User manual LOGMEIN RESCUE ARCHITECTURE


[. . . ]

LogMeIn Rescue Architecture: An Overview

Table of Contents

Introduction
Data Confidentiality
Authentication
Key Agreement
Message Exchange
Authentication and Authorization
Auditing and Logging
Data Center Architecture
Conclusion
LogMeIn Rescue HIPAA Considerations
An overview of the LogMeIn Rescue Gateway Hand-off process

Author

Márton Anka, CTO of LogMeIn, Inc., is the primary author of this paper.

Abstract

This paper provides an overview of the architecture behind LogMeIn Rescue. Topics discussed include data confidentiality, authentication and authorization, auditing and logging, and hosting highlights.

Product Information: info@LogMeIn.com
Sales Inquiries: sales@LogMeIn.com (800) 993-1790
Press: press@LogMeIn.com
Address: 500 Unicorn Park Drive, Woburn, MA 01801
www.LogMeIn.com

©2009 LogMeIn Inc.

Introduction

Scalability, security, reliability and ease of use. These four characteristics, in no particular order, are what describe a great remote support solution. They, however, do not always go hand-in-hand. It's easy to find a remote support solution that provides two or maybe three of the above criteria, but a solution that delivers on all four fronts is rare. LogMeIn, Inc.

[. . . ]

Administrators can also specify to allow technicians to run an ActiveX applet. This is particularly beneficial in locked-down environments, where unapproved .exe files are not permitted to be run. It is up to the technician to determine who the user is, either via chat or a telephone conversation. The Rescue system does provide authentication-like mechanisms such as unique PIN codes, but these are used for routing the support session to the correct private or shared queue, and should not be construed as an authentication system.

Key Agreement

When a support session starts and a connection is established between the supported user and the technician, their computers must agree on an encryption algorithm and a corresponding key to be used for the duration of the session.
The importance of this step is often overlooked, and this is somewhat understandable: it seems like a mundane task that should be simple and straightforward. It is, however, anything but simple: to counter so-called man-in-the-middle attacks (where computer C would position itself between computer A and B and impersonate the other party to both A and B), certificates must again be employed. Since neither the technician nor the end user has server software and an SSL certificate installed on their computers, they both turn to one of the LogMeIn Rescue servers and perform the initial phase of the key agreement with this computer. Verification of the certificate by both the Technician Console and the end user applet ensures that only a Rescue server can mediate the process.

Message Exchange

SSL allows for a wide range of cipher suites to be used and the communicating parties can agree on an encryption scheme they both support. This has two primary purposes: first, the protocol can be extended with new cipher suites without breaking backwards compatibility, and second, newer implementations can drop support for suites that are known to contain cryptographic weaknesses.

Since all three components of the LogMeIn Rescue communications system are under LogMeIn's control, the cipher suite used by these components is always the same: AES256-SHA in cipher-block chaining mode with RSA key agreement. This means the following:

· The encryption keys are exchanged using RSA private/public key pairs, as described in the previous section
· AES, short for Advanced Encryption Standard, is used as the encryption/decryption algorithm
· The encryption key is 256 bits long
· SHA-1 is used as the basis of message authentication codes (MACs). A MAC is a short piece of information used to authenticate a message. The MAC value protects both a message's integrity as well as its authenticity, by allowing the communicating parties to detect any changes to the message.
· Cipher-block chaining (CBC) mode ensures that each ciphertext block is dependent on the plaintext blocks up to that point.
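The SHA-1 MAC item in the list above, as an added example that is not part of the LogMeIn paper or LogMeIn's code: Python showing how a TLS CBC cipher suite such as AES256-SHA computes its record MAC (HMAC-SHA1 over an implicit sequence number, the record header and the data, as specified in RFC 5246 section 6.2.3.1) and how the receiver uses it to reject modified, reordered and replayed records. The MAC key, messages and TLS version bytes are constructed for the example, and the AES-CBC encryption layer is left out.

```python
import hashlib
import hmac
import struct

TLS_APPLICATION_DATA = 23   # TLS record content type for application data
TLS_VERSION = (3, 1)        # version bytes; assumed here, the paper names no version

def record_mac(mac_key, seq_num, content_type, version, fragment):
    """HMAC-SHA1 over seq_num || type || version || length || fragment."""
    header = struct.pack("!QBBBH", seq_num, content_type,
                         version[0], version[1], len(fragment))
    return hmac.new(mac_key, header + fragment, hashlib.sha1).digest()

class RecordVerifier:
    """Receiver side: keeps the implicit sequence number and checks each MAC."""
    def __init__(self, mac_key):
        self.mac_key = mac_key
        self.seq_num = 0

    def accept(self, fragment, mac):
        expected = record_mac(self.mac_key, self.seq_num,
                              TLS_APPLICATION_DATA, TLS_VERSION, fragment)
        if not hmac.compare_digest(expected, mac):   # constant-time comparison
            return False   # a real TLS stack sends bad_record_mac and closes
        self.seq_num += 1
        return True

def demo():
    key = bytes(range(20))   # constructed 20-byte HMAC-SHA1 key
    msgs = [b"chat: please approve remote view", b"file: report.txt"]
    sent = [(m, record_mac(key, i, TLS_APPLICATION_DATA, TLS_VERSION, m))
            for i, m in enumerate(msgs)]
    results = {}
    rx = RecordVerifier(key)
    results["in_order"] = [rx.accept(m, tag) for m, tag in sent]
    rx = RecordVerifier(key)
    tampered = sent[0][0].replace(b"view", b"ctrl")
    results["tampered"] = rx.accept(tampered, sent[0][1])
    results["reordered"] = rx.accept(*sent[1])   # record 1 arrives where 0 is expected
    first = rx.accept(*sent[0])                  # genuine record 0 is accepted
    results["replayed"] = first and not rx.accept(*sent[0])  # second copy is rejected
    return results

if __name__ == "__main__":
    print(demo())
```
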
The above ensures that data traveling between the supported end user and the technician are encrypted end-to-end, and only the respective parties have access to the information contained within the message stream.

Authentication and Authorization

Authentication and authorization in LogMeIn Rescue serve two distinct purposes. The first one, authentication, ensures that the technician or administrator logging into the Rescue system is in fact who he claims to be.

Authentication is handled in a very straightforward manner: technicians are assigned login IDs (usually matching their email addresses) and corresponding passwords by their administrators. These credentials are entered into the Login form on the LogMeIn Rescue website at the start of a technician workday.

LogMeIn Rescue also offers significant security benefits with Administrators having a number of options for password policy. These include:

· Requiring a minimum password strength to be implemented. A built-in meter shows Administrators and technicians the strength of the chosen password and helps them to choose a password of the required strength.
· Forcing technicians to change their Rescue password on the next occasion they log in.
· Specifying a maximum password age

LogMeIn Rescue also allows Administrators to implement a Single Sign-On (SSO) policy. The Security Assertion Markup Language (SAML) is employed and is an XML standard for exchanging authentication and authorization data between security domains, that is, between an identity provider and a service provider. Technicians then have access only to predefined applications and a single SSO ID to log in to those applications. At the flick of a switch, a technician's SSO ID can be disabled.

Authorization, on the other hand, happens very frequently, at least once during every remote support session. The supported end user, after downloading and running the support applet, will be contacted by a technician. The technician can chat with the end user via the applet, but any further action, such as sending a file or viewing the end user's desktop, requires express permission from the user.
Administrators can also impose IP address restrictions on their technicians. When selected, the IP addresses available can be restricted to a very narrow list. Technicians assigned to a particular task can then only access Rescue from pre-approved IP addresses for that task.

[. . . ]

The recordings are stored direct to AVI or in an intermediate LogMeIn proprietary format that can be converted to standard AVI files by the "Rescue AVI Converter" application downloadable from the Support section of the LogMeIn Rescue website. The LogMeIn proprietary format, called RCREC, can cut recording size by about 10%.

Data Center Architecture

LogMeIn Rescue is hosted in state-of-the-art, secure data centers that feature:

· Multi-layer security control procedures, biometric entry systems, and 24/7 closed-circuit video and alarm monitoring
· Uninterruptible redundant AC and DC power, onsite backup power generators
· HVAC redundant design with air distribution under raised flooring for maximum temperature control
· Smoke detection system above and below raised floor; double-interlock, pre-action, dry-pipe fire suppression

The LogMeIn Rescue infrastructure itself is highly secure and reliable:

· Redundancy on the server component level: redundant power supplies and fans, RAID-1 mirrored hard disks
· Redundancy on the server level: depending on role, active/passive or active/active clusters
· Redundancy on the data center level: three data centers (US West Coast, US East Coast and London, UK) with near-instant failover capabilities
· Dual redundant firewalls with only ports 80 and 443 open
· Active/passive database clusters
· Redundant load balancers including SSL
· Load-balanced and redundant web and application server clusters
· Load-balanced and redundant gateway server clusters

Conclusion

Choosing a remote support solution is often a decision based on features and pricing. If you are reading this document, then it is likely that LogMeIn Rescue has met your needs in these categories.

The Session Authentication GUID is a 128-bit, cryptographically-random integer value.

[. . . ]
