Recommendations for the Network Layer

Prognosis can be deployed on multiple machines in order to form a managing/monitoring topology. In this setup, the servers typically communicate with each other via TCP/IP. The following sections outline the security options that are available within the Network Layer.

The Network Layer consists of the following features.

Summary of Recommendations

Data Encryption Between Servers
In all environments, the following approach is recommended:
  • Upgrade all servers to version 11.9 to ensure the highest level of encryption is available.

  • Leave the default encryption enabled on all servers unless the environment has specific needs, for example, old versions on some Monitoring Servers or very high data throughput.

In high-security environments, the following additional actions are recommended:

  • If required, consider enabling FIPS mode encryption where the entire deployment consists of MS Windows servers.

Key Management Service
In all environments, the following approach is recommended:
  • No action necessary.

In high-security environments, the following additional actions are recommended:

  • In a purely MS Windows environment, use a KMIP-compatible KMS service to ensure that KMS encryption keys are regularly changed.

Limit TCP/IP Connections
In all environments, the following is recommended:
  • Management Servers are explicitly ‘whitelisted’ in the NETWORK Configuration on all servers.

Ports and Firewalls
In all environments, the following approach is recommended:
  • Lock down access to any ports that are not required for remote connections.

In high-security environments, the following additional actions are recommended:

  • Lock down remote access to any ports that are not required for remote communications.

Securing the Local PostgreSQL Database
In all environments, the following approach is recommended:
  • Change the passwords for both the 'prognosis' and 'postgres' users on all servers to prevent unauthorized access to the security settings.

SNMP Security
In all environments, the following approach is recommended:
  • Use SNMP v3 where it is made available by the device being monitored.

SSL/TLS Versions
In all environments, the following approach is recommended:
  • Disable all SSL protocols.

In high-security environments, the following approach is recommended:

  • Disable all protocols except TLS 1.2.
