This short document is about a special implementation of the One Identity Safeguard for Privileged Sessions. This makes it possible to deploy the device without changing the network topology, but keeping all the advantages of the transparent mode of the SPS.
The One Identity Safeguard for Privileged Sessions connection policies can work in different network models to make it easy to integrate it into an existing network. These two modes are transparent, and non-transparent modes (for details on modes of operation, see "Modes of operation" in the Administration Guide). The aim is usually the transparent implementation. Although the non-transparent mode can provide some transparency, it is not the best to be used for that purpose.
For the easy-to-deploy and totally transparent solution the transparent mode would be the best. This mode requires integrating SPS in the network level, so all the administrative traffic could pass the box to make it controllable and auditable (for details and illustrations on transparent mode, see "Transparent mode" in the Administration Guide).
Figure 1: SPS in transparent mode
In most cases it is not possible, or not optimal to integrate SPS into the network as in the abovementioned example, because it would require significant changes to the network topology, and SPS could act as a single point of failure. However, it is possible to use SPS in transparent mode transparently without changing the network layout, with a few additional configuration steps in some of the active network devices (firewalls or routers) and the SPS itself. The following sections will describe this in detail.
SPS has two physical network interfaces that are normally used for production (monitored) traffic: “External” and “Internal”. The function of these interfaces is interchangeable, the names are only used in this document for easier identification. SPS is implemented as it is visible on Figure SPS in transparent mode. In this case the connections are coming from the client's network (define it as 192.168.0.0/24) and heading towards the server's network (define it as 10.0.0.0/24).
The routing on the client is configured so that it uses SPS as a gateway, when the server network is accessed. The servers are configured so that they send the answers into the client network through SPS. Also, all the networks and gateways are defined in the routing table of SPS, to send the traffic out on the appropriate interface.
SPS does not check whether the client is coming from the “External” interface or if the connections are going out on the “Internal” interface. Because of this, it is possible to create a topology, where both the clients and the servers are located on the “External” side.
Single-interface transparent mode is similar to transparent mode, but both client-side and server-side traffic use the same interface. An external device that actively redirects the audited traffic to One Identity Safeguard for Privileged Sessions (SPS) (typically, a firewall, a router, or a layer3 switch) is required . To accomplish this, the external device must support advanced routing (also called policy-based routing or PBR). For details on configuring an external device to work with SPS in single-interface transparent mode, see Configuring external devices.
Figure 2: SPS in single-interface transparent mode
The advantages of using the single-interface transparent mode are:
Totally transparent for the clients, no need to modify their configuration.
The network topology is not changed.
Only the audited traffic is routed to SPS, production traffic is not.
The disadvantages of using the single-interface transparent mode are:
SPS acts as a man-in-the-middle regarding the connection between the client and the target server. Instead of a single client-server connection, there are two separate connections: the first between the client and SPS, and a second between SPS and the server. Depending on how you configure SPS, the source IP in the SPS-server connection can be the IP address of SPS, or the IP address of the client. In the latter case — when operating in transparent mode (including single-interface transparent mode) — SPS performs IP spoofing. Consult the security policy of your organization to see if it permits IP spoofing on your network.
Traffic must be actively routed to SPS using an external device. Consequently, a network administrator can disable SPS by changing routing rules.
When adding a new port or subnet to the list of audited connections, the configuration of the external device must be modified as well.
A network administrator can (intentionally or unintentionally) easily disable monitoring of the servers, therefore additional measures have to be applied to detect such activities.