Netreo Appliance Security
  • 28 Jul 2025

Notice
None of the assertions or statements in this document is intended to modify, supplement, or supersede the warranty statements provided in the Netreo Software License Agreement or any of the open-source license agreements applicable to the Netreo product as sold or deployed.

Netreo uses a security-in-depth, multi-layer approach to hardening and securing appliances.

Because of inherent limitations in application dependencies, error, fraud, or dependencies on supporting systems such as networks and operating systems, no controls can provide one hundred percent assurance of system security. However, Netreo believes that the comprehensive security assessment and development processes used in our products provide reasonable assurances to our customers. Customers are welcome to perform any security assessments or evaluations they want on the Netreo product as deployed, provided such assessments are limited to the normal methods used to access and operate the software (i.e., Netreo provides no assurance against penetration techniques involving destructive methods, hardware stress, or bypass techniques not commonly employed against in-place software over the network).

Product Security

  • All Netreo software development uses a security-focused programming model and is done primarily in development languages that incorporate security checks to prevent common security flaws (such as buffer overflows). Netreo’s software quality assurance process ensures that all code is tested for security flaws and undergoes periodic code auditing to limit potential security issues. Patches can be scheduled to be applied automatically or on demand. Patching is designed not to disrupt the system's production use.
  • Software updates for Netreo are delivered via a secure VPN system.
    • All VPN communications are sent outbound. Depending on version and configuration, this usually uses UDP port 1194 but can optionally use TCP port 443 or TCP port 5000 instead.
    • VPN communications are initiated from the Netreo server to Netreo’s VPN concentrator and are authenticated and encrypted with 128- or 256-bit AES encryption using 1024- or 2048-bit HMAC authentication. This ensures the highest possible level of data security. VPN tunnels may be administratively activated or deactivated by the customer to further restrict access.
    • VPN tunnels terminate in an isolated, secure network with strictly regulated access. Each end of the tunnel uses separate packet-level filters, application-level firewalls, packet analysis, and stateful inspection to limit the type, origin, and destination of the traffic. Access is controlled through multiple separate passwords and public/private key authentications. Netreo is configured to never forward traffic between interfaces to prevent data leakage between networks.
  • TCP SYN cookies are used to prevent TCP SYN floods from being used to create Denial-of-Service (DoS) attacks.
  • Evasive HTTP techniques with automatic block lists are used to further mitigate DoS attacks and prevent brute-force password scanning.
  • Listening services are configured not to reveal version numbers or software information wherever possible to make reconnaissance more difficult.
  • Customer access to the OS shell is never permitted.

Platform Security

  • The OS runs a hardened version of the Linux kernel.
  • All of Netreo’s technical personnel undergo extensive background checks before employment and are trained to maintain high standards of security awareness.
  • Spirent has conducted an independent audit of the Netreo appliance (including penetration testing using a known administrative password), and the system has been found to be extremely resistant to intrusion. Vulnerability scans are periodically conducted against new versions of the software, and any vulnerabilities found are remediated before release.
  • To secure the operating system from network attack, all unnecessary network services have been removed from the operating system completely, so that the only listening (open) TCP or UDP ports on the server are the services in use:
    • HTTP (may be configured by the customer to redirect to HTTPS)
    • HTTPS
    • SSH (may be disabled by the customer)
    • Log collection (for syslog and SNMP traps)
    • Flow collection (for NetFlow, sFlow, and IPFIX)
    • Network access to any other ports from any interface is forbidden.
  • Network-enabled services are internally resource-limited to help prevent DoS flooding of available services – for example, sending a flood of HTTP requests to attempt to crash the web server.
  • Remote SSH access is strictly controlled and limited to specific administrative users, and SSH login is primarily done using public-key cryptography instead of passwords.
    • Only SSH version 2 is supported.
    • SSH access may be disabled entirely if desired.
  • Reverse-path verification is used to ensure that inbound packets cannot spoof the IP addresses of the Netreo server to bypass IP-level security.
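As an added example (not Netreo's code), the following audit helper checks a Linux host for the controls listed in the Product Security and Platform Security sections: SYN cookies and reverse-path filtering via sysctl, SSH version 2 with key-based login only, and a listening-port allowlist. The port numbers, file contents and `ss` output are assumptions and constructed samples, not values from the article.

```python
import re

# Assumed default ports for the services the article lists (HTTP, HTTPS, SSH,
# syslog, SNMP traps, NetFlow, sFlow, IPFIX); adjust to the actual deployment.
ALLOWED_LISTENERS = {("tcp", 80), ("tcp", 443), ("tcp", 22), ("udp", 514),
                     ("udp", 162), ("udp", 2055), ("udp", 6343), ("udp", 4739)}

def check_sysctl(values):
    """values: sysctl key -> string (e.g. read from /proc/sys). Returns findings."""
    findings = []
    if values.get("net.ipv4.tcp_syncookies", "0").strip() != "1":
        findings.append("tcp_syncookies disabled: SYN floods can fill the accept backlog")
    if values.get("net.ipv4.conf.all.rp_filter", "0").strip() not in ("1", "2"):
        findings.append("rp_filter off: packets with spoofed source addresses are not dropped")
    return findings

def check_sshd_config(text):
    """Parse sshd_config text; the first occurrence of a keyword wins, as in sshd."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, val = line.partition(" ")
            opts.setdefault(key.lower(), val.strip())
    findings = []
    if "1" in opts.get("protocol", "2").split(","):
        findings.append("SSH protocol 1 enabled; only version 2 should be offered")
    if opts.get("passwordauthentication", "yes").lower() != "no":
        findings.append("password logins enabled; public-key authentication expected")
    return findings

def check_listeners(ss_output, allowed=ALLOWED_LISTENERS):
    """Parse `ss -Hlntu` lines; return sockets bound outside the allowlist.
    Loopback-only listeners (e.g. a local MySQL) are not network-reachable and are skipped."""
    unexpected = []
    for line in ss_output.splitlines():
        m = re.match(r"\s*(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s", line)
        if m and m.group(2) not in ("127.0.0.1", "[::1]") \
                and (m.group(1), int(m.group(3))) not in allowed:
            unexpected.append(f"{m.group(1)}/{m.group(3)} on {m.group(2)}")
    return unexpected

# Constructed sample inputs standing in for a real host's sshd_config and `ss` output.
SAMPLE_SSHD = "# hardened\nProtocol 2\nPasswordAuthentication no\n"
SAMPLE_SS = """tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:443        0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:3306       0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:514        0.0.0.0:*
tcp   LISTEN 0      128             [::]:8080          [::]:*"""
```

On a live host, feed `check_sysctl` the contents of the corresponding `/proc/sys` files and `check_listeners` the output of `ss -Hlntu`; the sample run flags only the unexpected listener on port 8080.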

Data Security

  • All console and serial access to the server is password (or public/private key) protected, and user accounts are strictly limited to only those required for functionality.
  • Netreo web users may be authenticated locally or use LDAP or SAML 2.0. When locally authenticated, user passwords are encrypted using one-way hash functions with a minimum complexity of 256 bits and randomly generated salts. When using LDAP/Active Directory or SAML 2.0, user passwords are never stored or cached on the server. Web users may be forced to change their passwords at an administrator-defined interval.
  • Encrypted MySQL networking is available in some high-availability, cluster, and multi-server configurations.
