Table of Contents

Preface

1. Summary of contents

2. Target audience and prerequisites

3. Products covered in this guide

4. Typographical conventions

5. Contact and support information

5.1. Sales contact

5.2. Support contact

5.3. Training

6. About this document

6.1. Version information

6.2. Feedback

1. Introduction

1.1. What SCB is

1.2. What SCB is not

1.3. Why is SCB needed?

1.4. Who uses SCB?

1.5. Public references for BalaBit Shell Control Box

2. The concepts of SCB

2.1. The philosophy of SCB

2.2. Supported protocols and client applications

2.3. Modes of operation

2.3.1. SCB in Bridge mode

2.3.2. SCB in Router mode

2.3.3. SCB in Bastion mode

2.3.4. SCB in Nontransparent mode

2.4. Connecting to a server through SCB

2.5. SSH hostkeys

2.6. Authenticating clients using public-key authentication in SSH

2.7. Gateway authentication

2.8. 4-eyes authorization

2.9. Network interfaces

2.10. High Availability support in SCB

2.11. Firmware in SCB

2.11.1. Firmwares and high availability

2.12. Accessing and configuring SCB

2.13. Licenses

3. The Welcome Wizard and the first login

3.1. The initial connection to SCB

3.2. The Welcome Wizard

3.3. Logging in to SCB and configuring the first connection

4. Configuring and managing SCB

4.1. Supported web browsers

4.2. The structure of the web interface

4.2.1. Elements of the main workspace

4.2.2. Multiple web users and locking

4.3. Basic settings

4.3.1. Network settings

4.3.2. Date and time configuration

4.3.3. System logging, SNMP and e-mail alerts

4.3.4. Configuring system monitoring on SCB

4.3.5. Data and configuration archiving and backups

4.4. User management and access control

4.4.1. Managing SCB users locally

4.4.2. Managing SCB users from an LDAP database

4.4.3. Authenticating users to a RADIUS server

4.4.4. Managing user rights and usergroups

4.4.5. Listing and searching configuration changes

4.5. Managing SCB

4.5.1. Controlling SCB — restart, shutdown

4.5.2. Upgrading SCB

4.5.3. Troubleshooting SCB

4.5.4. Accessing the SCB console

4.5.5. Sealed mode

4.5.6. Changing the certificates used on SCB

5. Configuring connections

5.1. General connection settings

5.1.1. Modifying the destination address

5.1.2. Modifying the source address

5.1.3. Channel Policies

5.1.4. Time Policies

5.1.5. User lists

5.1.6. Authenticating users to an LDAP server

5.1.7. Audit policies

5.1.8. Verifying certificates with Certificate Authorities

5.1.9. Signing certificates on-the-fly

5.1.10. Forwarding traffic to an IDS or DLP system

5.2. SSH-specific settings

5.2.1. Setting the SSH host keys and certificates of the connection

5.2.2. Supported SSH channel types

5.2.3. Authentication Policies

5.2.4. Server host keys and certificates

5.2.5. Protocol-level SSH settings

5.3. RDP-specific settings

5.3.1. Supported RDP channel types

5.3.2. Protocol-level RDP settings

5.3.3. Joining SCB into a domain

5.3.4. Using SSL-encrypted RDP connections

5.3.5. Verifying the certificate of the RDP server in encrypted connections

5.4. Telnet-specific settings

5.4.1. Protocol-level Telnet settings

5.5. VNC-specific settings

5.5.1. Protocol-level VNC settings

6. Browsing log messages and SCB reports

6.1. Using the search interface

6.2. Changelogs of SCB

6.3. SCB reports

6.4. The SCB connection database

6.4.1. Connection metadata

6.4.2. Creating predefined filters

6.5. Configuring custom reports

6.6. Monitoring the status of AP indexing services

6.7. Full-text indexing of audit trails

7. Viewing session information and replaying audit trails

7.1. Installing the Audit Player application

7.2. Replaying audit trails

7.3. Using AP

7.3.1. Finding specific audit trails

7.3.2. Using projects

7.3.3. Replaying and processing encrypted audit trails

7.3.4. Searching in graphical streams

7.4. Troubleshooting the Audit Player

7.4.1. Logging with the Audit Player

7.4.2. Keys and certificates

8. Advanced authentication and authorization techniques

8.1. Usermapping policies

8.2. Configuring gateway authentication

8.3. Configuring 4-eyes authorization

9. Best practices and configuration examples

9.1. Configuring public-key authentication on SCB

9.2. Bastion mode considerations

9.3. Organizing connections in Bastion mode

9.3.1. Accessing the SCB host in Bastion mode using SSH

9.4. Using nontransparent Bastion mode

9.5. RDP connections in Nontransparent mode

9.6. How to restore a backup

9.7. Solving the "double-assign" problem in RDP

9.7.1. Background

9.7.2. Solution

Appendix 1. About the Secure Shell protocol in a nutshell

1.1. The basic operation of SSH

1.2. Configuring encryption parameters

Appendix 2. Package contents inventory

Appendix 3. BalaBit Shell Control Box Hardware Installation Guide

3.1. Installing the SCB hardware

3.2. Installing two SCB units in HA mode

Appendix 4. BalaBit Shell Control Box Software Installation Guide

Appendix 5. BalaBit Shell Control Box End User License Agreement

5.1. 1. SUBJECT OF THE LICENSE CONTRACT

5.2. 2. DEFINITIONS

5.3. 3. LICENSE GRANTS AND RESTRICTIONS

5.4. 4. SUBSIDIARIES

5.5. 5. INTELLECTUAL PROPERTY RIGHTS

5.6. 6. TRADE MARKS

5.7. 7. NEGLIGENT INFRINGEMENT

5.8. 8. INTELLECTUAL PROPERTY INDEMNIFICATION

5.9. 9. LICENSE FEE

5.10. 10. WARRANTIES

5.11. 11. DISCLAIMER OF WARRANTIES

5.12. 12. LIMITATION OF LIABILITY

5.13. 13. DURATION AND TERMINATION

5.14. 14. AMENDMENTS

5.15. 15. WAIVER

5.16. 16. SEVERABILITY

5.17. 17. NOTICES

5.18. 18. MISCELLANEOUS

Appendix 6. Creative Commons Attribution Non-commercial No Derivatives (by-nc-nd) License

Glossary

Index