Wallix AdminBastion 3.1 - Administration Guide


Table of Contents
1. Introduction
1.1. Preamble
1.2. Copyright, Licences
1.3. Legend
1.4. About this document
2. Concepts
2.1. General information
2.2. Positioning of the WAB in the network infrastructure
2.3. The concept of WAB ACLs
2.4. Roll-out
3. Administration interface
3.1. Initial logon
3.2. Menu tree structure
3.3. My preferences
3.4. My authorisations
3.5. WAB audit
3.5.1. Current connections
3.5.2. View sessions in real time
3.5.3. Connection history
3.5.4. View session recording
3.5.5. Authentication history
3.5.6. Connection statistics
3.6. System audit
3.6.1. System status
3.6.2. System logs
3.7. Users
3.7.1. Accounts
3.7.2. Groups (of users)
3.7.3. Import (users)
3.8. Resources and accounts
3.8.1. Devices
3.8.2. Target accounts
3.8.3. Device admin credentials
3.8.4. Groups (of target accounts)
3.8.5. Authentication mechanisms
3.8.6. Import (target devices and target accounts)
3.9. Manage authorisations
3.9.1. Add an authorisation
3.9.2. Delete an authorisation
3.9.3. Import authorisations from CSV
3.10. User profiles
3.10.1. Default profiles
3.10.2. Add a user profile
3.10.3. Edit a user profile
3.10.4. Delete a user profile
3.11. WAB configuration
3.11.1. Time frames
3.11.2. External authentications
3.11.3. Notifications
3.11.4. Password policy
3.11.5. Secondary passwords
3.11.6. Logon settings
3.12. System configuration
3.12.1. Network
3.12.2. Time service
3.12.3. Remote storage
3.12.4. Syslog
3.12.5. SNMP
3.12.6. SMTP
3.12.7. Licence
3.13. Back-up/Restore
4. Operation
4.1. Using the command line to connect to the WAB
4.2. Exporting audit data
4.3. Back-up/Restore from the command line
4.4. Configuring automatic back-up
4.5. Rights engine: operating limitations
4.6. SSH flows analysis / Pattern detection
4.7. TELNET connection scenario
4.8. Resolving common problems
4.8.1. Restoring the factory 'admin' account
4.8.2. Resetting the device
5. Data encryption
6. Compatibility:
7. Limits:
8. Definitions


List of Figures
2.1. Wallix AdminBastion in the network infrastructure
3.1. WAB logon screen
3.2. WAB home page (administrator profile)
3.3. 'My preferences' page
3.4. User's authorisations
3.5. Close an SSH connection
3.6. View RDP sessions in real time
3.7. Connection history
3.8. Connection history filters
3.9. View an RDP recording with OCR
3.10. Authentication history
3.11. Connection statistics
3.12. Sample statistical graph
3.13. System status
3.14. List of users
3.15. Add user form
3.16. Delete users
3.17. List of devices accessible by a user
3.18. List of user groups
3.19. Add user group form
3.20. List of users in a group
3.21. Import users page
3.22. Summary of user import from a CSV file
3.23. Import users from a directory
3.24. List of target devices
3.25. Add device form
3.26. List of all target accounts for a device
3.27. List of target accounts for a service
3.28. Add target account form
3.29. Device admin credentials
3.30. Admin credentials on a Linux/Unix device
3.31. Admin credentials on a Windows device
3.32. Admin credentials on a Cisco device
3.33. List of target account groups
3.34. Add a target account group form
3.35. Authentication mechanisms
3.36. List of authorisations
3.37. Add authorisation form
3.38. Add user profile form
3.39. List of time frames
3.40. Add time frame form
3.41. Add LDAP authentication form
3.42. Add notification form
3.43. 'Password policy' page
3.44. 'Secondary password' page
3.45. 'Secondary password' page
3.46. 'Logon settings' page
3.47. Network configuration
3.48. Time service configuration
3.49. Configuring remote storage
3.50. Configuring syslog routing
3.51. Configuring the SNMP agent
3.52. SMTP service configuration
3.53. Managing the licence
3.54. 'Back-up/Restore' page


Chapter 1. Introduction
1.1. Preamble
Thank you for choosing Wallix AdminBastion, also called WAB.

WAB is marketed in the form of a dedicated, ready-to-use server or as a virtual device for the
VMware ESX 4.x and 5.x environments.

This product has been engineered with the greatest of care by our teams at Wallix and we trust
that it will deliver complete satisfaction.

1.2. Copyright, Licences


This document is the property of Wallix and may not be reproduced without its prior consent.

All the product or company names mentioned herein are the registered trademarks of their
respective owners.

Wallix AdminBastion is subject to the Wallix software licence contract.

Wallix AdminBastion is based on free software. The list and source code of GPL and LGPL licenced
software used by Wallix AdminBastion are available from Wallix. Please send your request by email
to: wabsupport@rt.wallix.com or in writing to:

Wallix
Service Support
118, rue de Tocqueville
75017 Paris
France

1.3. Legend
prompt $ command to input
command output
on one or more lines
prompt $

1.4. About this document


This is the Administration Guide for the Wallix AdminBastion 3.1. Use it to configure the WAB prior
to roll-out, and also for its administration and operation day to day.

Wallix provides dedicated guides covering the configuration and use of the WAB for the following
functionalities:

• Administration console
• X509 authentication
• HA (High Availability)

In addition:

• a Quick Start Guide
• a User Guide

Chapter 2. Concepts
2.1. General information
WAB has been developed for the technical teams that administer IT infrastructure (servers, network
and security devices, etc.). Designed to meet the access control and traceability needs of system
administrators, Wallix AdminBastion features access control lists (ACLs) and traceability functions.
It constitutes a security buffer for administrators who wish to log on to devices by:

• checking the authentication details provided by the user
• checking their access rights for the resource in question
The WAB also allows you to automate logons to target devices to enhance the security of the
information system by preventing disclosure of server authentication details.

Protocols currently supported are:

• SSH (and its sub-systems)
• Telnet, Rlogin
• RDP and VNC in the user domain
• HTTP and HTTPS

The WAB has a graphical web interface, validated using Firefox 3, Internet Explorer 7 and Internet
Explorer 8, to monitor activity and connections and to configure its component parts.

2.2. Positioning of the WAB in the network infrastructure
AdminBastion is positioned between a low trust domain and a high trust domain.

The high trust domain is represented by the devices isolated by the AdminBastion.

These devices and their related accounts are called 'target accounts' in WAB terminology.

The low trust domain is represented by the population with direct access to the Bastion:

• the company's personnel
• Internet zone

For users of the solution, access to the target accounts (high trust domain) is only possible through
the WAB.


Figure 2.1. Wallix AdminBastion in the network infrastructure

2.3. The concept of WAB ACLs


Wallix AdminBastion features an advanced rights management engine to determine who has
access to what, when and with which protocol(s).

These ACLs consist of the following objects:

• users: i.e. physical users of the AdminBastion
• user groups: sets of users
• devices: i.e. physical or virtualised devices to which access is requested via the AdminBastion
• target accounts: the accounts declared on a device
• target account groups: a set of target accounts

In the WAB, access to a target account by a user depends on an authorisation profile. Authorisations
are declared between a group of users and a group of target accounts (which means that each target
account must belong to a target account group, and that each user must belong to a user group).

The authorisation allows users in group X to access target accounts in group Y, via protocols A,
B, or C.

Additional entities are attached to these primary entities, allowing you to define:

• connection time frames
• criticality of access to target resources
• whether the session is recorded or not
• the type of user authentication procedure

You can also define a number of different WAB administrator profiles, with rights limited, for
example, to audit, adding users, system administration, authorisations, etc.
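
The ACL model described in this section can be sketched as a default-deny decision over group-to-group authorisations. This is an added illustration, not Wallix code or the WAB rights engine: the class names, the group and account names, and the shape of a time frame (weekdays plus a daily window) are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import NamedTuple


@dataclass(frozen=True)
class TimeFrame:
    # Assumed shape: a set of weekdays (0 = Monday) plus a daily window.
    weekdays: frozenset
    start: time
    end: time

    def contains(self, when: datetime) -> bool:
        return when.weekday() in self.weekdays and self.start <= when.time() < self.end


@dataclass(frozen=True)
class Authorisation:
    user_group: str        # "group X" in the text above
    target_group: str      # "group Y"
    protocols: frozenset   # "protocols A, B, or C"
    time_frame: TimeFrame
    recorded: bool = True  # whether the session is recorded


class Decision(NamedTuple):
    allowed: bool
    reason: str
    recorded: bool


# Constructed sample data (hypothetical users, accounts and groups).
USER_GROUPS = {"unix-admins": {"alice", "bob"}, "auditors": {"carol"}}
TARGET_GROUPS = {"linux-prod": {"root@srv-db1", "root@srv-web1"}}
BUSINESS_HOURS = TimeFrame(frozenset(range(5)), time(8, 0), time(19, 0))
AUTHORISATIONS = [
    Authorisation("unix-admins", "linux-prod", frozenset({"SSH"}), BUSINESS_HOURS),
]


def check_access(user, account, protocol, when, authorisations=AUTHORISATIONS):
    """Default deny: allow only if one authorisation matches every criterion."""
    reason = "no authorisation links this user to this target account"
    for auth in authorisations:
        if user not in USER_GROUPS.get(auth.user_group, ()):
            continue
        if account not in TARGET_GROUPS.get(auth.target_group, ()):
            continue
        if protocol not in auth.protocols:
            reason = "protocol not authorised"
            continue
        if not auth.time_frame.contains(when):
            reason = "outside the authorised time frame"
            continue
        return Decision(True, f"{auth.user_group} -> {auth.target_group}", auth.recorded)
    return Decision(False, reason, False)


def unassigned(items, groups):
    """Users or target accounts in no group: no authorisation can ever match them."""
    return sorted(set(items) - set().union(*groups.values()))
```

Running `unassigned` over an inventory before roll-out surfaces users and target accounts that would be unreachable because authorisations are only ever declared between groups.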

2.4. Roll-out
The WAB includes a set of import tools to facilitate roll-out.

However, to ensure the WAB is commissioned successfully, we recommend inventorying: