Netreo uses a security-in-depth, multi-layer approach to hardening and securing OmniCenter appliances.
The OmniCenter appliance is hardened and secured in many ways.
- The OS runs a hardened version of the Linux kernel.
- All console and serial access to the server is password (or public/private key) protected, and user accounts are strictly limited to only those required for functionality.
- Customer access to the OS shell is never permitted.
- To secure the operating system from network attack, all unnecessary network services have been removed from the operating system completely, so the only listening (open) TCP or UDP ports on the server are those of the services in use:
  - HTTP (can be disabled)
  - SSH (can be disabled)
  - Logging (syslog, SNMP traps)
  - Flow collection (NetFlow, sFlow, IPFIX)
  - Encrypted MySQL networking (in some high-availability, cluster, and multi-server configurations)
- Listening services are configured wherever possible to not reveal version numbers or software information to make reconnaissance more difficult.
- Network access to any other ports from any interface is forbidden.
- Reverse-path verification is used to ensure that inbound packets cannot spoof the IP addresses of the OmniCenter server to bypass IP-level security.
- TCP SYN cookies are used to prevent TCP SYN floods from being used to mount Denial-of-Service (DoS) attacks.
- Evasive HTTP techniques with automatic blacklists are used to further mitigate DoS attacks and prevent brute-force password scanning.
Network-enabled services are also internally resource-limited to help prevent DoS flooding of available services – for example, sending a flood of HTTP requests to attempt to crash the web server. Remote SSH access is also strictly controlled and limited to specific administrative users, and login is done primarily using public-key cryptography instead of passwords. Only SSH version 2 is supported, and SSH access can be disabled entirely if desired.
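The reverse-path filtering, SYN cookie, no-forwarding and key-only SSH controls listed above each correspond to a small number of Linux kernel sysctls and sshd_config directives, and a defender normally wants a repeatable check that a host still has them set. The script below is an added example and is not Netreo's code or anything shipped on the appliance; it assumes that the sysctl keys and sshd directives named in it are the ones implementing those controls on a stock Linux host, and it audits constructed sample input rather than a live system.

```python
"""Audit a host against a subset of the hardening controls listed above.

Added example, not Netreo's code. Assumptions: the sysctl keys and
sshd_config directives below are the editor's mapping of those controls
onto a stock Linux host; the sample inputs are constructed, not captured
from an OmniCenter appliance.
"""
import re

# Kernel settings: rp_filter=1 is strict reverse-path filtering,
# tcp_syncookies=1 enables SYN cookies, ip_forward=0 means the host
# never routes traffic between its interfaces.
SYSCTL_EXPECTED = {
    "net.ipv4.conf.all.rp_filter": "1",
    "net.ipv4.conf.default.rp_filter": "1",
    "net.ipv4.tcp_syncookies": "1",
    "net.ipv4.ip_forward": "0",
}

# sshd directives for key-based login (keywords are case-insensitive).
SSHD_EXPECTED = {
    "passwordauthentication": "no",
    "pubkeyauthentication": "yes",
}


def parse_sysctl(text):
    """Parse `sysctl -a` style output ("key = value") into a dict."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def parse_sshd_config(text):
    """Parse sshd_config into {keyword: value}.

    Mirrors sshd: lines starting with '#' are comments, keywords are
    case-insensitive, 'Keyword value' and 'Keyword=value' are both
    accepted, and the first occurrence of a keyword wins.
    """
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def audit_sysctl(text):
    """Return one finding string per sysctl that differs from policy."""
    settings = parse_sysctl(text)
    return [
        f"{key} is {settings.get(key)!r}, expected {want!r}"
        for key, want in SYSCTL_EXPECTED.items()
        if settings.get(key) != want
    ]


def audit_sshd(text):
    """Return one finding string per sshd directive that differs from policy."""
    settings = parse_sshd_config(text)
    findings = [
        f"{key} is {settings.get(key)!r}, expected {want!r}"
        for key, want in SSHD_EXPECTED.items()
        if (settings.get(key) or "").lower() != want
    ]
    # A Protocol line is only a problem if it admits version 1; modern
    # OpenSSH speaks version 2 only, so a missing line is acceptable.
    proto = settings.get("protocol")
    if proto and "1" in [p.strip() for p in proto.split(",")]:
        findings.append(f"protocol {proto!r} admits SSHv1; expected 2 only")
    return findings


# Constructed samples: one rp_filter interface left at 0, and password
# logins still enabled, both of which a policy check should catch.
SAMPLE_SYSCTL = """\
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.ip_forward = 0
"""

SAMPLE_SSHD = """\
# constructed sshd_config excerpt
Protocol 2
PasswordAuthentication yes
PubkeyAuthentication yes
"""

if __name__ == "__main__":
    for finding in audit_sysctl(SAMPLE_SYSCTL) + audit_sshd(SAMPLE_SSHD):
        print("FINDING:", finding)
```

On a real host the same functions can be fed the output of `sysctl -a` and the contents of `/etc/ssh/sshd_config`; the rate limits and HTTP blacklisting mentioned above live in the web server and firewall configuration and are outside what this check covers.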
All OmniCenter software development uses a security-focused programming model and is done primarily in development languages that incorporate security checks to prevent common security flaws (such as buffer overflows). Netreo’s software quality assurance (QA) process ensures that all code is tested for security flaws and undergoes periodic code auditing to limit potential security issues. Patches (available monthly or as required) can be scheduled to be applied automatically or on demand. Patching is designed to not disrupt the production use of the system.
OmniCenter uses a secure VPN system for software updates. All VPN communications are sent outbound. Depending on version and configuration, this usually uses UDP port 1194, but may optionally use TCP port 443 or TCP port 5000 instead.
VPN communications are initiated from the OmniCenter server to Netreo’s VPN concentrator, and are authenticated and encrypted with 128- or 256-bit AES encryption using 1024- or 2048-bit HMAC authentication. This ensures the highest possible level of data security. VPN tunnels can be administratively activated or deactivated by the customer to further restrict access.
The VPN tunnels terminate in an isolated secured network with strictly regulated access. Each end of the tunnel uses separate packet-level filters, application-level firewalls and packet analysis, and stateful inspection to limit the type, origin, and destination of the traffic, and access is controlled through multiple separate password and public/private key authentications. OmniCenter is configured to never forward traffic between interfaces, to prevent any leaking of data between networks.
OmniCenter web users can be authenticated locally, or using SAML or LDAP. When using LDAP/Active Directory or SAML, user passwords are never stored or cached on the server. When locally authenticated, user passwords are stored only as one-way hashes with a minimum complexity of 256 bits and randomly generated salts. Web users can be forced to change their password at an administrator-defined interval.
All of Netreo’s technical personnel undergo extensive background checks prior to employment and are trained to maintain high standards of security awareness.
Independent auditing of the OmniCenter appliance was conducted by Spirent, including penetration testing using a known administrative password, and the system was found to be extremely resistant to intrusion. Periodic vulnerability scans are conducted against new versions of the software, and any vulnerabilities found are remediated before release.
Because of inherent limitations in application dependencies, error, fraud, or dependencies on supporting systems such as networks and operating systems, no controls can provide one hundred percent assurance of system security. However, we believe that the comprehensive security assessment and development processes used by Netreo Inc provide reasonable assurances to our customers. Customers are welcome to perform any security assessments or evaluations they desire on the OmniCenter product as deployed, provided such assessments are limited to the normal methods used to access and operate the software (i.e., Netreo provides no assurance against penetration techniques involving destructive methods, hardware stress, or bypass techniques not commonly employed against in-place software over the network).
None of the assertions or statements in this document are intended to modify, supplement, or supersede the warranty statements provided in the Netreo Software License Agreement, or any of the open-source license agreements applicable to the Netreo OmniCenter product as sold or deployed.