EcoStruxure IT Gateway security considerations

Security hardening

• The EcoStruxure IT Gateway is intended to be accessed from within a secure network, and not over the internet.  Therefore, do not make the web UI accessible via the internet.

• Regularly apply available operating system patches and security updates to the Gateway server.

• Follow the recommended hardening guidelines for the operating system. Refer to Gateway default ports when configuring the firewall.

• Do not allow local operating system login access to the Gateway server, except for IT administrators.  

• Use SNMPv3 instead of SNMPv1 and enable encryption and authentication whenever possible.  Use HTTPS instead of HTTP for NetBotz devices. Use SCP instead of FTP for firmware updates and device configuration. Even when these devices are on a private network, using a secure protocol as part of a defense-in-depth strategy is recommended.

• By default, none of the protocols for communicating with the end devices are active. They are enabled by adding new device credentials.  The only external ports enabled are

  • 443 for the web application, both inbound for the Gateway web UI, and outbound to communicate with the EcoStruxure IT web application.  This can be changed at install to use another port if desired.

  • 1062 for SNMP traps.

Password policy

There is no default password for the EcoStruxure IT Gateway.  Upon first launching system, the user is required to set the admin password.

The EcoStruxure IT Gateway password policy now requires:

• At least 10 characters in length
• At least 3 of the following 4 types of characters:
  • Lower case letters (a-z)
  • Upper case letters (A-Z)
  • Numbers (0-9)
  • Special characters (Example: !@#$%^&*)
• No more than 2 identical characters in a row (Example: aaa is not allowed)

Strong passwords are enforced when you first create your password and when you change your password. You are not required to change your existing password after updating your Gateway.

Permissions

Application

• There is only one permission level on the Gateway. The Gateway UI is intended for application administrators only. This user has the ability to:
  • Create, delete, and change passwords for users, but cannot change usernames
  • Configure device discoveries
  • View sensor and alarm information from discovered devices
• Starting in Gateway version 1.9, strict password enforcement is in place. It is recommended to update your password after upgrading and to update your password periodically since passwords do not automatically expire.

IT administration

• A local administrator account on the operating system of the Gateway server is required in order to install the software, perform the other security hardening activities, and to retrieve log files if necessary.

• The Linux installer creates a local service account under which the applications runs. This service also performs database backups.  On Windows, the service runs as the Local System account.

• Software updates can be done three ways:

  • Auto update - When this option is selected in the EcoStruxure IT web application, software updates are automatically pushed to the Gateway.  No additional user accounts or interaction is required.

  • Cloud initiated - Software updates are initiated by a user logged into the EcoStruxure IT application.  No additional user accounts or interaction is required.

  • Local, manual - A local operating system administrator may also download the software update to the Gateway server and manually run the installer.  

Decommissioning

• To decommission a Gateway server, it is recommended that you re-image the machine. This will erase all data and set all operating system settings back to their defaults.

• If re-imaging is not possible, first run the uninstaller, then make sure the data is removed from the install location using a secure erase utility. This will remove the application, data, and certificate.

• Log in to the organization's EcoStruxure IT account and remove the association with the Gateway from the account.