The intent of this document is to provide a security handbook covering relevant best practices and information for Data Center Expert (DCE).
DCE is a software solution consisting of both a server and client. The server is supported by a proprietary version of Rocky Linux and shipped as a locked down appliance. Users do not have access to the underlying operating system. The client runs on a standard Windows operating system. See system requirements for more information.
Note: This page is targeted at the latest release of DCE, but it is also applicable to older versions.
Security Hardening
This topic outlines how to harden and secure an instance of DCE. To maintain security throughout the deployment lifecycle, Schneider Electric recommends reviewing the following considerations for:
Network Security
Physical Security
Appliance Security
Client Security
Device Integration Security
NOTE: Different deployments may require different security considerations.
This document provides general security guidance to help you decide on an appropriate secure deployment based on your specific security requirements.
Network Security
Insufficient restrictions on system access over the network increase exposure to attacks from viruses, worms, and spyware, and may also facilitate undesired access to resources.
Without a rule in place that denies incoming traffic, a system is unnecessarily exposed to compromise. Schneider Electric strongly recommends making the key configuration changes below.
Firewalls
Schneider Electric strongly recommends that all network traffic to DCE pass through a firewall.
A firewall will reduce the likelihood of compromise but cannot prevent all attacks. Firewall logs, if enabled, can be used to identify successful attacks. In the event of a system compromise, these logs are used in forensic analysis to determine the extent of the compromise and nature of the attack.
Enable logs, retain at least 30 days of data, and collect at least the source and destination IP addresses.
Please see the Network Protocols and Ports section of this document for a breakdown of all ports used by DCE.
Deploy a Network Layer Firewall
Schneider Electric strongly recommends that the device is not exposed to the public Internet and is deployed behind an appropriate Stateful Packet Inspection (SPI) firewall.
Appliance Firewall
The Data Center Expert server comes with a firewall included. The server is not configurable and therefore the firewall cannot be changed.
Network Segmentation
Schneider Electric strongly recommends that network traffic to both the public and private interfaces of DCE is separated, either physically or logically, from normal network traffic.
A flat network architecture makes it easier for malicious actors to move around within the network. With network segmentation, organizations can enhance network security by controlling access to sensitive data, allowing or denying network access as required.
A strong security policy entails segmenting the network into multiple zones, with varying security requirements, and rigorously enforcing the policy on what is allowed to move from zone to zone.
If monitored devices cannot utilize secure protocols, it is recommended that they be placed on the private network, separate from the public network.
Connected Network Directories
Schneider Electric recommends that all connected network directories, for example, directories for backups, be secured and only accessible to DCE and DCE administrators.
This minimizes any risk associated with a malicious actor tampering with a backup that may potentially be restored into DCE.
Other Security Detection and Monitoring Tools
Schneider Electric recommends that the environment is protected and monitored by appropriate physical, technical and administrative tools for network intrusion and monitoring such as IDS/IPS and appropriate SIEM solutions.
Physical Security
Attackers with physical access to covered equipment can access the device without authorization. Schneider Electric recommends that physical security be in place to control physical access to restricted areas and facilities containing instances of DCE and other hardware.
Deploy Equipment in a Secure Location
Custodians should secure equipment from unauthorized physical access.
Access should be restricted to those who require access to maintain the equipment.
Restricted areas should be clearly marked for authorized personnel only.
Restricted areas should be secured by locked doors.
Access to the restricted areas should produce a physical or electronic, regularly reviewed, audit trail.
Secure access to the device front panel and rear ports
Deploy the physical appliance in a rack or cage that can be locked with a suitable key, or other physical methods. Any of these methods should be tested regularly. This will prevent access to the physical ports of the device and restrict console access.
Appliance Security
Privileged Accounts
Privileged and super-user accounts (Administrator and root) must not be used for non-administrator activities. Network services must run under accounts assigned the minimum necessary privileges. Also minimize the number of local accounts.
Certificates
Replace the Default SSL/TLS Certificate
Default SSL/TLS certificates are created during the initial configuration of the device. These certificates are not intended for use in production deployments and should be replaced.
Schneider Electric recommends that customers configure the device to use certificates either from a reputable Certificate Authority (CA) or appropriate certificates from your enterprise CA.
SSH
SSH is disabled on the DCE appliance by default and should remain disabled unless needed for support troubleshooting sessions. If it is enabled, it should be disabled when no longer needed.
Logging
Schneider Electric recommends that customers regularly monitor DCE logging.
DCE has readily available capture logs (based on standard Linux capabilities). Logs are stored on the server and are accessible to the system administrator.
Upgrades
Schneider Electric recommends that, prior to performing an update, an administrator validates the downloaded artifact checksum against the SHA1 checksum provided on the download page.
This minimizes any risk associated with a malicious actor tampering with an upgrade file after it has been downloaded from the secure Schneider Electric website.
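One way to carry out the checksum validation described above is sketched below. This is an added example, not Schneider Electric code; the function names are hypothetical, and the published value is assumed to be pasted from the download page either as a bare digest or with a label or file name around it.

```python
import hashlib
import hmac
import re
import sys

# Exactly 40 hex digits with no hex digit on either side (SHA-1 length).
SHA1_HEX = re.compile(r"\b[0-9a-fA-F]{40}\b")


def parse_published_sha1(text):
    """Extract the SHA-1 digest from text copied from the download page.

    Accepts a bare digest, 'SHA1: <digest>', or '<digest>  <file name>'.
    Raises ValueError unless exactly one digest is present, so a truncated
    or ambiguous paste is never silently accepted.
    """
    found = SHA1_HEX.findall(text)
    if len(found) != 1:
        raise ValueError(f"expected exactly one SHA-1 digest, found {len(found)}")
    return found[0].lower()


def file_sha1(path, chunk_size=1024 * 1024):
    """Hash in chunks so a large upgrade file is never loaded into memory whole."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_artifact(path, published_text):
    """Return True only if the file's SHA-1 equals the published digest."""
    expected = parse_published_sha1(published_text)
    return hmac.compare_digest(file_sha1(path), expected)


if __name__ == "__main__":
    # Usage: python verify_upgrade.py <downloaded file> "<checksum from page>"
    ok = verify_artifact(sys.argv[1], sys.argv[2])
    print("checksum OK" if ok else "CHECKSUM MISMATCH, do not install")
    sys.exit(0 if ok else 1)
```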
Validate security settings
It is considered a best practice to validate configured security settings to ensure they work as intended. Schneider Electric strongly recommends making this practice mandatory whenever security configurations are modified. For example:
Verify the configured firewall rules. Attempt to make a connection that is configured to be denied and verify it is denied.
Verify the configured security policies. Verify that monitored devices are online in the Data Center Expert.
Verify an HTTP to HTTPS redirect occurs when HSTS is enabled.
Verify SSL certificate changes are applied correctly by viewing the certificate in a web browser.
Attempt to log in with an invalid user name or password and validate that the unsuccessful login attempt is logged in the event log.
Attempt to access the DCE server via an insecure protocol, for example, HTTP. Verify the server is inaccessible when HTTP is not enabled.
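The HTTP, redirect and certificate checks in this list can be scripted so they are repeated after every configuration change. The sketch below is an added example, not part of DCE or its documentation; the function names are hypothetical, and it assumes the default ports 80 and 443 and that HSTS is delivered through the standard Strict-Transport-Security response header.

```python
import http.client
import ssl
from urllib.parse import urlsplit


def redirect_is_https(status, location, host):
    """True if a plain-HTTP response redirects to HTTPS on the same host."""
    if status not in (301, 302, 303, 307, 308) or not location:
        return False
    target = urlsplit(location)
    return target.scheme == "https" and target.hostname == host.lower()


def hsts_max_age(header_value):
    """Return max-age in seconds from a Strict-Transport-Security value, or None."""
    for directive in (header_value or "").split(";"):
        name, _, value = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            value = value.strip().strip('"')
            return int(value) if value.isdigit() else None
    return None


def probe(host, http_port=80, https_port=443, timeout=5):
    """Fetch '/' over HTTP and HTTPS without following redirects; report findings."""
    result = {"http_reachable": False, "redirects_to_https": False, "hsts_max_age": None}
    try:
        conn = http.client.HTTPConnection(host, http_port, timeout=timeout)
        conn.request("GET", "/")
        resp = conn.getresponse()
        result["http_reachable"] = True
        result["redirects_to_https"] = redirect_is_https(
            resp.status, resp.getheader("Location"), host)
        conn.close()
    except (OSError, http.client.HTTPException):
        pass  # refused or timed out: the expected result when HTTP is not enabled
    # The default context verifies the chain and host name, so this raises
    # if the replaced certificate is not trusted by the machine running the check.
    conn = http.client.HTTPSConnection(host, https_port, timeout=timeout,
                                       context=ssl.create_default_context())
    conn.request("GET", "/")
    resp = conn.getresponse()
    result["hsts_max_age"] = hsts_max_age(resp.getheader("Strict-Transport-Security"))
    conn.close()
    return result
```

Call `probe()` with the server's host name from a machine that trusts the issuing CA, and compare the returned dictionary with the settings you configured.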
Client Security
Physical Security
Customers are responsible for the physical security of their client machines. This may include logging off or locking the client machine when away from it, avoiding leaving it unattended in public areas, and keeping it in a secure location when not in use.
Digital Security
Customers should protect their client machines from cyberattacks and data breaches. Protections may include:
Setting strong passwords; not reusing passwords
Never sharing your passwords with others
Using different authentication methods
Encrypting hard drives
Backing up data regularly
Installing antivirus software and keeping it up to date
Enabling firewall protection
Keeping software and operating systems up to date
Installing and maintaining the latest antivirus software on client machines.
Enabling Data Execution Prevention (DEP) for the EcoStruxure IT Data Center Expert desktop client
Device Integration Security
Schneider Electric recommends that customers harden any NMC-based devices by using the latest available firmware updates and recommended configuration changes.
For more information, see the security handbooks for NMC2 and NMC3 devices.
Secure Disposal and Decommissioning
This topic outlines how to reset an instance of DCE to its default settings and erase all user information and configurations.
Delete Device Contents
For information on how to delete the device contents, please consult the Restoring a Data Center Expert Physical Appliance or Restoring a Data Center Expert Physical Appliance sections of https://www.apc.com/us/en/faqs/FA321728/
Dispose of Physical Device
For information on how to physically dispose of or recycle the DCE appliance, please consult our hardware supplier’s documentation.
Network Protocol and Ports
This section contains all ports utilized by DCE. Schneider Electric recommends that secure protocols are used wherever possible. DCE will only attempt to communicate over the ports and protocols in the External Integrations and Device Communication sections if they have been configured.
Web Server
| Protocol | Transfer Protocol | Port | Direction | Description |
|---|---|---|---|---|
| HTTP(S) | TCP(SSL) | 80(443)¹ | Inbound | Used for client communication and 3rd party integrations |
External Integrations
| Protocol | Transfer Protocol | Port | Direction | Description |
|---|---|---|---|---|
| SMTP | TCP | 25¹ | Outbound | Communication with email server |
| NFS | TCP/UDP | 111 | Outbound | NFS mounted external drive |
| NFS | TCP/UDP | 2049 | Outbound | NAS/SAN |
| NTP | UDP | 123 | Outbound | Remote NTP server time communication |
| SMB | TCP | 139, 445 | Outbound | NAS/SAN |
| SMB | UDP | 137, 138 | Outbound | NAS/SAN |
| DNS | TCP/UDP | 53 | Outbound | DNS Server |
| LDAP | TCP | 389¹ | Outbound | Active Directory/LDAP |
| LDAPS (with SSL) | TCP(SSL) | 636 | Outbound | Active Directory/LDAP |
Device Communication
| Protocol | Transfer Protocol | Port | Direction | Description |
|---|---|---|---|---|
| FTP | TCP | 21¹ | Outbound | Used to transfer configurations, firmware binaries and logs |
| SCP | TCP | 22¹ | Outbound | Used to transfer configurations, firmware binaries and logs |
| SNMPv3 | UDP | 161¹ | Outbound | SNMP device polling and discovery |
| SNMPv3 | UDP | 162¹ | Inbound | SNMP traps |
| HTTP(S) | TCP | 80(443) | Inbound | NetBotz device polling and discovery |
| HTTP(S) | TCP | 80(443) | Outbound | NetBotz traps |
| Modbus TCP | TCP | 502¹ | Outbound | Modbus TCP device polling and discovery |
| APC Proprietary Communication | TCP | 6000 | Outbound | AP76xx outlet strips and gen1 PDU device polling and discovery |
Local System Only
| Protocol | Transfer Protocol | Port | Direction | Description |
|---|---|---|---|---|
| PostgreSQL | TCP | 5432 | Inbound | Local System ONLY – Used by the DCE server to communicate with its database |
¹ Port can be changed from its default value. Please consult the DCE documentation for more information.
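The port tables above can double as a baseline for reviewing the firewall logs recommended under Network Security. The following is an added example, not Schneider Electric code: it flags logged connections involving the DCE server that the tables do not document. The key=value log format, the function names and the sample records are constructed for illustration, and each record is assumed to describe a connection attempt whose `dport` is the service port.

```python
# Documented DCE flows from the tables above: (direction, transport, port).
# Ports marked with footnote 1 are defaults; edit this set if they were changed.
# PostgreSQL 5432 is local-only, so it is deliberately absent from the set.
DOCUMENTED = {
    ("in", "tcp", 80), ("in", "tcp", 443), ("in", "udp", 162),
    ("out", "tcp", 25), ("out", "tcp", 111), ("out", "udp", 111),
    ("out", "tcp", 2049), ("out", "udp", 2049), ("out", "udp", 123),
    ("out", "tcp", 139), ("out", "tcp", 445), ("out", "udp", 137),
    ("out", "udp", 138), ("out", "tcp", 53), ("out", "udp", 53),
    ("out", "tcp", 389), ("out", "tcp", 636), ("out", "tcp", 21),
    ("out", "tcp", 22), ("out", "udp", 161), ("out", "tcp", 502),
    ("out", "tcp", 6000), ("out", "tcp", 80), ("out", "tcp", 443),
}


def parse(line):
    """Parse one key=value firewall record (assumed format) into a dict."""
    return dict(field.split("=", 1) for field in line.split() if "=" in field)


def undocumented_flows(lines, dce_ip):
    """Return (record, reason) pairs for DCE traffic missing from the port tables."""
    findings = []
    for line in lines:
        rec = parse(line)
        if dce_ip == rec.get("dst"):
            direction = "in"
        elif dce_ip == rec.get("src"):
            direction = "out"
        else:
            continue  # traffic that does not involve the DCE server
        try:
            flow = (direction, rec["proto"].lower(), int(rec["dport"]))
        except (KeyError, ValueError):
            findings.append((line, "unparseable record"))
            continue
        if flow not in DOCUMENTED:
            findings.append((line, "%s %s/%d not in port table" % flow))
    return findings


SAMPLE_LOG = [  # constructed records; addresses are from documentation ranges
    "ts=2024-05-01T10:00:00Z src=192.0.2.50 dst=192.0.2.10 proto=TCP dport=443 action=allow",
    "ts=2024-05-01T10:00:05Z src=192.0.2.10 dst=192.0.2.77 proto=UDP dport=161 action=allow",
    "ts=2024-05-01T10:01:00Z src=192.0.2.50 dst=192.0.2.10 proto=TCP dport=5432 action=deny",
    "ts=2024-05-01T10:02:00Z src=192.0.2.10 dst=198.51.100.9 proto=TCP dport=8443 action=allow",
    "ts=2024-05-01T10:03:00Z src=192.0.2.60 dst=192.0.2.61 proto=TCP dport=3389 action=allow",
]
```

With the sample records and a DCE address of 192.0.2.10, the function reports the inbound attempt on 5432 and the outbound connection on 8443, and ignores the record that does not involve the server.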
Data Center Expert REST API
Data Center Expert supports a REST API and utilizes OAuth2 for authorization. Handling OAuth2 access tokens and refresh tokens securely is critical to ensure the integrity and confidentiality of data.
Integrators should take care where they store these tokens and should treat them as sensitive data. Keeping OAuth2 tokens secure is crucial because they serve as the keys to accessing device data and resources, and any compromise could lead to unauthorized access, data breaches, and potential misuse of sensitive information.
Software Vulnerability, Scan(s) and Certifications
Vulnerability scans are regularly run against Data Center Expert. Schneider Electric is committed to remediating and patching any items identified.
For more information on major vulnerabilities, see Schneider Electric Security Notifications.
Schneider Electric IT Corporation Legal Disclaimer
The information presented in this manual is not warranted by the Schneider Electric IT Corporation to be authoritative, error free, or complete. This publication is not meant to be a substitute for a detailed operational and site specific development plan. Therefore, Schneider Electric IT Corporation assumes no liability for damages, violations of codes, improper installation, system failures, or any other problems that could arise based on the use of this Publication. The information contained in this Publication is provided as is and has been prepared solely for the purpose of evaluating data center design and construction. This Publication has been compiled in good faith by Schneider Electric IT Corporation. However, no representation is made or warranty given, either express or implied, as to the completeness or accuracy of the information this Publication contains. IN NO EVENT SHALL SCHNEIDER ELECTRIC IT CORPORATION, OR ANY PARENT, AFFILIATE OR SUBSIDIARY COMPANY OF SCHNEIDER ELECTRIC IT CORPORATION OR THEIR RESPECTIVE OFFICERS, DIRECTORS, OR EMPLOYEES BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL, OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF BUSINESS, CONTRACT, REVENUE, DATA, INFORMATION, OR BUSINESS INTERRUPTION) RESULTING FROM, ARISING OUT, OR IN CONNECTION WITH THE USE OF, OR INABILITY TO USE THIS PUBLICATION OR THE CONTENT, EVEN IF SCHNEIDER ELECTRIC IT CORPORATION HAS BEEN EXPRESSLY ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SCHNEIDER ELECTRIC IT CORPORATION RESERVES THE RIGHT TO MAKE CHANGES OR UPDATES WITH RESPECT TO OR IN THE CONTENT OF THE PUBLICATION OR THE FORMAT THEREOF AT ANY TIME WITHOUT NOTICE. Copyright, intellectual, and all other proprietary rights in the content (including but not limited to software, audio, video, text, and photographs) rests with Schneider Electric IT Corporation or its licensors. All rights in the content not expressly granted herein are reserved. 
No rights of any kind are licensed or assigned or shall otherwise pass to persons accessing this information. This Publication shall not be for resale in whole or in part.