I’m really confused as to exactly what encryption methods are enabled when IEM (v9.1) Enhanced Security is activated. I’ve searched the documentation and forum material but I’m still none the wiser.
However, looking at the screen where Enhanced Security is enabled, it states that TLS 1.2 relates to all HTTPS communication, which to me only relates to the link between the IEM Console and Server (or between WebReports and the Server):
The reason I ask is that I’m designing an IEM implementation for a very security conscious customer and need to show that their Encryption Standards are being adhered to.
My questions are as follows:
With Enhanced Security enabled, does this enable TLS 1.2 encryption between the IEM server and the IEM Clients?
a) If so what is actually encrypted?
b) How is this implemented - for example, is it a single encrypted pipe between each IEM Client and the IEM Server? Or is it established between a Client and a Relay, with another encrypted pipe then created between the Relay and the IEM Server?
c) TLS typically uses port 443 - so would we need to also open that port if TLS is enabled (or is it a hybrid TLS implementation which uses the 52311 port)?
If TLS 1.2 encrypts the communications between IEM Client and Server what additional encryption does MLE provide?
a) Why would you need MLE if TLS 1.2 encrypts the Client/Server communication?
Same question for Client Mailboxing?
If an Authenticating Relay is configured - the documentation still talks about the clients authenticating with SSL - is this still correct if Enhanced Security is enabled? Or is TLS 1.2 now used - or is it a different mechanism? (Any details on how this actually works under the covers would be much appreciated.)
With the different encryption pipes, where and when are the AES-256 and RSA 2048-bit encryption algorithms used in the IEM system?
I am replying to “shake the dust” off of this chain. I am getting similar questions regarding Client/Server communication within my organization and online searches are thus far less than fruitful. Perhaps you were able to get your questions answered elsewhere @DrLarryDunn?
ability to force SHA-256 over SHA-1 instead of merely preferring it
uses TLS 1.2 for all agent to relay, relay to server communications
root certificate key strength increased from 1024 to 4096 bits
(Note that enabling enhanced security will result in loss of management of any agents or relays with version less than 9.1)
This is effectively dropping all HTTP communications, so you're securing the connection itself.
About MLE - Enabling Message Level Encryption allows your agents to encrypt the upstream data itself using a combination of an RSA public/private key-pair and an AES session key.
Client Mailboxing - You would use client Mailboxing if you wanted to securely encrypt the downstream data itself e.g. for passing down a password to the agent.
Regarding #4, the gather traffic (when a client goes to gather site information from its parent relay), the actual payload site data is not encrypted unless you have enabled client-relay authentication.
This is only recommended on public facing relays where gather traffic happens across the Internet, not for relays that are internal to your organization’s network.
The assumption is that the network channels within your organization or through VPN are already encrypted or trusted, so adding this additional layer of protection is of no benefit and it only increases the manageability of the deployment (increasing the potential for problematic configurations or failure scenarios).
Confidentiality
MLE - encrypts reporting data (from client to server)
Client-Relay authentication - encrypts gather data (from server/relay to client)
Integrity
Enhanced Security is more about preserving the integrity of signed messages and downloads
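As an added example (not code from the original post, and not BigFix's actual MLE implementation or wire format), the following Go program shows the hybrid scheme the reply above describes for MLE: the client encrypts the report itself with a fresh AES session key and encrypts only that key to the server's RSA public key, so a relay that forwards the message cannot read it. The Envelope type, the SealReport/OpenReport names, the 2048-bit RSA key, RSA-OAEP with SHA-256, AES-256-GCM and the sample report are all assumptions chosen for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is this example's hypothetical message format (NOT the real MLE
// format): an RSA-wrapped AES-256 session key plus the AES-GCM nonce and
// ciphertext of the report. Relays forward it without being able to open it.
type Envelope struct {
	WrappedKey []byte // AES-256 session key, RSA-OAEP(SHA-256)-encrypted to the server's public key
	Nonce      []byte // 96-bit AES-GCM nonce, unique per message
	Ciphertext []byte // AES-256-GCM ciphertext followed by the 16-byte authentication tag
}

// GenerateServerKey creates the server-side key pair. 2048 bits matches the
// RSA key size asked about in the thread.
func GenerateServerKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// SealReport is the client side: a random AES-256 session key encrypts the
// report, and only that key is RSA-encrypted. The report never travels in
// a form that anyone without the server's private key can decrypt.
func SealReport(serverPub *rsa.PublicKey, report []byte) (*Envelope, error) {
	sessionKey := make([]byte, 32) // 32 bytes = AES-256
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, report, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// OpenReport is the server side: unwrap the session key with the private key,
// then decrypt and authenticate the report. Any change to the envelope in
// transit (by a relay or on the wire) makes the GCM tag check fail.
func OpenReport(serverPriv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, serverPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap session key: %w", err)
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(env.Nonce) != gcm.NonceSize() { // gcm.Open panics on a bad nonce length
		return nil, errors.New("bad nonce length")
	}
	report, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("decrypt/authenticate report: %w", err)
	}
	return report, nil
}

func main() {
	priv, err := GenerateServerKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample report; real upstream data would be client reports.
	report := []byte("constructed sample: hostname=ws01 os=Windows status=ok")
	env, err := SealReport(&priv.PublicKey, report)
	if err != nil {
		panic(err)
	}
	out, err := OpenReport(priv, env)
	fmt.Println("server decrypted report ok:", err == nil && bytes.Equal(out, report))

	env.Ciphertext[0] ^= 0x01 // a relay or attacker flips one bit
	_, err = OpenReport(priv, env)
	fmt.Println("tampered envelope rejected:", err != nil)
}
```

The TLS connection that Enhanced Security enforces secures each link the message travels over; the envelope above is opened only by the holder of the private key, whichever intermediaries forwarded it, which is the additional property the question about MLE is asking after. The tamper check at the end shows why an authenticated mode (GCM here) matters: a modified report is rejected rather than decrypted to garbage.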