Data Center Expert Security Handbook

The intent of this document is to provide a security handbook covering relevant best practices and information for Data Center Expert (DCE). 

 

DCE is a software solution consisting of both a server and client. The server is supported by a proprietary version of Rocky Linux and shipped as a locked down appliance. Users do not have access to the underlying operating system. The client runs on a standard Windows operating system. See system requirements for more information.

Note: This page is targeted at the latest release of DCE, however applicable to older versions.

 

Security Hardening

 

This topic outlines how to harden and secure an instance of DCE. To maintain security throughout the deployment lifecycle, Schneider Electric recommends reviewing the following considerations for:

 

• Network Security
• Physical Security
• Appliance Security
• Client Security
• Device Integration Security

NOTE: Different deployments may require different security considerations.

 

This document provides general security guidance to help you decide on an appropriate secure deployment based on your specific security requirements.

 

Network Security

 

Insufficient restrictions on system access over the network increases exposure to attacks from viruses, worms, and spyware, and may also facilitate undesired access to resources.

Not having a rule in place that denies incoming traffic unnecessarily exposes a system to compromise. Schneider Electric strongly recommends that the below key configuration changes are made.

 

Firewalls

 

Schneider Electric strongly recommends that network traffic to DCE is behind a firewall. 

 

A firewall will reduce the likelihood of compromise but cannot prevent all attacks. Firewall logs, if enabled, can be used to identify successful attacks. In the event of a system compromise, these logs are used in forensic analysis to determine the extent of the compromise and nature of the attack.

 

Enable logs; retain at least 30 days of data; and collect at least source and destination IP

Please see the Network Protocols and Ports section of this document for a breakdown of all ports used by DCE.

 

Deploy a Network Layer Firewall

Schneider Electric strongly recommends that the device is not exposed to the public Internet and is deployed behind an appropriate Stateful Packet Inspection (SPI) firewall. 

 

Appliance Firewall

The Data Center Expert server comes with a firewall included. The server is not configurable and therefore the firewall cannot be changed.

 

Network Segmentation

 

Schneider Electric strongly recommends that network traffic to DCE’s public and private interfaces are both separated, either physically or logically, from normal network traffic.

 

A flat network architecture makes it easier for malicious actors to move around within the network; whereas with network segmentation, organizations can enhance network security by controlling access to sensitive data in the form of enabling or denying network access.

 

A strong security policy entails segmenting the network into multiple zones, with varying security requirements, and rigorously enforcing the policy on what is allowed to move from zone to zone.

 

Connected Network Directories

 

Schneider Electric recommends that all connected network directories, for example, directories for backups, be secured and only accessible to DCE and DCE administrators.

This minimizes any risk associated with a malicious actor tampering with a backup that may potentially be restored into DCE.

 

Other Security Detection and Monitoring Tools

 

Schneider Electric recommends that the environment is protected and monitored by appropriate physical, technical and administrative tools for network intrusion and monitoring such as IDS/IPS and appropriate SIEM solutions.

 

Physical Security

 

Attackers with physical access to covered equipment can access the device without authorization.  Schneider Electric recommends that physical security must be in place to control the physical access to restricted areas and facilities containing instances of DCE and other hardware.

 

Deploy Equipment in a Secure Location

 

Custodians should secure equipment from unauthorized physical access.

 

• Access should be restricted to those who require access to maintain the equipment.
• Restricted areas should be clearly marked for authorized personnel only.
• Restricted areas should be secured by locked doors.
• Access to the restricted areas should produce a physical or electronic, regularly reviewed, audit trail.

 

Secure access to the device front panel and rear ports

 

Deploy the physical appliance in a rack or cage that can be locked with a suitable key, or other physical methods. Any of these methods should be tested regularly. This will prevent access to the physical ports of the device and restrict console access.

 

Appliance Security

 

Privileged Accounts

 

Privileged and super-user accounts (Administrator and root) must not be used for non-administrator activities. Network services must run under accounts assigned the minimum necessary privileges. Also minimize the number of local accounts

 

Certificates

 

Replace the Default SSL/TLS Certificate Default SSL/TLS certificates are created during the initial configuration of the device. These certificates are not intended for use in production deployments and should be replaced.

