Quantcast

NetBotz v3 | Security Information

FA158322

15/05/2020

Issue:
NetBotz v3 Appliance Security Information

Product Line:
NetBotz v3 (355,450, 455, 550, & 570)

Environment:
NetBotz (all firmware versions)

Resolution:

Network Protocols and Ports
Protocol Transfer Protocol Port(s) Disposition Network Credentails/Access Encryption Comments
FTP TCP 21 Outbound - Not configured by default FTP traffic from the NetBotz depends on alarm policy configuration and number of alarms. As specificed in the FTP remote server settings Not supported by FTP  
Telnet TCP 23 Disabled by default Network requirements are low based on user input.   Not supported by telnet. Should only be open temporarily for support reasons.
SMTP TCP 25 Outbound - Not configured by default Network requirements are low. Email traffic from the NetBotz depends on alarm policy configuration and number of alarms occurring. As specified in email settings. Requires STARTTLS extension Communication with email server
DNS UDP 53 Outbound - Not configured by default Very limited traffic and bandwidth requirement As specificed in external system configuration Not supported DNS server communication
DHCP Client UDP 68 Outbound - Enabled only when DHCP IP address acquisition is enabled Very limited traffic and bandwidth requirement No credentials available Not supported by DHCP  
HTTP TCP (SSL) 80 (443) Inbound (default) Network speed of minimum 100Mbps is recommended. Bandwidth usage between client and server heavily depends on number of discovered devices, alarm configuration and operations carried out in the client e.g. report generation. Manual created user and password (default apc/apc) Authentication server integration support. There is no option to reset client user password. Password policy is not implemented in NetBotz. The password consists of ASCII characters. Server and client negotiate SSL cipher type and key length Communication from NetBotz Appliances / DCE Console / Web API and 3rd party integrations.
NFS TCP/UDP 111   Depending on system integration As specified in external system configuration Not supported by protocol NFS mounted external drive
NTP TCP 123   Very limited traffic and bandwidth requirement As specified in time settings Depending on system integration NTP server communication
SMB TCP/UDP 139   Depending on system integration As specified in system storage settings Depending on system integration SMB communication to NAS/SAN
SNMP UDP 161 Inbound / Outbound - Enabled by default The bandwidth needed heavily dpeneds on number of discovered devices, polling interval configured and alarm activity in the system. Specified in device SNMP configuration. Default community string: public SNMPv3 offer encryption as configured Change the default community strings and avoid SNMPv1 when possible
SNMP (Trap) UDP 162   The bandwidth requirement needed heavily depends on number of discovered devices, polling interval configured, and alarm activity in the system. Specified in device SNMP configuration SNMPv3 offers encryption as configured SNMP Communication between discovered devices and DCE
CIFS TCP 445   Depending on system integration As specified in external system configuration Depending on system integration CIFS communication to NAS/SAN
ModbusTCP TCP 502   The bandwidth needed heavily depends on number of discovered devices, polling interval configured, and alarm activity in the system. Not supported by ModbusTCP Not supported by ModbusTCP ModbusTCP Communication from Modbus Device/Gateway
Rsyslog UDP 514 Disabled by default Depends on configuration Not supported by rsyslog Not supported by rsyslog  
Socks   1080 Disabled by default Depends on traffic over HTTP and HTTPS ports As specified by the Socks proxy server    
NFS TCP/UDP 2049   Depending on system integration As specified in external system configuration Not supported by protocol NFS communication to NAS/SAN


Firewall Configuration
- NetBotz includes an IP Filtering feature.  Configure IP Filtering in Advanced View.

Cybersecurity Considerations
- Where possible, all unnecessary services should be disabled (SNMP, HTTP, etc.).
- Use Strong encryption (AES for SNMPv3, HTTPS, etc.).
- Change the default password and use passwords that are considered strong.
- If SNMP is required, consider changing the V1 community strings, and do not user SNMPv1 thereafter.  Use SNMPv3 instead, configured with SHA and AES-128.