WALLIX Bastion Tech


WALLIX Bastion

Privileged Access Management

Gaetano Lo Giudice
Exclusive Networks
glogiudice@exclusive-networks.com
CONFIDENTIAL
Agenda

§ Who WALLIX is
§ Why Privileged Access Management
§ Architecture of the Bastion solution
§ How Session Management works
§ Demo
WALLIX is expanding rapidly in Europe and beyond

[Chart: number of customers per year, 2010 to 2019; plotted values 30, 60, 100, 150, 220, 300, 420, 570, 770, 1050 (52% growth year over year). Offices shown on the map: Amsterdam, Warsaw, London, Montreal, Paris, München, Boston, Dubai, Singapore.]

Present in 55 countries; 12.6 M€ turnover; 36% international turnover.

160+ partners and resellers; 50+ M€ raised between 2008 and 2018; 150+ people; 30% growth YoY.
4 good reasons to implement a PAM solution

1. External service providers
I have no visibility on what my providers are doing on the infrastructure. Many people access servers, devices and applications: I do not know who has access to what, when or how. I must control these accesses and change external provider if I need to.
How can I ensure full access control? How can I find the origin of the problem? Who is responsible?

2. When an incident happens
Origin of an incident and traceability of actions. The customer database crashed after a support intervention from an external provider during a major upgrade. We cannot establish responsibilities or find evidence!
Where did the problem come from? Can we review what happened? How can we determine the origin of the problem?

3. Admin Passwords
Post-it notes multiply on computer screens or on the desks, or in an unsecured Excel file. Passwords are handled chaotically. Sometimes, they are only in the admin's head. Generic accounts (Admin & Root) are no longer an option.
What is the best way to handle user authentication?

4. IT teams turnover
One of my admins is leaving the company. His/her access rights must be listed, deactivated and modified for every device. These changes must be communicated internally.
How can I make sure he/she will no longer be able to access the information system?
Bastion Key Architecture and Functionalities

Certified by ANSSI (French cybersecurity compliance body) and by FSTEK (Russian cybersecurity compliance body)

§ Web console to access and audit distributed Bastion architectures
§ LDAP/AD directory
§ Customizable UX
§ Contextualized settings

§ Privileged accounts mgt & governance
§ Pattern detection with automatic termination
§ Real-time monitoring
§ Session recording and replay

§ Vault to store passwords
§ Integrate with third-party vaults
§ SSH keys as well as Passwords
§ AES 256 encryption

[Diagram: privileged users, third-party contractors, and auditors, risk and compliance officers reach the BASTION over RDP, SSH and HTTPS; the BASTION is made up of a Session Manager, an Access Manager, a Password Manager and a Vault, and connects to the targets (including a Jump Server) over RDP, SSH, Raw TCP/IP, RLOGIN, VNC, TELNET and HTTPS.]
Connection Concept

Session Management Global Concepts
Which account can be used to connect to the target?

[Diagram: the primary connection goes from the privileged users, third-party contractors, and auditors, risk and compliance officers to the BASTION over RDP or SSH; the secondary connection goes from the BASTION to the targets over RDP, SSH, VNC, TELNET, RLOGIN, HTTP, HTTPS or Raw TCP. The options shown for choosing the target account are Account, Account mapping and Interactive login, governed by Profiles.]
Session Management Global Concepts
Approval Workflow

[Diagram: the primary connection (RDP, SSH) from privileged users and third-party contractors reaches the BASTION; before the secondary connection (RDP, SSH, VNC, TELNET, RLOGIN, HTTP, HTTPS, Raw TCP) to the targets is opened, the user's request goes to an Approver, who accepts or rejects it.]

Concurrent Policy

[Diagram: two BASTION configurations for concurrent access to the same target, Without Lock and With Lock.]
Coming soon

Our 3rd party inter-operability

[Diagram of integration categories around the BASTION: Standard Protocols; Identity IGA/IAM; Multifactor Authentication & SSO; Vulnerability Mgt; Antivirus / DLP; Vault; SIEM; DevOps; Radius; ITSM; Admin Center; RESTful API / Web Services.]
Session Manager

[Diagram: users connect to the BASTION Session Manager; an ephemeral agent (probe) relays the session to the targets over RDP, SSH, VNC, TELNET, RLOGIN, HTTP, HTTPS or Raw TCP/IP, with an Approver and an Auditor shown alongside.]

1. Secure and Trace the Accesses
§ Retrieve credentials safely from the Vault
§ Get the approval with quorum for a given time period
§ Recognize unusual command lines and automatically terminate sessions
§ Manage concurrent user activities

2. Record the Sessions
§ Session video recording
§ Real time
• 4 eyes monitoring
• Alerting
• Automatically terminate sessions
§ Video of any applications including web applications and other management consoles

3. Replay the Sessions
§ Post-incident audit: session replay and metadata analysis
§ Rich metadata
• Key logging with automatic keyboard layout detection
• Process event
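The access decisions listed on this slide (approval with quorum for a time period, the concurrent-access lock, and termination on an unusual command line) can be modelled as one policy check. The Python below is an added illustration written for this page, not WALLIX code; the class and field names (Authorization, Broker, kill_patterns) and the sample clock are assumptions.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Added illustration of the session-manager decisions on the slide (not WALLIX code):
# quorum approval inside a time window, a lock on concurrent access to a target,
# and termination when a typed command matches a forbidden pattern. Names are assumed.

@dataclass
class Approval:
    approver: str
    decision: str            # "accept" or "reject"

@dataclass
class Authorization:
    quorum: int              # distinct approvers needed before the secondary connection opens
    window_minutes: int      # how long a granted approval stays valid
    lock: bool               # "With Lock": one user at a time on the target
    kill_patterns: list = field(default_factory=list)   # regexes that end the session

class Broker:
    def __init__(self):
        self.active = {}     # target -> user currently holding the lock

    def may_open(self, auth, approvals, requested_at, now, target, user):
        """Decide whether the secondary connection to `target` may be opened for `user`."""
        if any(a.decision == "reject" for a in approvals):
            return False, "rejected by approver"
        accepts = {a.approver for a in approvals if a.decision == "accept"}  # one vote per approver
        if len(accepts) < auth.quorum:
            return False, "quorum not reached"
        if now > requested_at + timedelta(minutes=auth.window_minutes):
            return False, "approval window expired"
        if auth.lock and target in self.active and self.active[target] != user:
            return False, "target locked by " + self.active[target]
        self.active[target] = user
        return True, "session opened"

    def close(self, target):
        """Release the lock when the session ends."""
        self.active.pop(target, None)

def must_terminate(auth, command_line):
    """Pattern detection on a typed command; True means the Bastion would end the session."""
    return any(re.search(p, command_line) for p in auth.kill_patterns)

# Constructed sample clock: the date on the demo slide, 09:00.
T0 = datetime(2020, 5, 22, 9, 0)

def later(minutes):
    return T0 + timedelta(minutes=minutes)
```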
Password Manager
Securing passwords in a certified vault, hiding, revealing, changing or generating target passwords

§ Bastion Vault, the credentials' secured storage
• SSH key as well as Password
• Password encryption using AES 256

§ Password Manager capabilities
• Automatic or on-demand password rotation
• Check-out/check-in workflow
• Password complexity generation
• App2App Password Management
• Breaking glass

[Diagram: the Bastion Administrator manages the targets through a plugin-based architecture that makes it easy to support password change and rotation; target types shown: Juniper SRX, Windows, LDAP, IBM 3270, Cisco, Linux, Palo Alto PA-500, Fortinet FortiGate, Oracle, MySQL, SQL Server, Teradata.]


Coming soon
Access Manager
A unique interface to access several Bastion instances

§ Single sign-on via Access Manager to your Bastion farm embedding RDP & SSH clients
§ Multi-tenant architecture with organization of users/domains groups
§ GUI customization
§ Web browser client
§ Define access for privileged users to all systems, easily revoke and grant permission to logon

[Diagram: privileged users, third-party contractors, auditors, risk and compliance officers, an Auditor and an Approver reach the Access Manager over the Internet; the Access Manager fronts several BASTION instances, which in turn reach the targets through a Jump Server.]
PowerLab
Exclusive Networks

Wallix Bastion Demo

5/22/20
Demo

[Lab diagram: the BASTION sits at 10.120.10.20 on the 10.120.10.0/24 network, together with target hosts at .30, .40 and .60; a .1 address on that network and a .1 address on 10.0.0.0/16 link the two networks.]
Demo scenarios
• RDP/SSH access with a local account
• RDP access with Active Directory
• HTTP app access via RDS
• RDP/SSH access with restrictions
• RDP access with account mapping (AD)
• SSH access with interactive login
• RDP access with approval
• MySQL access via raw TCP
• Direct RDP/SSH access
JOIN THE ADVENTURE
