deanwilsons (United Kingdom of Great Britain and Northern Ireland) asked:
IT staff security policy when leaving the business

Hi all,

Not quite sure where this question sits, as it's not really a break/fix issue, but relates to the bigger IT security picture.

We have a large amount of Cisco and Huawei equipment, as well as the usual lump of Windows and Linux based platforms, and we are struggling to get a managed security policy in place to protect and block access to these network devices when previous admins and root access holders leave.
These devices are not protected by a VPN policy, and all accounts are local.

So the questions here are:

  • can Cisco and Huawei access be defined on a centrally managed platform or database
  • can passwords for the above be remotely bulk changed
  • is there a best practices document for this

regards

phil
SOLUTION
David Favor (United States of America)
[solution text only available to Experts Exchange members]

deanwilsons (ASKER):
Hi David,

I was hoping for some kind of off the shelf solution, as we don't really have the time nor, I suspect, the in-house skills to write a reliable script.

cheers
btan:

Looks like the need for a central privileged access management system which acts as a jumphost, and all admin access or user access will go through it. The jumphost will have a password vault that holds the preconfigured login credentials to each of the devices and accesses them securely. It serves primarily also as a "surveillance" checkpoint to capture the full audit trail and actions of the person logging in and the actions taken... mostly a compliance proxy that serves the evidence for any foul play or abuse actions. An example is CyberArk PSM @ (pdf) http://lp.cyberark.com/rs/cyberarksoftware/images/ds-privileged-account-security-10-31-13-final-en.pdf

Good practice for securing privileged accounts
- Introducing a new set of user identifiers or passwords would just add complexity and is strongly discouraged.

Assuming that organizations which intend to deploy a privileged access management system already
have a corporate user directory, such as Active Directory, it makes sense to leverage unique user
identifiers from this directory to identify users of the privileged access management system.

Once a (human) user has been identified, he must also be authenticated.
- Users may be assigned permanent access rights.
- Users may request temporary access rights.

Permanent access rights are best accomplished using access control lists (ACLs).
- Individual users are placed into user groups.

Individual managed systems where passwords to privileged accounts are managed are attached to managed system policies.
- Designated groups of users can be assigned specific rights to systems attached to designated policies.
- Temporary access rights are best accomplished using a request workflow.
- The choice of authorizers should, in general, be based on the identities of the recipient and the managed system and privileged account being requested.
- It follows that some mechanism is needed to identify alternate authorizers if the original ones are unresponsive or known to be unavailable.

With concurrency controls in place, a risk arises that one administrator will check out access to a privileged account, leave the session active and stop working (go home, leave for lunch, etc.).
- to enforce them in the event that a password was actually displayed to the user who gained access to a privileged account.
- If technically possible (it may not be) and acceptable to the administrators in question, terminate still open connections between the administrator and the system in question (e.g., SSH, RDP, etc.).

In any medium-to-large organization, workstations and servers are activated and retired daily. It therefore seems reasonable to run any auto-discovery process every 24 hours.
@ (pdf) https://www.infosecurityeurope.com/__novadocuments/264635?v=636075412600330000

There are no “one size fits all” answers
A privileged access management system enables organizations to replace well-known, static and insecure passwords with frequent password changes, strong and personal authentication, fine-grained authorization logic and extensive audit logs.

Deploying this sort of system can be invasive – failure of the system, in terms of confidentiality, integrity or availability, would be catastrophic. Consequently, great care must be taken to deploy the system in a manner that is robust, fault-tolerant and secure.
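The offboarding step the question asks about (revoking a departed admin's local account and bulk-changing the shared local password across Cisco and Huawei gear, with each device getting its own fresh secret) is shown here as an added Python example; it is not code from this thread, from CyberArk or from any vendor. The device inventory, the vendor CLI syntax and the `send` transport are assumptions: the sample runs with a dry-run sender that masks secrets, and a real run would swap in an SSH transport such as netmiko and write the returned records into the password vault btan describes.

```python
import secrets
import string
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Device:
    name: str
    vendor: str            # "cisco_ios" or "huawei_vrp" (assumed tags)
    host: str
    shared_user: str = "admin"   # local break-glass account every admin knew


# Constructed sample inventory; hosts are RFC 5737 documentation addresses.
INVENTORY = [
    Device("core-sw-01", "cisco_ios", "192.0.2.11"),
    Device("edge-rtr-01", "cisco_ios", "192.0.2.12"),
    Device("dc-sw-01", "huawei_vrp", "192.0.2.21"),
]

# '?' is the IOS help key and several characters are shell-special on jumphosts,
# so the alphabet is deliberately conservative.
PW_ALPHABET = string.ascii_letters + string.digits + "-_.!@"


def new_password(length: int = 20) -> str:
    """Return a fresh random password containing lower, upper and digit classes."""
    while True:
        pw = "".join(secrets.choice(PW_ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)):
            return pw


def revoke_commands(dev: Device, departed_user: str) -> List[str]:
    """Commands that delete the departed admin's personal local account.
    Syntax is an assumption to verify against the device's software release."""
    if dev.vendor == "cisco_ios":
        return ["configure terminal", f"no username {departed_user}", "end"]
    if dev.vendor == "huawei_vrp":
        return ["system-view", "aaa", f"undo local-user {departed_user}", "quit", "return"]
    raise ValueError(f"unsupported vendor {dev.vendor!r}")


def rotate_commands(dev: Device, password: str) -> List[str]:
    """Commands that set a new secret on the shared local account and save config."""
    if dev.vendor == "cisco_ios":
        return ["configure terminal",
                f"username {dev.shared_user} privilege 15 secret {password}",
                "end", "write memory"]
    if dev.vendor == "huawei_vrp":
        return ["system-view", "aaa",
                f"local-user {dev.shared_user} password irreversible-cipher {password}",
                "quit", "return", "save", "y"]   # 'save' asks for confirmation
    raise ValueError(f"unsupported vendor {dev.vendor!r}")


def mask(command: str) -> str:
    """Hide the secret in a command line before it reaches a log or terminal."""
    for kw in (" secret ", " irreversible-cipher "):
        if kw in command:
            return command.split(kw)[0] + kw + "********"
    return command


Sender = Callable[[Device, List[str]], None]


def offboard(devices: List[Device], departed_user: str,
             send: Sender) -> Tuple[Dict[str, dict], Dict[str, str]]:
    """For every device: remove the departed user's account, then set a new,
    device-unique secret on the shared local account.
    Returns (vault_records, failures). A device that fails keeps its old secret
    and is reported rather than silently skipped, so nothing is left unrotated."""
    vault: Dict[str, dict] = {}
    failures: Dict[str, str] = {}
    for dev in devices:
        pw = new_password()
        try:
            send(dev, revoke_commands(dev, departed_user) + rotate_commands(dev, pw))
        except Exception as exc:
            failures[dev.name] = f"{type(exc).__name__}: {exc}"
            continue
        vault[dev.name] = {"host": dev.host, "user": dev.shared_user, "password": pw}
    return vault, failures


def dry_run_send(dev: Device, commands: List[str]) -> None:
    """Transport stand-in: prints what would be pushed, with secrets masked."""
    for c in commands:
        print(f"[{dev.name} {dev.host}] {mask(c)}")


if __name__ == "__main__":
    vault, failed = offboard(INVENTORY, "departed.admin", dry_run_send)
    print(f"rotated {len(vault)} device(s), {len(failed)} failure(s): {failed}")
```

The records in `vault` are the only copy of the new secrets, so the caller must hand them to the vault (or the PAM checkout system) immediately; with the dry-run sender nothing is pushed, which is how to review the command batches before a real transport is plugged in.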
deanwilsons (ASKER):

I was thinking for the Cisco something along the lines of TACACS, but not sure if Huawei has something similar, before we go down the CyberArk or another paid central privileged access management system route.

Just also been informed we need to add Juniper into the equation as well.

If there is no other built-in method to secure and manage accounts across all the types of devices, then we will look further into a central privileged access management system.

Thanks

phil
btan:

TACACS+ or RADIUS can be a good baseline to ensure out-of-band management access is authenticated against the designated directory of users and admins. PIMs like CyberArk are an alternative and most of the time are for compliance, to make sure recording of actions (on top of the audit log) is available as part of the capability controls. Henceforth, exploring the use of Cisco ISE is viable, and the latter can be interoperable with Huawei devices too. Do refer to the info below:

More in ISE vs ACS (predecessor) @ https://communities.cisco.com/docs/DOC-63901?mobileredirect=true
Interoperable assessment of Huawei device @ http://blog.tolly.com/huawei-s-series-switch-interoperability-with-cisco-ise/
deanwilsons (ASKER):

Cisco ISE looks like something we could use, but I suspect for 27001 we would need to keep some kind of audit as well, although this article does imply it's compliant.

ASKER CERTIFIED SOLUTION
[solution text only available to Experts Exchange members]
deanwilsons (ASKER):

Hi guys, thanks for the help on this.

Think it's gonna be the ISE solution for now, and then see if we can get the budget for a paid solution next year or if ISE doesn't fit our model.

many thanks

phil