Options are available to control Guest access by using a default profile for all Guests, individual profiles for Guests using NetOp authentication, or profiles for Windows groups and users using Windows Security Management. The Host can alternatively delegate Guest access control to an available NetOp Security Server. Access can also be restricted to Guests on computers with specified network addresses.
NetOp Security Management
NetOp Security controls the access of NetOp Guests to NetOp Hosts. It can be controlled locally by each Host or centrally administered by NetOp Security Management, which provides centralized control of NetOp security by using one or more NetOp Security Servers that query a common database for NetOp security information. The NetOp Security Server provides Guest access security data to NetOp Hosts.
1. A Guest calling a Host submits information that identifies it.
2. The Host submits this information to a NetOp Security Server, requesting data on the role of this Guest with itself.
3. The NetOp Security Server queries the database to obtain information on the role between this Guest and this Host.
4. The NetOp Security Server returns data to the Host on the role of this Guest with it.
5. The Host accepts the connection from the Guest according to the data received from the NetOp Security Server (including denying the connection, if so specified).
To set up NetOp Security Management, a database must be selected and configured to contain the profiles and data required by the NetOp Security Server(s). The type and location of the database are your choice, but it must be Windows Open Database Connectivity (ODBC) compliant. NetOp Security Server follows the SQL92 standard and is known to support the following databases: DB2, MS JetEngine, Oracle and SQL. NetOp does not support MySQL because MySQL has not implemented 'named primary keys', which are crucial for NetOp Security Server.
The password-protected database is configured and managed from an easy to use, wizard-based NetOp Security Manager, a separate program included with NetOp Security Server. Once the database is configured, tables for the following data elements are created:
• Security settings data, including role assignment, role and security policies data
• Logging data, including security log, NetOp log and active connections data
• Scheduling data, including scheduled jobs data
• NetOp definitions data, including Guest ID, Guest ID group, Host ID and Host ID group data
• Windows definitions data, including Windows user, Windows group, workstation and domain data
The key element in NetOp Security Management is the role assignment, which specifies a Guest selection, a Host selection and the role between them. This is the data forwarded by the NetOp Security Server to a Host requesting security data on a Guest calling it. The NetOp Security Server can centrally manage and administer all of the same settings as the local NetOp Host options.
Local Host security options
Guest Access
Guest Access provides options to control what a NetOp Guest can and cannot do once it is controlling a Host PC. Grant all Guests default access privileges is the default option. The other options are Grant each Guest individual access privileges using NetOp authentication, Grant each Guest individual access privileges using Windows Security Management, and Use NetOp Security Server.
Confirm Access
This feature prompts the Host user to acknowledge the remote caller and permit or reject the connection, so users know when someone is connecting to their Host computer. When Guest access confirmation is enabled, a window appears on the Host whenever a Guest attempts a connection. You can also select Only when user logged in, which requires the Host user to confirm Guest access only when a user is logged in on the Host computer. This is useful for allowing an administrator access to the PC for support or maintenance reasons without giving access to files or programs prohibited under Windows Security.
Command Line Options
Starting a Host from a command line is typically used when the Host must be started by a command from another application. By adding this command line setting you can be assured that the settings and security are applied when the Host is started from the other application.
Password Protection
NetOp lets you enter a password of up to 16 characters in the field to enable password protection. Keyboard entries are displayed as asterisks (*). If the password is correct, the connection is established; if the password is wrong, a message asking to repeat the password procedure is displayed. When Windows security mode is used, Guests enter their Windows username and password to control a Host.
Login Attempt Limits
NetOp lets users limit the number of times a remote user can attempt to log in during a single session, to protect against hacker attacks. You can set options that limit the number of false attempts and control what happens once that number of false attempts has been reached, such as Hang-up, Disable NetOp or Restart the Host PC.
Automatic Call Back (for dial-up connections)
Selecting this option and entering a telephone number in the field makes the Host automatically disconnect from a Guest call and reconnect to that Guest by calling the telephone number entered in the field. With this option someone would have to be sitting at a known Guest PC, at that specific phone number, and know the password in order to access the Host PC. NetOp also provides a Roving Call Back option, which presents a box in which the Guest user can enter a phone number to be called back on by the Host. This option is mostly useful for reversing phone charges. Call back also works for TCP/IP (TCP).
Individual Access Privileges
NetOp enables you to specify what a Guest can and cannot do while connected to a Host, using security roles and security role folders. Under each security role folder, Guests and groups can be added and assigned a security role. This option enables you to prohibit individual users from sending or receiving files, restarting the PC, launching an application, sending or receiving Windows clipboard contents, sending chat messages, printing, or even remotely controlling the Host PC. You can set up individual Guests for specific roles, or even groups of users using Windows Security Management.
Authentication
Authentication is the process of checking a Guest's credentials and identifying that user by verifying them against a directory or access list to determine whether the user is authorized to connect to a NetOp Host. NetOp provides a check of Guest users and lets you add users to folders and assign security roles.
NetOp provides Directory Service authentication using the NetOp Security Server via the LDAP protocol. The authentication depends on the user name, password and directory service name supplied by the Guest user. To secure the LDAP communication, the Security Server can use SSL to encrypt the transmission between the Security Server and the Directory Service. The Security Server configuration is open by design to support all Directory Service vendors. All Windows 32-bit modules plus Linux, Mac OS X, Solaris and Windows CE Hosts support Directory Service authentication via the Security Server.
NetOp's support for RSA SecurID authentication allows the NetOp Windows Security Server to authenticate the Guest user against an RSA ACE/Server. The authentication depends on the user name plus the password and current token (together called the PASSCODE) supplied by the Guest user. As an extension to RSA SecurID authentication, the Security Server allows definition of a special shadow Guest ID account to further increase the security level in environments requiring very high security. When the shadow Guest ID is enabled, an additional check is performed against a corresponding NetOp Guest ID password. Shadow Guest ID password policies are maintained and enforced separately from the RSA ACE/Server policies.
Authorization
To control the Guest user's allowed session actions, the NetOp Windows Security Server can check group membership against a Directory Service via LDAP for the authenticated Guest user. After the authentication process, the Security Server binds with a pre-defined account to the Directory Service that validated the Guest and retrieves the list of groups the Guest user is a member of. The group names and the validated Guest user name are matched against all security role assignments that use the same Directory Service to obtain the accumulated allowed actions for the session. To secure the LDAP communication, the Security Server can use SSL to encrypt the transmission between the Security Server and the Directory Server.
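The five-step lookup from the NetOp Security Management section and the group-based accumulation described here, as one added model that is not NetOp's code: an in-memory table of role assignments (Guest selection, Host selection, role), a Security Server lookup that unions the actions of every matching assignment, and the Host's accept or refuse decision. The table layout, the role and action names, the sample Guest and Host group data, and the rule that a deny assignment overrides other matches are assumptions.

```python
from dataclasses import dataclass

DENY = "deny"  # assumed role name meaning "refuse the connection"

# Constructed sample database.  Roles are named sets of allowed session actions.
ROLES = {
    "support": frozenset({"remote_control", "chat"}),
    "fileadmin": frozenset({"remote_control", "file_transfer", "restart"}),
}
# Host ID group data: which Host IDs belong to which Host ID group.
HOST_GROUPS = {"finance_pcs": {"FIN-01", "FIN-02"}}

@dataclass(frozen=True)
class RoleAssignment:
    guest_sel: tuple  # ("guest", Guest ID) or ("group", directory group name)
    host_sel: tuple   # ("host", Host ID) or ("group", Host ID group name)
    role: str         # a key of ROLES, or DENY

ASSIGNMENTS = [
    RoleAssignment(("group", "helpdesk"), ("group", "finance_pcs"), "support"),
    RoleAssignment(("group", "server_admins"), ("host", "FIN-01"), "fileadmin"),
    RoleAssignment(("guest", "contractor"), ("group", "finance_pcs"), DENY),
]

def _selected(sel, ident, groups):
    """Does a Guest or Host selection cover this identity or one of its groups?"""
    kind, name = sel
    return name in groups if kind == "group" else name == ident

def lookup_role(guest_id, guest_groups, host_id):
    """Security Server side (steps 3 and 4): match every assignment covering
    this Guest (by ID or directory group) and this Host (by ID or Host ID
    group) and accumulate their actions.  None means no assignment matched;
    an empty set means a deny assignment matched (assumed to win)."""
    host_groups = {g for g, ids in HOST_GROUPS.items() if host_id in ids}
    hits = [a for a in ASSIGNMENTS
            if _selected(a.guest_sel, guest_id, set(guest_groups))
            and _selected(a.host_sel, host_id, host_groups)]
    if not hits:
        return None
    if any(a.role == DENY for a in hits):
        return frozenset()
    return frozenset().union(*(ROLES[a.role] for a in hits))

def host_decides(guest_id, guest_groups, host_id):
    """Host side (step 5): accept only if the server returned at least one
    allowed action; no answer or an empty answer refuses the connection."""
    actions = lookup_role(guest_id, guest_groups, host_id)
    return ("accepted", actions) if actions else ("refused", frozenset())
```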
Restricting access to internal machines through a MAC/IP address list
One of the best ways to ensure security is to restrict connections from outside your organization. Users may enable the MAC/IP address check to allow connections only from Guests whose addresses appear in the list. Note: IP addresses apply when communicating using TCP/IP; MAC addresses apply when communicating using all other communication devices.
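The two Host-side checks described on this page, the login attempt limit with its follow-up action and the MAC/IP address list just above, as one added example that is not NetOp code: a Host gate that applies the IP list for TCP/IP calls and the MAC list for any other device, then counts password attempts and triggers the configured action once the limit is reached. The action names, the CIDR ranges accepted in the IP list and the return values are assumptions.

```python
import hmac
import ipaddress

# Assumed names for the three follow-up actions the page lists.
ACTIONS = ("hangup", "disable_netop", "restart_host")

class HostGate:
    """Host-side admission check: address list first, then password attempts."""

    def __init__(self, allowed_ips, allowed_macs, max_attempts, action):
        # IP entries may be single addresses or CIDR ranges (assumed convenience);
        # MAC entries are compared case-insensitively.
        self.allowed_ips = [ipaddress.ip_network(a, strict=False) for a in allowed_ips]
        self.allowed_macs = {m.lower() for m in allowed_macs}
        if action not in ACTIONS:
            raise ValueError("unknown action: %s" % action)
        self.max_attempts = max_attempts
        self.action = action

    def address_allowed(self, device, address):
        """IP addresses apply to TCP/IP; MAC addresses apply to every other device."""
        if device == "TCP/IP":
            ip = ipaddress.ip_address(address)
            return any(ip in net for net in self.allowed_ips)
        return address.lower() in self.allowed_macs

    def session(self, device, address, guesses, host_password):
        """Run one Guest call through the gate.  Returns (state, detail):
        ("refused", reason) if the address is not listed,
        ("connected", n) on a correct password at attempt n,
        (action, n) when the attempt limit is reached,
        ("disconnected", n) if the Guest gives up earlier."""
        if not self.address_allowed(device, address):
            return ("refused", "address not in list")
        for n, guess in enumerate(guesses, start=1):
            # Constant-time comparison so timing does not leak a partial match.
            if hmac.compare_digest(guess.encode(), host_password.encode()):
                return ("connected", n)
            if n >= self.max_attempts:
                return (self.action, n)
        return ("disconnected", len(guesses))
```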
Closed User Group
NetOp Remote Control provides an option whereby developers can embed a security code into the Host and Guest modules that they create. This security code must be present on both ends for a connection to be made. Contact your Account Manager for more information on this security option.
Enabled Encryption Types
NetOp provides multiple layers of encryption for protecting the data stream from "sniffers" or others who may be able to read or tamper with the raw data. NetOp encryption options include: None (which may be fine for remote control on an internal network); NetOp 6.x/5.x Compatible, which applies encryption compatible with earlier versions of NetOp Remote Control; Data integrity, which applies data stream integrity control; and Keyboard, which encrypts keyboard entries. You can select any one or more of the above options, or select High or Very High.
• Encryption: protects against a third party being able to read a data stream transmitted between two entities, using AES encryption with key lengths up to 256 bits.
• Data integrity: protects against a third party being able to alter a data stream transmitted between two entities, using an HMAC integrity check based on 160-bit SHA-1 or 256-bit SHA-2.
• Key exchange: protects against compromised keys by using a combination of up to 2048-bit Diffie-Hellman, 256-bit AES and 512-bit SHA HMAC integrity checks.
• NetOp 6.x/5.x compatible mode: allows communication with older NetOp modules.
Encoding Strength
1024 bit Encoding for new Passwords: select this option to make the Host require a calling Guest to use 1024-bit encoding for new passwords defined on the Host. 2048 bit Encoding for new Passwords: select this option to make the Host require a calling Guest to use 2048-bit encoding for new passwords defined on the Host, for extra password security.
Maintenance password
A Maintenance password can be used so that the security settings of the Host machine cannot be changed by the Host user or a Guest PC visitor. NetOp also allows you to store the configuration files elsewhere and pull them from there, so you always pull your configurations from a 'gold' source. NetOp also enables these configuration files to be made 'read only'.
Windows Security Management
NetOp supports Windows Security Management in Windows NT, 2000 and XP. Windows administrators can use Windows groups or user profiles to assign certain NetOp rights, or you can select Users and Groups from Windows Domains and assign them further NetOp rights using the NetOp Security Server. NetOp Windows Security Management support includes Microsoft Active Directory.
Non-Scanning
NetOp is unique in that it will NOT respond to a non-NetOp network packet. Thus, since there is no response, no perimeter scan is possible by hackers who might wish to access that PC.
Extended Logging
NetOp can create a log file that acts as an audit trail and tells the user who has controlled their machine and what they did while connected. The file can log over 100 different NetOp events and can be kept on the Host machine, in the NetOp Security Server database, in another Windows security file (Event Viewer), or sent by SNMP.
Stealth Mode
NetOp provides an interesting option that "hides" the Host from the user of that machine. This makes it more difficult for the Host user to stop the program or change the Host settings. In Stealth Mode the Host program launches during Windows start-up and is then removed from the task bar and task list. While Stealth mode is running you can still allow the Host user to send a NetOp Guest a NetOp instant message to Request Help. This option is provided with a Request Help icon that can be displayed on the user's task bar.
Separate Guest and Host Programs
By design, the NetOp Guest and Host programs can be installed separately. This can keep the number of users with Guest access limited: by enabling a user to install only the Host module, they would not be able to control any other PC in the organization.
NetOp Gateway
NetOp Gateway Server provides routing of NetOp traffic between different communication devices. The Gateway routes both inbound and outbound NetOp traffic. Because the NetOp Gateway only responds to NetOp software traffic, it can be seen as a choke point that prohibits everything except authorized NetOp traffic. The NetOp Gateway can route NetOp traffic between a point-to-point communication device and a networking communication device, or between two networking communication devices or protocols. The NetOp Gateway supports the same local Security, Windows Security Management and NetOp Security Server options that a NetOp Host supports.