Security planning
The following topics describe how BMC Network Automation provides security and give recommendations for deploying it securely.
Security assessment FAQs
Question | Response |
---|---|
Does the product development follow a Security Development Lifecycle (SDL) process? | No. The BMC Network Automation product does not follow a formal SDL process. However, many aspects of the SDL process are considered during our development lifecycle and are documented as follows. |
Do you conduct security reviews? If so, what? | Yes. Security-related product testing is done as part of each release. In addition, the BMC AppSec team performs penetration and other security tests on our product prior to each release. |
Do you use any tools to test for vulnerabilities? | |
Static Code Analysis tools | Yes. FindBugs is run against each nightly build. The results are analyzed frequently and all high severity items are addressed before product release. |
Dynamic Code Analysis tools | Yes. Nexus IQ Server dependency checks are run against each nightly build. The results are analyzed frequently and all high severity items are addressed before product release. |
Penetration testing tools | Yes. IBM AppScan and Nessus are used by the BMC AppSec team to perform penetration testing before each release. The results are analyzed and all high severity items are addressed before product release. |
Can you provide the results of these vulnerability reviews performed? | Yes. BMC can provide the report from the BMC AppSec team upon request. |
Have you closed on vulnerabilities found for the subject application using these application security reviews? | Yes. All High/Severe issues are required to be closed before releasing the software as part of our Quality Certification (QCert) checkpoint; low/medium issues are reviewed and assessed on a case-by-case basis. |
Are you committed to performing regular security reviews of the application and resolving vulnerabilities identified? | Yes. BMC is committed to resolving all Common Vulnerability Scoring System (CVSS) High and Critical vulnerabilities found in our code and to remediating any found in third-party components we include and ship with our product. BMC's AppSec team performs regular penetration tests during the product's release lifecycle. See www.bmc.com/security for BMC's disclosure and alert details. BMC and the BMC Network Automation product are committed to monitoring, finding, and resolving security-related product issues both during our release process and after releases are available to customers. For the BMC Network Automation Product: |
Is the product FIPS-140 compliant? | Yes. BMC Network Automation is Federal Information Processing Standard (FIPS) Publication 140-2 compliant. BMC Network Automation uses the RSA JSafeJCE security provider for FIPS compliance. |
What type of encryption is used for storing sensitive data? | |
What kind of encryption is used when the database is not fully encrypted, for example, when using Oracle? | All passwords used for local authentication and in Device Security Profiles (DSPs) are encrypted. Configuration files do not reside in the file system but are encoded and stored in the database. |
Handling web security vulnerabilities in BMC Network Automation
BMC Network Automation provides protection against the following web security vulnerabilities:
- Cross-Site Scripting (XSS) attack
- Cross-Site Request Forgery (CSRF) attack
- Brute force attack
Handling the XSS attacks
XSS is a web application vulnerability that lets an attacker inject malicious scripts (also called a malicious payload) into a legitimate website or web application. The attacker injects client-side script (usually JavaScript), carried in HTTP requests, into web pages that other users will view. Attackers can use this type of vulnerability to bypass access controls such as the same-origin policy.
To run the malicious JavaScript in the victim's browser, the attacker usually injects it into one of the pages that the victim downloads from the website. This can happen if the website includes user input directly in its pages.
To handle XSS, BMC Network Automation includes an optional filter that rejects HTTP requests containing certain characters and patterns. If the filter detects these characters or patterns in a request, BMC Network Automation denies the request and generates an error message.
You can configure this filter to restrict various characters and patterns by setting these properties in the global.properties file. Note that the web server service must be restarted in order to use any updated settings.
- badInputFilterEnabled: If set to true (default), the filter validates incoming HTTP requests against the characters and patterns that could be embedded in malicious scripts. If you set its value to false, the filter is disabled and HTTP requests are not validated.
- badInputFilterDeny: Contains the characters and patterns against which incoming HTTP requests are validated. If a request contains any of these characters or patterns, the user is redirected to the following error message:
  Not acceptable.
  Your request triggered an error! You may have entered illegal characters
  into one or more data entry fields. Please contact your system administrator
  for assistance.
  If you encounter this error message, open the BCA-Networks.log file. You will find an error message similar to the following one, which names the deny pattern and the request property that caused the HTTP request to be denied:
  com.bmc.bcan.webapp.filter.security.BadInputFilter checkDenies
  SEVERE: [Thread=http-nio-443-exec-7] Request is not acceptable (Error code: 406).
  Deny pattern [<] found in request property [Device Name <]
  When you upgrade to version 8.9.01 or 8.9.02, the following characters and patterns are restricted by default. Edit the global.properties file according to your requirements to allow specific characters or patterns.
  \x00,\x04,\x08,",`,<,>,document(.*)\\.(.*)cookie,eval(\\s*)\\(,setTimeout(\\s*)\\(,setInterval(\\s*)\\(,execScript(\\s*)\\(,(?i)javascript(?-i):,(.*\\.|^|.*|\\[('|\"))(c|C)lass(\\.|('|\")]|\\[).*
  When you upgrade to version 8.9.00, the following characters and patterns are restricted by default. Edit the global.properties file according to your requirements to allow specific characters or patterns.
  \x00,\x04,\x08,",`,<,>,document(.*)\\.(.*)cookie,eval(\\s*)\\(,setTimeout(\\s*)\\(,setInterval(\\s*)\\(,execScript(\\s*)\\(,(?i)javascript(?-i)
- badInputFilterWhitelistUrls: Contains the URLs, or specific parameters within URLs, that the filter must ignore. Some features in BMC Network Automation (for example, Injection Templates) require characters or patterns that are included in badInputFilterDeny by default, and those features cannot work without them. The default value of this property is the URL of the Injection Template feature, which the filter would otherwise block because it uses characters included in badInputFilterDeny. Use the following guidelines to specify URLs and parameters:
  - To ignore a specific URL, specify that URL as the value of badInputFilterWhitelistUrls.
  - To ignore multiple URLs, separate them with spaces.
  - To ignore only specific parameters within a URL, append a question mark (?) to the URL followed by the parameter name. For example, /bca-networks/admin/saveLoggingProperties.do?loggingProperties.
  - To ignore multiple parameters within a URL, separate them with commas. For example, /bca-networks/admin/saveLoggingProperties.do?loggingProperties,defaultLoggingProperties.
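The following Python model of the deny-list and whitelist logic is an added example, not BMC's BadInputFilter code. It takes the 8.9.01/8.9.02 default deny list from the text with the properties-file double escaping removed, rewrites the one entry `(?i)javascript(?-i):` as `(?i:javascript):` (the only scoped-flag form Python's re module accepts), and parses a badInputFilterWhitelistUrls value using the space, ?, and comma separators described above. The request paths and parameter values in the usage section are constructed samples.

```python
import re

# Added example (not BMC code): a model of the badInputFilter deny/whitelist
# logic. The deny list is the 8.9.01/8.9.02 default from global.properties
# with the properties-file double escaping (\\. -> \.) removed; the entry
# (?i)javascript(?-i): is written as (?i:javascript): because Python's re
# module only accepts scoped inline flags in that form.
DENY_PATTERNS = [
    r"\x00", r"\x04", r"\x08", r'"', r"`", r"<", r">",
    r"document(.*)\.(.*)cookie",
    r"eval(\s*)\(",
    r"setTimeout(\s*)\(",
    r"setInterval(\s*)\(",
    r"execScript(\s*)\(",
    r"(?i:javascript):",
    r"""(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*""",
]
COMPILED = [re.compile(p) for p in DENY_PATTERNS]


def parse_whitelist(value):
    """Parse a badInputFilterWhitelistUrls value: entries separated by spaces,
    each either a bare URL (whole request exempt) or URL?param1,param2
    (only those parameters exempt). Returns {url: None | set(params)}."""
    rules = {}
    for entry in value.split():
        url, sep, params = entry.partition("?")
        rules[url] = set(params.split(",")) if sep else None
    return rules


def find_deny(text):
    """Return the first deny pattern (in list order) found in text, or None."""
    for pat in COMPILED:
        if pat.search(text):
            return pat.pattern
    return None


def check_request(url, params, whitelist, enabled=True):
    """Decide whether a request (URL path plus parameter name/value pairs)
    passes the filter. Returns (accepted, log_line); log_line mirrors the
    BCA-Networks.log message quoted in the text when a request is denied."""
    if not enabled:                            # badInputFilterEnabled=false
        return True, None
    if url in whitelist and whitelist[url] is None:
        return True, None                      # whole URL exempt
    exempt = whitelist.get(url) or set()
    for name, value in params.items():
        if name in exempt:
            continue                           # only this parameter is exempt
        for text in (name, value):             # both names and values are checked
            hit = find_deny(text)
            if hit is not None:
                return False, ("Request is not acceptable (Error code: 406). "
                               f"Deny pattern [{hit}] found in request property [{text}]")
    return True, None


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    wl = parse_whitelist(
        "/bca-networks/admin/saveLoggingProperties.do?loggingProperties,defaultLoggingProperties")
    print(check_request("/bca-networks/device/save.do", {"name": "Device Name <"}, wl))
    print(check_request("/bca-networks/device/save.do", {"name": "core-sw-01"}, wl))
    print(check_request("/bca-networks/admin/saveLoggingProperties.do",
                        {"loggingProperties": "log4j.appender=<file>"}, wl))
```

Two properties of the real filter that the model makes visible: the deny list is matched against raw request data, so a legitimate device name containing `<` is rejected exactly like an injected tag (hence the whitelist mechanism), and the patterns other than `(?i)javascript` are case-sensitive, so `Document.Cookie` would pass the regex list even though `document.cookie` does not.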
For detailed information about these properties, see Default-global-properties-file.
Handling the CSRF attacks
A CSRF attack is a type of vulnerability that tricks users into submitting malicious requests, executing unwanted actions on a web application in which they are currently authenticated. This attack usually targets requests that cause a state change on the server, such as changing a user's password.
BMC Network Automation prevents CSRF attacks by associating a session token (also called a CSRF token) with every state-changing request made by a user. The token changes with every subsequent request and is generated by a secure random number generator. The server rejects the request if the token cannot be validated, and the following error message appears:
You cannot view the requested page or perform the requested action. Please verify
that your login privileges allow you to access the page or perform the action,
your session has not been timed out, and you have not accidentally double-clicked
on active buttons.
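The following Python sketch is an added example of the token scheme described above, not BMC's implementation: a per-session token minted from a cryptographically secure generator, compared in constant time, and regenerated after every validated state-changing request so that a captured or replayed token is useless. The store class, the handler, and the choice of which HTTP methods count as state-changing are assumptions made for the demonstration.

```python
import hmac
import secrets

# Added example (not BMC code): a session-bound CSRF token that is regenerated
# after every validated state-changing request. The store, the handler and the
# STATE_CHANGING set are assumptions for this demonstration.
STATE_CHANGING = {"POST", "PUT", "DELETE"}
CSRF_ERROR = ("You cannot view the requested page or perform the requested action. "
              "Please verify that your login privileges allow you to access the page "
              "or perform the action, your session has not been timed out, and you "
              "have not accidentally double-clicked on active buttons.")


class CsrfTokenStore:
    def __init__(self):
        self._tokens = {}                         # session_id -> current token

    def issue(self, session_id):
        """Mint a fresh token from a cryptographically secure RNG and make it
        the only valid token for this session."""
        token = secrets.token_urlsafe(32)
        self._tokens[session_id] = token
        return token

    def consume(self, session_id, presented):
        """Validate in constant time, then rotate. Returns the next token, or
        None when validation fails. On failure the current token is kept, so
        a guessed or stale token cannot invalidate the user's open form."""
        expected = self._tokens.get(session_id)
        if expected is None or not isinstance(presented, str):
            return None
        if not hmac.compare_digest(expected.encode(), presented.encode()):
            return None
        return self.issue(session_id)


def handle(store, session_id, method, form):
    """Minimal request handler: state-changing methods must carry the current
    token in form['csrfToken']; reads (GET) do not. Returns (status, body),
    where body is the next token on success or the error page text on failure."""
    if method not in STATE_CHANGING:
        return 200, None
    next_token = store.consume(session_id, form.get("csrfToken"))
    if next_token is None:
        return 403, CSRF_ERROR
    return 200, next_token


if __name__ == "__main__":
    # Constructed walkthrough: a legitimate submit, then a replay of the used token.
    store = CsrfTokenStore()
    first = store.issue("session-1")
    print(handle(store, "session-1", "POST", {"csrfToken": first})[0])   # 200
    print(handle(store, "session-1", "POST", {"csrfToken": first})[0])   # 403: token already rotated
```

The rotation is why the product's error text mentions double-clicking: the second click resubmits the token that the first click already consumed, and the server correctly rejects it. The token must be bound to the session (keyed by session_id here), otherwise a token obtained in one session would validate requests in another.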
Handling the brute force attacks
A brute force attack is a trial-and-error method used by an attacking program to obtain information such as a password or personal identification number (PIN). The program tries candidate values exhaustively rather than relying on any smarter strategy.
BMC Network Automation prevents brute force attacks by locking the user account. If a user provides an incorrect password while logging in to BMC Network Automation, the user is locked after a particular number of failed login attempts. The user is either unlocked automatically after a specific time period or unlocked by a user with the Unlock Users right. For more details, see Locking-or-unlocking-users.
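The following Python class is an added example of the lockout behaviour described above, not BMC's code: it counts consecutive failures per user, locks the account at a threshold, unlocks it automatically once the lock period has elapsed, and exposes a manual unlock for an administrator. The threshold of 5 attempts and the 15-minute lock period are assumed values (the product's own settings are documented under Locking-or-unlocking-users), and the clock is injectable so the time-based unlock can be exercised deterministically.

```python
import time

# Added example (not BMC code): account lockout after repeated failed logins
# with automatic unlock after a lock period and manual unlock by an admin.
# max_failures=5 and lock_seconds=900 are assumed defaults, not product values.


class LoginGuard:
    def __init__(self, verify_password, max_failures=5, lock_seconds=900,
                 clock=time.monotonic):
        self._verify = verify_password     # callable(user, password) -> bool
        self._max_failures = max_failures
        self._lock_seconds = lock_seconds
        self._clock = clock                # injectable for deterministic tests
        self._failures = {}                # user -> consecutive failed attempts
        self._locked_until = {}            # user -> clock value when the lock expires

    def is_locked(self, user):
        until = self._locked_until.get(user)
        if until is None:
            return False
        if self._clock() >= until:
            self.unlock(user)              # automatic unlock after the lock period
            return False
        return True

    def attempt(self, user, password):
        """Returns 'OK', 'BAD_PASSWORD' or 'LOCKED'. A locked account is refused
        even when the password is correct, so continuing to guess during the
        lock period gains the attacker nothing."""
        if self.is_locked(user):
            return "LOCKED"
        if self._verify(user, password):
            self._failures.pop(user, None)  # success resets the counter
            return "OK"
        count = self._failures.get(user, 0) + 1
        self._failures[user] = count
        if count >= self._max_failures:
            self._locked_until[user] = self._clock() + self._lock_seconds
            return "LOCKED"
        return "BAD_PASSWORD"

    def unlock(self, user):
        """Manual unlock (the Unlock Users right in the product)."""
        self._failures.pop(user, None)
        self._locked_until.pop(user, None)


if __name__ == "__main__":
    # Constructed credential check; a real deployment verifies against a password store.
    guard = LoginGuard(lambda u, p: (u, p) == ("admin", "s3cret"), max_failures=3, lock_seconds=60)
    for pw in ("a", "b", "c", "s3cret"):
        print(pw, guard.attempt("admin", pw))   # BAD_PASSWORD, BAD_PASSWORD, LOCKED, LOCKED
```

In a deployment with more than one application server the failure counter and lock timestamp have to live in shared storage (the database, in the product's case) rather than in process memory, otherwise an attacker can spread attempts across servers and never reach the threshold.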
Data security
BMC Network Automation can use SSL and HTTPS for all communications between the BMC Network Automation application server, BMC Network Automation remote device agents, devices, and users. It can also use secure protocols such as SSH and Secure Copy Protocol (SCP) to the extent that devices support them.
User access requires a user name and password. Fine-grained control over the roles and rights of users is provided; see Managing-access.
Encrypting the Oracle external database
To manage devices in BMC Network Automation, the infrastructure manager must be able to encrypt BMC Network Automation data files on the file system and when performing client-server CRUD operations in the Oracle Database. BMC Network Automation version 8.9.x supports encryption for Oracle database 11g R2 and 12c.
Prerequisites
Ensure that you meet the following preconditions before encrypting the Oracle external database:
- BMC Network Automation is integrated with Oracle Enterprise database
- Wireshark is installed on the computer on which BMC Network Automation is installed
To enable network-level encryption on an existing BMC Network Automation server or a freshly installed server
1. Log on to the computer where the Oracle Enterprise database is installed.
2. Open sqlnet.ora, located at %ORACLE_HOME%\NETWORK\ADMIN, and add the following entries:
   SQLNET.ENCRYPTION_SERVER = REQUESTED
   SSL_CLIENT_AUTHENTICATION = true
   SSL_CERT_REVOCATION = NONE
   With REQUESTED, the server encrypts the connection whenever the client allows or requests it but still accepts a client that rejects encryption; the REQUIRED setting refuses unencrypted connections. The capture in step 4 shows which behaviour you actually have.
3. Restart the BMC Network Automation server.
4. Use Wireshark to capture the traffic between the BMC Network Automation server and the database and check that the data is encrypted.
To enable Oracle transparent data encryption (TDE) on a fresh BMC Network Automation installation
1. Create an Oracle database wallet with a master encryption key by using the tutorial at http://www.oracle.com/webfolder/technetwork/tutorials/obe/db/11g/r2/prod/security/tde/tde.htm.
2. Verify that the DB vault has been created and is in the open state.
3. Create an encrypted tablespace within the Oracle server.
4. Create a user on the Oracle server that is tied to the encrypted tablespace created in step 3.
5. Choose Oracle Database when installing BMC Network Automation afresh, specify the user credentials created in step 4, and complete the installation.
6. Verify the tables and other database-related details from the Oracle Console.
To enable Oracle TDE on an existing BMC Network Automation installation
1. Stop the BMC Network Automation server.
2. Create a new encrypted tablespace within the Oracle server.
3. Export the BMC Network Automation database schema to a backup dump file.
4. Import the BMC Network Automation database schema exported in step 3 into the newly created encrypted tablespace, using the Data Pump import parameter remap_tablespace=old_tablespace:encrypted_tablespace.
5. Verify the database objects and data from the Oracle Console.
6. Start the BMC Network Automation server and verify the integrity of the BMC Network Automation server and all the data.