Important

   

Starting version 8.9.03, BMC Network Automation is renamed to TrueSight Network Automation. This space contains information about BMC Network Automation 8.9.02 and previous versions. For TrueSight Network Automation 8.9.03 and later releases, see the TrueSight Network Automation documentation.

Security planning

Review the following topics for information about how BMC Network Automation provides security and for recommendations on deploying securely:

Related topics
 Where to find more information

Handling web security vulnerabilities in BMC Network Automation

BMC Network Automation is capable of handling the following web security vulnerabilities:

  • Cross-Site Scripting (XSS) attack
  • Cross-Site Request Forgery (CSRF) attack
  • Brute force attack

Handling the XSS attacks

XSS attack is a type of web application vulnerability wherein an attacker can execute malicious scripts (also known as a malicious payload) into a legitimate website or web application. XSS enables attackers to inject a client-side script (usually JavaScript) into web pages that are to be viewed by other users through HTTP requests. Attackers can use this type of vulnerability to bypass access controls such as the same-origin policy.

To run the malicious JavaScript in the victim's browser, the attacker usually injects it into one of the pages that the victim downloads from the website. This can happen if the website directly includes user input in its pages.

To handle XSS, BMC Network Automation includes an optional filter that restricts certain characters and patterns from being included in the HTTP request from a user. If the filter detects these characters or patterns in the request, BMC Network Automation denies the response to the request and generates an error message.

You can configure this filter to restrict various characters and patterns by setting these properties in the global.properties file. Note that the web server service must be restarted in order to use any updated settings.

  • badInputFilterEnabled: If set to true (default), it validates the incoming HTTP requests against the characters and patterns that could be embedded in the malicious scripts. If you set its value to false, the filter is disabled and HTTP requests are not validated.
  • badInputFilterDeny: Contains the characters and patterns against which to validate the incoming HTTP requests. If the request contains any of these characters or patterns, the user is redirected to the following error message:

    Not acceptable.
    Your request triggered an error! You may have entered illegal characters 
    into one or more data entry fields. Please contact your system administrator 
    for assistance.

    Note

    Microsoft Internet Explorer might display a different message than the stated above. To display the actual message that the Web server sends, follow these steps:

    1. In Internet Explorer, on the Tools menu, click Internet Options.
    2. On the Advanced tab, under the Browsing section, clear the Show friendly HTTP error messages check box, and then click OK.
    3. Close the browser.

    If you encounter this error message, open the BCA-Networks.log file. You will find an error message similar to the following one, which includes the characters or patterns that caused the HTTP request to be denied:

    com.bmc.bcan.webapp.filter.security.BadInputFilter checkDenies
    SEVERE: [Thread=http-nio-443-exec-7] Request is not acceptable (Error code: 406). 
    Deny pattern [<] found in request property [Device Name <]
    

    When you upgrade to version 8.9.01 or 8.9.02, the following characters and patterns are restricted by default. Configure the global.properties  file according to your requirements to allow characters or patterns.


    \x00,\x04,\x08,",`,<,>,document(.*)\\.(.*)cookie,eval(\\s*)\\(,setTimeout(\\s*)\\(,setInterval(\\s*)\\(,execScript(\\s*)\\(,(?i)javascript(?-i):,(.*\\.|^|.*|\\[('|\"))(c|C)lass(\\.|('|\")]|\\[).*

    When you upgrade to version 8.9.00, the following characters and patterns are restricted by default. Configure the global.properties file according to your requirements to allow characters or patterns.

    \x00,\x04,\x08,",`,<,>,document(.*)\\.(.*)cookie,eval(\\s*)\\(,setTimeout(\\s*)\\(,setInterval(\\s*)\\(,execScript(\\s*)\\(,(?i)javascript(?-i) 


    Note

    If you are using these default characters and patterns widely in your BMC Network Automation system, and you are getting the error message frequently (for example, after upgrade to 8.9), you can disable the filter. However, for enhanced security, BMC recommends that you clean up the system to eliminate these characters and patterns, and then enable the filter.

  • badInputFilterWhitelistUrls: Contains the URLs or the specific parameters within URLs that must be ignored by the filter. Some features in BMC Network Automation (for example, Injection Templates) use the characters or patterns that are by default included in badInputFilterDeny. However, these characters or patterns are mandatory for those features to work. Default value of this property is the URL of the Injection Template that is restricted by badInputFilter due to use of characters included in badInputFilterDeny. Use the following guidelines to specify URLs and parameters:
    • To ignore any specific URL, specify that URL as the value of badInputFilterWhitelistUrls.
    • To ignore multiple URLs, separate them by spaces.
    • To ignore only specific parameters within a URL, use the question mark (?) after the URL and then specify the parameter. For example, /bca-networks/admin/saveLoggingProperties.do?loggingProperties.
    • To ignore multiple parameters within a URL, separate them by commas. For example, /bca-networks/admin/saveLoggingProperties.do?loggingProperties,defaultLoggingProperties.

