The intent of this page is to provide a security handbook covering relevant best practices and information for Data Center Expert (DCE).
DCE is a software solution consisting of a server and a client. The server runs on a vendor-maintained build of Rocky Linux and ships as a locked-down appliance: customers do not have access to the underlying operating system. The client runs on a standard Linux or Windows operating system. See the system requirements for more information.
Note: This page targets the latest release of DCE, but most of its guidance also applies to older versions.
Security Hardening
This topic outlines how to harden and secure an instance of DCE. To maintain security throughout the deployment lifecycle, Schneider Electric recommends reviewing the following considerations for:
- Network Security
- Physical Security
- Appliance Security
- Client Security
- Device Integration Security
NOTE: Different deployments may require different security considerations.
This document provides general security guidance to help you decide on an appropriate secure deployment based on your specific security requirements.
Network Security
Insufficient restrictions on network access to a system increase its exposure to viruses, worms, and spyware, and make undesired access to resources easier. Without a rule that denies incoming traffic by default, a system is unnecessarily exposed to compromise. Schneider Electric strongly recommends making the key configuration changes below.
Firewalls
Schneider Electric strongly recommends that network traffic to DCE passes through a firewall. A firewall reduces the likelihood of compromise but cannot prevent all attacks. Firewall logs, if enabled, can be used to identify attempted and successful attacks, and in the event of a compromise they are used in forensic analysis to determine the extent of the compromise and the nature of the attack. Enable logging, retain at least 30 days of data, and record at least the source and destination IP address of each logged flow.
Please see the Network Protocols and Ports section of this document for a breakdown of all ports used by DCE.
Deploy a Network Layer Firewall
Schneider Electric strongly recommends that the device is not exposed to the public Internet and is deployed behind an appropriate Stateful Packet Inspection (SPI) firewall.
Appliance Firewall
The Data Center Expert server includes its own host firewall. Because the appliance is locked down, this firewall is not configurable by the customer; any filtering beyond the built-in rules (for example, restricting which client subnets may reach the web interface) must be enforced on the network firewall in front of the appliance.
Network Segmentation
Schneider Electric strongly recommends that traffic to both DCE's public and private interfaces is separated, physically or logically, from normal network traffic. A flat network makes it easy for a malicious actor to move laterally once inside; with segmentation, an organization can control access to sensitive systems by explicitly allowing or denying traffic between zones. A strong security policy segments the network into multiple zones with different security requirements and rigorously enforces what is allowed to move from one zone to another.
Connected Network Directories
Schneider Electric recommends that all connected network directories, for example directories used for backups, are secured and accessible only to DCE and DCE administrators. This minimizes the risk of a malicious actor tampering with a backup that may later be restored into DCE; restore only from these trusted locations.
Other Security Detection and Monitoring Tools
Schneider Electric recommends that the environment is protected and monitored by appropriate physical, technical and administrative tools for network intrusion and monitoring such as IDS/IPS and appropriate SIEM solutions.
Physical Security
An attacker with physical access to the equipment can bypass logical access controls and use the device without authorization. Schneider Electric recommends that physical security controls are in place to restrict physical access to the areas and facilities containing instances of DCE and related hardware.
Deploy Equipment in a Secure Location
Custodians should secure equipment from unauthorized physical access.
- Access should be restricted to those who require access to maintain the equipment.
- Restricted areas should be clearly marked for authorized personnel only.
- Restricted areas should be secured by locked doors.
- Access to the restricted areas should produce a physical or electronic, regularly reviewed, audit trail.
Secure access to the device front panel and rear ports
Deploy the physical appliance in a rack or cage that can be locked with a suitable key, or other physical methods. Any of these methods should be tested regularly. This will prevent access to the physical ports of the device.
Appliance Security
Privileged Accounts
Privileged and super-user accounts (Administrator and root) must not be used for non-administrative activities. Network services must run under accounts assigned the minimum privileges they need. Also keep the number of local accounts to a minimum.
Certificates
Replace the Default SSL/TLS Certificate
Default SSL/TLS certificates are created during the initial configuration of the device. These certificates are not intended for production use and should be replaced. Schneider Electric recommends configuring the device with a certificate issued either by a reputable Certificate Authority (CA) or by your enterprise CA. Clients and integrations should then trust that CA, so that certificate validation never has to be disabled to work around warnings.
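A post-deployment check for the certificate recommendation above, added here as an example and not part of DCE or its documentation: it performs a verified TLS handshake to the appliance's HTTPS port using the local trust store (or a CA bundle you pass for an enterprise CA), translates a rejected handshake into an actionable finding, and warns about an accepted certificate that is about to expire or is only trusted because it was pinned. The host name is an assumption.

```python
"""Check that a DCE appliance serves a CA-issued, valid TLS certificate.

Added example, not DCE's own tooling. The host name used in __main__ and the
interpretation of each verification error are assumptions about a typical
deployment."""
import socket
import ssl
from datetime import datetime, timezone
from typing import Optional

# OpenSSL X509_V_ERR_* codes as exposed by ssl.SSLCertVerificationError.verify_code,
# mapped to what the failure usually means for a DCE deployment (assumed wording).
_VERIFY_HINTS = {
    10: "certificate has expired: renew it and install the new one",
    18: "leaf certificate is self-signed: typically the default certificate "
        "created at initial configuration; replace it with a CA-issued one",
    19: "chain ends in an untrusted self-signed root: the issuing CA is not in "
        "the trust store (pass your enterprise root as cafile if that is intended)",
    20: "issuer certificate not found locally: the appliance is not sending its "
        "intermediate CA certificate, or the CA is not trusted here",
    62: "host name mismatch: the certificate's SAN does not cover the name clients use",
}


def diagnose_verify_error(code: int, message: str) -> str:
    """Translate a chain-validation failure into an actionable finding."""
    return _VERIFY_HINTS.get(code, f"verification failed ({code}): {message}")


def _rdn_to_dict(rdn_seq):
    # getpeercert() encodes subject/issuer as ((('commonName', 'x'),), ...)
    return {k: v for rdn in rdn_seq for k, v in rdn}


def evaluate_cert(cert: dict, now: datetime, warn_days: int = 30) -> list:
    """Warnings for a certificate that already passed chain validation.

    `cert` is in ssl.SSLSocket.getpeercert() dictionary form. An empty list
    means the certificate looks production-ready."""
    findings = []
    subject = _rdn_to_dict(cert.get("subject", ()))
    issuer = _rdn_to_dict(cert.get("issuer", ()))
    if subject and subject == issuer:
        findings.append("certificate is self-signed but explicitly trusted; replace it "
                        "with one issued by a CA so trust does not depend on pinning")
    # notAfter is a string such as 'Mar 15 12:00:00 2031 GMT', interpreted as UTC
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]),
                                     tz=timezone.utc)
    remaining = (expires - now).days
    if remaining < 0:
        findings.append(f"certificate expired on {expires:%Y-%m-%d}")
    elif remaining < warn_days:
        findings.append(f"certificate expires in {remaining} days ({expires:%Y-%m-%d})")
    return findings


def check_dce_tls(host: str, port: int = 443, cafile: Optional[str] = None) -> list:
    """Return findings for the appliance at host:port; an empty list means OK."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + hostname check
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return [diagnose_verify_error(exc.verify_code, exc.verify_message)]
    return evaluate_cert(cert, datetime.now(timezone.utc))


if __name__ == "__main__":
    # Assumed host name; use the DNS name your clients actually connect to,
    # since that is the name the certificate's SAN must cover.
    for finding in check_dce_tls("dce.example.internal") or ["certificate OK"]:
        print(finding)
```

Run it from a client machine rather than from the appliance, so that the trust store being consulted is the one your users actually rely on; pass `cafile=` pointing at the enterprise root bundle if the appliance certificate is issued by an internal CA.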
Logging
Schneider Electric recommends that customers monitor DCE logging regularly. DCE provides readily available capture logs (based on standard Linux logging). Logs are stored on the server and are accessible to the system administrator; forward them to a central log collector or SIEM so they survive a compromise of the appliance and can be correlated with firewall and directory logs.
Upgrades
Schneider Electric recommends that, before performing an update, an administrator validates the checksum of the downloaded artifact against the SHA1 checksum published on the download page. This minimizes the risk of a malicious actor tampering with an upgrade file after it has been downloaded from the secure Schneider Electric website. A matching checksum shows that the file on disk is the one the vendor published; it does not replace obtaining both the file and the checksum from the official site over HTTPS.
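The verification step above, written out as an added example (not a Schneider Electric tool): it hashes a large artifact in chunks, accepts the checksum exactly as pasted from the download page (including `sha1sum`-style `<hex>  filename` output), infers the algorithm from the digest length so a later switch to SHA-256 needs no code change, and refuses to report success on a malformed expected value. The checksum constant in `__main__` is a hypothetical placeholder.

```python
"""Verify a downloaded DCE upgrade artifact against a published checksum.

Added example, not part of the DCE product or its documentation. The
artifact path comes from the command line; EXPECTED is a hypothetical value
that stands in for the checksum copied from the vendor download page."""
import hashlib
import hmac
import sys
from pathlib import Path

# Digest length in hex characters -> hashlib algorithm name. SHA1 is what the
# download page publishes today; SHA-256 is accepted so the script keeps
# working if the published format changes.
_ALGORITHMS = {40: "sha1", 64: "sha256"}


def normalize_digest(published: str) -> str:
    """Normalize a pasted checksum: strip whitespace, take only the hex token
    from '<hex>  filename' style output, and lower-case it. Raises ValueError
    on anything that is not a SHA1/SHA-256 hex digest, so a bad paste can never
    be 'verified'."""
    stripped = published.strip()
    token = stripped.split()[0].lower() if stripped else ""
    if len(token) not in _ALGORITHMS or any(c not in "0123456789abcdef" for c in token):
        raise ValueError(f"unrecognized checksum format: {published!r}")
    return token


def file_digest(path: Path, algorithm: str, chunk_size: int = 1 << 20) -> str:
    """Hash a possibly multi-gigabyte file in 1 MiB chunks instead of reading it whole."""
    h = hashlib.new(algorithm)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_artifact(path: Path, published: str) -> bool:
    """True only if the file's digest equals the published one.

    The algorithm is inferred from the digest length. hmac.compare_digest is
    used for the comparison; a checksum is not a secret, but using the
    constant-time helper everywhere avoids forgetting it where it matters."""
    expected = normalize_digest(published)
    actual = file_digest(path, _ALGORITHMS[len(expected)])
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # Hypothetical published value; replace with the checksum from the download page.
    EXPECTED = "da39a3ee5e6b4b0d3255bfef95601890afd80709"
    artifact = Path(sys.argv[1])
    if verify_artifact(artifact, EXPECTED):
        print(f"OK: {artifact} matches the published checksum")
    else:
        print(f"MISMATCH: do not install {artifact}")
        sys.exit(1)
```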
Client Security
Antivirus
Schneider Electric recommends that customers install and maintain the latest antivirus software on client machines.
Device Integration Security
Schneider Electric recommends that customers harden any NMC-based devices by using the latest available firmware updates and recommended configuration changes. For more information, see the security handbooks for NMC2 and NMC3 devices.
Secure Disposal and Decommissioning
This topic outlines how to reset an instance of DCE to its default settings and erase all user information and configuration before the appliance leaves your control.
Delete Device Contents
For information on how to delete the device contents, consult the Restoring a Data Center Expert Physical Appliance section of https://www.apc.com/us/en/faqs/FA321728/
Dispose of Physical Device
For information on how to physically dispose of or recycle the DCE appliance, please consult our hardware supplier’s documentation.
Network Protocol and Ports
This section lists all ports used by DCE. Schneider Electric recommends using secure protocols wherever possible. DCE only attempts to communicate over the ports and protocols listed in the External Integrations and Device Communication sections once the corresponding integration or device type has been configured; until then, those ports can stay closed on the network firewall.
Web Server
| Protocol | Transfer Protocol | Port | Direction | Description |
|---|---|---|---|---|
| HTTP(S) | TCP (SSL/TLS) | 80 (443)¹ | Inbound | Used for client communication and 3rd party integrations |
External Integrations
| Protocol | Transfer Protocol | Port | Direction | Description |
|---|---|---|---|---|
| SMTP | TCP | 25¹ | Outbound | Communication with email server |
| NFS | TCP/UDP | 111 | Outbound | NFS mounted external drive |
| NFS | TCP/UDP | 2049 | Outbound | NAS/SAN |
| NTP | UDP | 123 | Outbound | Remote NTP server time communication |
| SMB | TCP | 139, 445 | Outbound | NAS/SAN |
| SMB | UDP | 137, 138 | Outbound | NAS/SAN |
| DNS | TCP/UDP | 53 | Outbound | DNS server |
| LDAP | TCP | 389¹ | Outbound | Active Directory/LDAP |
| LDAPS (with SSL) | TCP (SSL/TLS) | 636 | Outbound | Active Directory/LDAP |
Device Communication
| Protocol | Transfer Protocol | Port | Direction | Description |
|---|---|---|---|---|
| FTP | TCP | 21¹ | Outbound | Used to transfer configurations, firmware binaries and logs |
| SCP | TCP | 22¹ | Outbound | Used to transfer configurations, firmware binaries and logs |
| SNMPv3 | UDP | 161¹ | Outbound | SNMP device polling and discovery |
| SNMPv3 | UDP | 162¹ | Inbound | SNMP traps |
| HTTP(S) | TCP | 80 (443) | Inbound | NetBotz device polling and discovery |
| HTTP(S) | TCP | 80 (443) | Outbound | NetBotz traps |
| Modbus TCP | TCP | 502¹ | Outbound | Modbus TCP device polling and discovery |
| APC Proprietary Communication | TCP | 6000 | Outbound | AP76xx outlet strips and gen1 PDU device polling and discovery |
Local System Only
| Protocol | Transfer Protocol | Port | Direction | Description |
|---|---|---|---|---|
| PostgreSQL | TCP | 5432 | Inbound | Local system ONLY – used by the DCE server to communicate with its database |
¹ Port can be changed from its default value. Consult the DCE documentation for more information.
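The Firewalls guidance earlier on this page (default deny, log source and destination) and the port tables above fit together naturally: the tables are the allow list, and the logs are what you review afterwards. The example below is added here and is not Schneider Electric's code. It encodes the page's inbound and outbound flows as a port matrix, renders a default-deny nftables ruleset for the perimeter firewall in front of the appliance, and audits constructed, netfilter-style log lines for two things a practitioner actually looks for: which sources are being dropped, and which new inbound flows were accepted toward DCE on a port the documented matrix does not allow. The DCE address, the zone subnets and the log lines are assumptions; configurable ports are used at their defaults; unconfigured integrations (FTP, NFS, SMB, plain LDAP) are deliberately left out of the matrix.

```python
"""Turn the DCE port matrix into a default-deny nftables policy and audit its logs.

Added example, not Schneider Electric's code. The port list comes from this
page; DCE_IP, ZONES, and SAMPLE_LOG (Linux netfilter 'SRC=... DST=... PROTO=...
DPT=...' lines as written by an nft 'log prefix' rule) are constructed."""
import re
from collections import Counter

# (service, L4 protocol, port, direction relative to DCE, peer zone) from the page's tables.
PORT_MATRIX = [
    ("https", "tcp", 443, "in", "clients"),
    ("snmp-trap", "udp", 162, "in", "devices"),
    ("snmp", "udp", 161, "out", "devices"),
    ("modbus", "tcp", 502, "out", "devices"),
    ("scp", "tcp", 22, "out", "devices"),
    ("ldaps", "tcp", 636, "out", "services"),
    ("dns", "udp", 53, "out", "services"),
    ("dns", "tcp", 53, "out", "services"),
    ("ntp", "udp", 123, "out", "services"),
    ("smtp", "tcp", 25, "out", "services"),
]
# Assumed addressing: the appliance and the subnet behind each zone name.
DCE_IP = "10.10.0.5"
ZONES = {"clients": "10.20.0.0/24", "devices": "10.30.0.0/23", "services": "10.40.0.0/24"}


def render_nft(dce_ip=DCE_IP, zones=ZONES, matrix=PORT_MATRIX) -> str:
    """Render an nftables forward chain: established traffic first, one accept per
    documented flow, then log-and-drop. New inbound flows to DCE are logged so
    source and destination are on record even for legitimate sessions."""
    rules = []
    for svc, proto, port, direction, zone in matrix:
        if direction == "in":
            rules.append(f'    ip saddr {zones[zone]} ip daddr {dce_ip} {proto} dport {port} '
                         f'log prefix "DCE-ACCEPT " accept comment "{svc}"')
        else:
            rules.append(f'    ip saddr {dce_ip} ip daddr {zones[zone]} {proto} dport {port} '
                         f'accept comment "{svc}"')
    body = "\n".join(rules)
    return f"""table inet dce_edge {{
  chain forward {{
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
{body}
    log prefix "DCE-DROP " drop
  }}
}}"""


_LOG_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)"
                     r"(?: .*?DPT=(?P<dpt>\d+))?")


def parse_log_line(line: str):
    """(src, dst, proto, dport) from a netfilter-style log line, or None.
    dport is None for protocols without ports (ICMP)."""
    m = _LOG_RE.search(line)
    if not m:
        return None
    return m["src"], m["dst"], m["proto"].lower(), int(m["dpt"]) if m["dpt"] else None


def drops_by_source(lines, prefix="DCE-DROP") -> Counter:
    """Dropped packets per source: the first pivot when looking for a scan."""
    counts = Counter()
    for line in lines:
        parsed = parse_log_line(line) if prefix in line else None
        if parsed:
            counts[parsed[0]] += 1
    return counts


def unexpected_inbound(lines, dce_ip=DCE_IP, matrix=PORT_MATRIX) -> list:
    """Accepted new flows toward DCE on a (proto, port) the matrix does not list.
    Any hit means the deployed ruleset has drifted from the documented one."""
    allowed = {(proto, port) for _, proto, port, direction, _ in matrix if direction == "in"}
    hits = []
    for line in lines:
        parsed = parse_log_line(line) if "DCE-ACCEPT" in line else None
        if parsed and parsed[1] == dce_ip and (parsed[2], parsed[3]) not in allowed:
            hits.append(parsed)
    return hits


# Constructed log excerpt: a client session, a scan from outside, a trap, and an
# accept on 8443 that the documented matrix does not contain.
SAMPLE_LOG = [
    "Jun  3 10:01:02 fw kernel: DCE-ACCEPT IN=eth1 OUT=eth0 SRC=10.20.0.7 DST=10.10.0.5 LEN=60 TTL=63 PROTO=TCP SPT=51514 DPT=443 SYN",
    "Jun  3 10:01:05 fw kernel: DCE-DROP IN=eth1 OUT=eth0 SRC=192.0.2.44 DST=10.10.0.5 LEN=60 TTL=52 PROTO=TCP SPT=40000 DPT=22 SYN",
    "Jun  3 10:01:05 fw kernel: DCE-DROP IN=eth1 OUT=eth0 SRC=192.0.2.44 DST=10.10.0.5 LEN=60 TTL=52 PROTO=TCP SPT=40001 DPT=5432 SYN",
    "Jun  3 10:01:06 fw kernel: DCE-DROP IN=eth1 OUT=eth0 SRC=192.0.2.44 DST=10.10.0.5 LEN=84 TTL=52 PROTO=ICMP TYPE=8 CODE=0",
    "Jun  3 10:02:00 fw kernel: DCE-ACCEPT IN=eth2 OUT=eth0 SRC=10.30.1.9 DST=10.10.0.5 LEN=120 TTL=64 PROTO=UDP SPT=161 DPT=162 LEN=100",
    "Jun  3 10:03:00 fw kernel: DCE-ACCEPT IN=eth1 OUT=eth0 SRC=10.20.0.8 DST=10.10.0.5 LEN=60 TTL=63 PROTO=TCP SPT=51600 DPT=8443 SYN",
]

if __name__ == "__main__":
    print(render_nft())
    print("drops by source:", dict(drops_by_source(SAMPLE_LOG)))
    print("accepted but undocumented:", unexpected_inbound(SAMPLE_LOG))
```

The 30-day retention the page asks for is a property of wherever the firewall forwards its logs, not of the ruleset; point the `DCE-ACCEPT`/`DCE-DROP` prefixes at your collector's parser so the two audit functions above can run over real data.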
Software Vulnerability, Scan(s) and Certifications
Vulnerability scans are regularly run against Data Center Expert. Schneider Electric is committed to remediating and patching any items identified. For more information on major vulnerabilities, see Schneider Electric Security Notifications.
Schneider Electric IT Corporation Legal Disclaimer
The information presented in this manual is not warranted by the Schneider Electric IT Corporation to be authoritative, error free, or complete. This publication is not meant to be a substitute for a detailed operational and site specific development plan. Therefore, Schneider Electric IT Corporation assumes no liability for damages, violations of codes, improper installation, system failures, or any other problems that could arise based on the use of this Publication. The information contained in this Publication is provided as is and has been prepared solely for the purpose of evaluating data center design and construction. This Publication has been compiled in good faith by Schneider Electric IT Corporation. However, no representation is made or warranty given, either express or implied, as to the completeness or accuracy of the information this Publication contains. IN NO EVENT SHALL SCHNEIDER ELECTRIC IT CORPORATION, OR ANY PARENT, AFFILIATE OR SUBSIDIARY COMPANY OF SCHNEIDER ELECTRIC IT CORPORATION OR THEIR RESPECTIVE OFFICERS, DIRECTORS, OR EMPLOYEES BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL, OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF BUSINESS, CONTRACT, REVENUE, DATA, INFORMATION, OR BUSINESS INTERRUPTION) RESULTING FROM, ARISING OUT OF, OR IN CONNECTION WITH THE USE OF, OR INABILITY TO USE THIS PUBLICATION OR THE CONTENT, EVEN IF SCHNEIDER ELECTRIC IT CORPORATION HAS BEEN EXPRESSLY ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SCHNEIDER ELECTRIC IT CORPORATION RESERVES THE RIGHT TO MAKE CHANGES OR UPDATES WITH RESPECT TO OR IN THE CONTENT OF THE PUBLICATION OR THE FORMAT THEREOF AT ANY TIME WITHOUT NOTICE. Copyright, intellectual, and all other proprietary rights in the content (including but not limited to software, audio, video, text, and photographs) rest with Schneider Electric IT Corporation or its licensors. All rights in the content not expressly granted herein are reserved.
No rights of any kind are licensed or assigned or shall otherwise pass to persons accessing this information. This Publication shall not be for resale in whole or in part.