Hi,
I know we have sha1 or sha256 encryption in terms of security, but can someone please explain whether 52311 is a secure port or not, if we talk about DMZ communication?
It depends on how you have communications configured.
Have you enabled encryption between clients and Relays?
By default, the information is not encrypted. Look into Message Level Encryption for more information.
52311 is just a port. The way the clients are configured determines how encryption is done. sha1 and sha256 values are file attributes and don't have anything to do with security, other than confirming that all of the file has been collected, or that it's the correct file and hasn't been switched out for another on the other end.
Thanks Tim, but what if we implement relay client authentication? Will that suffice for the requirement in terms of security on 52311, and which one is better between MLE and relay client authentication?
So MLE is for encrypting the reports the clients compile, and they can only be decrypted by relays that contain the certificate to decrypt them. Relay/client authentication is a little different. Each client is given a certificate when it connects to your BigFix deployment. If your relays are configured to be authenticating relays, the clients would need to already have a certificate before the relay will authenticate the client and allow gathers and report posting.
For some additional clarification: since 9.0, clients will always attempt to use a secure HTTPS connection when talking to a relay (authenticating or not), but it requires a client certificate to exist, as jmaple mentioned. If a relay is not configured to be authenticating, then the relay will also accept HTTP connections as a fallback, which can be used to generate the needed client certificate.
For DMZ relays, we recommend configuring them as authenticating, so they only allow HTTPS connections. This means that clients will need to initially register with a different non-authenticating relay, or via password to an authenticating relay, in order to generate the certificate used in all HTTPS communication going forward.
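The replies above make the point that 52311 is just a port number: whether the traffic on it is protected depends on how the relay and clients are configured. A practical way to check a DMZ relay from the outside is to see whether the port still answers plaintext HTTP at all, or only completes a TLS handshake. The script below is an added example, not code from this thread or from BigFix; it assumes only what the replies state (a non-authenticating relay answers plain HTTP on the same port it serves HTTPS on, an authenticating relay does not), and it ships with a constructed local plaintext server as a stand-in so it can be run offline. Note the caveat: a successful TLS handshake says nothing about whether MLE or client authentication is actually enforced; this probe only inspects the transport.

```python
"""Probe a relay port (default 52311) to see whether it still talks plaintext HTTP.

Added example, not part of the original forum thread or of BigFix itself.
Assumption (from the replies above): a non-authenticating relay accepts plain
HTTP as a fallback on the same port; an authenticating relay accepts only HTTPS.
"""
import socket
import ssl
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

RELAY_PORT = 52311  # default BigFix relay port; an assumption, change to match your deployment


def looks_like_http_response(data: bytes) -> bool:
    """True if the bytes begin with an HTTP status line such as b'HTTP/1.0 200 OK'."""
    return data.startswith(b"HTTP/1.") and b" " in data[:16]


def probe_plain_http(host: str, port: int, timeout: float = 3.0) -> bool:
    """Send a cleartext GET and report whether the relay answered in the clear."""
    request = f"GET / HTTP/1.0\r\nHost: {host}:{port}\r\n\r\n".encode()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            return looks_like_http_response(sock.recv(64))
    except OSError:  # refused, reset, timed out, or the peer did not speak HTTP
        return False


def probe_tls(host: str, port: int, timeout: float = 3.0):
    """Attempt a TLS handshake; return (protocol, cipher) on success, None on failure.

    Certificate verification is disabled on purpose: a relay presents a certificate
    issued by the deployment's own CA, and here we only want to know whether the
    port negotiates TLS at all, not whether our trust store knows that CA.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cipher = tls.cipher()
                return (tls.version(), cipher[0] if cipher else None)
    except OSError:  # ssl.SSLError and socket timeouts are both OSError subclasses
        return None


def classify(plain_ok: bool, tls_ok: bool) -> str:
    """Map the two probe results to what they imply about the relay's configuration."""
    if tls_ok and not plain_ok:
        return "tls-only (consistent with an authenticating relay)"
    if tls_ok and plain_ok:
        return "tls-plus-plaintext-fallback (non-authenticating relay)"
    if plain_ok:
        return "plaintext-only (no TLS offered on this port)"
    return "no-http-service (port closed, filtered, or not a relay)"


def probe_relay(host: str, port: int = RELAY_PORT, timeout: float = 3.0) -> str:
    """Run both probes against host:port and return the classification string."""
    plain_ok = probe_plain_http(host, port, timeout)
    tls_ok = probe_tls(host, port, timeout) is not None
    return classify(plain_ok, tls_ok)


class _OkHandler(BaseHTTPRequestHandler):
    """Minimal handler for the constructed stand-in server below."""

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Length", "2")
        self.end_headers()
        self.wfile.write(b"ok")

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_plaintext_stand_in():
    """Constructed stand-in for a relay that still answers plain HTTP (no TLS at all).

    Returns (server, port). Call server.shutdown() when done.
    """
    server = HTTPServer(("127.0.0.1", 0), _OkHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    server, port = start_plaintext_stand_in()
    try:
        print(f"127.0.0.1:{port} -> {probe_relay('127.0.0.1', port, timeout=1.0)}")
    finally:
        server.shutdown()
    # Against a real DMZ relay: print(probe_relay("relay.dmz.example", RELAY_PORT))
```

Run it as-is to see the plaintext stand-in classified as `plaintext-only`; point `probe_relay` at a real relay to see whether the port still accepts the HTTP fallback. A DMZ relay that has been made authenticating, as recommended above, should come back as `tls-only`, while a relay that still accepts registrations over HTTP will show the fallback.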