Security Manager provides a robust toolkit to help empower users to improve security operations and improve security outcomes by reducing risk, managing change, and enforcing compliance. But with Security in the name, what kind of security is in place in Security Manager and what can you, the empowered user, do to harden the security of the system further?
Default Security in Security Manager
- Access Controls are fully configurable from the web interface, creating granularity in allowing or denying access on a per-user or per-group basis. Users can only access and interact with what they are permitted to.
- No root access provided. Sensitive files and data cannot be accessed, modified, or deleted from the operating system.
- No package management software is installed, thus preventing malicious software from being installed and existing software from being removed or replaced.
- The most up-to-date versions of core operating system components available at the time of release are included in each version of Security Manager.
- LUKS AES 512 encryption is implemented to protect data-at-rest, while TLS v1.2 and TLS v1.3 protect data-in-transit.
- Passwords utilize a SHA512 hashing algorithm and are created with more than enough hashing rounds, keeping your password safe from unintended decryption or cracking.
Further Harden Security Manager’s Existing Security
Aside from the default security, there are additional configurations within the modules to further harden Security Manager.
From the Administration Module
Email encryption for system reports. This feature leverages digital signing certificates and encryption certificate lookup servers to ensure reports being emailed have not been tampered with or intercepted by another party prior to being received by the appropriate recipients.
- In the Administration module, navigate to System > Email Encryption.
Set stricter Failed Password Attempts, Password Reset Timeout, and Session Timeout configurations. These features help maintain account security by creating an even smaller attack surface for attacks such as brute force and dictionary attacks against passwords and session hijacking attacks against session tokens and cookies.
- In the Administration module, navigate to Settings > Security Manager > Security section.
From the FMOS Control Panel [hostname:55555]
Set Console auto-lock timeout to automatically lock idle sessions after a period of inactivity. Setting this feature will cause command line sessions to adhere to an inactivity timeout, terminating the session after the indicated length of time. This feature is great for keeping command-line sessions even more secure and safe.
- In the FMOS Control Panel, navigate to OS > Console auto-lock timeout, and set the timeout value in minutes.
Set ‘Notify Recipients’ to configure email addresses to receive system notifications. Configure this setting to enable system notification emails that could contain valuable system information to be sent to administrators.
- In the FMOS Control Panel, navigate to OS > Notify Recipients and enter the email addresses of recipients.
Configure Password Policy to include stricter settings for Password Complexity, Password History, Lockout Threshold and Duration, Minimum and Maximum Password Age, as well as Minimum Password Length. Establishing a more hardened security posture for these password policy settings will make your passwords exceedingly more difficult to guess, crack, or brute force.
- In the FMOS Control Panel, navigate to OS > Authentication > Password Policy to configure the various password-related settings.
Configure the System Crypto Policy. This will change the core cryptographic subsystems such as TLS, IKE, IPsec, DNSSEC, and Kerberos protocols to use the strictest cryptographic configurations available on the system.
Selecting FUTURE for System Crypto Policy will allow for the use of only a select number of incredibly secure TLS 1.2 and TLS 1.3 protocols, as well as IKEv2 and SSH2 protocols.
- In the FMOS Control Panel, navigate to OS > Crypto > System Crypto Policy and select FUTURE from the list.
Generate custom Diffie-Hellman parameters for key exchange. This will use the custom-generated parameters as opposed to the built-in parameters wherever possible. Custom-generated Diffie-Hellman parameters will further assist in keeping your key exchange safe and secure by only accepting RSA keys and Diffie-Hellman parameters if they are at least 3072 bits long.
- In the FMOS Control Panel, navigate to OS > Crypto > Use Custom Diffie-Hellman Parameters and set the value to true.
Note: This setting is enforced to true when the System Crypto Policy is set to FUTURE.
Configuring Remote Syslog Configuration to enable the offloading of generated system logs. This will allow for the availability and integrity of logs for future review or investigation.
- In the FMOS Control Panel, navigate to OS > Syslog > +and provide the data needed to configure a remote Syslog server.
Configure Remote Syslog Configuration to use TLS. This will ensure the confidentiality of log data between the system and the remote Syslog server by encrypting the channels in which that data is transmitted.
- In the FMOS Control Panel, navigate to OS > Syslog > Use TLS
With the above additional hardening in place, you will further the rigid security posture of Security Manager as you, the empowered user, sees fit. Improve security operations and improve security outcomes.