Connection Broker Advanced Connections Management for Multi-Cloud Environments. Security Review


Connection Broker
Advanced Connections Management for Multi-Cloud Environments
Security Review
Version 8.2, December 2017

Contacting Leostream

Leostream Corporation
http://www.leostream.com
271 Waverley Oaks Rd., Suite 206
Waltham, MA 02452 USA
Telephone: +1 781 890 2019
Fax: +1 781 688 9338

To submit an enhancement request, email features@leostream.com. To request product information or inquire about our future directions, email sales@leostream.com.

Copyright

Copyright 2002-2017 by Leostream Corporation. This software program and documentation are copyrighted by Leostream. The software described in this document is provided under a license agreement and may be used or copied only under the terms of this agreement. No part of this manual may be copied or reproduced in any form without prior written consent from Leostream.

Trademarks

The following are trademarks of Leostream Corporation: Leostream, and the Leostream graphical logo. The absence of a product name or logo from this list does not constitute a waiver of the trademark or other intellectual property rights concerning that product, name, or logo by Leostream. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries. Microsoft, Active Directory, SQL Server, Excel, ActiveX, Hyper-V, Windows, and the Windows logo are trademarks or registered trademarks of Microsoft Corporation in the United States and/or other countries. Other brand and product names are trademarks or registered trademarks of their respective holders. Leostream claims no right to use of these marks.

Patents

Leostream software is protected by U.S. Patent 8,417,796.

Contents

Overview
Network Level Access
Application Level Access
    Configuring Secure Connection Broker Communication
    Restricting User Access
    Logging User Access
    Client Application Access
    VMware vCenter Server Application Access
    Microsoft Active Directory Application Access
    Event Monitoring
Connection Broker Maintenance
    Passwords
        Connection Broker Virtual Appliance Accounts
        The Connection Broker Web Administrator Account
    Patch Management Detection and Deployment
    Backing Up the Connection Broker
    Backing Up an External Database
    Connection Broker Internal Database
Appendix A: Exporting Log Contents
Appendix B: Security Audit Statement

Overview

This section describes the different pieces of the Connection Broker that are relevant to a security audit. Three key areas for analysis include:

- Network level access
- Application level access
- Maintenance

The Leostream Connection Broker is packaged as a virtual appliance for VMware environments, or as an RPM file for installation on a 64-bit CentOS Linux 6.9 minimal or 64-bit Red Hat Enterprise Linux 6.9 basic server operating system. The Connection Broker virtual appliance for VMware contains both the application and the underlying operating system, which is currently a 64-bit CentOS 6.9 operating system. When updated to the latest 8.2 version, the Connection Broker consists of the following components:

- Apache 2.2.29 Web Server
- OpenSSL version 1.0.2m
- VMware virtual hardware version 10 (VMware virtual appliance only)

Older versions of the Connection Broker virtual appliance are built on CentOS Linux 5. Please contact supportsite@leostream.com for more information.

When auditing, record the versions actually installed rather than these nominal ones. The Apache 2.2 line (final release 2.2.34, July 2017), CentOS 5 (end of life March 2017) and CentOS 6 (end of life November 2020) are no longer maintained upstream, so confirm that fixes for these components are still reaching you through the Leostream update mechanism described under Patch Management Detection and Deployment.

Network Level Access

By default, the Connection Broker uses port 443 for SSL (TLS) communications. Port 80 is open, but not used for communication with the Leostream Agent or Leostream Connect clients. You can block port 80 using the Block all traffic on port 80 option on the > System > Settings page. Port 50000 is open if you enable PCoIP and is used by the Connection Broker to communicate with PCoIP devices using the Connection Management Interface. The following diagram summarizes the open ports used by the Connection Broker; the ports described in this section are:

    Port    Use
    443     HTTPS: Leostream Agents, Leostream Connect clients and the Web interface
    80      HTTP: open by default, not used by Agents or clients, can be blocked
    50000   PCoIP Connection Management Interface: open only when PCoIP is enabled

All Leostream components communicate peer-to-peer. The Connection Broker sends TDS (Tabular Data Stream) traffic to and from the SQL Server database using TCP/IP (SQL Server's default is TCP port 1433), instead of named pipes.

Application Level Access

Configuring Secure Connection Broker Communication

The Connection Broker includes a default Leostream certificate, which is used to encrypt traffic between the Connection Broker, Leostream Agents, and Leostream Connect clients. This default certificate ships with the product rather than being issued for your broker's address, so it gives clients no way to tell your Connection Broker from any other; replace it with a certificate issued for the broker's address before production use (see Client Application Access).

Although traffic between these components uses port 443, by default, port 80 remains open. If you have security guidelines that restrict the use of port 80, select the Block all traffic on port 80 option available in the Connection Broker Security Options section of the > System > Settings page, shown in the following figure. After selecting this option, click Save on the > System > Settings page. You must reboot the Connection Broker to block port 80.

HTTP addresses are not redirected to HTTPS. If you block all traffic to port 80 and try to use an HTTP address to access the Connection Broker, the Web browser cannot contact the Connection Broker.

The Connection Broker allows you to indicate which protocols to use for secure communications with Leostream Connect clients and Leostream Agents. Use the options on the > System > Settings page to indicate whether the Connection Broker accepts TLSv1, TLSv1.1, or TLSv1.2. You cannot disable TLSv1.2, as that is the only SSL protocol accepted by Leostream Agent versions 6.2 for Windows operating systems and 4.2 for Linux operating systems. TLSv1 and TLSv1.1 have since been formally deprecated (RFC 8996); leave them disabled unless an older Agent or client still requires them, and treat any such client as something to upgrade rather than as a reason to keep the old protocols enabled.
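The following script is an added example, not part of this Security Review and not Leostream code. It checks a candidate cipher-spec string of the kind entered in the Web server SSLCipherSuite directive field on the same > System > Settings page, before the string is saved: it expands the string into the suites it selects and flags suites that lack forward secrecy, use legacy bulk ciphers or MD5, or fall below 128 bits. The expansion uses the OpenSSL library behind the local Python installation, so the suites listed reflect that OpenSSL rather than the broker's OpenSSL 1.0.2m; the two spec strings are the editor's choices (the historical Apache 2.2 default and a forward-secret AEAD-only replacement), not values taken from the document.

```python
"""Check a cipher-spec string before entering it in the Connection Broker's
Web server SSLCipherSuite directive field.

Added example, not Leostream code. The spec is expanded with the OpenSSL
library behind this machine's Python, so the suites listed reflect that
OpenSSL rather than the broker's OpenSSL 1.0.2m; the two spec strings are the
editor's choices, not values from the Security Review.
"""
import ssl

# Apache 2.2's historical default SSLCipherSuite value: the weak "before" setting.
LEGACY_SPEC = "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"

# Forward-secret AEAD suites only; all four exist in OpenSSL 1.0.2 (the "after").
HARDENED_SPEC = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"
)


def expand_cipher_spec(spec):
    """Return the suites (as ssl.SSLContext.get_ciphers() dicts) a spec selects.

    TLS 1.3 suites are dropped because the SSLCipherSuite string does not
    govern them. Raises ssl.SSLError when nothing matches, which is the case
    that would leave the broker's web server with no cipher to negotiate.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def weak_reasons(cipher):
    """List the reasons a suite should not be offered; empty means acceptable.

    The checks read the 'openssl ciphers -v' style description string that
    get_ciphers() includes for each suite.
    """
    desc = cipher["description"]
    reasons = []
    if "Kx=RSA" in desc:
        reasons.append("no forward secrecy (static RSA key exchange)")
    if "Au=None" in desc:
        reasons.append("anonymous suite (no server authentication)")
    for enc in ("Enc=None", "Enc=RC4", "Enc=DES", "Enc=3DES", "Enc=RC2",
                "Enc=IDEA", "Enc=SEED"):
        if enc in desc:
            reasons.append("legacy bulk cipher " + enc[4:])
    if "Mac=MD5" in desc:
        reasons.append("MD5 MAC")
    if cipher["strength_bits"] < 128:
        reasons.append("only %d-bit strength" % cipher["strength_bits"])
    return reasons


def audit_spec(spec):
    """Expand a spec and report each selected suite's weaknesses."""
    suites = expand_cipher_spec(spec)
    weak = {}
    for c in suites:
        reasons = weak_reasons(c)
        if reasons:
            weak[c["name"]] = reasons
    return {"selected": [c["name"] for c in suites], "weak": weak}


def spec_is_acceptable(spec):
    """True only if the spec selects at least one suite and none are weak."""
    try:
        report = audit_spec(spec)
    except ssl.SSLError:
        return False
    return bool(report["selected"]) and not report["weak"]


if __name__ == "__main__":
    for label, spec in (("legacy", LEGACY_SPEC), ("hardened", HARDENED_SPEC)):
        report = audit_spec(spec)
        print("%s: %d suites selected, %d weak, acceptable=%s" % (
            label, len(report["selected"]), len(report["weak"]),
            spec_is_acceptable(spec)))
        for name, reasons in sorted(report["weak"].items()):
            print("  %-30s %s" % (name, "; ".join(reasons)))
```

Run it with a Python linked against an OpenSSL close to the broker's to get the most faithful expansion; the same check can be done by hand with openssl ciphers -v 'SPEC'. A spec that selects nothing is reported as unacceptable rather than raising, since that is exactly the string that must never reach the settings page.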

The Connection Broker Security Options section of the > System > Settings page includes an additional option that allows you to configure the cipher suite used for SSL. In the Web server SSLCipherSuite directive edit field, enter a colon-separated cipher-spec string consisting of OpenSSL cipher specifications. For the syntax accepted in this field, see the SSLCipherSuite directive in the Apache mod_ssl documentation. A string that matches no ciphers leaves the web server with nothing to negotiate, so check a candidate string with openssl ciphers -v before saving it, and prefer forward-secret (ECDHE) suites with AEAD ciphers over the default selection.

Restricting User Access

You can access the Connection Broker at the application level via either:

- The Connection Broker Web interface
- The XML-RPC API

Roles restrict how much of the Connection Broker functionality users can access, via either the Web interface or the XML-RPC API. You can create different user roles to restrict access to the various elements of the Connection Broker, including the XML API, maintenance, network, and general configuration (see Managing User Roles and Permissions in the Connection Broker Administrator's Guide).

The Connection Broker provides a default Administrator account with locally stored user credentials. The Administrator password is stored encrypted.

Logging User Access

The Connection Broker logs all user access, including:

- Which desktops the user was offered
- Which desktops the user selected
- What protocol configuration was used to connect the user to their desktop
- Which desktops the user logged into
- When the user's session became idle
- When the user logged into, logged out of or disconnected from a desktop
- When the user locked and unlocked the desktop

From the Connection Broker Web interface, you can manually log users out of any desktop or the Connection Broker (see Logging Users Out in the Connection Broker Administrator's Guide). You can view the logs on the > System > Logs page. For information on extracting the log information for use in a Microsoft Excel spreadsheet or a SQL Server database, see Appendix A: Exporting Log Contents.

Client Application Access

Different types of clients use the following communication protocols:

- Leostream clients, including Leostream Connect, use the Leostream XML-RPC based API to communicate with the Connection Broker.
- The Dell Wyse WTOS series thin clients use a URL based API.
- The Connection Broker Administrator Web interface uses standard HTML.

Communications use port 443 and are encrypted using the default Leostream certificate. You can optionally upload a custom signed or unsigned certificate into the Connection Broker (see Generating and Installing Self-Signed SSL Certificates or Generating and Installing Third Party SSL Certificates in the Connection Broker Administrator's Guide). By default, port 80 remains open and the Connection Broker does not automatically redirect communications on port 80 to port 443. See Configuring Secure Connection Broker Communication for instructions on closing port 80.

VMware vCenter Server Application Access

The Connection Broker currently requires the following VMware vCenter Server privileges in order to have full functionality:

- System.View
- VirtualMachine.Interact.PowerOn
- VirtualMachine.Interact.PowerOff
- VirtualMachine.Interact.Reset
- VirtualMachine.Interact.Suspend
- VirtualMachine.Inventory.Create
- VirtualMachine.Provisioning.Customize
- VirtualMachine.Provisioning.DeployTemplate
- VirtualMachine.Provisioning.ReadCustSpecs
- VirtualMachine.State.RevertToSnapshot
- VirtualMachine.State.CreateSnapshot
- Resource.AssignVMToPool

If the account the Connection Broker uses lacks any of these privileges, an access fault occurs and the operation fails. See the Leostream Knowledge Base article What privileges do I need to interact with VMware vCenter Server? for more information on the required vCenter Server privileges. Grant these privileges through a dedicated vCenter role assigned to a dedicated service account, scoped to the inventory objects the broker manages, rather than giving the broker an administrator account.

All communications with vCenter Server are encrypted using SSL.

Microsoft Active Directory Application Access

The Connection Broker logs into the Active Directory service with the account specified on the Edit Authentication Server page. If you use the Leostream feature to join desktops to the domain, the Leostream Agent on the desktop uses this account to perform the domain join. The credentials for this account are stored in the Connection Broker in an encrypted form. Because the broker has to present these credentials to the directory, a compromise of the broker exposes them; use a dedicated account that has only the directory rights it needs (reading user and group attributes for authentication and, where you use the domain-join feature, creating computer objects in the target OU), never a Domain Admin.

Event Monitoring

The Connection Broker provides two versions of an SNMP MIB and can signal a range of events to an external monitoring system, which in turn can raise alerts by pager, email, and so on. Supported events include, but are not limited to, pool thresholds and Connection Broker metric thresholds. Contact supportsite@leostream.com for a complete list of events that can trigger an SNMP notification. You can also send Connection Broker log messages to a syslog server, which gives you a copy of the access log described in Logging User Access that survives loss or compromise of the appliance.

Connection Broker Maintenance

Passwords

Connection Broker Virtual Appliance Accounts

The default Connection Broker appliance administrator and root accounts can access and modify the Connection Broker through the console. This appliance administrator account is different from the Administrator role/account in the Connection Broker Web interface. By default, these accounts are set up as follows:

- administrator
      User name: leo
      Password: leo (on virtual appliances only; the leo user is not assigned a default password on Connection Brokers installed from the RPM file)
- root
      User name: root
      Password: leostream

To secure the Connection Broker, change the passwords for these two accounts. To change or set passwords for both accounts, log into the Connection Broker console as the root user. Use the passwd command to change the root or leo user's password, for example:

    passwd leo

Do not enable SSH before changing your default passwords. Because these defaults are published, change them before the appliance is reachable from any network you do not fully control, not only before enabling SSH.

The Connection Broker Web Administrator Account

The Connection Broker Web administrator is the account used when logging into the Connection Broker Administrator Web interface. By default, this user is listed on the > Users > Users page with the following attributes:

    Name: Administrator
    Role: Administrator
    Login: admin
    Password: leo

To change the administrator password, log into the Connection Broker as the administrator, and go to the > Users > My Options page, shown in the following figure.

1. Enter a new password in the Password edit field.
2. Re-enter the new password in the Re-type password edit field.
3. Click Save.

The Connection Broker cannot remind you of the administrator password. If you forget your password, you must change it through the Connection Broker console, as follows.

1. Log in to the Connection Broker console, using either the administrator or the root account described in Connection Broker Virtual Appliance Accounts.
2. If you logged into the console as the leo user, select Exit to the Linux shell in the Administration Menu that opens.
3. At the Linux shell prompt, enter the following command:

       app/control.pl change_password user admin new_password password

   where admin is the login name of the administrator account (which may not be admin if it was previously changed in the Connection Broker) and password is the new password to use for the administrator account. The new password is passed on the command line, so it is visible in the shell history and process list while the command runs; clear the shell history afterwards.

The password is changed in the current Connection Broker database only. For example, if the Connection Broker is connected to an external database, the password changes only in the external database and not in the internal database. Therefore, if you switch back to the internal database, or to a different external database, you must run the control.pl command again to change the password in that database.

Patch Management Detection and Deployment

Use the Leostream update mechanism to update the Connection Broker. See the Updating the Connection Broker section in the Connection Broker Administrator's Guide for information on getting Connection Broker updates. If internet access is available, the update mechanism indicates whether your Connection Broker is up to date. If it is not, you have options to download and install an update file. The downloaded update file can be uploaded to any Connection Broker. If the Connection Broker does not have internet access, check the Leostream Web site for the most recent Connection Broker update.

Backing Up the Connection Broker

You can back up the Connection Broker using any backup system intended for virtual machines. You can also back up the Connection Broker internal database and its settings using the > System > Backup page. This backup method is more efficient than backing up the entire appliance; however, it does not back up the Microsoft SQL Server or PostgreSQL database, if one is used. See the Scheduling Remote Backup for the Connection Broker section in the Connection Broker Administrator's Guide for information on using this feature.

Backing Up an External Database

If you are using an external SQL Server or PostgreSQL database, back up the database using the standard tools and techniques for those databases.

Connection Broker Internal Database

The Connection Broker maintains an inventory of the following information:

- Users: the Connection Broker stores passwords for users only if the users are created locally through the > Users > Users > Create page.
- Clients
- Desktops and their environments
- Microsoft Active Directory user credentials (encrypted)
- Machine centers (access credentials are encrypted)
- Locations, roles, and all other operational parameters

If you are using an internal Connection Broker database, you can back up this information by selecting the Backup internal database option on the > System > Maintenance page. The downloaded .tgz file stores additional configuration files, including the Connection Broker ID and external database settings. See the Downloading and Uploading Connection Broker Settings and Scheduling Remote Backup for the Connection Broker sections in the Connection Broker Administrator's Guide for more information on generating the .tgz file.

Because the backup carries the encrypted directory and machine-center credentials together with the broker's own settings, protect backup copies with the same access controls as the appliance itself.

Appendix A: Exporting Log Contents

You can extract the contents of the Connection Broker log in two ways:

- Download a CSV file
- Click the Download Leostream technical support logs link

CSV File

To download a CSV file:

1. Go to the > System > Log page.
2. Click the export link at the bottom-left of the page.
3. When prompted, save the CSV file.

The CSV file contains the entire contents of the > System > Log, not just the information on the currently displayed page.

Download Technical Support Logs

When you click the Download Leostream technical support logs link at the bottom of any Connection Broker Web interface page, the Connection Broker downloads a ZIP file containing all the information stored in the broker. Because the archive is described as containing everything stored in the broker, handle it as sensitive even though passwords are excluded from the log files. To extract the log information from the .zip file:

1. Extract the downloaded .zip file.
2. In the directory you unzipped the downloaded logs into, extract the sql-log.zip file into a directory called sql-log. The sql-log directory contains a file called sql-log.txt, which is a tab-delimited file containing the contents of the > System > Log table. You can then import this table into an Excel spreadsheet for analysis. Users are referenced in the table by their user ID.
3. To see the mapping between users and user IDs, extract the sql-user.zip file.

You can also enable URL access to the logs by selecting the Allow URL access to the logs option at the bottom of the > System > Maintenance page. Once this feature is enabled, you can download the logs using the following URL:

    http://cb-address/index.pl?action=pull_log:n=1000

Where cb-address is your Connection Broker address. Change the value of n to change the number of lines downloaded from the logs. Use the https:// form of this URL: the http:// form does not work once port 80 is blocked and would otherwise send the log contents in clear. Enable the option only for as long as you need it. The Connection Broker does not include any password information in the downloaded log files.
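The following script is an added example, not part of this Security Review and not Leostream code. It shows what an access review over the extracted sql-log.txt looks like once user IDs are resolved through the sql-user mapping: it joins the two tab-delimited files, keeps rows whose user ID has no mapping (a user deleted since the event) visible instead of dropping them, and summarises per-user desktop logins. The document only states that the export is tab-delimited and refers to users by ID, so the column names (time, user_id, message; id, login), the header row, and the wording of the log messages are assumptions; the sample data is constructed and embedded for the script to run offline. Adjust the column constants to the headers in your own export.

```python
"""Join the sql-log.txt export with the sql-user mapping and summarise
per-user desktop activity for an access review.

Added example, not Leostream code. Column names and message wording are
ASSUMPTIONS: the Security Review says only that the export is tab-delimited
and references users by ID. Change the constants to match your headers.
"""
import csv
import io
import re
from collections import defaultdict

# Assumed column names (not documented in the Security Review).
LOG_TIME_COL = "time"
LOG_USER_COL = "user_id"
LOG_MSG_COL = "message"
USER_ID_COL = "id"
USER_LOGIN_COL = "login"

# Constructed sample data standing in for the extracted files.
SAMPLE_USERS = (
    "id\tlogin\n"
    "1\tadmin\n"
    "17\tjdoe\n"
)
SAMPLE_LOG = (
    "time\tuser_id\tmessage\n"
    "2017-12-04 08:02:11\t17\tUser offered desktops WIN10-07, WIN10-12\n"
    "2017-12-04 08:02:15\t17\tUser logged into desktop WIN10-07\n"
    "2017-12-04 12:30:01\t17\tUser disconnected from desktop WIN10-07\n"
    "2017-12-04 13:05:44\t17\tUser logged into desktop WIN10-12\n"
    "2017-12-04 19:00:00\t42\tUser logged into desktop WIN10-03\n"
    "2017-12-04 19:30:00\t1\tUser logged out of Connection Broker\n"
)

# Desktop name following the word "desktop" (assumed message format).
DESKTOP_RE = re.compile(r"\bdesktop (\S+)")


def load_user_map(text):
    """Map user ID -> login from the tab-delimited user table."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t")
    return {row[USER_ID_COL]: row[USER_LOGIN_COL] for row in reader}


def parse_log(text, user_map):
    """Return log rows with the numeric user ID resolved to a login.

    IDs with no mapping (for example users deleted since the event) are
    kept and labelled, so they do not silently vanish from the review.
    """
    reader = csv.DictReader(io.StringIO(text), delimiter="\t")
    rows = []
    for row in reader:
        uid = row[LOG_USER_COL]
        rows.append({
            "time": row[LOG_TIME_COL],
            "user": user_map.get(uid, "unknown-id:" + uid),
            "message": row[LOG_MSG_COL],
        })
    return rows


def summarise(rows):
    """Per-user count of desktop logins and the set of desktops touched."""
    summary = defaultdict(lambda: {"logins": 0, "desktops": set()})
    for row in rows:
        msg = row["message"]
        if "logged into desktop" in msg:
            summary[row["user"]]["logins"] += 1
        match = DESKTOP_RE.search(msg)
        if match:
            summary[row["user"]]["desktops"].add(match.group(1))
    return dict(summary)


def review(log_text=SAMPLE_LOG, user_text=SAMPLE_USERS):
    """Run the join and summary over the given exports (defaults: samples)."""
    return summarise(parse_log(log_text, load_user_map(user_text)))


if __name__ == "__main__":
    for user, info in sorted(review().items()):
        print("%-16s logins=%d desktops=%s" % (
            user, info["logins"], sorted(info["desktops"])))
```

To run it against a real export, read sql-log.txt and the user table into strings and pass them to review(). Rows attributed to an unknown-id entry deserve a second look in any review, since they describe desktop access by an account that no longer exists in the broker.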

Appendix B: Security Audit Statement

The following statement is provided for inclusion in your security audit.

The Leostream Connection Broker is a virtual appliance. Leostream fully maintains the application and operating system software. Product updates are bundled into single, automatically installed packages, which include changes to the application and operating system elements of the Connection Broker virtual appliance. Updates are issued on a scheduled basis for major functionality additions, and as needed for defect and vulnerability resolution. Major updates occur approximately once a year. Minor updates are scheduled to meet customer requirements, or based on defect and vulnerability severity.

Customers are notified of updates through regular email newsletters. These newsletters are issued quarterly, but are released on an as-needed basis for urgent issues. Release notes provide details of the changes in each update and reference any relevant security updates. The availability of product updates can also be found from within the Connection Broker, using the > System > Maintenance page. Updates are available without additional charge to any customer with an active support contract.

The Connection Broker reports on the version numbers of connecting clients and Leostream Agents. Leostream Agents can be centrally updated from within the Connection Broker.

The Connection Broker is typically updated via an update package obtained through the automatic check-for-updates process. This requires that the Web browser be able to connect to both the Connection Broker and the Internet. The Connection Broker can also be updated directly, without Internet access, using an update package obtained from the Leostream support team. In both cases, the update package manages the process of installing the necessary files and restarting Connection Broker services, as required.
The Leostream product suite is frequently reviewed internally as part of the Quality Assurance process, and also validated via regular assessments by our strategic partners. We actively monitor both CERT and SANS for pertinent severity information and updates.