I decided to write in more detail about SecureSphere's "content out" integration with different systems, starting with the generic interfaces first. In Part I, I wrote about Action Sets and Action Interfaces and showed how Action Sets are used within policies. In this post I'll write about a specific type of Action Interface: OS Command.
Using the OS Command Action Interface, SecureSphere administrators can run any shell command or script on the management appliance. This opens up integration with external applications, which are executed whenever an event is generated.
Picture 1: OS Command Interface
To invoke an OS command, first verify that the required execute permissions are set on the management server. The following list describes the parameters of the OS Command interface:
- Command: The full path to the OS command.
- Arguments: The arguments that should be passed to the command.
- Working Dir: The directory on the management server in which the OS command should run.
To show how this feature is useful, I am using a real example that was provided by one of our system integrator partners to a customer. The customer wanted to record entire telnet sessions whenever specific users accessed a particular sensitive system that could not support SSH.
The partner created a custom security policy that matched when telnet was being used to reach the DBMS. He then used the OS Command followed action to execute a script that started a TCP packet capture filtered on the source IP and the telnet port, and stopped the capture when the session ended. Once the PCAP had been saved, a second script parsed the PCAP into an HTML document with the SecureSphere heading (see Picture 2 below).
The HTML document displayed every telnet action taken by the client against the database, together with the response.
Picture 2: Telnet Report Created by Followed Action
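As an added illustration of the kind of script the OS Command action would invoke (this is example code written for this post, not the partner's actual script), the handler below takes the source IP, destination IP and port as Arguments, validates them before they reach tcpdump, and starts or stops a capture scoped to that one session. The script path, the `start`/`stop` trigger for session end, the use of `tcpdump -i any` and the `/opt/capture` directory are all assumptions.

```shell
#!/bin/sh
# Example handler for a SecureSphere "OS Command" followed action (illustration only).
# Assumed Action Interface settings:
#   Command:     /opt/capture/telnet_capture.sh
#   Arguments:   start <src_ip> <dst_ip> <dst_port>   (and later: stop <src_ip> <dst_ip> <dst_port>)
#   Working Dir: /opt/capture
# Assumes tcpdump is installed on the management server and the account running
# the command has permission to capture on the interface.

CAPTURE_DIR="${CAPTURE_DIR:-/opt/capture/pcaps}"

# Accept only a dotted IPv4 address, so a value arriving as an argument cannot
# smuggle extra tcpdump options or shell metacharacters into the command line.
is_ipv4() {
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

is_port() {
  printf '%s' "$1" | grep -Eq '^[0-9]{1,5}$' && [ "$1" -le 65535 ]
}

# Build the BPF filter that narrows the capture to the flagged session only.
# Returns non-zero (and prints nothing) when any argument fails validation.
build_filter() {
  is_ipv4 "$1" && is_ipv4 "$2" && is_port "$3" || return 1
  printf 'host %s and host %s and tcp port %s' "$1" "$2" "$3"
}

# Deterministic file name so "stop" can find the capture that "start" created.
session_name() {
  printf 'telnet_%s_%s_%s' "$1" "$2" "$3" | tr '.' '-'
}

start_capture() {
  filter=$(build_filter "$1" "$2" "$3") || { echo "rejected arguments" >&2; return 2; }
  name=$(session_name "$1" "$2" "$3")
  mkdir -p "$CAPTURE_DIR"
  tcpdump -i any -w "$CAPTURE_DIR/$name.pcap" "$filter" >/dev/null 2>&1 &
  echo $! > "$CAPTURE_DIR/$name.pid"   # remembered so the stop action can end it
}

stop_capture() {
  name=$(session_name "$1" "$2" "$3")
  [ -f "$CAPTURE_DIR/$name.pid" ] || return 1
  kill "$(cat "$CAPTURE_DIR/$name.pid")" && rm -f "$CAPTURE_DIR/$name.pid"
}

case "$1" in
  start) start_capture "$2" "$3" "$4" ;;
  stop)  stop_capture  "$2" "$3" "$4" ;;
esac
```

The saved PCAP under `/opt/capture/pcaps` is what a second script would then turn into the HTML report shown in Picture 2.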

@Brian,
I will try to post additional information about this specific solution.
I agree with you that SecureSphere as a platform can deliver additional capabilities far beyond what we advertise. I am thankful for blogs like Practical Tactics (http://practical.wordpress.com/) that help to spread the knowledge.
--Sharon
I would be interested to hear how this telnet tracking policy was constructed. I envision a unique firewall policy applied to the specific DBMS server/server group with this new followed action specified.
I think you touched on another item that doesn't get much press. The Imperva platform can see and react to more than just http/https/dbms calls and traffic. To take advantage of these capabilities today, you really need engineers and partners that truly understand the Imperva platform.
-- Brian