Netreo Appliance Security

Netreo uses a security-in-depth, multi-layer approach to hardening and securing appliances.

Because of inherent limitations in application dependencies, error, fraud or dependencies to supporting systems such as networks and operating systems, no controls can provide one hundred percent assurance of system security. However, Netreo believes that the comprehensive security assessment and development processes used in our products provide reasonable assurances to our customers. Customers are welcome to perform any security assessments or evaluations they desire on the Netreo product as deployed, provided such assessments are limited to the normal methods used to access and operate the software (i.e., Netreo provides no assurance against penetration techniques involving destructive methods, hardware stress or bypass techniques not commonly employed against in-place software over the network).

Product Security

• All Netreo software development uses a security-focused programming model and is done primarily in development languages that incorporate security checks to prevent common security flaws (such as buffer overflows). Netreo’s software quality assurance process ensures that all code is tested for security flaws and undergoes periodic code auditing to limit potential security issues. Patches may be scheduled to be applied automatically or on demand. Patching is designed to not disrupt the production use of the system.
• Software updates for Netreo are delivered via a secure VPN system.
  • All VPN communications are sent outbound. Depending on version and configuration this usually uses UDP port 1194 but may optionally use TCP port 443 or TCP port 5000 instead.
  • VPN communications are initiated from the Netreo server to Netreo’s VPN concentrator and are authenticated and encrypted with 128- or 256-bit AES encryption using 1024- or 2048-bit HMAC authentication. This ensures the highest possible level of data security. VPN tunnels may be administratively activated or deactivated by the customer to further restrict access.
  • VPN tunnels terminate in an isolated secured network with strictly regulated access. Each end of the tunnel uses separate packet-level filters, application-level firewalls and packet analysis, and stateful inspection to limit the type, origin and destination of the traffic. Access is controlled through multiple separate password and public/private key authentications. Netreo is configured to never forward traffic between interfaces to prevent any leaking of data between networks.
• TCP SYN-Cookies are used to prevent TCP SYN floods from being used to create Denial-of-Service (DoS) attacks.
• Evasive HTTP techniques with automatic block lists are used to further mitigate DoS attacks and prevent brute-force password scanning.
• Listening services are configured wherever possible to not reveal version numbers or software information in order to make reconnaissance more difficult.
• Customer access to the OS shell is never permitted.

Platform Security

• The OS runs a hardened version of the Linux kernel.
• All of Netreo’s technical personnel undergo extensive background checks prior to employment and are trained to maintain high standards of security awareness.
• Independent auditing of the Netreo appliance has been conducted by Spirent (including penetration testing using a known administrative password) and the system found to be extremely resistant to intrusion. Vulnerability scans are periodically conducted against new versions of the software and any vulnerabilities found are remediated before release.
• To secure the operating system from network attack all unnecessary network services have been removed from the operating system completely, so that the only listening (open) TCP or UDP ports on the server are the services in use.
  • HTTP (may be disabled by customer)
  • HTTPS
  • SSH (may be disabled by customer)
  • Log collection (for syslog and SNMP traps)
  • Flow collection (for NetFlow, sFlow and IPFIX)
  • Network access to any other ports from any interface is forbidden.
• Network-enabled services are internally resource-limited to help prevent DoS flooding of available services – for example, sending a flood of HTTP requests to attempt to crash the web server.
• Remote SSH access is strictly controlled and limited to specific administrative users and SSH login is done primarily using public-key cryptography instead of passwords.
  • Only SSH version 2 is supported.
  • SSH access may be disabled entirely if desired.
• Reverse-path verification is used to ensure that inbound packets cannot spoof the IP addresses of the Netreo server to bypass IP-level security.

Data Security

• All console and serial access to the server is password (or public/private key) protected and user accounts are strictly limited to only those required for functionality.
• Netreo web users may be authenticated locally or use LDAP or SAML 2.0. When locally authenticated, user passwords are encrypted using one-way hash functions with a minimum complexity of 256 bits and randomly generated salts. When using LDAP/Active Directory or SAML 2.0, user passwords are never stored or cached on the server. Web users may be forced to change their password at an administrator-defined interval.
• Encrypted MySQL networking (available in some high-availability, cluster and multi-server configurations).