Steps to Configure Nodegrid Serial Console Security Features

            This guide walks you through the Nodegrid Serial Console (NSC) configuration pages to enable advanced security features (secure mode), assuming the configuration starts from the factory default.

            Step 1 - Change Default Administrative users' password

            1. from a browser, log in as admin to the NSC web interface.
            2. click on the user (admin@nodegrid) on top right hand side of the page.
            3. then click on 'Change Password'
            4. enter the current password and the new password. Save.
            5. log out and log back in as admin to continue with the other settings.

            NOTE: You should also change root's password. Log in to the NSC (ssh root@<IP>) and execute the 'passwd root' command. You can change admin's password in the same way by executing the 'passwd admin' command.

            Step 2 - Services

            Go to Security :: Services page.

            Have the following parameters unchecked:

            • Enable detection of USB devices
            • Enable RPC
            • Enable FTP Service
            • Enable SNMP Service
            • Enable Telnet Service to Nodegrid
            • Enable Telnet Service to Managed Devices
            • Enable ICMP echo reply
            • SSH Allow root access
            • Enable Automatic Cloud Enrollment
            • Enable VM Serial access
            • Enable Zero Touch Provisioning
            • Enable PXE (Preboot eXecution Environment)
            • Enable Autodiscovery
            • Enable HTTP access
            • Redirect HTTP to HTTPS
            • TLSv1.1
            • TLSv1

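            Have the following parameters checked (items with a condition in parentheses also appear in the unchecked list above; check them only if you need that feature):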

            • Enable Automatic Cloud Enrollment (if you want to cluster multiple NSC devices)
            • Enable VM Serial access (if you want to access virtual machines)
            • Enable Zero Touch Provisioning (if you want to allow push configuration)
            • Enable PXE (Preboot eXecution Environment) (if you want to allow recovering firmware via PXE)
            • Device access enforced via user group authorization (if you want to use access rights and roles via authorization)
            • Enable HTTPS access
            • TLSv1.2
            • High Cipher Suite Level

            Step 3 - Authentication / Local Users

            Go to Security :: Authentication page.

            1. set the desired Authentication Type.
            2. if a Remote Authentication Server (Kerberos, LDAP/AD, Radius, Tacacs+) is selected, fill out the necessary parameters for that Server.
            3. if Local Authentication is selected, then go to Security :: Local Accounts to add local users.

            Step 4 - Authorization

            Go to Security :: Authorization page.

            1. add New Authorization Groups.
            2. click on the new Group and Add Members. Save.
            3. go to Profile tab and set the Group Permissions. Save.
            4. go to Devices tab and add Devices to Manage by moving them from the left list to the right list. Set the necessary/desired Device Permissions. Save.

            Step 5 - Network

            Go to Network :: Connections page.

            1. click on 'hotspot'.
            2. uncheck 'Connect Automatically'.
            3. save.

            Step 6 - Serial Ports

            Go to Managed Devices page.

            1. select all ttyS ports by checking the first checkbox on the left hand side.
            2. click on Edit button.
            3. set mode to Enabled.
            4. uncheck 'Allow Telnet protocol'.
            5. save.

            Step 7 - Firewall

            Go to Security :: Firewall page.

            1. select the Chain you want to add firewall rules to.
            2. add rules according to your needs / security policies.
            3. repeat for other Chains, if required.

            Step 8 - System Configuration Checksum

            Go to System :: ToolKit page.

            1. click on System Configuration Checksum button.
            2. select the Checksum Type: MD5SUM or SHA256SUM
            3. then select 'Create a checksum baseline of the current system configuration'
            4. then, from time to time, compare the current configuration with the baseline to check whether there have been any unauthorized changes since the last comparison.
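
The baseline-and-compare idea behind Step 8, shown as an added example (this is not Nodegrid's implementation and not code from this article). It uses SHA-256, one of the two checksum types listed above; the function names and the directory being hashed are assumptions for illustration.

```shell
#!/bin/sh
# Added example: configuration integrity baseline (SHA-256) and drift report.
# Function names and directory layout are illustrative assumptions.
# Assumes GNU find/sort/xargs/sha256sum and paths without newlines or backslashes.

# make_baseline DIR OUT
# Write one "hash  ./relative/path" line per file in DIR, sorted by path.
# Keep OUT outside DIR (ideally off the device) so it is not hashed or altered.
make_baseline() {
    ( cd "$1" && find . -type f -print0 | LC_ALL=C sort -z |
        xargs -0 -r sha256sum ) > "$2"
}

# compare_baseline DIR BASELINE
# Print ADDED / MODIFIED / REMOVED lines; return 0 if unchanged, 1 on drift.
compare_baseline() {
    _cur=$(mktemp) || return 2
    make_baseline "$1" "$_cur" || { rm -f "$_cur"; return 2; }
    _rc=0
    _report=$(awk '
        { hash = substr($0, 1, 64); path = substr($0, 67) }
        FILENAME == ARGV[1] { base[path] = hash; next }   # baseline file
        { seen[path] = 1                                   # current state
          if (!(path in base))         { print "ADDED    " path; bad = 1 }
          else if (base[path] != hash) { print "MODIFIED " path; bad = 1 } }
        END { for (p in base) if (!(p in seen)) { print "REMOVED  " p; bad = 1 }
              exit bad + 0 }
    ' "$2" "$_cur") || _rc=$?
    rm -f "$_cur"
    if [ -n "$_report" ]; then printf '%s\n' "$_report" | LC_ALL=C sort; fi
    return "$_rc"
}
```

A non-zero return from `compare_baseline` means the configuration no longer matches the baseline; the printed lines name the files to review.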


            Updated: 03 Aug 2019 11:04 AM