2.1. The philosophy of PSM

PSM is a device that examines network traffic at the application level, that is, Layer 7 or the application layer of the OSI model. All communication must conform to the standards of the respective protocol. PSM examines Secure Shell (SSH, including forwarded X11 traffic), Secure Copy (SCP), SSH File Transfer Protocol (SFTP), Remote Desktop (RDP), HTTP, Independent Computing Architecture (Citrix ICA), Telnet, VMware Horizon View, and VNC connections, ignoring and simply forwarding all other types of traffic. PSM uses man-in-the-middle techniques to decrypt and terminate (when necessary) the inspected connections. It separates the connections into two parts (client — PSM, PSM — server) and inspects all traffic, so that no data can be directly transferred between the server and the client.

Figure 2.1. Inspecting SSH traffic with PSM


PSM has full control over the initial negotiation phase of the connection, when the client and the server decide the parameters of the encryption to be used in the communication. PSM can restrict the use of the various algorithms, forbidding the use of weak ones — an effective shield against downgrade attacks.

Since PSM isolates the client-server connection into two separate connections, the permitted algorithms can be different on the client and the server side.
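To make the two-leg negotiation concrete, the following is an added Python model (not PSM's own code) of how a terminating proxy with separate client-side and server-side allowlists settles the key-exchange algorithm on each leg; the allowlists, function names and offered algorithm lists are constructed for illustration.

```python
"""Model of a terminating proxy negotiating SSH algorithms separately on
its client leg and its server leg. Constructed example, not PSM code."""
from dataclasses import dataclass

# Constructed allowlists; a real deployment sets these per policy.
CLIENT_SIDE_ALLOWED = ["curve25519-sha256", "diffie-hellman-group14-sha256"]
SERVER_SIDE_ALLOWED = ["curve25519-sha256", "diffie-hellman-group16-sha512"]


def negotiate(client_list, server_list):
    """RFC 4253 section 7.1 rule: the first algorithm in the client's
    preference order that the server also supports; None if none match."""
    for alg in client_list:
        if alg in server_list:
            return alg
    return None


@dataclass
class LegResult:
    client_leg: str  # algorithm agreed between the real client and the proxy
    server_leg: str  # algorithm agreed between the proxy and the real server


def proxy_negotiate(client_offer, server_offer,
                    client_side_allowed=CLIENT_SIDE_ALLOWED,
                    server_side_allowed=SERVER_SIDE_ALLOWED):
    """Negotiate both legs independently.

    On the client leg the proxy acts as the server, so it accepts only
    algorithms from its client-side allowlist.  On the server leg the proxy
    acts as the client and offers only its server-side allowlist, so the
    real server is never steered towards an algorithm the proxy forbids.
    Raises ValueError when a leg has no permitted algorithm, e.g. a client
    that offers only a legacy method instead of being negotiated down."""
    client_leg = negotiate(client_offer, client_side_allowed)
    if client_leg is None:
        raise ValueError("client offers no permitted algorithm")
    server_leg = negotiate(server_side_allowed, server_offer)
    if server_leg is None:
        raise ValueError("server supports no permitted algorithm")
    return LegResult(client_leg, server_leg)
```

Because each leg is negotiated on its own, the two legs may legitimately end up with different algorithms, as the allowlists above show.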

PSM controls the connections right from the beginning — including user authentication. That way it is easy to mandate strong authentication for protocols where user information is available (for example, SSH), because PSM can limit the allowed authentication methods and also the users permitted to access the servers.

PSM uses various policies to restrict who can access a connection or a specific channel of the protocol, when, and how. These policies (based on username, authentication method used, and so on) can be applied to connections between particular clients and servers, or to specific channels of a connection (for example, only to terminal sessions in SSH, or to desktop sharing in RDP).

Figure 2.2. Controlling protocol channels


PSM is configured by an administrator or auditor using a web browser.