Welcome to the new Schneider Electric Community

It's your place to connect with experts and peers, get continuous support, and share knowledge.

  • Explore the new navigation for even easier access to your community.
  • Bookmark and use our new, easy-to-remember address (community.se.com).
  • Get ready for more content and an improved experience.

Contact SchneiderCommunity.Support@se.com if you have any questions.

Close
Invite a Co-worker
Send a co-worker an invite to the Exchange portal.Just enter their email address and we’ll connect them to register. After joining, they will belong to the same company.
Send Invite Cancel
84422members
353607posts

IT Security for Netbotz and other APC Datacenter Equipment

EcoStruxure IT forum

A support forum for Data Center Operation, Data Center Expert, and EcoStruxure IT product users to share knowledge on installation, configuration, and general product use.

DCIM_Support
Picard
Picard
0 Likes
4
186

IT Security for Netbotz and other APC Datacenter Equipment

This question was originally posted on DCIM Support by Cleopas Chisambiro on 2019-05-13


Our customer has Netbotz 200 at a remote datacenter connected to DCE at main datacenter over corporate network . After their IT security audit it was raised the the Netbotz 200 has open ftp ports and the password is week. The netbotz is connected to Data Center Expert. How best can we guarantee the security of the APC equipment and DCE on the network.

 

They are concerned about preventing from malicious code upload or from other people who are ware of the password from accessing the netbotz via ftp (or other protocols  over the corporate network) and make harmful changes. Is netbotz ftp read-only, or is there a way to make it read only without affecting the connection with DCE.

 

Can I have a separate user for connecting to DCE and onother for http or https.

 

What are the best IT security measures we can implement for all APC and Schneider Electric (UPSes, Inrows, PDUs etc) as they support network critical systems

 

I saw these commands are available in ftp 

rename, delete, mdelete

(CID:143757615)

4 Replies 4
DCIM_Support
Picard
Picard
0 Likes
2
186

Re: IT Security for Netbotz and other APC Datacenter Equipment

This answer was originally posted on DCIM Support by Steven Marchetti on 2019-05-13


Hi Cleopas,

 

If your customer feels that their password is weak, they should change their password. The FTP password is the admin password on those NetBotz 200 devices. If they do not like FTP, they can also disable FTP and use SCP. 

The same passwords for administrators can also be used for ftp, you can't change that. My suggestion would be to limit access to the NetBotz appliance , UPS, etc by only allowing them read only access. 

 

Thanks,

Steve

(CID:143757660)

DCIM_Support
Picard
Picard
0 Likes
0
186

Re: IT Security for Netbotz and other APC Datacenter Equipment

This comment was originally posted on DCIM Support by Cleopas Chisambiro on 2019-05-14


How do make the units read-only, I would like to maintain a connection with the DCE at main datacenter.

 

Can admin make harmful changes like delete using FTP?

 

Is FTP required by DCE? If not I may need to disable it.

(CID:143757926)

DCIM_Support
Picard
Picard
0 Likes
0
186

Re: IT Security for Netbotz and other APC Datacenter Equipment

This comment was originally posted on DCIM Support by Steven Marchetti on 2019-05-15


Hi Cleopas,

When you discover a device, DCE needs FTP (or scp) to pull an alert definition file from the device. When configuring a device through DCE, the same protocol(s) are used to pull / push the configuration file. Finally, the same protocol is used to push a firmware upgrade. These must be enabled (either FTP or SCP) for full compatibility with DCE.

 

What are you worried about deleting? You can't delete the firmware but you can delete the event log for instance. This would be similar access as if you had admin access to the web page.

For security purposes, you can configure 3 levels of users on the device itself. Here's the old firmware on a NetBotz 200:

Here's what it looks like on the newer cards:

 

If you do not want someone to have the user name and password to be allowed to FTP to the card directly, provide them with the read only user name and password.

If you're using DCE, You can also give people granular access to device groups:

You can specify device launch settings for each device so that when they double click a device in DCE, they only get the type of access provided by the user name and password used:

 

 

If you do not have the proper access to DCE, you will also not have access to see the device file transfer settings which is where the FTP or SCP settings are held for the purposes that I mentioned in the beginning:

So an admin will be able to see these settings:

so if I were to give you view and control access over devices:

You wouldn't even have the "device" menu required to access these user names and passwords:

 

Steve

 

 

(CID:143758723)

DCIM_Support
Picard
Picard
0 Likes
0
186

🔒 Closed

This question is closed for comments. You're welcome to start a new topic if you have further comments on this issue.