
Appliance Hardening

The Protegrity Appliance provides the framework for Protegrity's appliance-based products. The base Operating System (OS) of every Protegrity Appliance is Linux. The platform includes the required low-level OS components as well as higher-level components for security management. Linux is widely accepted as the preferred base OS for customized solutions such as firewalls and embedded systems.

Linux was selected for the following reasons:

  • Open Source: Linux is an Open Source solution.
  • Stable: The OS is a stable platform due to its R&D and QA cycles.
  • Customizable: The OS can be customized to a high degree.
  • Proven system: The OS has already been proven in many production environments and systems.

For a list of installed components, refer to the Contractual.htm document available in the Web UI under Settings > System > Files pane.

Protegrity takes several measures to harden this Linux-based system and make it more secure. For example, many non-essential packages and components are removed. If you want to install external packages on the appliances, the packages must be certified by Protegrity.

For more information about installing external packages, contact Protegrity Support.

The following additional hardening measures are described in this section:

  • Linux Kernel
  • Restricted Logins
  • Enhanced Logging
  • Open Listening TCP Ports
  • Packages and Services

Packages and Services

Several major components, services, and packages are disabled or removed for appliance hardening. The following table lists the removed items.

Removed Object | Examples
Network services (except SSH/Apache) | telnet client/server
Package managers | apt
Additional packages | Man pages, documents

Linux Kernel

The appliance kernels are optimized for hardening. Protegrity appliances are currently equipped with a modular, patched Linux kernel, version 4.9.38. The kernel is patched to enhance some capabilities and to optimize it for server-side usage. Standard server-side features such as the scheduler and TCP settings remain available.

Restricted Logins

Every Protegrity Appliance is equipped with an internal LDAP directory service, OpenLDAP. Appliances may use this internal LDAP for authentication, or an external one.

The ESA server provides directory services to all the other appliances. To avoid a single point of failure, you can use multiple directory services.

Four users are predefined and available after the appliance is installed. Unlike in standard Linux, the root user is blocked and cannot access the system without permission from the admin user, and the admin user cannot access the Linux shell console without permission from the root user. This separation of duties ensures that any OS-related or security-related operation, such as an upgrade or a patch, requires the root and admin users to cooperate. The same design applies to SSH connectivity.

The main characteristics of the four users are described here.

root user

  • Local OS user.
  • By default, can only access machine’s console.
  • All other access requires additional admin user login to ensure isolation of duties.
  • SSH login is blocked by default but can be enabled if required.
  • No Web UI access.

admin user

  • LDAP directory management user.
  • Usually this user is the Chief Security Officer.
  • Can access and manage Web UI or CLI menu using machine’s console or SSH.
  • Can create additional users.
  • If required, then root user login for OS related activities can be allowed.

viewer user

  • LDAP directory user.
  • By default, has read-only access to Appliance features.
  • Can access Web UI and CLI menu using machine’s console or SSH but cannot modify settings/server.

local_admin user

  • Local OS user.
  • Emergency or maintenance user with limited admin user permission.
  • Handles cases where the directory server is not accessible.
  • By default, has SSH and Web UI blocked, and only machine’s console is accessible.

The appliance login design facilitates appliance hardening. The following two OS users are defined:

  • root: The standard system administrator user.
  • local_admin: Administrative OS user for maintenance when the LDAP directory is not accessible. By default, SSH and Web UI access are blocked for this user and only the machine's console is accessible.

These are the basic login rules:

  • The root user can never log in directly.
  • The admin user can connect to the CLI Manager, locally or through SSH.
  • A root shell can be opened from within the admin user's CLI Manager.

Enhanced Logging

The logging capabilities are enhanced for appliance hardening. In addition to the standard OS logs or syslogs that are available by default, many other operations are logged as well.

Logs that are considered important are sent to the Protegrity ESA logging facility, which can be local or remote. This means that in addition to the standard syslog repository, Protegrity provides a secured repository for important system logs.

The following events are among those escalated to the ESA logging facility:

  • System startup logs
  • Protegrity product or service is started or stopped
  • System backup and restore operations
  • High Availability events
  • User logins
  • Configuration changes

Configuring user limits

In Linux, every user consumes system resources to perform operations. When a user with minimal privileges runs operations that consume most of the system resources, other users can be left without resources, which amounts to a Denial-of-Service (DoS) condition. To mitigate this, you can restrict the resources that users or groups may consume. On Protegrity appliances the ulimit functionality, configured in /etc/security/limits.conf, limits per-user resources such as the number of processes a user can create or the number of files a user can hold open; the procedure below raises the open-files (nofile) limit. The ulimit functionality cannot be applied to usernames that contain the space character.

When using protectors earlier than version 10.x, if there are more than 300 protectors, the ulimit must be increased.

Warning: Increasing the ulimit might have negative consequences on the environment. In such cases, it must be handled with the load balancers.

Increasing the ulimit

Perform the following steps to increase the ulimit:

  1. Log in to the ESA CLI Manager.

  2. Navigate to Administration > OS Console.

  3. Enter root password.

  4. Open the /etc/security/limits.conf file in an editor.
    It contains content similar to the following.

    #*               soft    core            0
    #root            hard    core            100000
    #*               hard    rss             10000
    #@student        hard    nproc           20
    #@faculty        soft    nproc           20
    #@faculty        hard    nproc           50
    #ftp             hard    nproc           0
    #ftp             -       chroot          /ftp
    #@student        -       maxlogins       4
    
    # End of file
    *       hard    core    0
    #PTY-39608 - ulimit open files needs to be increased for apache process in appliances
    *         -       nofile          16384
    root soft nofile 65536
    root hard nofile 65536
    
  5. Navigate to the following line to change the ulimit for all users.

     *         -       nofile          16384
    
  6. Change the ulimit value from 16384 to 65536.

  7. Save the file and exit.

    The file is read by pam_limits when a session is opened, so sessions that are already open keep their old values. Disconnect the current session and log in again before verifying the new ulimit.

Verifying the ulimit

Perform the following steps to verify the ulimit:

  1. Log in to the ESA CLI Manager.
  2. Navigate to Administration > OS Console.
  3. Enter root password.
  4. Verify the ulimit using the following command.
    ulimit -a
  5. Verify the value of the following parameter.
    open files                          (-n) 65536
    
    The updated ulimit appears.
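To make the precedence rules of limits.conf concrete, the following added example (not Protegrity's own tooling, and not part of the original page) resolves the soft and hard values that pam_limits would apply to a given user for an item such as nofile. It embeds a constructed copy of the excerpt above, before and after step 6, and follows the pam_limits(8) matching rule: a line naming the user overrides an @group line, which overrides the * wildcard, and within one class the later line wins. A username containing a space splits into five fields and is rejected, which is the case the page says ulimit cannot handle. The user names apache and bob and the group staff are assumptions used only for illustration.

```python
"""Resolve the limit that pam_limits would apply to a user from limits.conf text.

Added example for this page, not a Protegrity tool. Precedence (explicit user
entry beats @group entry beats the '*' wildcard; later lines win within a class)
follows pam_limits(8). The sample file is constructed from the page's excerpt.
"""

# Constructed sample: the page's limits.conf as shipped (nofile for everyone = 16384).
LIMITS_CONF_BEFORE = """\
#*               soft    core            0
#@student        hard    nproc           20
#ftp             hard    nproc           0
# End of file
*       hard    core    0
#PTY-39608 - ulimit open files needs to be increased for apache process in appliances
*         -       nofile          16384
root soft nofile 65536
root hard nofile 65536
"""

# The same file after step 6 of the procedure above (16384 -> 65536 on the '*' line).
LIMITS_CONF_AFTER = LIMITS_CONF_BEFORE.replace("nofile          16384", "nofile          65536")

_RANK = {"wildcard": 1, "group": 2, "user": 3}


def _value(text):
    """limits.conf values are integers, 'unlimited', or a path (for chroot)."""
    return int(text) if text.isdigit() else text


def parse_limits(text):
    """Return (domain, type, item, value) tuples for the active lines of a limits.conf.

    Raises ValueError on malformed lines. A username containing a space splits
    into five fields and is rejected here rather than silently mis-parsed.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(fields)}: {raw!r}")
        domain, ltype, item, value = fields
        if ltype not in ("soft", "hard", "-"):
            raise ValueError(f"line {lineno}: unknown limit type {ltype!r}")
        entries.append((domain, ltype, item, _value(value)))
    return entries


def _match_class(domain, user, groups):
    """Classify how a domain field matches `user`, or None if it does not."""
    if domain == "*":
        return "wildcard"
    if domain.startswith("@"):
        return "group" if domain[1:] in groups else None
    return "user" if domain == user else None


def effective_limit(text, user, groups, item):
    """Return (soft, hard) that pam_limits would set for `item`, or None if no line applies."""
    best = {"soft": (0, None), "hard": (0, None)}  # (precedence rank, value)
    for domain, ltype, it, value in parse_limits(text):
        if it != item:
            continue
        cls = _match_class(domain, user, groups)
        if cls is None:
            continue
        rank = _RANK[cls]
        for which in (("soft", "hard") if ltype == "-" else (ltype,)):
            if rank >= best[which][0]:  # same class: the later line wins
                best[which] = (rank, value)
    soft, hard = best["soft"][1], best["hard"][1]
    return None if soft is None and hard is None else (soft, hard)


if __name__ == "__main__":
    for label, conf in (("before", LIMITS_CONF_BEFORE), ("after", LIMITS_CONF_AFTER)):
        print(label, "apache nofile:", effective_limit(conf, "apache", set(), "nofile"),
              "root nofile:", effective_limit(conf, "root", set(), "nofile"))
```

Run it against the appliance's real file with the text of /etc/security/limits.conf and the groups of the account in question; the result for the apache account is what the comment on the PTY-39608 line is about, and it changes only after the wildcard line is edited, whereas root's own lines already pin 65536 regardless of the wildcard.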

Open Listening Ports

Network ports serve as communication channels that allow information to flow from one system to another. This section provides a list of ports that must be configured in your environment to access the features and services on Protegrity appliances.

For more information about Protegrity products and their components, refer to the Glossary.

Ports for accessing ESA

The following ports must be configured for system users to access the ESA.

Port Number | Protocol | Source | Destination | NIC | Description
22 | TCP | System User | ESA | Management NIC (ethMNG) | Access to the CLI Manager
443 | TCP | System User | ESA | Management NIC (ethMNG) | Access to the Web UI for the Security Officer or ESA administrator
443 | TCP | DevOps User | ESA | Management NIC (ethMNG) | Initiating Protegrity REST API requests, for example the Policy Management APIs and downloading the policy package using the Export API

Ports for accessing Protectors

The following ports must be configured between the ESA and the non-appliance-based protectors, such as the Big Data Protector (BDP) and the Application Protector (AP).

Port Number | Protocol | Source | Destination | NIC | Description
8443 | TCP | All Protectors | Service Dispatcher in ESA | Management NIC (ethMNG) | Downloading certificates from the ESA; downloading policies from the ESA (applies to protectors earlier than version 10.0.x)
25400 | TCP | Version 10.0.x dynamic protectors | Resilient Package Proxy (RPP) in the ESA | Management NIC (ethMNG) | Downloading certificates and packages from the ESA via the RPP service
9200 | TCP | Log Forwarder service on the machine | Insight in ESA | Management NIC (ethMNG) of ESA | Sending the audit logs received from the Log Server to Insight in the ESA

Ports for ESA on TAC

The following ports must be configured for the ESA appliances in a Trusted Appliances Cluster (TAC).

Port Number | Protocol | Source | Destination | NIC | Description | Notes (if any)
22 | TCP | Primary ESA | Secondary ESA | Management NIC (ethMNG) | Communication in TAC |
22 | TCP | Secondary ESA | Primary ESA | Management NIC (ethMNG) | Communication in TAC |
443 | TCP | Primary ESA | Secondary ESA | Management NIC (ethMNG) | Communication in TAC |
443 | TCP | Secondary ESA | Primary ESA | Management NIC (ethMNG) | Communication in TAC |
10100 | UDP | Primary ESA | Secondary ESA | Management NIC (ethMNG) | Communication in TAC | Optional. If the appliance heartbeat services are stopped, this port can be closed.
10100 | UDP | Secondary ESA | Primary ESA | Management NIC (ethMNG) | Communication in TAC | Optional. If the appliance heartbeat services are stopped, this port can be closed.
8300 | TCP | Primary ESA | Secondary ESA | Management NIC (ethMNG) | Consul server RPC | Used by Consul servers to handle incoming requests from other Consul agents.
8300 | TCP | Secondary ESA | Primary ESA | Management NIC (ethMNG) | Consul server RPC | Used by Consul servers to handle incoming requests from other Consul agents.
8301 | TCP and UDP | Primary ESA | Secondary ESA | Management NIC (ethMNG) | Consul gossip on the LAN | Required by all Consul agents.
8301 | TCP and UDP | Secondary ESA | Primary ESA | Management NIC (ethMNG) | Consul gossip on the LAN | Required by all Consul agents.
8302 | TCP and UDP | Primary ESA | Secondary ESA | Management NIC (ethMNG) | Consul gossip on the WAN | Used by Consul servers to gossip with other servers over the WAN. As of Consul 0.8, the WAN join flooding feature requires the Serf WAN port (TCP/UDP) to listen on both the WAN and LAN interfaces.
8302 | TCP and UDP | Secondary ESA | Primary ESA | Management NIC (ethMNG) | Consul gossip on the WAN | Used by Consul servers to gossip with other servers over the WAN. As of Consul 0.8, the WAN join flooding feature requires the Serf WAN port (TCP/UDP) to listen on both the WAN and LAN interfaces.
8600 | TCP and UDP | ESA | DSG | Management NIC (ethMNG) | Consul DNS server port | Used to resolve DNS queries.
8600 | TCP and UDP | DSG | ESA | Management NIC (ethMNG) | Consul DNS server port | Used to resolve DNS queries.

Additional Ports

Depending on the firewall rules and network infrastructure of your organization, you must open ports for the services listed in the following table.

Port Number | Protocol | Source | Destination | NIC | Description | Notes (if any)
25 | TCP | ESA | SMTP server | Management NIC (ethMNG) of ESA | Email server configuration | Default port for an SMTP server.
123 | UDP | ESA | Time servers | Management NIC (ethMNG) of ESA | NTP time synchronization | Configurable according to enterprise network policies or your use case.
389 | TCP | ESA | Active Directory server | Management NIC (ethMNG) of ESA | Authentication against the external AD and synchronization with external AD groups for policy users | Configurable according to enterprise network policies or your use case.
636 | TCP | ESA | Active Directory server | Management NIC (ethMNG) of ESA | Authentication against the external AD and synchronization with external AD groups for policy users | LDAPS. Configurable according to enterprise network policies or your use case.
1812 | TCP | ESA | RADIUS server | Management NIC (ethMNG) of ESA | Authentication with the RADIUS server | Configurable according to enterprise network policies or your use case. RADIUS servers commonly listen on UDP/1812; confirm which transport your server accepts.
514 | UDP | ESA | Syslog servers | Management NIC (ethMNG) of ESA | Forwarding logs for storage | Configurable according to enterprise network policies or your use case.
15780 | TCP | AIX Protector | Machine where the Log Forwarder is installed | Management NIC (ethMNG) | Forwarding logs from the AIX Protector to the Log Forwarder |
9111 (FutureX) | TCP | ESA | HSM server | Management NIC (ethMNG) of ESA | HSM communication | Configurable according to enterprise network policies or your use case.
1792 (SafeNet) | TCP | ESA | HSM server | Management NIC (ethMNG) of ESA | HSM communication | Must be opened; configurable according to enterprise network policies or your use case.
8000 (nCipher non-privileged port) | TCP | ESA | HSM server | Management NIC (ethMNG) of ESA | HSM communication | Must be opened; configurable according to enterprise network policies or your use case.
8001 (nCipher privileged port) | TCP | ESA | HSM server | Management NIC (ethMNG) of ESA | HSM communication | Must be opened; configurable according to enterprise network policies or your use case.
288 (Utimaco) | TCP | ESA | HSM server | Management NIC (ethMNG) of ESA | HSM communication | Must be opened; configurable according to enterprise network policies or your use case.
443 | TCP | ESA | AWS Key Management Service, Google Cloud Key Management Service, Azure Key Vault | Management NIC (ethMNG) of ESA | Key Management Service (KMS) integration | Must be opened; configurable according to enterprise network policies or your use case.

Ports for DSG

If you are using the DSG appliance, the following ports must be configured in your environment.

Port Number | Protocol | Source | Destination | NIC | Description
22 | TCP | System User | DSG | Management NIC (ethMNG) | Access to the CLI Manager
443 | TCP | System User | DSG | Management NIC (ethMNG) | Access to the Web UI

Ports for communication between DSG and ESA

The following ports must be configured for communication between the DSG and the ESA.

Port Number | Protocol | Source | Destination | NIC | Description | Notes (if any)
22 | TCP | ESA | DSG | Management NIC (ethMNG) | Deploying rulesets from the ESA to the DSG; DSG patching from the ESA |
443 | TCP | ESA | DSG | Management NIC (ethMNG) | Communication in TAC |
443 | TCP | ESA | DSG | Management NIC (ethMNG) | Synchronizing the DSG's SSL certificates with the ESA's certificates during ESA communication |
8443 | TCP | DSG | ESA | Management NIC (ethMNG) | Establishing secure communication between the PEP server and the ESA to download certificates; retrieving the policy from the ESA |
9200 | TCP | DSG | ESA | Management NIC (ethMNG) | Sending the audit logs received from the Log Server to Insight in the ESA |
389 | TCP | DSG | ESA | Management NIC (ethMNG) | Authentication and authorization by the ESA |
5671 | TCP | DSG | ESA | Management NIC (ethMNG) | Notifications sent from the DSG to the ESA | Notifications related to OS backup and notifications from cron jobs are sent to the ESA dashboard.
10100 | UDP | DSG | ESA | Management NIC (ethMNG) | Establishing communication with the ESA; communication in TAC | Optional. If the appliance heartbeat services are stopped, this port can be closed.

DSG Ports for Communication in TAC

The following ports must also be configured when the DSG is part of a TAC.

Port Number | Protocol | Source | Destination | NIC | Description | Notes (if any)
22 | TCP | DSG | ESA | Management NIC (ethMNG) | Communication in TAC |
8585 | TCP | ESA | DSG | Management NIC (ethMNG) | Retrieving Cloud Gateway cluster information |
443 | TCP | ESA | DSG | Management NIC (ethMNG) | Communication in TAC |
10100 | UDP | ESA | DSG | Management NIC (ethMNG) | Communication in TAC | Optional. If the appliance heartbeat services are stopped, this port can be closed.
10100 | UDP | DSG | ESA | Management NIC (ethMNG) | Establishing communication with the ESA; communication in TAC | Optional. If the appliance heartbeat services are stopped, this port can be closed.
10100 | UDP | DSG | DSG | Management NIC (ethMNG) | Communication in TAC | Optional.

Additional Ports for DSG

In the DSG, service NICs are not assigned a specific port number; you configure a port number according to your requirements.

Depending on the firewall rules and network infrastructure of your organization, you must open ports for the services listed in the following table.

Port Number | Protocol | Source | Destination | NIC | Description | Notes (if any)
123 | UDP | DSG | Time servers | Management NIC (ethMNG) | NTP time synchronization | Configurable according to enterprise network policies or your use case.
514 | UDP | DSG | Syslog servers | Management NIC (ethMNG) | Forwarding logs | Configurable according to enterprise network policies or your use case.
514 | TCP | DSG | Syslog servers | Management NIC (ethMNG) | Forwarding logs | Configurable according to enterprise network policies or your use case.
Application ports | TCP | DSG | Applications | Service NIC (ethSRV) of DSG | Communication between the DSG and the applications in the organization | Configurable according to enterprise network policies or your use case.
Tunnel ports | TCP | Applications | DSG | Service NIC (ethSRV) of DSG | Communication between the applications in the organization and the DSG | Configurable according to enterprise network policies or your use case.

Ports for the Internet

The following port must be configured on the ESA for communication with the Internet.

If FIPS mode is enabled, Antivirus is disabled on the appliance and this port can be closed. For more information about Antivirus, refer to Working with Antivirus.

Port Number | Protocol | Source | Destination | NIC | Description
80 | TCP | ESA | ClamAV database | Management NIC (ethMNG) of ESA | Updating the Antivirus database on the ESA

Additional Ports for Strengthening Firewall Rules

The following ports are recommended when strengthening the firewall configuration.

Port Number | Protocol | Source | Destination | NIC | Description
67 | UDP | Appliance/System | DHCP server | Management NIC (ethMNG) | Broadcasting a DHCP request from the client to the DHCP server
68 | UDP | DHCP server | Appliance/System | Management NIC (ethMNG) | Listening for DHCP responses from the server
161 | UDP | ESA/DSG | SNMP | Management NIC (ethMNG) | SNMP requests
162 | UDP | ESA/DSG | SNMP trap | Management NIC (ethMNG) | SNMP trap requests
10161 | TCP and UDP | ESA/DSG | SNMP | Management NIC (ethMNG) | SNMP requests over DTLS

Insight in ESA Ports

The following ports must be configured for communication with Insight in the ESA.

Port Number | Protocol | Source | Destination | NIC | Description | Notes (if any)
9200 | TCP | ESA node in the Audit Store cluster | ESA node in the same Audit Store cluster | Management NIC (ethMNG) of Insight in ESA | Audit Store REST communication | Configurable according to enterprise network policies or your use case.
9300 | TCP | ESA node in the Audit Store cluster | ESA node in the same Audit Store cluster | Management NIC (ethMNG) of Insight in ESA | Internode communication between the Audit Store nodes | Configurable according to enterprise network policies or your use case.
24284 | TCP | Protector | ESA | Management NIC (ethMNG) of Insight in ESA | Communication between the protector and td-agent | Configurable according to your use case when forwarding logs to an external Security Information and Event Management (SIEM) system over TLS.
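A practitioner will want to confirm that an appliance exposes only the listeners these tables account for. The following added example (not part of Protegrity's documentation or tooling) parses the output of `ss -tulnp` and compares it with an allow-list transcribed from the ESA-side rows above (ports on which the ESA is the destination). It reports listeners that are not on the list, listeners bound only to loopback (which are not reachable over the network and so are not flagged), and required ports that are absent. The `ss` output, the process names (sshd, apache2, dispatcher, in.telnetd, consul, heartbeat) and the choice of 22, 443 and 8443 as the minimum required set are constructed assumptions; to use it on a real appliance, capture `ss -tulnp` from the OS console and feed that text in.

```python
"""Audit the sockets an ESA is listening on against the port tables on this page.

Added example, not a Protegrity tool. The allow-list is transcribed from the
ESA-side rows of the tables above; the `ss -tulnp` output, the process names
and the required set are constructed sample data.
"""
import re

# Inbound listeners an ESA is expected to have, keyed by (protocol, port).
ESA_ALLOWED = {
    ("tcp", 22): "CLI Manager (SSH); TAC peer",
    ("tcp", 443): "Web UI / REST API; TAC peer; DSG certificate sync",
    ("tcp", 8443): "Service Dispatcher: certificate and policy download",
    ("tcp", 25400): "Resilient Package Proxy (10.0.x dynamic protectors)",
    ("tcp", 9200): "Insight / Audit Store REST",
    ("tcp", 9300): "Audit Store internode",
    ("tcp", 24284): "td-agent log intake from protectors",
    ("tcp", 8300): "Consul server RPC",
    ("tcp", 8301): "Consul LAN gossip", ("udp", 8301): "Consul LAN gossip",
    ("tcp", 8302): "Consul WAN gossip", ("udp", 8302): "Consul WAN gossip",
    ("tcp", 8600): "Consul DNS", ("udp", 8600): "Consul DNS",
    ("udp", 10100): "Appliance heartbeat (optional)",
    ("tcp", 5671): "Notifications from DSG",
    ("tcp", 389): "LDAP authentication for DSG",
}

# Assumed minimum every ESA must expose for administration and protector bootstrap.
ESA_REQUIRED = {("tcp", 22), ("tcp", 443), ("tcp", 8443)}

# Constructed `ss -tulnp` output: a leftover telnet daemon, Consul DNS on loopback only.
SS_SAMPLE = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=812,fd=4))
tcp   LISTEN 0      128    0.0.0.0:443         0.0.0.0:*         users:(("apache2",pid=1201,fd=4))
tcp   LISTEN 0      128    0.0.0.0:8443        0.0.0.0:*         users:(("dispatcher",pid=1300,fd=7))
tcp   LISTEN 0      128    0.0.0.0:23          0.0.0.0:*         users:(("in.telnetd",pid=1410,fd=3))
tcp   LISTEN 0      128    127.0.0.1:8600      0.0.0.0:*         users:(("consul",pid=1500,fd=12))
udp   UNCONN 0      0      0.0.0.0:8301        0.0.0.0:*         users:(("consul",pid=1500,fd=9))
udp   UNCONN 0      0      0.0.0.0:10100       0.0.0.0:*         users:(("heartbeat",pid=1600,fd=5))
"""

_PROC_RE = re.compile(r'users:\(\("([^"]+)"')


def parse_ss(output):
    """Parse `ss -tulnp` text into (proto, local_addr, port, process) tuples."""
    listeners = []
    for line in output.splitlines()[1:]:  # the first line is the column header
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        addr, port = local.rsplit(":", 1)  # works for "0.0.0.0:22" and "[::]:22"
        match = _PROC_RE.search(line)
        listeners.append((proto, addr, int(port), match.group(1) if match else "?"))
    return listeners


def is_loopback(addr):
    """True for sockets bound to the loopback interface only."""
    return addr.startswith("127.") or addr == "[::1]"


def audit_listeners(output, allowed, required):
    """Classify listeners: not on the allow-list, loopback-only, and required-but-absent."""
    unexpected, loopback_only, seen = set(), set(), set()
    for proto, addr, port, proc in parse_ss(output):
        key = (proto, port)
        if is_loopback(addr):
            loopback_only.add((proto, port, proc))  # not reachable from the network
            continue
        seen.add(key)
        if key not in allowed:
            unexpected.add((proto, port, proc))
    return {
        "unexpected": sorted(unexpected),
        "loopback_only": sorted(loopback_only),
        "missing": sorted(k for k in required if k not in seen),
    }


if __name__ == "__main__":
    report = audit_listeners(SS_SAMPLE, ESA_ALLOWED, ESA_REQUIRED)
    for kind, items in report.items():
        print(f"{kind}: {items}")
```

The sample flags TCP/23 (a telnet daemon, one of the services the hardening removes) as unexpected, and treats Consul DNS on 127.0.0.1:8600 as loopback-only rather than as an exposure. For a DSG, substitute an allow-list built from the DSG rows (22, 443, 8585 from the ESA, 10100/udp from ESA and DSG peers, plus the application and tunnel ports on ethSRV).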