Difference between revisions of "Security"

From Tranzman Documentation
 
(16 intermediate revisions by the same user not shown)
Line 1: Line 1:
Tranzman is loaded with multiple security features.
+
__TOC__
 +
<br>
 +
<br>
 +
<div style="background-color:#fde9e9; padding: 1.5rem; text-align:center; border-radius:8px; max-width:80%; margin: 0 auto; margin-bottom:2rem; ">
 +
  <h1 style="border-bottom:none; font-size:2.5em; font-weight:bold;">Tranzman Security Features</h1>
 +
  <p style="font-size:1.2em; text-align:left;">
 +
    Tranzman is equipped with multiple security features to ensure data integrity and system protection across all migration scenarios.<br>
 +
    Security is enforced at the operating system, network, authentication, and application levels.
 +
  </p>
 +
</div>
  
 +
<div style="max-width:80%; margin: 0 auto;">
  
=== Operating system ===
+
  <div style="background-color:#edf7ff; padding:1.5rem; border-radius:8px; box-shadow:0 2px 4px rgba(0,0,0,0.06); margin-bottom:2rem;">
* Tranzman Appliance (OVA/ISO deployment) is based on RHEL 8.6 source.
+
    <h2 style="border-bottom:2px solid #bbdefb; padding-bottom:0.5rem; font-size:1.5em;">Operating System Security</h2>
 +
    <ul>
 +
      <li>Tranzman Appliance (OVA/ISO deployment) is built on <b>RHEL 8.6</b> sources.</li>
 +
      <li>CLISH access is restricted to:
 +
        <ul>
 +
          <li><span style="color:blue;"><b>admin</b></span> / <span style="color:blue;"><b>P@ssw0rd</b></span> (initial network setup)</li>
 +
          <li><span style="color:blue;"><b>srladmin</b></span> / <span style="color:blue;"><b>SRLP@ssw0rd</b></span> (support & troubleshooting)</li>
 +
        </ul>
 +
      </li>
 +
      <li>SHELL access is exclusive to Stone Ram support.</li>
 +
      <li>System disk encryption prevents unauthorized access and modification.</li>
 +
      <li>Enhanced security enforcement blocks root disk access outside normal booting; tampering with the boot process causes startup failure.</li>
 +
    </ul>
 +
  </div>
  
* CLISH can only be accessed through either of these accounts: <font style="color: blue"> '''admin'''</font> / <font style="color: blue">'''P@ssw0rd''' </font> or  <font style="color:blue"> '''srladmin'''</font> / <font style="color: blue">''' SRLP@ssw0rd''' </font>
+
  <div style="background-color:#fef3f7; padding:1.5rem; border-radius:8px; box-shadow:0 2px 4px rgba(0,0,0,0.06); margin-bottom:2rem;">
 +
    <h2 style="border-bottom:2px solid #f8bbd0; padding-bottom:0.5rem; font-size:1.5em;">Networking Security</h2>
 +
    <ul>
 +
      <li>Single NIC connects to both ORIGIN and DESTINATION servers.</li>
 +
      <li>Secure communication via SSL on port <b>55560</b>; legacy (obfuscated FTP) uses ports <b>55501-55555</b>.</li>
 +
      <li>Administration:
 +
        <ul>
 +
          <li>WebUI over HTTPS (<b>443</b>)</li>
 +
          <li>CLISH via SSH (<b>22</b>)</li>
 +
          <li>NTP sync (UDP <b>123</b>, bidirectional)</li>
 +
          <li>DNS (UDP/TCP <b>53</b>)</li>
 +
          <li>NFS/CIFS shares for cross-vendor/recovery (<b>139, 445, 137, 138</b>)</li>
 +
        </ul>
 +
      </li>
 +
    </ul>
 +
  </div>
  
::'''admin''' user is for initial network setup.
+
  <div style="background-color:#eff8f0; padding:1.5rem; border-radius:8px; box-shadow:0 2px 4px rgba(0,0,0,0.06); margin-bottom:2rem;">
 +
    <h2 style="border-bottom:2px solid #c8e6c9; padding-bottom:0.5rem; font-size:1.5em;">Authentication Security</h2>
 +
    <ul>
 +
      <li><b>Tranzman Agent (TZMTD):</b> Uses client certificates for authentication, packaged within the agent installer. Operates under the <b>Agent</b> user role.</li>
 +
      <li><b>WebUI (HTTPS):</b> Uses <b>Admin</b> user role with username/password authentication, secured by mangled MD5 password hashing.</li>
 +
    </ul>
 +
  </div>
  
::'''srladmin''' user is for support and troubleshoot.
+
  <div style="background-color:#fffbf4; padding:1.5rem; border-radius:8px; box-shadow:0 2px 4px rgba(0,0,0,0.06); margin-bottom:2rem;">
 +
    <h2 style="border-bottom:2px solid #ffe0b2; padding-bottom:0.5rem; font-size:1.5em;">Web Application Security</h2>
 +
    <ul style="padding-left:0; list-style:none;">
 +
      <li style="margin-bottom:1rem;"><b>Broken Authentication:</b> Agent/client authentication integrated into TLS; CA never leaves appliance. Trusted Agents only; GUI restricted to port 443.</li>
 +
      <li style="margin-bottom:1rem;"><b>Sensitive Data Exposure:</b> Metadata (hostnames, policies, backup size, storage configs, encrypted credentials) stored securely. Encryption keys/credentials not accessible via web interface.</li>
 +
      <li style="margin-bottom:1rem;"><b>XML External Entities:</b> Only REST API is used; XML content type rejected.</li>
 +
      <li style="margin-bottom:1rem;"><b>Broken Access Control:</b> Agents validated via certificate CN; each agent accesses only its designated data.</li>
 +
      <li style="margin-bottom:1rem;"><b>Security Misconfiguration:</b> Security measures are built-in, minimizing user misconfiguration risks.</li>
 +
      <li style="margin-bottom:1rem;"><b>Known Vulnerabilities:</b> Periodic vulnerability scans using Qualys.</li>
 +
      <li style="margin-bottom:1rem;"><b>Cross-Site Request Forgery (CSRF):</b> Not required for agent (uses CURL); GUI not publicly accessible and decommissioned after migration.</li>
 +
    </ul>
 +
  </div>
  
* Access to SHELL is restricted to Stone Ram support.
+
  <div style="background-color:#edf7ff; padding:1.5rem; border-radius:8px; box-shadow:0 2px 4px rgba(0,0,0,0.06); margin-bottom:2rem;">
 +
    <h2 style="border-bottom:2px solid #bbdefb; padding-bottom:0.5rem; font-size:1.5em;">Authentication Flow</h2>
 +
    <ul>
 +
      <li><b>Agent / TZMTD – Tranzman Transfer Daemon:</b><br>
 +
        TZMCURL Agent → TLS connection (client certificate authorization) → CN authentication → access granted.
 +
      </li>
 +
      <li><b>Web Browser User Interface / HTTPS:</b><br>
 +
        Browser → TLS connection → user/password authentication → Auth tokens issued (30 min) → requests sent with <code>Auth</code> header → access granted.<br>
 +
        Token expired → reissue token provided → new token issued (30 min) → requests sent with <code>Auth</code> header → access granted.
 +
      </li>
 +
    </ul>
 +
  </div>
  
* System disk is encrypted for unauthorized access and modification.
+
  <div style="background-color:#fef3f7; padding:1.5rem; border-radius:8px; box-shadow:0 2px 4px rgba(0,0,0,0.06); margin-bottom:2rem;">
 +
    <h2 style="border-bottom:2px solid #f8bbd0; padding-bottom:0.5rem; font-size:1.5em;">WebUI Certificate</h2>
 +
    <ul>
 +
      <li>Tranzman employs a self-signed certificate for authentication.</li>
 +
    </ul>
 +
  </div>
  
* Additional Enhanced security enforcement prevents access to root disk other than normal booting process and so tampering or modifying the boot process will result in system start up failure.
+
</div>
  
 
+
<div style="display:flex; justify-content:space-between; margin-top:2rem; padding:1rem; background-color:#ffffff; max-width:90%; margin: 2rem auto 0;">
=== Networking ===
+
  <div style="text-align:left;">
* Tranzman use a single NIC to connect to both the ORIGIN and DESTINATION servers.
+
    [[File:prev_icon.jpg|30px|link=Architecture]] [[Architecture|Previous]]
 
+
  </div>
* By default, it uses the Secure communication (SSL) on port '''55560''' and uses port range from '''55501''' to '''55555''' for Legacy communication (obfuscated FTP)
+
  <div style="text-align:right;">
 
+
    [[Planning|Next]] [[File:next_icon.jpg|30px|link=Planning]]
* For administration of the Tranzman server:
+
  </div>
 
 
::* WebUI uses HTTPS (port '''443''') for all communications.
 
 
 
::* CLISH is accessible over SSH (port '''22''').
 
 
 
::* For NTP, port '''123''' (UDP) should be bidirectional.
 
 
 
::* Port '''53''' (UDP and TCP) needs to be opened for DNS service.
 
 
 
::* For Cross Vendor or Recovery Without Vendor with NFS or CIFS shares for sharing backup image data, ports '''139, 445, 137''' and '''138''' is used between the server with the storage and the Tranzman sever, or between the Tranzman server and the destination server or a recovery client.
 
 
 
 
 
=== Authentication security ===
 
 
 
; Tranzman Agent (TZMTD)
 
: It uses client certificate for authentication. Certificate is protected by packaging it within the agent installer binary. It uses ''Agent'' as user role.
 
 
 
; WebUI (HTTPS)
 
: This uses ''Admin'' as user role with a simple User/Password combination for Authentication. However, the credential is secured by mangled MD5 password hash.
 
 
 
 
 
=== Web application security ===
 
Web security is always a concern with increasing vulnerabilities. Tranzman has addressed majority of those issues and the below list has the Risk and the mitigations.
 
;Risk - ''Broken Authentication''
 
;Mitigation -
 
:AGENT or client authentication is a part of TLS protocol. CA never leaves TZM appliance.
 
:Request from Trusted Agent (IP addresses) alone are allowed to connect to the appliance. GUI/User interface uses connections on port 443.
 
 
 
;Risk - ''Sensitive Data Exposure''
 
;Mitigation -
 
:TZM keeps the metadata of the NBU catalog (hostnames, policies, backup size, storage configuration, tape encryption keys, encrypted storage passwords) and some client (hostname, IP, NBU version) data in its internal database.
 
:Access to Encryption keys and encrypted passwords is not accessible from the web interface.  It is accessible through agent only during migration for the destination agent.
 
 
 
;Risk - ''XML External Entities''
 
;Mitigation -
 
:Uses REST and any XML content type is rejected.
 
 
 
;Risk - ''Broken Access Control''
 
;Mitigation -
 
:Agent name is referred in CN of the certificate and without that, client is not allowed to perform any task. Agents can only access data exposed for them but not the other agents.
 
 
 
;Risk - ''Security Misconfiguration''
 
;Mitigation -
 
:Security comes out of the box with no additional user configuration and so avoids the risk of misconfiguration.
 
 
 
;Risk - ''Using components with known Vulnerabilities''
 
;Mitigation -
 
:Undergoes periodic scans on appliance with the Qualys.
 
 
 
;Risk - Cross Site Request Forgery (CSRF)
 
;Mitigation -
 
:This is not applicable for Agent. Client is CURL.
 
GUI has no dedicated CSRF protection. Tranzman appliance is not a public internet page. It only exists for the duration of migration and decommissioned post migration.
 
 
 
 
 
=== Authentication flow ===
 
'''Agent / TZMTD – Tranzman Transfer Daemon '''
 
* TZMCURL Agent -> TLS connection established (client certificate authorizes) -> client certificate CN authenticated by the TZMTD server-> access allowed
 
 
 
''' WEB Browser User Interface / HTTPS'''
 
* Browser -> TLS connection established -> user/password provided -> Auth tokens (reissue and active with 30 minutes TTL) issued -> New request send with `Auth` header -> access allowed
 
* Browser -> TLS connection established -> Active token TTL expired -> Reissue token provided -> Active auth token with 30 minutes TTL issued -> New request send with `Auth` header -> access allowed
 
 
 
 
 
=== WebUI certificate ===
 
Tranzman uses self-signed certificate for authentication.
 
 
 
 
 
 
 
{| class="wikitable"  style="margin:auto;width:100%;color:blue;text-align:center;borderstyle=ridge;"
 
|-
 
| Goto [[ Next| Planning ]]
 
|| Return to [[ Previous|Architecture]]
 
|}
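Review bot: the rewritten revision drops two specifics from the old wikitext that an administrator relies on. The old CSRF text ("GUI has no dedicated CSRF protection. Tranzman appliance is not a public internet page.") becomes "GUI not publicly accessible and decommissioned after migration", so the compensating control (network placement) is no longer tied to a named gap; keep the original sentence. The old Sensitive Data Exposure text listed what is stored ("tape encryption keys, encrypted storage passwords") and the one path that can read it ("accessible through agent only during migration for the destination agent"); the new item reduces this to "stored securely", so restore the list and the destination-agent access path, and likewise keep "Trusted Agent (IP addresses)" rather than the bare "Trusted Agents only". Both revisions also print the CLISH credentials for admin and srladmin and describe WebUI passwords as "mangled MD5 password hashing"; the page should state whether these default passwords must be changed at first login, and since MD5 is not a password hashing function, name the actual scheme used.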
 

Latest revision as of 09:45, 11 September 2025



Tranzman Security Features

Tranzman is equipped with multiple security features to ensure data integrity and system protection across all migration scenarios.
Security is enforced at the operating system, network, authentication, and application levels.

Operating System Security

  • Tranzman Appliance (OVA/ISO deployment) is built on RHEL 8.6 sources.
  • CLISH access is restricted to:
    • admin / P@ssw0rd (initial network setup)
    • srladmin / SRLP@ssw0rd (support & troubleshooting)
  • SHELL access is exclusive to Stone Ram support.
  • System disk encryption prevents unauthorized access and modification.
  • Enhanced security enforcement blocks root disk access outside normal booting; tampering with the boot process causes startup failure.

Networking Security

  • Single NIC connects to both ORIGIN and DESTINATION servers.
  • Secure communication via SSL on port 55560; legacy (obfuscated FTP) uses ports 55501-55555.
  • Administration:
    • WebUI over HTTPS (443)
    • CLISH via SSH (22)
    • NTP sync (UDP 123, bidirectional)
    • DNS (UDP/TCP 53)
    • NFS/CIFS shares for cross-vendor/recovery (139, 445, 137, 138)

Authentication Security

  • Tranzman Agent (TZMTD): Uses client certificates for authentication, packaged within the agent installer. Operates under the Agent user role.
  • WebUI (HTTPS): Uses Admin user role with username/password authentication, secured by mangled MD5 password hashing.

Web Application Security

  • Broken Authentication: Agent/client authentication integrated into TLS; CA never leaves appliance. Trusted Agents only; GUI restricted to port 443.
  • Sensitive Data Exposure: Metadata (hostnames, policies, backup size, storage configs, encrypted credentials) stored securely. Encryption keys/credentials not accessible via web interface.
  • XML External Entities: Only REST API is used; XML content type rejected.
  • Broken Access Control: Agents validated via certificate CN; each agent accesses only its designated data.
  • Security Misconfiguration: Security measures are built-in, minimizing user misconfiguration risks.
  • Known Vulnerabilities: Periodic vulnerability scans using Qualys.
  • Cross-Site Request Forgery (CSRF): Not required for agent (uses CURL); GUI not publicly accessible and decommissioned after migration.
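To make the certificate-CN access control in the Broken Access Control item concrete, here is an added Python model, not Tranzman's code. It assumes TLS client-certificate verification has already succeeded and that the peer certificate is available in the dict shape returned by Python's ssl.SSLSocket.getpeercert(); the agent names and the per-agent data sets are constructed.

```python
"""Constructed model of CN-based agent authorization (not Tranzman's code).

Assumption: the TLS layer has already verified the client certificate against
the appliance CA, so only the identity-to-data mapping remains to be enforced.
"""

# Constructed ACL: which data each agent (identified by certificate CN) may access.
AGENT_DATA = {
    "agent-origin-01": {"catalog/origin-01", "images/origin-01"},
    "agent-dest-01": {"images/origin-01", "credentials/dest-01"},
}


def common_name(peercert):
    """Return the subject CN from a getpeercert()-style dict, or None.

    None is returned when no certificate was presented or when the subject
    carries zero or several CNs, so an ambiguous identity is never trusted.
    """
    if not peercert:
        return None  # TLS session without a client certificate
    cns = [value
           for rdn in peercert.get("subject", ())
           for (attr, value) in rdn
           if attr == "commonName"]
    return cns[0] if len(cns) == 1 else None


def authorize(peercert, resource):
    """Allow the request only if the CN names a known agent that owns the resource."""
    cn = common_name(peercert)
    if cn is None or cn not in AGENT_DATA:
        return False  # unknown or missing identity: deny by default
    return resource in AGENT_DATA[cn]


# Constructed peer certificates in the shape ssl.SSLSocket.getpeercert() returns.
ORIGIN_CERT = {"subject": ((("organizationName", "Example"),),
                           (("commonName", "agent-origin-01"),))}
DEST_CERT = {"subject": ((("commonName", "agent-dest-01"),),)}
ANON = {}  # connection that presented no client certificate
```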

Authentication Flow

  • Agent / TZMTD – Tranzman Transfer Daemon:
    TZMCURL Agent → TLS connection (client certificate authorization) → CN authentication → access granted.
  • Web Browser User Interface / HTTPS:
    Browser → TLS connection → user/password authentication → Auth tokens issued (30 min) → requests sent with Auth header → access granted.
    Token expired → reissue token provided → new token issued (30 min) → requests sent with Auth header → access granted.
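The WebUI token flow above (active token with a 30-minute TTL carried in the Auth header, reissue token exchanged for a fresh active token after expiry), as an added Python model rather than Tranzman's implementation. HMAC-SHA256 signing, the reissue token's lifetime and the injectable clock are assumptions made here.

```python
import base64, hashlib, hmac, json, secrets, time

ACTIVE_TTL = 30 * 60         # from the page: active token lives 30 minutes
REISSUE_TTL = 8 * 60 * 60    # assumption: the reissue token outlives the active one


class TokenService:
    """Issues, verifies and reissues signed tokens for the WebUI flow (constructed model)."""

    def __init__(self, key=None, clock=time.time):
        self.key = key or secrets.token_bytes(32)  # HMAC key held only by the appliance
        self.clock = clock                         # injectable so expiry can be tested

    def _sign(self, payload):
        # token = base64url(JSON payload) "." base64url(HMAC-SHA256 over that body)
        body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode())
        mac = hmac.new(self.key, body, hashlib.sha256).digest()
        return (body + b"." + base64.urlsafe_b64encode(mac)).decode()

    def _verify(self, token, kind):
        """Return the payload if signature, token kind and expiry all check out."""
        try:
            body, mac = token.encode().split(b".")
            expected = hmac.new(self.key, body, hashlib.sha256).digest()
            if not hmac.compare_digest(base64.urlsafe_b64decode(mac), expected):
                return None  # forged or tampered token
            payload = json.loads(base64.urlsafe_b64decode(body))
        except (ValueError, TypeError):
            return None      # malformed token
        if payload.get("kind") != kind or payload.get("exp", 0) <= self.clock():
            return None      # wrong token type (e.g. reissue used as active) or expired
        return payload

    def login(self, user):
        """Step 1: after user/password succeed, hand out an active and a reissue token."""
        now = self.clock()
        active = self._sign({"sub": user, "kind": "active", "exp": now + ACTIVE_TTL})
        reissue = self._sign({"sub": user, "kind": "reissue", "exp": now + REISSUE_TTL})
        return active, reissue

    def authorize(self, headers):
        """Step 2: a request is allowed only if its Auth header holds a valid active token."""
        payload = self._verify(headers.get("Auth", ""), "active")
        return payload["sub"] if payload else None

    def reissue(self, reissue_token):
        """Step 3: once the active token expires, exchange the reissue token for a new one."""
        payload = self._verify(reissue_token, "reissue")
        if payload is None:
            return None
        return self._sign({"sub": payload["sub"], "kind": "active",
                           "exp": self.clock() + ACTIVE_TTL})
```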

WebUI Certificate

  • Tranzman employs a self-signed certificate for authentication.