Security compliance

The Administration > Appliance Security > Security Compliance page controls security features that are used to comply with various contractual and regulatory requirements. It has four sections:

  • Operational modes – control the security posture of the appliance by automatically enabling sets of security features and disabling certain types of access to the appliance.

  • Cryptography – controls the minimum TLS version used by the appliance.

  • Accounts – controls shell access and system account passwords.

  • Access – controls remote access to the appliance.

Changes made to the settings in these sections are not applied to the appliance configuration until you click Configure Now at the bottom of the page.

Operational modes

The security posture of the appliance is determined by its operational mode. There are four operational modes that control the security features:

These operational modes are independent of the shell access selection.

Cryptography

The Cryptography section lets you specify a minimum TLS version for connections to the NetProfiler. Supported TLS versions are 1.1, 1.2, and 1.3. By default, the minimum TLS version is set to TLS 1.2 on new appliances.

Note: Be careful when setting the Minimum TLS setting to Version 1.3, since the appliance will then allow connections using TLS version 1.3 only. NetProfiler can integrate with several products and services that do not yet support TLS version 1.3; to work, these integrations require that the minimum TLS version is 1.1 or 1.2.
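To confirm the minimum TLS version once the change has been applied, you can probe the appliance with a client pinned to one TLS version at a time. The following Python script is an added example, not part of the product or its documentation; the function names and the host name netprofiler.example are assumptions.

```python
import socket
import ssl

VERSIONS = {"1.1": ssl.TLSVersion.TLSv1_1, "1.2": ssl.TLSVersion.TLSv1_2,
            "1.3": ssl.TLSVersion.TLSv1_3}

def pinned_context(version):
    """Client context that offers exactly one TLS version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # testing protocol support only,
    ctx.verify_mode = ssl.CERT_NONE  # not certificate trust
    if version < ssl.TLSVersion.TLSv1_2:
        # Many OpenSSL builds refuse TLS 1.1 locally at the default security
        # level, which would otherwise look like a server-side rejection.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx

def probe(host, port, version, timeout=5.0):
    """True: handshake completed. False: it failed. None: could not test."""
    try:
        ctx = pinned_context(version)
        sock = socket.create_connection((host, port), timeout=timeout)
    except (ValueError, OSError):    # local library lacks the version, or no TCP
        return None
    try:
        with ctx.wrap_socket(sock, server_hostname=host):
            return True
    except OSError:                  # alert, reset or timeout during handshake
        return False

def audit(minimum, results):
    """Judge {label: True/False/None} probe results against the minimum."""
    floor, findings = VERSIONS[minimum], {}
    for label, version in VERSIONS.items():
        accepted = results.get(label)
        if accepted is None:
            findings[label] = "inconclusive"
        elif accepted and version < floor:
            findings[label] = "violation: accepted below the minimum"
        elif not accepted and version >= floor:
            findings[label] = "refused: peers limited to this version will fail"
        else:
            findings[label] = "ok"
    return findings

def scan(host, port=443, timeout=5.0):
    """Probe every version, e.g. audit("1.2", scan("netprofiler.example"))."""
    return {label: probe(host, port, v, timeout) for label, v in VERSIONS.items()}
```

Run it from a host that is allowed to reach the appliance's HTTPS port. An "inconclusive" result means the local TLS library or the network path prevented the test, not that the version is refused.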

Accounts

The Accounts section enables you to specify a shell access mode and to change the passwords of system accounts. The User Accounts list displays only system accounts. It does not include user accounts for the web user interface.

  • Shell Access – When the Shell Access mode is set to Shell Enabled, you can enable or disable logins individually for each system account. When you switch to a different Shell Access mode, access is restricted.

    There are three Shell Access modes: Shell Enabled, Challenge Mode, and Shell Disabled.

    Note: Switching to the Shell Disabled mode is a reversible process as of release 10.20. In prior releases this was irreversible, and the only way to regain access to the shell after it had been disabled was to reload the software and start over from a fresh installation.

  • Enable shell remote authentication (Radius/TACACS+) – When selected, remote authentication from RADIUS and TACACS+ is supported in the command line interface. Shell access must not be set to Shell Disabled. Shell remote authentication uses the configuration settings specified on the Administration > Remote Authentication page; if these settings change while shell remote authentication is enabled, be sure to restart the appliance for the new changes to take effect.

Access

This section of the Security Compliance page allows you to restrict access to the appliance and its database by web browsers and SSH connections:

  • Enable unauthenticated resource sharing ("shared links") – Selecting this option allows users to create links to dashboards, which can be shared with external users (that is, users that have not been authenticated on the NetProfiler appliance). Selecting this option does not create any links, but new links can be created on a per-dashboard basis. Disabling this option will make any previously created dashboard links invalid.

  • Disable HTTP Redirect to HTTPS – Selecting this option blocks external devices from being redirected from port 80 to port 443 and from accessing the appliance on port 80.

  • Enable ODBC Access – Selecting this option allows other systems to access the database of the appliance if they have been set up as database users on the Administration > Account Management > ODBC DB Access page. Deselect this option to prevent ODBC access to the appliance database and to hide the Administration > Account Management > ODBC DB Access page.

  • Remote access