 

Schneider Electric recommends that customers configure the device to use certificates either from a reputable Certificate Authority (CA) or appropriate certificates from your enterprise CA.

 

SSH

 

SSH is disabled on the DCE appliance by default and should remain disabled unless needed for support troubleshooting sessions. If it is enabled, it should be disabled when no longer needed.

 

Logging

 

Schneider Electric recommends that customers regularly monitor DCE logging. 

 

DCE has readily available capture logs (based on standard Linux capabilities). Logs are stored on the server and are accessible to system administrator.

 

Upgrades

 

Schneider Electric recommends that, prior to performing an update, an administrator validates the downloaded artifact checksum against the SHA1 checksum provided on the download page.

 

This minimizes any risk associated with a malicious actor tampering with an upgrade file after it has been downloaded from the secure Schneider Electric website.

 

Validate security settings

 

It is considered a best practice to validate configured security settings to ensure they work as intended. Schneider Electric strongly recommends making this practice mandatory whenever security configurations are modified. For example:

 

• Verify the configured firewall rules. Attempt to make a connection that is configured to be denied and verify it is denied.
• Verify the configured security policies. Verify that monitored devices are online in the Data Center Expert.
• Verify an HTTP to HTTPS redirect occurs when HSTS is enabled.
• Verify SSL certificate changes are applied correctly by viewing the certificate in a web browser.
• Attempt to log in with an invalid user name or password and validate that the unsuccessful login attempt is logged in the event log.
• Attempt to access the DCE server via an insecure protocol, for example, HTTP. Verify the server is inaccessible when HTTP is not enabled.

 

Client Security

 

Physical Security

 

Customers are responsible for the physical security of their client machines. This may include logging off or locking the client machine when away from it, avoiding leaving it unattended in public areas, and keeping it in a secure location when not in use.

 

Digital Security

 

Customers should protect their client machines from cyberattacks and data breaches. Protections may include:

 

• Setting strong passwords
• Using different authentication methods
• Encrypting hard drives
• Backing up data regularly
• Installing antivirus software and keeping it up to date
• Enabling firewall protection
• Keeping software and operating systems up to date
• Installing and maintaining the latest antivirus software on client machines.
• Enabling Data Execution Prevention (DEP) for the EcoStruxure IT Data Center Expert desktop client

 

Device Integration Security

 

Schneider Electric recommends that customers harden any NMC-based devices by using the latest available firmware updates and recommended configuration changes.

For more information, see the security handbooks for NMC2 and NMC3 devices.

 

Secure Disposal and Decommissioning

 

This topic outlines how to reset an instance of DCE to its default settings and erase all user information and configurations

 

Delete Device Contents

 

For information on how to delete the device contents, please consult the Restoring a Data Center Expert Physical Appliance or Restoring a Data Center Expert Physical Appliance sections of https://www.apc.com/us/en/faqs/FA321728/

 

Dispose of Physical Device

 

For information on how to physically dispose of or recycle the DCE appliance, please consult our hardware supplier’s documentation.

 

Network Protocol and Ports

 

This section contains all ports utilized by DCE. Schneider Electric recommends that secure protocols are used wherever possible. The DCE will only attempt to communicate over the ports and protocols in External Integrations and Device Communication sections if they have been configured.

 

Web Server

 

Protocol	Transfer Protocol	Port	Direction	Description
HTTP(S)	TCP(SSL)	80(443)1	Inbound	Used for client communication and 3rd party integrations

 

External Integrations

 

Protocol	Transfer Protocol	Port	Direction	Description
SMTP	TCP	251	Outbound	Communication with email server
NFS	TCP/UDP	111	Outbound	NFS mounted external drive
		2049	Outbound	NAS/SAN
NTP	UDP	123	Outbound	Remote NTP server time communication
SMB	TCP	139, 445	Outbound	NAS/SAN
	UDP	137, 138	Outbound	NAS/SAN
DNS	TCP/UDP	53	Outbound	DNS Server
LDAP	TCP	3891	Outbound	Active Directory/LDAP
LDAPS (with SSL)	TCP(SSL)	636	Outbound	Active Directory/LDAP

