Products: Patented Technology


Xceedium GateKeeper™ Patented and Unique Technologies


Xceedium has developed and built into its GateKeeper product unique implementations and patent-pending technologies that form the backbone of a robust and comprehensive Entitlement Management Solution: the DAPE (Deny All, Permit Exceptions) centralized access methodology, Application Publishing and Isolation Technology, Centralized Reporting, Xceedium Leapfrog Prevention™, Session Recording and Point-to-Multipoint Connectivity.

A brief summary of each:

UNIQUE IMPLEMENTATIONS

1. Restrictive Access Methodology

Xceedium has developed a unique implementation of reversed encrypted tunneling with integrated applets to restrict access under a "Deny All, Permit by Exception" (DAPE) provisioning model: a user reaches nothing by default, and every destination the user may reach is an explicit entitlement in that user's profile.

Key features of this unique restrictive access methodology are:

  • Remote endpoints have no footprint on the critical network infrastructure: the user's machine is never placed on the internal network;
  • Integrated applets allow granular compartmentalization down to the port level for all devices and systems;
  • Limits visibility to only authorized areas;
  • Masks the remote user's source IP address: the target sees connections arriving from the GateKeeper, not from the user's machine.

Universal Port (UP) Tunneling Technology

This is the most restrictive access method: the remote user can reach only the specific TCP or UDP port(s) on the specific host(s) named in the user's profile. The user is never given interactive access to the network, such as a shell or a virtual desktop. The model compartmentalizes, directing the user only to explicitly authorized resources, and contains, so the user cannot roam from an authorized resource to unauthorized ones. Because the remote user has no interactive foothold from which to scan or pivot, the model removes most of the exposure to intranet-originated attacks by remote entrants. What remains is whatever the permitted service itself allows over that port, so the target service must still be hardened and patched in its own right.

After a user successfully authenticates to the Xceedium GateKeeper, a Java applet is served to the user's computer. The applet binds the pre-defined TCP/UDP port(s) to the loopback interface on the user's computer, so each permitted service appears to be running locally. When the user launches client software against this local virtual server, all expected functionality is available; behind the scenes, the applet encrypts the communication with SSL and sends it to the Xceedium GateKeeper, which in turn forwards the traffic to the proper destination. Because the listeners are bound to the loopback interface only, other machines on the user's LAN cannot use them.
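The loopback-forwarding mechanism described above, as an added example that is not Xceedium's applet (which is Java and tunnels to the GateKeeper over SSL): a small Python TCP forwarder driven by a per-user profile. The profiles, host names and ports are constructed for illustration; the SSL leg to the gateway is omitted and the relay goes straight to the target, and UDP is not handled. The point it shows is the DAPE shape: a user whose profile is empty gets no listener at all, and a listed user gets a loopback listener only for the port named in the profile.

```python
import socket
import threading

# Constructed example profiles (not GateKeeper's real profile format).
# Key: loopback port on the user's machine; value: (target host, target port).
# Anything not listed is denied: "Deny All, Permit by Exception".
PROFILES = {
    "alice": {15432: ("db01.corp.example", 5432)},          # only PostgreSQL on db01
    "bob":   {12222: ("switch01.corp.example", 22),         # only SSH to switch01
              13389: ("ts01.corp.example", 3389)},          # only RDP to ts01
}


def permitted_forwards(user, profiles=PROFILES):
    """Mappings the user is entitled to; an unknown user is entitled to nothing."""
    return dict(profiles.get(user, {}))


def _pump(src, dst):
    """Relay bytes one way until the sender closes, then half-close the receiver."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _serve(listener, target):
    """Accept local clients and splice each one to the target."""
    while True:
        try:
            client, _ = listener.accept()
        except OSError:
            return  # listener closed by stop()
        try:
            upstream = socket.create_connection(target, timeout=5)
            upstream.settimeout(None)
        except OSError:
            client.close()
            continue
        threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
        threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()


class UPClient:
    """Binds each permitted loopback port and relays it to its target.

    The real applet sends the relayed bytes over SSL to the GateKeeper, which
    makes the final hop; here the relay goes straight to the target (an
    assumption for a stand-alone demo). `resolver` lets a test or lab map
    target names to reachable addresses.
    """

    def __init__(self, user, profiles=PROFILES, resolver=lambda target: target):
        self.user = user
        self.profiles = profiles
        self.resolver = resolver
        self.listeners = []

    def start(self):
        """Bind the user's ports; returns {bound loopback port: target}."""
        bound = {}
        for local_port, target in permitted_forwards(self.user, self.profiles).items():
            lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            # Loopback only: other hosts on the user's LAN cannot reach this listener.
            lsock.bind(("127.0.0.1", local_port))
            lsock.listen(8)
            threading.Thread(target=_serve, args=(lsock, self.resolver(target)),
                             daemon=True).start()
            self.listeners.append(lsock)
            bound[lsock.getsockname()[1]] = target   # actual port (matters when 0 was given)
        return bound

    def stop(self):
        for lsock in self.listeners:
            lsock.close()
        self.listeners = []


if __name__ == "__main__":
    # alice is entitled to exactly one forward; mallory, who has no profile, to none.
    print(permitted_forwards("alice"))
    print(permitted_forwards("mallory"))
```

Each listener is bound to 127.0.0.1 and a fixed port from the profile, so the user's client software is simply pointed at localhost; the entitlement check happens at bind time, not per connection, which is what makes the model "deny all" rather than a filter over an open tunnel.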

The UP technology instills best practice by encouraging companies to eliminate, or drastically reduce, the provisioning of interactive access such as a Unix shell or a Terminal Server session when the remote user only needs a particular TCP or UDP application.

2. Application Publishing and Isolation Technology

Microsoft provides two convenient tools for remote access: the Remote Desktop Protocol (RDP) and Terminal Services (TS). They give a remote user graphical access to the internal network and its applications. Out of the box, however, a Terminal Server session is a full desktop, and a full desktop is a launch point: a remote user connecting with RDP can open any client or tool on that desktop and leapfrog from the session to any other location the server can reach.

Xceedium provides two unique security features for graphical access. First, the Xceedium GateKeeper serves a Java-based RDP applet, which prevents the remote user from altering the RDP connection settings. Second, the GateKeeper adds a further layer by limiting the RDP session so that only specific published applications, rather than the full desktop environment, are visible. A Terminal Server reached over RDP and used as an intermediate hop into the network is generally known as a jump box. The Xceedium GateKeeper replaces the jump box: remote users keep the convenience of standard RDP to a standard Terminal Server, without the risk of leapfrogging or of launching an attack from a full desktop. Through the GateKeeper, the remote user sees only the specific applications he or she is explicitly permitted to access.

3. Centralized Reporting

Because all access to the data center and remote locations passes through the Xceedium GateKeeper, it becomes the single centralized source of comprehensive reporting. Coupled with keystroke logging and session recording, audit and compliance teams can readily produce reports for testing of controls. This centralized view of the entire infrastructure delivers simplicity in a complex environment and satisfies both management and compliance requirements.

PATENT-PENDING and PATENTED TECHNOLOGIES

1. LeapFrog Prevention™

Command Filtering Technology Prevents Leapfrog Violations on Network Devices or Appliances
By inspecting the commands a user issues, the GateKeeper can raise a silent alert to administrators, or intercept a black-listed command and stop a leapfrog attempt outright. Xceedium's Command Filtering Technology supports both black lists and white lists, and both are customer-definable. Each black-list entry can be set to generate a silent alert, to intercept the command, or both. Conversely, the white list contains all commands permitted for the user; anything not on it is refused.

The silent alert is a practical security measure that gives real-time awareness of specific user actions without the user's knowledge. For example, the GateKeeper administrator can define the "enable" command on a network device or appliance so that he is notified whenever any user of that device tries to enter configuration mode with "enable", while the command itself still goes through.

Leapfrog prevention for network appliances is achieved by inspecting each command the user issues and matching it against the pre-defined entries. When a match occurs, the command is intercepted before it reaches the network device or appliance, the user receives an on-screen warning, and an alert is sent to the appropriate authority.
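Added example, not Xceedium's filter: a Python sketch of the black-list/white-list decision described in this section, including the "enable" silent alert from the paragraph above (alert, but let the command through) alongside an intercepting rule for outbound interactive protocols. The rule syntax, policy names and command lines are constructed for illustration; the product's own rule format is not given on the page.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Rule:
    """One black-list entry: a regex plus the actions to take when it matches."""
    pattern: str
    alert: bool = False        # silent alert to the administrator
    intercept: bool = False    # drop the command before it reaches the device


@dataclass
class Policy:
    mode: str                                       # "blacklist" or "whitelist"
    blacklist: list = field(default_factory=list)   # list of Rule
    whitelist: list = field(default_factory=list)   # list of regex strings


@dataclass
class Decision:
    forward: bool      # pass the command on to the device?
    alert: bool        # notify the administrator?
    warn_user: bool    # show the user an on-screen warning?
    reason: str


def normalize(line):
    """Collapse whitespace and case so 'ENABLE' and '  enable ' hit the same rule."""
    return " ".join(line.strip().split()).lower()


class CommandFilter:
    """Sits in the CLI proxy path and decides, per command line, what happens to it."""

    def __init__(self, policy):
        self.policy = policy
        self.alerts = []   # in the real product these go to the administrator

    def handle(self, user, line):
        cmd = normalize(line)
        decision = self._decide(cmd)
        if decision.alert:
            self.alerts.append({"user": user, "command": cmd, "reason": decision.reason})
        return decision

    def _decide(self, cmd):
        if not cmd:
            return Decision(True, False, False, "empty line")
        if self.policy.mode == "whitelist":
            for pat in self.policy.whitelist:
                if re.fullmatch(pat, cmd):
                    return Decision(True, False, False, f"whitelisted by {pat!r}")
            # not on the white list: refuse, warn the user, tell the administrator
            return Decision(False, True, True, "not on white list")
        for rule in self.policy.blacklist:
            if re.search(rule.pattern, cmd):
                return Decision(forward=not rule.intercept, alert=rule.alert,
                                warn_user=rule.intercept,
                                reason=f"blacklisted by {rule.pattern!r}")
        return Decision(True, False, False, "no rule matched")


# Constructed example policies (not Xceedium's rule syntax).
# Black list: 'enable' is forwarded but silently reported; outbound interactive
# protocols are intercepted and reported.
NETWORK_DEVICE_POLICY = Policy("blacklist", blacklist=[
    Rule(r"^enable\b", alert=True),
    Rule(r"^(telnet|ssh|rlogin)\b", alert=True, intercept=True),
])
# White list: a read-only operator may run only these.
READONLY_POLICY = Policy("whitelist", whitelist=[r"show .*", r"ping \S+", r"exit"])
```

The white-list mode is the stricter of the two: a command that matches no entry is refused, warned and reported, whereas the black-list mode forwards anything it has not been told about. Either way the filter only sees the line the proxy sees, which is the limitation the socket-level section below addresses.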

Socket-Level Filtering Technology Detects and Stops Leapfrog Violations on Servers
Socket-level filtering tracks the individual users logged on to servers running Linux and Microsoft Windows. When one of a user's processes attempts to open a socket to another device or server on the network using an interactive protocol such as Telnet, SSH or rlogin, the monitoring process immediately blocks the socket, warns the user, and sends an alert to the designated authority in the company.

In a CLI session on the server, such as over Telnet or SSH, the user has every tool on the server available to leapfrog to another device on the network. The user can also write scripts or aliases that disguise the command, so command-based filtering alone cannot keep up: the set of commands a user can generate is unbounded. Socket-level monitoring, tied to the user's processes, detects the leapfrog attempt regardless of which command produced it, and terminates the violating program that is trying to establish the connection.

In a Windows graphical environment, even with application publishing deployed, the user can still leapfrog from the server to other devices on the network. For example, suppose the user is given access to a single Windows application through Citrix. Once authenticated and with the application launched, the user can use the Windows facilities available inside the application to start cmd.exe from within it.

cmd.exe is a command line from which the user can Telnet to another device on the network. In a poorly configured environment the user may even run any client software from his own laptop, because client drive mapping exposes the laptop's hard-drive partitions inside the Citrix session. Since there is no way to predict which command or program the user will use to leapfrog from a Windows server, socket-level detection and intervention is the effective strategy: it blocks a broad range of leapfrog methods at the point where they all converge, the outbound connection.
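Added example, not Xceedium's server monitor (the page does not describe how that monitor hooks the socket layer): a Python stand-in that uses CPython's audit hooks (Python 3.8 and later) to see every connect() made in a process and stop those outside the session's entitlement, whatever command or script issued them. The entitlement set and ports are constructed. The approach covers only the one interpreter it runs in; a real monitor would hook the operating system for every process the user owns, which is the assumption this example stands in for.

```python
import socket
import sys


class LeapfrogBlocked(PermissionError):
    """Raised inside connect() when the destination is not in the session's entitlement."""


class SocketGuard:
    """Process-local stand-in for socket-level leapfrog detection.

    CPython raises a 'socket.connect' audit event before every connect() is
    attempted, no matter which command, script or library triggered it.  The
    hook inspects the destination and aborts the call if it is not entitled.
    This is an assumption about how such a check can be expressed, not the
    product's implementation.
    """

    def __init__(self, user, allowed):
        self.user = user
        self.allowed = set(allowed)   # {(host, port)} the session may reach
        self.events = []              # audit trail: every connect seen and its verdict
        self.enabled = False

    def install(self):
        sys.addaudithook(self._hook)  # hooks cannot be removed; gate with .enabled
        self.enabled = True

    def _hook(self, event, args):
        if not self.enabled or event != "socket.connect":
            return
        sock, address = args
        if sock.family not in (socket.AF_INET, socket.AF_INET6):
            return                      # Unix-domain sockets stay on the host
        host, port = address[0], address[1]   # compared literally; a real monitor resolves names
        verdict = "allow" if (host, port) in self.allowed else "block"
        self.events.append({"user": self.user, "dst": (host, port), "verdict": verdict})
        if verdict == "block":
            # Abort before any packet leaves the host; the caller sees the exception.
            raise LeapfrogBlocked(f"{self.user}: connection to {host}:{port} is not permitted")


def try_connect(host, port):
    """What the user's tool experiences: 'connected', 'blocked', or 'refused'."""
    try:
        with socket.create_connection((host, port), timeout=2):
            return "connected"
    except LeapfrogBlocked:
        return "blocked"
    except OSError:
        return "refused"


if __name__ == "__main__":
    guard = SocketGuard("alice", allowed={("127.0.0.1", 5432)})
    guard.install()
    # Neither 'telnet', 'ssh' nor a hand-rolled script is on any black list here;
    # the outbound connect() itself is what gets stopped.
    print(try_connect("127.0.0.1", 22), guard.events[-1])
```

The contrast with command filtering is the catch point: the guard never looks at what was typed, only at where the process is trying to go, so a renamed binary or a script wrapper changes nothing. The cost is the same as the page describes for the real product: the monitor must live on the server, where the user's processes run.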

2. Session Recording

Session Recording for Telnet and SSH

Xceedium delivers a centralized IT operations management platform: a single place where each user performs all activities. Because the GateKeeper mediates access to every system and device in the heterogeneous infrastructure, it also holds a single view of all its components. All end-user activity is therefore tracked in sequence, and the reporting capabilities let customers pull reports that chronicle every activity performed by a user or a group of users. This "single pane of glass" view brings simplicity to a complex environment for performance audit or compliance.

Additionally, Xceedium delivers complete keystroke and session recording, giving full visibility into what the user does in CLI sessions. Recording what the user types and sees creates forensic data that is invaluable for later risk assessment and forensic analysis.

Recording can be configured as uni-directional (keystrokes only) or bi-directional (keystrokes and screen output), and can be enabled per user profile or per back-end server/device. These options let the GateKeeper administrator define recording policies for different use cases. For example, uni-directional recording for a particular application developer avoids capturing the screen output, which grows large as the developer pages through program code; the trade-off is that a keystroke-only record shows which commands were issued but not what they returned.

3. Point to Multipoint Connectivity

UP client concurrent multi-site connectivity
This technology enables users to connect concurrently to, and manage, multiple physically and logically isolated GateKeeper installation sites. It provides a unified portal for access to all authorized systems across the sites while reflecting the access policy unique to each site. Users authorized for one site have no visibility of other sites managed through the unified portal, and customers can apply a local security policy to each site. The feature increases operational efficiency while enhancing security.

Toll Free: 877-636-5803 | info@xceedium.com
© 2008 Xceedium, Inc. Privacy Policy | Terms of Service