Difference between revisions of "Security"
From Tranzman Documentation
(Created page with "Tranzman is loaded with multiple security features. === Operating system === * Tranzman Appliance (OVA/ISO deployment) is based on RHEL 8.6 source. * CLISH can only be acces...") |
|||
| (23 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
| − | Tranzman is | + | __TOC__ |
| + | <br> | ||
| + | <br> | ||
| + | <div style="background-color:#fde9e9; padding: 1.5rem; text-align:center; border-radius:8px; max-width:80%; margin: 0 auto; margin-bottom:2rem; "> | ||
| + | <h1 style="border-bottom:none; font-size:2.5em; font-weight:bold;">Tranzman Security Features</h1> | ||
| + | <p style="font-size:1.2em; text-align:left;"> | ||
| + | Tranzman is equipped with multiple security features to ensure data integrity and system protection across all migration scenarios.<br> | ||
| + | Security is enforced at the operating system, network, authentication, and application levels. | ||
| + | </p> | ||
| + | </div> | ||
| + | <div style="max-width:80%; margin: 0 auto;"> | ||
| − | == | + | <div style="background-color:#edf7ff; padding:1.5rem; border-radius:8px; box-shadow:0 2px 4px rgba(0,0,0,0.06); margin-bottom:2rem;"> |
| − | + | <h2 style="border-bottom:2px solid #bbdefb; padding-bottom:0.5rem; font-size:1.5em;">Operating System Security</h2> | |
| − | + | <ul> | |
| − | + | <li>Tranzman Appliance (OVA/ISO deployment) is built on <b>RHEL 8.6</b> sources.</li> | |
| − | srladmin/SRLP@ssw0rd ( | + | <li>CLISH access is restricted to: |
| − | + | <ul> | |
| − | System disk | + | <li><span style="color:blue;"><b>admin</b></span> / <span style="color:blue;"><b>P@ssw0rd</b></span> (initial network setup)</li> |
| − | Enhanced security enforcement | + | <li><span style="color:blue;"><b>srladmin</b></span> / <span style="color:blue;"><b>SRLP@ssw0rd</b></span> (support & troubleshooting)</li> |
| + | </ul> | ||
| + | </li> | ||
| + | <li>SHELL access is exclusive to Stone Ram support.</li> | ||
| + | <li>System disk encryption prevents unauthorized access and modification.</li> | ||
| + | <li>Enhanced security enforcement blocks root disk access outside normal booting; tampering with the boot process causes startup failure.</li> | ||
| + | </ul> | ||
| + | </div> | ||
| + | |||
| + | <div style="background-color:#fef3f7; padding:1.5rem; border-radius:8px; box-shadow:0 2px 4px rgba(0,0,0,0.06); margin-bottom:2rem;"> | ||
| + | <h2 style="border-bottom:2px solid #f8bbd0; padding-bottom:0.5rem; font-size:1.5em;">Networking Security</h2> | ||
| + | <ul> | ||
| + | <li>Single NIC connects to both ORIGIN and DESTINATION servers.</li> | ||
| + | <li>Secure communication via SSL on port <b>55560</b>; legacy (obfuscated FTP) uses ports <b>55501-55555</b>.</li> | ||
| + | <li>Administration: | ||
| + | <ul> | ||
| + | <li>WebUI over HTTPS (<b>443</b>)</li> | ||
| + | <li>CLISH via SSH (<b>22</b>)</li> | ||
| + | <li>NTP sync (UDP <b>123</b>, bidirectional)</li> | ||
| + | <li>DNS (UDP/TCP <b>53</b>)</li> | ||
| + | <li>NFS/CIFS shares for cross-vendor/recovery (<b>139, 445, 137, 138</b>)</li> | ||
| + | </ul> | ||
| + | </li> | ||
| + | </ul> | ||
| + | </div> | ||
| + | |||
| + | <div style="background-color:#eff8f0; padding:1.5rem; border-radius:8px; box-shadow:0 2px 4px rgba(0,0,0,0.06); margin-bottom:2rem;"> | ||
| + | <h2 style="border-bottom:2px solid #c8e6c9; padding-bottom:0.5rem; font-size:1.5em;">Authentication Security</h2> | ||
| + | <ul> | ||
| + | <li><b>Tranzman Agent (TZMTD):</b> Uses client certificates for authentication, packaged within the agent installer. Operates under the <b>Agent</b> user role.</li> | ||
| + | <li><b>WebUI (HTTPS):</b> Uses <b>Admin</b> user role with username/password authentication, secured by mangled MD5 password hashing.</li> | ||
| + | </ul> | ||
| + | </div> | ||
| + | |||
| + | <div style="background-color:#fffbf4; padding:1.5rem; border-radius:8px; box-shadow:0 2px 4px rgba(0,0,0,0.06); margin-bottom:2rem;"> | ||
| + | <h2 style="border-bottom:2px solid #ffe0b2; padding-bottom:0.5rem; font-size:1.5em;">Web Application Security</h2> | ||
| + | <ul style="padding-left:0; list-style:none;"> | ||
| + | <li style="margin-bottom:1rem;"><b>Broken Authentication:</b> Agent/client authentication integrated into TLS; CA never leaves appliance. Trusted Agents only; GUI restricted to port 443.</li> | ||
| + | <li style="margin-bottom:1rem;"><b>Sensitive Data Exposure:</b> Metadata (hostnames, policies, backup size, storage configs, encrypted credentials) stored securely. Encryption keys/credentials not accessible via web interface.</li> | ||
| + | <li style="margin-bottom:1rem;"><b>XML External Entities:</b> Only REST API is used; XML content type rejected.</li> | ||
| + | <li style="margin-bottom:1rem;"><b>Broken Access Control:</b> Agents validated via certificate CN; each agent accesses only its designated data.</li> | ||
| + | <li style="margin-bottom:1rem;"><b>Security Misconfiguration:</b> Security measures are built-in, minimizing user misconfiguration risks.</li> | ||
