How we can prove that all communication is secure? Is there anything we can prove with client logs or something else?
What encryption methods are currently used.
How secure is the communication between BES Clients and BES Relays (and Relay to Relay / Root as well),
How is the BES Client/BES Relay initial handshake handled?
When we create a Software distribution package, which which security authentication is used there ?
I need to share this content with my security team exactly how BigFix secures all of its communication, and how each endpoint trusts the infrastructure.
I tried searching for the documents but i have not found any, i need to share this report with the team.
There is a private key that is the root of trust for all bigfix content in your environment. Only the root server has a copy of it. Access to this private key and BESAdmin is secured with a password.
The matching public key is in the masthead file that is required for clients to join and trust the bigfix root server. With this public key they can validate all content the bigfix root server provides. Since all content is signed with the private key and validated with this public key, it isnât possible for someone to modify bigfix content and actions and get downstream clients to accept it, even if they had compromised a bigfix relay and directly modified files. This means even without any encryption, you canât get BigFix clients to accept or run something arbitrary.
In the default setup, any client with the masthead can join a bigfix environment, but this is no longer the case if you enable âClient Authenticationâ on the relays. At this point, a client can only join bigfix if they have a prior connection and have attained a client certificate. This is the ârightâ way to have BigFix relays that allow connections from outside the corp network. (DMZ relays) You could also enable this for internal relays, but then you must provide an extra mechanism for all clients to join bigfix, which could be a password or a one time token.
I believe all content is gathered from relays over SSL, as well as any client reports sent up to relays is over SSL. But there is actually an additional protection available called Message Encryption. If enabled in BESAdmin, then client reports are additionally encrypted at rest such that only the root server or top level relays can decrypt them. This added protection is such that if a BigFix relay were to be compromised, then client reports being passed to that relay could not be decrypted unless it happened to be a âdecrypting relayâ which is generally only the root server or top level relays.
Relays do send UDP notifications to clients. These notifications themselves are not encrypted or secured, but they also do not contain any content. They only serve to let clients know that there is something new for it to gather, at which point the client reaches out over a secure TCP connection to get the content from the relay. This allows BigFix clients to be responsive without having to wait around for them to check for new content on an interval and instead check nearly real time.
Communication using an authenticated relay is a two-way trusted and private communication channel that uses SSL to encrypt all communications. However, communication between a non-authenticating relay and its children is not encrypted unless it is an encrypted report or a mailboxed action or file.
I just realized I didnât fully answer this part.
BigFix content uses prefetches to download software for installation. The prefetch itself is in the content and canât be modified because the content itself is signed. The prefetch includes the Size of the payload, the SHA1, and SHA256. The size and hashes are used to ensure the payload that is downloaded has not been modified.
Do also consider the advanced security settings in the BESAdmin tool. If you turn this on, TLS 1.2 will be used for all the Server <> Relay <> Client communication. Under the same configuration tab, you can configure the use of SHA256 as well.
Note: With 1.2 TLS, itâs necessary to modify several other pieces in the BES stack as well.
Web Reports requires the property _WebReports_HTTPServer_RequireTLS12 = 1
Notification service steps:
Open \BigFix Enterprise\BES Server\Applications\NotificationService\apps\ns-notifier\app\server\notifier_server.js
Towards the bottom of that file, add the line highlighted (and donât forget to add the comma to the end of the âpassphraseâ line too)
var options = { key: key, cert: cert, passphrase: âCBFACC092A654f2bBF06EF73FCA3DA41â, secureProtocol: âTLSv1_2_server_methodâ };
Identify and kill any processes associated with the NSâs notifier component
Note1: Change is supposed to stay through BigFix upgrades.
Note2: BigFix is considering modifying task 2240 with an option to configure the notification service to use TLS 1.2 (01/02/2020 - Ticket CS0074217)
Hi @jgstew Thanks for the above clarification for my issue and sorry for replying so late as i was busy with all my other activities, yes i will share you my report once i get the final version of the report. There have been a lot of changes in the report and i am still in the process of making it. Once i am done with the final report i will surely share it here.
I donât think there are any significant differences between the versions with respect to that article.
Thatâs about Relay Authentication, which absolutely should be turned on for any Internet-facing relays.
If you enable Enhanced Security with the BESAdmin Tool, then itâs TLS 1.2 exclusively. With Enhanced Security turned off, Iâm not certain but it supports at least 1.1 and possibly even 1.0