Important This version of the product has reached end of support. The documentation is available for your convenience. However, you must be logged in to access it. You will not be able to leave comments.

Security planning

Review the following topics for information about how TrueSight Network Automation provides security and for recommendations on deploying securely:

Related topics

 Roles and permissions

 Planning

Security assessment FAQs

Question

Response

Does the product development follow a Security Development Lifecycle (SDL) process?

No. The TrueSight Network Automation product does not follow a formal SDL process. However, many aspects of the SDL process are considered during our development lifecycle and are documented as follows.

Do you conduct security reviews? If so, what?

Yes. Security-related product testing is done as part of each release. In addition, the BMC AppSec team performs penetration and other security tests on our product prior to each release.  

Do you use any tools to test for vulnerabilities?

Static Code Analysis tools

Yes. FindBugs is run against each nightly build. The results are analyzed frequently and all high severity items are addressed before product release.

Dynamic Code Analysis tools

Yes. Nexus IQ Server dependency checks are run against each nightly build. The results are analyzed frequently and all high severity items are addressed before product release.

Penetration testing tools

Yes. IBM AppsScan and Nessus are used by the BMC AppSec team to perform penetration testing before each release. The results are analyzed and all high severity items are addressed before product release.

Can you provide the results of these vulnerability reviews performed?

Yes. BMC can provide the report from the BMC AppSec team upon request.

Have you closed on vulnerabilities found for the subject application using these application security reviews?

Yes. All High/Severe issues are required to be closed before releasing the software as part of our Quality Certification (QCert) checkpoint; low/medium issues are reviewed and assessed on a case-by-case basis.

Are you committed to perform regular security reviews of the application and resolving vulnerabilities identified?

Yes, BMC is committed to resolve all Common Vulnerability Scoring System (CVSS) High and Critical vulnerabilities found in our code and remediate any found in 3rd party components we include and ship with our product. BMC's AppSec team performs regular penetration tests during the product's release lifecycle. See www.bmc.com/security for BMC's disclosure and alert details.

BMC and the TrueSight Network Automation product are committed to monitor, find, and resolve security-related product issues both during our release process and after releases are available to customers. For the TrueSight Network Automation Product:

  • Nexus IQ Server 3rd Party dependency checks are run and reviewed on every nightly build; issues are resolved shortly after they are detected
  • 3rd Party Dependencies are updated to the latest versions several times during our release lifecycle
  • BMC AppSec team performs penetration and other security-related testing on the product at least once prior to release
  • QA team runs AppsScan (penetration testing tool) regularly during the release lifecycle; issues are resolved shortly after they are detected
  • BMC Quality Certification (QCert) contains a security section that all products must complete and pass before receiving executive sign-off for release

Is the product FIPS-140 compliant?

Yes. TrueSight Network Automation is Federal Information Processing Standard (FIPS) Publication 140-2 compliant. TrueSight Network Automation uses the RSA JSafeJCE security provider for FIPS compliance.

What type of encryption is used for storing sensitive data?

AES256 is used for storing sensitive data.

What type of encryption is used for communication between the application server and remote device agents, and agent and devices?

  • For communication between the TrueSight Network Automation application server and the TrueSight Network Automation remote device agents, TrueSight Network Automation uses the TLSv1.2 handshaking protocol and the TLS_RSA_WITH_AES_128_CBC_SHA256 cipher suite (versions 8.9.02 and earlier) and TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (version 8.9.03 and later).
  • For communication between the agent and devices, TrueSight Network Automation establishes an SSH connection with the device. TrueSight Network Automation supports the Advanced Encryption Standard (AES) algorithm with 128, 192, or 256-bit key lengths.

What kind of encryption is used when the database is not fully encrypted, for example, when using Oracle?

All passwords used for local authentication and in Device Security Profiles (DSPs) are encrypted. Configuration files do not reside in the file system but are encoded and stored in the database.

