deanwilsons asked:
IT staff security policy when leaving the business
Hi all,
Not quite sure where this question sits, as it's not really a break/fix issue, but relates to the bigger IT security picture.
We have a large number of Cisco and Huawei equipment, as well as the usual lump of Windows and Linux based platforms, and we are struggling to get a managed security policy in place to protect and block access to these network devices when previous admins and root access holders leave.
These devices are not protected by a VPN policy, and all are local accounts.
So the questions here are:
- Can Cisco and Huawei access be defined on a centrally managed platform or database?
- Can passwords for the above be remotely bulk changed?
- Is there a best practices document for this?
regards
phil
SOLUTION
Looks like the need for a central privileged access management system which acts as a jumphost, and all admin access or user access will go through it. The jumphost will have a password vault that holds the preconfigured login credentials to each of the devices and accesses them securely. It serves primarily also as a "surveillance" checkpoint to capture the full audit trail of the person logging in and the actions taken... mostly a compliance proxy that serves the evidence for any foul play or abuse. An example is CyberArk PSM @ (pdf) http://lp.cyberark.com/rs/cyberarksoftware/images/ds-privileged-account-security-10-31-13-final-en.pdf
Good practice for securing privileged accounts @ (pdf) https://www.infosecurityeurope.com/__novadocuments/264635?v=636075412600330000
- There are no “one size fits all” answers.
- Introducing a new set of user identifiers or passwords would just add complexity and is strongly discouraged.
Assuming that organizations which intend to deploy a privileged access management system already have a corporate user directory, such as Active Directory, it makes sense to leverage unique user identifiers from this directory to identify users of the privileged access management system.
Once a (human) user has been identified, he must also be authenticated.
- Users may be assigned permanent access rights.
- Users may request temporary access rights.
Permanent access rights are best accomplished using access control lists (ACLs):
- Individual users are placed into user groups.
- Individual managed systems where passwords to privileged accounts are managed are attached to managed system policies.
- Designated groups of users can be assigned specific rights to systems attached to designated policies.
Temporary access rights are best accomplished using a request workflow:
- The choice of authorizers should, in general, be based on the identities of the recipient and the managed system and privileged account being requested.
- It follows that some mechanism is needed to identify alternate authorizers if the original ones are unresponsive or known to be unavailable.
With concurrency controls in place, a risk arises that one administrator will check out access to a privileged account, leave the session active and stop working (go home, leave for lunch, etc.).
- to enforce them in the event that a password was actually displayed to the user who gained access to a privileged account.
- If technically possible (it may not be) and acceptable to the administrators in question, terminate still open connections between the administrator and the system in question (e.g., SSH, RDP, etc.).
In any medium-to-large organization, workstations and servers are activated and retired daily. It therefore seems reasonable to run any auto-discovery process every 24 hours.
A privileged access management system enables organizations to replace well-known, static and insecure passwords with frequent password changes, strong and personal authentication, fine-grained authorization logic and extensive audit logs.
Deploying this sort of system can be invasive – failure of the system, in terms of confidentiality, integrity or availability, would be catastrophic. Consequently, great care must be taken to deploy the system in a manner that is robust, fault-tolerant and secure.
ASKER
I was thinking for the Cisco something along the lines of TACACS, but not sure if Huawei has something similar, before we go down the CyberArk or another paid central privileged access management system route.
Just also been informed we need to add Juniper into the equation as well.
If there is no other built-in method to secure and manage accounts across all these types of devices, then we will look further into a central privileged access management system.
Thanks
phil
TACACS+ or RADIUS can be a good baseline to ensure out-of-band management access is authenticated against the designated directory of users and admins. A PIMS like CyberArk is an alternative and most of the time is for compliance, to make sure recording of actions (on top of the audit log) is available as part of the capability controls. Hence, exploring the use of Cisco ISE is viable, and the latter can be interoperable with Huawei devices too. Do refer to the info below:
More in ISE vs ACS (predecessor) @ https://communities.cisco.com/docs/DOC-63901?mobileredirect=true
Interoperable assessment of Huawei device @ http://blog.tolly.com/huawei-s-series-switch-interoperability-with-cisco-ise/
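As an added example (not from the thread or from any vendor document), here is a minimal Cisco IOS AAA configuration of the kind the TACACS+ baseline above implies: first the local-account-only setup the asker describes, then one that authenticates, authorizes and accounts every management session against an ISE TACACS+ server, keeps a single vaulted local account purely as fallback, and so leaves nothing to rotate on each box when an admin leaves. The server name, addresses, ACL range and shared-secret placeholder are assumptions.

```text
! ---- Before: standalone local accounts (what the question describes) ----
! Every admin shares or knows these; a leaver keeps working access until
! each device is touched by hand, and nothing records which commands ran.
username netadmin privilege 15 secret REPLACE_ME
line vty 0 4
 login local
 transport input ssh

! ---- After: central AAA via TACACS+ (e.g. Cisco ISE), local fallback only ----
aaa new-model

! TACACS+ server definition; address and key are placeholders
tacacs server ISE-PSN-1
 address ipv4 192.0.2.10
 key ISE_SHARED_SECRET_PLACEHOLDER
aaa group server tacacs+ ISE-TACACS
 server name ISE-PSN-1

! Authentication: directory users via ISE; "local" is consulted only if
! every TACACS+ server is unreachable, so disabling a leaver in AD/ISE
! revokes access to all devices at once.
aaa authentication login MGMT group ISE-TACACS local
aaa authentication enable default group ISE-TACACS enable

! Authorization: shell access and per-command (level 15) decisions from ISE,
! including configuration-mode commands.
aaa authorization exec MGMT group ISE-TACACS local
aaa authorization commands 15 MGMT group ISE-TACACS local
aaa authorization config-commands

! Accounting: session start/stop and every level-15 command go to ISE,
! giving the per-user audit trail asked about for ISO 27001 evidence.
aaa accounting exec MGMT start-stop group ISE-TACACS
aaa accounting commands 15 MGMT start-stop group ISE-TACACS

! One break-glass account, stored in the password vault, never used day to day
username breakglass privilege 15 secret REPLACE_ME_FROM_VAULT

! Restrict management sessions to the admin/jumphost subnet (placeholder range)
ip access-list standard MGMT-HOSTS
 permit 192.0.2.0 0.0.0.255

line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 login authentication MGMT
 authorization exec MGMT
 authorization commands 15 MGMT
 accounting exec MGMT
 accounting commands 15 MGMT
```

Huawei VRP (`hwtacacs-server template`) and Junos (`set system authentication-order [ tacplus password ]`) expose the same pattern of central TACACS+ first with a local account as last resort, which is what lets one ISE deployment cover all three vendors.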
ASKER
Cisco ISE looks like something we could use, but I suspect for 27001 we would need to keep some kind of audit as well, although this article does imply it's compliant.
ASKER CERTIFIED SOLUTION
ASKER
Hi guys, thanks for the help on this.
I think it's gonna be the ISE solution for now, and then see if we can get the budget for a paid solution next year, or if ISE doesn't fit our model.
many thanks
phil
ASKER
I was hoping for some kind of off-the-shelf solution, as we don't really have the time nor, I suspect, the in-house skills to write a reliable script.
cheers