IMPEX Operation Guide

This operation guide provides assistance and instructions for operating hosted IMPEX systems. It gives general and specific information about operating the stations, the ICC and the Repo server. It does not describe the system or application structure, which is covered in a separate document, and it does not explain troubleshooting of USB Protect or DataLock, which is also covered in a separate document.

Definitions

Word           Definition
IMPEX          The family name of USB Protect, ICC, Repo and DataLock
Stations       The family name of USB Protect and DataLock
ICC            The server which controls the Stations
USB Protect    The kiosk computer used to scan mass storage devices
Repo           The server that holds the updates and definitions
DataLock       Server used for network flows; it scans files before transferring them onwards
Network flows  The description of data being scanned and transferred through the DataLock to a remote destination. A DataLock can have multiple remote destinations configured
Operators      The users who use the administrative interface on the ICC server

Contacts

Customers with a valid support contract can send support emails to

support@sysctl.se

System overview

USB Protect is a kiosk system for scanning data on USB devices; the stations are managed from a central ICC server. USB Protect scans files from USB devices and can deny content based on different rules and technologies. USB Protect initiates all communication to the ICC server on TCP/443 and uses TLS 1.2 for encryption in transit. From the ICC it gets the current time and its configuration, and to the ICC it pushes logs and the results of scans and other actions. USB Protect gets engine definition updates, operating system patches and application upgrades from the Repo server, which can be installed on the ICC server or on a separate server called the Repo server.

The DataLock works like a USB Protect station, but it receives files over SFTP from the network instead of from USB devices, and it scans and forwards files in separate flows.

The ICC server exposes a REST API that requires authentication. The stations use this API, and it can also be used for other types of integrations. The Repo syncs engine definitions and updates from updates.sysctl.se on TCP/443 over TLS and serves them to the stations.

All systems (USB Protect, DataLock, ICC and Repo) use CentOS 7 as the base OS. USB Protect and DataLock are not meant to be logged in to, and remote access to them is not possible; all of their configuration is created as configuration cards on the ICC server. The ICC and Repo servers use local accounts by default but can be connected to Active Directory, Red Hat Identity Manager, FreeIPA or another LDAP service when central accounts are used. Administrators can log in to the Repo and ICC servers with SSH or from the console. The application on the ICC has its own local accounts; the system-level configuration that can be done there covers mail relay, DNS, NTP and syslog, while all other configuration relates to USB Protect and DataLock. System owners use the web interface to manage USB Protect and DataLock and to analyze the results from the nodes.

System drawing

The IMPEX solution is built to fit architectures based on IEC 62443 and similar zone-concept designs, as well as other network designs. Below are a few examples of how an IMPEX solution can fit in a network. The ICC and the Repo can run on the same machine and do not need to be separate servers. The solution supports proxies, but a proxy is not required.

Network with ICC and Repo installed on the same server in a basic network

                  +-------------------+   +--------------+
                  | updates.sysctl.se |   | Lets Encrypt |
                  +------^------------+   +-----^--------+
    Internet             |                      |
                         |     +----------------+
                         |     |
+------------------------------------------------------------+
                         |     |
    DMZ              +---+-----+---+
                     |  Firewall   <------+
                     +-------------+      |
                                          |
                                    +-----+----+
                      +------------->  Proxy   |
                      |             | if used  |
                      |             +----------+
                      |
                      |
                 +----+--------------------+
                 |                         |
                 |   ICC and optional Repo <------+
                 |                         |      |
                 +-------^-----------------+ +----^----+
                         |                   | Proxy   |
                         |                   | if used |
                         |                   +-+-------+
                         |                     |
+------------------------+---------------------+-------------+
                         |                     |
    Peripheral Network   |                     |
                         |                     |
                  +------+-------+     +-------+------+
                  | USB Protect  |     | USB Protect  |
                  +--------------+     +--------------+

Network with ICC and Repo installed on separate servers in a zone based network

                  +-------------------+   +--------------+
                  | updates.sysctl.se |   | Lets Encrypt |
                  +------^------------+   +-----^--------+
    Internet             |                      |
                         |     +----------------+
                         |     |
+------------------------------------------------------------+
                         |     |
    DMZ              +---+-----+---+
                     |  Firewall   <------+
                     +-------------+      |
                                          |
                                    +-----+----+
                 +------------------>  Proxy   |
                 |                  | if used  |
                 |                  +----------+
            +----+-------------+
            |                  |
            |  Repo, if used   |
            |                  |
            +----+-------------+
                 |
+------------------------------------------------------------+
                      |
    Internal network  |
                      |
                 +----+--------------------+
                 |                         |
                 |   ICC and optional Repo <------+
                 |                         |      |
                 +-------^-----------------+ +----^----+
                         |                   | Proxy   |
                         |                   | if used |
                         |                   +-+-------+
                         |                     |
+------------------------+---------------------+-------------+
                         |                     |
    Peripheral Network   |                     |
                         |                     |
                  +------+-------+     +-------+------+
                  | USB Protect  |     | USB Protect  |
                  +--------------+     +--------------+

Network for the DataLock

                  +-------------------+   +--------------+
                  | updates.sysctl.se |   | Lets Encrypt |
                  +------^------------+   +-----^--------+
    Internet             |                      |
                         |     +----------------+
                         |     |
+---------------------------------------------------------------------+
                         |     |
    DMZ              +---+-----+---+
                     |  Firewall   <------+
                     +-------------+      |
                                          |
                                    +-----+----+
                      +------------->  Proxy   |
                      |             | if used  |
                      |             +----------+
                      |
                      |
                 +----+--------------------+
                 |                         |
                 |   ICC and optional Repo <------+
                 |                         |      |
                 +-------^-----------------+ +----^----+
                         |                   | Proxy   |
                         |                   | if used |
                         |                   +-+-------+
                         |                     |
+------------------------+---------------------+-----------------------+
                         |                     |
    Office Network       |                     |
                         |                     |
                         |                     |
   +--------+       +----+-----+         +-----+----+      +--------+
   | Sender |-------> DataLock |         | DataLock <------| Sender |
   +--------+       +----------+         +----------+      +--------+
                         |                     |
                         |                     |
+------------------------+---------------------+------------------------+
                         |                     |
    Protected Network    |                     |
                   +-----v----+           +----v-----+
                   | Receiver |           | Receiver |
                   +----------+           +----------+

Interactions with other systems

The table explains the normal interactions used by the system, but it may differ depending on the actual installation if other integrations are used, like Active Directory.

Data     Delivers to        Receives from      Tool                Protocol/Port   Short description
Mail     smtp.tld           ICC                Mail relay          SMTP TCP/25     Information from ICC to end users
Time     ICC                ntp.tld            NTP                 NTP UDP/123     Time source for ICC
Time     Repo               ntp.tld            NTP                 NTP UDP/123     Time source for Repo
DNS      ICC                resolver.dns       DNS resolver        DNS UDP/53      DNS lookups for ICC
DNS      ICC                resolver.dns       DNS resolver        DNS TCP/53      DNS lookups for ICC
DNS      Repo               resolver.dns       DNS resolver        DNS UDP/53      DNS lookups for Repo
DNS      Repo               resolver.dns       DNS resolver        DNS TCP/53      DNS lookups for Repo
Logs     syslog.tld         ICC                Syslog              Syslog UDP/514  Sending syslog to log collector
Logs     syslog.tld         Repo               Syslog              Syslog UDP/514  Sending syslog to log collector
Updates  USB Protect        Repo               Patches/Signatures  HTTPS TCP/443   Gets updates from Repo
Updates  DataLock           Repo               Patches/Signatures  HTTPS TCP/443   Gets updates from Repo
Updates  ICC                Repo               Patches/Signatures  HTTPS TCP/443   Gets updates from Repo
Updates  Repo               updates.sysctl.se  Patches/Signatures  HTTPS TCP/443   Sync updates from Sysctl
Cert     ICC                letsencrypt.org    Certificate renew   ACME TCP/443    Get certificate from Let's Encrypt
Cert     letsencrypt.org    ICC                Certificate renew   ACME TCP/80     Get certificate challenge from ICC

Client software requirements

Software needed to manage the systems.

Using the ICC application

A current version of one of the following browsers.

Administrative tasks

SSH client software to access the ICC or Repo.

Operation description

Description of different tasks that may be needed for administrative changes.

USB Protect and DataLock

The systems are self-maintained and no operations are needed. They check for new updates daily and check for definition updates several times every day. The systems reboot every week.

Update interval of definition

USB Protect and DataLock will check for new definitions every hour with a random delay of maximum 30 minutes.

ICC and Repo servers

If the letsencrypt module is not installed and used, the certificate needs to be renewed on the servers before it expires. With an expired certificate, USB Protect and DataLock will not get new updates. No other tasks are needed for day-to-day work.

Update interval of definition

Sysctl fetches new definitions and publishes them every hour, with the exception of ClamAV and F-Secure, which are rate limited and whose definitions are fetched every third hour.

Repo will search for new definitions published at updates.sysctl.se every hour with a random delay of maximum 60 minutes.

Passwords in USB Protect and DataLock

The USB Protect and DataLock use a random root password generated during the installation.

The root password is rotated daily and is only accessible from the ICC.

Passwords in the ICC

The ICC server has two passwords configured after the installation: the operating system root password and the ICC application admin password.

Passwords in the Repo

The Repo server has one password, for the root user, configured manually during the installation.

Default password

The password for the root user must be set during installation. SYSCTL has no knowledge of the passwords.

The password for the admin user is created by the system as a random string and stored in /root/icc_admin. SYSCTL recommends that the password is changed during installation.

USB Protect and DataLock rotate their root passwords on a daily basis.

Reset ICC application password

SSH or console access is required to reset the application password. To reset a user's password, use the following commands.

sudo -i
cd /opt/sysctl/impex-server/django-app
sudo -u impex-server ./manage.sh changepassword <username>

Administrative login

Login to the system can be done on the server console or remotely using SSH.

By default no interactive user other than root exists on the system. If users are added, they can only use the sudo command with the root password; if the user's own password should be used for sudo instead, /etc/sudoers.d/users needs to be modified.

Service accounts

The servers have one root account with a password set during the initial installation. The password is created during the installation by the system owner and is not known by Sysctl. No accounts other than root can be used to log in to the system after installation. SSH login as root is not allowed; root login is only possible from the console. Personal accounts are recommended for remote login with SSH, and tasks can be performed from a user account with privilege escalation. Personal accounts can exist in an LDAP server such as Active Directory.

Use the following command to get root permissions from a personal account.

sudo -i

Termination procedures

Application shutdown

systemctl stop impex-server

Application start

systemctl start impex-server

System shutdown

systemctl poweroff

Server reboot

systemctl reboot

Service window

The servers will check for updates and update the system automatically every day at 01:00, with a random delay of 1 hour. The servers will reboot if needed.

Install and renewal of certificates

Certificates are only required for the ICC server and the Repo server (if a separate Repo server is used).

The installation and renewal of certificates depend on the customer’s PKI policies.

Using Let’s Encrypt

Certificate installation and renewal is automatic when the letsencrypt module is installed.

Proxy configuration of the Let’s Encrypt module can be done in /etc/sysconfig/impex-letsencrypt

Using an internal or external CA

When the ICC uses a certificate from an internal CA or from an external vendor, the certificate must be renewed manually.

If the certificate is created outside the ICC or Repo installation, it must be imported into the servers, including the full chain. The files must be stored correctly according to the Certificate path instructions.

If the certificate is created on the ICC or Repo server, some helper scripts can be used after the initial configuration has been completed.

Copy the certificate configuration file

Modify the configuration file and ensure that the section [ v3_req ] has the following content:

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = host1.domain.tld

Run the script bash /opt/sysctl/impex-server/tools/cert.sh and answer the certificate questions; the script requires that the server has a correct hostname. The script saves the private key (hostname.key) and the certificate request (hostname.csr) in the directory /root/pki/timestamp_in_epoch/

cert.sh also includes helper commands for converting a signed certificate from DER or PKCS#7 format.

To renew a certificate request, the following command can be used: openssl req -new -key "_path_to_private_key" -out "_path_to_new_csr" -config /root/openssl.conf

When a new certificate is signed by the CA, save the cert and chain in the correct directories according to Certificate paths

Certificate path

The paths used for certificates are defined in:

/opt/sysctl/impex-server/etc/apache/conf.d/cert.d/cert.conf

and has by default the following content

Other filenames can be used if configured in the cert.conf file, the FQDN is normally used for the file names.

The certificate chain file must include the root CA and all intermediate issuing certificates, ordered from the root CA down to the certificate that issued the server certificate. After placing the files, confirm that the certificate validates against the chain (for example with openssl verify -CAfile against the chain file, or with openssl s_client -connect icc.domain.tld:443 -servername icc.domain.tld from a client) before relying on it, since stations stop receiving updates when validation fails.
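The script below is an added example for the manual CA procedure described in the two sections above; it is not the IMPEX cert.sh and is not part of the product. It writes a non-interactive openssl.conf whose [ v3_req ] and [alt_names] sections carry the content required above, generates the key and CSR, confirms the CSR really carries the SAN, then signs it with a throw-away test CA (standing in for the customer's internal CA) and runs the two checks an operator wants before and after renewal: "does the certificate still have N days left" and "does it validate against the chain file". Host names, directories and the 30-day threshold are illustrative assumptions; only the openssl binary is required.

```shell
#!/bin/sh
# Added example, not the IMPEX cert.sh: request, sign and check a server
# certificate with the [ v3_req ] content the guide requires. Host names,
# directories and the expiry threshold are illustrative assumptions.
set -u

# Write a non-interactive openssl request config for HOST ($1) into $2.
# [ v3_ca ] is only used by the throw-away test CA below.
write_req_conf() {
    cat > "$2" <<EOF
[ req ]
distinguished_name = req_dn
req_extensions     = v3_req
prompt             = no

[ req_dn ]
CN = $1

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = $1

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = keyCertSign, cRLSign
EOF
}

# Create DIR/HOST.key and DIR/HOST.csr (cert.sh puts them under
# /root/pki/<epoch>/; here the directory $2 is a parameter).
make_csr() {
    write_req_conf "$1" "$2/openssl.conf"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$2/$1.key" \
        -out "$2/$1.csr" -config "$2/openssl.conf" 2>/dev/null
}

# 0 if CSR ($1) lists HOST ($2) as a DNS SAN. Check this before sending
# the CSR to the CA: a certificate without the SAN fails name validation.
csr_has_san() {
    openssl req -in "$1" -noout -text | grep -q "DNS:$2"
}

# Throw-away CA (self-signed cert and key in DIR $1), a stand-in for the
# customer's internal CA so the flow can be exercised offline.
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Test CA" \
        -config "$1/openssl.conf" -extensions v3_ca \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Sign DIR/HOST.csr with the CA in DIR ($2) for $3 days, copying the
# v3_req extensions (SAN included) into the certificate.
sign_csr() {
    openssl x509 -req -in "$2/$1.csr" -CA "$2/ca.crt" -CAkey "$2/ca.key" \
        -CAcreateserial -days "$3" -out "$2/$1.crt" \
        -extfile "$2/openssl.conf" -extensions v3_req 2>/dev/null
}

# 0 if CERT ($1) stays valid for at least $2 more days (-checkend takes
# seconds). Run it from cron on ICC and Repo when Let's Encrypt is not
# used, so renewal is scheduled before the stations lose updates.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# 0 if CERT ($1) validates against CHAIN ($2, root plus intermediates);
# the same check to run after placing the files under cert.d.
cert_chain_ok() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Usage: sh cert-example.sh icc.domain.tld   (writes into a temp dir)
if [ -n "${1:-}" ]; then
    d=$(mktemp -d)
    make_csr "$1" "$d" && csr_has_san "$d/$1.csr" "$1" && echo "CSR with SAN: $d/$1.csr"
fi
```

In production only make_csr, csr_has_san, cert_valid_for_days and cert_chain_ok apply; the real CA signs the CSR and the signed cert plus chain go to the paths in cert.conf. A cron entry that calls cert_valid_for_days with a 30-day threshold and mails on failure gives the early warning the renewal procedure above depends on.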

Backup

Snapshots of the servers can be used to create backups. Every upgrade of the ICC software also creates a local backup (snapshot) of the database.

Repo

The repo server can always resync all the data from Sysctl. There is no need to backup any repository data or signature data.

ICC

The ICC stores all application data in a SQLite database.

/opt/sysctl/impex-server/django-app/db/db.sqlite3

To backup the database, the following command can be used.

sqlite3 /opt/sysctl/impex-server/django-app/db/db.sqlite3 .dump > new_backup_file

If YARA rules are used, you might want to back up any custom rules that have been uploaded. They are stored as plain files under

/opt/sysctl/impex-server/django-app/upload/yara/custom

Since these files were uploaded by an ICC admin, they may already be backed up at their source.
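The following script is an added example for the ICC backup described above; it is not part of the IMPEX distribution. Instead of piping .dump to a file it uses the SQLite online backup command (.backup), which produces a consistent copy while impex-server is running, archives the custom YARA directory, and refuses to report success unless the copy passes PRAGMA integrity_check. The database and YARA paths are the guide's defaults; the destination directory, file naming and the assumption that a restore runs while impex-server is stopped are illustrative.

```shell
#!/bin/sh
# Added example, not part of IMPEX: consistent ICC backup with a
# verification step. Paths DB and YARA are the guide's defaults; the
# destination directory and file names are assumptions.
set -u

DB=/opt/sysctl/impex-server/django-app/db/db.sqlite3
YARA=/opt/sysctl/impex-server/django-app/upload/yara/custom

# Copy SRC ($1) to DEST ($2) with SQLite's online backup API. Unlike a
# plain cp of a live db.sqlite3 this yields a consistent snapshot even
# while the application is writing. DEST must not contain spaces.
backup_db() {
    sqlite3 "$1" ".backup $2"
}

# Archive custom YARA rules from DIR ($1) into TARBALL ($2); a missing
# directory (no custom rules uploaded) is not an error.
backup_yara() {
    [ -d "$1" ] || return 0
    tar -C "$1" -czf "$2" .
}

# Print the integrity_check result for FILE ($1): "ok" when sound.
db_integrity() {
    sqlite3 "$1" "PRAGMA integrity_check;"
}

# Print the row count of TABLE ($2) in FILE ($1), to compare source
# and copy (or source and a restored database).
db_rowcount() {
    sqlite3 "$1" "SELECT count(*) FROM $2;"
}

# Back up both artefacts into DESTDIR ($1) with a timestamp, verify the
# database copy, compress it and print the path of the compressed copy.
run_backup() {
    stamp=$(date +%Y%m%dT%H%M%S)
    mkdir -p "$1"
    backup_db "$DB" "$1/db-$stamp.sqlite3" || return 1
    backup_yara "$YARA" "$1/yara-$stamp.tar.gz" || return 1
    [ "$(db_integrity "$1/db-$stamp.sqlite3")" = "ok" ] || return 1
    gzip -f "$1/db-$stamp.sqlite3"
    echo "$1/db-$stamp.sqlite3.gz"
}

# Usage: sh icc-backup.sh /var/backups/icc
if [ -n "${1:-}" ]; then
    run_backup "$1"
fi
```

To restore, stop the application first (systemctl stop impex-server), gunzip the copy over db.sqlite3, give the file back to the account the application runs as (impex-server, as used by the password reset procedure above; the exact mode is an assumption) and start impex-server again. Running db_integrity and db_rowcount on the restored file before starting catches a truncated or corrupted backup before the application touches it.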

Monitoring

The ICC can enable online monitoring of USB Protect and DataLock and send an email if any of them is offline.

The following should be monitored by an external system on the ICC and Repo.

Syslog

The ICC generates a syslog message when USB Protect or DataLock uploads a scan report that contains malware. The message has the following format (wrapped here with a backslash; it is emitted as a single line):

Dec 24 15:00:00 icc journal: ICC WARNING [ICC:14] \
Station detected malware (https://icc.domain.tld/v/operations?byId=2)

The message includes a link to the actual scan report on the ICC. It will not include any sensitive information about the data.
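As an added example of consuming that message (not part of IMPEX), the script below turns the ICC malware warning into one pipe-separated record per detection (timestamp, ICC host, report id, report URL) that a log collector or SIEM can key on, and ignores everything else in the syslog stream. The sample lines are constructed from the format documented above and from generic CentOS log lines, not captured from a real ICC; the INFO message text is invented for the sake of having a non-matching ICC line.

```shell
#!/bin/sh
# Added example, not part of IMPEX: turn the ICC malware syslog message
# into SIEM-friendly records. The log lines below are constructed from
# the message format documented above, not captured from a real system.
set -u

# Read syslog lines on stdin; for every ICC malware warning print
# "timestamp|icc_host|report_id|report_url". Lines in any other format
# (INFO messages, sshd, etc.) produce no output.
malware_events() {
    sed -n 's/^\([A-Z][a-z][a-z] [ 0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9]\) \([^ ]*\) journal: ICC WARNING \[ICC:[0-9]*\] Station detected malware (\(https:[^)]*byId=\([0-9]*\)[^)]*\)).*/\1|\2|\4|\3/p'
}

# Number of malware detections in FILE ($1).
count_malware() {
    malware_events < "$1" | wc -l | tr -d ' '
}

# Report ids only, one per line, e.g. to look up the full scan report
# through the ICC REST API.
malware_report_ids() {
    malware_events | cut -d'|' -f3
}

# Constructed sample: two detections interleaved with unrelated lines.
SAMPLE_LOG='Dec 24 15:00:00 icc journal: ICC WARNING [ICC:14] Station detected malware (https://icc.domain.tld/v/operations?byId=2)
Dec 24 15:00:05 icc journal: ICC INFO [ICC:3] Station usbp-01 uploaded scan report
Dec 24 15:02:10 icc journal: ICC WARNING [ICC:14] Station detected malware (https://icc.domain.tld/v/operations?byId=5)
Dec 24 15:03:00 icc sshd[1234]: Accepted publickey for ops from 10.0.0.5 port 50022 ssh2'

# Usage: sh icc-malware-events.sh [logfile]   (no argument: run on the sample)
if [ -n "${1:-}" ]; then
    malware_events < "$1"
else
    printf '%s\n' "$SAMPLE_LOG" | malware_events
fi
```

The match is anchored on the fixed text "ICC WARNING [ICC:<n>] Station detected malware (" rather than on the URL alone, so a report URL mentioned in some other message does not raise a false alert; if the ICC message id ever differs from the 14 shown above, the pattern still matches because the number is not fixed.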

Configure remote syslog

ICC application has support for configuring remote syslog and is documented in the ICC manual.

Remote syslog configuration on the Repo server needs to be done from the console.

Create the file /etc/rsyslog.d/remote.conf and add the below configuration example to send syslog to a remote server.

local6.* action(type="omfwd"
      queue.type="linkedlist"
      queue.filename="icc_remote_queue"
      action.resumeRetryCount="-1"
      queue.saveOnShutdown="on"
      target="IP_ADDRESS_OR_FQDN" port="514" protocol="tcp"
     )

The value for target must be changed to a real address or name, and the value for protocol can be either tcp or udp. The interactions table above lists syslog as UDP/514; if tcp is chosen here, the firewall rules must allow TCP/514 instead.

Before changing any other values please consult with sysctl support.

Check the configuration for syntax errors before restarting, then restart rsyslog:

rsyslogd -N1
systemctl restart rsyslog