Back to top

Handling web security vulnerabilities in TrueSight Network Automation

TrueSight Network Automation is capable of handling the following web security vulnerabilities:

  • Cross-Site Scripting (XSS) attack
  • Cross-Site Request Forgery (CSRF) attack
  • Brute force attack

Handling the XSS attacks

XSS attack is a type of web application vulnerability wherein an attacker can execute malicious scripts (also known as a malicious payload) into a legitimate website or web application. XSS enables attackers to inject a client-side script (usually JavaScript) into web pages that are to be viewed by other users through HTTP requests. Attackers can use this type of vulnerability to bypass access controls such as the same-origin policy.

To run the malicious JavaScript in the victim's browser, the attacker usually injects it into one of the pages that the victim downloads from the website. This can happen if the website directly includes user input in its pages.

To handle XSS, TrueSight Network Automation includes an optional filter that restricts certain characters and patterns from being included in the HTTP request from a user. If the filter detects these characters or patterns in the request, TrueSight Network Automation denies the response to the request and generates an error message.

You can configure this filter to restrict various characters and patterns by setting these properties in the global.properties file. Note that the web server service must be restarted in order to use any updated settings.

  • badInputFilterEnabled: If set to true (default), it validates the incoming HTTP requests against the characters and patterns that could be embedded in the malicious scripts. If you set its value to false, the filter is disabled and HTTP requests are not validated.

  • badInputFilterDeny: Contains the characters and patterns against which to validate the incoming HTTP requests. If the request contains any of these characters or patterns, the user is redirected to the following error message:

    Not acceptable.
    Your request triggered an error! You may have entered illegal characters
    into one or more data entry fields. Please contact your system administrator
    for assistance.

    Note

    Microsoft Internet Explorer might display a different message than the stated above. To display the actual message that the Web server sends, follow these steps:

    1. In Internet Explorer, on the Tools menu, click Internet Options.
    2. On the Advanced tab, under the Browsing section, clear the Show friendly HTTP error messages check box, and then click OK.
    3. Close the browser.

    If you encounter this error message, open the BCA-Networks.log file. You will find an error message similar to the following one, which includes the characters or patterns that caused the HTTP request to be denied:

    com.bmc.bcan.webapp.filter.security.BadInputFilter checkDenies
    SEVERE: [Thread=http-nio-443-exec-7] Request is not acceptable (Error code: 406).
    Deny pattern [<] found in request property [Device Name <]

    When you upgrade to version 8.9.01 or later, the following characters and patterns are restricted by default. Configure the global.properties  file according to your requirements to allow characters or patterns.

    \x00,\x04,\x08,",`,<,>,document(.*)\\.(.*)cookie,eval(\\s*)\\(,setTimeout(\\s*)\\(,setInterval(\\s*)\\(,execScript(\\s*)\\(,(?i)javascript(?-i):,(.*\\.|^|.*|\\[('|\"))(c|C)lass(\\.|('|\")]|\\[).*

    When you upgrade to version 8.9.00, the following characters and patterns are restricted by default. Configure the global.properties file according to your requirements to allow characters or patterns.

    \x00,\x04,\x08,",`,<,>,document(.*)\\.(.*)cookie,eval(\\s*)\\(,setTimeout(\\s*)\\(,setInterval(\\s*)\\(,execScript(\\s*)\\(,(?i)javascript(?-i) 

    Note

    If you are using these default characters and patterns widely in your TrueSight Network Automation system, and you are getting the error message frequently (for example, after upgrade to 8.9), you can disable the filter. However, for enhanced security, BMC recommends that you clean up the system to eliminate these characters and patterns, and then enable the filter.

  • badInputFilterWhitelistUrls: Contains the URLs or the specific parameters within URLs that must be ignored by the filter. Some features in TrueSight Network Automation (for example, Injection Templates) use the characters or patterns that are by default included in badInputFilterDeny. However, these characters or patterns are mandatory for those features to work. Default value of this property is the URL of the Injection Template that is restricted by badInputFilter due to use of characters included in badInputFilterDeny. Use the following guidelines to specify URLs and parameters:
    • To ignore any specific URL, specify that URL as the value of badInputFilterWhitelistUrls.
    • To ignore multiple URLs, separate them by spaces.
    • To ignore only specific parameters within a URL, use the question mark (?) after the URL and then specify the parameter. For example, /bca-networks/admin/saveLoggingProperties.do?loggingProperties.
    • To ignore multiple parameters within a URL, separate them by commas. For example, /bca-networks/admin/saveLoggingProperties.do?loggingProperties,defaultLoggingProperties.

