Wallix vs Balabit: admin control software comparison [RDP]

    Increasingly, large companies are thinking about controlling and monitoring access to business-critical servers: who logged in, what they did, and when. Built-in logging is not always convenient or readable, and products for "privileged user control" (privileged access management) have gradually started to appear on the Russian market. I found it interesting to compare two of the main products in this class, Balabit Shell Control Box and Wallix Admin Bastion.

    Note: to keep the article short, the comparison covers only the RDP protocol and the products' functionality as a whole, so it is fairly general. Both products also support SSH, but it is NOT considered in this article so as not to lump everything together.


    Who needs admin control systems?


    In our computerized age the system administrator has almost become the "king and god" of a company's IT space. As a result, management prefers not to get into conflicts with administrators and to make concessions where possible, because an administrator who leaves "on bad terms" can cause considerable damage to the business. So the very phrase "admin control" may sound to many top managers like deliverance from a sensitive problem and an excellent solution, but... is it that simple? Of course not. So first of all I would like to briefly identify the companies in which products of this kind can really bring some benefit. The list is based on our own experience and does not claim to be the ultimate truth, i.e. it is subjective from the outset.

    So, "admin control" comes in handy for:

    • Companies with more than roughly 7-10 system administrators;
    • Companies whose IT support is provided by an external organization (outsourcing);
    • Companies with specialized software whose vendor's or distributor's specialists have to be let onto the target servers;
    • Companies that are under pressure from regulators and are required to comply with various standards (not encountered personally, but not ruled out).

    In other cases, the use of software for admin control is usually not advisable.

    Both systems described below ship as either a hardware or a virtual appliance, each built on a modified Unix-like system: Wallix is based on Debian, Balabit on ZorpOS. The required hardware capacity depends on the number of active users and the number of protected servers.

    How it works - Wallix Admin Bastion


    Wallix works only in bastion mode at the application layer of the OSI model, i.e. it is inserted in-line on the network path in an explicit form that is visible to the administrator. Rules are configured on the Wallix server (more on them below), and based on them it passes or blocks administrators' connections. The administrator connects to the Wallix server over RDP (standard port 3389) and logs in with a local account created on it (or imported from AD). He is then shown the list of server + target account pairs available to him and picks the server he needs. Wallix can supply the target account's password itself, but it can also be configured to ask the administrator for it. For clarity, the logical connection diagram is shown below:

    Logical diagram of connecting admins to protected servers via Wallix

    Wallix settings are binary (true/false, allowed/denied) mappings between two kinds of groups: groups of accounts on Wallix itself (which can be replaced by accounts imported from AD) and groups of server + target account pairs.


    The form for adding/editing a protected server and target account

    The number of such mappings, and of the groups themselves, is unlimited, and together they build the access matrix of who may connect where.
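    To make the matrix concrete, here is an added example (my own code, not Wallix's) that builds the same kind of allow/deny matrix from group-level rules and answers the two questions the bastion has to answer: which server/account pairs a given user is shown, and whether a particular connection is permitted. All user, server and group names are made up; the rule that an explicit False entry behaves like an absent one (so a user allowed through one group is not blocked by a deny on another) is an assumption of this model, not something the article states about Wallix.

```python
from itertools import product

# Constructed sample data (not from the article): administrators' own logins,
# grouped as they would be on the bastion or after import from AD.
USER_GROUPS = {
    "windows-admins": {"alice", "bob"},
    "dba":            {"carol", "bob"},      # bob is in two groups
    "vendor-erp":     {"vendor1"},
}

# Groups of (server, target account) pairs.
TARGET_GROUPS = {
    "win-servers-admin": {("dc01", "Administrator"), ("file01", "Administrator")},
    "sql-servers":       {("sql01", "sqladmin")},
    "erp-app":           {("erp01", "erpsvc")},
    "backup":            {("backup01", "backupop")},   # no rule refers to it
}

# Binary rules: (user group, target group) -> allowed. A pair that is absent is
# denied. Assumption for this model: a False entry is equivalent to an absent one,
# so a user allowed through one group is not blocked by a False rule on another.
RULES = {
    ("windows-admins", "win-servers-admin"): True,
    ("windows-admins", "sql-servers"):       False,
    ("dba",            "sql-servers"):       True,
    ("vendor-erp",     "erp-app"):           True,
}


def build_matrix(user_groups, target_groups, rules):
    """Expand group-level rules into the effective (user, server, account) -> bool matrix."""
    users = set().union(*user_groups.values())
    targets = set().union(*target_groups.values())
    matrix = {(u, s, a): False for u, (s, a) in product(users, targets)}
    for (ug, tg), allowed in rules.items():
        if not allowed:
            continue
        for u in user_groups[ug]:
            for s, a in target_groups[tg]:
                matrix[(u, s, a)] = True
    return matrix


def can_connect(matrix, user, server, account):
    """The check the bastion makes when a user picks a server/account pair."""
    return matrix.get((user, server, account), False)


def targets_for(matrix, user):
    """What the user sees after logging into the bastion: allowed server/account pairs."""
    return sorted((s, a) for (u, s, a), ok in matrix.items() if u == user and ok)


def unreachable_targets(matrix):
    """Targets no user may reach; usually a forgotten rule, worth flagging in review."""
    reachable = {(s, a) for (u, s, a), ok in matrix.items() if ok}
    all_targets = {(s, a) for (u, s, a) in matrix}
    return sorted(all_targets - reachable)


MATRIX = build_matrix(USER_GROUPS, TARGET_GROUPS, RULES)

if __name__ == "__main__":
    for user in sorted(set().union(*USER_GROUPS.values())):
        print(user, targets_for(MATRIX, user))
    print("unreachable:", unreachable_targets(MATRIX))
```

    Expanding the rules into the full matrix is what makes the configuration reviewable: `unreachable_targets` surfaces a server nobody can reach (a forgotten mapping), and listing `targets_for` each user is the quickest way to spot an account that has accumulated access through group membership.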

    Wallix stores RDP recordings as video files, which can be run through the built-in text recognizer (OCR); the recognized text can then be searched (searching across more than one recording at a time was promised for upcoming versions).


    List of saved RDP session recordings

    How can administrators be "forced" to reach the servers they need through Wallix?

    • Close direct routes at the network level, combined with organizational measures ("either this way or not at all, otherwise severe measures will follow...");
    • Allow access to protected servers only under specially created domain accounts whose passwords Wallix changes once an hour/day/week/month (the passwords are sent in encrypted form to a specified mailbox; a GPG certificate and its passphrase are needed to read them).

    Product advantages
    • Simple, straightforward setup;
    • A stable "bastion" operating mode, the possibility of dual authorization, and the access matrix built on it;
    • Ability to integrate with multiple ADs.

    Product cons
    • There is no stable "transparent" mode. The one that is advertised works only haphazardly and with a great deal of fiddling, or does not work at all;
    • There are production nuances the product does not account for (version 4.2), which have to be patched over with workarounds on the fly.

    How it works - Balabit Shell Control Box


    Balabit is also placed in-line, but it can work in several modes at different OSI layers. Transparent vs. non-transparent mode is set directly in the connection policy itself, which is very convenient for fine-tuning a particular connection.

    Transparent Mode


    The main advantage of Balabit is that it can work in "transparent" mode, sitting on the network in a form hidden from administrators. IP spoofing makes it "invisible" even to firewalls and routers: it substitutes the administrator's PC address as the source IP, so no separate permissions for the appliance itself need to be configured on the network equipment.

    For Balabit to work in transparent mode, the corresponding routes are configured on the router (send all traffic from subnet N to the Balabit IP address). Traffic that Balabit cannot recognize (i.e. in which it cannot identify a controlled protocol) is passed on unchanged to the specified gateway.

    Note: in transparent mode there is no authorization on the Balabit server itself; however, the system records under which account the administrator authenticated on the protected server, which later allows the required filters to be set and the right video recording to be found.
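    The two decisions described above, recognizing a controlled protocol in a flow that is otherwise passed through, and attaching a user name to the session, are illustrated by the following added example. It is my own code, not Balabit's: it parses the first packet an RDP client sends (the X.224 Connection Request inside a TPKT header, as specified in MS-RDPBCGR), classifies the flow as "rdp" or "passthrough", and extracts the `mstshash` login-name cookie that the Microsoft client includes. Both sample packets are constructed inline.

```python
import struct

COOKIE_PREFIX = b"Cookie: mstshash="


def parse_rdp_connection_request(data):
    """Parse the first client packet of an RDP session, the X.224 Connection
    Request inside a TPKT header (MS-RDPBCGR 2.2.1.1). Returns a dict with the
    client's login-name hint and requested security protocols, or None if the
    bytes are not a well-formed Connection Request."""
    # TPKT: version 3, reserved 0, big-endian total length
    if len(data) < 11 or data[0] != 0x03 or data[1] != 0x00:
        return None
    (tpkt_len,) = struct.unpack(">H", data[2:4])
    if tpkt_len != len(data):
        return None                       # truncated or coalesced segment
    li, tpdu_code = data[4], data[5]
    if tpdu_code != 0xE0 or 5 + li != tpkt_len:
        return None                       # not a CR TPDU, or length fields disagree
    # offsets 6..10: dst-ref (0), src-ref, class option; variable part follows
    body = data[11:5 + li]
    info = {"user_hint": None, "requested_protocols": None}
    if body.startswith(COOKIE_PREFIX):
        end = body.find(b"\r\n")
        if end == -1:
            return None
        info["user_hint"] = body[len(COOKIE_PREFIX):end].decode("ascii", "replace")
        body = body[end + 2:]
    if len(body) >= 8 and body[0] == 0x01:  # TYPE_RDP_NEG_REQ
        _type, _flags, length, protocols = struct.unpack("<BBHI", body[:8])
        if length == 8:
            info["requested_protocols"] = protocols
    return info


def classify_first_packet(data):
    """Per-flow decision of an in-line device: inspect and record as RDP, or pass through."""
    info = parse_rdp_connection_request(data)
    return ("rdp", info) if info is not None else ("passthrough", None)


def build_connection_request(user_hint, requested_protocols=0x03):
    """Constructed sample packet (what an mstsc client sends as its first PDU).
    0x03 = PROTOCOL_SSL | PROTOCOL_HYBRID (TLS and CredSSP offered)."""
    body = b""
    if user_hint is not None:
        body += COOKIE_PREFIX + user_hint.encode("ascii") + b"\r\n"
    body += struct.pack("<BBHI", 0x01, 0x00, 8, requested_protocols)
    x224 = bytes([0xE0]) + b"\x00\x00" + b"\x00\x00" + b"\x00" + body
    tpdu = bytes([len(x224)]) + x224              # length indicator + TPDU
    return b"\x03\x00" + struct.pack(">H", 4 + len(tpdu)) + tpdu


# Constructed samples: an RDP client hello and an HTTP request on the same path.
SAMPLE_RDP = build_connection_request("alice")
SAMPLE_HTTP = b"GET / HTTP/1.1\r\nHost: intranet\r\n\r\n"

if __name__ == "__main__":
    for pkt in (SAMPLE_RDP, SAMPLE_HTTP):
        print(classify_first_packet(pkt))
```

    One caveat worth keeping in mind: the `mstshash` cookie is a hint chosen by the client before any authentication happens, so it is useful for filtering recordings but must not be mistaken for the identity that actually logged in. Learning the authenticated account, as the note above says Balabit does, requires terminating the TLS/CredSSP session in the middle, which is exactly why the transparent mode is a man-in-the-middle design.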

    Balabit settings are organized per protected server: each server has its own connection settings and access rights (for transparent mode: from which network the protected server may be reached). The settings form is shown below:


    Settings for access to a protected server via Balabit

    In transparent mode the bulk of the configuration lies in traffic routing and network equipment settings. The settings on Balabit itself are minimal and operate with the IP addresses from which protected servers are accessed, rather than with users and their rights as implemented in Wallix.

    Bastion mode


    The bastion mode has several implementations:
    1. TS Gateway mode. In this mode the DNS name of the Balabit server is entered in the RDP client as the Remote Desktop Gateway server. This mode uses certificates, encrypting traffic up to the TS Gateway (with the Balabit server's certificate) and from Balabit to the protected server (with either a certificate generated on the fly or one uploaded to Balabit). With this kind of connection the password of the target account, set up in advance on the Balabit server, can be substituted, so the administrator need not know the credentials for connecting to the protected server. However, Balabit itself cannot change passwords automatically or otherwise "manage" them; for that it integrates with a separate system, Thycotic Secret Server (SSO).

      Note: this scheme is very capricious in operation, because it requires a fair amount of fine-tuning and an understanding of what is being configured and why. Sometimes there are unpredictable surprises (for example, when a proxy was specified in the browser settings, the RDP client refused to resolve the Balabit server's DNS name).

    2. Authorization-on-gateway mode. In this mode the administrator needs two monitors: he starts the connection to the protected server, then, after the connection has been initiated, logs into the Balabit web interface and "allows" his own connection. This option also requires routing of the network traffic and the corresponding settings on the router(s).
    3. Four-eyes mode. Works the same way as in point 2, but here a different person must grant the "allow".
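    For the TS Gateway mode in point 1, the client-side part is a handful of gateway settings in the .rdp file. The following added example (my own code, not from Balabit or the article) shows such a file with the gateway made mandatory next to one that lets the client bypass it, and a small checker that flags the weak settings. The hostnames are made up; the meaning of the `gatewayusagemethod` and `authentication level` values follows Microsoft's documented RDP file settings, and the checker's policy is my own.

```python
# Constructed .rdp files in mstsc's "key:type:value" format (s = string, i = integer).
# Gateway hostnames are made up. The meaning of gatewayusagemethod values
# (0 = do not use, 1 = always use, 2 = bypass the gateway for local addresses)
# and authentication level (0 = connect even if the server certificate check fails)
# follows Microsoft's RDP file settings reference.
ENFORCED_RDP = """\
full address:s:sql01.corp.example
gatewayhostname:s:scb.corp.example
gatewayusagemethod:i:1
gatewayprofileusagemethod:i:1
gatewaycredentialssource:i:0
authentication level:i:2
"""

WEAK_RDP = """\
full address:s:sql01.corp.example
gatewayhostname:s:scb.corp.example
gatewayusagemethod:i:2
gatewayprofileusagemethod:i:1
authentication level:i:0
"""


def parse_rdp_file(text):
    """Parse an .rdp file into a dict; integer ('i') settings are converted."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.count(":") < 2:
            continue
        key, typ, value = line.split(":", 2)
        settings[key] = int(value) if typ == "i" else value
    return settings


def gateway_findings(settings, expected_gateway):
    """Problems that would let a client skip or weaken the gateway path; empty = OK."""
    findings = []
    if settings.get("gatewayhostname", "").lower() != expected_gateway.lower():
        findings.append("gatewayhostname is not the bastion")
    method = settings.get("gatewayusagemethod", 0)
    if method != 1:
        findings.append(f"gatewayusagemethod={method}: gateway not mandatory (1 = always use)")
    if settings.get("gatewayprofileusagemethod", 0) != 1:
        findings.append("gatewayprofileusagemethod != 1: explicit gateway settings are not applied")
    if settings.get("authentication level", 0) == 0:
        findings.append("authentication level=0: a failed server certificate check is ignored")
    return findings


def check_rdp_file(text, expected_gateway="scb.corp.example"):
    """Convenience wrapper: parse and evaluate one .rdp file against the expected gateway."""
    return gateway_findings(parse_rdp_file(text), expected_gateway)


if __name__ == "__main__":
    print("enforced:", check_rdp_file(ENFORCED_RDP))
    print("weak:", check_rdp_file(WEAK_RDP))
```

    A file like this only instructs the client; an administrator can edit it, or simply type the server name into mstsc without a gateway. That is why the TS Gateway mode still relies on the same kind of network-level closure of direct routes as described for Wallix above, and why the certificate check (`authentication level`) matters: with it disabled, the client would accept any box presenting itself as the gateway.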


    Each mode has its own settings, which I would rather not go into now. Suffice it to say that the number of fields can make your eyes glaze over :))

    The system also stores all sessions as video recordings. OCR is performed once, and search of the recognized text across all recordings is already available. To view a session you need client software (Audit Player), which comes with the distribution and is installed on the "operator" PC running a Microsoft OS.


    List of saved RDP session recordings (Balabit)

    Product advantages
    • Works stably and professionally in transparent (MitM) mode;
    • Has many fine-grained settings for almost every taste;

    Product cons
    • Integrates with only one AD (requires joining the AD domain);
    • The "bastion" mode sometimes requires a lot of fiddling and long sessions with the manuals;
    • Cannot manage passwords;
    • Dual authorization is rather confusingly arranged;

    Summarizing


    As can be seen from the text above, each product has its own strengths and weaknesses; it all depends on the set of tasks assigned to it. Not all features of the two systems were included in the comparison.

    I would also like to note separately that, alongside Wallix, the CyberArk system is on the market, which has similar but more advanced functionality in "bastion" mode. Its operation is built on the MS RemoteApp mechanism, which made it possible to increase the number of supported protocols and connection options. Unfortunately, the author does not have sufficient competence to add it to the comparison, but considers it unforgivable to remain silent about it.
