Information Security

Defending the digital infrastructure



Achieving Access Control with Symark PowerBroker 5.0

In this product review, discover everything you need to know about Symark PowerBroker 5.0, such as policy control, logging and reporting capabilities, configuration and management.


Symark PowerBroker 5.0

Price: Starts at $1,000 per server

Symark PowerBroker solves the dilemma of providing root access privileges to multiple users on Unix-based systems without compromising security. It delivers comprehensive security controls through granular policies, and exhaustive auditing for rock-solid regulatory compliance.

The client/server-based software resides at the shell level, making no changes to the kernel. PowerBroker supports 30 different types of encryption--AES 256 is the default--to secure network traffic, logs and configuration files.

Configuration/Management: A
Installation requires moderate expertise in Unix environments and an understanding of basic shell scripting. We used a simple batch file to disseminate the necessary files to client systems.

PowerBroker works with HP-UX, Linux, Solaris, SCO and AIX and integrates well with existing infrastructure such as routers and firewalls.

PowerBroker can be configured and managed by command line or its well-designed Web GUI, which can easily be used by someone with minimum knowledge of Unix. We used the GUI to quickly set up privileges, create and assign policies, create alerts, manage encryption, and generate and view audits, logs and reports.

Policy Control: A
PowerBroker's policy control is extremely granular, based on a programmable scripting language.

Because root-level privileges are assigned based on role, the actual root password is never revealed. Policies can also be assigned based on user authentication through centralized repositories such as LDAP and SSO systems.

The new access control lists allow those unfamiliar with programming or shell scripts to write policies that control privileges through global categories such as user, system, command, time of day and day of week.

Reporting: A+
PowerBroker's greatest capability is logging and reporting. Ad hoc and custom reports are easily set up and run from the Web-based report utility, drawing from massive amounts of information in the encrypted log files.

The Entitlement Report will satisfy auditors, presenting a quick overview of who can run what, and under what circumstances.

The I/O logging option records all screens and keystrokes, storing them in an encrypted file that can be used for forensic analysis or to meet rigorous regulatory requirements. It can also be used for real-time monitoring.

Data is logged in syslog format, so it can be ported to SIM/SEM products, or exported in CSV and text formats.

Effectiveness: A
Everything the shell touches can be controlled through PowerBroker. Instead of logging in through /bin/bash or csh, users can log in through one of two transparent, secured shells that PowerBroker offers, one Korn-based and one Bourne-based. When we logged in through the PowerBroker shell, we did not have to type pbrun in front of every request we wanted to run as root.

We were impressed by the control that can be assigned to users based on role and circumstance. For example, we elevated the privileges of users so they could access a particular system, such as a Web server, as root, while denying them similar root privileges on a mail server. Security features include blocking predefined keystrokes, automatic termination of idle root sessions, and checksum comparisons to identify potential malicious code.

PowerBroker is a scalable solution that effectively delegates root privileges securely and provides excellent audit trails for regulatory compliance.

Testing methodology: Symark PowerBroker was deployed in a Linux-based environment with a variety of servers requiring root privileges, including a Web server and mail server.
