Privileged Access Management system
Secret Manager - a tool to manage the passwords of privileged accounts.
Privileged Session Monitoring - privileged session management and monitoring.
Efficiency Analyzer - a comprehensive productivity analysis tool.
Application to Application Password Manager - works with Secret Manager to serve passwords to applications.
Main Wheel Fudo PAM (Privileged Access Management system) features:
- Managing privileged accounts' password policies. Secret Manager is a complete solution for managing passwords, which are stored securely and not disclosed to users. Its advantage is the ability to define a password's validity and complexity. Secret Manager stores a password's history to regain access to managed accounts in emergency situations. The security of stored passwords is ensured by the password verification mechanism, which checks whether or not the password has been changed in an unauthorized way.
- User portal ensures intuitive access to target hosts through a centralized list of accessible resources. Thanks to this, users no longer have to memorize numerous hostnames, logins and passwords.
- Detailed recording and analysis make Wheel Fudo PAM a perfect tool for quick forensic analysis.
- Live session streaming. Live sessions can be streamed seamlessly, without any delays or loss in quality.
- Session joining – the ability for the super administrator to work with the remote user in the same session.
- Quick session sharing allows for sharing recorded session material and live session stream with third parties.
- Proactive monitoring and session termination. Enables a security policy which automatically terminates suspicious connections.
- Managing and transferring passwords to applications without human interaction using the AAPM module. A password which is stored inside an application and used for authentication purposes can facilitate an attack on the system that the application connects to. The AAPM module greatly increases the level of security.
- Business intelligence tools (Efficiency Analyzer module) measure users' and organizations' productivity, providing detailed information on their activity and idle times.
- Modern and intuitive administration interface greatly reduces initial system configuration and daily maintenance efforts.
Secret Manager – password management
- active management of privileged account passwords
- password changers for MS Windows and Unix systems; MySQL databases and Cisco devices
- custom password changers support
- customizable password complexity
- command line protocols: SSH, Telnet, Telnet 3270
- graphic protocols: RDP, VNC, X11
- database protocols: Oracle, MySQL, TDS implementation for MS SQL
- web protocols: HTTP, HTTPS
- production infrastructure protocols: Modbus
- ongoing sessions supervision in a web browser
- one click launches an internal player without the need to install additional software
- command line session material is fully interactive which enables copying content to the clipboard
Quick session blocking
- in case of any unauthorized activities, Wheel Fudo PAM enables pausing or the termination of a session along with revoking access rights
- session co-sharing enables the system administrator to join a given connection and work alongside the remote user
Uniform and independent environment
- Wheel Fudo PAM does not require the installation of additional software or agents, which enables rapid deployment and integration with existing IT infrastructures
- recorded material is encrypted and can also be timestamped
Easy to use administration interface
- an intuitive and ergonomic administration panel ensures convenient and effective management
- Wheel Fudo PAM enables sharing a session with third parties in the form of a URL link
Detailed session information
- Wheel Fudo PAM stores all of a session's data and metadata, which includes transferred files, keystrokes and cursor movement. The session player allows for skipping inactivity intervals, fast-forwarding as well as seeking to a specific time within the recorded content. Additionally, RDP and VNC sessions can be OCR processed. Recorded sessions can be exported to video format. Sessions can be commented and tagged while full-text search and advanced filtering options enable finding desired content quickly
Live session supervision and proactive monitoring
- Wheel Fudo PAM enables live session supervision by designated personnel as well as automated actions upon detecting unauthorized user actions specified as patterns
Directory services support
- Wheel Fudo PAM supports LDAP and Active Directory services, which allows user definitions to be imported and users' login credentials to be verified
- Wheel Fudo PAM authenticates users using the following mechanisms: locally stored passwords, Cerb, Radius, and SSH keys
Runtime login and password substitution
Wheel Fudo PAM can, after successful authentication, substitute credentials provided by the user with credentials configured in Wheel Fudo PAM or fetched from a third party Password Vault solution. With the substitution feature in use, the actual login credentials to target hosts do not have to be disclosed to end-users
- Wheel Fudo PAM supports a multi-master cluster configuration ensuring high availability and performance scaling
- monitoring anonymous connections, i.e. without authenticating users by Wheel Fudo PAM
- stored session data is encrypted with AES-XTS 256
- cryptographic data integrity verification
- the user's productivity is represented in the form of comprehensible charts enabling work efficiency analysis
App to App Password Manager
- automated password retrieval from the vault
- secure password transfer to the application
- alternative access to FUDO’s data structures
- enables integration with third-party solutions (e.g. ticketing systems)
- centralized list of monitored resources
- convenient access to target hosts – a single click opens a corresponding client application with connection parameters already filled in
- increased security of critical systems – privileged account login information is not disclosed to the end user
Wheel Cerb AS is a multi-factor user authentication solution designed for secure and convenient login to a variety of services and environments. It enables centralized user management and complete access control using modern authentication methods, including smartphones and hardware tokens.
