Difference between revisions of "Security"

From Tranzman Documentation
Jump to: navigation, search
 
(19 intermediate revisions by the same user not shown)
Line 1: Line 1:
Tranzman is loaded with multiple security features.
+
__TOC__
 +
<br>
 +
<br>
 +
<div style="background-color:#fde9e9; padding: 1.5rem; text-align:center; border-radius:8px; max-width:80%; margin: 0 auto; margin-bottom:2rem; ">
 +
  <h1 style="border-bottom:none; font-size:2.5em; font-weight:bold;">Tranzman Security Features</h1>
 +
  <p style="font-size:1.2em; text-align:left;">
 +
    Tranzman is equipped with multiple security features to ensure data integrity and system protection across all migration scenarios.<br>
 +
    Security is enforced at the operating system, network, authentication, and application levels.
 +
  </p>
 +
</div>
  
 +
<div style="max-width:80%; margin: 0 auto;">
  
=== Operating system ===
+
  <div style="background-color:#edf7ff; padding:1.5rem; border-radius:8px; box-shadow:0 2px 4px rgba(0,0,0,0.06); margin-bottom:2rem;">
* Tranzman Appliance (OVA/ISO deployment) is based on RHEL 8.6 source.
+
    <h2 style="border-bottom:2px solid #bbdefb; padding-bottom:0.5rem; font-size:1.5em;">Operating System Security</h2>
 +
    <ul>
 +
      <li>Tranzman Appliance (OVA/ISO deployment) is built on <b>RHEL 8.6</b> sources.</li>
 +
      <li>CLISH access is restricted to:
 +
        <ul>
 +
          <li><span style="color:blue;"><b>admin</b></span> / <span style="color:blue;"><b>P@ssw0rd</b></span> (initial network setup)</li>
 +
          <li><span style="color:blue;"><b>srladmin</b></span> / <span style="color:blue;"><b>SRLP@ssw0rd</b></span> (support & troubleshooting)</li>
 +
        </ul>
 +
      </li>
 +
      <li>SHELL access is exclusive to Stone Ram support.</li>
 +
      <li>System disk encryption prevents unauthorized access and modification.</li>
 +
      <li>Enhanced security enforcement blocks root disk access outside normal booting; tampering with the boot process causes startup failure.</li>
 +
    </ul>
 +
  </div>
  
* CLISH can only be accessed through either of these accounts: <font style="color: blue"> '''admin'''</font> / <font style="color: blue">'''P@ssw0rd''' </font> or  <font style="color:blue"> '''srladmin'''</font> / <font style="color: blue">''' SRLP@ssw0rd''' </font>
+
  <div style="background-color:#fef3f7; padding:1.5rem; border-radius:8px; box-shadow:0 2px 4px rgba(0,0,0,0.06); margin-bottom:2rem;">
 +
    <h2 style="border-bottom:2px solid #f8bbd0; padding-bottom:0.5rem; font-size:1.5em;">Networking Security</h2>
 +
    <ul>
 +
      <li>Single NIC connects to both ORIGIN and DESTINATION servers.</li>
 +
      <li>Secure communication via SSL on port <b>55560</b>; legacy (obfuscated FTP) uses ports <b>55501-55555</b>.</li>
 +
      <li>Administration:
 +
        <ul>
 +
          <li>WebUI over HTTPS (<b>443</b>)</li>
 +
          <li>CLISH via SSH (<b>22</b>)</li>
 +
          <li>NTP sync (UDP <b>123</b>, bidirectional)</li>
 +
          <li>DNS (UDP/TCP <b>53</b>)</li>
 +
          <li>NFS/CIFS shares for cross-vendor/recovery (<b>139, 445, 137, 138</b>)</li>
 +
        </ul>
 +
      </li>
 +
    </ul>
 +
  </div>
  
::'''admin''' user is for initial network setup.
+
  <div style="background-color:#eff8f0; padding:1.5rem; border-radius:8px; box-shadow:0 2px 4px rgba(0,0,0,0.06); margin-bottom:2rem;">
 +
    <h2 style="border-bottom:2px solid #c8e6c9; padding-bottom:0.5rem; font-size:1.5em;">Authentication Security</h2>
 +
    <ul>
 +
      <li><b>Tranzman Agent (TZMTD):</b> Uses client certificates for authentication, packaged within the agent installer. Operates under the <b>Agent</b> user role.</li>
 +
      <li><b>WebUI (HTTPS):</b> Uses <b>Admin</b> user role with username/password authentication, secured by mangled MD5 password hashing.</li>
 +
    </ul>
 +
  </div>
  
