SECURITY FAQs Vunetrix Network Monitor Hosted Service. ver Revision: 1.2 Updated: April P a g e

Transcription

1 SECURITY FAQs Vunetrix Network Monitor Hosted Service ver Revision: 1.2 Updated: April P a g e

2 Introduction Welcome to Vunetrix Network Monitor (VNM), a world-class monitoring tool designed specifically for the security industry. The VNM software is completely scalable and can be used to monitor a single NVR with a handful of surveillance cameras or a large IP network with thousands of devices. The VNM software solution is installed on a physical or virtual Vunetrix appliance. It is able to scale because of a small piece of software known as a Vunetrix Remote Probe which runs as a lightweight service process in the background of a Windows server or workstation. The Remote Probe performs the polling and collection of data from security devices throughout the network and sends data to the VNM Core for storage, analysis and generation of alerts and notifications. Remote Probes are unobtrusive and can be colocated with other software programs, making additional IT resources unnecessary. The Security Challenge The Physical Security Industry has seen incredible transformations lately, especially with software being readily available as a service (i.e., SaaS). Hosted services, no matter how convenient or cost effective, can bring increased risks to system and data integrity. In this new paradigm, security integrators who provide solutions and services must insure that the products they recommend are as secure as possible. The purpose of this document is to present questions we get asked regularly concerning the security of the Vunetrix Hosted service, and to provide assurance that we take security of our solution very seriously. While we keep the document as current as possible, there may be questions that we haven t answered. Please contact your Vunetrix representative (sales@vunetrix.com) or Vunetrix Technical Support (support@vunetrix.com) and we will get back to you as quickly as possible. 1 P a g e

3 Security Frequently Asked Questions Vunetrix Hosted Services Q: How secure is Vunetrix Hosted data? A: Vunetrix takes numerous precautions to ensure data integrity and security: 2048-bit encryption is used to encrypt the initial public-private key exchange when users sign onto the hosted site and begin data transmission. AES 256-bit SSL encryption is used to encrypt data streams between remote probes and servers. This is the same strength as required by the United States Department of Defense for encryption of TOP SECRET level documents. Data is stored in a proprietary database format to protect against well-known SQL attacks and data hacks. Web access is allowed via HTTPS to ensure the entire communication stream is encrypted end-to-end. Q: How secure are the Vunetrix Hosted facilities? A: Hosted servers are located in access controlled, Tier 3+ data centers that utilize appropriate physical access control and video surveillance to track access and egress and protect their premises. For example: Visitors must present photo identification or use biometric access. Visitors are escorted within the center to prevent unauthorized tampering. Individual server racks in the data center are secured under lock and key. Vunetrix does not employ any foreign services or follow-the-sun support scheme. The company operates two separate private hosted sites within North America. United States and Canadian data are stored separately, ensuring data does not cross the border (unless specifically requested by the client.) Canadian data resides only in Canadian data centers to be exempt from the United States Patriot Act. Q: How long is data retained on the Vunetrix Hosted service? A: By default, all device health and performance data is retained for 365 days on the Vunetrix Hosted service. Longer or shorter retention times are available. If interested, please speak to your Vunetrix representative for more information. 2 P a g e

4 Q: Who has access to the data collected by the Vunetrix Remote Probe? A: Access is granted to users and groups through group-based permissions, much like a corporate Active Directory server grants access to network resources. Typically, the support team from the partner of record (most often the security integrator or VAR) will retain access to view end-user data. If an integrator has multiple clients on Vunetrix Hosted service, each end-user is limited to viewing data only for their organization. Not all end-users will have access granted to view data. Access for end-user accounts is arranged by the partner/integrator/var. The Vunetrix Technical Support team has access to all sensor data for support purposes. Q: Is any personal data captured on the Vunetrix Hosted service? A: No. For access control systems, Vunetrix simply monitors the health and performance of the physical hardware and the state of logical software but does not access records or collect cardholder information. For video surveillance systems, no video data is captured, analyzed or transferred to our Core Service. Vunetrix monitors the state of video services and hardware, as well as the health and performance metrics of NVRs, servers, switches and edge devices such as cameras, encoders and panels,. Vunetrix Network Monitor is generally compliant with legislation that provides privacy and personal identification protection. If more detail is needed, please speak to your Vunetrix representative directly. Q: How does the Vunetrix Remote Probe communicate with the hosted service? A: The Vunetrix Remote Probe software initiates a connection to the Vunetrix Hosted Core Service from inside the client s firewall. In most cases, modern firewalls allow traffic originating inside a client s firewall to connect automatically to any destination IP, so usually there is no need for a security integrator to be concerned about this connection. In addition, Vunetrix Remote Probes encrypt all communications to and from the Vunetrix Hosted Core Service with strong AES 256-bit SSL encryption. 3 P a g e

5 Q: If the Remote Probe software is not automatically allowed out through the client s firewall, which ports do I need open on my firewall to communicate with the Vunetrix Hosted Core Service? A: Simply ask the team responsible for the firewall to open TCP port bi-directionally which will then allow secure communications from the Remote Probe to the Hosted Core. This connection can be tested prior to installation of the Remote Probe software. See the document Getting Started with VNM Hosted Services on the Vunetrix website for details or contact Vunetrix Technical Support. Q: Does opening a port on the firewall create a vulnerability? A: Technically, yes. However, all modern firewall products have multiple methods with which to combat vulnerabilities such as this. The simplest is to create an ACL (Access Control List) for port traffic to only send destination traffic to and accept source traffic from a specific web address. This locks down traffic to a single source/destination and drops traffic originating from other outside sources. We also rely on port not being wellknown (i.e., use of the security-through-obscurity concept). 4 P a g e