For detailed information about these properties, see Default global.properties file.

Handling the CSRF attacks

CSRF attack is a type of vulnerability that forces users into submitting malicious requests and executing unwanted actions on a web application in which they are currently authenticated. This attack usually targets requests that cause a state change on the server, such as changing password for a user.

BMC Network Automation prevents the CSRF attacks by associating a session token (also called CSRF token) with every state-changing request by a user. The session token changes with every subsequent request. This token is generated by a secure random number generator. The server rejects the request if the token cannot be validated and the following error message appears:

Security Violation
You cannot view the requested page or perform the requested action. Please verify 
that your login privileges allow you to access the page or perform the action, 
your session has not been timed out, and you have not accidentally double-clicked 
on active buttons.

Handling the brute force attacks

Brute force attack is a trial and error method used by application programs to obtain information such as a password or personal identification number (PIN). The application programs try to decode encrypted data through exhaustive efforts rather than employing intellectual strategies.

BMC Network Automation prevents brute force attacks by locking a user. If a user provides an incorrect password while logging in to BMC Network Automation, the user gets locked after a particular number of failed login attempts. Either the user gets unlocked automatically after a specific time period or a user with the Unlock Users right can unlock the user. For more details, see Locking or unlocking users.

Data security

BMC Network Automation is capable of using SSL and HTTPS for all communications between the BMC Network Automation application server, BMC Network Automation remote device agents, devices, and users. It is also capable of using secure protocols such as SSH and Secure Copy Protocol (SCP) to that extent that devices support them.

User access requires a user name and password. Fine-grained control for the roles and rights of users is provided; see the Managing access.

Encrypting the Oracle external database

To manage devices in BMC Network Automation, the infrastructure manager must be able to encrypt BMC Network Automation data files on the file system and when performing client-server CRUD operations in the Oracle Database. BMC Network Automation version 8.9.x supports encryption for Oracle database 11g R2 and 12c.

Prerequisites

Ensure that you meet the following preconditions before encrypting the Oracle external database:

  • BMC Network Automation is integrated with Oracle Enterprise database
  • Wireshark is installed on the computer on which BMC Network Automation is installed

To enable network-level encryption on an existing BMC Network Automation server or a freshly installed server

  1. Log on to the computer where Oracle Enterprise database has been installed.
  2. Open sqlnet.ora located at %ORACLE_HOME%\NETWORK\ADMIN and add the following entries:

    SQLNET.ENCRYPTION_SERVER = REQUESTED
    SSL_CLIENT_AUTHENTICATION = true
    SSL_CERT_REVOCATION = NONE
  3. Restart the BMC Network Automation server.
  4. Use Wireshark to snoop and check whether the data is encrypted.

Back to top

To enable Oracle transparent data encryption (TDE) on a fresh BMC Network Automation installation

  1. Create an Oracle database wallet with a master encryption key by using the tutorial at http://www.oracle.com/webfolder/technetwork/tutorials/obe/db/11g/r2/prod/security/tde/tde.htm.
  2. Verify that the DB vault has been created and is in the open state.
  3. Create an encrypted Tablespace within the Oracle server.
  4. Create a user on the Oracle server, which is tied with the encrypted Tablespace created in step 3.
  5. Choose Oracle Database when installing BMC Network Automation afresh, specify the user credentials created in step 4, and complete the installation.

    Note

    Do not create the Oracle user by using the BMC Network Automation installation program.

  6.  Verify tables and database-related details from the Oracle Console.

    Note

    The database wallet must be open to enable the BMC Network Automation server to access the database.

Back to top

To enable Oracle TDE on an existing BMC Network Automation installation

  1. Stop the BMC Network Automation server.
  2. Create a new encrypted Tablespace within the Oracle server.
  3. Export the BMC Network Automation database schema to a backup dump file.
  4. Import the BMC Network Automation database schema that is exported in step 3 to the newly created encrypted Tablespace. (Use the  remap_tablespace=old_tablespace : encrypted_tablespace parameter).
  5. Verify the database objects and data from the Oracle Console.
  6. Start the BMC Network Automation server and verify the integrity of the BMC Network Automation server and all the data.

    Note

    The database wallet must be open to enable the BMC Network Automation server to access the database.

Back to top

Was this page helpful? Yes No Submitting... Thank you

Comments