Security (basics)
NetAcquire systems offer a variety of security options that we’ll examine here. In addition, we offer several other options that will be covered in future articles:
- Security hardening option (targeted to DISA-STIG model)
- Pre-Deployment hardening
- Data-at-rest encryption
Authentication and Encryption
The Security Manager page presents this option at the top of the General tab.
Note: NetAcquire strongly recommends enabling all three options together. Version 9 does not offer individual configuration of these settings, instead making them atomic.
Authentication
This option enforces authentication when accessing the system. Users must provide their credentials and log in. A client certificate authentication option can be chosen for end users who prefer to use a certificate.
Important: A root Linux user exists on your system. NetAcquire assigns a random password and provides it to you, but it is critical that you change this password yourself. The root password must be changed via SSH.
Note: Accessing the system via SSH always requires authentication, regardless of the settings here.
Authentication Type
Users can choose from Password or Certificate authentication. This setting can be combined with Central Authentication (separate tab) to authenticate through your domain server. Enabling Certificate authentication requires further configuration on the Certificates tab.
Encrypt API
This option encrypts non-HTTP[S] traffic:
- Streaming data (NetAcquire I/O, aka NAIO), including publish/subscribe (NAPS)
- CORBA API communications
HTTPS
This option encrypts all web traffic and is required to enable certificate authentication. By default, the system will generate a self-signed but insecure server certificate.
Note: To configure the server with your own secure certificate (strongly recommended), please refer to the Certificates tab and the server manual’s instructions.
Other Settings
A variety of settings can be configured using the Security Manager. A brief summary:
- SSH – communications reliant upon SSH
- Local Passwords – security controlling passwords such as strength, expiration, etc.
- FTP – enables non-secure FTP; SFTP can be found in the SSH section
- HTTP – Apache logging
- Server Discovery – enable/disable mDNS/DNS-SD
- Command Line Sessions – security and messages for SSH
- Security Markings – enable/disable and set security display banners