Appliance Hardening

Overview

Starting from 6.17, Nexthink Appliances are better protected against unauthorized access and malicious attacks by default. To help you comply with security audits, the measures described in the Security Hardening Guide are now automatically applied on every fresh installation of the Appliance. By their very nature, two of the steps in the Security Hardening Guide cannot be automated and still demand manual intervention:

The Appliance requires additional communication ports to be open depending on the Nexthink server component (if any) that is installed along with the system packages. The automatic hardening procedure opens the ports needed by the Portal, the Engine, or both when they are installed on top of the Nexthink Appliance.

In the last sections of this article, learn how to open additional ports in the Appliance that you may need for your specific setup, and how to enforce security hardening on existing Appliances. Because the hardening procedure is only automatic for fresh installations of the Appliance, these sections are useful if you are upgrading your Nexthink Appliances to V6.17 or higher.

Hardening measures

ISO hardening

The following measures are applied to every new installation of the Appliance:

  • Disable ICMP redirection (kernel parameter).
  • Enable the strongest SSH and TLS ciphers only.
  • Disable HTTP communication and allow secure HTTP (HTTPS) only.
  • By default, the only open ports for listening are TCP 99 and TCP 22.
  • Umask configuration is less permissive (umask is set to 0027 for all users).
  • Ensure that the partition mount points cannot be misused.

Portal

In addition to TCP ports 99 and 22, the following ports are open by default when installing the Portal on the Appliance:

  • TCP 443 and 80.

After federation, these additional communication channels with the Engine are open as well, but they are only accessible to the host names or IPs of the federated Engines:

  • TCP 7000, 7001, 7002 and 7003.

Therefore, federation is mandatory in hardened Appliances to enable the real-time communication between the Portal and the Engines. For the same reason, it is not possible to work in compatibility mode.

Engine

In addition to TCP ports 99 and 22, the following ports are open by default when installing the Engine on the Appliance:

  • TCP 99, 22, 999, 8443 and 1671.
  • UDP 999.
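As an added example (not Nexthink's own code or a feature of the product), the following POSIX shell helpers compare captured `ss` and `sysctl` output against the expectations listed above: the per-role port lists come from this article, while the `*_redirects` kernel parameter names are assumed to be what "disable ICMP redirection" refers to, and the sample outputs are constructed for the demo.

```shell
#!/bin/sh
# Added audit helpers (not Nexthink code): check captured command output
# against the hardening expectations described in this article.

# Expected listening ports per role, taken from the lists above.
PORTAL_ALLOWED='tcp/22 tcp/99 tcp/80 tcp/443'
ENGINE_ALLOWED='tcp/22 tcp/99 tcp/999 tcp/8443 tcp/1671 udp/999'

# Constructed sample in the shape of `ss -H -lntu` output
# (columns: Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port).
SAMPLE_SS='tcp   LISTEN 0 128 0.0.0.0:22   0.0.0.0:*
tcp   LISTEN 0 128 [::]:99      [::]:*
tcp   LISTEN 0 128 0.0.0.0:443  0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:8080 0.0.0.0:*
udp   UNCONN 0 0   0.0.0.0:999  0.0.0.0:*'

# Constructed sample of `sysctl net.ipv4.conf` output. The *_redirects keys are
# the standard Linux parameters assumed to implement "disable ICMP redirection".
SAMPLE_SYSCTL='net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 1'

# unexpected_ports ALLOWED SS_OUTPUT: print each listening proto/port that is
# absent from ALLOWED (one per line, in input order, without duplicates).
unexpected_ports() {
  printf '%s\n' "$2" | awk -v allowed="$1" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NF >= 5 {
      port = $5; sub(/.*:/, "", port)          # strip the IPv4/IPv6 address part
      key = $1 "/" port
      if (!(key in ok) && !(key in seen)) { seen[key] = 1; print key }
    }'
}

# redirects_disabled SYSCTL_OUTPUT: succeed only if every *_redirects key is 0.
redirects_disabled() {
  printf '%s\n' "$1" | awk 'BEGIN { bad = 0 }
    /_redirects/ && $3 != 0 { bad = 1 }
    END { exit bad }'
}

# Demo run on the constructed samples. On a live appliance you would pass
# "$(ss -H -lntu)" and "$(sysctl net.ipv4.conf)" instead.
unexpected_ports "$PORTAL_ALLOWED" "$SAMPLE_SS"      # prints tcp/8080 and udp/999
redirects_disabled "$SAMPLE_SYSCTL" || echo 'ICMP redirect parameters are not all 0'
```

For an Engine appliance, pass `$ENGINE_ALLOWED` instead, plus any custom ports you added through the Web Console.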

Enabling additional ports

The automatic hardening enables only the default ports or, for those Engine ports that are configurable, the port numbers you have set in place of the defaults.

Third-party applications that you install on the Appliance may require additional communication ports. To enable additional ports on the Engine or the Portal Appliance, even when hardening is turned on:

  1. Log in to the Web Console of either the Portal or the Engine Appliance.
  2. Select the APPLIANCE tab at the top of the Web Console.
  3. Click Security on the left-hand side menu.
  4. Under Custom ports:
    • Type in the additional UDP ports required inside the UDP ports box. Separate each port number by a new line.
    • Type in the additional TCP ports required inside the TCP ports box. Separate each port number by a new line.
    (Screenshot: CustomPortsWebConsole.png)
  5. Click SAVE.

Enforce hardening from the Web Console

Only fresh installations of a V6.17 or higher Appliance are hardened. Starting from V6.18, you can protect upgraded Appliances from the Web Console with the same security settings as a fresh V6.17 or higher Appliance. Keep in mind that the Appliances must be federated before enforcing their hardening.

To harden your upgraded Appliances from the Web Console:

  1. Log in to the Web Console of either the Portal or the Engine Appliance.
  2. Select the APPLIANCE tab at the top of the Web Console.
  3. Click Security on the left-hand side menu.
  4. Under Security hardening, tick the option Keep appliance secure.
    (Screenshot: SecurityHardeningWebConsole.png)
  5. Click SAVE.