In computer security, BoKS ServerControl, by Fox Technologies, is a proprietary software product for the centralized management of user authentication and authorization (role-based access control). The product was previously known as BoKS, or BoKS AccessControl; BoKS is an abbreviation of the Swedish ''Behörighet- och KontrollSystem'', which translates as ''Legitimacy and Control System''. BoKS ServerControl was originally designed for Unix systems and enterprise Linux distributions, and has more recently been ported to Windows as well.

The product's key features include:
* Centrally defined access policies for user access to Unix, Linux and Windows servers.
* Real-time provisioning of security policies from a web interface or the command line.
* A wide range of configuration options, including different levels of security for specific servers or groups of servers.
* A customized OpenSSH that allows fine-grained access control over SSH subsystems such as SFTP, SCP, X11 forwarding and tunnelling, and automatic population of allowed_hosts files.
* Extensibility beyond the initial set of supported protocols through Pluggable Authentication Modules (PAM).
* Tools for proactive security monitoring.
* Interoperability with directory services such as NIS+, LDAP, LDAPS, Kerberos and Active Directory.
* Active Directory (AD) bridging, which allows UNIX/Linux systems to join AD and use the Kerberos protocol for user authentication.
* Interoperability with, and the ability to require exactly one or a cascade of, authenticators for specific access authentication: OTP code systems, smart cards, PKI certificates, SSH user and host keys, Kerberos session tickets, regenerated random passwords, and passwords with a defined complexity.

== Operation ==
A basic BoKS ServerControl infrastructure consists of one master server, one or more replica servers and any number of server agent (server or desktop) systems.
All communication between these hosts is encrypted (using AES) and takes place over a reserved set of TCP/IP ports.
* The master server runs the main database and the management web interface. All changes to accounts, security policies and access routes are made on the master server.
* Replica servers hold a read-only copy of the database, which is updated asynchronously. Replicas handle most of the authentication and authorization requests sent by servers and desktops. A replica can also be promoted to master server for disaster recovery.

On the server, no modifications to the operating system are required when the agent is installed. The ServerControl daemons run alongside all other processes, while certain key components of the environment are replaced to enable ServerControl security. For example, on modern UNIX/Linux platforms (e.g. Solaris, HP-UX, AIX and Linux), PAM is reconfigured to hand off authentication and authorization requests to the local FoxT ServerControl daemons, which then communicate with a replica over the network. On older versions of AIX (4.x, 5.0, 5.1 and 5.2) and HP-UX 10.x (all now end of life) that are not fully PAM compliant, one usually opts instead to replace the actual daemons (such as OpenSSH, telnet and ftp) with the FoxT versions, which hand over these requests automatically. The Windows Server agent plugs in in a similar way (e.g. on Server 2008 the FoxT ServerControl agent is installed as a credential provider).

Once a user attempts to log into a server, the daemon in question asks a FoxT ServerControl replica to verify the supplied user name and password (or other authenticator). If these match, FoxT ServerControl performs a second check to determine whether the user is actually allowed to log into this particular server, at this time and using this access method.
If this second check is also passed, the user is handed back to the login process, which concludes the session set-up in the usual fashion.

A common implementation assumes that approval of identities in the enterprise (or service provider) provisioning workflow takes place elsewhere. Typically user IDs and business groups reside in corporate databases (Active Directory or LDAP), identity or role managers, and data feeds; FoxT ServerControl then acts as an enforcement and compliance reporting engine.

The BoKS ServerControl configuration may be modified in a number of ways:
* Through the management web interface.
* From the Unix/Linux command line.
* Through automatic user and group updates from Active Directory and LDAP synchronization.
* Through integration with role or identity managers via APIs.
* By dumping the security database, editing it manually and restoring it (not recommended).
* Early versions of FoxT ServerControl could also be configured using a Tivoli/Plus module.

Excerpt source: the free encyclopedia Wikipedia.
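The two-phase login decision described under Operation (verify the authenticator first, then check an access route for this user, host, access method and time) can be illustrated with a small policy engine. The following is an added example and not BoKS or FoxT ServerControl code: the user store, the AccessRoute record, the suffix-glob host pattern, the PBKDF2 password storage and the daily time window are all assumptions made for the illustration, and the sample users and routes are constructed.

```python
"""Constructed two-phase login check: authenticate, then authorize.

Not BoKS/FoxT ServerControl code. Field names, the route format and the
policy semantics are assumptions for this illustration.
"""
from dataclasses import dataclass
from datetime import datetime, time
import hashlib
import hmac

# Phase 1 store (constructed): username -> (salt, PBKDF2-derived key).
def _derive(salt: bytes, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

_SALT = b"constructed-salt"  # a real store would use a per-user random salt
USER_DB = {
    "alice": (_SALT, _derive(_SALT, "correct horse battery staple")),
    "bob": (_SALT, _derive(_SALT, "hunter2-but-much-longer")),
}


@dataclass(frozen=True)
class AccessRoute:
    """One permitted route: who may reach which host, how, and when."""
    user: str          # principal the route applies to
    host_pattern: str  # exact host name, or "*.suffix" matching any host under it
    method: str        # access method, e.g. "ssh", "telnet", "console"
    start: time        # daily window start (inclusive)
    end: time          # daily window end (exclusive)


# Phase 2 store (constructed): the access routes the master would distribute.
ROUTES = [
    AccessRoute("alice", "*.prod.example.com", "ssh", time(8, 0), time(18, 0)),
    AccessRoute("bob", "build01.dev.example.com", "ssh", time(0, 0), time(23, 59)),
]


def host_matches(pattern: str, host: str) -> bool:
    """Exact match, or suffix match for patterns of the form "*.domain"."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host


def authenticate(user: str, password: str) -> bool:
    """Phase 1: derive the key for the offered password and compare it in constant time."""
    entry = USER_DB.get(user)
    if entry is None:
        # Derive anyway so an unknown user costs the same as a wrong password.
        _derive(_SALT, password)
        return False
    salt, stored = entry
    return hmac.compare_digest(_derive(salt, password), stored)


def authorize(user: str, host: str, method: str, when: datetime) -> bool:
    """Phase 2: is there any access route covering this user, host, method and time?"""
    t = when.time()
    return any(
        r.user == user
        and host_matches(r.host_pattern, host)
        and r.method == method
        and r.start <= t < r.end
        for r in ROUTES
    )


def login(user: str, password: str, host: str, method: str, when: datetime):
    """Return (allowed, reason). The second check only runs if the first passed."""
    if not authenticate(user, password):
        return False, "authentication failed"
    if not authorize(user, host, method, when):
        return False, "no access route for this host, method and time"
    return True, "ok"


if __name__ == "__main__":
    now = datetime(2024, 1, 10, 9, 30)
    print(login("alice", "correct horse battery staple", "web1.prod.example.com", "ssh", now))
    print(login("alice", "correct horse battery staple", "web1.prod.example.com", "telnet", now))
```

The point worth noting is that a valid password alone never grants access: the same credential is refused outside the route's time window, over an access method the route does not list, or on a host the pattern does not cover, and the reason string distinguishes an authentication failure from an authorization failure so that audit logging can tell them apart.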