PAM deployment and security
I am currently tasked with deploying PAM in our organization, and while coming up with a rough concept, these security-related questions arose:
1) What's up with FIPS 140-2 mode?
In the manual, and within the PAM web interface, FIPS mode is mentioned and only roughly explained with regard to compliance with a standard. However, what actually gets changed when enabling this mode, and why is it impossible to undo this step? Looking up documents related to FIPS 140-2 does not really boil it down.
What kind of encryption and signature algorithms does PAM use by default and which algorithms are being used once FIPS mode is enabled?
These details should be added to the manual to clear up any confusion and point out the actual changes that occur when enabling FIPS mode. This is the only way to allow customers to come up with decisions based on their requirements.
2) Deploying PAM for providing access to external contractors
Within the documentation - both the admin and the user manual - I could only find very little guidance with regard to "best practices" for deploying PAM within an organization's network.
To get a bit more specific, I'm talking about things like "which services to deploy on which machines", "reducing attack surface", "controlling which data is stored on which machine", ...
Since we're looking to use PAM as a gateway for external contractors to use for maintaining internal machines, we would like to have a dedicated machine within our DMZ to allow the contractors to use the ssh relay without setting them up with a VPN first.
(Since putting an ssh server with PasswordAuthentication enabled on the internet is a bad idea, it would be nice to [only] allow client authentication via PublicKeyAuthentication, too.)
This would imply hosting the PAM web interface on an additional machine in our DMZ, so our contractors can log in, change their PAM password and launch the PAM ssh client.
This kind of setup makes me worry about a bunch of things:
For example, a machine running the PAM web interface might get compromised while being accessible on the internet, and an attacker would be able to use that machine and everything stored on it to communicate with other PAM services on different machines.
In addition to that, I'm starting to suspect that running PAM services that are publicly accessible on the internet is a bad idea in general due to the current frequency of security patches or new releases in general.
To boil this question down a bit:
* What kind of deployment strategies are recommended for PAM?
* Which services can be run on separate machines to reduce attack surface and/or impact in case of a compromised machine?
* How, if at all, can parts of PAM be exposed to the internet in a more secure way?
Any input in regards to these questions is appreciated!
Stay safe and healthy. 🙂
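The public-key-only relay the question proposes in the parenthetical above comes down to a handful of sshd_config directives, and the two that bite in practice are that sshd keeps the first value it sees for each keyword and that a keyboard-interactive login can still accept a password even when PasswordAuthentication is off. The following checker is an added example, not code from the original post or from the PAM product: it parses an OpenSSH sshd_config (a simplified parser; directives inside Match blocks are only counted, not evaluated) and reports which of the relay policy's conditions a constructed weak configuration violates, next to a constructed hardened one that passes. It goes slightly beyond the post's two directives by also checking PermitRootLogin.

```python
"""Audit an OpenSSH sshd_config for an internet-facing relay: password
logins off, public-key logins on.  Added example; the two sample
configurations below are constructed, not taken from any real host."""
import re

# sshd defaults for the directives this policy cares about (keys lower-cased).
DEFAULTS = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}
# Older sshd spells KbdInteractiveAuthentication as ChallengeResponseAuthentication.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def parse_sshd_config(text):
    """Return (effective_settings, skipped_match_directives).

    Simplification: sshd applies the FIRST occurrence of each keyword, which is
    modelled; directives under a 'Match' block apply conditionally and are only
    counted here so the caller can flag them for manual review."""
    effective, skipped, in_match = {}, 0, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts "Keyword value" or "Keyword=value".
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
            continue
        if in_match:
            skipped += 1
            continue
        key = ALIASES.get(key, key)
        effective.setdefault(key, value)  # first occurrence wins
    return effective, skipped


def audit(text):
    """Return a list of policy findings; an empty list means the config passes."""
    settings, skipped = parse_sshd_config(text)
    get = lambda k: settings.get(k, DEFAULTS[k])
    findings = []
    if get("passwordauthentication") != "no":
        findings.append("PasswordAuthentication is effectively '%s'; set it to 'no'"
                        % get("passwordauthentication"))
    if get("kbdinteractiveauthentication") != "no":
        findings.append("KbdInteractiveAuthentication (ChallengeResponseAuthentication) is "
                        "'%s'; keyboard-interactive prompts can still accept a password, set it to 'no'"
                        % get("kbdinteractiveauthentication"))
    if get("pubkeyauthentication") != "yes":
        findings.append("PubkeyAuthentication is '%s'; set it to 'yes'" % get("pubkeyauthentication"))
    if get("permitrootlogin") not in ("no", "prohibit-password"):
        findings.append("PermitRootLogin is '%s'; use 'no' or 'prohibit-password'" % get("permitrootlogin"))
    if skipped:
        findings.append("%d directive(s) inside Match blocks were not evaluated; review them by hand" % skipped)
    return findings


# Constructed sample: looks hardened at a glance, but the password setting is a
# comment, the old-style keyboard-interactive switch is on, and the only
# "PasswordAuthentication no" sits inside a Match block.
WEAK_CONFIG = """
Port 22
#PasswordAuthentication no
ChallengeResponseAuthentication yes
PermitRootLogin yes
Match Address 10.0.0.0/8
    PasswordAuthentication no
"""

# Constructed sample: public-key only, as proposed in the question.  The trailing
# duplicate is deliberately present to show that sshd keeps the first value.
HARDENED_CONFIG = """
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
AuthenticationMethods publickey
PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name + ":")
        for finding in audit(cfg) or ["OK"]:
            print("  -", finding)
```

Run it against a real file with `audit(open("/etc/ssh/sshd_config").read())`; for a live host, `sshd -T` prints the effective values after Match evaluation and is the authoritative check.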
FIPS-mode; FIPS 140-2.
The infrastructure of PAM and authorization for peer communication within the framework among hosts and for connections going through PAM are affected as documented, so it's quite a big change to enable, with a lot of propagating changes that must take place throughout the environment. Due to the complexity of these changes, it is an opt-in, enable-once mode. It may be possible to enhance it to be able to toggle in and out of FIPS mode, but that likely wasn't a requirement for those that needed to just be in that mode and stay in that mode for compliance reasons. If you have a strong use-case need for the capability of toggling FIPS mode on/off, please do add this as an idea in our PAM Idea Exchange for the community and the Product Team to evaluate and potentially scope into the Roadmap.
Regarding the improvements that should be made to the documentation, I recommend that you provide that feedback within the documentation tool so that it can be tracked and improved. There is a comment/message icon at the very top of every page (to the right of the print icon), where you can provide this valuable feedback for the team.
I believe the current list of FIPS 140-2 "Approved Security Functions Security Requirements for Cryptographic Modules" can be found here.
Design and architecture-related questions are best suited for our Professional Services Team, who can help really customize / fine-tune a deployment strategy that best suits your needs. Your concerns here with security are certainly valid. Please see Additional Support Options. Also, Creating a Service Request with Support can help make some general recommendations.
There are also courses available to become PAM certified offered by Micro Focus, which may help when planning a Deployment strategy.
One specific thing I would like to recommend here is knowing that all the modules/packages in PAM can be deployed separately, so one "manager" server could simply have the auth, sshrelay module capabilities to serve the external contractors so they can sshrelay for example, while the Audit Manager storing the audits could be deployed on other "manager" servers within the framework. So not all modules / packages need to be deployed on the same "manager" server because the hosts within the framework are able to locate / discover nearby services. Please see our Primary Components which break down the purpose of each module / package. Also, I strongly recommend the secure approach of requiring VPN-first before exposing any sort of ssh server publicly. Any specific recommendations regarding this deployment, I highly recommend engaging either Support or the other Additional Support Options available.
Thank you for your detailed reply!
Regarding FIPS mode, I understand that its primary reason for existence is compliance.
However, as an administrator, I would really like to know the technical details that are going on behind the scenes.
Going through the list of Approved Security Functions for FIPS that you linked in your post does give me a rough idea, but it does not really boil it down.
The FIPS 140-2 document lists an approved collection of cryptographic tools, but it is still a collection containing a wide variety of tools with different strengths - some of which I would avoid in favor of better tools on that list.
For example, depending on the use case, there can be a huge difference between using SHA-1 or SHA-256 as a hashing algorithm for cryptographic signatures. You may recognize this example from upgrading X.509 Public Key Certificates a bunch of years ago due to SHA-1 being not strong enough for that use case anymore.
I would propose adding a small extra chapter within the PAM admin manual, which might present a table that lists the cryptographic algorithms that PAM uses for certain activities within the rows and has two columns for "non-FIPS mode" and "FIPS mode", so comparing the algorithms being used is straightforward.
This way, PAM is not only able to supply means for achieving compliance, but its transparency also allows educated fine-tuning to internal requirements and resource budgets.
Thank you for pointing out the options regarding Support Requests and Additional Support Options.
Since I still consider myself a beginner with PAM, I will first continue exploring the product and conducting a bunch of experiments in my testing environment.
Since distributing the different PAM modules/packages across different machines makes the product almost a bit too flexible, there is a lot for me to try.
Also, your recommendation for the VPN-first approach really helped me out!
I will certainly adopt this strategy when it comes to dealing with contractors accessing PAM.
Glad the information was helpful. 👍
Regarding the FIPS security guide recommendation, I strongly agree with you here, it would certainly be a great addition. Please do add this as an idea in our PAM Idea Exchange for the community and the Product Team to evaluate and potentially scope into the Roadmap.