How to Configure the NodeGrid to Be More Secure?

The NodeGrid software ships with its networking services configured with some security in mind, but it is still not as closed as some network policies require.

You can tighten it by changing the service settings on the Security :: Services page to suit your needs.

 

Select or clear the following checkboxes to enable or disable each service:

- Enable detection of USB devices

- Enable RPC

- Enable FTP Service

- Enable SNMP Service

- Enable Telnet Service to NodeGrid

- Enable Telnet Service to Managed Devices

- Enable ICMP echo reply

- Enable Automatic Cloud Enrollment

- Enable Zero Touch Provisioning

- Enable PXE (Preboot eXecution Environment)

- Enable Autodiscovery

- Enable HTTP access

- Enable VM Serial access

- Enable HTTPS access

 

Check or uncheck these options:

* Device access enforced via user group authorization

* DHCP lease controlled by autodiscovery rules

* SSH allow root access

* Redirect HTTP to HTTPS

 

Keep or change these TCP ports:

SSH TCP Port: 22

Cloud TCP Port: 9966

VM Serial Port: 9977

HTTP Port: 80

HTTPS Port: 443

 

Select these options:

SSH Version: 1 | 2 | 1,2 | 2,1

Cryptographic Protocols: TLSv1.2 | TLSv1.1 | TLSv1

Cipher Suite Level: High | Medium | Low | Custom

 

An example of the Services settings to make your NodeGrid more secure:

* Disable ICMP echo reply

* Disable HTTP access 

* Enable HTTPS (or disable it so there will be no access via WebUI)

* Disable Redirect HTTP to HTTPS

* Disable SSH allow root access

* Use SSH version 2 only

* Use Cryptographic Protocol TLSv1.2

* Use High Cipher Suite Level

* Disable Telnet Service to NodeGrid

* Disable Telnet Service to Managed Devices
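To confirm from the network that the Telnet, HTTP and SSH-version items above took effect, a check like the following can be run against your own NodeGrid. This is an added example, not ZPE code; it assumes Telnet would listen on its standard port 23 (the page does not list it) and uses the page's default ports for HTTP and SSH.

```python
import socket

# HTTP and SSH ports are the page's defaults; Telnet on 23 is an assumption.
SSH_PORT, MUST_BE_CLOSED = 22, {"Telnet": 23, "HTTP": 80}

def ssh_versions(banner):
    """Protocol versions offered by an SSH identification string (RFC 4253, 4.2 and 5.1)."""
    parts = banner.split("-", 2)
    if len(parts) < 3 or parts[0] != "SSH":
        raise ValueError(f"not an SSH identification string: {banner!r}")
    if parts[1] == "1.99":      # protocol 2 server with protocol 1 compatibility enabled
        return {1, 2}
    major = parts[1].split(".")[0]
    if major in ("1", "2"):
        return {int(major)}
    raise ValueError(f"unknown SSH protocol version: {parts[1]!r}")

def evaluate(open_ports, banner):
    """Pure check: open_ports maps service name -> bool, banner is the SSH line or None."""
    findings = [f"{name} port is reachable; the example settings disable it"
                for name, is_open in sorted(open_ports.items()) if is_open]
    if banner is None:
        findings.append("no SSH identification string received")
    elif ssh_versions(banner) != {2}:
        findings.append(f"SSH offers protocol 1 ({banner}); select SSH version 2 only")
    return findings

def port_open(host, port, timeout=3.0):
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:             # refused, filtered or timed out
        return False

def read_ssh_banner(host, port=SSH_PORT, timeout=3.0):
    """Return the first line starting with 'SSH-'; servers may send other lines before it."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s, s.makefile("rb") as fh:
            for _ in range(20):                     # bound the number of pre-banner lines
                line = fh.readline(256).decode("ascii", "replace").strip()
                if line.startswith("SSH-"):
                    return line
    except OSError:
        pass
    return None

def audit(host):
    observed = {name: port_open(host, port) for name, port in MUST_BE_CLOSED.items()}
    return evaluate(observed, read_ssh_banner(host))
```

Call `audit("<your NodeGrid address>")`; an empty list means none of the three checks found a deviation. If you changed the SSH TCP port, pass it to `read_ssh_banner` instead of the default.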

 

Additionally, have the following settings:

- If configuring the NodeGrid Serial Console, uncheck the 'Allow Telnet protocol' parameter, check 'Allow SSH protocol', and enter a TCP port such as 30xx or 80xx.

- Change the root and admin passwords.

- Set authentication with a Remote Authentication server such as RADIUS, TACACS or LDAP/AD (in Security :: Authentication).

- Enable 'Device access enforced via user group authorization' in Services, and then set Authorization so that authorized users or groups have different permissions.

- Configure some Firewall rules (in Security :: Firewall).

- Create a checksum of your current configuration as a reference, and compare it from time to time to confirm that nothing has changed without authorization (Systems :: Toolkit :: System Configuration Checksum).

 
