Local Broker Hardening
Review these sections for Local Broker hardening information.
OS Requirement
Ubuntu 20.04 is supported.
OS Hardening
This section provides information that you can use to better understand how a Local Broker is deployed and maintained.
Netskope provides prebuilt Ubuntu 20.04 VM images for VMware (OVA format) and Hyper-V (VHDX format). Netskope applies the following hardening steps to the prebuilt Ubuntu 22.04 VM images:
- Disabling the root login.
- Removing the root password.
- Removing unneeded Linux firmware and packages.
- Running the latest security updates prior to capturing the image.
- Disabling Ctrl-Alt-Del so that the key combination cannot trigger an accidental or malicious system restart.
- Applying a strong password policy; passwords must meet the following minimum requirements:
  - Minimum length of 14 characters.
  - At least one upper-case letter.
  - At least one lower-case letter.
  - At least one digit.
  - At least one non-alphanumeric character.
  - Not a palindrome.
You can perform additional hardening steps, such as:
- Hardening SSH to use keys rather than passwords.
- Using the native Ubuntu 20.04 firewall or network firewalls to limit access to and from the Local Broker.
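The following audit helper is an added example, not code shipped with the Netskope images: it checks that a pwquality.conf and an sshd_config match the password policy listed above and the key-only SSH recommendation. It assumes pam_pwquality is what enforces the policy (the page does not name the module); the sample files it writes are constructed for demonstration.

```sh
#!/bin/sh
# Added audit helper, not part of Netskope's images: checks that a pwquality.conf
# and an sshd_config reflect the password policy and key-only SSH described above.
# Assumption: pam_pwquality enforces the policy (the page does not say which module does).

# pwq_check FILE: succeed if FILE requires >=14 chars and one upper, lower,
# digit and special character (negative *credit values mean "at least N required").
# libpwquality rejects palindromes on its own, so that rule needs no setting.
pwq_check() {
  f="$1"
  # value of "key = N", ignoring comments; the last assignment wins; empty if absent
  get() { sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\(-\{0,1\}[0-9][0-9]*\).*/\1/p" "$f" | tail -n 1; }
  v=$(get minlen); [ -n "$v" ] && [ "$v" -ge 14 ] || return 1
  for k in ucredit lcredit dcredit ocredit; do
    v=$(get "$k"); [ -n "$v" ] && [ "$v" -le -1 ] || return 1
  done
  return 0
}

# sshd_check FILE: succeed if SSH is key-only and root cannot log in over SSH.
sshd_check() {
  f="$1"
  # sshd honours the first occurrence of a keyword; a commented line never matches in $1
  val() { awk -v k="$1" 'tolower($1)==tolower(k) {print tolower($2); exit}' "$f"; }
  [ "$(val PasswordAuthentication)" = "no" ] || return 1
  [ "$(val PermitRootLogin)" = "no" ] || return 1
  return 0
}

# Constructed sample files (not taken from a real Local Broker) to exercise the checks.
tmp=$(mktemp -d)
cat > "$tmp/pwquality.conf" <<'EOF'
minlen = 14
ucredit = -1
lcredit = -1
dcredit = -1
ocredit = -1
EOF
cat > "$tmp/pwquality-weak.conf" <<'EOF'
minlen = 8
EOF
cat > "$tmp/sshd_config" <<'EOF'
#PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication no
EOF
for c in pwquality.conf pwquality-weak.conf; do
  if pwq_check "$tmp/$c"; then echo "$c: policy OK"; else echo "$c: policy too weak"; fi
done
if sshd_check "$tmp/sshd_config"; then echo "sshd_config: key-only OK"; else echo "sshd_config: FAIL"; fi
```

On a real broker, point the functions at /etc/security/pwquality.conf and /etc/ssh/sshd_config; sshd also reads any files pulled in by an Include directive, which this helper does not follow.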
Netskope Private Access uses RSA 2048 for all encrypted communications, including the Client, Publisher, and inner tunnel.
Updates
The Local Broker wizard provides update capabilities for both the host OS and the Local Broker package:
- Base OS (Ubuntu 20.04) security updates.
- Local Broker updates (security, functionality, and enhancements).
Netskope recommends always updating Local Brokers to the most recent software version.
AppArmor and ufw for Ubuntu
The NPA Local Broker OVA/VHDX images are configured with AppArmor and ufw enabled and running. The following ufw configuration is applied:
    apt-get install -y ufw          # install the ufw firewall front end
    echo y | ufw enable             # enable ufw non-interactively
    ufw allow 22/tcp                # allow SSH management access
    ufw allow in on lo              # allow loopback traffic on the lo interface
    ufw deny in from 127.0.0.0/8    # drop IPv4 loopback-sourced packets arriving on other interfaces
    ufw deny in from ::1            # same for the IPv6 loopback address
    ufw reload                      # apply the rule set