SMP Web Session functionality for ITMS 8.7.3

Article ID: 377096


Products

Server Management Suite

Issue/Introduction

Security enhancement functionality in ITMS 8.7.3

In previous ITMS 8.7 releases the "Web Sessions" functionality already existed, but it allowed only two kinds of rule, "Deny" or "Allow", controlling access to the SMP Console for the selected account(s) or Security Role(s) from a given device hostname or IP address:

Under Settings > All Settings > Notification Server > Internals > Web Sessions > Configure Sessions

Environment

ITMS 8.7.3

Resolution

Starting from ITMS 8.7.3 (see the Release Notes), the "Web Sessions" functionality lets you create your own rules to allow, deny, or allow only a single session for the selected Account(s), Security Role(s), IP addresses or subnets.

The UI and the internal engine have been redesigned to allow more flexible control of Web Sessions in ITMS.

The "Configure Sessions" page now allows creating custom "rules" and ordering them to achieve the logical result the customer needs.

Example # 1

Current state of UI design for the Web Session settings.


View Sessions

The "View Sessions" page allows you to identify current web sessions and manipulate them.

Short description:
1. "Log off" button allows the admin to force a log-off of the web session for the selected account/address, so that the user is automatically logged off from the SMP Console.
2. "Reset" button allows the admin to return any web session to the normal state. If there are "Limited" or "Logged Off" web sessions, the admin can select them in the "Sessions" section grid and click "Reset"; the web session is then returned to the normal state.
3. "Delete" button allows the admin to delete current active or archived web sessions so that they are no longer shown in the "Sessions" section grid.
4. "Purge" button allows the admin to force purging of archived web sessions. Otherwise, archived web sessions are purged from the grid according to the "Keep archive for: % Days" setting on the "Configure Sessions" page.

  • "View:" drop-down menu lets the admin see "All" web sessions, "Active" web sessions only, or "Archive" web sessions only in the "Sessions" section grid.
  • "Active in:" drop-down menu lets the admin filter active web sessions by last activity time: "5 minutes", "15 minutes", "1 hour", "3 hours", "1 day", "3 days", "1 week".
  • "Requests:" drop-down menu lets the admin filter web sessions in the grid that have at least "1", "10" or "100" requests.
  • "Status:" drop-down menu lets the admin filter web sessions in the grid to see "Any", or only "Normal", "Limited", "Logged off" or "Single Sessions".


Rules

The rules in the defined list are executed sequentially against each web request.

A rule is "matched" when its logic applies to the request details.

Rules can be of following types:

  • "Allow" – grants the request execution and lets the session proceed
  • "Deny" – denies the same
  • "Single Session" – a special one, described later in this document

All rules have only two main sets of values:

  • Accounts or Roles – specify matching trustees to check
  • Hosts – list of the IP addresses and Subnets to check

Example # 2 – Simple “Deny” rule

  1. rule type choice
  2. rule logic choice (how we treat users and hosts)
  3. buttons to move up / down / delete rule
  4. On / Off toggle – the rule can be disabled for processing
  5. Picker to choose accounts or roles
  6. Edit box to enter a CSV list of IPs or subnets
  7. Description of rule definition

Example # 3 – Rules with configuration issues

When something is not defined in the rule, a warning is shown describing what is suspicious.

Extra logic for “Allow” & “Deny” rules

When the rule type is either "Allow" or "Deny", a special dropdown is shown in the rule title to choose how the values of the rule are treated:

Available options:

  • "Any" – any host / user match that is specified and active (checked) produces a rule "match" result.
  • "Host by user" – the host list is checked first and the rule is executed only when the request is matched by the host entries. If no account / role is specified, the rule is treated as a "match".
  • "User by host" – the host list is checked first and the rule is executed only when the request is matched by the host entries.

“Single Session” Rule

Requests that match this rule are treated as a "single session". Other sessions of the same user are marked as "logoff" for 2 minutes (the timeout will be customizable).

Note that this functionality is per specific user, i.e. if the "account or role" match criteria define roles, other users from that role will not be blocked.


Extra logic for “Single Session” rules

This type of rule has different "logic" options to choose from:

  • "Default behavior" – the matching rule "marks" the request as "single session" and continues to the next rules.
  • "Break on match" – same as "default", but no further rules are executed.
  • "Break on mismatch" – only matching requests are marked as "single session" and continue to the next rules; otherwise, the request is limited.

Application Identity

The special "Application Identity" user that exists in ITMS is not checked against the "rules", i.e. it is always granted access to ITMS from any place.

Hosts

This entry in the "rule" can be a CSV (comma-separated value) list and can contain IPs in the following forms:

  1. Direct IP match, i.e. the IP address is fully specified, like "10.127.134.168"
  2. Subnet, like "10.127.132.0/22" – any IP from the subnet is matched
  3. Tail wildcard, like "10.127.*" – this matches any IP that starts with "10.127."
  4. Head wildcard, "*.127.128" – the IP has to end with ".127.128"

Also, any entry in the list can be prefixed with "~" to negate the check, for example:

  • "~10.127.132.0/22" – the rule matches if the IP is not from the specified subnet.
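To check how a host list would behave before relying on it in a rule, here is a small matcher for the four entry forms and the "~" negation described above. It is an added example, not code from ITMS; it assumes wildcard entries are compared against the dotted text of the IP and that the entries of one CSV list are OR'ed together (any matching entry counts as a host match).

```python
import ipaddress


def host_entry_matches(entry: str, ip: str) -> bool:
    """Return True if a single rule host entry matches the client IP.

    Entry forms: exact IP, CIDR subnet, tail wildcard "10.127.*",
    head wildcard "*.127.128"; a leading "~" negates the result.
    Assumption: wildcards are matched on the dotted-decimal text of the IP.
    """
    entry = entry.strip()
    negate = entry.startswith("~")
    if negate:
        entry = entry[1:].strip()
    addr = ipaddress.ip_address(ip)      # raises ValueError on garbage input
    text = str(addr)                     # canonical dotted form for wildcards
    if entry.endswith(".*"):             # tail wildcard: prefix match
        matched = text.startswith(entry[:-1])     # keep the trailing dot
    elif entry.startswith("*."):         # head wildcard: suffix match
        matched = text.endswith(entry[1:])        # keep the leading dot
    elif "/" in entry:                   # subnet in CIDR form
        matched = addr in ipaddress.ip_network(entry, strict=False)
    else:                                # direct IP match
        matched = addr == ipaddress.ip_address(entry)
    return (not matched) if negate else matched


def hosts_match(csv_hosts: str, ip: str) -> bool:
    """Evaluate the CSV host list of one rule against a client IP.

    Assumption: entries are OR'ed, so any matching entry is a host match;
    an empty list never matches.
    """
    entries = [e for e in csv_hosts.split(",") if e.strip()]
    return any(host_entry_matches(e, ip) for e in entries)


if __name__ == "__main__":
    # Constructed sample: a rule that covers one subnet plus one direct IP.
    rule_hosts = "10.127.132.0/22, 192.168.1.10"
    for client in ("10.127.135.7", "10.127.136.1", "192.168.1.10"):
        print(client, "->", hosts_match(rule_hosts, client))
```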


Export

Clicking the export button in the Rules header shows the current rule set as XML. It can be copied and preserved for later use:

A dialog is shown with the XML content:


Import

Import allows replacing the rules from saved XML:

In the same dialog as for export, paste the saved XML and click "OK":


Try rules

To verify how the rules behave for a request, a "try" function has been added:

In the dialog, you can pick an account and an IP address to try:

Additional Information

"How to adjust the session timeout for the SMP Console" (KB 253666)