Single Connect High Level Design
HIGH LEVEL DESIGN
SECTION I: LOGICAL ARCHITECTURE
Single Connect has a modular and integrated architecture to support a wide range of protocols and features on one platform. Users log on to Single Connect from a web-based interface to use services such as web-based remote desktop connection to a Windows server, web-based client connection to a network device, password checkout from the secure vault, etc.
Users may prefer to connect using their regular native clients instead of the web-based interface. For example, users can use their own CLI client applications (e.g. PuTTY, SecureCRT, etc.) or SQL client applications (TOAD, DataGrip, Navicat, etc.) to connect directly to the Single Connect proxy services, which in this case are the SSH/TELNET and SQL proxies respectively. In some use cases, users do not connect directly to Single Connect and may not even be aware of it. For example, if a network device is managed by the Single Connect TACACS Manager, then when a user connects directly to that network device for device administration purposes, Single Connect runs behind the scenes and the user is not even aware of Single Connect.
Single Connect admins connect via the web-based interface for administration and configuration purposes such as changing user privileges, creating new policies, and adding/removing endpoints.
SECTION II: INTERNAL LAYERS
There are four logical layers within Single Connect: the Integration Interfaces Layer, the Core Functions Layer, the Main Modules Layer and the Supported Protocols Layer.
- Integration Interfaces Layer
Integration with directory services (e.g. Active Directory, LDAP server, AAA server) is supported through the LDAP, TACACS+ and RADIUS protocols to sync user profiles and enable single sign-on within the enterprise.
SIEM (Security Information and Event Management) integration is supported through Syslog protocol. Single Connect administration activities (e.g. changing privilege of a user, changing configuration of a device/server), user logon/logout actions, session activities (e.g. user sessions to devices/servers and activities in sessions) can be sent to a SIEM server.
Alarms on Single Connect, such as resource (e.g. CPU, memory, storage) utilization and service stop/down events, can be sent as SNMP traps to an SNMP server, which is usually monitored by the technology operations center.
Email integration with an email server is supported via the SMTP protocol. Based on the configuration of Single Connect modules, when an email is required to be sent (e.g. notification messages, managerial approval requests) during an internal process, the SMTP interface is used and the message is delivered to the user/admin as an email.
SMS integration with an SMS service provider is supported via a REST API. For example, during a two-factor authentication process, when an OTP (One Time Password) is configured to be sent to the user via SMS, this interface is used and the OTP is sent to the user as a regular SMS.
- Core Functions Layer
User Management and Device Management functions manage the life-cycle (create, change settings and configurations, delete) of users and endpoints (e.g. servers, devices, DBs), respectively.
Policy Management function manages the life-cycle of policies. There are different types of policies, such as allowing/rejecting specific user activities during an active session, requiring an OTP to connect to an endpoint or to run a command, requiring managerial approval to run a command, time- and date-based access filters, geographical validation, etc.
License Manager controls what the Single Connect instance is able to run, such as which modules and interfaces are allowed to run.
Log Manager collects and stores the log records. There are many types of logs, such as user/admin logons and activities on the Single Connect user interface, activities of users while connected to a device through Single Connect, failed attempts, task executions, sent messages, video records of user sessions, etc.
Report Management function uses log records and generates summary results, including text, tables and graphics, in a presentable form.
Task Management function manages tasks such as changing/rotating passwords periodically. Replication Management function replicates configuration data among Single Connect instances when two or more instances are running, in order to provide local or geographical redundancy.
Conf DB stores all configuration data (user profiles, endpoints, policy rule-sets, etc.).
Log DB stores all session and transaction log records (logon/logoff time, executed commands, session details, etc.).
- Modules Layer
Each module (Session Manager, Dynamic Password Controller, MFA Manager, TACACS Manager, Data Access Manager, Cloud PAM) runs the main business logic of its own services while consuming functions from the other layers. For example, when a user connects to a Windows server through a remote desktop connection, Session Manager orchestrates the user authentication and connection establishment processes with the user management, device management, policy management and RDP proxy functions. After the session is established, Session Manager continues to control the session by orchestrating the RDP proxy, log management and policy management functions.
For each module, positioning in network topology and delivered services are described separately in this document below.
- Supported Protocols Layer
Each proxy (SSH, TELNET, RDP, VNC, HTTP/S, SFTP and SQL proxies) provides a man-in-the-middle function. For example, when a user connects to a network device with the SSH proxy in the middle, the SSH proxy runs as an SSH server towards the user and meanwhile runs as an SSH client towards the target network device. As a result, the SSH proxy runs transparently in the middle of the SSH session and is able to monitor and log all session activities and enforce policies. Separately, the built-in TACACS+ and RADIUS servers are used by the TACACS Manager module to provide TACACS and RADIUS server functionality.
- Protocol Descriptions
SSH (Secure Shell) and TELNET protocols provide bi-directional, interactive, text-oriented communication with the CLI (Command Line Interface) of servers or devices.
RDP (Remote Desktop Protocol) and VNC (Virtual Network Computing) are protocols for graphical desktop sharing. Most of the time, Unix/Linux-based systems support VNC while Windows-based systems support RDP.
HTTP/S (Hypertext Transfer Protocol / Secure) is the de-facto protocol for web sessions, mostly used between a browser and a web server.
SFTP (Secure File Transfer Protocol) is a protocol to transfer (upload or download) files between computers/servers.
SQL (Structured Query Language) is used for storing, manipulating and retrieving data in databases.
TACACS (Terminal Access Controller Access Control System) and RADIUS (Remote Access Dial-in User Service) protocols are used to control remote access (e.g. authentication and authorization) to servers or devices.
SECTION III: SINGLE CONNECT MODULES
- DYNAMIC PASSWORD CONTROLLER
Single Connect Dynamic Password Controller is a central secure password vault and helps to prevent stealing or unauthorized sharing of passwords. Users check out the credentials of a privileged account from Single Connect Dynamic Password Controller and then use the password to connect to the target endpoint in order to fulfill their tasks. Indexed logging and an audit trail are generated to meet security and compliance requirements. Dynamic Password Controller supports integration with the existing directory service of enterprises, so that users continue to use their existing personal accounts to log in to Single Connect Dynamic Password Controller and check out the credentials of the target privileged accounts they are authorized to use. Dynamic Password Controller secures the user credentials of operating systems (Windows, Linux, Unix), databases (Oracle, MySQL, MsSQL, PostgreSQL, etc.), virtually any network device or appliance that has an SSH/TELNET interface, and any application that provides user credential management APIs.
Application-to-Application Password Management (AAPM), which eliminates static passwords in configuration files and the source code of applications, is supported with an agent-less architecture.
The Secret Vault function enables secure storing, tracking and sharing of confidential data/files or unmanaged credentials among employees.
- PRIVILEGED SESSION MANAGER
Single Connect Privileged Session Manager (PSM) has the capability to control, monitor and audit encrypted administrator sessions. Session Manager runs as a gateway between users and target endpoints. The man-in-the-middle approach of Privileged Session Manager requires no software agents to be deployed to target endpoints, and no specific access portal or client application is required to go through it. It is fast to implement and has no impact on the end-user experience. Users are authenticated against the existing directory service of the enterprise, and the entire session goes through Privileged Session Manager; therefore indexed logs, audit trails, videos and statistics are generated indisputably. Any custom policy can be created flexibly on Privileged Session Manager and assigned to user groups to implement least-privilege practices within the enterprise. Single Connect Privileged Session Manager supports a wide range of interfaces, including SSH/TELNET for command line interface sessions, RDP/VNC for remote desktop connections, HTTP(S) for web sessions and SFTP for file transfer.
- MULTI-FACTOR AUTHENTICATION (MFA) MANAGER
Usernames and passwords have been the most common combination to identify users, but today passwords are vulnerable and hackers may easily steal passwords with phishing, social engineering or dictionary attacks.
MFA Manager delivers an additional code (a one-time password) to users' mobile phones, which must be entered during authentication and assures that users are who they say they are. MFA Manager can work with any application or device that supports the RADIUS Access-Challenge mechanism. MFA Manager supports integration with the existing directory service of enterprises, so that users continue to use their existing personal accounts. Codes (one-time passwords) can be delivered to users in real time through the Single Connect Mobile application or SMS. Offline code generation is also supported through the Single Connect Mobile application and key-generator hard tokens.
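The RADIUS Access-Challenge exchange the MFA Manager relies on, as an added illustration that is not Single Connect's code: the first Access-Request carries the password, the server answers Access-Challenge with a State attribute, and the second Access-Request echoes that State with the OTP. Messages are modelled at the attribute level rather than on the wire; the USERS store, the MfaRadiusServer class and the single-use State handling are assumptions made for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed demo user store, not Single Connect's directory integration:
# username -> first-factor password and the OTP currently valid for that user.
USERS = {"alice": {"password": "correct-horse", "otp": "482913"}}


@dataclass
class Packet:
    """RADIUS message modelled at the attribute level (no wire encoding)."""
    code: str   # Access-Request, Access-Challenge, Access-Accept, Access-Reject
    attrs: dict


class MfaRadiusServer:
    """Two-step RADIUS flow: password, then OTP bound to a single-use State."""

    def __init__(self, challenge_ttl=60):
        self.pending = {}          # State value -> (username, expiry timestamp)
        self.ttl = challenge_ttl

    def handle(self, req, now=None):
        now = time.time() if now is None else now
        user = req.attrs.get("User-Name")
        if "State" not in req.attrs:
            return self._first_factor(user, req.attrs.get("User-Password"), now)
        return self._second_factor(user, req.attrs["State"],
                                   req.attrs.get("User-Password"), now)

    def _first_factor(self, user, password, now):
        rec = USERS.get(user)
        if rec is None or not hmac.compare_digest(rec["password"], password or ""):
            return Packet("Access-Reject", {"Reply-Message": "invalid credentials"})
        state = secrets.token_hex(16)           # unguessable; one challenge per value
        self.pending[state] = (user, now + self.ttl)
        return Packet("Access-Challenge", {"State": state, "Reply-Message": "Enter OTP"})

    def _second_factor(self, user, state, code, now):
        entry = self.pending.pop(state, None)   # consumed on first use, success or not
        if entry is None:
            return Packet("Access-Reject", {"Reply-Message": "unknown or replayed State"})
        bound_user, expiry = entry
        if bound_user != user or now > expiry:
            return Packet("Access-Reject", {"Reply-Message": "challenge expired or user mismatch"})
        if not hmac.compare_digest(USERS[user]["otp"], code or ""):
            return Packet("Access-Reject", {"Reply-Message": "invalid OTP"})
        return Packet("Access-Accept", {"Reply-Message": "MFA complete"})
```

A replayed State, an expired challenge, or a State issued to a different user all end in Access-Reject, which is the behaviour a RADIUS client (NAS) should expect from an MFA backend.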
- TACACS ACCESS MANAGER
Controlling who can log in to a network device or server via SSH/TELNET sessions to configure it has always been a high-priority concern for carriers and enterprises. The longstanding de-facto protocols for device administration access management are RADIUS (Remote Access Dial-in Service) and TACACS (Terminal Access Controller Access-Control System). Every authentication and command execution attempt of a user is forwarded from the device/server to Single Connect TACACS Manager, which enables many features (including single sign-on, custom/least-privilege policy enforcement, indisputable logging and multi-tenancy) to be centrally managed and delivered.
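A command authorization decision of the kind the TACACS Manager makes for each forwarded command, combining the policy types listed under the Core Functions Layer (allow/reject command lists, OTP to run a command, managerial approval, time- and date-based access filters). This is an added example, not Single Connect's code; the Policy structure, the authorize function, its precedence order (deny, then approval, then OTP, then allow, default deny) and the glob-style command patterns are assumptions.

```python
import fnmatch
from dataclasses import dataclass, field
from datetime import datetime, time


@dataclass
class Policy:
    groups: set                                         # user groups this policy applies to
    allow: list = field(default_factory=list)           # command patterns that may run
    deny: list = field(default_factory=list)            # command patterns always refused
    otp_required: list = field(default_factory=list)    # commands needing an OTP first
    approval_required: list = field(default_factory=list)   # commands needing a manager's OK
    weekdays: set = field(default_factory=lambda: set(range(7)))   # 0 = Monday
    window: tuple = (time(0, 0), time(23, 59, 59))      # permitted time-of-day window


def _matches(cmd, patterns):
    # fnmatch '*' spans spaces, so "configure * user *" covers the whole command line
    return any(fnmatch.fnmatchcase(cmd, p) for p in patterns)


def _in_window(policy, when):
    return when.weekday() in policy.weekdays and policy.window[0] <= when.time() <= policy.window[1]


def authorize(cmd, user_groups, policies, when):
    """Return ALLOW, DENY, OTP or APPROVAL for one command forwarded by a device."""
    applicable = [p for p in policies if p.groups & set(user_groups)]
    if not applicable:
        return "DENY"                       # no policy covers this user: default deny
    if any(_matches(cmd, p.deny) for p in applicable):
        return "DENY"                       # an explicit deny beats every other rule
    needs_approval = needs_otp = allowed = False
    for p in applicable:
        if not _in_window(p, when):
            continue                        # outside its time filter the policy grants nothing
        needs_approval |= _matches(cmd, p.approval_required)
        needs_otp |= _matches(cmd, p.otp_required)
        allowed |= _matches(cmd, p.allow)
    if needs_approval:
        return "APPROVAL"
    if needs_otp:
        return "OTP"
    return "ALLOW" if allowed else "DENY"
```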
- DATA ACCESS MANAGER
Single Connect Data Access Manager has the capability to control, monitor and audit encrypted database administrator sessions. Data Access Manager runs as a gateway between users and target databases. The man-in-the-middle approach of Data Access Manager requires no software agents to be deployed to target endpoints, and no specific access portal or client application is required to go through it. It is fast to implement and has no impact on the end-user experience. Users are authenticated against the existing directory service of the enterprise, and the entire session goes through Data Access Manager; therefore indexed logs, audit trails and statistics are generated indisputably. Any custom policy can be created flexibly on Data Access Manager and assigned to user groups to implement least-privilege practices within the enterprise. Single Connect Data Access Manager supports a wide range of SQL and NoSQL database types for DB sessions, including Oracle, MsSQL, MySQL, Cassandra, Teradata and Hive. Single Connect Data Access Manager efficiently and centrally secures and controls privileged access to databases. Single Connect Data Access Manager also provides a dynamic data masking feature to prevent access to sensitive data.
- PRIVILEGED TASK AUTOMATION
Single Connect Privileged Task Automation Manager provides a task automation suite for the virtual and physical networks of enterprises. Even a simple mistake in a network configuration can create a vital problem within the network. Therefore, the validation of network tasks is critical to a successful operational environment. Due to the lack of validation mechanisms and potential service outage concerns, most mission-critical tasks must be performed during night shifts.
Single Connect Privileged Task Automation improves operational efficiency, mitigates operational risk and reduces the cost of operations. Configuration rollback support prevents unexpected failures on target devices from persisting. Single Connect Privileged Task Automation frees up hours by automating the time-consuming, repetitive and routine tasks in an operator's daily life. Single Connect Privileged Task Automation generates executive workflow reports to make network operations more visible.
Privileged Task Automation (PTA) provides central management, unified visibility and granular access control of privileged tasks while augmenting staff operations.
- CLOUD PAM
Single Connect Cloud PAM solution supports the Amazon Web Services, Azure and Google Cloud platforms. Through API integration with the cloud platforms, seamless zero-touch instance onboarding and tag management are supported. Cloud PAM eliminates disclosure/sharing of privileged account passwords for enterprise servers and network elements on cloud platforms. Single Connect Cloud PAM provides indexed and searchable logging of all sessions, including video recording and replay. System admins can apply policies based on the target endpoint list, date and time of access, and command filtering (blacklist/whitelist). Dual Control provides real-time, "over-the-shoulder" viewing of sessions with session control take-over and release capabilities. The built-in MFA module enables second-layer authentication to connect to a server or network element installed on cloud services. Users can access directly from their web browsers, without installing any client software and without a VPN.
SECTION IV: SINGLE CONNECT TOPOLOGY
- Single Connect for 2 nodes High-Level
- Single Connect Web Page and Database Activity for 2 Nodes