PCI Compliance Auditing and Forensics with Tectia
White Paper, November 2010

This document discusses auditing remote system access processes for policy compliance (for example, PCI DSS) and for gathering forensic information about security incidents. The document introduces Tectia, which enables you to control, audit and replay remote access connections to your Unix, Linux, and Windows services without changes to existing processes, IT environment, or end-user experience. The procedures and concepts described here apply to Tectia version 3.0.

2010 Tectia Corporation. All rights reserved. ssh and Tectia are registered trademarks of Tectia Corporation in the United States and in certain other jurisdictions. The SSH and Tectia logos are trademarks of Tectia Corporation and may be registered in certain jurisdictions. All other names and marks are property of their respective owners.
INTRODUCTION

The main problem of server administration is that while system administrators are usually near the bottom of the company hierarchy and do not carry much responsibility, their privileges for accessing the different systems, such as databases, are actually the highest in the company. And it is not only their responsibility that is limited, but their accountability as well, because they have countless possibilities to hide their actions. Although every server creates logs of all events, the logging system itself is also under the control of the system administrator: the administrator can stop logging at any time and, if there is no centralized logging in place, even delete the log entries about their own actions.

Another problem with server administration is the increasing tendency towards outsourcing. If a company outsources the administration of its servers to an external company, it effectively means that complete strangers (the system administrators of the company providing the server-administration services, or in worse cases, a subcontractor) have omnipotent access to all business data and critical services of the company.

Additionally, the security requirements and legislation that have traditionally mandated auditing and control of administrative actions and accounts are becoming more and more common for regular end users as well, for example those connecting to virtualized environments such as Windows Terminal Services and Citrix Virtual Desktop.

Figure 1. Controlling remote access with Tectia
www.tectia.com
OVERVIEW OF TECTIA GUARDIAN

Tectia, a key product of Tectia Manage Solutions, is a device that controls, monitors, and audits remote access to servers and networking devices. It oversees the remote access and server administration processes of administrators and users by controlling the encrypted connections used in server administration. It is an external, fully transparent device, completely independent of the clients and the servers. The server and client applications do not have to be modified in order to use Tectia; it integrates smoothly into the existing infrastructure.

Tectia is a gateway appliance that is transparent to network traffic except for the remote access protocols it controls. The controlled traffic is filtered according to rules set in Tectia, and also recorded into audit trails for later analysis. Every action, modification and configuration change that the administrators or end users perform on the servers is available in the audit trails: in case of any problems (server misconfiguration, compromise, unexpected shutdown) the circumstances of the event are readily available and the cause of the incident can be identified. With Tectia you can oversee and control the work of the system administrators and other remote users, creating a new management level that has real power over the system administrators.

Tectia logs all the traffic (including configuration changes, executed commands, file transfers, etc.) into audit trails. All data is stored in encrypted, timestamped and signed files, so that any modification or manipulation is detected. Those who administer or access the end servers do not have administrator access to Tectia, making it a true third party for auditing and forensics. The recorded audit trails can be replayed like a movie, recreating all actions of the administrator.
Fast-forwarding during replay, and searching for events (e.g., mouse clicks, pressing the Enter key) and for text seen by the administrator, are also supported. Reports and automatic searches can be configured as well. To protect sensitive information included in the communication, the two directions of the traffic (client-to-server and server-to-client) can be separated and encrypted with different keys, so that sensitive information such as passwords is displayed only when necessary.

GATEWAY AUTHENTICATION AND 4-EYES AUTHORIZATION

To verify the identity of the users, Tectia can act as a gateway and request authentication on the gateway. When gateway authentication is required for a connection, the user must authenticate on Tectia as well. This additional authentication can be performed on the Tectia web interface, providing a protocol-independent, out-of-band authentication method. That way the connections can be authenticated against the central authentication database (e.g., LDAP or RADIUS), even if the protocol itself does not support authentication databases. Also, connections using generic usernames (e.g., root, Administrator) can be tied to real user accounts, enabling the individual auditing and accountability required by many regulations and security standards. It is even possible to use one authentication method (e.g., X.509 certificates) on Tectia and a different one on the accessed remote server; when the two methods rely on different factors (for example, a certificate on the gateway and a password on the server), this amounts to two-factor authentication.

Tectia can also ensure that a user is overseen and authorized by an auditor or authorizer: when 4-eyes authorization is required for a connection, a separate user (called the authorizer) must authorize the connection on Tectia as well. This authorization is in addition to any authentication or group membership requirements the user must meet to access the remote server. Any connection can use 4-eyes authorization, so it provides a protocol-independent, out-of-band authorization and monitoring method.
The authorizer can terminate the connection at any time, and can also monitor the events of the authorized connections in real time. Tectia can stream the traffic to the Audit Player application, where the authorizer (or a separate auditor) can watch exactly what the user does on the server, just like watching a movie. The 4-eyes authorization and auditing can be used, for example, when auditing outsourced or other remote third-party connections to your critical services.

Tectia can also remove the encryption from the traffic and forward the unencrypted traffic to an Intrusion Detection System (IDS), making it possible to analyze the contents of the encrypted traffic. That way traffic that was previously inaccessible to IDS analysis can be inspected in real time. Other protocols tunneled in SSH can be inspected as well. Similarly, the list of files transferred and accessed in the encrypted protocols can be sent to a Data Loss Prevention (DLP) system.

SUPPORTED PROTOCOLS

Tectia 3.0 supports the following protocols:
- The Secure Shell (SSH) protocol (version 2), used to access Unix-based servers and network devices.
- The Remote Desktop Protocol (RDP) versions 5, 6, and 7, used to access Microsoft Windows platforms, including Windows Server 2008 R2, Vista, and Windows 7.
- The VMware View protocol, used to access VMware virtual desktops.
- The Citrix ICA (Independent Computing Architecture) protocol, used to access Citrix WinFrame, XenApp, and XenDesktop environments (available in version 3.1).
- The Virtual Network Computing (VNC) graphical desktop sharing system, commonly used for remote graphical access in multi-platform environments.
- The X11 protocol forwarded in SSH, used to remotely access the graphical interface of Unix-like systems.
- The Telnet protocol, used to access networking devices (switches, routers), and the TN3270 protocol, used to access IBM mainframes and other legacy hosts.

Figure 2. 4-eyes authorization
USING TECTIA GUARDIAN IN FORENSICS SITUATIONS

In larger companies, computer forensics is performed by a local Computer Emergency Response Team (CERT) or Computer Incident Response Team (CIRT). Being able to reliably record administrative access to the servers of the company, Tectia can be an ideal tool to aid the investigation of incidents related to the servers, such as unexpected shutdowns or server compromises, as it provides a way to review exactly what the administrators changed or configured, and when. This is especially important for business-critical servers, or if the company has outsourced its server administration to an external, possibly foreign, company.

FINDING AND REPLAYING AUDIT TRAILS

Tectia saves information about every recorded connection to make it easy to find a particular connection. This saved metadata includes the starting and ending date of the connection, the IP addresses of the client and the server, the username and method of authentication used to access the server, etc. To replay exactly what an administrator did after connecting to the server, a media-player-like application called Audit Player (AP) is used. Both the Audit Player and the search page on the Tectia web interface let you find particular audit trails based on the various metadata saved about every connection. Searching on the web interface is mainly recommended for pre-filtering the audit trails, while the Audit Player is more useful for targeted searches and for organizing the audit trails. Filtering makes it easy to find the audit trails of specific interest, based on:
- date;
- protocol used in the connection;
- IP address and port number of the client and server;
- authentication method and username used to log on to the server, etc.

Figure 3. Filtering connections on the Tectia web interface
Figure 4. Reviewing audit trails

Tectia and the Audit Player create a comprehensive index of the text seen in the audit trails (including the commands typed, filenames, etc.), making the contents of the audit trails searchable from the Tectia web interface. Customized reports can also be created for specific keywords. After downloading the relevant audit trails to your desktop computer, the Audit Player can display exactly what appeared on the screen of the administrator, like a movie: the SSH or Telnet terminal window, or the complete graphical desktop of the Windows servers. Everything is included: what the administrator typed, what they saw, etc. In addition to basic replay functions like fast-forwarding, with the Audit Player you can search in every text that appeared on the administrator's screen, so you can search for commands, names of directories, etc. Searching works for the audit trails of Microsoft Windows servers as well, because the Audit Player performs optical character recognition (OCR) on the audit trails. Note that OCR is not exact: a keyword search over a graphical session can miss text that was misrecognized, so a negative search result on an RDP trail is weaker evidence than one on a terminal trail.

AUTOMATIC INDEXING AND REPORTING

Tectia can send the audit trails to the Audit Player application (AP) for processing. AP extracts the text from the audit trails and segments it into tokens. A token is a segment of the text that does not contain whitespace: e.g., words, dates (2009-03-14), MAC or IP addresses, etc. AP then returns the extracted tokens to Tectia, where Tectia creates a comprehensive index of the tokens of the processed audit trails. That way the contents of the processed audit trails (e.g., commands typed or text seen by the user) can be searched from the web interface. Reports can also be created automatically from the indexing results. The reports include statistics of the occurrences of specific search keywords, screenshots from the audit trails where a search keyword was found, and also general statistics, including statistics on the commands used in SSH connections.
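As an added illustration of the indexing and reporting step described above (example code written for this edit, not Tectia's or the Audit Player's own implementation), the following Go program tokenizes the text of a few constructed audit trails on whitespace, builds an inverted index from tokens to trail IDs, answers multi-keyword searches, and produces the per-command statistics for SSH sessions. The trail contents, trail IDs and the `$ ` prompt convention used to spot commands are assumptions of this example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// AuditTrail is the text extracted from one recorded session. In the paper
// this text comes from the Audit Player's extraction step (OCR for graphical
// sessions); here the trails are constructed sample data.
type AuditTrail struct {
	ID       string
	Protocol string
	User     string
	Text     string
}

// Index maps a token to the set of audit-trail IDs in which it appears.
type Index map[string]map[string]bool

// Tokenize splits extracted text on whitespace: a token is any run of
// non-whitespace characters (words, dates, IP addresses, paths).
func Tokenize(text string) []string {
	return strings.Fields(text)
}

// Build creates the inverted index over a set of audit trails.
func Build(trails []AuditTrail) Index {
	idx := Index{}
	for _, t := range trails {
		for _, tok := range Tokenize(t.Text) {
			if idx[tok] == nil {
				idx[tok] = map[string]bool{}
			}
			idx[tok][t.ID] = true
		}
	}
	return idx
}

// Search returns the sorted IDs of trails that contain every keyword (exact token match).
func (idx Index) Search(keywords ...string) []string {
	var result map[string]bool
	for _, kw := range keywords {
		hits := idx[kw]
		if result == nil { // first keyword seeds the candidate set
			result = map[string]bool{}
			for id := range hits {
				result[id] = true
			}
			continue
		}
		for id := range result { // later keywords narrow it
			if !hits[id] {
				delete(result, id)
			}
		}
	}
	ids := make([]string, 0, len(result))
	for id := range result {
		ids = append(ids, id)
	}
	sort.Strings(ids)
	return ids
}

// CommandStats counts the first word of every prompt line ("$ " or "# ") in
// SSH trails, giving the "commands used" statistic the reports contain.
func CommandStats(trails []AuditTrail) map[string]int {
	stats := map[string]int{}
	for _, t := range trails {
		if t.Protocol != "ssh" {
			continue
		}
		for _, line := range strings.Split(t.Text, "\n") {
			line = strings.TrimSpace(line)
			if len(line) < 2 || (line[0] != '$' && line[0] != '#') || line[1] != ' ' {
				continue
			}
			if f := strings.Fields(line[2:]); len(f) > 0 {
				stats[f[0]]++
			}
		}
	}
	return stats
}

// SampleTrails is constructed sample data, not a real recording.
var SampleTrails = []AuditTrail{
	{ID: "trail-001", Protocol: "ssh", User: "root", Text: "$ cd /etc/pki\n$ cat cardholder.key\n$ rm -f /var/log/secure\n"},
	{ID: "trail-002", Protocol: "ssh", User: "alice", Text: "$ sudo systemctl restart httpd\n$ tail /var/log/secure\n"},
	{ID: "trail-003", Protocol: "rdp", User: "Administrator", Text: "Server Manager 2009-03-14 Event Viewer cardholder.key"},
}

func main() {
	idx := Build(SampleTrails)
	fmt.Println("trails mentioning cardholder.key:", idx.Search("cardholder.key"))
	fmt.Println("trails with rm and /var/log/secure:", idx.Search("rm", "/var/log/secure"))
	fmt.Println("SSH command statistics:", CommandStats(SampleTrails))
}
```

Exact token matching is what whitespace tokenization gives you: a search for `secure` does not hit `/var/log/secure`, which is why the paper's reports are keyword-driven and why a forensic search should try the full path as well as the bare name.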
Figure 5. Replaying an audit trail with the Audit Player

GATEWAY AUTHENTICATION AND 4-EYES AUTHORIZATION

To ensure that the audited connections can be traced back to the real-life user who initiated the connection, Tectia can act as a gateway and request authentication from the users. This gateway authentication:
- is available for every supported protocol;
- is performed out-of-band on the Tectia web interface, in a communication channel independent of the audited connection;
- can use strong authentication methods (e.g., X.509 certificates);
- can integrate with a central user database (e.g., an LDAP/Microsoft Active Directory server or a RADIUS server);
- is independent of, and in addition to, the authentication performed by the accessed server, so it can be used to implement two-factor authentication.

To add a further layer of authorization, 4-eyes authorization can be required for every connection (i.e., a separate user must accept and enable the connection request of the user), and the authorizer, or a separate auditor, also has the possibility to oversee the actions of the user in real time.
USING TECTIA GUARDIAN FOR PCI COMPLIANCE

Compliance is becoming more and more important in several fields: laws, regulations and industry standards mandate increasing security awareness and protection of customer data. As a result, companies have to increase control over their business processes and the auditability of those processes, for example by ensuring that only employees who really need access to certain data have it, and by carefully auditing all access to that data. Tectia is a device to control data access, that is, access to the servers where you store your important data. Being independent of the controlled servers, it also complements the system and application logs generated on the server by creating complete, indexed and replayable audit trails of the users' sessions. Using an independent device for auditing is advantageous for the following reasons:
- Tectia organizes the audited data into sessions called audit trails, making it easy to review the actions of individual users;
- Tectia provides reliable, trustworthy audit data even for system administrator accounts that are able to manipulate the logs generated on the server; and
- Tectia allows you to create an independent auditor layer that can control, audit and review the activities of the system administrators while being independent of them.

The following table describes the requirements of the Payment Card Industry Data Security Standard (based on PCI DSS version 1.2.1, available at https://www.pcisecuritystandards.org) that are relevant to auditing, and how Tectia supports each of them. Other compliance regulations like the Sarbanes-Oxley Act (SOX), Basel II, or the Health Insurance Portability and Accountability Act (HIPAA) include similar requirements.

PCI requirement 1.3.8: Implement IP masquerading to prevent internal addresses from being translated and revealed on the Internet, using RFC 1918 address space. Use network address translation (NAT) technologies, for example, port address translation (PAT).
How Tectia Guardian supports it: Tectia supports both network and port address translation, and can even extract the destination address from the controlled protocol (e.g., SSH) itself.

PCI requirement 2.2.1: Implement only one primary function per server.
How Tectia Guardian supports it: Tectia is an appliance dedicated to the sole purpose of overseeing remote-access connections. Other applications cannot be installed on Tectia.

PCI requirement 2.2.4: Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems.
How Tectia Guardian supports it: Tectia is based on a hardened operating system that contains only the tools required to run Tectia.
PCI requirement 2.3: Encrypt all non-console administrative access. Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access.
How Tectia Guardian supports it: The Tectia web interface is accessible only via the TLS-encrypted HTTPS protocol; optionally, a remote console accessible using SSH can be enabled as well.

PCI requirements 6.1 and 6.2: Ensure that all system components and software have the latest vendor-supplied security patches installed. Install critical security patches within one month of release. Establish a process to identify newly discovered security vulnerabilities (for example, subscribe to alert services freely available on the Internet). Update configuration standards as required by PCI DSS Requirement 2.2 to address new vulnerability issues.
How Tectia Guardian supports it: The software and applications used in Tectia and the underlying operating system are constantly monitored for security vulnerabilities. Updating Tectia requires only updating the Tectia firmware. The list of security vulnerabilities and their status is available to registered customers.

PCI requirement 7.1: Limit access to system components and cardholder data to only those individuals whose job requires such access. Access limitations must include the following: 7.1.2 Assignment of privileges is based on individual personnel's job classification and function; 7.1.4 Implementation of an automated access control system.
How Tectia Guardian supports it: Tectia controls remote-access connections using the role-based access control (RBAC) model. It can retrieve the group memberships of users from LDAP databases, and grant access to a connection or to a specific protocol channel (e.g., SCP or X11 forwarding in SSH, or a shared drive or device in RDP) based on these roles. The configuration and management of Tectia itself can be customized in detail, as it is entirely based on ACLs and group memberships. Owing to its authentication, authorization, and auditing capabilities, such as 4-eyes authorization and real-time monitoring, Tectia can play an essential part in the access control of remote access, e.g., in the control of remote server administration.
PCI requirement 7.2: Establish a mechanism for systems with multiple users that restricts access based on a user's need to know and is set to deny all unless specifically allowed.
How Tectia Guardian supports it: Tectia can restrict access to the servers to users who are members of selected LDAP user groups, or who are specifically listed in a user list. It is also possible to restrict access based on the IP address of the client. Tectia can also control access to the channels of the administrative protocol: e.g., it can disable access to shared drives when accessing Windows Terminal servers, or enable port forwarding in SSH connections only for selected users. For the configuration of Tectia itself and the data stored on it, a role-based ACL system is available in which the rights of each user can be specified in detail.

PCI requirement 8.3: Incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties. Use technologies such as remote authentication and dial-in service (RADIUS); terminal access controller access control system (TACACS) with tokens; or VPN (based on SSL/TLS or IPSEC) with individual certificates.
How Tectia Guardian supports it: Tectia was designed to control and audit remote-access connections. It can authenticate users independently of the accessed server, and supports strong authentication methods such as public-key authentication and X.509 certificates, as well as authentication against RADIUS and LDAP databases. Because it can require a separate authentication, it is an effective tool for implementing a centralized two-factor authentication scenario, provided the factor used on the gateway (e.g., a certificate or token) differs from the one used on the server (e.g., a password). Tectia can also require users to authenticate on the Tectia web interface before a connection is allowed, providing a protocol-independent, out-of-band authentication method.

PCI requirement 8.5.6: Enable accounts used by vendors for remote maintenance only during the time period needed.
How Tectia Guardian supports it: You can create Time Policies to allow a client to access the protected servers only during scheduled maintenance hours. Alternatively, you can simply disable connections coming from the client when they are not needed. To oversee and control what the vendor does on the system, you can use 4-eyes authorization, where the vendor can access the system only if you authorize the connection, and you can watch the vendor's actions in real time in the Audit Player application. If the user does something that you deem inappropriate or harmful, you can terminate the connection at any time.
PCI requirement 8.5.16: Authenticate all access to any database containing cardholder data. This includes access by applications, administrators, and all other users.
How Tectia Guardian supports it: Tectia was developed to control and audit the remote access of administrators to the protected servers. It provides control over the most common applications and protocols used in remote server administration, including Secure Shell (SSH), VNC, and Windows Terminal Services. Tectia can control regular user access as well, if normal users also reach the data through Terminal Services on a Windows Terminal Server. In addition to the authentication performed on the remote server, Tectia can authenticate the user with strong authentication methods against an LDAP or RADIUS database, making two-factor authentication possible. Furthermore, the 4-eyes principle can be enforced by requiring another user to authorize every connection.

PCI requirement 10.1: Establish a process for linking all access to system components (especially access done with administrative privileges such as root) to each individual user.
How Tectia Guardian supports it: Tectia can automatically deny certain usernames (e.g., root) from accessing your protected servers. It can also authenticate users who try to access the servers against your main LDAP database. Tectia can require users to authenticate on Tectia with their personal usernames, making it possible to tie connections that use generic (e.g., Administrator) usernames to real accounts. Tectia can even control who may use a specific username on the server.

PCI requirement 10.2: Implement automated audit trails for all system components to reconstruct the following events: 10.2.2 All actions taken by any individual with root or administrative privileges.
How Tectia Guardian supports it: Tectia was developed for this very purpose: to control and audit the remote access of administrators to the protected servers. Every action of the administrators is visible in the audit trail. It is also possible to automatically process and index the contents of the audit trails, create reports of the results, and create customized reports based on selected keywords or other conditions.
PCI requirement 10.2.3: Access to all audit trails.
How Tectia Guardian supports it: The audit trails stored on Tectia can be accessed only by users who have the privilege to do so. Downloading of audit trails is recorded in the system logs. The audit trails can be encrypted, and it is also possible to encrypt them with multiple encryption keys; in that case the audit trail can be viewed only if every required decryption key is available.

PCI requirement 10.2.4: Invalid logical access attempts.
How Tectia Guardian supports it: Tectia automatically logs all attempts to access remote servers or specific protocol channels that were denied for any reason.

PCI requirement 10.2.5: Use of identification and authentication mechanisms.
How Tectia Guardian supports it: For both successful and failed authentication attempts, Tectia also logs the type of authentication used.

PCI requirement 10.2.7: Creation and deletion of system-level objects.
How Tectia Guardian supports it: Typically only administrators can perform such operations, and administrator activity is audited. For its own configuration changes, Tectia maintains a detailed changelog, and can require administrators to describe the reasons for their modifications.

PCI requirement 10.3: Record at least the following audit trail entries for all system components for each event: 10.3.1 User identification; 10.3.2 Type of event; 10.3.3 Date and time; 10.3.4 Success or failure indication; 10.3.5 Origination of event; 10.3.6 Identity or name of affected data, system component, or resource.
How Tectia Guardian supports it: Tectia records all of these data, and other metadata (e.g., the type of authentication) as well, about users accessing the protected servers using the supported protocols. Tectia can require users to authenticate on Tectia with their personal usernames, making it possible to tie connections that use generic (e.g., Administrator) usernames to real accounts.

PCI requirement 10.4: Synchronize all critical system clocks and times.
How Tectia Guardian supports it: Tectia can automatically synchronize its system clock to a remote time server. That way the audit trails contain accurate time information even if the server logs are mistimed because the clock of the server is inaccurate or has not been synchronized.
PCI requirement 10.5: Secure audit trails so they cannot be altered.
How Tectia Guardian supports it: All audit trails are digitally signed and encrypted using public-key encryption. The encryption can use multiple encryption keys as well. The audit trails can be timestamped using local or external Timestamping Authorities.

PCI requirement 10.5.1: Limit viewing of audit trails to those with a job-related need.
How Tectia Guardian supports it: Audit trails can be downloaded only by users who have the required privileges. The downloaded audit trails can be viewed only if the user has the required encryption key or keys. The upstream direction of the communication (the part that may contain passwords or other sensitive information) can be encrypted separately, and is displayed only if the additional encryption key is available.

PCI requirement 10.5.2: Protect audit trail files from unauthorized modifications.
How Tectia Guardian supports it: The audit trails are stored on Tectia, which is an appliance physically independent of the audited servers; the users of the remote servers do not need to have accounts on Tectia. The audit trails are encrypted, timestamped, and signed so that any modification is detected. They can be accessed directly only by those authorized to do so.

PCI requirement 10.5.4: Write logs for external-facing technologies onto a log server on the internal LAN.
How Tectia Guardian supports it: Tectia supports both the legacy BSD-syslog and the latest IETF-syslog protocols, and can send its log messages to the log server over mutually authenticated, TLS-encrypted connections.

PCI requirement 10.6: Review logs for all system components at least daily. Log reviews must include those servers that perform security functions like intrusion-detection system (IDS) and authentication, authorization, and accounting protocol (AAA) servers (for example, RADIUS).
How Tectia Guardian supports it: Tectia automatically generates daily reports about the audited connections. It can also automatically index the contents of the recorded audit trails and create custom reports. The content of the audited traffic can be forwarded to an external IDS/DLP system as well, extending the protection offered by these systems to the previously inaccessible administrative traffic. As for its own logs, Tectia can send them to remote log servers over reliable, encrypted connections.
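The properties listed for requirements 10.5 through 10.5.2, together with the separate encryption of the upstream direction described earlier in this paper, can be demonstrated in code. The Go program below is an added example written for this edit, not Tectia's file format or implementation: it encrypts the two traffic directions of a session with AES-256-GCM, layers the encryption so that every listed key is needed to read a trail, keeps the upstream (typed) direction behind one additional key, and signs the whole record together with a timestamp using Ed25519 so that any change to metadata or ciphertext is detected. The key names, field names and sample traffic are constructed; the timestamp is a signed local value standing in for the external Timestamping Authority the paper mentions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"time"
)

// SealedTrail is this example's on-disk form of one recorded session: metadata
// in the clear, each traffic direction encrypted separately, and a signature
// over everything. The field names are assumptions, not Tectia's format.
type SealedTrail struct {
	User, ClientIP, ServerIP, Protocol string
	SealedAt                           time.Time // signed local timestamp (a deployment would use an RFC 3161 TSA)
	Downstream, Upstream               []byte    // AES-GCM ciphertexts, one nonce prepended per layer
	Signature                          []byte    // Ed25519 over SHA-256 of all other fields
}

// encryptLayer wraps plaintext under one 32-byte AES-GCM key; the nonce is prepended.
func encryptLayer(plain, key []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plain, nil), nil
}

func decryptLayer(ct, key []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(ct) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil)
}

// EncryptAll applies every key in turn, so decryption needs all of them
// (the "multiple encryption keys" property from the paper).
func EncryptAll(plain []byte, keys [][]byte) ([]byte, error) {
	out := plain
	for _, k := range keys {
		var err error
		if out, err = encryptLayer(out, k); err != nil {
			return nil, err
		}
	}
	return out, nil
}

// DecryptAll peels the layers in reverse order; a missing or wrong key fails
// the GCM authentication of that layer.
func DecryptAll(ct []byte, keys [][]byte) ([]byte, error) {
	out := ct
	for i := len(keys) - 1; i >= 0; i-- {
		var err error
		if out, err = decryptLayer(out, keys[i]); err != nil {
			return nil, fmt.Errorf("layer %d: %w", i, err)
		}
	}
	return out, nil
}

// digest hashes the trail with the signature field cleared.
func digest(t SealedTrail) []byte {
	t.Signature = nil
	b, _ := json.Marshal(t)
	sum := sha256.Sum256(b)
	return sum[:]
}

// Seal encrypts the downstream (what the user saw) under viewerKeys and the
// upstream (what the user typed, e.g. passwords) under viewerKeys plus
// sensitiveKey, then timestamps and signs the record.
func Seal(meta SealedTrail, down, up []byte, viewerKeys [][]byte, sensitiveKey []byte, signer ed25519.PrivateKey, now time.Time) (*SealedTrail, error) {
	var err error
	meta.SealedAt = now.UTC()
	if meta.Downstream, err = EncryptAll(down, viewerKeys); err != nil {
		return nil, err
	}
	upKeys := append(append([][]byte{}, viewerKeys...), sensitiveKey)
	if meta.Upstream, err = EncryptAll(up, upKeys); err != nil {
		return nil, err
	}
	meta.Signature = ed25519.Sign(signer, digest(meta))
	return &meta, nil
}

// Verify detects any change to metadata, timestamp or ciphertext.
func Verify(t *SealedTrail, pub ed25519.PublicKey) bool {
	return ed25519.Verify(pub, digest(*t), t.Signature)
}

// Open replays a verified trail. The upstream direction is returned only when
// the sensitive key is supplied; otherwise it stays redacted (nil).
func Open(t *SealedTrail, pub ed25519.PublicKey, viewerKeys [][]byte, sensitiveKey []byte) (down, up []byte, err error) {
	if !Verify(t, pub) {
		return nil, nil, errors.New("signature check failed: trail altered or wrong signer")
	}
	if down, err = DecryptAll(t.Downstream, viewerKeys); err != nil {
		return nil, nil, err
	}
	if sensitiveKey != nil {
		upKeys := append(append([][]byte{}, viewerKeys...), sensitiveKey)
		if up, err = DecryptAll(t.Upstream, upKeys); err != nil {
			return nil, nil, err
		}
	}
	return down, up, nil
}

func newKey() []byte {
	k := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		panic(err)
	}
	return k
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	auditorKey, complianceKey, passwordKey := newKey(), newKey(), newKey()
	meta := SealedTrail{User: "alice", ClientIP: "10.0.0.5", ServerIP: "10.0.1.20", Protocol: "ssh"}
	// Constructed sample traffic, not a real recording.
	viewers := [][]byte{auditorKey, complianceKey}
	trail, _ := Seal(meta, []byte("Password: \n$ "), []byte("hunter2\nrm -rf /var/log\n"), viewers, passwordKey, priv, time.Now())
	down, up, err := Open(trail, pub, viewers, nil)
	fmt.Printf("auditor view: %q, upstream redacted: %v, err: %v\n", down, up == nil, err)
	_, up, _ = Open(trail, pub, viewers, passwordKey)
	fmt.Printf("with password key: %q\n", up)
	trail.User = "bob" // tampering attempt on the metadata
	fmt.Println("after editing metadata, signature valid:", Verify(trail, pub))
}
```

Layering the keys gives the "all keys required" semantics in the simplest possible way; it does not give a threshold (k-of-n) scheme, which would need secret sharing instead. Signing before encryption is avoided here on purpose: the signature covers the ciphertext and the clear metadata, so an auditor can verify integrity without holding any decryption key.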
PCI requirement 10.7: Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from back-up).
How Tectia Guardian supports it: Tectia can store a significant amount of audit trails online. The database storing the metadata about the audit trails remains available even after the actual audit trails have been archived.

PCI requirement 11.4: Use intrusion-detection systems, and/or intrusion-prevention systems to monitor all traffic in the cardholder data environment and alert personnel to suspected compromises. Keep all intrusion-detection and prevention engines up-to-date.
How Tectia Guardian supports it: The content of the audited traffic can be forwarded to an external IDS/DLP system, extending the protection offered by these systems to the previously inaccessible administrative traffic.

PCI requirement 12.3.9: Activation of remote-access technologies for vendors only when needed by vendors, with immediate deactivation after use.
How Tectia Guardian supports it: The connection policies of Tectia can be easily enabled and disabled as needed. When using the 4-eyes authorization principle, every session of a connection policy must be authorized individually, with the possibility of monitoring the work of the user in real time to retain full control over vendor access. It is also possible to limit access to a connection to specific times of the day or week.

PCI requirement 12.3.10: When accessing cardholder data via remote-access technologies, prohibit copy, move, and storage of cardholder data onto local hard drives and removable electronic media.
How Tectia Guardian supports it: Tectia can control remote-access connections at the channel level, so it is possible, for example, to disable the SCP channel of SSH connections, or the clipboard and device-sharing channels of RDP connections, to prevent copying of remotely stored data to local media. Note that data displayed on the screen (e.g., with cat in a terminal) can still be captured on the client side, so channel control complements rather than replaces session monitoring. The contents of the audited connection can be forwarded to an external IDS/DLP system as well.
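The access-control rows above (7.2, 8.5.6, 10.1, 12.3.9 and 12.3.10) all reduce to one deny-by-default decision over a connection or channel request. The Go program below is an added example written for this edit, not Tectia's policy engine: it evaluates a constructed vendor policy against a request that carries the gateway-authenticated identity, its directory groups, the client address, the username presented to the server, the requested channel, the 4-eyes authorizer and the time, and returns an allow/deny decision with the reason that would be written to the denied-access log. Policy fields, group names, addresses and the time window are assumptions of this example.

```go
package main

import (
	"fmt"
	"net"
	"time"
)

// Request is one attempt to open a connection, or a channel inside it.
// Field names are this example's own, not Tectia's configuration model.
type Request struct {
	ClientIP     net.IP
	GatewayUser  string    // identity proven out-of-band on the gateway; "" if not authenticated there
	Groups       []string  // directory group memberships of GatewayUser
	ServerUser   string    // username presented to the target server
	Channel      string    // "shell", "scp", "port-forward", "rdp-clipboard", ...
	AuthorizedBy string    // 4-eyes authorizer who approved the session; "" if none yet
	At           time.Time // when the request is made
}

// Policy is one connection policy. Anything not explicitly listed is denied.
type Policy struct {
	Name            string
	AllowedClients  []*net.IPNet
	AllowedGroups   []string
	DeniedUsernames []string            // e.g. "root": force personal accounts (PCI 10.1)
	Channels        map[string][]string // channel -> groups that may use it; unlisted channels are closed
	Hours           [2]int              // [start, end) hour of the maintenance window (PCI 8.5.6, 12.3.9)
	Weekdays        map[time.Weekday]bool
	RequireFourEyes bool
}

// Decision carries the verdict and a reason suitable for the denied-access log (PCI 10.2.4).
type Decision struct {
	Allowed bool
	Reason  string
}

func contains(list []string, s string) bool {
	for _, x := range list {
		if x == s {
			return true
		}
	}
	return false
}

func anyGroup(groups, allowed []string) bool {
	for _, g := range groups {
		if contains(allowed, g) {
			return true
		}
	}
	return false
}

// Evaluate applies the checks in order and stops at the first failure.
func (p Policy) Evaluate(r Request) Decision {
	deny := func(why string) Decision { return Decision{false, p.Name + ": denied, " + why} }
	if r.GatewayUser == "" {
		return deny("gateway authentication required")
	}
	if contains(p.DeniedUsernames, r.ServerUser) {
		return deny("server username " + r.ServerUser + " is not permitted")
	}
	inNet := false
	for _, n := range p.AllowedClients {
		if n.Contains(r.ClientIP) {
			inNet = true
		}
	}
	if !inNet {
		return deny("client " + r.ClientIP.String() + " is not in an allowed network")
	}
	if !anyGroup(r.Groups, p.AllowedGroups) {
		return deny("user " + r.GatewayUser + " is not in an allowed group")
	}
	if !p.Weekdays[r.At.Weekday()] || r.At.Hour() < p.Hours[0] || r.At.Hour() >= p.Hours[1] {
		return deny("outside the permitted time window")
	}
	chanGroups, open := p.Channels[r.Channel]
	if !open || !anyGroup(r.Groups, chanGroups) {
		return deny("channel " + r.Channel + " is not permitted for this user")
	}
	if p.RequireFourEyes && (r.AuthorizedBy == "" || r.AuthorizedBy == r.GatewayUser) {
		return deny("4-eyes authorization by a different user is required")
	}
	return Decision{true, p.Name + ": allowed for " + r.GatewayUser + " as " + r.ServerUser}
}

func mustCIDR(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// VendorPolicy is a constructed policy for an outsourced administrator:
// weekday 08:00-18:00 window, interactive shell only (no SCP, port forwarding
// reserved for another group), generic accounts refused, every session approved.
var VendorPolicy = Policy{
	Name:            "vendor-ssh",
	AllowedClients:  []*net.IPNet{mustCIDR("203.0.113.0/24")},
	AllowedGroups:   []string{"vendor-admins"},
	DeniedUsernames: []string{"root", "Administrator"},
	Channels:        map[string][]string{"shell": {"vendor-admins"}, "port-forward": {"network-ops"}},
	Hours:           [2]int{8, 18},
	Weekdays: map[time.Weekday]bool{time.Monday: true, time.Tuesday: true, time.Wednesday: true,
		time.Thursday: true, time.Friday: true},
	RequireFourEyes: true,
}

// BaseRequest is a constructed, fully compliant request; variations of it show
// each denial reason. 2010-11-16 is a Tuesday.
var BaseRequest = Request{
	ClientIP: net.ParseIP("203.0.113.10"), GatewayUser: "alice", Groups: []string{"vendor-admins"},
	ServerUser: "appadmin", Channel: "shell", AuthorizedBy: "bob",
	At: time.Date(2010, time.November, 16, 10, 0, 0, 0, time.UTC),
}

func main() {
	cases := map[string]func(r *Request){
		"compliant":      func(r *Request) {},
		"scp channel":    func(r *Request) { r.Channel = "scp" },
		"root login":     func(r *Request) { r.ServerUser = "root" },
		"saturday":       func(r *Request) { r.At = r.At.AddDate(0, 0, 4) },
		"no authorizer":  func(r *Request) { r.AuthorizedBy = "" },
		"foreign client": func(r *Request) { r.ClientIP = net.ParseIP("198.51.100.7") },
	}
	for name, mutate := range cases {
		r := BaseRequest
		mutate(&r)
		d := VendorPolicy.Evaluate(r)
		fmt.Printf("%-15s allowed=%-5v %s\n", name, d.Allowed, d.Reason)
	}
}
```

The order of the checks matters for what ends up in the log: username and network are tested before group lookup so that a denied generic account or an unexpected source address is recorded as such even when the directory is unreachable, and the 4-eyes check comes last so that an authorizer is only asked to approve a session that would otherwise be allowed.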
OTHER IMPORTANT FEATURES

This section highlights additional features of Tectia that were not discussed in detail so far, but are useful to know about.

PROTOCOL INSPECTION
Tectia acts as an application-level proxy gateway: the transferred connections and traffic are inspected on the application level (Layer 7 in the OSI model), and all traffic violating the protocol is rejected, an effective shield against protocol-level attacks. This high-level understanding of the traffic gives control over the various features of the protocols, such as the authentication and encryption methods used in SSH connections, or the channels permitted in RDP traffic.

DETAILED ACCESS CONTROL
Tectia allows you to define connections: access to a server is possible only from the listed client IP addresses. This can be narrowed by limiting various parameters of the connection, for example, the time when the server can be accessed, the usernames and the authentication method used in SSH, or the types of channels permitted in SSH or RDP connections (for example, Tectia can permit SSH port forwarding only to selected users, or disable access to shared drives in RDP). Controlling the authentication means that Tectia can enforce the use of strong authentication methods (public key), and also verify the public keys of the users.

SEAMLESS INTEGRATION
The system is fully transparent: no modification on the client or the server is necessary, resulting in simple and cost-effective integration into your existing infrastructure.

AUTOMATIC DATA AND CONFIGURATION BACKUPS
The recorded audit trails and the configuration of Tectia can be periodically transferred to a remote server. The latest backup, including the data backup, can be easily restored via Tectia's web interface.

MANAGING TECTIA GUARDIAN
Tectia is configured from a clean, intuitive web interface. The roles of each Tectia administrator can be clearly defined using a set of privileges: manage Tectia as a host, manage the connections to the servers, or view the audit trails. The web interface is accessible via a network interface dedicated to management traffic. This management interface is also used for backups, logging to remote servers, and other administrative traffic.

HIGH AVAILABILITY SUPPORT
All audited traffic must pass through Tectia, which can therefore become a single point of failure. If Tectia fails, the administrators cannot access the protected servers for maintenance. Since this is not acceptable for critical servers and services, Tectia is also available with HA support. In this case, two Tectia units (a master and a slave) with identical configuration operate simultaneously. The master shares all data with the slave node, and if the master unit stops functioning, the other one becomes active immediately, so the servers remain continuously accessible.
CONCLUSION

Compliance with regulations and security standards such as SOX, HIPAA, or PCI DSS poses requirements for strong authentication, control, and auditing of administrator connections and other operational data streams, the effective implementation of which has in the past required unsatisfactory trade-offs in many environments. Tectia enables content inspection of both SSH- and RDP-encrypted traffic, and integrates easily with existing IDS and DLP solutions. It is a powerful tool for auditing and troubleshooting secured connections, enabling effective forensics and ensuring accountability throughout your critical business environment. It enables you to reach your compliance goals, while cost-effectively raising and maintaining the security level of your operational environment.