REMOTE MANAGED SERVICES REALTIME

RMS EXPANDED SERVICES FAQ
WHAT IS MEANT BY “RMS REALTIME”? The Remote Managed Services group at Lenel has invested in state-of-the-art technology that enables 24x7 system monitoring and alerting. Implementing this technology provides the following service benefits:

• Comprehensive monitoring of system performance, analysis of system vulnerabilities that must be addressed, and identification of opportunities for increasing system ROI.

• Early detection of system errors based on pre-programmed thresholds. Threshold values draw on the RMS team's years of experience and analysis to maximize system performance while minimizing maintenance needs and hardware expenditures.

• Streamlined access to customers' systems for issue resolution.

• Less time spent on manual maintenance procedures, so RMS Technical System Application Managers can provide more consultation and technical account management (Premiere Plus levels).

• Enhanced system performance reporting and analysis, allowing customers to measure the actual ROI of maintenance procedures and budget accurately from tracked metrics.

HOW DOES THIS TECHNOLOGY WORK? RMS RealTime enables Lenel to provide real-time monitoring over a secure network connection. An RMS RealTime monitoring service is installed on each Server, Workstation or Video Server covered by a maintenance contract, and that service monitors a set of pre-defined variables. Threshold values can be set for any number of monitoring options (CPU utilization, backup success, error-log monitoring, and so on); the options included are defined by the level of service enrollment, and further options can be added as supplemental program features. When a monitored value on the Server exceeds its threshold, the service sends an alert to the RMS monitoring team and to any VAR or End User associated with the system.


WHY DO CUSTOMERS CARE? RMS is now able to offer multiple programs, ranging from “notification only” basic packages to full system consulting, maintenance and project management. The automated functions of the RealTime technology ensure that emerging system issues are caught quickly, regardless of the standard maintenance schedule.

HOW IS THE AGENT INSTALLED? The RMS RealTime software core components are included with OnGuard 2008 Plus [Version 6.1] and higher, but are not installed or configured unless and until the customer enrolls in an RMS maintenance program. For customers running OnGuard versions prior to OnGuard 2008 Plus, the installation package is downloaded to the customer server and installed by the RMS Technical System Account Manager.

WHAT IS THE NETWORK SECURITY / IT IMPACT… DO CUSTOMERS NEED TO OPEN THEIR FIREWALLS? The RealTime technology was selected with IT security concerns in mind. It uses outbound communication only, so no inbound firewall rules need to be added. Standard Internet connectivity must exist, but it can be limited to outbound traffic; in practice the monitored device must be able to reach the RMS RealTime Server on TCP 443 (HTTPS) and, for remote control, TCP 22 (SSH), so sites that filter egress need to permit those two destinations (see Appendix 1). Because RealTime also provides network monitoring features, the net result of installation is a better-monitored system, and automated alerting on network security events can be configured. RealTime also provides secure remote access to defined OnGuard System Devices (Servers, Workstations or Video Servers covered by contract, with remote security standards in place), using the same outbound-initiated, SSL-encrypted channel; again, no firewall configuration changes are required. This lets the RMS team or Lenel's Technical Support Group troubleshoot and resolve Server issues without third-party intervention. Full details of the IT security implications are given in Appendix 1, and your RMS Technical System Account Manager will work individually with customer IT departments to explain the security features and address any IT concerns.

DO THE NEW PROGRAMS REPLACE CURRENT SOFTWARE UPGRADE AND SUPPORT PLANS? The Remote Managed Services RealTime programs are designed to complement the existing Software Upgrade and Support Plan (SUSP) structure. A current SUSP plan is required for all customers wishing to enroll in the service programs.

SIGN ME UP!! HOW DO I ENROLL? This program is currently in its initial roll-out phase. In consideration of the long-standing partnership with existing RMS customers, it is currently offered exclusively to them, at no additional charge to their existing contracts. Full details will be reviewed during the standard proactive call forums. Following the implementation with existing customers, full program details and pricing information will be made available to Lenel Sales and VARs. As always, information can be obtained via [email protected].

IF YOU HAVE ADDITIONAL QUESTIONS, OR NEED A QUOTE, PLEASE EMAIL: [email protected] OR CONTACT YOUR RMS REPRESENTATIVE


APPENDIX 1: DATA PRIVACY AND CORPORATE SECURITY WITH RMS REALTIME SECURITY WHITEPAPER

TABLE OF CONTENTS

Introduction
RMS RealTime Technology Overview
    Architecture
    RMS RealTime Technology Server
        External Connections
        Host Operating System
        User Interface
        Database
        Notifications
        Remote Control
    Agents
    Windows Software Probes
    Active Directory Authentication
Summary


INTRODUCTION As security consciousness grows, businesses are under increasing pressure to protect their sensitive data. Lenel's Remote Managed Services (RMS) team likewise recognizes the need to protect its customers' sensitive data. Because that data is a core part of customers' businesses, RMS must embrace and support the need for data privacy and corporate security, and must therefore attend to the security of the remote management tools it uses. This whitepaper outlines the security features inherent in RMS RealTime technology, to reassure Lenel VARs and their customers that RMS RealTime services form a secure and effective component of the managed services relationship.


RMS REALTIME TECHNOLOGY OVERVIEW RMS RealTime technology is a Web-based remote monitoring and management platform designed specifically for managed service providers. It leverages a distributed, Web services-based architecture to allow service providers to remotely monitor and manage devices at multiple customer sites from a single management console. The nature of the distributed architecture allows secure data collection from devices even if they are located behind NAT firewalls.

ARCHITECTURE As mentioned above, RMS RealTime technology uses a distributed architecture. It is based on an industry-standard Web services model and is built from three discrete types of component:

• RMS RealTime Server
• Probes
• Agents

RMS REALTIME TECHNOLOGY SERVER The RMS RealTime Server is the core monitoring component, providing the RMS team with a Web-based user interface onto the OnGuard system's health. In addition, the RMS RealTime Server monitors system devices, processes data collected by the agents and probes, provides reporting, processes and distributes notifications, manages 3rd-party interactions and maintains all retained historical data. The RMS RealTime Server is designed to be flexible, scalable, simple to use and secure.

EXTERNAL CONNECTIONS The RMS RealTime Server must be connected to the Internet in order to communicate with its distributed elements. It is located in an access-controlled, secure environment at Lenel. The system is designed for its primary role as the communication hub and is hardened accordingly. Deployment best practice places the server in a protected Internet zone (a DMZ) with only ports 443 (HTTPS), 10000 (Admin UI) and 22 (Secure Shell, on which all traffic is encrypted) open from the Internet. The Admin user interface uses HTTPS forwarded over port 10000. Port 22 carries the underlying protocol for the remote control technologies. Note that agents and probes at customer sites only ever initiate connections to 443 and 22; port 10000 serves the RMS staff interface and relies on the authentication, session and role controls described under User Interface below.

HOST OPERATING SYSTEM The RMS RealTime Server runs a slightly modified version of RedHat Enterprise Server. This operating system was customized for RMS RealTime technology and has had many extraneous components removed. The operating system is updated regularly as required patches are released by RedHat; in the event of critical security patches, RMS RealTime can distribute updates through its auto-upgrade system. The server has a built-in firewall that accepts connections only on the required ports and that mitigates many common attack patterns, including SYN floods, IP spoofing and some forms of DDoS.


USER INTERFACE The Web-based user interface is built on J2EE technologies and contains many features designed to ensure security. Access to the system is only via HTTP(S) Web sessions. On install, RMS RealTime technology generates its own self-signed SSL certificates by default, and also supports upload of 3rd-party-signed SSL certificates; while the self-signed default is in use, operators should verify the certificate fingerprint out of band or upload a CA-signed certificate before relying on the UI, since a browser cannot otherwise tell the real server from an interposed one. A username and password are required to access the UI, and the interface enforces a configurable, time-based session expiry. RMS RealTime also provides a flexible, configurable password management system with time-based password expiry, enforced complexity rules, retry lockouts and password history retention. Once a user is successfully authenticated, RMS RealTime grants access to data only according to the role the user has been assigned. Roles support segregation of customer information by customer and service organization, read-only access with reporting, read-only access without reporting, administrative access at the customer level, and restricted multi-customer access for SO technical staff. In addition, RMS RealTime technology enforces Cross-Site Scripting (XSS) controls where possible and appropriate. Finally, the integrated reporting engine provides canned system audit reports that include login and logout information.
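The password management behaviour described above (expiry, complexity rules, retry lockouts and history retention) is easier to reason about as code. The following is an added example written for this page, not code from the RMS RealTime product: a stand-alone Python model of those four controls. The rule parameters, the hashing scheme (salted PBKDF2-SHA256) and the status strings are all assumptions of the example; the page does not state how the product implements them.

```python
"""Password policy with expiry, complexity, lockout and history (added
example; not Lenel code).  All parameters below are constructed defaults."""
import hashlib
import hmac
import os
import re

PBKDF2_ROUNDS = 50_000   # kept low so the demo runs quickly; raise in production


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class PasswordPolicy:
    def __init__(self, min_length=12, max_age_days=90, history_depth=5,
                 max_failures=5, lockout_seconds=900):
        self.min_length = min_length
        self.max_age_seconds = max_age_days * 86400
        self.history_depth = history_depth      # passwords remembered for reuse checks
        self.max_failures = max_failures        # failed logins before lockout
        self.lockout_seconds = lockout_seconds  # how long a lockout lasts

    def complexity_errors(self, password):
        """Return the list of rule violations (empty when the password passes)."""
        errors = []
        if len(password) < self.min_length:
            errors.append(f"shorter than {self.min_length} characters")
        classes = sum(bool(re.search(p, password))
                      for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
        if classes < 3:
            errors.append("needs at least three of: lower, upper, digit, symbol")
        return errors


class Account:
    def __init__(self, username, policy):
        self.username = username
        self.policy = policy
        self.history = []        # (salt, hash) pairs, newest last
        self.changed_at = 0.0    # time of last password change
        self.failures = 0
        self.locked_until = 0.0

    def _matches_recent(self, password):
        recent = self.history[-self.policy.history_depth:]
        return any(hmac.compare_digest(h, _hash(password, salt)) for salt, h in recent)

    def set_password(self, new_password, now):
        """Apply complexity and history rules; return the list of errors ([] on success)."""
        errors = self.policy.complexity_errors(new_password)
        if self._matches_recent(new_password):
            errors.append("password was used recently")
        if errors:
            return errors
        salt = os.urandom(16)
        self.history.append((salt, _hash(new_password, salt)))
        self.changed_at = now
        self.failures = 0
        return []

    def authenticate(self, password, now):
        """Return "ok", "locked", "bad_password" or "expired"."""
        if now < self.locked_until:
            return "locked"
        if not self.history:
            return "bad_password"
        salt, h = self.history[-1]
        if not hmac.compare_digest(h, _hash(password, salt)):
            self.failures += 1
            if self.failures >= self.policy.max_failures:
                self.locked_until = now + self.policy.lockout_seconds
                self.failures = 0          # counter restarts after the lockout ends
                return "locked"
            return "bad_password"
        self.failures = 0
        if now - self.changed_at > self.policy.max_age_seconds:
            return "expired"               # correct password, but a change is required
        return "ok"
```

Time is passed in explicitly (`now`) rather than read from the clock so that expiry and lockout windows can be exercised deterministically; the lockout returns "locked" even for the correct password, which is what prevents an online guessing attack from being confirmed by the eventual success.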

DATABASE The core Postgres 7.4 database in the RMS RealTime Server is not exposed to any external network access. All interactions are managed through the data management system (DMS), a Java-based Web services interface. Third-party data export is handled via ODBC, only in a “push” model that must be configured from the Administrator Console; the server does not accept inbound ODBC connections.

NOTIFICATIONS RMS RealTime notifies users of detected incidents via email, SMS and pager. To do so, it must be able to send email via SMTP. It does not accept email and requires no inbound access from the Internet to port 25, which eliminates any possibility of an open mail relay. RMS RealTime can also be configured with a mail-relay server and will proxy outgoing email to the Internet through it. SMS and pager notifications are sent over a telephone line using an internal modem.

REMOTE CONTROL RMS RealTime technology includes an integrated remote control capability that lets a remote administrator connect via VNC, Terminal Services or RAdmin to any device under management by the RMS RealTime service. To effect this, the agents and probes create SSL connections from the target device to the RMS RealTime Server by forwarding the appropriate port over a secure shell connection on port 22 to the server. No inbound ports need to be open from the Internet to the target device, because all communication is initiated from the client side, and the result is a 128-bit encrypted connection over which the remote control session can be started. The remote control connection is completed at the other end by establishing a similar secure shell connection between the remote administrator and the RMS RealTime Server; again, no ports need to be open from the Internet to the administrator, since that connection too is initiated from the client side. Once both SSH connections are established, RMS RealTime routes traffic between them. Each SSH connection uses session-specific usernames, passwords and public/private key pairs to ensure that the connections are secure.
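The essential idea above is a rendezvous: neither endpoint accepts an inbound connection, both dial out to the server, and the server pairs the two legs and routes bytes between them. The following is an added example written for this page, not code from the RMS RealTime product: a stand-alone Python model of that rendezvous on localhost. It replaces SSH with plain TCP and the session-specific credentials with a single-use session token, both of which are simplifications assumed by the example; the pairing logic, the rejection of unknown or already-used tokens, and the bidirectional routing are the points being shown.

```python
"""Rendezvous relay for two client-initiated legs (added example; not Lenel
code).  SSH and per-session credentials are replaced by plain TCP and a
single-use token so the model runs offline; tokens below are constructed."""
import socket
import threading

ROLES = ("target", "admin")


def read_line(sock, limit=256):
    """Read one newline-terminated line; return "" on EOF, timeout or error."""
    buf = b""
    try:
        while not buf.endswith(b"\n") and len(buf) < limit:
            chunk = sock.recv(1)
            if not chunk:
                break
            buf += chunk
    except OSError:
        return ""
    return buf.decode(errors="replace").strip()


def _pump(src, dst):
    """Copy bytes src -> dst until src closes, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class Relay:
    """Accepts outbound connections from both sides and pairs them by token."""

    def __init__(self, session_tokens):
        self._tokens = set(session_tokens)   # valid, not-yet-used session tokens
        self._waiting = {}                   # token -> (role, socket) of the first leg
        self._lock = threading.Lock()
        self._srv = socket.socket()
        self._srv.bind(("127.0.0.1", 0))     # ephemeral port for the demo
        self._srv.listen(8)
        self.port = self._srv.getsockname()[1]
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            try:
                conn, _ = self._srv.accept()
            except OSError:
                return                        # server socket closed
            threading.Thread(target=self._handle, args=(conn,), daemon=True).start()

    def _handle(self, conn):
        conn.settimeout(10)                   # bound the handshake only
        parts = read_line(conn).split()       # expected: "<token> <role>"
        conn.settimeout(None)
        if len(parts) != 2 or parts[1] not in ROLES:
            conn.close()
            return
        token, role = parts
        with self._lock:
            if token not in self._tokens:     # unknown or already-used token
                conn.close()
                return
            peer = self._waiting.get(token)
            if peer is None:                  # first leg: park it until its peer arrives
                self._waiting[token] = (role, conn)
                return
            peer_role, peer_conn = peer
            if peer_role == role:             # two legs claiming the same side
                conn.close()
                return
            del self._waiting[token]
            self._tokens.discard(token)       # token is single-use
        for s in (conn, peer_conn):
            s.sendall(b"OK\n")
        threading.Thread(target=_pump, args=(conn, peer_conn), daemon=True).start()
        threading.Thread(target=_pump, args=(peer_conn, conn), daemon=True).start()

    def close(self):
        self._srv.close()


def connect_leg(port, token, role, timeout=5):
    """Client side: dial out, present the token, wait for the relay's OK."""
    s = socket.create_connection(("127.0.0.1", port), timeout=timeout)
    s.sendall(f"{token} {role}\n".encode())
    if read_line(s) != "OK":
        s.close()
        return None
    return s


def run_session(port, token, admin_payload):
    """Bring up both legs and push admin_payload through; return what the target received."""
    got = {}

    def target_side():
        s = connect_leg(port, token, "target")
        got["data"] = None if s is None else s.recv(4096)
        if s is not None:
            s.close()

    t = threading.Thread(target=target_side)
    t.start()
    a = connect_leg(port, token, "admin")
    if a is not None:
        a.sendall(admin_payload)
        a.close()
    t.join(10)
    return got.get("data")


if __name__ == "__main__":
    relay = Relay({"sess-7f3a"})
    print(run_session(relay.port, "sess-7f3a", b"remote-control bytes"))
    relay.close()
```

Both `connect_leg` calls are outbound from the relay's point of view, which is why no inbound rule is needed at either site; the relay never originates a connection. Discarding the token once the two legs are paired is the model's stand-in for the page's session-specific credentials: a token observed in transit cannot be replayed to join or hijack a later session.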


AGENTS RMS RealTime technology service agents are small software clients installed on the devices to be monitored. Once installed, they monitor those devices for a number of performance-related metrics. The agents connect to the RMS RealTime Server using SOAP over HTTPS on port 443. After connecting to the DMS, they download a task list, a schedule and the monitoring modules appropriate to their assigned tasks, then schedule the tasks and begin monitoring. Depending on the configured interval, every 60-300 seconds each agent connects back to the RMS RealTime Server, uploads its monitoring results and checks for new monitoring tasks. Because the connections to the server are client-initiated, no inbound access (open firewall ports) to the managed device is required, and because all agent-to-server communication is SSL-encrypted, the data transport is secure. As an added measure, every agent is issued a key on install with which it identifies itself on each connection; connections from unknown devices are ignored. Finally, transactions between the agents and the RMS RealTime Server use abstracted data: customers and devices are identified by numeric IDs and only monitoring data is transmitted, so no personally identifiable information crosses the wire.
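The check-in described above, together with the threshold alerting described in the FAQ (“if the Server exceeds the value set, send an alert”), can be modelled end to end. The following is an added example written for this page, not code from the RMS RealTime product: a stand-alone Python model of one check-in, showing the agent side (abstracted numeric IDs plus metrics, authenticated with the install key) and the server side (identify the agent, reject unknown or mis-signed reports, then evaluate thresholds). The use of the install key as an HMAC-SHA256 secret, the JSON report format in place of SOAP, the freshness check and the sample thresholds are all assumptions of the example.

```python
"""Agent check-in with install-key authentication and threshold alerts
(added example; not Lenel code).  Assumptions not stated on the page: the
install key is used as an HMAC-SHA256 secret over the report, the report is
JSON rather than SOAP, and reports older than the check-in interval are
rejected.  Everything is in-process; no network is used."""
import hashlib
import hmac
import json
import time

# Constructed enrollment registry: device_id -> (customer_id, install key).
AGENT_KEYS = {
    1001: (42, b"constructed-install-key-1001"),
    1002: (42, b"constructed-install-key-1002"),
}

# Constructed per-device thresholds: metric -> (comparison, limit).
THRESHOLDS = {
    1001: {"cpu_pct": (">", 90.0), "backup_ok": ("<", 1)},
    1002: {"cpu_pct": (">", 90.0), "disk_free_pct": ("<", 10.0)},
}

MAX_REPORT_AGE = 300  # seconds; the page's longest check-in interval


def agent_build_report(device_id, key, metrics, ts=None):
    """Agent side: serialise abstracted data (numeric id + metrics only) and
    sign it with the install key.  Returns (body, hex signature)."""
    ts = int(time.time()) if ts is None else int(ts)
    body = json.dumps({"device_id": device_id, "ts": ts, "metrics": metrics},
                      sort_keys=True, separators=(",", ":")).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()


def evaluate_thresholds(customer_id, device_id, metrics):
    """Return one alert record per metric outside its configured limit."""
    alerts = []
    for name, (op, limit) in THRESHOLDS.get(device_id, {}).items():
        value = metrics.get(name)
        if not isinstance(value, (int, float)):
            continue                      # not reported this interval
        if (value > limit) if op == ">" else (value < limit):
            alerts.append({"customer_id": customer_id, "device_id": device_id,
                           "metric": name, "value": value, "limit": limit})
    return alerts


def server_accept_report(body, sig, now=None):
    """Server side: identify the agent by numeric id, verify the signature and
    freshness, then evaluate thresholds.  Returns (accepted, alerts); unknown,
    mis-signed or stale reports are ignored, as the page describes."""
    now = time.time() if now is None else now
    try:
        report = json.loads(body)
        device_id = int(report["device_id"])
        ts = int(report["ts"])
        metrics = dict(report["metrics"])
    except (ValueError, KeyError, TypeError):
        return False, []
    entry = AGENT_KEYS.get(device_id)
    if entry is None:
        return False, []                  # unknown device
    customer_id, key = entry
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False, []                  # wrong install key
    if abs(now - ts) > MAX_REPORT_AGE:
        return False, []                  # stale or replayed
    return True, evaluate_thresholds(customer_id, device_id, metrics)


if __name__ == "__main__":
    body, sig = agent_build_report(1001, AGENT_KEYS[1001][1],
                                   {"cpu_pct": 97.5, "backup_ok": 0})
    print(server_accept_report(body, sig))
```

The server looks the key up by the numeric device ID carried in the report, so the wire format never needs a hostname or user name, which is the data-privacy property the page describes; `hmac.compare_digest` is used for the comparison so that signature checking does not leak timing information.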

WINDOWS SOFTWARE PROBES RMS RealTime Windows Software Probes (WSPs) are similar in design to agents but add several layers of functionality: the ability to monitor multiple devices on the same Windows domain, to execute scripts, and to remotely install software. Their core communication and monitoring technologies are identical to those of the Windows agents described above.

ACTIVE DIRECTORY AUTHENTICATION Monitoring other devices via WMI, and remotely executing scripts or installing software, requires the WSP to run with domain administrative credentials. These credentials are entered during installation and stored by the WSP in a protected area of the Windows registry, so that they are available to the probe but stored securely. It is recommended that a domain admin account be created specifically for this purpose, with a strong, non-expiring password; access to the account can then be limited, since it is not used for interactive log-in. Because the WSP holds domain administrative rights, the host running it should be protected as carefully as a domain controller.

SUMMARY RMS RealTime technology is a distributed, Web-based platform designed to provide remote monitoring and management capabilities to MSPs securely and effectively. It is designed to be placed on the Internet and has been secured accordingly. Because of its client-initiated architecture, RMS RealTime typically requires no changes to customer firewalls that might weaken security, and all of its communications are encrypted, increasing the confidence users can place in the solution. In many cases, OnGuard system users who adopt RMS RealTime will raise the overall security of their system by using its encrypted remote control capabilities. All of these features come together to help the Remote Managed Services team do what they do best: help their customers run their businesses better.
