Administrator accounts

Using accounts assigned to users by name

Being able to trace all operations performed on the SNS firewall and SMC server is particularly important (see the chapter Logging for recommendations on logging) to guarantee that they were performed by a legitimate and authorized administrator.

R1 | SNS-SMC | Use accounts assigned to users by name
Regardless of their privileges, administrators are advised to use their personalized accounts when they connect to the web interface, the NSRPC server or via SSH.

Some exceptional operations can be performed with a personalized account from the web interface, local console or via SSH, such as the manual modification of configuration files.

The SNS firewall includes a non-nominative local administrator account (admin), which can also perform these actions. However, only this account can modify the privileges granted to administrators.

Some advanced or maintenance operations on the SMC server can only be performed in command line (via SSH or in console mode).

R2 | SNS-SMC | Protect the local administrator account
The administrator account found on the SNS firewall must be protected by a strong password (refer to the guide Recommendations relating to multifactor authentication and passwords (in French)) and must only be used to access personalized accounts. Its password must be kept in a vault, and its use must be monitored and restricted to a set group of persons.

R3 | SNS | Restrict administration via SSH
The SSH service must be restricted to only administrator accounts and must only be enabled for exceptional reasons from Configuration > System > Configuration > Firewall administration.

R4 | SNS | Use SSH key-based authentication
When SSH access is enabled for exceptional reasons, users are advised to authenticate with an SSH key, in line with Recommendations on the secure use of (Open)SSH.
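
R2 requires any use of the local admin account to be monitored, and R3 treats SSH as exceptional. The following added example (not Stormshield code) reviews an exported administration log for both. The key=value layout, the field names (`user`, `src`, `service`), the approved-source set used as a stand-in for the authorized group of persons, and the sample lines are all constructed assumptions to adapt to the real log export.

```python
import shlex

SHARED_ACCOUNT = "admin"  # non-nominative local administrator named on this page
# Constructed sample lines; the layout and field names are assumptions.
SAMPLE_LOG = '''\
time="2024-03-04 09:12:01" user="jdupont" src=10.0.0.21 service=webadmin msg="login success"
time="2024-03-04 09:40:17" user="admin" src=10.0.0.21 service=webadmin msg="login success"
time="2024-03-04 10:02:44" user="mleroy" src=10.0.0.35 service=ssh msg="login success"
time="2024-03-04 10:05:10" user="admin" src=192.0.2.77 service=ssh msg="login success"
time="2024-03-04 10:06:00" user="" src=192.0.2.77 service=nsrpc msg="login failed"
'''

def parse_line(line):
    """Split a key=value line into a dict; quoted values may contain spaces."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields

def review(log_text, approved_sources=frozenset()):
    """Return (time, user, reasons) tuples for events that need a human look."""
    findings = []
    for line in log_text.splitlines():
        try:
            ev = parse_line(line)
        except ValueError:  # unbalanced quotes: report instead of dropping silently
            findings.append((None, None, ["unparsable line"]))
            continue
        if not ev:
            continue
        reasons = []
        user = ev.get("user", "")
        if user == SHARED_ACCOUNT:
            reasons.append("R2: non-nominative account used")
            if ev.get("src") not in approved_sources:
                reasons.append("R2: source outside the approved set")
        elif not user:
            reasons.append("R1: event not tied to a named account")
        if ev.get("service") == "ssh":
            reasons.append("R3: SSH session, confirm it was exceptional")
        if reasons:
            findings.append((ev.get("time"), user, reasons))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG, approved_sources={"10.0.0.21"}):
        print(finding)
```
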

Local authentication

SNS firewalls make it possible to create an internal directory (Configuration > Users > Directory configuration) to allow local authentication. Once authenticated, users can then connect to the web, NSRPC and SSH servers. In this case, SNS firewalls will store passwords or their derivatives, if any. If an SNS firewall is compromised, these secrets will also be compromised. Users can also authenticate with certificates on the web administration interface. When certificates are used, only public data will be stored on the SNS firewall. The recommendations regarding the use of certificates on SNS firewalls can be found in the chapter Certificates and PKI. However, access to the NSRPC server only allows password authentication.

R5 | SNS | Authenticate locally using certificates
In local authentication, users are advised to use their personalized certificates to authenticate on the web interface of an SNS firewall.

Certification authorities must have been added in advance in Configuration > Objects > Certificates and PKI. The SSL certificate method must have been configured as the authentication method in Configuration > Users > Authentication > Available methods with the desired authorities.

R6 | SNS | Define an appropriate password policy
If an administrator requires access to the NSRPC server, their password must comply with a policy that meets the criteria in the guide Recommendations relating to multifactor authentication and passwords (in French) and has to be configured in Configuration > System > Configuration > General configuration.

Centralized authentication

This feature was not part of the security target.

SNS and SMC support the use of a centralized authentication solution with which users can be managed on a remote SNS firewall. Using such a solution aims to restrict the amount of sensitive data stored locally and simplify administration processes. For external directories, the SNS firewall configuration is described in the chapter Using an external directory.

R7 | SNS | Dedicate an external directory to administrators
In line with the Recommendations on the secure administration of information systems (in French), an external directory dedicated to administration is recommended for the authentication of administrators.

R8 | SNS | Use a restricted-access and secure account
The account that the SNS firewall uses to access the centralized authentication solution must be restricted to this function, dedicated to the SNS firewall and very carefully configured. The account in particular must have only read privileges to prevent any changes to the directory’s data from the SNS firewall.

Access privileges

An SNS firewall provides many features – filtering, tunnels, VPN, etc. An administrator dedicated to a specific task must have only one restricted area of responsibility, so that risks can be contained if the account is compromised, and accidental changes to the configuration can be prevented. Ideally, to lower the risk of compromising an administration account or an SNS appliance, each function should be managed by a dedicated SNS appliance and its associated administration account.

If an SNS appliance must be shared, administration accounts must then be created for each feature in line with the Recommendations on the secure administration of information systems (in French).

R9 | SNS | Adjust administration privileges to strictly what is required
Only the privileges that the various administrators strictly require for their tasks should be granted in Configuration > System > Administrators > Administrators.

Values of directory attributes cannot be used to distinguish different privilege profiles (full administrators, administrators dedicated to a function, supervisors, etc.). However, user groups can be declared in the directory and a set of privileges on the SNS firewall can be assigned to them. Each group must correspond to a functional requirement and hold the appropriate privileges on the SNS firewall. The privileges assigned to administrators therefore depend on the groups to which they belong. Administrators’ groups can be defined centrally in the directory.

R10 | SNS-SMC | Use groups to manage privileges
To manage privileges for access to SNS firewalls, the use of groups is recommended.

WARNING
Only the non-nominative administrator account can modify the privileges granted to users and user groups. This must remain an exceptional operation in line with the chapter Using accounts assigned to users by name.
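
R9 and R10 can be checked together: because an administrator's privileges are the union of the privileges of every group they belong to, membership in a second group quietly widens their scope. The following added example (not part of the original guide) audits a constructed export of administrators. The group names, privilege labels and record layout are hypothetical and do not reproduce the SNS firewall's own privilege names.

```python
# Hypothetical group names and privilege labels (not the SNS firewall's own).
GROUP_PRIVILEGES = {
    "fw-filtering": {"filter:read", "filter:write"},
    "fw-vpn": {"vpn:read", "vpn:write"},
    "fw-supervision": {"filter:read", "vpn:read", "logs:read"},
}
# Privileges each functional requirement strictly needs (R9); constructed.
FUNCTION_NEEDS = {
    "filtering": {"filter:read", "filter:write"},
    "vpn": {"vpn:read", "vpn:write"},
    "supervision": {"filter:read", "vpn:read", "logs:read"},
}
# Constructed export of administrator entries.
ADMINS = [
    {"login": "jdupont", "function": "filtering", "groups": ["fw-filtering"], "direct": []},
    {"login": "mleroy", "function": "vpn", "groups": ["fw-vpn", "fw-filtering"], "direct": []},
    {"login": "abernard", "function": "supervision", "groups": ["fw-supervision"],
     "direct": ["vpn:write"]},
    {"login": "cpetit", "function": "vpn", "groups": ["fw-vpn-old"], "direct": []},
]

def effective_privileges(admin):
    """Union of the privileges of every known group plus any direct grants."""
    privs = set(admin["direct"])
    for group in admin["groups"]:
        privs |= GROUP_PRIVILEGES.get(group, set())
    return privs

def audit(admins):
    """Map each login to its list of findings; an empty list means compliant."""
    report = {}
    for admin in admins:
        findings = []
        needed = FUNCTION_NEEDS[admin["function"]]
        effective = effective_privileges(admin)
        unknown = [g for g in admin["groups"] if g not in GROUP_PRIVILEGES]
        if unknown:
            findings.append(f"unknown group(s): {sorted(unknown)}")
        if admin["direct"]:
            findings.append(f"R10: granted outside a group: {sorted(admin['direct'])}")
        if effective - needed:
            findings.append(f"R9: excess privileges: {sorted(effective - needed)}")
        if needed - effective:
            findings.append(f"missing for function: {sorted(needed - effective)}")
        report[admin["login"]] = findings
    return report

if __name__ == "__main__":
    for login, findings in audit(ADMINS).items():
        print(login, findings or "ok")
```
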