The purpose of this article is to provide comprehensive instructions and best practices for securing Storage Sync devices against vulnerabilities, threats, and unauthorized access.
The aim is to strengthen the security posture of the Operating System (OS) through configurations, policies, and controls that mitigate risk and protect sensitive data.
Regular OS Upgrades
- For Storage Sync, the base OS is the Debian 11 Linux distribution, and the device should be on the latest 11.x OS version.
- If the OS version is earlier than 11.x, the device is likely an older Storage Sync model that needs to be upgraded to the latest 13.x Storage Sync version, which is compatible with the 11.x OS.
- Storage Sync has the infrastructure to perform upgrades that address security issues. Storage Sync supports both manual and automatic upgrades.
- Egnyte recommends the Automatic option for Storage Sync upgrades so that the device always has the latest product and security updates.
- For Storage Sync, security patches are delivered through an internal module called Orchestrator, which manages the retrieval of third-party package dependencies on the Debian OS.
- The process is fully automated and handled entirely by the Orchestrator.
Installing Minimal Software
- For Storage Sync, the build images (OVAs for ESXi and VHDs for Hyper-V) include carefully curated packages to minimize the risk of potential security vulnerabilities arising from unknown or unnecessary third-party software.
- Egnyte does not allow or support installing any third-party software or libraries apart from those shipped with the Storage Sync product.
- Egnyte does not share root credentials with users, as this can lead to unwanted changes on the hybrid boxes.
Firewall and Port(s) Configuration
Debian ships with a built-in firewall: packet filtering is implemented by the netfilter framework, a set of kernel modules and user-space tools that apply rule sets to traffic.
The Debian OS provides both the filters and the kernel modules.
Storage Sync uses iptables to explicitly open a few ports and close the remaining ones, based on business requirements.
Users should allowlist the domains listed below on HTTPS port (443) for outgoing traffic from the device. This must be done on the company firewall or internet gateway.
| Firewall Whitelist for Storage Sync | Ports |
| --- | --- |
| egnyte.com | 443 |
| Turbo-gpg.egnyte.com | 443 |
| Turbo-pkg.egnyte.com | 443 |
| <Your_Egnyte_Domain>.egnyte.com | 443 |
| Sync-<Your_Egnyte_Domain>.egnyte.com | 443 |
| https://prod-logg8.egnyte-internal.com/ | 443 |
| *.egnyte-appliance.com | 443 |
Removal of Unnecessary Services
The process of creating an OVA or VHD for distribution is closely controlled and only the necessary services are installed on the device.
SSH Service Protection
Storage Sync devices ship with strong password protection for the root account.
- For Storage Sync, root login is not allowed over SSH.
Port Allowlist (Whitelist)
Users need to open the following ports between the internal network and the Storage Sync device, or on the internet gateway.
| Port | Protocol | Purpose | Notes |
| --- | --- | --- | --- |
| 53 | TCP, UDP | Query the DNS server | Outbound |
| 123 | TCP, UDP | Synchronize time using NTP protocol | Bidirectional |
| 135, 139 | TCP | Used by NetBIOS, MSRPC | Bidirectional, restrict to internal networks only |
| 389, 636 | TCP, UDP | LDAP(S) | Bidirectional, restrict to internal networks only |
| 3268, 3269 | TCP | Global Catalog | Bidirectional, restrict to internal networks only |
| 88 | TCP, UDP | Kerberos | Bidirectional, restrict to internal networks only |
| 139, 445 | TCP | CIFS | Bidirectional, restrict to internal networks only |
| 443 | HTTPS | Sync, SS Management | Bidirectional, restrict to internal networks only |
| 8806, 8807 | HTTP | SS Management | Bidirectional, restrict to internal networks only |
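The port allowlist above, turned into a reviewable iptables ruleset. This is an added example, not Egnyte's own tooling; `INTERNAL_NET` is an assumed placeholder for the site's internal range, and the rules are printed rather than applied so they can be checked before use.

```shell
# Added example (not Egnyte's tooling): generate an iptables ruleset from the
# port allowlist table in this guide. Rules are printed, not applied.
INTERNAL_NET="10.0.0.0/8"   # assumed placeholder for the site's internal range

# Rows constructed from the guide's table: ports | protocols | notes
PORT_TABLE='53|TCP,UDP|Outbound
123|TCP,UDP|Bidirectional
135,139|TCP|Bidirectional,restrict
389,636|TCP,UDP|Bidirectional,restrict
3268,3269|TCP|Bidirectional,restrict
88|TCP,UDP|Bidirectional,restrict
139,445|TCP|Bidirectional,restrict
443|HTTPS|Bidirectional,restrict
8806,8807|HTTP|Bidirectional,restrict'

# The table labels HTTP/HTTPS by application protocol; iptables needs tcp/udp.
transport() {
  case "$1" in
    HTTP|HTTPS) echo tcp ;;
    *) echo "$1" | tr 'A-Z' 'a-z' ;;
  esac
}

# Rules for one row: every row gets an OUTPUT rule; "Bidirectional" rows also
# get an INPUT rule, and "restrict" limits that INPUT rule to INTERNAL_NET.
# Outbound destinations (the egnyte.com allowlist on 443) stay with the
# company firewall, which is where the guide says they are enforced.
rules_for_row() {
  ports=$1; protos=$2; notes=$3
  src=""
  case "$notes" in *restrict*) src="-s $INTERNAL_NET " ;; esac
  for proto in $(echo "$protos" | tr ',' ' '); do
    t=$(transport "$proto")
    case "$notes" in *Bidirectional*)
      echo "iptables -A INPUT ${src}-p $t -m multiport --dports $ports -j ACCEPT" ;;
    esac
    echo "iptables -A OUTPUT -p $t -m multiport --dports $ports -j ACCEPT"
  done
}

# Default-deny policy, then the allowlisted ports: "open a few, close the rest".
generate_rules() {
  printf '%s\n' "iptables -P INPUT DROP" "iptables -P OUTPUT DROP"
  echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  echo "$PORT_TABLE" | while IFS='|' read -r ports protos notes; do
    rules_for_row "$ports" "$protos" "$notes"
  done
}

generate_rules
```

Port 139 appears in two table rows, so it is emitted twice; the duplicate rule is harmless but can be dropped when the output is reviewed.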
SMB Security
SMB is an industry-standard protocol supported by Storage Sync devices.
The product enforces SMB2 or higher through configuration applied at device installation time. The Hybrid SMB provides the following SMB security features:
1. Message Signing: Messages between the client and server are signed. This ensures data integrity and authenticity by detecting tampering and impersonation attacks.
2. Message Encryption: Messages between the client and server are encrypted to protect against eavesdropping.
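The three controls above (SMB2 or higher, signing, encryption) expressed as Samba `smb.conf` settings. This is an added illustration, not the configuration shipped on Storage Sync, and it assumes the device's SMB service is Samba, which the guide does not state.

```ini
[global]
    # Refuse SMB1 (NT1) clients entirely: SMB2 or higher only
    server min protocol = SMB2
    client min protocol = SMB2
    # Message signing: sessions that do not sign are rejected
    server signing = mandatory
    # Message encryption: sessions that cannot negotiate encryption are rejected
    smb encrypt = required
```

SMB encryption is an SMB3 feature, so with `smb encrypt = required` clients that only speak SMB2.x will be refused.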
AD Requirement for Storage Sync Devices
An on-prem Microsoft Windows legacy Active Directory (AD) server setup is required in the user environment; the values that end users need to gather from the AD environment are listed below.
For Storage Sync configuration, the two requirements listed below are needed for the AD setup.
- In a Windows environment, any valid AD user can join up to 10 devices to the AD; an administrator is not subject to this limit.
- Therefore, for Storage Sync devices, either an admin or a non-admin user can be used to join the device to the AD.
- However, Storage Sync performs a user mapping that is specific to the product: it maps AD users to their respective cloud users. This mapping runs every 4 hours; to build it, Storage Sync pulls the users from the local AD and from the cloud.
- Users can join the device to AD with temporary domain admin or domain AD user credentials, and can operate day to day with AD users with lowered permissions (as described in the section below).
Domain AD user (non-admin scenario) requirement:
Follow the steps below to set the permissions for fetching users from a regular AD user account:
- Go to an AD non-admin user, right-click and select the user's Properties. Navigate to the Security tab and click Add.
- Provide the username that is used from the Storage Sync UI to join the AD domain (it is the same user that is created in the Egnyte domain users list, and it should be either an Administrator or a Service account).
- Grant Full Control permissions to the user.
- Configure the domain administrator account so that password updates occur infrequently. Updates to the Domain Administrator account might unbind the Storage Sync device from the domain controller. If the password expires, user mapping will not happen. End users will not lose connectivity, but users added after the password expiry will not be able to use the Storage Sync SMB (ELC) share. The administrator will then need to re-bind the Storage Sync device to the Domain Controller.
- Storage Sync will not be able to auto-map users to the device from the secondary Domain Controller; however, users will still have access to the Storage Sync share if the primary Domain Controller fails. Storage Sync can connect to a maximum of two Domain Controllers.
Internal Security Processes
- Egnyte's security team performs regular vulnerability scans, including external penetration tests and security scans at both the static and dynamic levels.
- Egnyte uses the Wiz tool to perform security vulnerability scans.
- Software tools are used to ensure that the libraries used in the implementation have no known vulnerabilities that could impact end users.
- Security signoff is mandatory for all Storage Sync software releases.