
One Identity Safeguard for Privileged Sessions 5.0.9 - Release Notes

One Identity Safeguard for Privileged Sessions 5 LTS


Release Notes

December 2018

These release notes provide information about the One Identity Safeguard for Privileged Sessions release.


About this release

Welcome to One Identity Safeguard for Privileged Sessions. This document describes what is new in the latest version of One Identity Safeguard for Privileged Sessions (SPS).

New features

Changes since SPS 4 F4


New user interface design

The user interface has received a facelift and now has a more modern look-and-feel.

Figure 1. The Search page after the facelift


New One Identity Desktop Player

You can use the One Identity Desktop Player application to replay audit trail files that you have downloaded from the One Identity Safeguard for Privileged Sessions.

Figure 2. One Identity Desktop Player


For further details on the One Identity Desktop Player application, see One Identity Safeguard for Privileged Sessions - Technical Documentation.

Modifying the disk size of an SPS virtual appliance

Newly installed SPS 5 LTS virtual instances come with a simplified filesystem structure, making online disk resizing possible. That way, you can more easily accommodate the disk requirements of your stored audit trails. For details, see One Identity Safeguard for Privileged Sessions - Technical Documentation.

Backup and archiving improvements

SPS now fully supports backups and archiving using the NFSv4 protocol. NetApp devices are also supported.

API changes in the AA plugin

The API of the Authentication and Authorization (AA) plugin framework has changed, so existing plugins must be updated:

  • The authorize hook is now mandatory, and it must return at least an ACCEPT verdict.

  • The gateway_user is now a separate argument rather than a value in the key-value pairs.

Changes in the ticketing plugin

SPS 4 F3 and 4 F4 included a ticketing plugin framework to integrate SPS with ticketing systems, for example, to request a valid ticket ID from the user before authorizing the connection. In SPS 5 LTS and later, this functionality is available through the Authentication and Authorization (AA) plugin.

You cannot use ticketing plugins in SPS 5 LTS; they must be reimplemented as AA plugins. Contact the vendor who created the ticketing plugin for you for details on updating it to an AA plugin. If you received the ticketing plugin from One Identity, contact your service delivery partner or our Support Team.
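The following is an added example, not One Identity's code or a plugin shipped with SPS. It shows the shape an AA plugin takes after the two API changes above, with the ticket check that the retired ticketing plugins used to perform folded into the now-mandatory authorize hook, plus a small pre-upload check for both contract changes. The hook parameter names (modelled loosely on the SPS plugin SDK), the dict-with-"verdict" return value, the "ticket_id" key and the ticket store are assumptions for illustration; the authoritative contract is in the Technical Documentation.

```python
"""Added example, not One Identity's code: an SPS 5 LTS style AA plugin with
the old ticketing check in the mandatory authorize hook, a pre-5 plugin kept
for contrast, and a check for the two contract changes in the release notes.

Assumptions (not stated in the release notes): hook parameter names, the
dict-with-"verdict" return value, the "ticket_id" key and OPEN_TICKETS.
"""
import inspect
import re

# Constructed stand-in for the ticketing system: open ticket -> users allowed to work under it.
OPEN_TICKETS = {
    "CHG-1042": {"alice", "bob"},
    "INC-7": {"carol"},
}
TICKET_ID_RE = re.compile(r"^[A-Z]{2,4}-[0-9]{1,8}$")   # validate before any lookup


class Plugin:
    """5 LTS shape: authorize is mandatory and gateway_user is its own argument."""

    def authenticate(self, session_id, protocol, connection_name, client_ip,
                     client_port, key_value_pairs, gateway_user=None, **kwargs):
        # Gateway authentication itself is left to SPS; nothing extra to prove here.
        return {"verdict": "ACCEPT"}

    def authorize(self, session_id, protocol, connection_name, client_ip,
                  client_port, gateway_user, key_value_pairs, **kwargs):
        # gateway_user arrives as a separate argument now. Do not fall back to
        # key_value_pairs.get("gateway_user"): that is the pre-5 location, and the
        # key-value pairs are parsed from client-supplied input (the username).
        ticket = str(key_value_pairs.get("ticket_id", ""))
        if not TICKET_ID_RE.match(ticket):
            return {"verdict": "DENY"}
        if gateway_user not in OPEN_TICKETS.get(ticket, set()):
            return {"verdict": "DENY"}
        return {"verdict": "ACCEPT"}     # at least a verdict must be returned


class LegacyPlugin:
    """Pre-5 LTS shape kept for contrast: no authorize hook, and gateway_user
    fished out of the key-value pairs. This is what needs reimplementing."""

    def authenticate(self, session_id, protocol, connection_name, client_ip,
                     client_port, key_value_pairs, **kwargs):
        user = key_value_pairs.get("gateway_user")
        return {"verdict": "ACCEPT" if user else "DENY"}


def validate_plugin(plugin_cls):
    """Check a plugin class against the two contract changes in the release notes.
    Returns a list of problems; an empty list means both checks passed."""
    authorize = getattr(plugin_cls, "authorize", None)
    if not callable(authorize):
        return ["authorize hook missing (mandatory in SPS 5 LTS)"]
    if "gateway_user" not in inspect.signature(authorize).parameters:
        return ["authorize does not take gateway_user as a separate argument"]
    verdict = plugin_cls().authorize("probe", "rdp", "probe", "127.0.0.1", 0, "nobody", {})
    if not isinstance(verdict, dict) or verdict.get("verdict") not in ("ACCEPT", "DENY"):
        return ["authorize must return a dict with a verdict"]
    return []
```

Run validate_plugin against your own plugin class before uploading it: the legacy shape fails on the missing authorize hook, which is exactly the error class the API change introduces.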

REST API changes

The following new fields are available about recorded sessions at the api/audit/sessions/<connection-key> endpoint (for details on these fields, see One Identity Safeguard for Privileged Sessions - Technical Documentation): _connection_id, alerts, archived, auth_method, command_extracted, events, index_status, network_id, window_title_extracted. Also note that the connection_policy field now contains the name of the Connection Policy that handled the session (in earlier versions it contained a key rather than the name; that key is now available in the connection_policy_id field).

The timestamps returned in the REST API now use the ISO 8601 format instead of UNIX timestamps.

The events of a session and the alerts triggered by them are available at the api/audit/sessions/<connection-key>/events and api/audit/sessions/<connection-key>/alerts endpoints. For details, see One Identity Safeguard for Privileged Sessions - Technical Documentation.

You can now search metadata and session content in the same query, for example: api/audit/sessions?q=protocol:ssh&content=sudo

The REST API now supports X.509 certificate based authentication as well.
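The following is an added example, not One Identity's code, showing the client-side handling of the REST API changes listed above: ISO 8601 timestamps instead of UNIX epochs, connection_policy carrying the policy name with the key moved to connection_policy_id, and the combined metadata plus content search. Requests are only built, not sent, so it runs offline. The endpoint paths and the field names connection_policy, connection_policy_id and alerts come from these release notes; the host name, the start_time field name and the session records are constructed.

```python
"""Added example, not One Identity's code: reading SPS 5 LTS REST API results
from a client that may also still talk to 4.x appliances.

Assumptions: SPS_BASE and the start_time field name are made up for the
example; SAMPLE_SESSIONS are constructed records, not real API output.
"""
from datetime import datetime, timezone
from urllib.parse import urlencode

SPS_BASE = "https://sps.example.com"        # assumed appliance address


def parse_timestamp(value):
    """Return an aware UTC datetime from either representation, so one client
    can read a 4.x box (UNIX epoch) and a 5 LTS box (ISO 8601)."""
    if isinstance(value, (int, float)) or (isinstance(value, str) and value.isdigit()):
        return datetime.fromtimestamp(int(value), tz=timezone.utc)
    text = value.strip()
    if text.endswith("Z"):                    # fromisoformat() rejects 'Z' before Python 3.11
        text = text[:-1] + "+00:00"
    dt = datetime.fromisoformat(text)
    if dt.tzinfo is None:                     # no offset at all: treat as UTC, not local time
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def search_url(query, content=None):
    """api/audit/sessions?q=<metadata query>&content=<text in the session>,
    with both values URL-encoded (the raw example in the notes has a ':' in q)."""
    params = {"q": query}
    if content:
        params["content"] = content
    return f"{SPS_BASE}/api/audit/sessions?{urlencode(params)}"


def session_endpoints(connection_key):
    """The per-session endpoints named in the release notes."""
    base = f"{SPS_BASE}/api/audit/sessions/{connection_key}"
    return {"session": base, "events": base + "/events", "alerts": base + "/alerts"}


def policy_of(session):
    """(name, key) of the Connection Policy. Code that keyed on connection_policy
    before 5 LTS now receives a name and must switch to connection_policy_id."""
    return session["connection_policy"], session["connection_policy_id"]


def sessions_with_alerts(sessions):
    """Triage view: (policy name, UTC start) for every session that raised at
    least one alert, newest first, whatever timestamp format the box returned."""
    hits = [(policy_of(s)[0], parse_timestamp(s["start_time"]))
            for s in sessions if s.get("alerts")]
    hits.sort(key=lambda h: h[1], reverse=True)
    return [(name, ts.isoformat()) for name, ts in hits]


# Constructed records: two in the 5 LTS shape, one with a UNIX timestamp as an
# older appliance would return it.
SAMPLE_SESSIONS = [
    {"connection_policy": "ssh-prod", "connection_policy_id": "10001",
     "start_time": "2018-12-03T14:02:11Z", "alerts": [{"rule": "sudo"}]},
    {"connection_policy": "rdp-admins", "connection_policy_id": "10002",
     "start_time": "2018-12-04T09:15:00+01:00", "alerts": []},
    {"connection_policy": "telnet-legacy", "connection_policy_id": "10003",
     "start_time": 1543820400, "alerts": [{"rule": "su"}]},
]
```

For the X.509 client-certificate authentication also listed above, a client built on the requests library passes the certificate and key as the cert=("client.crt", "client.key") argument of its session; the URL-building functions here do not change.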

Unsupported browsers and operating systems

Support for the following browsers and operating systems is discontinued starting from SPS 5 LTS:

  • Browsers: Internet Explorer 10

  • Operating systems: Windows 2003 Server, Windows Vista

Extended support period for SPS 4 F3

Version 4 F3 has an extended support period and will be supported for 6 months after SPS 5 LTS is released.

New SNMP/email alert when a service fails

There is a new SNMP/email alert, which is triggered when a service fails. For details, see One Identity Safeguard for Privileged Sessions - Technical Documentation.

New authentication protocol options when authenticating users to a RADIUS server

When authenticating users to a RADIUS server, you can now choose the authentication protocol: Password Authentication Protocol (PAP) or Challenge-Handshake Authentication Protocol (CHAP). For more information, see One Identity Safeguard for Privileged Sessions - Technical Documentation.
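The following is an added example, not from these release notes or One Identity, showing what the two RADIUS options mean on the wire per RFC 2865 (User-Password hiding for PAP and the CHAP-Password attribute) and RFC 1994 (the CHAP response). The shared secret, Request Authenticator, challenge and password are constructed test values. The point worth knowing before choosing: with PAP the password itself travels in User-Password (attribute 2), masked only by an MD5 stream keyed with the shared secret and the Request Authenticator, so anyone who learns the shared secret can unmask every captured password; with CHAP the client sends MD5(id || password || challenge) in CHAP-Password (attribute 3), so the password never crosses the network, but the RADIUS server must hold it in clear text (or reversibly) to verify the response.

```python
"""Added example, not One Identity's code: the RADIUS PAP User-Password hiding
(RFC 2865 section 5.2) and the CHAP-Password attribute (RFC 2865 section 5.3,
response per RFC 1994), with the server-side recovery/verification for each.

All key material below is constructed for the example.
"""
import hashlib
import hmac

SECRET = b"constructed-shared-secret"
REQUEST_AUTHENTICATOR = bytes(range(16))      # normally 16 random bytes per request
CHAP_CHALLENGE = bytes.fromhex("a1" * 16)      # CHAP-Challenge (attribute 60); the Request Authenticator if absent
PASSWORD = b"correct horse battery staple"


def pap_hide_password(password, secret, request_authenticator):
    """Pad with NULs to a multiple of 16, then c(1) = p(1) xor MD5(S + RA) and
    c(i) = p(i) xor MD5(S + c(i-1)). This is the User-Password attribute value."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], keystream))
        out += c
        prev = c
    return bytes(out)


def pap_reveal_password(hidden, secret, request_authenticator):
    """Server side, or anyone holding the shared secret: regenerate the same
    keystream and XOR back. NUL padding is stripped, so passwords with embedded
    NULs are ambiguous (a limitation of the RFC scheme, not of this code)."""
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        c = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(c, keystream))
        prev = c
    return bytes(out).rstrip(b"\x00")


def chap_password_attr(chap_ident, password, challenge):
    """CHAP-Password value: 1 octet CHAP Ident followed by the 16 octet response
    MD5(Ident || password || challenge). The password itself is never sent."""
    ident = bytes([chap_ident & 0xFF])
    return ident + hashlib.md5(ident + password + challenge).digest()


def chap_verify(attr_value, stored_password, challenge):
    """Server side: recompute from the stored clear-text password and compare
    in constant time. This is why CHAP needs the server to keep the password."""
    if len(attr_value) != 17:
        return False
    ident, response = attr_value[:1], attr_value[1:]
    expected = hashlib.md5(ident + stored_password + challenge).digest()
    return hmac.compare_digest(expected, response)
```

pap_reveal_password is deliberately the same function a server runs: the only thing standing between a captured PAP exchange and the clear-text password is the shared secret, so treat that secret (and the network between SPS and the RADIUS server) accordingly, or prefer CHAP where the server can support it.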

Export/import the configuration of SPS using the console

You can now export/import the configuration of SPS from the console using a script. For further details, see One Identity Safeguard for Privileged Sessions - Technical Documentation.

Improved search in reports created from audit trail content

The character limit on search words when looking for specific search expressions in content subchapters has been raised from 150 to 255 characters. For details, see One Identity Safeguard for Privileged Sessions - Technical Documentation.

Changes between SPS 4 LTS and 4 F4


Installation and upgrade-related improvements

Installing One Identity Safeguard for Privileged Sessions as a Kernel-based Virtual Machine

You can deploy SPS as a virtual appliance using the Kernel-based Virtual Machine (KVM) solution. For details, see One Identity Safeguard for Privileged Sessions - Technical Documentation.

SPS in Azure Marketplace

You can deploy SPS from the Microsoft Azure Marketplace, with a bring-your-own-license model. For details, see the One Identity Safeguard for Privileged Sessions virtual machine page.

When deployed from the Azure Marketplace, you can use Azure File storage shares in your Backup and Archive policies. This is useful because the quota of the file share can be changed dynamically, so the cumulative size of the audit trails is not limited by the OS disk size. You set up such a share as a normal SMB share in your Backup and Archive policies; the parameters for the policy are available from the Azure portal.

SPS in Azure Cloud

You can deploy SPS as a virtual machine in the Microsoft Azure cloud computing platform. This allows you to conveniently audit access to your entire virtualized infrastructure.

Simplified, more robust upgrade process

SPS 4 F1 offers a more robust upgrade process that allows you to test upgrading your configuration and correct any settings that are not compatible with version 4 F1. Firmware upgrading has also been simplified: instead of uploading the boot and core firmware separately, you upload a single ISO file and SPS extracts the firmware on the box.

For details, see One Identity Safeguard for Privileged Sessions - Technical Documentation.

Protocol-related improvements

Credential store fallback

Until now, if SPS was configured to use a credential store but could not retrieve the password or reach the store, it rejected the session. From now on, SPS falls back to asking the user for a password in such scenarios, so your users can still access the target server. This fallback is supported in the RDP, SSH, and Telnet protocols. Keep in mind that it trades fail-closed behaviour for availability: while the credential store is unreachable, a user who knows the target password can still log in.

Inband destination selection improvements in RDP

Using inband destination selection in RDP connections without a Terminal Services Gateway was difficult and limited, because Windows RDP clients often send only the first 9 characters of the username to the server. SPS now supports parsing key-value pairs from the username, making it possible to encode the address and port of the target server into the username of the client.

Plugin framework for authentication and authorization (AAPlugin)

SPS now includes a new plugin framework that allows you to integrate with external third-party tools to request authentication or authorization for connections that SPS monitors. As a first step, AAPlugins are supported only in RDP connections.

Such plugins allow you, for example, to request additional challenge-response information from the user or an external system (for example, LDAP or Active Directory), and permit or deny the connection based on this information. For details, contact the One Identity Support Team.

Windows 10 support and new client applications

SPS now supports the Remote Desktop client of Windows 10.

In addition, the Royal TSX client application running on OS X, and the WinFIOL SSH client are also supported.

Network Level Authentication in RDP without domain membership

There are scenarios when you want to use SPS to monitor RDP access to servers that accept only Network Level Authentication (NLA, which uses CredSSP), but SPS is not a member of the same domain (or of a trusted domain) as the RDP server. For example, you cannot add SPS to that domain for some reason, or the RDP server is a standalone server that is not part of a domain. SPS now supports such scenarios as well.

Authentication improvements in HTTP

SPS now supports the following inband authentication methods for the HTTP protocol: Basic Access Authentication (according to RFC 2617), and the NTLM authentication method commonly used by Microsoft browsers, proxies, and servers. This allows SPS to identify HTTP sessions better, and also makes it possible to match authorized sessions to real users.

Furthermore, for authenticated sessions, SPS can perform group-based user authorization that allows you to fine-tune access to your servers and services: you can now set the required group membership in the Channel policy of the HTTP connection.
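The following is an added example, not SPS code, of extracting the user identity from the two inband HTTP authentication methods named above, the way a proxy in SPS's position has to before it can apply a group-based Channel policy. Basic follows RFC 2617 (base64 of "userid:password"); NTLM follows the AUTHENTICATE_MESSAGE (type 3) layout from MS-NLMP, the only NTLM message that names the user. The sample headers, the hand-built type 3 message and the group directory are constructed stand-ins (the directory plays the role of LDAP/AD).

```python
"""Added example, not One Identity's code: user identity from HTTP Basic and
NTLM Authorization headers, then a group-membership check on that identity.

SAMPLE_HEADERS, build_type3() output and GROUP_DIRECTORY are constructed.
"""
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
TYPE3_HEADER_LEN = 64        # signature, message type, 6 field descriptors, flags


def parse_basic(header_value):
    """'Basic <base64>' -> user name, or None if this is not well-formed Basic."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        creds = base64.b64decode(blob, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, _password = creds.partition(":")   # the password never leaves this function
    return user if sep and user else None


def ntlm_field(msg, desc_offset):
    """Decode a Len/MaxLen/Offset descriptor and return the bytes it points to,
    refusing descriptors that point outside the message."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, desc_offset)
    if offset + length > len(msg):
        raise ValueError("NTLM field descriptor points outside the message")
    return msg[offset:offset + length]


def parse_ntlm_type3(header_value):
    """'NTLM <base64>' -> (domain, user) from an AUTHENTICATE_MESSAGE, else None.
    Handles raw NTLMSSP blobs only, not SPNEGO-wrapped Negotiate tokens."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() != "ntlm":
        return None
    try:
        msg = base64.b64decode(blob, validate=True)
    except ValueError:
        return None
    if len(msg) < TYPE3_HEADER_LEN or not msg.startswith(NTLMSSP_SIGNATURE):
        return None
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type != 3:
        return None                 # type 1 (negotiate) and type 2 (challenge) carry no user
    (flags,) = struct.unpack_from("<I", msg, 60)
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "cp437"   # OEM code page assumed
    try:
        domain = ntlm_field(msg, 28).decode(enc)    # DomainNameFields
        user = ntlm_field(msg, 36).decode(enc)      # UserNameFields
    except (ValueError, UnicodeDecodeError):
        return None
    return domain, user


def identity_from_headers(headers):
    """Canonical identity for authorization: 'user' for Basic, 'DOMAIN\\user' for NTLM."""
    auth = headers.get("Authorization", "")
    user = parse_basic(auth)
    if user is not None:
        return user
    ntlm = parse_ntlm_type3(auth)
    if ntlm is not None:
        domain, user = ntlm
        return f"{domain}\\{user}" if domain else user
    return None


def build_type3(domain, user, flags=NTLMSSP_NEGOTIATE_UNICODE):
    """Constructed test vector: a minimal AUTHENTICATE_MESSAGE with empty
    responses and session key, enough to parse but useless for real authentication."""
    items = [b"", b"", domain.encode("utf-16-le"), user.encode("utf-16-le"), b"", b""]
    header = NTLMSSP_SIGNATURE + struct.pack("<I", 3)
    offset = TYPE3_HEADER_LEN
    for item in items:       # LmResp, NtResp, Domain, User, Workstation, SessionKey
        header += struct.pack("<HHI", len(item), len(item), offset)
        offset += len(item)
    header += struct.pack("<I", flags)
    return header + b"".join(items)


SAMPLE_HEADERS = {   # constructed
    "basic": {"Authorization": "Basic " + base64.b64encode(b"alice:hunter2").decode()},
    "basic_garbage": {"Authorization": "Basic %%%not-base64%%%"},
    "ntlm_type3": {"Authorization": "NTLM " + base64.b64encode(build_type3("CORP", "bob")).decode()},
    "ntlm_type1": {"Authorization": "NTLM " + base64.b64encode(
        NTLMSSP_SIGNATURE + struct.pack("<I", 1) + bytes(56)).decode()},
    "bearer": {"Authorization": "Bearer eyJhbGciOiJub25lIn0.e30."},
}

GROUP_DIRECTORY = {"alice": {"web-users"}, "CORP\\bob": {"web-users", "web-admins"}}   # constructed


def authorized(identity, required_groups):
    """Group-based check as a Channel policy applies it: any required group matches."""
    return bool(identity) and bool(GROUP_DIRECTORY.get(identity, set()) & set(required_groups))
```

Two details matter in practice: the NTLM name only appears in the type 3 message, so the first two messages of the exchange give you a session but no user; and every NTLM field descriptor is client-controlled, so the bounds check in ntlm_field is not optional in code that sits in the data path.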

Integrating ticketing systems for RDP connections

SPS provides a plugin framework to integrate SPS with external ticketing (or issue tracking) systems, allowing you to request a ticket ID from the user before authenticating on the target server. That way, SPS can verify that the user has a valid reason to access the server, and optionally terminate the connection if they do not. In addition to SSH and Telnet, SPS 4 F1 adds ticketing support for the Remote Desktop (RDP) protocol.

To request a plugin that interoperates with your ticketing system, contact our Support Team. For details on configuring SPS to use a plugin, see One Identity Safeguard for Privileged Sessions - Technical Documentation.

Telnet improvements

SPS 4 F1 supports the Telnet 5250 terminal protocol, as described in RFC 2877. Extracting usernames from TN5250 connections is not supported.

SPS 4 F1 can properly replay TN3270 audit trails without the upstream encryption key.

Audit trails and indexing

Audit Player indexer service EOL

The Audit Player indexer service has been deprecated and is not supported in SPS 4 F4. Before upgrading, you must configure SPS to use the Indexer service running on SPS, and install and configure external indexers. For details, see One Identity Safeguard for Privileged Sessions - Technical Documentation.

If you need help to estimate the required number and resources of the external indexers, contact the One Identity Support Team.

Caution:

Enabling the indexer without first estimating the required resources is dangerous and can overload the appliance.

The indexer does not support USB Hardware security modules (HSMs). If your audit trails are encrypted and the related private keys are stored on a HSM, DO NOT UPGRADE to SPS 4 F4 or later.

Indexing improvements in graphical protocols

To optimize indexing resources and improve the speed and performance of Optical Character Recognition in graphical protocols, you can now configure Indexer policies for every Connection policy to specify the languages typically used in these connections. For example, if you know that your users use only a few languages in their connections (for example, because they use the Remote Desktop Protocol (RDP) to access only English and French software), then setting these languages in the Indexer policy improves accuracy and reduces the time required to perform character recognition.

For details, see One Identity Safeguard for Privileged Sessions - Technical Documentation.

Indexing Arabic text in graphical protocols

To make the audit trails of graphical protocols easier to review and manage in forensic situations, SPS 4 F3 adds support for Optical Character Recognition for languages that use Arabic characters. That way your auditors can search in the content of the graphical protocols, for example, in the texts typed or seen by a user in RDP, even if the text is Arabic.

Scaling audit trail processing

If SPS audits lots of connections, processing and indexing the created audit trails requires significant computing resources, which may not be available in the SPS appliance. To decrease the load on the SPS appliance, you can install the indexer service on external Linux hosts. These external indexer hosts run the same indexer service as the SPS appliance, and can index audit trails, or generate screenshots and replayable video files from the audit trails as needed. The external indexers register on SPS, wait for SPS to send an audit trail to process, process the audit trail, then return the processed data to SPS. The external indexer hosts do not store any data, so sensitive audit trail content is present on an external indexer only while it is being processed; even so, protect these hosts and their network path to SPS as you would the appliance itself.

IPv6 support for the audited traffic

SPS now supports the auditing of IPv6 environments. You can audit IPv4 clients accessing IPv6 servers, IPv6 clients accessing IPv4 servers, and naturally, IPv6 clients accessing IPv6 servers. You can also use IPv6 addresses with inband destination selection.

Replaying audit trails in your browser

With SPS 4 F1, you can conveniently replay audit trails in your browser, without having to install extra software.

Figure 3. Replaying audit trails in your browser


Directly search for commands and window titles

When using the indexer service of SPS (that is, not the Audit Player application), you can directly search in the detected window titles or the commands of the audit trails. For example, the command:sudo search expression will return the relevant audit trails from terminal connections, while the title:properties search expression will return audit trails from graphical connections. For details, see One Identity Safeguard for Privileged Sessions - Technical Documentation.

Figure 4. Searching for commands in terminal connections


REST API

More SPS features accessible using the REST API

To make integrating SPS into various management systems easier and more complete, you can now use the following SPS features using the RESTful API:

Upload and update plugins using the API. For details, see One Identity Safeguard for Privileged Sessions - Technical Documentation.

The documentation of the REST API received a major update, including sections on several previously undocumented features, an index of the API parameters, and a reorganization of the reference chapter.

For details, see One Identity Safeguard for Privileged Sessions - Technical Documentation.

More SPS features accessible using the REST API

To make integrating SPS into various management systems easier and more complete, you can now access several SPS features using the RESTful API.

Other features will be available via the REST API in future releases.

For details, see One Identity Safeguard for Privileged Sessions - Technical Documentation.

Configuring SPS using a REST API

To make integrating SPS into various management systems possible, you can now access SPS using a RESTful API. Currently the API supports only the parts of the configuration that are changed most often at large enterprises, namely Channel policies.

Other features will be available via the REST API in future releases.

For details, see One Identity Safeguard for Privileged Sessions - Technical Documentation.

Compliance and awards

HPE Security ArcSight CEF Certification

SPS, formerly known as Shell Control Box, has received the HPE Security ArcSight CEF Certification and can send logs to the HPE ArcSight Data Platform via a syslog-ng relay (syslog-ng Premium Edition 5 F6, or syslog-ng Open Source Edition 3.8 and later).

Cybersecurity Excellence Awards

SPS, formerly known as Shell Control Box, was a finalist of the 2016 Cybersecurity Excellence Awards in the Privileged Access Management category. Another One Identity product, the syslog-ng Store Box (SSB), won in the Forensics category. Cybersecurity Excellence Awards are awarded each year to individuals, products and companies that demonstrate excellence, innovation and leadership in information security. Nominees are judged on the content of their nomination and the popular vote of the information security community.

SPS, formerly known as Shell Control Box, wins at SC Awards Europe

One Identity Safeguard for Privileged Sessions has won the SC Awards Europe in the Best Identity Management category.

FSTEK certification

SPS, formerly known as Shell Control Box, has obtained the Federal Service for Technical and Export Control (FSTEK) certification, which is compulsory for information security products in Russia.

Reports and PCI DSS compliance

To help you comply with the regulations of the Payment Card Industry Data Security Standard (PCI DSS), SPS can generate reports on the compliance status of SPS. Note that this is not a fully-featured compliance report: it is a tool to enhance and complement your compliance report by providing information available in SPS. For details, see One Identity Safeguard for Privileged Sessions - Technical Documentation.

The charts in the general operational reports of SPS have been redesigned. In addition, you can replace the One Identity logo on the cover page of SPS reports with your own logo. For details, see One Identity Safeguard for Privileged Sessions - Technical Documentation.

Other

New guides

Separate installation guide. To improve how information is organized in the documentation set and make it easier for users to find information relevant to their roles, we have moved the chapters related to installing SPS to a separate installation guide. For more information on the installation guide, see One Identity Safeguard for Privileged Sessions - Technical Documentation.

Getting your SPS ready for Blindspotter. Blindspotter is the real-time user behavior analytics tool developed by One Identity, that can monitor the behavior of your privileged users based on the data extracted from SPS sessions. One Identity Safeguard for Privileged Sessions - Technical Documentation collects the most important configuration tasks to prepare your SPS installation to integrate with Blindspotter.

Auto-assign option for web gateway authentication

The new auto-assign option simplifies using the web gateway authentication if your users have multiple connections. After you enable auto-assignment, your users can turn on auto-assigning for their connections on the web gateway authentication page. After that, your users do not need to access the SPS web interface to assign every connection individually, it will happen automatically after the initial login. Note that this feature is available only in SPS version 4.4.1 and later.

10Gbit interface support

The SPS T-10 appliance is equipped with a dual-port SFP+ interface card labeled A and B. You can use the 10Gbit interfaces both for proxy traffic and for local services, which means they can be used for the same purposes as the other three physical interfaces. That way, you can use SPS without any additional changes even if your network devices support only 10Gbit and you must connect SPS to a 10Gbit-only network.

Splunk integration

One Identity provides an add-on and an app for Splunk, integrating SPS logs into Splunk and making SPS information available in other Splunk apps, for example, in the Splunk Enterprise Security app. The One Identity SPS Add-On for Splunk and the One Identity SPS App for Splunk are both available for free on Splunkbase.

For details, see One Identity Safeguard for Privileged Sessions - Technical Documentation.

Integration with Blindspotter

SPS now supports the operation of Blindspotter, the real-time user behavior analytics solution of One Identity. Blindspotter is a monitoring tool that maps and profiles user behavior to reveal human risk, and can analyze user behavior using the data from the audit trails recorded by SPS.

Flexible network configuration and VLAN support

To improve the networking flexibility of SPS and make it easier to integrate into complex environments, the networking configuration of SPS has been significantly changed. The most important improvements are as follows:

  • The Bastion and Router modes of operation have been removed, and now you can use SPS in both transparent and non-transparent connections. SPS will automatically handle nontransparent (Bastion-mode) and transparent (Router-mode) connections simultaneously.

  • Bridge mode has been removed from SPS.

  • The network interfaces labeled LAN1, LAN2, and LAN3 (earlier labeled external, internal, and management) of the appliance were dedicated to specific tasks, and you could not use them for other purposes. Now you can configure and use them any way you need to. For example, you can receive transparent connections on LAN1 and LAN2, and route them to LAN3.

  • You can configure multiple logical interfaces for every physical interface. Each logical interface can belong to a different VLAN, and have multiple alias IP addresses.

  • You can configure the services available on SPS (for example, remote SSH access to SPS, access to the web interface, and so on) to be available only on specific IP addresses and ports. You can also restrict access to these services based on the IP address or network of the clients.

  • You can control how SPS routes unmanaged traffic (that is, traffic that passes SPS but is not inspected or audited) between its network interfaces. You can connect interface pairs, and SPS will route all unmanaged traffic between the specified interface pairs.

For details, see One Identity Safeguard for Privileged Sessions - Technical Documentation.