::'''srladmin''' user is for support and troubleshoot.
+
  <div style="background-color:#fffbf4; padding:1.5rem; border-radius:8px; box-shadow:0 2px 4px rgba(0,0,0,0.06); margin-bottom:2rem;">
 +
    <h2 style="border-bottom:2px solid #ffe0b2; padding-bottom:0.5rem; font-size:1.5em;">Web Application Security</h2>
 +
    <ul style="padding-left:0; list-style:none;">
 +
      <li style="margin-bottom:1rem;"><b>Broken Authentication:</b> Agent/client authentication integrated into TLS; CA never leaves appliance. Trusted Agents only; GUI restricted to port 443.</li>
 +
      <li style="margin-bottom:1rem;"><b>Sensitive Data Exposure:</b> Metadata (hostnames, policies, backup size, storage configs, encrypted credentials) stored securely. Encryption keys/credentials not accessible via web interface.</li>
 +
      <li style="margin-bottom:1rem;"><b>XML External Entities:</b> Only REST API is used; XML content type rejected.</li>
 +
      <li style="margin-bottom:1rem;"><b>Broken Access Control:</b> Agents validated via certificate CN; each agent accesses only its designated data.</li>
 +
      <li style="margin-bottom:1rem;"><b>Security Misconfiguration:</b> Security measures are built-in, minimizing user misconfiguration risks.</li>
 +
      <li style="margin-bottom:1rem;"><b>Known Vulnerabilities:</b> Periodic vulnerability scans using Qualys.</li>
 +
      <li style="margin-bottom:1rem;"><b>Cross-Site Request Forgery (CSRF):</b> Not required for agent (uses CURL); GUI not publicly accessible and decommissioned after migration.</li>
 +
    </ul>
 +
  </div>
  
* Access to SHELL is restricted to Stone Ram support.
+
  <div style="background-color:#edf7ff; padding:1.5rem; border-radius:8px; box-shadow:0 2px 4px rgba(0,0,0,0.06); margin-bottom:2rem;">
 +
    <h2 style="border-bottom:2px solid #bbdefb; padding-bottom:0.5rem; font-size:1.5em;">Authentication Flow</h2>
 +
    <ul>
 +
      <li><b>Agent / TZMTD – Tranzman Transfer Daemon:</b><br>
 +
        TZMCURL Agent → TLS connection (client certificate authorization) → CN authentication → access granted.
 +
      </li>
 +
      <li><b>Web Browser User Interface / HTTPS:</b><br>
 +
        Browser → TLS connection → user/password authentication → Auth tokens issued (30 min) → requests sent with <code>Auth</code> header → access granted.<br>
 +
        Token expired → reissue token provided → new token issued (30 min) → requests sent with <code>Auth</code> header → access granted.
 +
      </li>
 +
    </ul>
 +
  </div>
  
* System disk is encrypted for unauthorized access and modification.
+
  <div style="background-color:#fef3f7; padding:1.5rem; border-radius:8px; box-shadow:0 2px 4px rgba(0,0,0,0.06); margin-bottom:2rem;">
 +
    <h2 style="border-bottom:2px solid #f8bbd0; padding-bottom:0.5rem; font-size:1.5em;">WebUI Certificate</h2>
 +
    <ul>
 +
      <li>Tranzman employs a self-signed certificate for authentication.</li>
 +
    </ul>
 +
  </div>
  
* Additional Enhanced security enforcement prevents access to root disk other than normal booting process and so tampering or modifying the boot process will result in system start up failure.
+
</div>
  
 
+
<div style="display:flex; justify-content:space-between; margin-top:2rem; padding:1rem; background-color:#ffffff; max-width:90%; margin: 2rem auto 0;">
=== Networking ===
+
  <div style="text-align:left;">
* Tranzman use a single NIC to connect to both the ORIGIN and DESTINATION servers.
+
    [[File:prev_icon.jpg|30px|link=Architecture]] [[Architecture|Previous]]
 
+
  </div>
* By default, it uses the Secure communication (SSL) on port '''55560''' and uses port range from '''55501''' to '''55555''' for Legacy communication (obfuscated FTP)
+
  <div style="text-align:right;">
 
+
    [[Planning|Next]] [[File:next_icon.jpg|30px|link=Planning]]
* For administration of the Tranzman server:
+
  </div>
 
 
::* WebUI uses HTTPS (port '''443''') for all communications.
 
