Network Security

Xnet Secure Gate

Year: 2015

Client: European Central Bank

SOLUTION DESCRIPTION:

Xnet Secure Gate - Auditable Administration

Full control of privileged administrative access in a heterogeneous IT environment.

In a public tender, a multinational telecommunications services company won the contract to provide and operate a system for one of the largest banks in Europe. One of the key requirements was the implementation of a high-security access system. Xnet was commissioned by the telecommunications company to ensure audit compliance for administrative access within the solution.

THE PRODUCER

Xnet Communications GmbH

was founded in 1996 and provides independent system integration for a wide range of data communication tasks for corporate clients. With a total of 80 employees, 50 of whom work in development, Xnet has created its own product families for IT management and data distribution. In addition, Xnet is the German distributor of the Netop remote maintenance products of the Danish manufacturer Netop Solutions A/S. The technically oriented team combines its own products with standard components. Complete solutions are designed, developed and implemented according to individual needs; the results are customised turnkey solutions. On request, Xnet also provides consulting, support and SLA services. Xnet's headquarters are in Hamburg, Germany. Besides the headquarters, Xnet has offices in Frankfurt, Germany; Atlanta, USA; and Poznan, Poland.

THE CHALLENGE

Already during the planning phase, the telecommunications company determined that a number of different systems had to be administered: switches, firewalls from different manufacturers, database servers, virtualization servers, gateways, among many others. As is typical for such a heterogeneous environment, administering so many different systems requires specialised tools, and the complexity of the tasks calls for highly trained staff. On top of this, the telecommunications company realised that support by external specialists from other consulting firms was frequently required. To make things a little more complicated, every one of these tools delivers its own proprietary log files. Proprietary logs are difficult for audit staff to interpret, and some are not comprehensive at all. Often enough, the same contractor who generated the remote session log files has to be consulted later to interpret exactly those files. Another frequently used method for controlling remote sessions of external experts, the four-eyes meeting, is also insufficient because it lacks the documentation needed for compliance. Furthermore, the activities carried out by external staff are highly specialised, and their details are often impossible for an internal employee to verify on the fly, not to mention the implications any local activity may have on the whole environment.

THE REQUEST

The Bank was looking for a solution capable of supporting this kind of heterogeneous administration and maintenance environment and, most importantly, of guaranteeing traceability of all activities during remote maintenance sessions at all times. Xnet had already successfully implemented remote access/control solutions for some well-known companies in the past. Because of Xnet's experience with remote control solutions in highly security-sensitive environments, the telecommunications company got in touch with Xnet. In collaboration, a completely new approach to a remote access solution for remote staff and service providers was developed for the Bank.

THE SOLUTION - SINGLE POINT OF ACCESS

During consultation, the specialists from Xnet realised very quickly that a centralised "access system" was needed. The solution had to cover every administrative task, no matter which backend system was addressed and no matter which kind of tool was used for the maintenance work. Furthermore, for audit purposes all remote access activities had to be recorded in detail, every single action. This demand exceeded the abilities of the customary logging features of remote access sessions. Additionally, the vast number of different systems and the number of changing administrators and operators generated an enormous number of sessions. For audit compliance, those recorded sessions had to be stored securely and unchangeably. At the same time, all access to the recordings had to be secured according to the guidelines of data protection and data security. Data integrity on the one hand and the protection of data privacy on the other demanded that all stored data be encrypted. Access to this data is only to be granted by explicit order of the management. To fulfil these very complex needs, Xnet Communications developed the Xnet Secure Gate software.

THE PRODUCT XNET SECURE GATE

It wasn't the first time that the specialists from Xnet had been faced with exactly this demand from customers: most companies work closely with external contractors whose experts need remote access. Depending on the specific service level agreement and the kind of activity performed, it had until now been necessary to create a separate, isolated access solution for each contractor. A centralised entity that sets up, controls, administers and documents all remote access sessions and activities was missing. For this reason Xnet decided not to develop a one-off solution for the Bank, but to create a completely new product: the Xnet Secure Gate.

Essentially, the Xnet Secure Gate consists of three major components:

  • Xnet Security Server
  • Xnet Secure Console
  • Xnet Movie Admin

[Figure: XSG scheme (remote maintenance solution with a central system)]

IN DETAIL - THE SERVER

The Xnet Security Server manages all authentication and authorisation of employees of consulting firms, whether a system administrator or another expert. This central component administers and links the access authorisations (roles) of the support staff with the appropriate target systems and the permitted/required remote tools. To avoid duplicate data and sources of error, the Security Server refers to the existing LDAP/AD database when a remote session is to be established.
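The role linkage described above, as an added illustration (this is not Xnet's code and does not reflect how the Security Server is implemented): an administrator's directory groups are resolved into the target systems and remote tools a session may use, and a request is granted only if a single role permits both the target and the tool. The group DNs, host names, tool names and the in-memory directory stand-in are all constructed for the example; a real deployment would query LDAP/AD for group membership and load the role table from the server's configuration.

```python
"""Added example: role-based authorisation of (user, target, tool) requests.
All group names, hosts, tools and directory entries are constructed."""
from dataclasses import dataclass

# Constructed role table: directory group -> allowed target systems and tools.
ROLES = {
    "CN=net-admins,OU=groups,DC=example,DC=test": {
        "targets": {"core-switch-01", "fw-edge-01"},
        "tools": {"ssh", "https"},
    },
    "CN=dba-external,OU=groups,DC=example,DC=test": {
        "targets": {"db-prod-01"},
        "tools": {"rdp"},
    },
}

# Constructed stand-in for an LDAP/AD lookup: user -> list of group DNs.
DIRECTORY = {
    "alice": ["CN=net-admins,OU=groups,DC=example,DC=test"],
    "bob": ["CN=dba-external,OU=groups,DC=example,DC=test"],
    "mallory": [],
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def lookup_groups(user: str) -> list[str]:
    """Stand-in for the directory query; unknown users have no groups."""
    return DIRECTORY.get(user, [])


def authorize(user: str, target: str, tool: str) -> Decision:
    """Grant only if one role of the user permits BOTH the target and the tool.

    Roles are evaluated individually: a target taken from one role combined
    with a tool taken from another role is denied, so membership in several
    roles never widens any single role (least privilege per role).
    """
    groups = lookup_groups(user)
    if not groups:
        return Decision(False, "no directory groups")
    for group in groups:
        role = ROLES.get(group)
        if role is None:
            continue  # directory group with no role mapping is ignored
        if target in role["targets"] and tool in role["tools"]:
            return Decision(True, f"granted via {group}")
    return Decision(False, "no role permits this target/tool pair")


def audit_line(user: str, target: str, tool: str) -> str:
    """One line suitable for the session log, recording the decision and why."""
    d = authorize(user, target, tool)
    return (f"user={user} target={target} tool={tool} "
            f"allowed={str(d.allowed).lower()} reason={d.reason!r}")


if __name__ == "__main__":
    for req in [("alice", "core-switch-01", "ssh"), ("bob", "db-prod-01", "ssh"),
                ("bob", "db-prod-01", "rdp"), ("mallory", "fw-edge-01", "https")]:
        print(audit_line(*req))
```

Every decision, including denials, produces an audit line, since a rejected request for a target outside a contractor's role is exactly what the reviewers later want to see.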

THE CONSOLE

The external administrator or analyst who needs to carry out the work logs in at the central remote access point. This first access is generally performed using RDP. The advantage: only one kind of remote access must be granted, and RDP is widely available. The contractor is placed in the Xnet Secure Console, a published application. From this "location" an encrypted session to the Xnet Security Server is established, where authorisation for the actual target system and the appropriate remote access role takes place. Only now can the service technician start a session to the target system with a suitable tool and carry out the necessary work. All remote sessions are recorded (as films) and combined with the matching connection information (source, destination, time/duration, service). This information is encrypted and signed, and the files are stored in a central database.

THE MOVIE ADMIN

If a specific session and the tasks executed in it need to be reviewed after the event, the Xnet Movie Admin module is needed. Only with the Movie Admin tool is access to the recorded sessions possible and can the films be viewed. Company-internal service regulations govern who may carry out such reviews, when, how and under what preconditions.
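The signed recording store from the Console section and the verified retrieval that the Movie Admin performs, as an added example that is not Xnet's code and makes no claim about the product's actual file format or signature scheme. It assumes an HMAC-SHA256 signature under a key held by the server (a stand-in for whatever signature the product uses), an in-memory SQLite table as a stand-in for the central database, and constructed connection metadata; encryption at rest is left out so the integrity check stays readable. The point it demonstrates is that a reviewer's tool refuses to play a film whose metadata or frames were altered behind the server's back.

```python
"""Added example: tamper-evident storage and verified retrieval of session
recordings. Key, metadata and film bytes are constructed for the demo."""
import hashlib
import hmac
import json
import sqlite3

# Assumption: the signing key lives on the Security Server, never on the
# reviewer's workstation. Constructed value for the example only.
SIGNING_KEY = b"constructed-demo-key-do-not-reuse"


def create_store() -> sqlite3.Connection:
    """Stand-in for the central database: one table holding film + metadata + signature."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE recordings (
        id INTEGER PRIMARY KEY, meta TEXT NOT NULL,
        movie BLOB NOT NULL, sig BLOB NOT NULL)""")
    return conn


def canonical(meta: dict, movie: bytes) -> bytes:
    """Bind metadata and film into one canonical byte string for signing.

    Keys are sorted so the signature does not depend on dict ordering; the
    film enters via its SHA-256 so signing cost is independent of film size
    while any changed frame still changes the signed message."""
    digest = hashlib.sha256(movie).hexdigest()
    return json.dumps({"meta": meta, "sha256": digest},
                      sort_keys=True, separators=(",", ":")).encode()


def sign(meta: dict, movie: bytes) -> bytes:
    return hmac.new(SIGNING_KEY, canonical(meta, movie), hashlib.sha256).digest()


def store_session(conn: sqlite3.Connection, meta: dict, movie: bytes) -> int:
    """Server side: sign at recording time, then persist. Returns the record id."""
    cur = conn.execute(
        "INSERT INTO recordings (meta, movie, sig) VALUES (?, ?, ?)",
        (json.dumps(meta, sort_keys=True), movie, sign(meta, movie)))
    conn.commit()
    return cur.lastrowid


def fetch_session(conn: sqlite3.Connection, rec_id: int) -> tuple[dict, bytes]:
    """Movie Admin side: hand back (meta, film) only if the signature still
    matches; raise ValueError if metadata or film was altered in storage."""
    row = conn.execute("SELECT meta, movie, sig FROM recordings WHERE id = ?",
                       (rec_id,)).fetchone()
    if row is None:
        raise KeyError(rec_id)
    meta, movie, sig = json.loads(row[0]), row[1], row[2]
    # Constant-time comparison: a plain == would leak how many bytes matched.
    if not hmac.compare_digest(sig, sign(meta, movie)):
        raise ValueError(f"recording {rec_id} failed integrity check")
    return meta, movie


def tamper_demo(alter: str = "meta") -> tuple[bool, bool]:
    """Store one constructed session, verify it, alter either the stored
    metadata ('meta') or the stored film ('movie') directly in the database,
    and verify again. Returns (verified_before, verified_after)."""
    conn = create_store()
    meta = {"source": "10.0.0.5", "destination": "db-prod-01", "service": "rdp",
            "start": "2015-03-02T09:15:00Z", "duration_s": 1840, "user": "bob"}
    movie = b"\x00RECORDING-FRAMES-CONSTRUCTED"  # stand-in for the film
    rid = store_session(conn, meta, movie)
    before = fetch_session(conn, rid)[0]["user"] == "bob"
    if alter == "meta":  # someone rewrites who ran the session
        conn.execute("UPDATE recordings SET meta = ? WHERE id = ?",
                     (json.dumps({**meta, "user": "alice"}, sort_keys=True), rid))
    else:  # someone edits a frame of the film
        conn.execute("UPDATE recordings SET movie = ? WHERE id = ?",
                     (movie[:-1] + b"X", rid))
    try:
        fetch_session(conn, rid)
        after = True
    except ValueError:
        after = False
    return before, after


if __name__ == "__main__":
    print("metadata edit detected:", tamper_demo("meta") == (True, False))
    print("film edit detected:", tamper_demo("movie") == (True, False))
```

The design choice worth noting is that the signature covers the connection information and the film together, so neither can be swapped for the other's counterpart from a different session; signing only the film would leave the "who, where, when" fields that an auditor relies on unprotected.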

CONCLUSION & THE BENEFITS

With the Xnet Secure Gate the customer obtains a centralised access point for all remote sessions, including logging and recording of every administrative job processed. All commonly used remote control tools are covered. Audit control and compliance are ensured by standardised documentation across very different remote control tools; even tools that do not provide such functionality themselves are supported.

  • Centralized system for maintenance & administrative access
  • Recording of all activities for audit compliance
  • Support of multiple maintenance tools
  • Selective and controlled access to session movies from the past