Netskope Help

Secure Tenant Hardening and Configuration

Netskope provides prebuilt Publishers for VMware (OVA format), Hyper-V (VHDX), and AWS (AMI). You can also deploy a Publisher on top of a CentOS machine for other environments, such as GCP. The deployment methods and the use of Docker images may raise some concerns about hardening and security. This document provides information that customers under NDA can use to better understand how a Publisher is deployed and maintained.

Operating System and Software Versions (as of January 21, 2020)
  • Base OS

    • CentOS

      • The version depends on the exact platform on which the Publisher is deployed.

        • AWS AMI – 7.6.1810

        • VMware OVA – 7.7.1908

        • Hyper-V – 7.7.1908

        • All other platforms are dependent on what version of CentOS the provider supports.

  • Docker Engine

    • Client and Server: 19.03.5

  • Docker Container OS

    • Ubuntu 14.04

Netskope Hardening Steps

Netskope takes a number of hardening steps for the images we provide including:

  • Disabling root login to base OS and container OS

  • Removing root password

  • Removing unneeded Linux firmware and packages

  • Running the latest security updates prior to capturing the image

  • Disabling support for Ctrl-Alt-Del to prevent accidental or malicious system restarts.

Hardening and Security Considerations
  • The Publisher only requires communication over the following ports and protocols:

    • Inbound

      • SSH Access

        • Port 22 for management

    • Outbound

      • DNS

      • HTTPS

        • Port 443

        • Outbound connectivity required for tunneling and updates

      • Other ports

        • The Publisher requires connectivity to/from the applications the customer defines on the ports necessary for their applications.

  • Netskope Private Access leverages RSA 2048 for all encrypted communications including Client, Publisher, and inner tunnel.

  • TLS certificates used in Netskope Private Access contain limited information and do not include any internal customer or service information. The certificates include a randomized identifier per Client and Publisher, the Netskope tenant name, and the expiration date.

  • Netskope Private Access leverages an internal Public Key Infrastructure (PKI) that is managed and owned by Netskope. Certificates used in communication are signed and issued by either a tenant-specific intermediate certificate authority or Netskope’s root certificate authority.

  • You can perform additional hardening steps such as:

    • Hardening SSH to use keys rather than passwords

      • The AWS AMI uses keys by default. Publishers deployed on other platforms must be manually configured to use keys.

    • Using the native CentOS firewall or network firewalls to limit access to and from the Publisher.
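
As an added example (not Netskope's code and not part of this document), the bash helper below audits an sshd_config for the key-only settings described above and prints the firewalld commands that leave only the SSH port open inbound on a CentOS 7 Publisher. The config file path, the firewalld zone name, and the OpenSSH defaults used when a keyword is absent are assumptions.

```bash
#!/usr/bin/env bash
# Hypothetical hardening helper for a CentOS 7 Publisher host.
# It only reads a config file and prints commands; it changes nothing itself.

# sshd_setting <file> <Keyword>: print the effective value of a keyword.
# sshd honours the FIRST occurrence of each keyword (case-insensitive);
# commented-out lines start with '#', so their first field never matches.
sshd_setting() {
  awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# audit_sshd <file>: print one OK/FAIL line per check. The third column of
# each table row is the OpenSSH default assumed when the keyword is absent
# (OpenSSH 7.x, as shipped with CentOS 7).
audit_sshd() {
  local f="$1" key want default got
  while read -r key want default; do
    got=$(sshd_setting "$f" "$key")
    if [ "${got:-$default}" = "$want" ]; then
      echo "OK   $key=${got:-$default}"
    else
      echo "FAIL $key=${got:-$default} (want $want)"
    fi
  done <<'EOF'
PasswordAuthentication no yes
ChallengeResponseAuthentication no yes
PubkeyAuthentication yes yes
PermitRootLogin no prohibit-password
EOF
}

# firewall_commands <zone>: print (do not run) the firewalld commands that
# drop everything inbound except SSH; the Publisher needs nothing else
# inbound, and application traffic it initiates is outbound.
firewall_commands() {
  local zone="$1"
  cat <<EOF
firewall-cmd --permanent --zone=$zone --set-target=DROP
firewall-cmd --permanent --zone=$zone --add-service=ssh
firewall-cmd --permanent --zone=$zone --remove-service=dhcpv6-client
firewall-cmd --reload
EOF
}

# Usage on a Publisher host (paths assumed):
#   audit_sshd /etc/ssh/sshd_config
#   firewall_commands public        # review, then run the printed lines as root
```

The audit deliberately checks the first match of each keyword, because a stray `PasswordAuthentication yes` placed above a later `no` would silently win in sshd.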

Updates

Netskope provides updates to the Publisher that include:

  • Base OS (CentOS) security updates

  • Publisher (security, functionality, and enhancements).

Netskope recommends that customers keep Publisher updates current.