 
 
::* CLISH is accessible over SSH (port '''22''').
 
 
 
::* For NTP, port '''123''' (UDP) should be bidirectional.
 
 
 
::* Port '''53''' (UDP and TCP) needs to be opened for DNS service.
 
 
 
::* For Cross Vendor or Recovery Without Vendor with NFS or CIFS shares for sharing backup image data, ports '''139, 445, 137''' and '''138''' is used between the server with the storage and the Tranzman sever, or between the Tranzman server and the destination server or a recovery client.
 
 
 
 
 
=== Authentication security ===
 
 
 
; Tranzman Agent (TZMTD)
 
: It uses client certificate for authentication. Certificate is protected by packaging it within the agent installer binary. It uses ''Agent'' as user role.
 
 
 
; WebUI (HTTPS)
 
: This uses ''Admin'' as user role with a simple User/Password combination for Authentication. However, the credential is secured by mangled MD5 password hash.
 
 
 
 
 
=== Web application security ===
 

Latest revision as of 09:45, 11 September 2025



Tranzman Security Features

Tranzman is equipped with multiple security features to ensure data integrity and system protection across all migration scenarios.
Security is enforced at the operating system, network, authentication, and application levels.

Operating System Security

  • Tranzman Appliance (OVA/ISO deployment) is built on RHEL 8.6 sources.
  • CLISH access is restricted to:
    • admin / P@ssw0rd (initial network setup)
    • srladmin / SRLP@ssw0rd (support & troubleshooting)
  • SHELL access is exclusive to Stone Ram support.
  • System disk encryption prevents unauthorized access and modification.
  • Enhanced security enforcement blocks root disk access outside normal booting; tampering with the boot process causes startup failure.

Networking Security

  • Single NIC connects to both ORIGIN and DESTINATION servers.
  • Secure communication via SSL on port 55560; legacy (obfuscated FTP) uses ports 55501-55555.
  • Administration:
    • WebUI over HTTPS (443)
    • CLISH via SSH (22)
    • NTP sync (UDP 123, bidirectional)
    • DNS (UDP/TCP 53)
    • NFS/CIFS shares for cross-vendor/recovery (139, 445, 137, 138)

Authentication Security

  • Tranzman Agent (TZMTD): Uses client certificates for authentication, packaged within the agent installer. Operates under the Agent user role.
  • WebUI (HTTPS): Uses Admin user role with username/password authentication, secured by mangled MD5 password hashing.

Web Application Security

  • Broken Authentication: Agent/client authentication integrated into TLS; CA never leaves appliance. Trusted Agents only; GUI restricted to port 443.
  • Sensitive Data Exposure: Metadata (hostnames, policies, backup size, storage configs, encrypted credentials) stored securely. Encryption keys/credentials not accessible via web interface.
  • XML External Entities: Only REST API is used; XML content type rejected.
  • Broken Access Control: Agents validated via certificate CN; each agent accesses only its designated data.
  • Security Misconfiguration: Security measures are built-in, minimizing user misconfiguration risks.
  • Known Vulnerabilities: Periodic vulnerability scans using Qualys.
  • Cross-Site Request Forgery (CSRF): Not required for agent (uses CURL); GUI not publicly accessible and decommissioned after migration.

Authentication Flow

  • Agent / TZMTD – Tranzman Transfer Daemon:
    TZMCURL Agent → TLS connection (client certificate authorization) → CN authentication → access granted.
  • Web Browser User Interface / HTTPS:
    Browser → TLS connection → user/password authentication → Auth tokens issued (30 min) → requests sent with Auth header → access granted.
    Token expired → reissue token provided → new token issued (30 min) → requests sent with Auth header → access granted.

WebUI Certificate

  • Tranzman employs a self-signed certificate for authentication.
   Prev icon.jpg Previous

   Next Next icon.jpg
Retrieved from "https://docs.stoneram.com/index.php?title=Security&oldid=3448"