| + | <li style="margin-bottom:1rem;"><b>Known Vulnerabilities:</b> Periodic vulnerability scans using Qualys.</li> | ||
| + | <li style="margin-bottom:1rem;"><b>Cross-Site Request Forgery (CSRF):</b> Not required for agent (uses CURL); GUI not publicly accessible and decommissioned after migration.</li> | ||
| + | </ul> | ||
| + | </div> | ||
| + | |||
| + | <div style="background-color:#edf7ff; padding:1.5rem; border-radius:8px; box-shadow:0 2px 4px rgba(0,0,0,0.06); margin-bottom:2rem;"> | ||
| + | <h2 style="border-bottom:2px solid #bbdefb; padding-bottom:0.5rem; font-size:1.5em;">Authentication Flow</h2> | ||
| + | <ul> | ||
| + | <li><b>Agent / TZMTD – Tranzman Transfer Daemon:</b><br> | ||
| + | TZMCURL Agent → TLS connection (client certificate authorization) → CN authentication → access granted. | ||
| + | </li> | ||
| + | <li><b>Web Browser User Interface / HTTPS:</b><br> | ||
| + | Browser → TLS connection → user/password authentication → Auth tokens issued (30 min) → requests sent with <code>Auth</code> header → access granted.<br> | ||
| + | Token expired → reissue token provided → new token issued (30 min) → requests sent with <code>Auth</code> header → access granted. | ||
| + | </li> | ||
| + | </ul> | ||
| + | </div> | ||
| + | |||
| + | <div style="background-color:#fef3f7; padding:1.5rem; border-radius:8px; box-shadow:0 2px 4px rgba(0,0,0,0.06); margin-bottom:2rem;"> | ||
| + | <h2 style="border-bottom:2px solid #f8bbd0; padding-bottom:0.5rem; font-size:1.5em;">WebUI Certificate</h2> | ||
| + | <ul> | ||
| + | <li>Tranzman employs a self-signed certificate for authentication.</li> | ||
| + | </ul> | ||
| + | </div> | ||
| + | |||
| + | </div> | ||
| + | |||
| + | <div style="display:flex; justify-content:space-between; margin-top:2rem; padding:1rem; background-color:#ffffff; max-width:90%; margin: 2rem auto 0;"> | ||
| + | <div style="text-align:left;"> | ||
| + | [[File:prev_icon.jpg|30px|link=Architecture]] [[Architecture|Previous]] | ||
| + | </div> | ||
| + | <div style="text-align:right;"> | ||
| + | [[Planning|Next]] [[File:next_icon.jpg|30px|link=Planning]] | ||
| + | </div> | ||
Latest revision as of 09:45, 11 September 2025
Contents
Tranzman Security Features
Tranzman is equipped with multiple security features to ensure data integrity and system protection across all migration scenarios.
Security is enforced at the operating system, network, authentication, and application levels.
Operating System Security
- Tranzman Appliance (OVA/ISO deployment) is built on RHEL 8.6 sources.
- CLISH access is restricted to:
- admin / P@ssw0rd (initial network setup)
- srladmin / SRLP@ssw0rd (support & troubleshooting)
- SHELL access is exclusive to Stone Ram support.
- System disk encryption prevents unauthorized access and modification.
- Enhanced security enforcement blocks root disk access outside normal booting; tampering with the boot process causes startup failure.
Networking Security
- Single NIC connects to both ORIGIN and DESTINATION servers.
- Secure communication via SSL on port 55560; legacy (obfuscated FTP) uses ports 55501-55555.
- Administration:
- WebUI over HTTPS (443)
- CLISH via SSH (22)
- NTP sync (UDP 123, bidirectional)
- DNS (UDP/TCP 53)
- NFS/CIFS shares for cross-vendor/recovery (139, 445, 137, 138)
Authentication Security
- Tranzman Agent (TZMTD): Uses client certificates for authentication, packaged within the agent installer. Operates under the Agent user role.
- WebUI (HTTPS): Uses Admin user role with username/password authentication, secured by mangled MD5 password hashing.
Web Application Security
- Broken Authentication: Agent/client authentication integrated into TLS; CA never leaves appliance. Trusted Agents only; GUI restricted to port 443.
- Sensitive Data Exposure: Metadata (hostnames, policies, backup size, storage configs, encrypted credentials) stored securely. Encryption keys/credentials not accessible via web interface.
- XML External Entities: Only REST API is used; XML content type rejected.
- Broken Access Control: Agents validated via certificate CN; each agent accesses only its designated data.
- Security Misconfiguration: Security measures are built-in, minimizing user misconfiguration risks.
- Known Vulnerabilities: Periodic vulnerability scans using Qualys.
- Cross-Site Request Forgery (CSRF): Not required for agent (uses CURL); GUI not publicly accessible and decommissioned after migration.
Authentication Flow
- Agent / TZMTD – Tranzman Transfer Daemon:
TZMCURL Agent → TLS connection (client certificate authorization) → CN authentication → access granted. - Web Browser User Interface / HTTPS:
Browser → TLS connection → user/password authentication → Auth tokens issued (30 min) → requests sent withAuthheader → access granted.
Token expired → reissue token provided → new token issued (30 min) → requests sent withAuthheader → access granted.
WebUI Certificate
- Tranzman employs a self-signed certificate for authentication.
