Single-interface transparent mode is similar to transparent mode, but both client-side and server-side traffic use the same interface. An external device — typically a firewall or a router (or a layer 3 switch) — is required that actively redirects the audited traffic to SPS. To accomplish this, the external device must support advanced routing (also called policy-based routing or PBR). For details on configuring an external device to work with SPS in single-interface transparent mode, see Configuring external devices.
Figure 9: SPS in single-interface transparent mode
The advantages of using the single-interface transparent mode are:
Totally transparent for the clients, no need to modify their configuration
The network topology is not changed
Only the audited traffic is routed to SPS, production traffic is not
The disadvantages of using the single-interface transparent mode are:
SPS acts as a man-in-the-middle regarding the connection between the client and the target server. Instead of a single client-server connection, there are two separate connections: the first between the client and SPS, and a second between SPS and the server. Depending on how you configure SPS, the source IP in the SPS-server connection can be the IP address of SPS, or the IP address of the client. In the latter case — when operating in transparent mode (including single-interface transparent mode) — SPS performs IP spoofing. Consult the security policy of your organization to see if it permits IP spoofing on your network.
Traffic must be actively routed to SPS using an external device, consequently a network administrator can disable SPS by changing routing rules.
When adding a new port or subnet to the list of audited connections, the configuration of the external device must be modified as well.
A network administrator can (intentionally or unintentionally) easily disable monitoring of the servers, therefore additional measures have to be applied to detect such activities.
In non-transparent mode, SPS acts as a bastion host — administrators can address only SPS, the administered servers cannot be targeted directly. The firewall of the network has to be configured to ensure that only connections originating from SPS can access the servers. SPS determines which server to connect based on the parameters of the incoming connection (the IP address of the administrator and the target IP and port).
Non-transparent mode inherently ensures that only the controlled (management and server administration) traffic reaches SPS. Services and applications running on the servers remain accessible even if SPS fails, so SPS cannot become a single point of failure.
Non-transparent mode is useful if the general (not inspected) traffic is very high and cannot be forwarded by SPS.
If there is a high number of target devices, do not use fixed address rules in non-transparent mode, as configuration validation might fail. Consider using one of the dynamic configuration options, such as inband destination selection or transparent mode.
Figure 10: SPS in non-transparent mode
Non-transparent mode is often used together with inband destination selection. For details, see Inband destination selection.
Inband destination selection allows you to create a single connection policy and allow users to access any server by including the name of the target server in their username (for example, ssh username@targetserver:port@scb_address). SPS can extract the address from the username and direct the connection to the target server.
Figure 11: Inband destination selection
Since some client applications do not permit the @ and : characters in the username, alternative characters can be used as well:
To separate the username and the target server, use the @ or % characters, for example: username%targetserver@scb_address
To separate the target server and the port number, use the :, +, or / characters, for example: username%targetserver+port@scb_address
You can use both IPv4 and IPv6 addresses with inband destination selection. For IPv6 addresses, add square brackets to separate the address and the port number:
When Network Level Authentication (NLA) is disabled, you can omit the username when starting an RDP connection (for example, use only %targetserver). The user can type the username later in the graphical login screen. However, the username must be specified if Network Level Authentication (NLA) is used in the connection.
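The username formats described above, parsed as SPS would receive them after the client has already stripped the trailing @scb_address. This is an added illustration, not SPS's own parsing code, and it assumes the separator rules exactly as listed (@ or % before the target, : + or / before the port, IPv6 literals in square brackets, and an empty username for the RDP-without-NLA case).

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Separator sets taken from the text above (assumed to be the complete set).
USER_SEPARATORS = "@%"   # between username and target server
PORT_SEPARATORS = ":+/"  # between target server and port


@dataclass(frozen=True)
class InbandTarget:
    username: str        # "" when the client omitted it (RDP without NLA)
    host: str            # hostname, IPv4 or IPv6 literal (brackets removed)
    port: Optional[int]  # None when no port was given


def parse_inband_username(raw: str) -> InbandTarget:
    """Split 'user%target+port' style usernames into their parts.

    'raw' is what arrives at SPS, e.g. 'alice@10.0.0.5:22' or '%winsrv'.
    Raises ValueError on anything that does not match the documented shape,
    so a caller can reject the login instead of guessing a destination.
    """
    idx = next((i for i, c in enumerate(raw) if c in USER_SEPARATORS), -1)
    if idx < 0:
        raise ValueError(f"no target server in {raw!r}")
    username, rest = raw[:idx], raw[idx + 1:]

    if rest.startswith("["):
        # IPv6 literal: host runs to the closing bracket, port follows it
        close = rest.find("]")
        if close < 0:
            raise ValueError(f"unterminated IPv6 bracket in {raw!r}")
        host, tail = rest[1:close], rest[close + 1:]
        ipaddress.IPv6Address(host)  # raises ValueError if malformed
    else:
        # hostname or IPv4: the first port separator ends the host part
        m = re.search(r"[:+/]", rest)
        host, tail = (rest, "") if m is None else (rest[:m.start()], rest[m.start():])

    if not host:
        raise ValueError(f"empty target server in {raw!r}")
    port = None
    if tail:
        if tail[0] not in PORT_SEPARATORS or not tail[1:].isdigit():
            raise ValueError(f"malformed port in {raw!r}")
        port = int(tail[1:])
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range in {raw!r}")
    return InbandTarget(username, host, port)
```

Whatever the extracted host is, a deployment should still check it against the connection policy's permitted targets before connecting, since the username is entirely client-controlled.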
For other details on inband destination selection in RDP connections, see Inband destination selection in RDP connections.
You can find examples of using inband destination selection in Using inband destination selection in SSH connections.
When a client initiates a connection to a server, SPS performs a procedure similar to the ones detailed below. The exact procedure depends on the protocol used in the connection.