Tuesday, October 18, 2011

Uplogix more than insurance for Information Assurance

We're back to the oven of Austin from the tropics of Tampa's LandWarNet Army IT tradeshow where we had many conversations with Information Assurance, or IA people. In addition to being able to drop some of the key acronyms that IA folks want to hear like FIPS 140-2 compliance, Uplogix really has a great story for IA with security features that one Army IA specialist called "pretty hot stuff."

If you aren't involved in networking for the US Department of Defense, you might not be familiar with the guidelines of the DISA Network Infrastructure STIG. It states:

"The processes and procedures outlined in this Security Technical Implementation Guide (STIG), when applied, will decrease the vulnerability of DoD sensitive information. Network Security is clearly still one of the biggest concerns for our DoD customers (i.e., the warfighter)."

While you might not live in the world of the warfighter, network security is critical in most industries, making the DISA STIG guidelines supported by Uplogix Local Management widely applicable. We have a whitepaper that shows details on how Uplogix features apply to STIG requirements. Here is a high level summary:

STIG Section 5 - Device Management

In-band
All in-band traffic is secured via SSHV2 and HTTPS (port 8443). Monitoring is done via the CLI of the connected device via the console/serial port, and SNMP is not used for management of end components such as routers, switches, etc. SNMP may be used from the Uplogix Control Center to an NMS system via the management network. In essence this is Secure Monitoring.

Out-of-band (OOB)
Uplogix has multiple connection methods for OOB (PPP/POTS, Cellular, Satellite or Ethernet). By default Uplogix “dials-out,” not in, to restore secure connectivity to managed devices when the primary connection is lost, eliminating potential security threats. Once the OOB connection is established and secured, a user must authenticate and only has access to what they are authorized. This is granular to the port and command level.

SNMP
SSHv2 is supported between Uplogix and client via in-band and out-of-band. When OOB, a secure VPN is established back to the management network. Uplogix uses SNMP V3 and supports AES128, AES192 and AES256 for encryption.
Uplogix incorporates a hierarchy model and a query model to modify SNMP settings, allowing mass change on-demand of any SNMP setting for all Uplogix devices. Uplogix can also schedule SNMP configuration changes on a mass scale to managed devices supported by an Uplogix driver.

Configuration and Change Management
Uplogix stores the current and 21 previous versions of both the running and startup configurations on an ad-hoc or scheduled/reoccurring basis.

Section 6 - Authentication, Authorization and Accounting (AAA)

Implementation
Uplogix supports AAA locally on an encrypted database, plus TACACS and Radius. Uplogix supports tiered groups within its local authentication mechanism. Uplogix also supports two-factor authentication.

Administrator and Emergency Accounts
A user must authenticate to Uplogix to gain authorized access to a device. Uplogix utilizes a secondary authentication means when a device cannot connect to the AAA servers.

Auditing
Uplogix logs all interactions and failed attempts including time stamp of all logon/logoff activities. Furthermore, all commands executed and output displayed to user is logged. This is true for both interactions on the Uplogix device itself and via the managed device CLI.

Section 7 - Passwords

Password Encryption
Uplogix does not store any passwords to any device outside of its database. These passwords are stored in a 3DES encrypted SHA-1 salted hash and are not displayed by Uplogix when viewing any configuration.

Want to learn more?
Find a nice cool spot to sit and take a look at the full whitepaper for more details and examples of the "hot stuff" that Uplogix does for the STIG requirements.