Gateway Security

This gives an overview of gateway security measures, most of which relate to a clustered gateway.

Hardened hosts

The gateway appliance is packaged as a VMware Open Virtual Appliance (OVA). The appliance runs a hardened version of Ubuntu 20.04.

The latest version of the gateway runs containerized services. Containers run on MicroK8s, which is a secure Kubernetes distribution from Canonical.

The operating system and Kubernetes are hardened to meet several industry standard security requirements, including:

• Center for Internet Security (CIS) security benchmarks.

• Open Web Application Security Project® (OWASP) best practices for containers.

• Community-sourced hardening checks, such as:

  • Conduro
  • Konstruktoid

Secure container images

All container images are hosted securely in Google Artifact Registry. A set of rigorous vulnerability scans are applied to container images, including:

• Google Container Analysis
• Tenable Nessus scanner

Classic gateway hardening

The classic gateway appliance is packaged as a VMware Open Virtual Appliance (OVA) and ISO. The classic gateway appliance runs a hardened version of the Ubuntu 22.04 LTS server.

The operating system and all the internal packages, and kernels used in the gateway are hardened to meet several industry-standard security requirements, including:

• Center for Internet Security (CIS) security benchmarks.
• Open Web Application Security Project® (OWASP) .

OpsRamp uses Tenable Nessus Professional scanner for hardening and security assessment.

Classic gateway antivirus

ClamAV, which is pre-packaged with the classic gateway, is an open-source antivirus engine that detects trojans, viruses, malware, and other malicious threats.

Key gateway antivirus features include:

• If a vendor update is available, the antivirus software version is updated with each gateway release.
• ClamAV performs an antivirus scan every day at 2:15 AM.
• ClamAV updates antivirus definitions once daily and requires outbound access to database.clamav.net on port 443. You must whitelist the associated IP address to get the latest antivirus definitions from the database.clamav.net download server.

Get the gateway antivirus version

1. Log in to the gateway with the ruser account
2. Enter dpkg -l | grep clamav.

Disable ClamAV antivirus

By default, ClamAV antivirus is enabled. If you want to disable ClamAV antivirus or do not want gateway outbound communication with the ClamAV DL server:

1. Log in to the gateway as an admin user.
2. Go to the Antivirus section.
3. Disable the service.
4. Save the change.

Virus definition out-of-date alert

If the virus definitions in the gateway are out of date; the gateway will generate a Critical alert. This alert will be generated only if the gateway’s Antivirus service is enabled.

If the virus definitions in the gateway are up to date; the gateway will generate a Heal alert.

Next steps

See the Security Reference for more information.