Secure your network with 360 Degree Network Security with TCPWave IPAM.
TCPWave IPAM is the world's first acclaimed DNS or DHCP management
software to pass the most stringent information security tests.
TCPWave IPAM has nullified attacks and exploits that use attack
vectors such as SQL Injection, SQL Injection (Boolean), SQL Injection
(Blind), Cross-site Scripting, Command Injection, Command
Injection (Blind), Local File Inclusion, Remote File Inclusion,
Code Evaluation, HTTP Header Injection, Open Redirection, Web App
Fingerprint, WebDAV, Reflected File Download, Insecure Reflected
Content, XML External Entity, File Upload, Cross-Origin Resource
Sharing (CORS), HTTP Methods, Server-Side Request Forgery (Pattern
Based), Server-Side Request Forgery (DNS), XML External Entity
(Out of Band), Cross-site Scripting (Blind), and Code Evaluation (Out
of Band).
Why is Information Security important?
To keep the data confidential and accurate.
To keep the data available for authorized users only.
To reduce the risk of unauthorized access.
To reduce the risk to business management and improve the way we do business.
To increase computer security.
To assure clients and customers that their information is safeguarded.
How does TCPWave do it?
With increasing security attacks, TCPWave keeps up with the latest
security measures for providing fool-proof appliances to
mission-critical business environments. Some of the information
security enhancements that TCPWave delivers to its customers are:
Restricting DNS updates from management devices to use strict encrypted TCP.
Full support for BIND RPZ.
Seamless switching between BIND and non-BIND.
DNS firewall to drop specific regex matches.
TACACS+ authentication.
Hardened operating system, extensive SNMP monitoring, non-root processes, and built-in TCPWave IDS sensors to detect, correct and alert on unauthorized configuration changes.
TCPWave also enhances the BIND open-source code with custom security
enhancements that make BIND work securely on the TCPWave DNS
appliances. There are no plain text usernames or passwords when
updates are made to any cloud DNS provider. Communication with the
cloud DNS providers for management updates takes place over SSL.
TCPWave automatically encrypts all the cloud provider credentials
with the best possible encryption and uses them for cloud DNS
management. In addition, there is no plain text username or password
when a third-party application communicates with the TCPWave IPAM.
For users to invoke IPAM REST API calls, the IPAM defines SSL
authentication from a specific IP address that is allowed to run a
particular set of API calls.
DDOS Attacks
We use a specially crafted appliance with a hardened operating
system. The TCPWave appliance can easily handle DDOS attacks. It has
a second DNS application that backs up BIND DNS if the first DNS
application fails. When the system detects an unusual DNS trend on
the performance management charts, it sends automatic alerts to the
NOC. The NOC team can fix the bug or deny the attack.
Seamless Fault Management
The TCPWave appliance can send SNMP alerts to SMARTS when it detects
an over-utilized or failed resource (CPU/disk/memory). SNMP is the
core of the appliance's fault management system. It manages network
resources and enables network administrators to monitor network
performance. The SNMP agent is responsible for sending the traps.
Operating at elevated security
DNS security is a vast and complex topic. At TCPWave, we understand
the complexity and importance of security in running your
mission-critical DNS infrastructure. While doing so, we have
perfected our DNS appliance, making it harder to penetrate and poison.
The TCPWave appliances can defend themselves against various security
levels. They can calculate the baseline trend and compare the DNS
traffic pattern with the baseline. The users can track any
abnormality against the baseline via SNMP alerts. Finally, the
TCPWave appliances run BIND as a non-root user and in a chroot
directory to increase security.
If someone attempts to crack BIND, they cannot go beyond the chroot
environment or make a malicious change to the underlying operating
system.
Built Tough
TCPWave appliances undergo ethical hacking and penetration testing,
which are used to find the vulnerabilities in a network or computer.
Each TCPWave appliance build version is certified after two weeks of
repeated simulated DDOS attacks using various open-source and
commercial frameworks. The prototype's performance, stability,
scalability, and sustainability undergo a rigorous QA check, and the
system generates comprehensive compliance reports. The product gets a
GA (Global Availability) only after achieving 100% in the penetration
testing and ethical hacking test. The TCPWave DNS appliances are
tested for BGP and OSPF routing exploits and for exploits of the
underlying hardened operating system. They are cross-checked when
Juniper, Cisco, and Arista Networks publish their exploits to TCPWave
through our valued partner channels.
TCPWave MIB that can be integrated into EMC SMARTS, InfoVista, IBM Tivoli, HP NNM
The enhanced monitoring that TCPWave offers allows you to
automatically monitor all the appliances' critical hardware and
software components. Each TCPWave appliance build version comes
pre-installed with a superior SNMP (Simple Network Management
Protocol) MIB (Management Information Base). The SNMP MIB assists the
TCPWave IPAM in collecting vital statistics on each TCPWave appliance
that runs a critical component of your core network infrastructure.
The DNS and DHCP SNMP MIBs perform a baseline determination when
provisioned initially. After the baseline is established, they
actively monitor any abnormal traffic flow patterns related to DNS
and DHCP. When an anomaly is detected, alerts are raised through
multiple configurable methods in the TCPWave IPAM's dashboard.
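
The baseline-then-compare monitoring described here and under "Operating at elevated security" can be sketched as follows. This is an added example, not TCPWave code: the page does not describe the appliance's algorithm, so the median/MAD baseline, the threshold, the three-minute sustain rule and the sample query counts are all assumptions constructed for illustration.

```python
import statistics

# Constructed sample data: DNS queries per minute (not from a real appliance).
PROVISIONING = [1180, 1210, 1195, 1250, 1205, 1190,
                1225, 1215, 1200, 1185, 1230, 1198]
LIVE = [1207, 1192, 9500, 1221, 9800, 10450, 11020,
        9900, 1240, 1210, 40, 35, 30, 1199]


def build_baseline(samples):
    """Summarise the provisioning window as a median and a robust spread."""
    median = statistics.median(samples)
    # Median absolute deviation: a few spikes during provisioning barely move it.
    mad = statistics.median([abs(s - median) for s in samples])
    # 1.4826 * MAD approximates a standard deviation; floor it to avoid divide-by-zero.
    return {"median": median, "scale": max(1.4826 * mad, 1.0)}


def classify(baseline, value, threshold):
    """Return 'surge', 'drop' or None for one per-minute sample."""
    z = (value - baseline["median"]) / baseline["scale"]
    if z > threshold:
        return "surge"   # e.g. a query flood
    if z < -threshold:
        return "drop"    # e.g. an upstream outage or a stalled resolver
    return None


def detect(baseline, stream, threshold=6.0, sustain=3):
    """Return (first_minute, last_minute, kind) for each sustained deviation."""
    alerts, run_start, run_kind = [], 0, None
    for i, value in enumerate(list(stream) + [None]):  # sentinel closes the last run
        kind = None if value is None else classify(baseline, value, threshold)
        if kind != run_kind:
            # A run ended; alert only if it lasted long enough to matter.
            if run_kind is not None and i - run_start >= sustain:
                alerts.append((run_start, i - 1, run_kind))
            run_start, run_kind = i, kind
    return alerts


if __name__ == "__main__":
    base = build_baseline(PROVISIONING)
    for first, last, kind in detect(base, LIVE):
        print(f"ALERT {kind}: minutes {first}-{last}, baseline {base['median']}/min")
```

The one-minute spike at index 2 is ignored because it is not sustained, while the four-minute surge and the three-minute drop each raise one alert.
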
Configuration Assurance
The TCPWave IPAM automatically backs up each TCPWave appliance's
configuration and checks it for policy violations. The configuration
assurance policies are defined by the TCPWave IPAM administrator when
the appliance is provisioned using the TCPWave SDN for DNS and DHCP
appliances.
TCPWave has also partnered with HP and has developed HPNA adapters to
back up and restore the appliances. HPNA backs up a tiny footprint of
the configuration files. Our appliances reduce your backup costs
significantly compared to a full server backup.
If the appliance fails, a Dell technician replaces the failed drive
within 4 hours (Dell support contract required). If both drives fail,
a new set of drives with the software pre-loaded is installed. The
TCPWave IPAM or HPNA would restore the original configurations,
thereby getting you up and running much faster than our competition.
When a TCPWave appliance is down, the business would not see any
outage because of the multiple layers of redundancy in the design of
the Anycast layer.
Secure DNS Updates from Management
Unlike our competitors, we
do not use RFC 2136 UDP-based updates to the remote master or slave
DNS server. The Information Security experts of TCPWave have attended
multiple security conferences and had brainstorming sessions with the
product development team. We have redesigned how BIND or NSD receives
DNS updates. We use TCPWave Message Routes, which use SSL over TCP to
perform security updates to the remote DNS server. Our transmission
cannot be intercepted by a DNS spoof attack or a man-in-the-middle
attack. We also have an integrity checker to ensure that the remote
DNS server runs the exact version of the DNS configuration mandated
by the IPAM. A robust monitoring mechanism reinforces this integrity
check.
IPAM Authentication
The TCPWave IPAM system is designed to enable different
authentication modules. The IPAM Authentication module offers a
secure and flexible mechanism to allow user authentication in the
IPAM. It supports a wide array of popular centralized authentication
mechanisms, including the following.
Microsoft Active Directory Kerberos Authentication.
LDAP (Lightweight Directory Access Protocol).
RADIUS (Remote Authentication Dial In User Service).
TACACS+ (Terminal Access Controller Access-Control System Plus).
Native UNIX based PAM authentication.
Database based authentication.
Security Assertion Markup Language (SAML) based authentication.
SAML Authentication
Security Assertion Markup Language (SAML) is an open standard for
exchanging authentication and authorization data between various
parties. Principal, Identity Provider (IDP), and Service Provider
(SP) are the three main roles defined in a SAML ecosystem. Typically,
the principal requests a service from the Service Provider. The
Service Provider requests and obtains an authentication assertion
from the Identity Provider. Based on the assertion, the SP makes an
access control decision and performs the service for the connected
principal. There are many commercial solutions for SAML IDP and SP,
like Okta, OneLogin, Shibboleth, Gluu, etc. TCPWave IPAM acts as a
Service Provider for IPAM applications and supports integration with
any third-party IDP already in use in an enterprise. TCPWave supports
both SP-initiated and IDP-initiated authentication flows.