Shell Control Box 2.0 Roadmap

This roadmap summarizes the features of the next major version of the BalaBit Shell Control Box (SCB) and the BalaBit Audit Player. SCB 2.0 is scheduled for release in the last quarter of 2008 (2008Q4), and will have the following new features:

Improved 4-eyes authorization with real-time monitoring

An enhanced authorized-authorizer model with fine-grained, group-based control will allow authorizer users to accept or deny connections on the web interface. Authorized connections will be streamed and can be monitored in real time using BAP.

Fine-grained data access control

User rights and permissions will be much more detailed in SCB 2.0. For example, access to audit trails can be granted individually for every connection. The SCB web interface will also support authenticating its users against an external LDAP database.

Digitally signed audit trails

SCB 2.0 will be able to digitally sign the audit trails and to apply trusted timestamps (from an external or internal source) to the audit trail files. Optionally, SCB will store the keys used for the digital signature on a hardware security module (HSM).

Encrypting audit trails with multiple keys

SCB 2.0 will be able to use different keys to encrypt different connections, and also to encrypt the upstream and downstream traffic of a single connection with different keys. SCB 2.0 will also support encrypting an audit trail with multiple keys, so that the audit trail can be replayed only when all of those keys are available, enforcing the 4-eyes principle for accessing the audit trails as well.

X.509 certificate-based authentication in SSH

It will be possible to authenticate users and servers with X.509 certificates in the SSH protocol. This authentication will work in concert with the solutions of SSH Tectia and the pending SSH X.509 standards.

Improved transparency via SSH agent-forwarding

Agent forwarding simplifies public-key authentication of users: users will be able to use their own keys to access the servers without having to configure keys on SCB or in external databases.

Extract additional metadata from the username

SCB can already extract information such as the address of the remote server from the username; this behavior will be extended in SCB 2.0. It will be possible to pass information such as the fingerprint of the remote server, the username to be used on the server side, or the ID of a support request ticket.

Virtual Network Computing (VNC) support

SCB 2.0 will be able to control and audit the Virtual Network Computing (VNC) graphical desktop sharing protocol (versions 3.3-3.8).

Remote Desktop Protocol (RDP) v6 support

SCB 2.0 will be able to control and audit the RDP6 protocol used to access Windows Server 2008 and Windows Vista hosts.
Balabit Audit Player

The next main version of BAP will be released together with SCB 2.0, and will have the following new features:

TN3270 support

BAP will be able to replay TN3270 (Telnet 3270) traffic.

X11 support

BAP will be able to replay graphical X11 sessions from audited SSH sessions that used X11 forwarding.

Virtual Network Computing (VNC) support

BAP will be able to replay and search the audited Virtual Network Computing (VNC) traffic.

Save screenshots and movie files

BAP will support exporting screenshots and entire audit trails into PNG and AVI files, respectively.

Automated searches

BAP will be able to automatically download the current audit trail files from SCB and execute predefined searches. It will also automatically generate reports from the search results.
After SCB 2.0

Later versions of SCB (scheduled for 2009) will be able to control and audit the Citrix Independent Computing Architecture (ICA) protocol.