TCPWave IPAM is the world’s first acclaimed DNS/DHCP management software to pass the most stringent information security tests. TCPWave IPAM has nullified attacks and exploits that use attack vectors such as SQL Injection, SQL Injection (Boolean), SQL Injection (Blind), Cross-site Scripting, Command Injection, Command Injection (Blind), Local File Inclusion, Remote File Inclusion, Code Evaluation, HTTP Header Injection, Open Redirection, Web App Fingerprint, WebDAV, Reflected File Download, Insecure Reflected Content, XML External Entity, File Upload, Cross-Origin Resource Sharing (CORS), HTTP Methods, Server-Side Request Forgery (Pattern Based), Server-Side Request Forgery (DNS), XML External Entity (Out of Band), Cross-site Scripting (Blind), Code Evaluation (Out of Band).
Why is Information Security important?
- To keep the data confidential and accurate
- To keep the data available for authorized users only
- To reduce the risk of unauthorized access
- To reduce the risk to business management and improve the way we do business
- To increase computer security
- To assure clients and customers that their information is safeguarded
How does TCPWave do it?
With security attacks increasing, TCPWave keeps up with the latest security measures to provide foolproof appliances for mission-critical business environments. The information security enhancements that TCPWave provides its customers include restricting DNS updates from management devices to strict encrypted TCP, full support for BIND RPZ, seamless switching between BIND and non-BIND, a DNS firewall that drops specific regex matches, TACACS+ authentication, a hardened operating system, extensive SNMP monitoring, non-root processes, and built-in TCPWave IDS sensors that detect, correct and alert on unauthorized configuration changes. TCPWave also enhances the BIND open source code with custom security enhancements that make BIND work securely on the TCPWave DNS appliances. Communication with the cloud DNS providers for management updates takes place over SSL. No plain text usernames or passwords are used when updates are made to any cloud DNS provider. TCPWave automatically encrypts all the cloud provider credentials with the best possible encryption and uses them for cloud DNS management. In addition, no plain text username or password is used when a third-party application communicates with the TCPWave IPAM. SSL authentication from a specific IP address to run a specific set of API calls is defined in the IPAM for users to invoke IPAM REST API calls.
Centralized AAA using TACACS+
TCPWave appliances for network infrastructure services use TACACS+ for authentication, authorization and accounting. TCPWave has developed a unique methodology with which our appliances do not need a user to be defined as a local account on each appliance. Secure Shell (SSH) access to each appliance takes place by proxying the user’s credentials to a foreign AAA server. If the user is defined on the foreign AAA server and has permissions to enter the TCPWave appliance using SSH, access is granted. This approach dramatically reduces the operational overhead to define local accounts. When an administrator leaves the organization, there is no necessity to update all the TCPWave Appliances. Removing that user from the AAA server would do the job.
TCPWave has further enhanced the TACACS+ security by sending each keystroke typed by the users to the AAA logs. Multiple AAA servers can be configured into the TCPWave TACACS module so that the AAA process does not have a single point of failure.
Terminal Access Controller Access-Control System (TACACS+) is a remote authentication protocol that is used to communicate with an authentication server commonly used in UNIX networks. TACACS+ is a security application that provides centralized validation of users attempting to gain access to a router or network access server. TACACS+ services are maintained in a database on a TACACS+ daemon running, typically, on a UNIX workstation. The goal of TACACS+ is to provide a methodology for managing multiple network access points from a single management service.
- Offers multiprotocol support
- Allows a network administrator to define what commands a user may run. This fine-grained level of control allows more controlled access for a greater number of users on a network.
- Full support for IPv4 and IPv6
- No limit on number of users, clients or servers
- Allows control of commands
- Separates authentication, authorization and accounting, which makes it more flexible
- Encrypted usernames and passwords
- Flexible external backend for user profiles
Benefits it provides to the organization:
- Centralized User Management
- Flexible authorization policies
- Multiple Data sources support
The TCPWave appliance can easily handle DDoS attacks. We use a specially crafted appliance with a hardened operating system. The TCPWave appliance has a second DNS application that backs up BIND DNS if the first DNS application fails. When an unusual DNS trend is detected on the performance management charts, automatic alerts are sent to the NOC. The NOC team has the ability to fix the bug or deny the attack.
Seamless Fault Management
The TCPWave appliance can send SNMP alerts to SMARTS when it detects an over-utilized or failed resource (CPU/Disk/Memory). SNMP is the core of the appliance’s fault management system. It is used to manage network resources and to enable network administrators to monitor network performance. All the network devices are fitted with an SNMP agent that is responsible for sending the traps.
Operating at elevated security
DNS Security is a huge and complex topic. At TCPWave we understand the complexity and importance of security in running your mission critical DNS infrastructure. While doing so, we have perfected our DNS appliance making it harder to penetrate and poison.
The TCPWave appliances can defend themselves at various security levels. They calculate a baseline trend and compare the DNS traffic pattern with that baseline. Any deviation from the baseline is reported to management via SNMP alerts.
Finally, the TCPWave appliances run BIND as a non-root user and in a chroot directory to increase security: if someone attempts to crack BIND, they cannot go beyond the chroot environment and make malicious changes to the underlying operating system.
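An administrator can verify this posture on a Linux host by reading `/proc`. The following is an added example, not TCPWave code: it checks each `named` process for a non-zero effective UID, a root directory other than `/`, and the absence of capabilities that defeat chroot containment. The sample PIDs, UID 25 and the path `/var/named/chroot` are constructed.

```python
import os
import tempfile
from pathlib import Path

# Capabilities that defeat chroot containment if a process keeps them.
RISKY_CAPS = {18: "CAP_SYS_CHROOT", 21: "CAP_SYS_ADMIN"}

def audit_named(proc_root="/proc", name="named"):
    """Return one finding per running process whose Name matches `name`."""
    findings = []
    for entry in sorted(Path(proc_root).iterdir()):
        if not entry.name.isdigit():
            continue
        try:
            status = {}
            for line in (entry / "status").read_text().splitlines():
                key, _, value = line.partition(":")
                status[key] = value.strip()
            if status.get("Name") != name:
                continue
            euid = int(status["Uid"].split()[1])   # real, effective, saved, fs
            cap_eff = int(status["CapEff"], 16)    # effective capability mask
            root = os.readlink(entry / "root")     # needs root or the same uid
        except (OSError, KeyError, ValueError, IndexError):
            continue  # process exited, or not readable at this privilege
        risky = [n for bit, n in RISKY_CAPS.items() if cap_eff >> bit & 1]
        findings.append({"pid": int(entry.name), "euid": euid, "root": root,
                         "risky_caps": risky,
                         "ok": euid != 0 and root != "/" and not risky})
    return findings

def build_sample_proc(base):
    """Constructed /proc look-alike: one confined named, one unconfined."""
    samples = {
        "812": ("named", "25\t25\t25\t25", "0000000000000400", "/var/named/chroot"),
        "977": ("named", "0\t0\t0\t0", "000001ffffffffff", "/"),
        "1": ("systemd", "0\t0\t0\t0", "000001ffffffffff", "/"),
    }
    for pid, (name, uid, cap, root) in samples.items():
        d = Path(base) / pid
        d.mkdir(parents=True)
        (d / "status").write_text(f"Name:\t{name}\nUid:\t{uid}\nCapEff:\t{cap}\n")
        os.symlink(root, d / "root")
    return base

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in audit_named(build_sample_proc(tmp)):
            print(finding)
```

On a live system, call `audit_named()` with its defaults as root so that the `root` links of other users' processes are readable.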
TCPWave uses ethical hacking and penetration testing to find the vulnerabilities in a network or computer. Each TCPWave appliance build version is certified after two weeks of repeated simulated DDoS attacks using various exploit frameworks, both open source and commercial versions. The performance, stability, scalability and sustainability of the prototype undergo a rigorous QA check, and a comprehensive compliance report is then generated. The product gets GA (Global Availability) only after achieving 100% in the penetration testing and ethical hacking test. The TCPWave DNS appliances are also tested for BGP and OSPF routing exploits and underlying hardened operating system exploits, and are comprehensively cross-checked when Juniper, Cisco and Arista Networks publish their exploits to TCPWave using our valued partner channels.
TCPWave MIB that can be integrated into EMC SMARTS, InfoVista, IBM Tivoli, HP NNM
Each TCPWave appliance build version comes pre-installed with a superior SNMP (Simple Network Management Protocol) MIB (Management Information Base). The SNMP MIB assists the TCPWave IPAM in collecting vital statistics on each TCPWave appliance that runs a critical component of your core network infrastructure. The enhanced monitoring that TCPWave offers allows you to automatically monitor all the critical hardware and software components of the appliances. The DNS and DHCP SNMP MIBs perform a baseline determination when provisioned initially. After the baseline is established, they actively monitor for any abnormal traffic flow patterns related to DNS and DHCP. When an anomaly is detected, alerting takes place through multiple methods that are configurable in the TCPWave IPAM’s dashboard.
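The baseline-then-compare approach described here and under "Operating at elevated security" can be sketched as follows. This is an added example, not TCPWave's implementation: the page does not state the appliance's algorithm, so the median/MAD robust z-score, the thresholds and the per-record-type query rates are all assumptions, and the sample data is constructed.

```python
from statistics import median

# Constructed provisioning-window samples: queries per minute by record type.
PROVISIONING = [
    {"A": 1000, "AAAA": 400, "TXT": 20},
    {"A": 1040, "AAAA": 420, "TXT": 25},
    {"A": 980, "AAAA": 390, "TXT": 18},
    {"A": 1010, "AAAA": 410, "TXT": 22},
    {"A": 990, "AAAA": 405, "TXT": 21},
    {"A": 1020, "AAAA": 395, "TXT": 19},
]

def learn_baseline(samples):
    """Per record type, keep the median rate and the median absolute deviation."""
    baseline = {}
    for qtype in {q for s in samples for q in s}:
        series = [s.get(qtype, 0) for s in samples]
        med = median(series)
        mad = median(abs(x - med) for x in series)
        baseline[qtype] = (med, max(mad, 1.0))  # floor: a flat series has MAD 0
    return baseline

def find_anomalies(baseline, sample, threshold=6.0, unseen_floor=10):
    """Return (qtype, rate, score) for every rate that departs from the baseline."""
    alerts = []
    for qtype in sorted(set(baseline) | set(sample)):
        rate = sample.get(qtype, 0)
        if qtype not in baseline:
            # Record type never seen while provisioning: no spread to score against.
            if rate >= unseen_floor:
                alerts.append((qtype, rate, None))
            continue
        med, mad = baseline[qtype]
        score = (rate - med) / (1.4826 * mad)  # robust z-score
        if abs(score) > threshold:
            alerts.append((qtype, rate, round(score, 1)))
    return alerts

if __name__ == "__main__":
    base = learn_baseline(PROVISIONING)
    print(find_anomalies(base, {"A": 1015, "AAAA": 398, "TXT": 23}))
    print(find_anomalies(base, {"A": 1030, "AAAA": 410, "TXT": 900, "ANY": 350}))
```

Because a record type missing from the current sample is scored as a rate of zero, a sudden drop in normal traffic is reported as well as a spike.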
Each TCPWave appliance’s configuration is automatically backed up by the TCPWave IPAM and it is checked for policy violations. The configuration assurance policies are defined by the TCPWave IPAM administrator when the appliance is provisioned using the TCPWave SDN for DNS and DHCP appliance.
TCPWave has also partnered with HP and has developed HPNA adapters to back up and restore the appliances. Our appliances reduce your backup costs significantly when compared to a full server backup. A tiny footprint of the configuration files is backed up by HPNA.
If the appliance fails, the Dell Technician replaces the failed drive within 4 hours (Dell support contract required). If both the drives fail, a new set of drives with the software pre-loaded is installed. The TCPWave IPAM or HPNA would then restore the original configurations, thereby getting you up and running much faster than our competition. When a TCPWave appliance is down, the business would not see any outage because of the multiple layers of redundancy in the design of the Anycast layer.
Secure DNS Updates from Management
Unlike our competitors, we do not use RFC 2136 UDP-based updates to the remote master or slave DNS server. The Information Security experts of TCPWave have attended multiple security conferences and had brainstorming sessions with the product development team. We have redesigned how BIND or NSD receive DNS updates. We use TCPWave Message Routes, which use SSL over TCP to perform secure updates to the remote DNS server. Our transmission cannot be intercepted by a DNS spoofing attack or a man-in-the-middle attack. We also have an integrity checker to ensure that the remote DNS server is running the exact same version of the DNS configuration as mandated by the IPAM. A robust monitoring mechanism reinforces this integrity check.