Nodegrid OS Security Considerations
    • 08 Aug 2024

    Security is core to ZPE Systems and the Nodegrid product line, from the initial design of each new functionality to its final and operational deployment.

    Nodegrid appliances are based on the x86_64 Intel architecture, and the Nodegrid OS is built on top of a current Linux kernel. Security best practices can be applied just as they are on regular servers.

    This document's purpose is to present the security aspects of the Nodegrid product line.

    The Nodegrid OS incorporates a robust Zero Trust Security Framework, structured around the following components.

    Vendor: Presents the Nodegrid vendor-level security posture in terms of:

    1. Certifications: FIPS 140-2, FIPS 140-3 status and Compliance with PCI-DSS.

    2. Vulnerability and Penetration tests: Coverity Scan, Qualys Vulnerability Scan, Customer Penetration testing, Blackduck Scan, and CVEs.

    3. Secure Software Development Life Cycle (SSDLC).

    Software: Describes the security properties and functionalities of the Nodegrid OS in terms of:

    • Security packages and cipher suites: critical open-source security packages (e.g., OpenSSL, OpenSSH, Apache web server) are updated frequently.

    • General guidelines for securing the appliance, such as Fail2ban intrusion prevention, service configuration (allow only the protocols and ciphers you need and lock down what is not required), firewall (Linux iptables), and geofencing.

    • SSL certificates management, including the creation of a CSR.

    • VPNs: WireGuard (client/server), IPsec (site-to-site, with PSK or certificate-based keys) and SSL (client/server).

    • VPNs via VNFs (Palo Alto, Juniper, …) running on the Nodegrid hypervisor (KVM).

    • 802.1X network port authentication.

    • Clustering, in mesh and star mode (via SSL tunnels).

    • AAA, including groups and user permissions, with strong password enforcement.

    • Fine-grained authorization and RBAC (Role-Based Access Control).

    • Authentication servers: LDAP/AD, RADIUS, TACACS+.

    • 2-Factor Authentication with OTP or RSA.

    • Single Sign-On via SAML 2.0, with Duo, Okta, Ping Identity, Microsoft ADFS (Active Directory Federation Services), and Microsoft Azure AD.

    • Events and alerts: audit trail logs, compliance and protection events, and forwarding to third parties: files, a Syslog server, an SNMP manager (traps), email, and Splunk.

    • Configuration checksum and change detection.

    • Configuration reset button.
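    One way to implement the configuration checksum and change detection idea listed above, shown here as an added example and not as Nodegrid's own mechanism: snapshot a SHA-256 digest per configuration file, fold those into one overall digest that an operator stores (or alerts on), and on the next scan classify every file as added, removed or modified. The directory layout, file names and contents in `demo()` are constructed for the illustration.

```python
import hashlib
import tempfile
from pathlib import Path

CHUNK = 65536


def file_sha256(path):
    """SHA-256 hex digest of one file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def checksum_tree(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): file_sha256(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def overall_checksum(tree):
    """Single digest over the whole baseline (sorted path/digest pairs).

    This is the one value an operator records or alerts on; it changes when
    any file is added, removed or modified.
    """
    h = hashlib.sha256()
    for path, digest in sorted(tree.items()):
        h.update(f"{path}\0{digest}\n".encode())
    return h.hexdigest()


def diff_baseline(baseline, current):
    """Classify the differences between a stored baseline and a fresh scan."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            p for p in baseline.keys() & current.keys() if baseline[p] != current[p]
        ),
    }


def demo():
    """Constructed scenario: snapshot a config tree, alter it, detect the changes."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        # Constructed sample configuration files (not Nodegrid files).
        (root / "sshd.conf").write_text("Ciphers aes256-gcm@openssh.com\n")
        (root / "firewall.rules").write_text("-A INPUT -p tcp --dport 22 -j ACCEPT\n")
        (root / "legacy.conf").write_text("Protocol telnet\n")

        baseline = checksum_tree(root)          # what the operator would store
        baseline_digest = overall_checksum(baseline)

        # Constructed changes: loosen the firewall, delete a file, add a file.
        (root / "firewall.rules").write_text("-A INPUT -j ACCEPT\n")
        (root / "legacy.conf").unlink()
        (root / "extra.conf").write_text("Unexpected\n")

        current = checksum_tree(root)
        report = diff_baseline(baseline, current)
        report["changed"] = overall_checksum(current) != baseline_digest
        return report


if __name__ == "__main__":
    print(demo())
```

    Storing the baseline digest somewhere the appliance cannot silently rewrite (a log forwarder or a separate host) is what makes the comparison worth anything; a per-file report like the one `diff_baseline` returns is what turns a bare "checksum changed" alert into something an operator can act on.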

    Hardware: Describes the hardware security properties and functionalities of Nodegrid in terms of:

    • TPM (Trusted Platform Module): UEFI boot with a signed OS.

    • Password-protected boot and BIOS.

    • Secure Erase.

    • Self-Encrypting Drive: solid-state disk with a self-encrypting hardware controller.

    Security aspects: Describes other security aspects, such as the integration of Nodegrid with the third-party systems CyberArk and Delinea.

    Nodegrid’s Zero Trust Security Framework is illustrated in the following diagram.

    Appendix: Lists copies of the NSA security recommendation, the results of the Coverity Scan and Qualys Vulnerability Scan, the list of CVEs, the letter of volatility, the attestation of PCI-DSS certification, and the list of firewall rules of the Nodegrid device.