- web-based management interface
- SDK for seamless integration with existing banking systems
- mobile application generating tokens independent of the GSM network
- Active Directory support enabling the import of user definitions from different AD domains
- SMS broker support for sending one-time passwords in text messages
- Yubikey, ActivIdentity and RSA hardware tokens, TAN cards and static password support
- RADIUS protocol implementation enabling seamless integration with solutions from IT vendors such as Juniper, CISCO, Checkpoint, Fortinet or Nokia
- self-registration service for faster provisioning and lower maintenance efforts
- PUSH notifications support
Wheel Cerb AS allows for using a number of different authorization methods making it a complete system which can be deployed in practically any environment.
It’s an easy-to-use application installed on a mobile phone, which generates one-time passwords for logging in. CERBToken operates fully off-line as it does not communicate with CERB. Passwords are generated using cryptographic methods and are verified upon logging in. CERBToken supports multiple profiles, allowing a single app to be used for accessing different environments, e.g. a bank, the corporate network, or an internet banking service. CERBToken can generate one-time passwords using time (a password is generated for a given moment) or a counter (passwords are generated one after another upon explicit request). The CERBToken application is available for the following platforms: iOS, Windows Phone, Android, BlackBerry.
Enables sending passwords in text messages. A user enters his login on the website and receives a password valid only for a defined time period and only for this particular authentication request. The SMSToken also offers a password on-demand function – the user sends a text message to a specific number and in response receives a list of passwords (e.g. 5 passwords) which can be used for logging in to the corporate network, a portal, etc. within a specified time interval (e.g. for a period of 8 hrs after receiving the message).
Third party hardware tokens
Wheel Cerb AS supports a variety of third party hardware tokens, small devices generating one-time passwords.
TAN cards, passwords list, and emails
Wheel Cerb AS also enables distributing passwords using more traditional methods such as TAN cards (scratch cards) or password lists. Wheel Cerb AS integrates with printing and enveloping systems and all volume and time validity parameters are fully configurable. One-time passwords can also be sent in emails along with the information regarding their validity.
Wheel Cerb AS also supports static passwords. Users who cannot use the CERBToken application can authenticate using a static password.
Wheel Lynx SSL Inspector enables transparent SSL/TLS traffic decryption for further analysis by DLP/IDS/IPS systems.
The appliance works in transparent bridge mode, intercepting selected network traffic. SSL sessions pass through Wheel Lynx SSL Inspector transparently so the client software thinks it connects directly to the target server as it uses the original address of the target host. The decrypted network traffic is forwarded to the dedicated DLP/IDS/IPS device for evaluation. Wheel Lynx SSL Inspector encrypts data again and sends it over to the target server. The DLP/IDS/IPS systems can order Wheel Lynx SSL Inspector to terminate the connection. Unencrypted traffic, which can also pass through Wheel Lynx SSL Inspector, is forwarded to the IDS/IPS without being modified.
- signed and self-signed certificates handling
- Server Name Indication (SNI)
- OCSP support
- decrypt once feed many
- selective whitelisting based on categories
- network bypass
- whitelisting source and target hosts
- whitelist subscription service
- supports connections initialized as encrypted (such as HTTPS) as well as protocols which can begin encrypted transmission by executing the STARTTLS command (e.g. SMTP)
- TLS SNI (Server Name Indication) extension support
- SSL 2.0
- SSL 3.0
- TLS 1.0
- TLS 1.1
- TLS 1.2