Stratusphere. Security Overview


Introduction

This guide has been authored by experts at Liquidware in order to provide a security overview of Liquidware's Stratusphere product, the leading product for VDI assessment and diagnostics. This paper is intended for IT Security and Operations audiences who want to understand the product from a security perspective within their IT environment.

Information in this document is subject to change without notice. No part of this publication may be reproduced in whole or in part, stored in a retrieval system, or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording, for any external use by any person or entity without the express prior written consent of Liquidware Labs.

Liquidware Labs, Inc.
3600 Mansell Road, Suite 200
Alpharetta, Georgia 30022 U.S.A.
Phone: 678-397-0450
www.liquidware.com

2018 Liquidware Labs Inc. All rights reserved. Stratusphere, ProfileUnity, FlexApp, FlexDisk, ProfileDisk and Flex-IO are trademarks of Liquidware Labs. All other products are trademarks of their respective owners.

18-0227 Stratusphere Security Overview Page 1

Contents

Stratusphere Overview ... 3
Stratusphere Virtual Appliances ... 3
Activation and Secure Inter-Component Communications ... 3
Connector ID Key ... 5
Data Privacy Statement ... 5

Stratusphere Overview

Stratusphere is certified for use with VMware, Citrix, Microsoft, KVM, Nutanix, and Amazon desktop virtualization platforms, and is compatible with other desktop virtualization components such as third-party brokers. It is downloadable from the Liquidware website. The product includes three virtual appliances (pre-packaged and self-contained VMs), the Stratusphere Hub, Database and Collector, and a software agent called the Connector ID Key that is delivered along with the Stratusphere Hub.

Stratusphere Virtual Appliances

The Stratusphere Hub, Database and Collector virtual appliances are based on a hardened, stripped-down version of the CentOS 6 Linux 2.6 operating system. Only essential software modules and services are retained on the appliance; all other non-essential service modules are removed. Access to the Stratusphere Hub virtual appliance and its administrative functions is provided through a web browser interface that is SSL encrypted and requires a user ID and password. In addition, all Stratusphere virtual appliances have a command line console for appliance administrative controls, which is also password protected.

All communications between the Stratusphere components are encrypted using a PKI infrastructure in which the Stratusphere Hub is the Certifying Authority, generating public and private key certificates for itself and for each of the other components (Collectors and Connector ID Keys on individual machines).

Activation and Secure Inter-Component Communications

Secure communications among the separate components of Stratusphere serve as the basis for communicating configuration and policy changes among those components and for establishing or obtaining identities or other data necessary for the functioning of the system. The communications use public-private key cryptography and key exchange following the Diffie-Hellman model, where key generation and exchange happen automatically and are hidden from users of the system. All policy configuration information on machines with Connector ID Keys and inside Stratusphere Collectors is stored within encrypted X.509 certificates. The encryption relies on the public-private keys generated and exchanged during the activation process.

The steps for establishing and conducting secure inter-component communications are as follows:

1. Each component generates its own private-public 2048-bit RSA key pair. Through a secure activation process, the Stratusphere Hub obtains the public key of every Connector ID Key and every Collector, and gives its own public key to each component.

2. The Stratusphere Hub generates an X.509 certificate for each Connector ID Key and each Collector. The certificate is encrypted using the public key of the Connector ID Key or Collector, so that only that component can decrypt it, and it is signed with the Stratusphere Hub's private key. The recipient confirms that the certificate came from the Hub using the Hub's public key. The certificate contains policy and configuration information, and may be updated periodically and sent to components at configured intervals.

3. Once activated, all communication between the Stratusphere Hub and the Connector ID Keys and Collectors is secured using the private-public keys and the FIPS-compliant 128-bit AES block cipher encryption algorithm. Each message is encrypted using the recipient's public key so that only the intended recipient can decrypt it, and it is signed with the sender's private key, allowing the recipient to confirm that it came from the identified sender.
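The message envelope described in steps 2 and 3 (encrypt to the recipient's public key so only it can read the payload, sign with the sender's private key so the recipient can check who sent it) can be modelled end to end in a short program. The following is an added example written for this overview, not Liquidware code, and it does not reproduce Stratusphere's wire format. It assumes a concrete construction the page does not specify: a per-message random AES-128 key wrapped with RSA-OAEP under the recipient's 2048-bit public key, AES-128-GCM for the payload, and an RSA-PSS signature by the sender over the wrapped key, nonce and ciphertext. The `policy` string standing in for the certificate contents is constructed for the demonstration. Only the Go standard library is used.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Component models one Stratusphere component (Hub, Collector or Connector ID Key)
// holding its own 2048-bit RSA key pair, as step 1 describes.
type Component struct{ Priv *rsa.PrivateKey }

func NewComponent() (*Component, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Component{Priv: priv}, nil
}

// Envelope is one message encrypted to the recipient and signed by the sender.
type Envelope struct {
	WrappedKey []byte // AES-128 key, RSA-OAEP encrypted under the recipient's public key
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // AES-128-GCM output, authentication tag included
	Signature  []byte // sender's RSA-PSS signature over SHA-256(WrappedKey || Nonce || Ciphertext)
}

// signedDigest hashes the fixed-length fields in order; the signature covers all of them,
// so a change to any field is detected before decryption is attempted.
func signedDigest(wrapped, nonce, ct []byte) []byte {
	h := sha256.New()
	h.Write(wrapped)
	h.Write(nonce)
	h.Write(ct)
	return h.Sum(nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext so that only the holder of `to` can read it, then signs it with s's private key.
func (s *Component) Seal(to *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	key := make([]byte, 16) // 128-bit AES key, the size the page states
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, to, key, nil)
	if err != nil {
		return nil, err
	}
	sig, err := rsa.SignPSS(rand.Reader, s.Priv, crypto.SHA256, signedDigest(wrapped, nonce, ct), nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct, Signature: sig}, nil
}

// Open verifies the claimed sender's signature first, then unwraps the AES key and decrypts.
func (r *Component) Open(from *rsa.PublicKey, e *Envelope) ([]byte, error) {
	digest := signedDigest(e.WrappedKey, e.Nonce, e.Ciphertext)
	if err := rsa.VerifyPSS(from, crypto.SHA256, digest, e.Signature, nil); err != nil {
		return nil, errors.New("signature check failed: message is not from the claimed sender")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, r.Priv, e.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("key unwrap failed: message was not encrypted to this component")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, e.Nonce, e.Ciphertext, nil)
}

// RoundTrip plays the Hub sending a policy update to one Connector ID Key. It returns the
// policy text the Key recovered and whether a tampered copy of the same envelope was rejected.
func RoundTrip() (string, bool, error) {
	hub, err := NewComponent()
	if err != nil {
		return "", false, err
	}
	cid, err := NewComponent()
	if err != nil {
		return "", false, err
	}
	// Constructed sample payload standing in for the policy carried in the X.509 certificate.
	policy := []byte("collect-interval=300s; track-ip=false")
	env, err := hub.Seal(&cid.Priv.PublicKey, policy) // Hub knows the Key's public key after activation
	if err != nil {
		return "", false, err
	}
	got, err := cid.Open(&hub.Priv.PublicKey, env) // Key checks the Hub's signature with the Hub's public key
	if err != nil {
		return "", false, err
	}
	tampered := *env
	tampered.Ciphertext = append([]byte(nil), env.Ciphertext...)
	tampered.Ciphertext[0] ^= 0x01 // flip one bit in transit; the signature no longer verifies
	_, tamperErr := cid.Open(&hub.Priv.PublicKey, &tampered)
	return string(got), tamperErr != nil, nil
}

func main() {
	policy, rejected, err := RoundTrip()
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered policy: %q\ntampered copy rejected: %v\n", policy, rejected)
}
```

Verifying the signature before touching the ciphertext means a message from anyone other than the Hub is discarded without the Key ever using its private key on attacker-chosen input, and the authenticated GCM tag additionally catches corruption of the payload itself.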

Stratusphere virtual appliances do not actively ping, scan or broadcast traffic to any part of the network. Stratusphere is a passive data collection system that only communicates among its own components (aside from specific import capabilities from management systems such as VMware vCenter, Active Directory, etc., which are also secured).

The following ports and protocols are used by Stratusphere 6.x:

TCP/22   : Stratusphere Hub, Database, and Collector Appliance SSH Console Management Interface.
TCP/443  : Stratusphere Hub Web User Management Interface.
TCP/443  : Connector ID Key communications.
TCP/443  : Collector communications.
TCP/5432 : Stratusphere Database appliance listening for database communication from the Hub.

The following ports and protocols are used by legacy versions such as 5.x and older:

TCP/5501 : Stratusphere Hub listening for Connector ID Key communications (legacy).
TCP/5502 : Stratusphere Hub listening for Stratusphere Network Appliance communication (legacy).
TCP/5502 : Stratusphere Network Appliance listening for Network Monitoring Policies from the Hub (legacy).

The Stratusphere Hub can be configured to import information in a strictly read-only mode from enterprise infrastructure servers such as LDAP name stores (Microsoft Active Directory), VMware vSphere, and Nutanix Prism. If email-based alerting is required, it can also be configured to connect to a Mail Relay Server (Microsoft Exchange) to send out email alerts. The same alerts can also be sent to other systems-monitoring solutions or delivered via Stratusphere's secure RSS feeds (which require authentication with an administrator name and password).

Software updates and patches are provided by Liquidware only. Liquidware customer support will notify customers when an update is available. Administrator username and password authentication is required for upgrades. The Stratusphere Hub can be updated with an automatic pull from the Liquidware website, and Collector and Connector ID Key updates can either be controlled automatically through the Hub administrative interface or delivered through other software update or patch control services.

The Stratusphere appliances can be configured to enforce password complexity requirements on the Web User Interface as well as the Console Management Interface to comply with any organization's policies. Stratusphere also supports secure certificate-based access to existing infrastructure servers such as Active Directory, VMware vCenter, etc. The Web Server can also be configured to accept an SSL certificate to guarantee the identity and owner of the website and application.

The Stratusphere appliances maintain keys and ciphers that comply with the US Government's Department of Defense guidelines, and Stratusphere is awaiting a Defense Information Systems Agency (DISA) Allowed To Operate (ATO) certificate for its CentOS-based appliances, which incorporate more than 700 Federal Security Technical Information Guides (STIGs).

The Stratusphere Hub, Database, and Collector Appliances all communicate securely with each other to maintain the security and integrity of all data in motion. The Stratusphere Database appliance also provides options to encrypt data at rest: it can be configured to encrypt the entire disk to protect information at rest as well.

Connector ID Key

The Connector ID Key is installed on a physical desktop or within a guest virtual machine's operating system. Stratusphere currently supports current versions of Microsoft Windows, Mac OS X & macOS Sierra, and Linux including Red Hat, CentOS, and Ubuntu distributions. The Connector ID Key installation requires administrative privileges. The software runs as a service in the operating system that is configured to start automatically.

Once installed, the Connector ID Key automatically registers the machine (and the currently logged-in user) with the Stratusphere Hub and receives an X.509 certificate back from the Stratusphere Hub. This certificate is non-transferable and is specific to the machine (physical or virtual) where it was generated. The CID does not listen on any ports; it only sends information to the Stratusphere Hub on the secure channel (TCP/443).

The Connector ID Key functions are controlled by administrators through the Stratusphere Hub. When configured to monitor the machine configuration and processes, the Key sends information back to the Stratusphere Hub on a configurable timed basis. Also, when configured, the Connector ID Key embeds the identity of the user and machine on every network connection to uniquely and irrefutably identify the initiator of the connection (providing Caller ID for computer networks). For more details on this protocol and Connector ID Keys in general, please refer to the Stratusphere architecture white paper.

Privacy: The CID Key is not designed to collect passwords, personal information, or credit card information. It does not keep track of the names of files or documents accessed or opened.

Data Privacy Statement

Stratusphere is first and foremost a user experience-focused solution that uses resource utilization and performance metrics associated with users, machines and applications within the virtual architecture. Stratusphere gathers information and metrics on physical and virtual workloads, including details such as CPU and memory utilization as well as details on network and storage throughput. As noted above, Stratusphere accomplishes this task through the use of virtual appliances and CID Keys.

While the Stratusphere solution is able to examine network packet header information (such as source and destination address details), at no time does Stratusphere expose network payload data. When organizationally required, the ability to track IP addresses can be disabled by the Stratusphere administrator. Stratusphere also gathers and provides information regarding desktop applications and processes, as well as relevant network applications and services, to ensure appropriate performance and end user experience indicators are met. That said, at no time does Stratusphere examine specific data related to user-generated content. Relatedly, Stratusphere does not capture any keystroke details, such as passwords, or accessed filenames. Further, all collected details remain within Stratusphere; no information or metrics are uploaded to any external location.