
NetWitness

NextGen

RSA SecurID Ready Implementation Guide


Last Modified: October 27, 2009

Partner Information

    Partner Name:         NetWitness Corporation
    Web Site:             www.netwitness.com

Product Information

    Product Name:         NextGen
    Version & Platform:   9.0
    Product Description:  NetWitness NextGen is an enterprise software framework that captures all network traffic and reconstructs the network sessions to the application layer for automated alerting and monitoring, and interactive analysis and review.
    Product Category:     Intrusion Detection System (IDS)

Solution Summary
RSA SecurID authentication enhances security for NetWitness solutions by creating a trusted and secured solution for our users. The SecurID solution offers a more robust authentication method than the previous user name and password standard.
Partner Integration Overview

    Authentication Methods Supported:                   Native RSA SecurID Authentication
    RSA SecurID Library Version Used:                   Authentication Agent 6.0 for PAM
    RSA Authentication Manager Replica Support *:       Full Replica Support
    RSA Authentication Agent Host Type for 6.1:         Net OS
    RSA Authentication Agent Host Type for 7.1:         Standard Agent
    RSA SecurID User Specification:                     Designated Users
    RSA SecurID Protection of Administrative Users:     Yes
    RSA Software Token and RSA SecurID 800 Automation:  No

* = Mandatory Function when using Native SecurID Protocols

[Diagram: NetWitness Appliance (Agent Host) communicating with the RSA Authentication Manager]

Product Requirements

Partner Product Requirements:

    Product:   NetWitness NextGen Appliance
    Version:   9.0

Agent Host Configuration


Important: Agent Host and Authentication Agent are synonymous. Agent Host is a term used with the RSA Authentication Manager 6.x servers and below. RSA Authentication Manager 7.1 uses the term Authentication Agent.

Important: All Authentication Agent types for 7.1 should be set to Standard Agent.

To facilitate communication between the NetWitness NextGen Appliance and the RSA Authentication Manager / RSA SecurID Appliance, an Agent Host record must be added to the RSA Authentication Manager database. The Agent Host record identifies the NetWitness NextGen Appliance within its database and contains information about communication and encryption. To create the Agent Host record, you will need the following information.
    - Hostname
    - IP Addresses for all network interfaces

When adding the Agent Host Record, you should configure the NetWitness NextGen Appliance as a UNIX Agent Host. This setting is used by the RSA Authentication Manager to determine how communication with the NetWitness NextGen Appliance will occur. (The Partner Integration Overview above lists the 6.1 host type as Net OS; the two sections disagree, so confirm the Agent Host type against your Authentication Manager documentation before creating the record.)
Note: Hostnames within the RSA Authentication Manager / RSA SecurID Appliance must resolve to valid IP addresses on the local network.

Please refer to the appropriate RSA Security documentation for additional information about Creating, Modifying and Managing Agent Host records.

RSA SecurID files

RSA SecurID Authentication Files

    File          Location
    sdconf.rec    /var/ace
    Node Secret   None stored
    sdstatus.12   None stored
    sdopts.rec    /var/ace

Partner Product Configuration


Before You Begin
This section provides instructions for integrating NetWitness NextGen with RSA SecurID Authentication. This document is not intended to suggest optimum installations or configurations. It is assumed that the reader has both working knowledge of all products involved, and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products in order to install the required components. All vendor products/components must be installed and working prior to the integration. Perform the necessary tests to confirm that this is true before proceeding.

RSA Authentication Agent 6.0 for PAM Installation


Installing the PAM Agent involves setting up your environment, enabling the PAM Agent, and running the installation script.
Note: The PAM Agent is available as a download from RSA.

Setting Up Your Environment

Before you perform the installation, verify that:

    - You have root permissions on the Agent Host.
    - You have created an installation directory on the machine on which you are installing the PAM Agent.
    - You have the most up-to-date version of the sdconf.rec from the RSA Authentication Manager stored in an accessible directory, such as /var/ace, on the Agent Host.
      Note: The root administrator on the Host must have write permission to the directory in which the sdconf.rec is stored.
    - You have created an Agent Host record for the PAM Agent in the RSA Authentication Manager database. For more information, see the RSA Authentication Manager documentation.
    - You have set an environment variable called VAR_ACE that points to the location of sdconf.rec.

To install the PAM Agent:

1. Change to the directory you created when you copied the software, and untar the file. Type: tar xvf filename.tar
2. Run the install script. Type: ./install_pam.sh
3. Follow the prompts until you are prompted for the sdconf.rec directory. If the path is correct, press ENTER. If the path is incorrect, verify that it is correctly defined in the VAR_ACE environment variable. For each of the remaining installation prompts, press ENTER to accept the default value or type in a different path.
4.

To specify the Agent Host IP address:

Note: The Agent Host uses the IP address that you specify to communicate with the Authentication Manager.

1. Use any text editor to create an sdopts.rec file in the /var/ace directory.
2. Type the line below, where x.x.x.x is the IP address of the Agent Host:
       CLIENT_IP=x.x.x.x
   Note: Use only uppercase letters, and do not include any spaces.
3. Save the file.
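The environment checks and the sdopts.rec step above are easy to get subtly wrong (VAR_ACE pointing somewhere other than the sdconf.rec copy, a lowercase key or stray space in sdopts.rec, an address that is not actually on the appliance). The following is an added example, not RSA or NetWitness code, that turns those prerequisites into a pre-flight check and a validated sdopts.rec writer. All paths and the interface-address list are parameters, so it can be exercised against a scratch directory; the defaults mirror the guide (/var/ace and VAR_ACE). The directory-permission check goes one step beyond the guide and is labelled as such in the code.

```python
# Added example (not RSA or NetWitness code): pre-flight checks for the PAM
# Agent 6.0 install described above, plus a validated writer/parser for
# sdopts.rec. Every path is a parameter so the checks can run against a
# scratch directory; the defaults mirror the guide (/var/ace, VAR_ACE).
import ipaddress
import os
import re
import stat

# The guide's rule for sdopts.rec: uppercase keys, no spaces, one KEY=VALUE per line.
SDOPTS_LINE = re.compile(r"^([A-Z_]+)=(\S+)$")


def preflight(var_ace="/var/ace", install_dir=".", env=os.environ, euid=None):
    """Return the list of problems found; an empty list means install_pam.sh can run."""
    if euid is None:
        euid = os.geteuid()
    problems = []
    if euid != 0:
        problems.append("not running as root")
    if env.get("VAR_ACE") != var_ace:
        problems.append(f"VAR_ACE is {env.get('VAR_ACE')!r}, expected {var_ace!r}")
    if not os.path.isdir(install_dir):
        problems.append(f"installation directory {install_dir} does not exist")
    sdconf = os.path.join(var_ace, "sdconf.rec")
    if not os.path.isfile(sdconf):
        problems.append(f"{sdconf} not found; copy the current sdconf.rec from the Authentication Manager")
    elif os.path.getsize(sdconf) == 0:
        problems.append(f"{sdconf} is empty")
    if os.path.isdir(var_ace):
        if not os.access(var_ace, os.W_OK):
            problems.append(f"{var_ace} is not writable (the guide requires root write access)")
        # Beyond the guide (assumption of this example): sdconf.rec describes the
        # Authentication Manager this agent talks to, so keep the directory closed to others.
        mode = stat.S_IMODE(os.stat(var_ace).st_mode)
        if mode & stat.S_IRWXO:
            problems.append(f"{var_ace} is accessible to 'other' (mode {oct(mode)}); use 0700")
    return problems


def write_sdopts(client_ip, var_ace="/var/ace", local_addresses=None):
    """Write sdopts.rec containing CLIENT_IP=<ip> and return its path.

    Besides the guide's formatting rules this insists on a valid IPv4 address
    and, when the caller passes the appliance's interface addresses, that the
    address is one of them: the Agent Host record holds the appliance's
    interface addresses, so an address that is not on the appliance is a typo.
    """
    addr = ipaddress.ip_address(client_ip)          # ValueError on garbage
    if addr.version != 4:
        raise ValueError("CLIENT_IP must be an IPv4 address")
    if local_addresses is not None and client_ip not in local_addresses:
        raise ValueError(f"{client_ip} is not configured on a local interface")
    line = f"CLIENT_IP={addr}"
    assert SDOPTS_LINE.match(line)                  # uppercase, no spaces
    path = os.path.join(var_ace, "sdopts.rec")
    with open(path, "w") as fh:
        fh.write(line + "\n")
    os.chmod(path, 0o600)
    return path


def parse_sdopts(text):
    """Parse sdopts.rec text into a dict, rejecting lowercase keys or embedded spaces."""
    opts = {}
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        m = SDOPTS_LINE.match(raw)
        if not m:
            raise ValueError(f"malformed sdopts.rec line: {raw!r}")
        opts[m.group(1)] = m.group(2)
    return opts


if __name__ == "__main__":
    # Run on the appliance before ./install_pam.sh; prints nothing when all is well.
    for problem in preflight(install_dir=os.getcwd()):
        print("problem:", problem)
```

Run it as root on the appliance after exporting VAR_ACE; anything it prints is a prerequisite from the list above that is not yet met. The sdopts.rec writer refuses silently wrong values (IPv6, a host name, an address that is not on the box) so that the mistake is found here rather than as a string of rejected authentications later.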

Configuring the PAM Agent

Editing the netwitness file via command line:

1. Change to the /etc/pam.d directory.
2. Open the netwitness file in a text editor and edit the text to the following:

       #%PAM-1.0
       #auth       include      system-auth
       auth        required     pam_unix.so
       auth        required     pam_securid.so
       account     required     pam_deny.so
       password    required     pam_deny.so
       session     required     pam_deny.so

Editing the netwitness file via the NetWitness Administrator application:

1. Open the NetWitness Administrator and connect to the Appliance (Agent Host).
2. Click on the Files icon in the top right hand corner of the details pane.
3. Select the netwitness file from the drop down list.
4. Edit the netwitness file text to the following:

       #%PAM-1.0
       #auth       include      system-auth
       auth        required     pam_unix.so
       auth        required     pam_securid.so
       account     required     pam_deny.so
       password    required     pam_deny.so
       session     required     pam_deny.so

Note: This scenario assumes that the customer will want to use a user name, password and PASSCODE to authenticate. In this scenario, it is required to create a Linux user that matches the NetWitness user created in the next section.
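The two "required" lines in the netwitness file are what make this a genuine two-factor login: pam_unix.so (the Linux password) and pam_securid.so (the PASSCODE) are both consulted on every attempt, and a failure of either is reported only after both have run, which is why the login walkthrough later in this guide prompts for the password and then the passcode. The example below is added here and is not code from the guide or from NetWitness: it parses the file exactly as shown above and evaluates it under the Linux-PAM control-flag rules (required, requisite, sufficient, optional) with module outcomes supplied by the caller, so no real PAM call is made. WEAK_FILE is a constructed variant, not anything the guide recommends, included to show how a single "sufficient" on pam_unix.so would let a password alone satisfy the stack and skip the token entirely. The account, password and session stacks in the guide's file are pam_deny.so, so only pam_authenticate can succeed against it; the evaluator shows that too.

```python
# Added example (not from the guide or NetWitness): evaluate /etc/pam.d/netwitness
# under Linux-PAM control-flag semantics, with module results supplied by the caller.

# The guide's file, retyped.
PAM_FILE = """\
#%PAM-1.0
#auth       include      system-auth
auth        required     pam_unix.so
auth        required     pam_securid.so
account     required     pam_deny.so
password    required     pam_deny.so
session     required     pam_deny.so
"""

# Constructed counter-example (NOT from the guide): 'sufficient' on the password
# module returns success before pam_securid.so is ever consulted.
WEAK_FILE = """\
#%PAM-1.0
auth        sufficient   pam_unix.so
auth        required     pam_securid.so
account     required     pam_deny.so
"""


def parse_pam(text):
    """Return [(type, control, module)] for the active (uncommented) lines."""
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed pam.d line: {raw!r}")
        stack.append((parts[0], parts[1], parts[2]))
    return stack


def evaluate(stack, mtype, results):
    """Walk the modules of management type `mtype` (e.g. "auth").

    `results` maps module name -> True/False for that module's own outcome;
    an unlisted module counts as a failure (pam_deny.so never appears).
    Returns (final_success, modules_actually_consulted). Simplified Linux-PAM rules:
      required   - failure is remembered, remaining modules still run
      requisite  - failure returns immediately
      sufficient - success returns immediately unless an earlier required failed;
                   its own failure is ignored
      optional   - only counts when it is the sole module in the stack
    """
    entries = [e for e in stack if e[0] == mtype]
    consulted, failed = [], False
    for _, control, module in entries:
        ok = results.get(module, False)
        consulted.append(module)
        if control == "required":
            failed = failed or not ok
        elif control == "requisite":
            if not ok:
                return False, consulted
        elif control == "sufficient":
            if ok and not failed:
                return True, consulted
        elif control == "optional":
            if len(entries) == 1:
                failed = not ok
        else:
            raise ValueError(f"unsupported control flag {control!r}")
    if not entries:
        return False, consulted          # empty stack: nothing can succeed
    return not failed, consulted


def securid_enforced(stack):
    """True only if no successful authentication can bypass pam_securid.so:
    it is listed as required/requisite and no 'sufficient' entry precedes it."""
    for mtype, control, module in stack:
        if mtype != "auth":
            continue
        if module == "pam_securid.so":
            return control in ("required", "requisite")
        if control == "sufficient":
            return False                 # an earlier module can satisfy the stack alone
    return False
```

Use parse_pam on the deployed /etc/pam.d/netwitness and assert securid_enforced before putting the appliance into service; a later edit that "fixes" a lockout by changing pam_unix.so to sufficient will be caught by that single check.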

Creating a NetWitness User that Authenticates Using RSA:

1. Open NetWitness Administrator and connect to the Appliance (Agent Host).
2. From the Edit menu, select Users and Groups.
3. Select the appropriate appliance from the Services column and select the green + icon in the users column.
4. Enter the user name.
5. For AuthType, select External.
6. Finally, select the group(s) that you want the user to be a part of and click OK.

Performing a Test Authentication

To successfully test authentication, you must use a token with a PIN that is already registered in the Authentication Manager database. Follow the New PIN procedure for proper registration. For additional information, contact your Authentication Manager administrator.
To perform a test authentication:

1. Change to the /opt/pam/bin directory. Type: ./acetest
2. Enter your user name and passcode.

If you are repeatedly denied access, contact your Authentication Manager administrator.

Logging Into a NetWitness Appliance Using RSA

1. Click on the Add/Create icon in the top left of the Navigation Pane.
2. Enter the Server IP address or name, port, username and password.
3. Now the added Appliance should be listed in the Navigation Pane.
4. Double click on the appliance to connect. You should be prompted for your password.
5. After successfully entering the password, the user will be prompted to enter their passcode.
6. After entering their passcode the user should be successfully connected.


Certification Checklist for RSA Authentication Manager v6.x

Date Tested: October 13, 2009

Certification Environment

    Product Name                  Version Information   Operating System
    RSA Authentication Manager    6.1                   Windows 2003 SP2
    RSA Authentication Agent      PAM 6.0               Fedora Core 9
    NetWitness                    NextGen 9.0           Fedora Core 9

Mandatory Functionality                          RSA Native Protocol   RADIUS Protocol
  New PIN Mode
    Force Authentication After New PIN           [mark]                N/A
    System Generated PIN                         [mark]                N/A
    User Defined (4-8 Alphanumeric)              [mark]                N/A
    User Defined (5-7 Numeric)                   [mark]                N/A
    User Selectable                              [mark]                N/A
    Deny 4 and 8 Digit PIN                       [mark]                N/A
    Deny Alphanumeric PIN                        [mark]                N/A
  Passcode
    16 Digit Passcode                            [mark]                N/A
    4 Digit Password                             [mark]                N/A
  Next Tokencode Mode
    Next Tokencode Mode                          [mark]                N/A
  Load Balancing / Reliability Testing
    Failover (3-10 Replicas)                     [mark]                N/A
    Name Locking Enabled                         [mark]                N/A
    No RSA Authentication Manager                [mark]                N/A

Additional Functionality                         RSA Native Protocol   RADIUS Protocol
  DRP / PAR
  RSA Software Token Automation
    System Generated PIN                         N/A                   N/A
    User Defined (8 Digit Numeric)               N/A                   N/A
    User Selectable                              N/A                   N/A
    Next Tokencode Mode                          N/A                   N/A
  RSA SecurID 800 Token Automation
    System Generated PIN                         N/A                   N/A
    User Defined (8 Digit Numeric)               N/A                   N/A
    User Selectable                              N/A                   N/A
    Next Tokencode Mode                          N/A                   N/A
  Credential Functionality
    Determine Cached Credential State            N/A                   N/A
    Set Credential                               N/A                   N/A
    Retrieve Credential                          N/A                   N/A

[mark] = the Pass or Fail symbol in the original table; the symbols were images and are not preserved in this text copy.
N/A = Non-Available Function


Certification Checklist for RSA Authentication Manager 7.x

Date Tested: October 9, 2009

Certification Environment

    Product Name                  Version Information   Operating System
    RSA Authentication Manager    7.1                   Windows 2003 SP2
    RSA Authentication Agent      PAM 6.0               Fedora Core 9
    NetWitness                    NextGen 9.0           Fedora Core 9

Mandatory Functionality                          RSA Native Protocol   RADIUS Protocol
  New PIN Mode
    Force Authentication After New PIN           [mark]                N/A
    System Generated PIN                         [mark]                N/A
    User Defined (4-8 Alphanumeric)              [mark]                N/A
    User Defined (5-7 Numeric)                   [mark]                N/A
    Deny 4 and 8 Digit PIN                       [mark]                N/A
    Deny Alphanumeric PIN                        [mark]                N/A
    Deny Numeric PIN                             [mark]                N/A
    PIN Reuse                                    [mark]                N/A
  Passcode
    16 Digit Passcode                            [mark]                N/A
    4 Digit Fixed Passcode                       [mark]                N/A
  Next Tokencode Mode
    Next Tokencode Mode                          [mark]                N/A
  Load Balancing / Reliability Testing
    Failover (3-10 Replicas)                     [mark]                N/A
    No RSA Authentication Manager                [mark]                N/A

Additional Functionality                         RSA Native Protocol   RADIUS Protocol
  DRP / PAR
  RSA Software Token Automation
    System Generated PIN                         N/A                   N/A
    User Defined (8 Digit Numeric)               N/A                   N/A
    Next Tokencode Mode                          N/A                   N/A
  RSA SecurID 800 Token Automation
    System Generated PIN                         N/A                   N/A
    User Defined (8 Digit Numeric)               N/A                   N/A
    Next Tokencode Mode                          N/A                   N/A

[mark] = the Pass or Fail symbol in the original table; the symbols were images and are not preserved in this text copy.
N/A = Non-Available Function

