The purpose of this article is to provide comprehensive instructions and best practices for securing Smart Cache devices against vulnerabilities, threats, and unauthorized access.
The aim is to strengthen the security posture of the Operating System (OS) by applying configurations, policies, and controls that mitigate risk and protect sensitive data.
Regular OS Upgrades
- For Smart Cache, the base OS is the popular Linux distribution Debian 11, and the device should be on the latest 11.x OS version.
- If the OS version is earlier than 11.x, the device is likely an older Smart Cache model that needs to be upgraded to the Smart Cache version compatible with the 11.x OS.
- Smart Cache has the infrastructure to perform upgrades that address security issues. It also supports continuous upgrades without manual intervention.
Installing Minimal Software
- For Smart Cache, the build images (OVAs for ESXi or Nutanix and VHDs for Hyper-V) include carefully curated packages to minimize the risk of potential security vulnerabilities arising from unknown or unnecessary third-party software.
- Egnyte neither allows nor supports installing any third-party software or libraries apart from the ones shipped with the Smart Cache product.
- Egnyte does not share root credentials with customers, as root access can lead to unwanted changes on the hybrid boxes.
Firewall and Port(s) Configuration
The Debian distribution comes with a built-in firewall. The most common form of firewall, and the one implemented first, is a set of packet-filtering rules built on the netfilter software, which consists of kernel modules and user-space tools provided by the Debian OS.
Users should allow (whitelist) the domains listed below on the HTTPS port (443) for outgoing traffic from the device. This must be configured on the company firewall or internet gateway.
| Firewall Whitelist for Storage Sync | Ports |
| --- | --- |
| egnyte.com | 443 |
| Turbo-gpg.egnyte.com | 443 |
| Turbo-pkg.egnyte.com | 443 |
| <Your_Egnyte_Domain>.egnyte.com | 443 |
| Sync-<Your_Egnyte_Domain>.egnyte.com | 443 |
| https://prod-logg8.egnyte-internal.com/ | 443 |
| *.egnyte-appliance.com | 443 |
Removal of Unnecessary Services
The process of creating an OVA or VHD for distribution is closely controlled, and only the necessary services are installed on the device.
SSH Service Protection
Smart Cache devices come with strong password protection for the root account.
- Smart Cache provides an admin login for performing a limited set of administrative tasks; the user can choose from a restricted set of 9 commands. Refer to the product guides for more details.
Port Allowlist (Whitelist)
Users need to open the following ports between the internal network and the Smart Cache device, or on the internet gateway.
| Port | Protocol | Purpose | Notes |
| --- | --- | --- | --- |
| 53 | TCP, UDP | Query the DNS server | Outbound |
| 123 | TCP, UDP | Synchronize time using NTP protocol | Bidirectional |
| 135, 139 | TCP | Used by NetBIOS, MSRPC | Bidirectional, restrict to internal networks only |
| 389, 636 | TCP, UDP | LDAP(S) | Bidirectional, restrict to internal networks only |
| 3268, 3269 | TCP | Global Catalog | Bidirectional, restrict to internal networks only |
| 88 | TCP, UDP | Kerberos | Bidirectional, restrict to internal networks only |
| 139, 445 | TCP | CIFS | Bidirectional, restrict to internal networks only |
| 443 | HTTPS | Sync, SS Management | Bidirectional, restrict to internal networks only |
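The port table above can be turned into an nftables input chain for the Debian 11 host firewall. The script below is an added example, not Egnyte's tooling; it assumes nftables is in use and uses a placeholder internal CIDR of 10.0.0.0/8 for the "restrict to internal networks only" rows.

```python
"""Added example (not Egnyte's tooling): render the Smart Cache port allowlist
as an nftables input chain for the Debian 11 host firewall.
Assumes nftables and a placeholder internal CIDR of 10.0.0.0/8."""
import ipaddress

# Rows copied from the port table: (ports, protocols, purpose, notes)
PORT_ALLOWLIST = [
    ("53", "TCP, UDP", "DNS", "Outbound"),
    ("123", "TCP, UDP", "NTP", "Bidirectional"),
    ("135, 139", "TCP", "NetBIOS, MSRPC", "Bidirectional, restrict to internal networks only"),
    ("389, 636", "TCP, UDP", "LDAP(S)", "Bidirectional, restrict to internal networks only"),
    ("3268, 3269", "TCP", "Global Catalog", "Bidirectional, restrict to internal networks only"),
    ("88", "TCP, UDP", "Kerberos", "Bidirectional, restrict to internal networks only"),
    ("139, 445", "TCP", "CIFS", "Bidirectional, restrict to internal networks only"),
    ("443", "HTTPS", "Sync, SS Management", "Bidirectional, restrict to internal networks only"),
]
INTERNAL_NET = "10.0.0.0/8"  # placeholder: replace with the site's internal network


def parse_row(row):
    """Split one table row into ports, L4 protocols and the two policy flags."""
    ports, protos, purpose, notes = row
    port_list = [int(p) for p in ports.split(",")]
    # HTTPS is an application protocol; at the packet filter it is plain TCP.
    proto_list = ["tcp" if p.strip().lower() == "https" else p.strip().lower()
                  for p in protos.split(",")]
    inbound = notes.lower().startswith("bidirectional")
    internal_only = "internal" in notes.lower()
    return port_list, proto_list, purpose, inbound, internal_only


def build_rules(allowlist=PORT_ALLOWLIST, internal_net=INTERNAL_NET):
    """Return one nft rule per (row, protocol) that must accept new inbound flows."""
    ipaddress.ip_network(internal_net)  # fail fast on a malformed CIDR
    rules = []
    for row in allowlist:
        ports, protos, purpose, inbound, internal_only = parse_row(row)
        if not inbound:
            continue  # outbound-only rows (DNS) are covered by the established/related rule
        src = f"ip saddr {internal_net} " if internal_only else ""
        plist = ", ".join(str(p) for p in ports)
        for proto in protos:
            rules.append(f'{src}{proto} dport {{ {plist} }} accept comment "{purpose}"')
    return rules


def render_ruleset(rules):
    """Drop-by-default input chain: loopback and reply traffic first, then the allowlist."""
    head = ["table inet smartcache {", "    chain input {",
            "        type filter hook input priority 0; policy drop;",
            "        iif lo accept", "        ct state established,related accept"]
    return "\n".join(head + [f"        {r}" for r in rules] + ["    }", "}"])


if __name__ == "__main__": print(render_ruleset(build_rules()))
```

The printed text can be reviewed and then loaded with `nft -f`; port 139 appears in two rows and therefore in two rules, which nftables accepts without conflict.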
SMB Security
SMB is an industry-standard protocol supported by the Smart Cache devices.
The Smart Cache product enforces SMB2 or higher through configuration applied at device installation time. The Hybrid SMB provides the following SMB security features:
1. Message Signing: The messages between the client and server are signed. It ensures data integrity and authenticity by detecting tampering and impersonation attacks.
2. Message Encryption: The messages between client and server are encrypted to protect against eavesdropping.
AD Requirement for Smart Cache Devices
An on-premises Microsoft Windows legacy Active Directory (AD) server setup is required in the user environment, and the values that end-users need to gather from the AD environment are given below.
For Smart Cache with the SMB mode configuration, there is only one requirement for the AD setup.
- In a Windows environment, any valid AD user can join up to 10 devices to the AD, while administrators are not subject to this limit.
- Therefore, for Smart Cache devices, either an admin or a non-admin user can be used to join the device to the AD.
Domain AD user (non-admin scenario) requirement:
Follow the steps below to set the permissions that allow users to be fetched with a normal AD user account:
- Go to the AD non-admin user, right-click and select Properties. Navigate to the Security tab and click Add.
- Provide the username that is used from the Storage Sync UI to join the AD domain (it is the same user that is created in the Egnyte domain users list, and it should be either an Administrator or a Service account).
- Provide Full Control permissions for the user.
Internal Security Processes
- Egnyte's security team performs regular vulnerability scans, including external pen tests and security scans at both the static and dynamic level.
- Egnyte uses the Wiz tool to perform security vulnerability scans.
- Software tools are used to ensure that the libraries used in the implementation have no known vulnerability that can impact end-users.
- Security signoff is mandatory for all Smart Cache software releases.