
NetWitness NextGen 9.0 RSA AM 6.1 7.1

Date post: 05-Apr-2018
Upload: ajayjo4567
  • 7/31/2019 NetWitness NextGen 9.0 RSA AM 6.1 7.1


    NetWitness NextGen

    RSA SecurID Ready Implementation Guide

    Last Modified: October 27, 2009

    Partner Information

    Product Information
    Partner Name: NetWitness Corporation
    Web Site: www.netwitness.com
    Product Name: NextGen
    Version & Platform: 9.0
    Product Description: NetWitness NextGen is an enterprise software framework that captures all network traffic and reconstructs the network sessions to the application layer for automated alerting and monitoring, and interactive analysis and review.
    Product Category: Intrusion Detection System (IDS)


    Solution Summary

    RSA SecurID authentication enhances security for NetWitness solutions by creating a trusted and secured solution for our users. The SecurID solution offers a more robust authentication method than the previous user name and password standard.

    Partner Integration Overview
    Authentication Methods Supported: Native RSA SecurID Authentication
    RSA SecurID Library Version Used: Authentication Agent 6.0 for PAM
    RSA Authentication Manager Replica Support *: Full Replica Support
    RSA Authentication Agent Host Type for 6.1: Net OS
    RSA Authentication Agent Host Type for 7.1: Standard Agent
    RSA SecurID User Specification: Designated Users
    RSA SecurID Protection of Administrative Users: Yes
    RSA Software Token and RSA SecurID 800 Automation: No

    * = Mandatory Function when using Native SecurID Protocols

    [Figure: Authentication Manager and NetWitness Appliance (Agent Host)]

    Product Requirements

    Partner Product Requirements: NetWitness NextGen Appliance
    Version: 9.0


    Agent Host Configuration

    Important: Agent Host and Authentication Agent are synonymous. Agent Host is a term used with the RSA Authentication Manager 6.x servers and below. RSA Authentication Manager 7.1 uses the term Authentication Agent.

    Important: All Authentication Agent types for 7.1 should be set to Standard Agent.

    To facilitate communication between the NetWitness NextGen Appliance and the RSA Authentication Manager / RSA SecurID Appliance, an Agent Host record must be added to the RSA Authentication Manager database. The Agent Host record identifies the NetWitness NextGen Appliance within its database and contains information about communication and encryption.

    To create the Agent Host record, you will need the following information:

    • Hostname
    • IP Addresses for all network interfaces

    When adding the Agent Host Record, you should configure the NetWitness NextGen Appliance as UNIX Agent Host. This setting is used by the RSA Authentication Manager to determine how communication with the NetWitness NextGen Appliance will occur.

    Note: Hostnames within the RSA Authentication Manager / RSA SecurID Appliance must resolve to valid IP addresses on the local network.

    Please refer to the appropriate RSA Security documentation for additional information about Creating, Modifying and Managing Agent Host records.

    RSA SecurID files

    RSA SecurID Authentication Files
    Files | Location
    sdconf.rec | /var/ace
    Node Secret | None stored
    sdstatus.12 | None stored
    sdopts.rec | /var/ace


    Partner Product Configuration

    Before You Begin

    This section provides instructions for integrating NetWitness NextGen with RSA SecurID Authentication. This document is not intended to suggest optimum installations or configurations.

    It is assumed that the reader has both working knowledge of all products involved, and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products in order to install the required components.

    All vendor products/components must be installed and working prior to the integration. Perform the necessary tests to confirm that this is true before proceeding.

    RSA Authentication Agent 6.0 for PAM Installation

    Installing the PAM Agent involves setting up your environment, enabling the PAM Agent, and running the installation script.

    Note: The PAM Agent is available as a download from RSA.

    Setting Up Your Environment

    Before you perform the installation, verify that:

    • You have root permissions on the Agent Host.
    • You have created an installation directory on the machine on which you are installing the PAM Agent.
    • You have the most up-to-date version of the sdconf.rec from the RSA Authentication Manager stored in an accessible directory, such as /var/ace, on the Agent Host.

    Note: The root administrator on the Host must have write permission to the directory in which the sdconf.rec is stored.

    • You have created an Agent Host record for the PAM Agent in the RSA Authentication Manager database. For more information, see the RSA Authentication Manager documentation.
    • You have set an environment variable called VAR_ACE that points to the location of sdconf.rec.


    To install the PAM Agent:

    1. Change to the directory you created when you copied the software, and untar the file. Type:

        tar xvf filename.tar

    2. Run the install script. Type:

        ./install_pam.sh

    3. Follow the prompts until you are prompted for the sdconf.rec directory. If the path is correct, press ENTER. If the path is incorrect, verify that it is correctly defined in the VAR_ACE environment variable.

    4. For each of the remaining installation prompts, press ENTER to accept the default value or type in a different path.

    To specify the Agent Host IP address:

    Note: The Agent Host uses the IP address that you specify to communicate with the Authentication Manager.

    1. Use any text editor to create an sdopts.rec file in the /var/ace directory.

    2. Type the line below, where x.x.x.x is the IP address of the Agent Host:

        CLIENT_IP=x.x.x.x

    Note: Use only uppercase letters, and do not include any spaces.

    3. Save the file.

    Configuring the PAM Agent

    Editing the netwitness file via command line:

    1. Change to the /etc/pam.d directory.

    2. Open the netwitness file in a text editor and edit the text to the following:

        #%PAM-1.0
        #auth include system-auth
        auth required pam_unix.so
        auth required pam_securid.so
        account required pam_deny.so
        password required pam_deny.so
        session required pam_deny.so

    Editing the netwitness file via the NetWitness Administrator application:

    1. Open the NetWitness Administrator and connect to the Appliance (Agent Host).

    2. Click on the Files icon in the top right hand corner of the details pane.


    3. Select the netwitness file from the drop down list.

    4. Edit the netwitness file text to the following:

        #%PAM-1.0
        #auth include system-auth
        auth required pam_unix.so
        auth required pam_securid.so
        account required pam_deny.so
        password required pam_deny.so
        session required pam_deny.so

    Note: This scenario assumes that the customer will want to use a user name, password and PASSCODE to authenticate. In this scenario, it is required to create a Linux user that matches the NetWitness user created in the next section.
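
    The stack above enforces both factors only while each active auth line stays required: if pam_unix.so were marked sufficient, a correct password would end the stack before pam_securid.so runs. The script below is an added example, not part of the original guide or of any RSA or NetWitness tooling; it checks that property and the CLIENT_IP line format given earlier. The function names audit_pam_auth and check_sdopts and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the guide: static checks for the two files it edits.

# audit_pam_auth FILE: succeed only if every active auth line is
# required/requisite, nothing is included from another stack, and
# pam_securid.so is present. Findings go to stdout.
audit_pam_auth() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }      # comments and blank lines
        $1 != "auth"          { next }      # only the auth stack is audited
        $2 == "include" || $2 == "substack" {
            print "FAIL: auth pulls in " $3; bad = 1; next
        }
        $2 != "required" && $2 != "requisite" {
            print "FAIL: " $3 " is " $2 ", so a later module can be skipped"
            bad = 1
        }
        $3 ~ /pam_securid\.so$/ { securid = 1 }
        END {
            if (!securid) { print "FAIL: pam_securid.so missing from auth"; bad = 1 }
            exit bad + 0
        }' "$1"
}

# check_sdopts FILE: the guide's form only, CLIENT_IP=x.x.x.x, uppercase key,
# no spaces. Octet ranges are not checked.
check_sdopts() {
    if grep -Eq '^CLIENT_IP=([0-9]{1,3}\.){3}[0-9]{1,3}$' "$1"; then
        return 0
    fi
    echo "FAIL: no well-formed CLIENT_IP= line in $1"
    return 1
}

# Constructed sample inputs (192.0.2.10 is a documentation address).
tmp=$(mktemp -d)
printf '%s\n' '#%PAM-1.0' '#auth include system-auth' \
    'auth required pam_unix.so' 'auth required pam_securid.so' \
    'account required pam_deny.so' > "$tmp/guide"
printf '%s\n' '#%PAM-1.0' 'auth sufficient pam_unix.so' \
    'auth required pam_securid.so' > "$tmp/weak"
printf 'CLIENT_IP=192.0.2.10\n' > "$tmp/sdopts.ok"
printf 'client_ip = 192.0.2.10\n' > "$tmp/sdopts.bad"

audit_pam_auth "$tmp/guide" && echo "guide stack: ok"
audit_pam_auth "$tmp/weak" || echo "weak stack: rejected"
check_sdopts "$tmp/sdopts.ok" && echo "sdopts.ok: ok"
check_sdopts "$tmp/sdopts.bad" || echo "sdopts.bad: rejected"
rm -rf "$tmp"
```

    On an appliance the same functions would be pointed at /etc/pam.d/netwitness and /var/ace/sdopts.rec, the paths the guide uses.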


    Creating a NetWitness User that Authenticates Using RSA:

    1. Open NetWitness Administrator and connect to the Appliance (Agent Host).

    2. From the Edit menu, select Users and Groups.

    3. Select the appropriate appliance from the Services column and select the green + icon in the users column.


    4. Enter the user name.

    5. For AuthType, select External.

    6. Finally, select the group(s) that you want the user to be a part of and click OK.

    Performing a Test Authentication

    To successfully test authentication, you must use a token with a PIN that is already registered in the Authentication Manager database. Follow the New PIN procedure for proper registration.

    For additional information, contact your Authentication Manager administrator.

    To perform a test authentication:

    1. Change to the /opt/pam/bin directory. Type:

        ./acetest

    2. Enter your user name and passcode.

    If you are repeatedly denied access, contact your Authentication Manager administrator.


    Logging Into a NetWitness Appliance Using RSA

    1. Click on the Add/Create icon in the top left of the Navigation Pane.


    2. Enter the Server IP address or name, port, username and password.


    3. Now the added Appliance should be listed in the Navigation Pane. Double click on the appliance to connect.

    4. You should be prompted for your password.


    5. After successfully entering the password, the user will be prompted to enter their passcode.

    6. After entering their passcode the user should be successfully connected.


    Certification Checklist for RSA Authentication Manager v6.x

    Date Tested: October 13, 2009

    Certification Environment
    Product Name | Version Information | Operating System
    RSA Authentication Manager | 6.1 | Windows 2003 SP2
    RSA Authentication Agent PAM | 6.0 | Fedora Core 9
    NetWitness NextGen | 9.0 | Fedora Core 9

    Mandatory Functionality
    RSA Native Protocol | RADIUS Protocol

    New PIN Mode
    Force Authentication After New PIN | Force Authentication After New PIN: N/A
    System Generated PIN | System Generated PIN: N/A
    User Defined (4-8 Alphanumeric) | User Defined (4-8 Alphanumeric): N/A
    User Defined (5-7 Numeric) | User Defined (5-7 Numeric): N/A
    User Selectable | User Selectable: N/A
    Deny 4 and 8 Digit PIN | Deny 4 and 8 Digit PIN: N/A
    Deny Alphanumeric PIN | Deny Alphanumeric PIN: N/A

    Passcode
    16 Digit Passcode | 16 Digit Passcode: N/A
    4 Digit Password | 4 Digit Password: N/A

    Next Tokencode Mode
    Next Tokencode Mode | Next Tokencode Mode: N/A

    Load Balancing / Reliability Testing
    Failover (3-10 Replicas) | Failover: N/A
    Name Locking Enabled | Name Locking Enabled
    No RSA Authentication Manager | No RSA Authentication Manager: N/A

    Additional Functionality
    RSA Native Protocol | RADIUS Protocol

    RSA Software Token Automation
    System Generated PIN: N/A | System Generated PIN: N/A
    User Defined (8 Digit Numeric): N/A | User Defined (8 Digit Numeric): N/A
    User Selectable: N/A | User Selectable: N/A
    Next Tokencode Mode: N/A | Next Tokencode Mode: N/A

    RSA SecurID 800 Token Automation
    System Generated PIN: N/A | System Generated PIN: N/A
    User Defined (8 Digit Numeric): N/A | User Defined (8 Digit Numeric): N/A
    User Selectable: N/A | User Selectable: N/A
    Next Tokencode Mode: N/A | Next Tokencode Mode: N/A

    Credential Functionality
    Determine Cached Credential State: N/A | Determine Cached Credential State
    Set Credential: N/A | Set Credential
    Retrieve Credential: N/A | Retrieve Credential

    DRP / PAR = Pass = Fail N/A = Non-Available Function


    Certification Checklist for RSA Authentication Manager 7.x

    Date Tested: October 9, 2009

    Certification Environment
    Product Name | Version Information | Operating System
    RSA Authentication Manager | 7.1 | Windows 2003 SP2
    RSA Authentication Agent PAM | 6.0 | Fedora Core 9
    NextGen | 9.0 | Fedora Core 9

    Mandatory Functionality
    RSA Native Protocol | RADIUS Protocol

    New PIN Mode
    Force Authentication After New PIN | Force Authentication After New PIN: N/A
    System Generated PIN | System Generated PIN: N/A
    User Defined (4-8 Alphanumeric) | User Defined (4-8 Alphanumeric): N/A
    User Defined (5-7 Numeric) | User Defined (5-7 Numeric): N/A
    Deny 4 and 8 Digit PIN | Deny 4 and 8 Digit PIN: N/A
    Deny Alphanumeric PIN | Deny Alphanumeric PIN: N/A
    Deny Numeric PIN | Deny Numeric PIN: N/A
    PIN Reuse | PIN Reuse: N/A

    Passcode
    16 Digit Passcode | 16 Digit Passcode: N/A
    4 Digit Fixed Passcode | 4 Digit Fixed Passcode: N/A

    Next Tokencode Mode
    Next Tokencode Mode | Next Tokencode Mode: N/A

    Load Balancing / Reliability Testing
    Failover (3-10 Replicas) | Failover: N/A
    No RSA Authentication Manager | No RSA Authentication Manager: N/A

    Additional Functionality
    RSA Native Protocol | RADIUS Protocol

    RSA Software Token Automation
    System Generated PIN: N/A | System Generated PIN: N/A
    User Defined (8 Digit Numeric): N/A | User Defined (8 Digit Numeric): N/A
    Next Tokencode Mode: N/A | Next Tokencode Mode: N/A

    RSA SecurID 800 Token Automation
    System Generated PIN: N/A | System Generated PIN: N/A
    User Defined (8 Digit Numeric): N/A | User Defined (8 Digit Numeric): N/A
    Next Tokencode Mode: N/A | Next Tokencode Mode: N/A

    DRP / PAR = Pass = Fail N/A = Non-Available Function

