the live network settings for the network) is stored in the server database and all credentials are encrypted via well-known symmetric block ciphers. The cryptographic components of NetBrain provide confidentiality and data integrity through encryption and hashing; the algorithms used are AES and 3DES for encryption and MD5 for hashing.

3.2. Communication

The communication between the WS client and the servers is over HTTP. The user can also choose HTTPS to have the communication encrypted (refer to section 4.2 below on how to enable HTTPS). To avoid session fixation attacks (a class of session hijacking in which the attacker steals the established session between the client and the web server after the user logs in) against the Customer License Server webpage, Workspace Server webpage and Server Workspace webpage, NetBrain adopts a new web security mechanism that binds the session ID to the user's IP address and changes the session ID after a session is established.

4. NetBrain Server Security Enhancements

4.1. Remove sensitive data from the device configuration files

For network security reasons, NetBrain can be configured to remove sensitive data from configuration files. To achieve this, navigate to the Workspace webpage > System > Options and check the option shown there.

4.2. Enable HTTPS and disable HTTP on CLS/WSS servers

To protect the data transfer between WS clients and the CLS/WSS servers, we recommend enabling HTTPS to encrypt the communication:

1. Install SSL certificates on both CLS/WSS Windows servers.
2. Enable HTTPS and disable HTTP on the default website from Windows IIS Manager.
3. Enable HTTPS on CLS: navigate to CLS webpage > Workspace Server, select the WSS IP, and click the Edit button. Check both HTTPS boxes and set both Port fields to 443.
4. Enable HTTPS on WSS: navigate to Workspace webpage > System > Options, check the HTTPS option, enter the WSS IP in both the Local and NAT'd IP address boxes, and set both Port fields to 443.
5. Restart the WWW service on both the CLS and WSS servers.
6. Restart the NetBrain Benchmark Schedule service on the WSS server.
7. To verify, navigate to Workspace webpage > Network Server and check that the status is up.

4.3. Disable Windows IIS default webpage

Default pages draw unnecessary attention from attackers, who tend to use techniques like Google Hacking to find servers with default configurations. NetBrain does not rely on the default website. If no other applications depend on the default website, you can disable it by stopping the DefaultAppPool as follows: in IIS Manager, choose Application Pools, right-click DefaultAppPool and choose Stop.
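A check a practitioner would want after completing 4.2 and 4.3: the following Python script (an added example, not NetBrain's code or tooling) probes the TCP paths from the section 2 table from one component's vantage point and confirms that the HTTPS endpoints answer with a certificate that validates, while port 80 is closed. The host names are placeholders, and the pairing of TCP-7813/TCP-9099 with their source components is this example's reading of the table.

```python
import socket
import ssl
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Placeholder host names for this example; substitute your own servers.
HOSTS = {
    "CLS": "cls.example.local",  # Customer License Server
    "WSS": "wss.example.local",  # Workspace Server
    "NS": "ns.example.local",    # Network Server
    "AS": "as.example.local",    # Automation Server
}


@dataclass(frozen=True)
class Check:
    host: str
    port: int
    expect_open: bool   # True: must accept connections; False: must be closed
    tls: bool           # also require a valid TLS handshake (HTTPS endpoints)
    description: str


def checks_for(vantage: str) -> List[Check]:
    """Checks to run from one component, derived from the section 2 port table.
    The 443/80 expectations reflect section 4.2 (HTTPS on, HTTP off). The pairing of
    TCP-7813 / TCP-9099 with specific sources is an assumption of this example."""
    wss, cls, ns, as_ = HOSTS["WSS"], HOSTS["CLS"], HOSTS["NS"], HOSTS["AS"]
    matrix: Dict[str, List[Check]] = {
        "Workstation Client": [
            Check(wss, 443, True, True, "Workstation -> WSS HTTPS"),
            Check(wss, 80, False, False, "Workstation -> WSS HTTP must be disabled"),
            Check(ns, 9099, True, False, "Workstation -> NS TCP-9099"),
        ],
        "Workspace Server": [
            Check(cls, 443, True, True, "WSS -> CLS HTTPS"),
            Check(cls, 80, False, False, "WSS -> CLS HTTP must be disabled"),
            Check(as_, 8888, True, False, "WSS -> AS TCP-8888"),
            Check(ns, 7813, True, False, "WSS -> NS TCP-7813"),
        ],
    }
    return matrix[vantage]


def tcp_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """Plain TCP connect; any failure (refused, filtered, unresolved) counts as closed."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def tls_handshake_ok(host: str, port: int, timeout: float = 3.0) -> bool:
    """Full TLS handshake with certificate and hostname validation against the system
    trust store, so a self-signed or misissued certificate on the IIS binding is reported."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except (OSError, ssl.SSLError):
        return False


def run_checks(checks: List[Check],
               probe: Callable[[str, int], bool] = tcp_open,
               tls_probe: Callable[[str, int], bool] = tls_handshake_ok) -> List[Tuple[Check, bool]]:
    """Return (check, passed) pairs. Probes are injectable so the logic can be tested offline."""
    results = []
    for c in checks:
        is_open = probe(c.host, c.port)
        passed = is_open == c.expect_open
        if passed and c.expect_open and c.tls:
            passed = tls_probe(c.host, c.port)
        results.append((c, passed))
    return results


def failures(results: List[Tuple[Check, bool]]) -> List[str]:
    """Descriptions of the checks that did not pass."""
    return [c.description for c, ok in results if not ok]


if __name__ == "__main__":
    for c, ok in run_checks(checks_for("Workstation Client")):
        print(f"{'PASS' if ok else 'FAIL'}  {c.description} ({c.host}:{c.port})")
```

Run it from a workstation after the IIS changes; a FAIL on the port 80 line means HTTP is still bound on the default website, and a FAIL on the HTTPS line with the port reachable means the installed certificate does not validate for that host name.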

4.4. Backup Server Data

NetBrain allows users to back up the data in an active Enterprise Server and restore it on a backup Enterprise Server if the active Enterprise Server goes down. Users can use the backup tool provided by NetBrain to export the data from the active server periodically and restore the exported data on the backup server automatically.

4.5. Shorten Thin Client Auto Logout Time

Using the automatic logout feature in Thin Client is a good way to add a layer of security to the data available in Thin Client, including device configurations and network topology. You can predefine an automatic logout after a period of inactivity according to your actual needs. To set the time, click the drop-down button next to the Role sign in the upper right corner of Thin Client, select Session Timeout, and select a time in the drop-down menu of the Session Timeout Settings dialog box.

4.6. Disable Web Service Definition Language (WSDL) Files

To protect API contents from being exposed to unnecessary users, WSDL is disabled in EE 6.0a and later versions. You can enable it by manually modifying some configuration; however, you are advised to keep it disabled if you do not use this feature.

5. Windows Server Hardening Best Practice

5.1. HDD Encryption

To prevent outsiders from gaining easy access to data stored on the server hard disk drives, a user can encrypt the entire hard disk drive via third-party applications. NetBrain EE is a software solution; NetBrain is not responsible for HDD encryption.

5.2. Windows server hardening

Although NetBrain EE is a software solution installed on Windows servers, we do not manage the servers. We recommend that you harden the Windows server by following your company's security policy, including the following items:

- Install anti-virus software
- Apply the latest Windows patches from Microsoft
- Apply corporate security policy
- Back up the VM server image if the servers are VM based
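The session handling described in section 3.2 (session ID bound to the client IP and regenerated once a session is established) together with the inactivity logout of section 4.5, shown as an added example in Python. This is illustrative code written for this page, not NetBrain's implementation; the timeout value, addresses and credentials are constructed, and the clock is injectable so the timeout can be exercised without waiting.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Session:
    user: Optional[str]   # None until login succeeds
    client_ip: str        # the session is only honoured from this address
    last_seen: float      # monotonic timestamp of the last accepted request


class SessionStore:
    """Server-side session table with the defences the guidance describes: the ID is
    bound to the client IP and regenerated at login (3.2), and an idle session
    expires after a configurable timeout (4.5)."""

    def __init__(self, idle_timeout_s: float = 900.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._sessions: Dict[str, Session] = {}
        self.idle_timeout_s = idle_timeout_s
        self._clock = clock

    @staticmethod
    def _new_id() -> str:
        # 256 bits from the OS CSPRNG; never derived from user input or the clock
        return secrets.token_urlsafe(32)

    def start(self, client_ip: str) -> str:
        """Issue an unauthenticated session (e.g. for the login page)."""
        sid = self._new_id()
        self._sessions[sid] = Session(None, client_ip, self._clock())
        return sid

    def lookup(self, sid: str, client_ip: str) -> Optional[Session]:
        """Resolve a presented ID; unknown, idle-expired and wrong-IP sessions are rejected."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > self.idle_timeout_s:
            del self._sessions[sid]      # automatic logout after inactivity
            return None
        if s.client_ip != client_ip:
            return None                  # same ID from another address is not honoured
        s.last_seen = now                # accepted activity extends the idle window
        return s

    def login(self, presented_sid: Optional[str], client_ip: str, user: str,
              password: str, verify: Callable[[str, str], bool]) -> Optional[str]:
        """Authenticate and always issue a fresh ID. Whatever ID the browser presented
        (possibly planted by an attacker) is discarded, so it never becomes authenticated."""
        if not verify(user, password):
            return None
        if presented_sid is not None and self.lookup(presented_sid, client_ip) is not None:
            del self._sessions[presented_sid]
        new_sid = self._new_id()
        self._sessions[new_sid] = Session(user, client_ip, self._clock())
        return new_sid

    def authenticated_user(self, sid: str, client_ip: str) -> Optional[str]:
        s = self.lookup(sid, client_ip)
        return s.user if s else None


def demo(idle_timeout_s: float = 600.0) -> Dict[str, bool]:
    """Exercise the three protections with a controllable clock and constructed data."""
    now = [0.0]
    store = SessionStore(idle_timeout_s, clock=lambda: now[0])
    creds = {"alice": "correct horse"}              # constructed sample credential store
    verify = lambda u, p: creds.get(u) == p

    attacker_ip, victim_ip = "203.0.113.9", "198.51.100.5"   # documentation-range addresses
    # Fixation scenario: an ID obtained before login is presented by the victim at login
    planted = store.start(attacker_ip)
    victim_sid = store.login(planted, victim_ip, "alice", "correct horse", verify)
    fixation_blocked = (victim_sid != planted
                        and store.authenticated_user(planted, attacker_ip) is None)

    # IP binding: the victim's real ID is not honoured from another address
    ip_bound = (store.authenticated_user(victim_sid, attacker_ip) is None
                and store.authenticated_user(victim_sid, victim_ip) == "alice")

    # Idle timeout: no activity for longer than the window logs the user out
    now[0] += idle_timeout_s + 1
    timed_out = store.authenticated_user(victim_sid, victim_ip) is None
    return {"fixation_blocked": fixation_blocked, "ip_bound": ip_bound, "timed_out": timed_out}
```

The regenerate-at-login step is the one that defeats fixation regardless of how the pre-login ID reached the browser; the IP binding and idle timeout then limit what a stolen post-login ID is worth. Binding to the client IP does log users out when their address changes (mobile clients, some proxies), which is the trade-off behind making the section 4.5 timeout configurable.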