Your web servers might capture and process sensitive data at any time, so you must constantly control access to data at rest and in transit and secure all Tealeaf systems in your environment.
Pre-installation considerations
Administrators should be aware of any enterprise security policies that may be applied to any Tealeaf servers. Any one-time or periodic changes to user accounts, security policies, or other system configuration that may affect the performance or availability of Tealeaf software should be monitored by application administrators.
For example, some customers may reapply all their security settings as a nightly job to all machines, which may disrupt configurations or fixes applied to Tealeaf. These types of enterprise policies must be synchronized with the Tealeaf team.
PCA security
The CX Passive Capture Application is a passive network appliance that functions essentially as an advanced packet sniffer. The PCA maintains dedicated connections with the SPAN port or switch feeding data to it and should not have access to the wider Internet. As a result, security issues related to a web server having access to a live network connection do not apply.
openssl, which is integrated into the application and is not patchable.
Operating system
The CX PCA is hosted on a separate Linux™ server, which can be hardened by removing unneeded services and remediating known vulnerabilities.
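A practical way to act on "removing unneeded services" is to compare what the PCA host actually listens on against the short list of services it needs. The following script is an added example, not part of this document or of the PCA software. It parses the output layout of the Linux `ss -Hltn` command (state, queues, local address:port, peer address:port) and sorts listeners into expected, loopback-only, and network-reachable groups. The port allowlist (SSH on 22, a web console on 8443) and the sample `ss` lines are constructed assumptions; take the real port assignments from your PCA configuration.

```python
import shutil
import subprocess

# Ports expected to listen on a PCA host. ASSUMPTION for illustration only: SSH for
# administration and an HTTPS port for the Apache-served web console. Replace with the
# ports your PCA configuration actually uses.
EXPECTED_PORTS = {22: "sshd (administration)", 8443: "PCA web console over HTTPS"}

# Addresses that are only reachable from the host itself.
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}

# Constructed sample in the layout of `ss -Hltn` (State Recv-Q Send-Q Local:Port Peer:Port).
# Not captured from a real PCA.
SAMPLE_SS = """\
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      511          0.0.0.0:8443      0.0.0.0:*
LISTEN 0      100        127.0.0.1:25        0.0.0.0:*
LISTEN 0      4096            [::]:111          [::]:*
LISTEN 0      128          0.0.0.0:3306      0.0.0.0:*
"""


def parse_listeners(text):
    """Return (address, port) pairs for every LISTEN line in ss-style output."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        # rpartition keeps IPv6 addresses such as "[::]" intact and splits off the port.
        addr, _, port = parts[3].rpartition(":")
        listeners.append((addr, int(port)))
    return listeners


def classify(listeners, expected=EXPECTED_PORTS):
    """Split listeners into expected, loopback-only extras, and network-reachable extras.

    Network-reachable extras are the services to remove or firewall first; loopback-only
    extras are lower risk but still candidates for removal on a single-purpose appliance."""
    report = {"expected": [], "loopback_only": [], "network_reachable": []}
    for addr, port in listeners:
        if port in expected:
            report["expected"].append((addr, port))
        elif addr in LOOPBACK:
            report["loopback_only"].append((addr, port))
        else:
            report["network_reachable"].append((addr, port))
    return report


def live_listeners():
    """Run ss on the local host when it is installed; return None otherwise."""
    if shutil.which("ss") is None:
        return None
    result = subprocess.run(["ss", "-Hltn"], capture_output=True, text=True, check=True)
    return parse_listeners(result.stdout)


if __name__ == "__main__":
    listeners = live_listeners()
    if listeners is None:
        listeners = parse_listeners(SAMPLE_SS)
    for group, items in classify(listeners).items():
        print(group, items)
```

Run on the sample, the script reports the SMTP listener as loopback-only and the portmapper and MySQL listeners as network-reachable extras; on a real host it reads `ss` directly and the same grouping tells you which services to disable before exposing the appliance to the SPAN feed.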
Web console
The PCA provides the Web Console, a web interface for configuring the application. The web console can be configured to transmit traffic over HTTPS.
The web console is the PCA administration console and is not intended for deployment over the open Internet. The PCA web console does not see any of the capture traffic and is dedicated to its web management functions.
If desired, you can disable the PCA web console. Configuration of the CX Passive Capture Application can then be applied through the configuration file (ctc-conf.xml).
If operating system changes are not possible, or if editing the web console configuration file is problematic, you can use the console to specify traffic addresses and ports to ignore. Wildcards are accepted.
The Web Console is served by a standard Apache server. If desired, security enhancements can be applied through Apache. For more information, see the Apache documentation.
Apply enterprise private keys
To decrypt SSL communications, you must provide the enterprise private keys. Tealeaf loads an encrypted version of the private key and decrypts it internally using a provided hash key.
- Export the key in PEM format from any of the supported web servers.
- Set up Tealeaf to use the exported key.
- You might also need to perform any of the following SSL key operations:
  - Generate a self-signed certificate
  - Generate a self-signed certificate using utility scripts
  - Set up the transport service for SSL encryption
  - Set up the Portal Status/Web Console certificate
  - Remove or view a certificate
  - Validate PEM keys
Private keys can be added through the SSL Keys tab on the web console, where you can also review the keys that the PCA identifies as missing.
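Before handing an exported key to the PCA, it helps to confirm that the PEM file is well formed and to know whether the private key inside it is stored encrypted, since the text above says Tealeaf expects to load an encrypted copy. The script below is an added example that is not part of this document or of Tealeaf; it implements the "Validate PEM keys" step as a structural check (BEGIN/END labels, base64 payload, DER framing, legacy `Proc-Type: 4,ENCRYPTED` headers and PKCS#8 `ENCRYPTED PRIVATE KEY` blocks) and flags private keys left in plaintext. The list of key labels and all sample inputs are constructed for the example; the 8-character payload is a tiny DER stand-in, not real key material. A full cryptographic check of a real key is a job for `openssl pkey -check` once the file passes this structural pass.

```python
import base64
import re

# Block labels treated as private keys. ASSUMPTION: illustrative list of common PEM
# encodings exported by web servers, not Tealeaf's documented supported set.
PRIVATE_KEY_LABELS = {
    "RSA PRIVATE KEY",
    "EC PRIVATE KEY",
    "PRIVATE KEY",
    "ENCRYPTED PRIVATE KEY",
}

# One PEM block: BEGIN line, body, END line. BEGIN and END labels are captured
# separately so a mismatch can be reported instead of silently ignored.
BLOCK_RE = re.compile(
    r"-----BEGIN (?P<begin>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P<end>[A-Z0-9 ]+)-----",
    re.DOTALL,
)


def inspect_pem(text):
    """Inspect every PEM block in text. Returns one dict per block with its label,
    whether it is a private key, whether that key is encrypted, and any problems."""
    findings = []
    for m in BLOCK_RE.finditer(text):
        label, body = m.group("begin"), m.group("body")
        problems = []
        if m.group("end") != label:
            problems.append("BEGIN/END labels differ (%s vs %s)" % (label, m.group("end")))
        lines = body.splitlines()
        # Legacy (RFC 1421 style) encrypted keys carry "Proc-Type"/"DEK-Info" header lines
        # before a blank line and the base64 payload; base64 lines never contain ":".
        headers = []
        while lines and ":" in lines[0]:
            headers.append(lines.pop(0).strip())
        legacy_encrypted = any(h.startswith("Proc-Type:") and "ENCRYPTED" in h for h in headers)
        encrypted = legacy_encrypted or label == "ENCRYPTED PRIVATE KEY"
        payload = "".join(line.strip() for line in lines if line.strip())
        raw = b""
        try:
            raw = base64.b64decode(payload, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append("payload is not valid base64")
        if not raw and not problems:
            problems.append("payload is empty")
        # Plain and PKCS#8-encrypted blocks are DER, which starts with a SEQUENCE tag
        # (0x30). Legacy-encrypted bodies are raw ciphertext, so the check is skipped.
        if raw and not legacy_encrypted and raw[0] != 0x30:
            problems.append("payload does not start with a DER SEQUENCE")
        findings.append({
            "label": label,
            "private_key": label in PRIVATE_KEY_LABELS,
            "encrypted": encrypted,
            "problems": problems,
        })
    return findings


def plaintext_private_keys(text):
    """Labels of private-key blocks stored without encryption. Such files should not be
    left on disk once the PCA has loaded its encrypted copy."""
    return [f["label"] for f in inspect_pem(text) if f["private_key"] and not f["encrypted"]]


# Constructed samples. "MAMCAQU=" is base64 of the 5-byte DER SEQUENCE { INTEGER 5 },
# a stand-in for a real key body; "AAAA" stands in for legacy ciphertext.
PLAINTEXT_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMAMCAQU=\n-----END RSA PRIVATE KEY-----\n"
LEGACY_ENCRYPTED_KEY = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n"
    "\n"
    "AAAA\n"
    "-----END RSA PRIVATE KEY-----\n"
)
PKCS8_ENCRYPTED_KEY = (
    "-----BEGIN ENCRYPTED PRIVATE KEY-----\nMAMCAQU=\n-----END ENCRYPTED PRIVATE KEY-----\n"
)
CORRUPT_KEY = "-----BEGIN PRIVATE KEY-----\nnot*base64*\n-----END PRIVATE KEY-----\n"
MISMATCHED_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMAMCAQU=\n-----END PRIVATE KEY-----\n"
CERTIFICATE = "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    bundle = PLAINTEXT_KEY + LEGACY_ENCRYPTED_KEY + PKCS8_ENCRYPTED_KEY + CORRUPT_KEY + CERTIFICATE
    for finding in inspect_pem(bundle):
        print(finding)
    print("plaintext private keys:", plaintext_private_keys(bundle))
```

The structural pass catches the common export mistakes (a certificate exported instead of the key, a truncated or re-wrapped file, a key pasted with the wrong footer) without needing the passphrase, and the `plaintext_private_keys` result is the list to act on before the file leaves the administrator's workstation.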
Secure communications with the processing server
The PCA can be configured to send secure communications (HTTPS/SSL) to the Tealeaf Processing server or servers in your environment.
When enabled, the PCA delivers hits over HTTPS using a private key provided to the CX Passive Capture Application.
Windows IIS Security
The Tealeaf Web Application Utility manages installation of the Tealeaf Portal and all file/group permissions required for IIS.
For enhanced security, you may consider purchasing and implementing an SSL certificate for the IIS web server to enable SSL access to the portal.
Windows server account permissions
Check the Microsoft Support site for information about permissions and user rights for IIS 6, IIS 7.0, and later.
Configure the Portal authentication mode
The Tealeaf Portal supports multiple modes of authentication:
- NT authentication
Tealeaf can authenticate users through Active Directory using the NT domain with which it is associated, and it inherits all of the security features of NT authentication.
- Portal authentication
The Portal provides its own authentication methods, in which user accounts are encrypted and stored in the Tealeaf database. Portal authentication enables enterprises to separate user management from internal systems. Portal authentication supports MD5, RC2, or 3DES encryption algorithms.
- Single sign on
Tealeaf supports integration with CA SiteMinder or with other authentication providers that also pass credentials in HTTP request headers. These credentials behave like Portal authentication credentials. SSO authentication is configured through an external file stored in the Tealeaf installation directory.
- Mixed Mode
In Mixed Mode, users can choose to log in through either Portal Authentication or NT Authentication. The login screen provides a link to switch between these login modes, so that administrators can use the security features of both modes as needed.
To configure the authentication mode, complete the following steps:
- Log in to the portal as an administrator and navigate to TMS.
- Select the node.
- Select Shared configuration information. In the Config Actions pane, click View/Edit.
- Click the Portal tab.
Tealeaf installation directory
On each server, the installed Tealeaf software components are stored in the Tealeaf installation directory. This directory should be secured to prevent access by unauthorized local users and across the network. Only Tealeaf administrators should have read-write access to the installation directory.
Define password security
Depending on the Tealeaf modules that are enabled in your environment, one user account and one admin account are created by default.
Administrators can define various password security options through Portal Management for cxImpact, cxReveal, and cxView.
- To access these settings, navigate to Portal Management in the Portal menu.
- Select the appropriate settings to modify.
Note: The cxImpact setting is on the CX Settings tab.
Tealeaf databases
Depending on the components that are installed for your Tealeaf solution, the following database schemas must be secured from unauthorized access.
Schema | Description |
---|---|
TL_SYSTEM | Tealeaf system configuration database. |
TL_REPORTS | Tealeaf cxImpact reporting database. |
TL_RSEXTRACTOR | Segment Session analysis database. |
TL_STATISTICS | Tealeaf Statistics database. |
All applicable schemas should be secured from unauthorized access. Passwords to these databases should be distributed only to authorized personnel.
By default, the Tealeaf SQL database files are installed in the installation directory.
SQL required logins
Tealeaf requires two SQL logins (TLADMIN and TLUSER) to complete installation and management tasks for the databases.
A SQL login with sysadmin privileges is useful but not required for installation. If the SQL login does not have sysadmin privileges, a DBA must run scripts to complete the login setup.
RTV security
RTV is a Windows application installed on the local desktop, which provides search and replay capabilities to Tealeaf users.
RTV makes requests to the Search Server to search and retrieve data. Depending on whether NT or Portal authentication is enabled, the Search Server returns a different challenge string, to which RTV responds in the way that is appropriate for the mode it sees.
- For NT authentication, RTV uses the Windows account info of the current user.
- For Portal authentication, the username and password to use must be configured on the cxImpact tab in the Options screen. RTV requests are made using the HTTP protocol. Data that is returned to RTV is always encrypted.
Security best practices
In general, Portal authentication and NT authentication provide equivalent data and access security. Depending on your specific enterprise needs, you may find the following sections helpful in making your choices.
Data security
For each of the following components, Tealeaf recommends the following security option for best results in securing data transmission across the network.
Component | Security feature |
---|---|
CX Passive Capture Application Server | Enable SSL connection. |
cxImpact Web Portal | Enable SSL on IIS. |
IIS Webserver | Enable SSL on IIS. |
Report server | Enable NT authentication. |
Replay server | Enable NT authentication. |
Unauthorized login attempts
For each of the following components, Tealeaf recommends the following security option for best results in securing the Tealeaf Portal from unauthorized access.
Component | Security feature |
---|---|
CX Passive Capture Application Server | |
Report server | Enable NT authentication. |
Replay server | Enable NT authentication. |