EcoStruxure IT Advisor security


Web proxy server setup guide

If you want to make the ITA web client or Tenant Portal available to your colleagues or customers directly from the Internet, make sure you have a proxy configuration in the DMZ.

Note: The DMZ setup protecting ITA against direct Internet access is entirely your own responsibility!

Here are some recommendations on how to set up the proxy server. This is not a complete guide. You should already have a working knowledge of scripting, web proxy, and DMZ configuration, or find it easy to acquire this knowledge.

About DMZ proxy and firewall port configuration

The ITA server should be on a protected network behind a firewall and not exposed directly on the Internet. The only incoming traffic allowed through the firewall to the ITA server should be on ports 80/443.

Note: It is required that you set up a proxy server in the DMZ, only supporting incoming https on port 443 and proxying requests to the ITA server on port 80/443 to the path /web/ only.

You may want to use Nginx, Apache, AH Proxy, or some other proxy tools. Examples here will be referring to an Nginx setup.

You should only use secure https protocols, not e.g. SSL v2. For an Nginx setup, the default protocols TLSv1, TLSv1.1, TLSv1.2 are supported.

Configuring a proxy for the Tenant Portal

Proxy specific commands are explained in this section. For more information, refer to the complete Nginx configuration guide.

Ensure the Nginx server only handles https. If an http request is made, it will be forwarded to https.

    # Redirect browsers from http to https
    server {
        listen 80;
        rewrite ^(.*) https://$host$1 permanent;
    }

Set up the actual ssl connection pointing to the certificates. The names starting with $ in these examples are placeholders for your own values.

    # Set up the proxy to ITA
    server {
        listen 443 ssl;
        server_name $NGINX_ADDRESS;
        ssl_certificate     $PATH_TO_CERTIFICATE_FILE;
        ssl_certificate_key $PATH_TO_PRIVATE_KEY_FILE;

        # The location blocks shown below go here, inside this server block
    }

Proxy to the Tenant Portal

    # First handle requests to the actual application path /web
    location /web/ {
        proxy_pass http://$ITA_ADDRESS;
    }

Proxy root requests to the same location

This is an additional option to proxy root requests to the same location, allowing the user to exclude /web in the URL when accessing the Tenant Portal.

NOTE: The order matters! The location /web must be specified before location /.

    # Handle root requests and forward to /web
    location / {
        proxy_pass http://$ITA_ADDRESS/web/;
    }
Picard EcoStruxureIT
‎2020-08-18 08:05 AM


ITA security

IT Advisor on-premise is a client/server configuration. The on-premise server can be configured to run with a data recovery node. The client runs on a standard PC. See ITA system requirements for on-premise installations.

Default user account for client

When setting up a server, a default apc user account is created for logging on to the client. The default credentials should be changed. See Managing ITA users and user rights.

Firewall

It is recommended that the firewall is enabled. The firewall will reduce the number of open ports to the required minimum. It will also protect internal services, such as the database, against external attacks. The firewall will allow all outgoing traffic and incoming traffic according to these details.

Software vulnerability, scans and certifications

Read the Schneider Electric Vulnerability Management Policy.

Three different software scanning tools are run against IT Advisor: Retina, Nessus and Acunetix. Some of these scans might also be part of official certifications, e.g. DOD RMF IT (formerly DIACAP) or FIPS140.

Antivirus

IT Advisor does not include antivirus in the installation. From a functionality point of view, it is fine to install an antivirus program on the server. In our experience, antivirus will affect client performance, and that performance loss can potentially lead to errors, depending on configuration.

Logging

The ITA product has several log files capturing kernel, cron job, etc. based on standard Linux capabilities. Furthermore, ITA logs all user account changes, logins and logouts to the Audit Trail log (available with change module license). The logs do not contain confidential information but might include some of the data entered when building the model.

Server log files are stored on the server and are accessible to system administrators via the server configuration interface, Webmin. Go to ITA > Download Log Files.

Client log files are stored in the user folder, for example, Windows: C:\Users\[Username]\.isxo\[Version]\Operations\application.log or Mac: ~/.isxo.

  • Asset Management Records: Asset additions, changes, moves, and removals are tracked and can be found in the Audit Trail report in the Reports section.
  • User Account Records: User additions, changes, and removals can be configured in User Rights and Authentication. These are tracked and can be found in the Audit Trail report in the Analytics > Reports section.

Database architecture

Currently the database and server make up one unit and cannot be separated. The database and operating system are running on the same partition on the server by default. The database technology is PostgreSQL and cannot be exchanged with any other database type or technology. The database is protected using RSA 2048 bits certificate password encryption.

ETL is open to other database types and technologies. You can find more information about ETL here.
Picard EcoStruxureIT
‎2020-08-18 06:19 AM

Last Updated: Sisko JLehr Sisko ‎2024-05-28 04:12 PM


ITA network firewall port details

Network protocol and ports (incoming ports allowed by the firewall)

The firewall provides basic protection. If protection against sophisticated attacks is required, using a dedicated firewall product is recommended. Communication across a NAT firewall is not supported.

The following protocols and ports are used by IT Advisor. Each entry gives the protocol, transfer protocol and port(s), followed by the Network, Credentials/Access, Encryption and Comments details.

HTTP / HTTPS, TCP, port 80 / 443
  • Network: Latency less than 200 ms, bandwidth minimum 1 Mbps. Bandwidth usage between client and server heavily depends on size of solution, number of users and the type of operations done to the solution.
  • Credentials/Access: Manually created user and password (default apc/apc). Authentication server integration support. There is no option to reset client user password. Password policy is not implemented in ITA but can be enforced using Authentication servers. Password can be ASCII format and numbers.
  • Encryption: Only using HTTPS TLSv1.2
  • Comments: Communication between server and clients. HTTP can be disabled or redirected to HTTPS for improved security.

SNMP, UDP, port 161
  • Basic system information and status of the Operation service will be exposed. More information can be found here.
  • The SNMP server can be disabled using the Server Configuration interface.
  • SNMP community string is default "public".
  • For added security from v7.3.6, disable SNMPv1 and configure SNMPv3.

PostgreSQL, TCP, port 5432
  • Network: Depending on system integration the bandwidth requirements should be specified accordingly.
  • Credentials/Access: As specified in external system ETL configuration
  • Encryption: Default MD5 authentication. Otherwise depending on database integration created.
  • Comments: ETL communication between database and server

Webmin, TCP, port 10000
  • Network: Very limited bandwidth requirements in normal operation. Downloading/uploading backups will increase the bandwidth requirements significantly.
  • Credentials/Access: Manually created user and password during installation. User password reset instructions.
  • Encryption: Yes
  • Comments: Server configuration interface at https://<server ip>:10000

Ping, ICMP
  • Will reply to ping requests

External systems related protocols (outgoing, default (can be edited))

HTTP, TCP (SSL/TLS), port 80 (443)
  • Network: Depending on system integration being used. For Data Center Expert it is estimated that every alarm will be around 2000 characters in size. Sensor data has approximately the same size but is transferred more often (depending on the integration configuration). The alarm and sensor data are communicated bidirectionally, with the majority of data going to ITA. A catch-up job is run on an hourly basis (configurable); this job will poll number of active alarms * 2000 chars.
  • Credentials/Access: As specified in external system configuration
  • Encryption: Depending on system integration
  • Comments: VMware, SCOM, Cisco UCS

SMTP, TCP, port 25
  • Network: Email traffic from the ITA is limited and "user generated" via e.g. work order execution, some system configuration etc.
  • Credentials/Access: As specified in external system configuration
  • Encryption: Not supported
  • Comments: Communication with e-mail server

DNS, TCP/UDP, port 53
  • Network: Very limited traffic and bandwidth requirement
  • Credentials/Access: As specified in external system configuration
  • Encryption: Not supported
  • Comments: DNS server communication

NFS, TCP/UDP, port 111
  • Network: Depending on system integration
  • Credentials/Access: As specified in external system configuration
  • Encryption: Not supported by protocol
  • Comments: NFS mounted external drive

NTP, UDP, port 123
  • Network: Very limited traffic and bandwidth requirement
  • Credentials/Access: As specified in external system configuration
  • Encryption: Depending on system integration
  • Comments: NTP server communication

SMB, TCP/UDP, port 139
  • Network: Depending on system integration
  • Credentials/Access: As specified in external system configuration
  • Encryption: Depending on system integration
  • Comments: SMB communication to NAS/SAN

CIFS, TCP, port 445
  • Network: Depending on system integration
  • Credentials/Access: As specified in external system configuration
  • Encryption: Depending on system integration
  • Comments: CIFS communication to NAS/SAN

NFS, TCP/UDP, port 2049
  • Network: Depending on system integration
  • Credentials/Access: As specified in external system configuration
  • Encryption: Not supported by protocol
  • Comments: NFS communication to NAS/SAN
Picard EcoStruxureIT
‎2020-08-18 06:33 AM


Changing the SSL certificate on the server

The ITA server is installed with a self-signed security certificate. When connecting to the server from a web browser, you may receive warnings about the security certificate. It is recommended, after the installation of ITA is complete, to purchase and install a security certificate issued by a trusted certificate authority.

To change to your own SSL certificate on the ITA server, it needs to be an Apache 2.x/PEM format certificate consisting of two files (*.key, *.crt).

It is best practice to disable access to the web clients before starting to update any certificates to ensure no client is connected with a false certificate.

If your setup includes a disaster recovery node and you need a certificate on it, upload certificates to the DR server in the same way as for a standalone server.

Preparing a certificate for upload

  • Password: A password protected key is not supported. Strip the password from the key before uploading it.
  • Intermediate or certificate bundle: If your certificate chain requires an intermediate certificate, append it to the .crt file. When appending, ensure you include everything, including the lines "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----", as there may be several lines for this intermediate certificate.
  • No users in the system during upload: The Apache HTTPD server will be reloaded during this process, so ensure no users are using the system during the upload.

Uploading a certificate

  1. Open the Webmin web interface by selecting Administration > Webmin in the IT Advisor web client. Alternatively, type the address of your IT Advisor server in a web browser followed by :10000, https://<server ip>:10000.
  2. Log into Webmin using the user credentials created during the installation and in the left menu, select EcoStruxure IT Advisor.
  3. In the submenu, select Certificates.
  4. Follow the instructions on the page.
  5. Verify everything is working correctly by launching a web client and checking there's a green padlock icon in the address line.
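
The preparation steps above (strip the key password, append the intermediate), with a check that the key and certificate belong together before uploading. This is an added example, not part of the original article or of Schneider Electric's tooling. It assumes the openssl command-line tool is installed; the file names, the passphrase "example" and the self-signed stand-in for an intermediate certificate are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: key/certificate preparation on constructed test material.
set -eu

# True if the PEM key is passphrase-protected (PKCS#8 or traditional format).
key_is_encrypted() {
    grep -q -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' -e '^Proc-Type: 4,ENCRYPTED' "$1"
}

# Write an unencrypted copy of the key. "pass:" is used only because the sample
# passphrase is constructed; omit -passin to be prompted for a real one.
strip_key_password() {  # <in.key> <out.key> <passphrase>
    ( umask 077; openssl pkey -in "$1" -passin "pass:$3" -out "$2" )
}

# Server certificate first, then the intermediate, BEGIN/END lines included.
append_intermediate() {  # <server.crt> <intermediate.crt> <out.crt>
    cat "$1" "$2" > "$3"
}

cert_count() { grep -c -e '^-----BEGIN CERTIFICATE-----' "$1"; }

# True if the key's public half equals that of the first certificate in the file.
key_matches_cert() {  # <key> <crt>
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Generate constructed sample files in <workdir>, then run the preparation steps.
prepare_demo() {  # <workdir>
    d=$1
    openssl req -x509 -newkey rsa:2048 -passout pass:example -days 1 \
        -subj "/CN=ita.example.test" -keyout "$d/enc.key" -out "$d/server.crt" 2>/dev/null
    # Self-signed stand-in for an intermediate; not a real chain.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Intermediate" -keyout "$d/tmp.key" -out "$d/inter.crt" 2>/dev/null
    strip_key_password "$d/enc.key" "$d/ita.key" example
    append_intermediate "$d/server.crt" "$d/inter.crt" "$d/ita.crt"
}

work=$(mktemp -d)
prepare_demo "$work"
if key_is_encrypted "$work/ita.key"; then echo "key still has a passphrase"; fi
if key_matches_cert "$work/ita.key" "$work/ita.crt"; then echo "key matches certificate"; fi
echo "certificates in ita.crt: $(cert_count "$work/ita.crt")"
rm -rf "$work"
```

The stripped key is written with a restrictive umask because it is no longer protected by a passphrase; delete local copies once the upload is done.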
Picard EcoStruxureIT
‎2020-08-18 08:37 AM
