Feature

Achieving Access Control with Symark PowerBroker 5.0


ACCESS CONTROL


Symark PowerBroker 5.0
REVIEWED BY SANDRA KAY MILLER

Symark
Price: Starts at $1,000 per server

Symark PowerBroker solves the dilemma of providing root access privileges to multiple users on Unix-based systems without compromising security. It delivers comprehensive security controls through granular policies, and exhaustive auditing for rock-solid regulatory compliance.

The client/server-based software resides at the shell level, making no changes to the kernel. PowerBroker supports 30 different types of encryption--AES 256 is the default--to secure network traffic, logs and configuration files.


Configuration/Management: A
Installation requires moderate expertise in Unix environments and an understanding of basic shell scripting. We used a simple batch file to disseminate the necessary files to client systems.

PowerBroker works with HP-UX, Linux, Solaris, SCO and AIX and integrates well with existing infrastructure such as routers and firewalls.

PowerBroker can be configured and managed by command line or its well-designed Web GUI, which can easily be used by someone with minimum knowledge of Unix. We used the GUI to quickly set up privileges, create and assign policies, create alerts, manage encryption, and generate and view audits, logs and reports.


Policy Control: A
PowerBroker's policy control is extremely granular, based on a programmable scripting language.

By assigning root-level privileges based on role, the actual root password is never revealed. Policies can also be assigned based upon user authentication through centralized repositories such as LDAP and SSO systems.

The new access control lists allow those unfamiliar with programming or shell scripts to write policies that control privileges through global categories such as user, system, command, time of day and day of week.


Reporting: A+
PowerBroker's greatest capability is logging and reporting. Ad hoc and custom reports are easily set up and run from the Web-based report utility, drawing from massive amounts of information in the encrypted log files.

The Entitlement Report will satisfy auditors, presenting a quick overview of who can run what, and under what circumstances.

The I/O logging option records all screens and keystrokes, storing them in an encrypted file that can be used for forensic analysis or to meet rigorous regulatory requirements. It can also be used for real-time monitoring.

Data is logged in syslog format, so it can be ported to SIM/SEM products, or exported in CSV and text formats.

Effectiveness: A
Everything the shell touches can be controlled through PowerBroker. Instead of logging in through /bin/bash or csh, PowerBroker offers two transparent secured Korn- and Bourne-based shells. When we logged in through the PowerBroker shell, we did not have to type pbrun in front of every request we wanted to run as root.

We were impressed by the control that can be assigned to users based on role and circumstance. For example, we elevated privileges of users so they could access a particular system, such as a Web server, as root, while denying similar root privileges to a mail server. Security features include blocking predefined keystrokes, automatic termination of idle root sessions, and checksum comparisons to identify potential malicious code.
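The role-based, deny-by-default policy model described in the Policy Control and Effectiveness sections (elevate a Web admin to root on a Web server, refuse the same on a mail server, with the ACL categories of user, system, command, time of day and day of week) as an added Python example. This is illustrative code written for this review, not PowerBroker's own policy language or API; the rule set, role name, host names and commands are constructed.

```python
from dataclasses import dataclass
from datetime import datetime
from fnmatch import fnmatch

ALL_DAYS = frozenset({"Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"})

@dataclass(frozen=True)
class Rule:
    """One ACL entry; every field must match for the rule to apply."""
    role: str
    hosts: tuple            # glob patterns for the target system
    commands: tuple         # glob patterns for the command to run as root
    decision: str = "accept"
    hours: tuple = (0, 24)  # allowed window [start, end) on a 24h clock
    days: frozenset = ALL_DAYS

# Constructed sample policy: web admins get root on web hosts for service
# commands during business hours and are explicitly refused on mail hosts.
RULES = (
    Rule("webadmin", ("mail*",), ("*",), decision="reject"),
    Rule("webadmin", ("web*",), ("/usr/sbin/apachectl *", "/sbin/service httpd *"),
         hours=(8, 18), days=frozenset({"Mon", "Tue", "Wed", "Thu", "Fri"})),
)

def evaluate(rules, roles, host, command, when):
    """Decide one elevation request; `when` is an ISO-8601 timestamp.
    First matching rule wins, and a request that matches no rule is rejected
    (deny by default), so an explicit reject placed first beats a later accept."""
    now = datetime.fromisoformat(when)
    for index, rule in enumerate(rules):
        if rule.role not in roles:
            continue
        if not any(fnmatch(host, pat) for pat in rule.hosts):
            continue
        if not any(fnmatch(command, pat) for pat in rule.commands):
            continue
        if not rule.hours[0] <= now.hour < rule.hours[1]:
            continue
        if now.strftime("%a") not in rule.days:
            continue
        return rule.decision, index
    return "reject", None

def audit_line(user, host, command, when, decision, index):
    """Syslog-style record of the decision, ready for export to a SIM/SEM."""
    return (f"{when} pb-policy: user={user} host={host} cmd={command!r} "
            f"decision={decision} rule={index}")
```

Rule order matters: the explicit reject for mail hosts is listed first so it can never be shadowed by a broader accept added later.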


Verdict
PowerBroker is a scalable solution that effectively delegates root privileges securely and provides excellent audit trails for regulatory compliance.


Testing methodology: Symark PowerBroker was deployed in a Linux-based environment with a variety of servers requiring root privileges, including a Web server and mail server.

This was first published in October 2007
