How is the Data Transferred to and from the Edge Services Secured?
The Edge Services (ES) update themselves automatically, expose nothing on your network, and use multiple layers of encryption to secure connectivity with Secureworks® Taegis™ VDR’s cloud.
The Edge Services Are Configured to Update Automatically
The Edge Services (ES) require Internet access on ports 80 and 443, as described in the minimal networking requirements, because the ES are configured to auto-update themselves over this Internet channel.
The ES are built on a hardened, up-to-date Ubuntu distribution and therefore manage updates securely the way any Linux distribution does: through the official PGP-signed package channels.
VDR is also in a position to push updates directly to its ES should it be required.
The Edge Services Do Not Expose Anything on the Local Network
You might notice that, when scanning the Edge Service IP from within VDR, SSH on port 22 is reported as open. The SSH port is seen as open from within VDR because it is used as a control channel through which VDR manages updates and other support activities on the Edge Service itself. Strict firewall rules restrict access to this port exclusively to internal VDR components. You can verify that the port is not actually reachable from your own network by running nmap -p 22 <IP_OF_THE_EDGE_SERVICE> from a host on that network.
The Connectivity with the Edge Service Is Protected by Multiple Layers of Modern Encryption
Every ES is uniquely identified by its own dedicated cryptographic keys, so that if your network becomes compromised and you require brand new ES, the keys of the old ES can be revoked.
Additionally, the entirety of the traffic is encrypted and authenticated using modern cryptography:
- The control channel over which temporary session keys are exchanged is secured by TLS 1.2 using modern authenticated cipher suites: TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384.
- There is an additional layer of HMAC-SHA512 authentication on top of the TLS control channel (further mitigating DoS and attacks on the TLS stack): no packet is accepted on the open ports, on either side, unless it carries a valid HMAC under the respective pre-shared key (cryptographic firewalling). These keys are unique per Edge Service and set at generation time.
- The data channel packets are encrypted with temporary AES-256-CBC session keys and authenticated with HMAC-SHA512. The data channel uses encrypt-then-MAC (each packet is encrypted first, then the resulting ciphertext is HMAC’d), which prevents padding oracle attacks. The keys are unique per Edge Service, set at generation time, and can be revoked.
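The two authentication layers just listed (the pre-shared-key HMAC gate in front of the control channel, and encrypt-then-MAC on the data channel) re-implemented with Go's standard library as an added example. This is not Secureworks' code and says nothing about how VDR's own packets are laid out; the layout of body followed by a 64-byte HMAC-SHA512 tag, the 32-byte AES-256 key, the separate 64-byte HMAC key, and the PKCS#7 padding are all assumptions of this example. It shows why the ordering matters: a forged or tampered packet is rejected by the MAC before anything is parsed or decrypted, so neither the TLS stack nor the padding check is ever exposed to attacker-controlled input.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha512"
	"errors"
	"fmt"
	"io"
)

// Assumed packet layout for this example: body || 64-byte HMAC-SHA512 tag over the body.
const tagLen = sha512.Size

var errBadMAC = errors.New("packet rejected: HMAC-SHA512 mismatch")

// appendTag returns data followed by HMAC-SHA512(key, data).
func appendTag(key, data []byte) []byte {
	m := hmac.New(sha512.New, key)
	m.Write(data)
	return m.Sum(data)
}

// checkTag is the "cryptographic firewall": it verifies the trailing tag in constant time and
// returns the body without it. On the control channel the key is the per-ES pre-shared key, and
// nothing is handed to the TLS stack until this check passes.
func checkTag(key, packet []byte) ([]byte, error) {
	if len(packet) < tagLen {
		return nil, errBadMAC
	}
	body, tag := packet[:len(packet)-tagLen], packet[len(packet)-tagLen:]
	m := hmac.New(sha512.New, key)
	m.Write(body)
	if !hmac.Equal(m.Sum(nil), tag) {
		return nil, errBadMAC
	}
	return body, nil
}

// dataKeys are the temporary data-channel session keys: a 32-byte AES-256 key and an
// independent HMAC key (reusing one key for both jobs is a classic mistake).
type dataKeys struct{ enc, mac []byte }

func newDataKeys() (dataKeys, error) {
	buf := make([]byte, 96)
	_, err := io.ReadFull(rand.Reader, buf)
	return dataKeys{enc: buf[:32], mac: buf[32:]}, err
}

// encryptThenMAC: PKCS#7-pad, AES-256-CBC-encrypt under a fresh IV, then tag IV||ciphertext.
func encryptThenMAC(k dataKeys, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(k.enc)
	if err != nil {
		return nil, err
	}
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, aes.BlockSize+len(padded))
	if _, err := io.ReadFull(rand.Reader, out[:aes.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], padded)
	return appendTag(k.mac, out), nil
}

// verifyThenDecrypt checks the tag before touching the ciphertext: a forged or tampered packet
// fails with errBadMAC and is never decrypted, so the padding check can't act as an oracle.
func verifyThenDecrypt(k dataKeys, packet []byte) ([]byte, error) {
	body, err := checkTag(k.mac, packet)
	if err != nil {
		return nil, err
	}
	if len(body) < 2*aes.BlockSize || len(body)%aes.BlockSize != 0 {
		return nil, errors.New("malformed packet")
	}
	block, err := aes.NewCipher(k.enc)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(body)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, body[:aes.BlockSize]).CryptBlocks(pt, body[aes.BlockSize:])
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errors.New("bad padding")
	}
	return pt[:len(pt)-pad], nil
}

func main() {
	psk := bytes.Repeat([]byte{0x42}, 64) // constructed demo pre-shared key
	_, err := checkTag(psk, []byte("TLS ClientHello sent without a tag"))
	fmt.Println("control channel:", err) // dropped before the TLS stack sees it
	k, _ := newDataKeys()
	pkt, _ := encryptThenMAC(k, []byte("scan results"))
	pkt[aes.BlockSize] ^= 0x01 // flip one ciphertext bit in transit
	_, err = verifyThenDecrypt(k, pkt)
	fmt.Println("data channel:", err) // rejected by the MAC, never decrypted
}
```

Both rejections surface as the same errBadMAC regardless of where the packet was damaged, and the comparison in checkTag uses hmac.Equal so timing does not leak which byte of the tag was wrong. The AES-GCM suites on the TLS control channel get this property from the AEAD construction itself; the explicit HMAC layer is what extends it to everything that arrives on the port, including packets that never form a valid TLS record.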