 

Device Communication

 

Protocol	Transfer Protocol	Port	Direction	Description
FTP	TCP	211	Outbound	Used to transfer configurations, firmware binaries and logs
SCP	TCP	221	Outbound	Used to transfer configurations, firmware binaries and logs
SNMPv3	UDP	1611	Outbound	SNMP device polling and discovery
		1621	Inbound	SNMP traps
HTTP(S)	TCP	80(443)	Inbound	NetBotz device polling and discovery
			Outbound	NetBotz traps
Modbus TCP	TCP	5021	Outbound	Modbus TCP device polling and discovery
APC Proprietary Communication	TCP	6000	Outbound	AP76xx outlet strips and gen1 PDU device polling and discovery

 

Local System Only

 

Protocol	Transfer Protocol	Port	Direction	Description
PostgresSQL	TCP	5432	Inbound	Local System ONLY – Used by the DCE server to communicate with its database

 

¹ Port can be changed from its default value.  Please consult with DCE documentation for more information.

 

Data Center Expert REST API

 

Data Center Expert supports a REST API and utilizes OAuth2 for authorization. Handling OAuth2 access tokens and refresh tokens securely is critical to ensure the integrity and confidentiality of data.

 

Integrators should take care where they store these tokens and should treat them as sensitive data. Keeping OAuth2 tokens secure is crucial because they serve as the keys to accessing device data and resources, and any compromise could lead to unauthorized access, data breaches, and potential misuse of sensitive information.

 

Software Vulnerability, Scan(s) and Certifications

 

Vulnerability scans are regularly run against Data Center Expert. Schneider Electric is committed to remediating and patching any items identified.

For more information on major vulnerabilities, see Schneider Electric Security Notifications.

 

Schneider Electric IT Corporation Legal Disclaimer

 

The information presented in this manual is not warranted by the Schneider Electric IT Corporation to be authoritative, error free, or complete. This publication is not meant to be a substitute for a detailed operational and site specific development plan. Therefore, Schneider Electric IT Corporation assumes no liability for damages, violations of codes, improper installation, system failures, or any other problems that could arise based on the use of this Publication. The information contained in this Publication is provided as is and has been prepared solely for the purpose of evaluating data center design and construction. This Publication has been compiled in good faith by Schneider Electric IT Corporation. However, no representation is made or warranty given, either express or implied, as to the completeness or accuracy of the information this Publication contains. IN NO EVENT SHALL SCHNEIDER ELECTRIC IT CORPORATION, OR ANY PARENT, AFFILIATE OR SUBSIDIARY COMPANY OF SCHNEIDER ELECTRIC IT CORPORATION OR THEIR RESPECTIVE OFFICERS, DIRECTORS, OR EMPLOYEES BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL, OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF BUSINESS, CONTRACT, REVENUE, DATA, INFORMATION, OR BUSINESS INTERRUPTION) RESULTING FROM, ARISING OUT, OR IN CONNECTION WITH THE USE OF, OR INABILITY TO USE THIS PUBLICATION OR THE CONTENT, EVEN IF SCHNEIDER ELECTRIC IT CORPORATION HAS BEEN EXPRESSLY ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SCHNEIDER ELECTRIC IT CORPORATION RESERVES THE RIGHT TO MAKE CHANGES OR UPDATES WITH RESPECT TO OR IN THE CONTENT OF THE PUBLICATION OR THE FORMAT THEREOF AT ANY TIME WITHOUT NOTICE. Copyright, intellectual, and all other proprietary rights in the content (including but not limited to software, audio, video, text, and photographs) rests with Schneider Electric IT Corporation or its licensors. All rights in the content not expressly granted herein are reserved. No rights of any kind are licensed or assigned or shall otherwise pass to persons accessing this information. This Publication shall not be for resale in whole or in part.