FoxT ServerControl

BoKS ServerControl by Fox Technologies
Developer(s) FoxT
Stable release 7.0
Operating system Cross-platform
Type computer security
License Proprietary
Website www.foxt.com

In computer security, BoKS ServerControl, by Fox Technologies, is a proprietary software product for the centralized management of user authentication and authorization (Role-based access control). The product used to be known as BoKS, or BoKS AccessControl, which is an abbreviation for the Swedish "Behörighet- och KontrollSystem", which translates as "Legitimacy and Control System". BoKS ServerControl was originally designed for use on Unix systems, Enterprise Linux distributions, and has recently been ported to Windows as well.

The product's key features include:[1]

Operation

A basic BoKS ServerControl infrastructure consists of one master server, one or more replica servers and any number of server agent (server or desktop) systems. All communications between these hosts is encrypted ( using AES) and takes place over a reserved set of TCP/IP ports.

On the server, no modifications to the operating system are required when the agent is installed. The ServerControl daemons run alongside all the other processes, while certain key components of the environment are exchanged to enable ServerControl security. For example, on modern UNIX/Linux platforms (e.g. Solaris, HP-UX, AIX and Linux), PAM is reconfigured in such a way to hand off authentication and authorization requests to the local FoxT ServerControl daemons, which then communicates with a Replica over the network. On older versions of AIX 4.X, 5.0, 5.1, 5.2 and HP-UX 10.X (now all End of Lifed) that are not fully PAM compliant, one usually opts to replace the actual daemons (such as OpenSSH, telnet and ftp) with the FoxT versions which automatically hand over these requests.

A similar plug-in experience is used for the Windows Server agent (e.g. in Server 2008 the FoxT ServerControl agent is installed as a credential provider).

Once a user attempts to log in to a server OS, the daemon in question will ask a FoxT ServerControl Replica to verify the provided user name and password (or other authenticator, see later). If these are found to match, FoxT ServerControl will perform a second check to see whether the user is actually allowed to log in to this particular server, at this time and using this access method. If this second check is passed, the user is handed back to the login process to conclude the session in the usual fashion.

Common implementation assumes that enterprise (or service provider) provisioning workflow approval of identity occurs elsewhere. Typically user IDs and business groups reside in a corporate databases (Active Directory or LDAP), identity or role managers, and datafeeds. FoxT ServerControl becomes an enforcement and compliance reporting engine.

The BoKS ServerControl configuration may be modified in a number of ways.

Terminology

The following terms are frequently used in the management of a BoKS ServerControl infrastructure.

Term Explanation
host Any system on the network, be it master, replica, server agent (client) or non-BoKS ServerControl host.
host group A logical grouping of hosts. These can be multi-dimensional, a host can be in many intersecting hostgroups
user account A combination of a username, plus its intended target host or hostgroup.
access route One specific security authorization, assigned to a user account or a user class providing a specific linkage to a host or host group.
user class A role description assigning a set of access routes to a user account.
access method A communications protocol, such as telnet, ftp and SSH. Also includes su and suexec.
program group A logical grouping of commands to be executed through suexec, which can be used in an access route.

A few notes:

Supported protocols

BoKS ServerControl supports the following protocols: Serial & network port login(UNIX/Linux), console login (UNIX/Linux & Windows), su, suexec (UNIX/Linux equivalent to sudo), BoKS ServerControl runas (Windows equivalent to runas), secure RDP(Windows) secure telnet (UNIX/Linux), XDM and SSH (UNIX/Linux & Windows). The SSH protocol may be sub-defined and further split into ssh_sh (shell), ssh_exec (remote command execution), ssh_scp (SCP only), ssh_sftp (SFTP only), ssh_x11 (X11 forwarding), ssh_rfwd (remote port forwarding), ssh_fwd (local port forwarding) and ssh* (all of the above).

Older non-secure protocols: rlogin, rsh, rexec, ftp, rex, telnet are also supported for legacy purposes, but more typically are set up as banned across your server estate for compliance reasons. Support for PC-NFS and s-telnet has been deprecated.

Each protocol definition (defined in an Access Route) can be configured to change or require multiple factors of authentication

A typical use case might be: server support staff are challenged by a SecurID request to log in on a server console in the computer room, and to use a PKI token on their own PC in their normal work area.

It is possible to plug other protocols into FoxT ServerControl, though this will require some customization. It is easiest if the software in question has support for Pluggable Authentication Modules, as there is a standard BoKS ServerControl module for PAM.

History

Over the years the Fox Technologies family of products has changed names and vendors a few times via product and company acquisition. It originated as BoKS UnixControl at DynaSoft AB in Sweden (1987), later Dynasoft International, after which it was sold to Security Dynamics, then absorbed into RSA Security (where the product was branded as part of the Keon family), and from 2002 latterly by TFS Technology (known as UnixControl or ServerControl). The company changed its name in 2004 to Fox Technologies Inc, moved its headquarters to the USA, and uses the sales/marketing label FoxT.

Apart from direct and VAR partner sales, the product has been sold under OEM licenses by other server vendors (HP, SUN) with alternate product names.

ServerControl was used in the early days of virtualization to secure the minimal OS of a Type 2 Hyper-visor, the most common use-case VMware releases prior to version 4.

The product has been and is resold as a white-label service enhancement by a number of service providers worldwide in the Telco, Oil&Gas, Mining, FMCG, Financial Services, Healthcare, Digital Movie Distribution, Retail and Government sectors. It is also used by Platform As a Service providers to isolate customer virtual infrastructures above the network level.

See also

External links

References

This article is issued from Wikipedia - version of the Monday, May 02, 2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.