WALLIX Bastion Tech
Gaetano Lo Giudice
Exclusive Networks
glogiudice@exclusive-networks.com
CONFIDENTIAL
Agenda
§ Who is WALLIX
§ Why Privileged Access Management
§ Architecture of the Bastion solution
§ How Session Management works
§ Demo
WALLIX is expanding rapidly in Europe and beyond
[Chart: Number of Customers by year (52% growth year over year); offices shown in Amsterdam, Warsaw, London, Montreal, Paris, München, Boston, Dubai and Singapore]
160+ partners and resellers | 50+ M€ raised between 2008 and 2018 | 150+ people | 30% growth YoY
4 good reasons to implement a PAM solution
1. External service providers
I have no visibility on what my providers are doing on the infrastructure.
Many people access servers, devices and applications: I do not know who has access to what, when or how.
I must control these accesses and change external provider if I need to.
How can I ensure full access control? How can I find the origin of the problem? Who is responsible?
2. When an incident happens
Origin of an incident and traceability of actions.
The customer database crashed after a support intervention from an external provider during a major upgrade.
We cannot establish responsibilities or find evidence!
Where did the problem come from? Can we review what happened? How can we determine the origin of the problem?
3. Admin passwords
Post-it notes multiply on computer screens or on the desks, or in unsecured Excel files.
Passwords are handled chaotically. Sometimes, they are only in the admin's head.
Generic accounts (Admin & Root) are no longer an option.
What is the best way to handle user authentication?
4. IT teams turnover
One of my admins is leaving the company.
His/her access rights must be listed, deactivated and modified for every device.
These changes must be communicated internally.
How can I make sure he/she will no longer be able to access the information system?
Certified by ANSSI, the French cybersecurity compliance body
§ Web console to access and audit distributed Bastion architectures
§ LDAP/AD directory
§ Customizable UX
§ Contextualized settings
§ Privileged accounts mgt & governance
§ Pattern detection with automatic termination
§ Real-time monitoring
§ Session recording and replay
§ Vault to store passwords
§ Integrate with third-party vaults
§ SSH keys as well as Passwords
§ AES 256 encryption
[Architecture diagram: privileged users, third party contractors, and auditors, risk and compliance officers connect to the BASTION over RDP or SSH; the Bastion's Session Manager and Password Manager (with Vault) relay to a Jump Server and to targets over RDP, RLOGIN, VNC, TELNET and HTTPS]
Connection Concept
Session Management Global Concepts
Which account can be used to connect to the target?
[Diagram: privileged users, third party contractors, and auditors, risk and compliance officers connect to the BASTION over RDP or SSH; the Bastion connects to targets over RDP, SSH, VNC, TELNET, RLOGIN, HTTP, HTTPS or Raw TCP, using a target account, an interactive login, or profiles]
Session Management Global Concepts
Approval Workflow
[Diagram: a privileged user or third party contractor sends an access request through the BASTION (RDP, SSH); an approver accepts or rejects it before the session to the target (RDP, SSH, VNC, TELNET, RLOGIN, HTTP, HTTPS, Raw TCP) is opened; integration points shown: Concurrent Policy, Radius, ITSM, Admin Center, RESTful API, Web Services]
Session Manager
Secure and Trace the Accesses
[Diagram: BASTION session probe and ephemeral agent sit between the user session and the targets over RDP, SSH, VNC, TELNET, RLOGIN, HTTP, HTTPS, Raw TCP/IP]
§ Session video recording
§ Real time
• 4 eyes monitoring
• Alerting
• Automatically terminate sessions
§ Video of any applications including web applications and other management consoles
§ Post-incident audit: session replay and metadata analysis
§ Rich metadata
• Key logging with automatic keyboard layout detection
• Process event
Password Manager
Securing passwords in a certified vault, hiding, revealing, changing or generating target passwords
§ Single sign-on via Access Manager to your Bastion farm embedding RDP & SSH clients
§ Multi-tenant architecture with organization of users/domains groups
[Diagram: privileged users, third party contractors, and auditors, risk and compliance officers reach the Access Manager over the Internet; the Access Manager fronts a farm of BASTION instances and a Jump Server; an Auditor reviews sessions]
5/22/20
Demo
[Demo network diagram: 10.0.0.0/16]
Demo scenarios
• RDP/SSH access with a local account
• RDP access with Active Directory
• HTTP app access via RDS
• RDP/SSH access with restrictions
• RDP access with Account Mapping (AD)
• SSH access with Interactive Login
• RDP access with approval
• MySQL access via RAWTCP
• Direct RDP/SSH access
JOIN THE ADVENTURE