ASMS system security

AlgoSec products are released after a careful hardening procedure, which is also updated periodically as needed per industry standards.

We use standard vulnerability scanners, customer feedback, as well as our own security expertise to create, run, and make updates to this hardening procedure.

To ensure maximum security, make sure to routinely install any security patches released by AlgoSec. These security patches may include updates for AlgoSec Firewall Analyzer, FireFlow, AppViz, as well as appliance package updates.

Additional hardening procedures

You may wish to do additional hardening by doing the following:

  • Place the AFA server in a special zone behind one of your devices.

  • Write very restricted policy rules to control access to the AFA server.

  • Install valid certificates properly signed by a certificate authority, replacing the pre-installed, self-signed certificates that are provided by default on AlgoSec web servers.

    For more details, see How to Install and Generate an SSL key and Certificate Signing Request (CSR) KB article on AlgoPedia.

When configuring external firewalls for your ASMS system, see the following sections:

Warning: If you want to perform additional hardening on your AlgoSec system, contact AlgoSec professional services.

Performing hardening procedures on your own may render your AlgoSec system inoperable and void your support contract.

Connecting securely to the AFA server

We recommend limiting inbound connectivity from other computers to the AFA server. Your team's computers must be able to browse the AFA reports via the internal Apache Web server, which is configured to serve pages using SSL (HTTPS) and listen on port TCP/443.

The TCP/80 port can be closed.

Connecting securely from the AFA server

Part of hardening a Linux server involves filtering network traffic to and from the server. When doing so, you must ensure that the communication ports used by AFA remain open.

AFA sends the following outgoing requests, which require no open, listening ports:

Outbound HTTPS requests

AFA issues output, HTTPS requests (TCP/443) only to activate licenses.

These requests are sent to https://portal.algosec.com/en/support/support_home.

Ensure that this traffic is not blocked, and that your outbound Web proxies do not manipulate or sanitize it.

DNS queries

AFA may need to issue DNS queries to the local DNS server (UDP/53).

SMTP communication

AFA sends email notifications if configured to do so.

When configured, AFA must be able to communicate with your local mail server via SMTP (TCP/25).

POP mail retrieval Email retrieval via "fetchmail" over POP3 must be accessible, if configured (TCP/110).
SSH device communication

If you want to enable remote access to the AFA server, we recommend using SSH. Ensure that port TCP/22 is accessible.

Authentication

LDAP authentication must be open, if relevant (TCP/389 or TCP/636)

RADIUS authentication must be open, if relevant (UDP/1812)

Backup saves AlgoSec automatic backup over FTP must be open, if relevant FTP (TCP/21) or SFTP (TCP/22)
Syslog messages Communication must be open to send Syslog messages to a Syslog server, if AFA is configured to do so

Note: AFA will send additional requests via interfaces that differ depending on your device types.

For more details, see Manage devices.