For detailed information about these properties, see Default-global-properties-file.

Handling the CSRF attacks

CSRF attack is a type of vulnerability that forces users into submitting malicious requests and executing unwanted actions on a web application in which they are currently authenticated. This attack usually targets requests that cause a state change on the server, such as changing password for a user.

TrueSight Network Automation prevents the CSRF attacks by associating a session token (also called CSRF token) with every state-changing request by a user. The session token changes with every subsequent request. This token is generated by a secure random number generator. The server rejects the request if the token cannot be validated and the following error message appears:

Security Violation
You cannot view the requested page or perform the requested action. Please verify
that your login privileges allow you to access the page or perform the action,
your session has not been timed out, and you have not accidentally double-clicked
on active buttons.

Handling the brute force attacks

Brute force attack is a trial and error method used by application programs to obtain information such as a password or personal identification number (PIN). The application programs try to decode encrypted data through exhaustive efforts rather than employing intellectual strategies.

TrueSight Network Automation prevents brute force attacks by locking a user. If a user provides an incorrect password while logging in to TrueSight Network Automation, the user gets locked after a particular number of failed login attempts. Either the user gets unlocked automatically after a specific time period or a user with the Unlock Users right can unlock the user. For more details, see Locking-or-unlocking-users.

Data security

TrueSight Network Automation is capable of using SSL and HTTPS for all communications between the TrueSight Network Automation application server, TrueSight Network Automation remote device agents, devices, and users. It is also capable of using secure protocols such as SSH and Secure Copy Protocol (SCP) to that extent that devices support them.

User access requires a user name and password. Fine-grained control for the roles and rights of users is provided; see the Managing-access.

Encrypting the Oracle external database

To manage devices in TrueSight Network Automation, the infrastructure manager must be able to encrypt TrueSight Network Automation data files on the file system and when performing client-server CRUD operations in the Oracle Database. TrueSight Network Automation version 8.9.x supports encryption for Oracle database 11g R2 and 12c.

Prerequisites

Ensure that you meet the following preconditions before encrypting the Oracle external database:

  • TrueSight Network Automation is integrated with Oracle Enterprise database
  • Wireshark is installed on the computer on which TrueSight Network Automation is installed

To enable network-level encryption on an existing TrueSight Network Automation server or a freshly installed server

  1. Log on to the computer where Oracle Enterprise database has been installed.

  2. Open sqlnet.ora located at %ORACLE_HOME%\NETWORK\ADMIN and add the following entries:

    SQLNET.ENCRYPTION_SERVER = REQUESTED
    SSL_CLIENT_AUTHENTICATION = true
    SSL_CERT_REVOCATION = NONE
  3. Restart the TrueSight Network Automation server.
  4. Use Wireshark to snoop and check whether the data is encrypted.

Back to top

To enable Oracle transparent data encryption (TDE) on a fresh TrueSIght Network Automation installation

  1. Create an Oracle database wallet with a master encryption key by using the tutorial at http://www.oracle.com/webfolder/technetwork/tutorials/obe/db/11g/r2/prod/security/tde/tde.htm.
  2. Verify that the DB vault has been created and is in the open state.
  3. Create an encrypted Tablespace within the Oracle server.
  4. Create a user on the Oracle server, which is tied with the encrypted Tablespace created in step 3.

  5. Choose Oracle Database when installing TrueSight Network Automation afresh, specify the user credentials created in step 4, and complete the installation.

    Note

    Do not create the Oracle user by using the TrueSight Network Automation installation program.

  6.  Verify tables and database-related details from the Oracle Console.

    Note

    The database wallet must be open to enable the TrueSight Network Automation server to access the database.

