Part 7: Security

Security and System

Database Structure

Indeni stores its information locally on the hard drive on which it is installed. The database contains different types of information with two general classifications: highly confidential and confidential. The highly confidential information is stored within an encrypted file (using two types of encryption employing industry standards and best practices). The confidential information is stored in non-encrypted files.

The database files are not accessible via the web interface and can only be retrieved by logging into the system via SSH and downloading them using standard protocols (SCP, SFTP, etc.). The SSH service is the standard sshd application, which has a long track record of being safe so long as the passwords selected by the user are strong ones. Refer to your organization’s password policies for more information on choosing a strong password.

Underlying Operating System

The operating system supplied with the system is Ubuntu 14.04 Server. By default, the set of services accessible via the network has been reduced to the absolute minimum required, further hardening the operating system. These services are:

  • SSH
  • HTTP and HTTPS (the Indeni server’s web interface, hosted inside Jetty)
  • TCP Ports 9009, 9912 used by Indeni’s Server component

Device Access Credentials Storage

The credentials used to access devices, such as the SSH Username and Password, are stored within the database described above. The username is stored in the confidential store, while the password is stored in the highly confidential store (and is encrypted). By protecting the database files, an organization is protecting this information from being compromised.

Password Security of Users Defined in the System

All users defined in the system (allowed to access the system itself via the web interface) are required to use strong passwords as defined by PCI DSS requirements 8.5.10, 8.5.12, 8.5.13, and 8.5.14. Passwords are stored as salted hashes within the encrypted database. This protects the original passwords from being recovered.

Protecting Analyzed Devices

The commands executed on analyzed devices (routers, firewalls, load balancers, management servers, etc.) are defined by the internal logic of the product and cannot be modified by a user. This is to limit the commands that can be executed by Indeni on analyzed devices to those which have been tested and approved by Indeni.

Indeni’s Failsafe Mechanism

Some critical devices could be sensitive to too much data collection, which can lead to performance problems. Although every effort has been made to minimize the device resource usage, the fail-safe mechanism is designed to provide additional protection and to prevent overwhelming a device under abnormal conditions.

As part of its data collection capabilities, Indeni regularly tracks CPU and memory utilization to identify whether the device is being stressed at the monitored interval. This information feeds Indeni’s task scheduling mechanism so that it avoids overwhelming a device. When Indeni detects that the device CPU becomes too busy, or memory becomes an issue, it significantly throttles data collection and temporarily suspends it until the device returns to normal conditions. Indeni continues to collect CPU and memory metrics periodically so that it knows when to resume data collection.

Indeni relies on a key-value pair in its JSON-based Knowledge scripts. A full example can be found here.

name: panos-show-system-resources
description: fetch resource utilization
type: monitoring
monitoring_interval: 1 minute
includes_resource_data: true

This key is used by our Collector service, which schedules and executes each of our scripts. When includes_resource_data is set to true, it tells the Collector that the script should be executed even when the analyzed device has reached critical thresholds for CPU and memory. For scripts that should be disabled under high stress, the key-value pair is simply omitted, because the Collector service treats includes_resource_data as false by default.

During clearly identified high stress intervals, Indeni will simply observe the CPU and memory. This allows us to analyze fundamental system resources such as CPU and Memory in order to identify when it is safe and healthy to execute the rest of the scripts again.
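The gating rule described above can be sketched as follows. This is an added example, not Indeni's Collector code: the threshold values, the function names and the two example-* script headers are assumptions made for illustration.

```python
# Added illustration, not Indeni's Collector code. Threshold values are assumptions.
CPU_CRITICAL = 90.0  # percent (hypothetical)
MEM_CRITICAL = 90.0  # percent (hypothetical)

# Constructed sample headers; only the first one appears on this page.
SAMPLE_HEADERS = [
    "name: panos-show-system-resources\n"
    "description: fetch resource utilization\n"
    "type: monitoring\n"
    "monitoring_interval: 1 minute\n"
    "includes_resource_data: true\n",
    # Hypothetical script that omits the key entirely.
    "name: example-show-routes\n"
    "description: hypothetical: route table dump\n"
    "type: monitoring\n"
    "monitoring_interval: 5 minute\n",
    # Hypothetical script that sets the key to false explicitly.
    "name: example-show-sessions\n"
    "type: monitoring\n"
    "includes_resource_data: false\n",
]


def parse_header(text):
    """Parse 'key: value' lines; the flag is False when the key is absent."""
    meta = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)  # split once so values may contain ':'
        meta[key.strip()] = value.strip()
    flag = meta.get("includes_resource_data", "false")
    meta["includes_resource_data"] = flag.lower() == "true"
    return meta


def device_stressed(cpu_pct, mem_pct):
    """True when either metric has reached its critical threshold."""
    return cpu_pct >= CPU_CRITICAL or mem_pct >= MEM_CRITICAL


def runnable_scripts(headers, cpu_pct, mem_pct):
    """Names of scripts allowed to run for the given device load."""
    scripts = [parse_header(h) for h in headers]
    if device_stressed(cpu_pct, mem_pct):
        # Under stress only the resource-tracking scripts keep running.
        scripts = [s for s in scripts if s["includes_resource_data"]]
    return [s["name"] for s in scripts]


if __name__ == "__main__":
    print(runnable_scripts(SAMPLE_HEADERS, 35.0, 40.0))  # normal load
    print(runnable_scripts(SAMPLE_HEADERS, 97.0, 40.0))  # CPU critical
```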

No Change Policy

Indeni has a very strict no change policy, meaning no changes will be made on the devices Indeni analyzes. The only write actions Indeni performs are writing temporary files to /tmp and initiating an additional instance of SSHD when needed.