Back to top

To enable Oracle TDE on an existing TrueSight Network Automation installation

  1. Stop the TrueSight Network Automation server.
  2. Create a new encrypted Tablespace within the Oracle server.
  3. Export the TrueSight Network Automation database schema to a backup dump file.
  4. Import the TrueSight Network Automation database schema that is exported in step 3 to the newly created encrypted Tablespace. (Use the  remap_tablespace=old_tablespace : encrypted_tablespace parameter).
  5. Verify the database objects and data from the Oracle Console.

  6. Start the TrueSight Network Automation server and verify the integrity of the TrueSight Network Automation server and all the data.

    Note

    The database wallet must be open to enable the TrueSight Network Automation server to access the database.

Encrypting the SQL Server database

To manage devices in TrueSight Network Automation, the infrastructure manager must be able to encrypt TrueSight Network Automation data files on the file system and when performing client-server CRUD operations in the SQL Server Database.

Enabling the network-level encryption on SQL Server

TrueSight Network Automation 8.9.supports network-level encryption for the following SQL Server versions:

  • SQL Server 2016 
  • SQL Server 2014 
  • SQL Server 2012 
  • SQL Server 2008 R2 SP3
  • SQL Server 2008 

To enable the network-level encryption

  1. Log on to the SQL Server Configuration Manager.
  2. Under SQL Server Network Configuration, double-click MSSQLSERVER.
  3. On the Flags tab, check the value of the Force Encryption parameter.
    • If the value of Force Encryption is set to Yes, you do not need to perform any steps on TrueSight Network Automation. The network-level encryption is forced for all the communication.
    • If the value of Force Encryption is set to No, while installing TrueSight Network Automation, on the Database Information panel, in the Additional Database URL Options field, specify encrypt=true. For information about this field, see Installing-the-application-server-on-Windows or Installing-the-application-server-on-Linux.

Enabling SQL Server TDE

TDE uses Database Encryption Key (DEK) which is secured by a certificate and kept in the master database. DEK is either protected by certificate or an asymmetric key secured by Extensible Key Management (EKM) handler with the help of Microsoft Cryptographic API (MSCAPI). In TDE, data is encrypted using Advanced Encryption Standard (AES) and Triple Data Encryption Standard (3DES) encryption algorithms.

TrueSight Network Automation version 8.9.03 supports TDE for the following SQL Server versions:

  • SQL Server 2016 
  • SQL Server 2014 
  • SQL Server 2012 

Note

  • TrueSight Network Automation supports TDE out-of-box and no changes are required on the TrueSight Network Automation side. You need to make changes on the database side. Contact your database administrator to enable TDE.
  • The instructions provided in the following procedure are only for reference purpose. For detailed instructions, see the SQL Server documentation.


To enable SQL Server TDE

  1. Create a master key with a strong password:

    USE master;
    GO
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<password>';
    GO

  2. Create a certificate:

    CREATE CERTIFICATE <certificateName> WITH SUBJECT = '<subject>';
    GO

  3. Create the DEK with AES_128 algorithm using the certificate you created:

    USE <databaseName>;
    GO
    CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_128
    ENCRYPTION BY SERVER CERTIFICATE <certificateName>;
    GO

    The following warning appears which indicates that you should back up the certificate and private key (DEK):

    The certificate used for encrypting the database encryption key has not been backed up.
    You should immediately back up the certificate and the private key associated with the certificate.
    If the certificate ever becomes unavailable or if you must restore or attach the database on another server,
    you must have backups of both the certificate and the private key or you will not be able to open the database.

  4. (Optional) Back up the certificate and DEK:

    USE master
    GO
    BACKUP CERTIFICATE <certificateName>
    TO
    FILE = 'C:\Backup\<certificateName>'
    WITH PRIVATE KEY (FILE = 'C:\Backup\<DEK>', ENCRYPTION BY PASSWORD = '<password>')
    GO

  5. Enable encryption on the database that you want to enable for TDE:

    ALTER DATABASE <databaseName>
    SET ENCRYPTION ON;
    GO

  6. Verify certificate details and DEK details:

    USE master
    GO
    SELECT encryptor_type, key_length, key_algorithm, encryption_state, create_date
    FROM sys.dm_database_encryption_keys
    GO

     A value of 3 for encryption_state indicates that TDE has been enabled.

Back to top

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*