This page gives an overview of gateway security measures, most of which relate to a clustered gateway.
Hardened hosts
The gateway appliance is packaged as a VMware Open Virtual Appliance (OVA). The appliance runs a hardened version of Ubuntu 20.04.
The latest version of the gateway runs containerized services. Containers run on MicroK8s, which is a secure Kubernetes distribution from Canonical.
The operating system and Kubernetes are hardened to meet several industry-standard security requirements, including:
- Center for Internet Security (CIS) security benchmarks.
- Open Web Application Security Project® (OWASP) best practices for containers.
- Community-sourced hardening checks, such as:
Secure container images
All container images are hosted securely in Google Artifact Registry. A set of rigorous vulnerability scans is applied to container images, including:
Classic gateway hardening
The classic gateway appliance is packaged as a VMware Open Virtual Appliance (OVA) and ISO. The classic gateway appliance runs a hardened version of the Ubuntu 22.04 LTS server.
The operating system and all the internal packages and kernels used in the gateway are hardened to meet several industry-standard security requirements, including:
- Center for Internet Security (CIS) security benchmarks.
- Open Web Application Security Project® (OWASP).
OpsRamp uses the Tenable Nessus Professional scanner for hardening and security assessment.
Classic gateway antivirus
ClamAV, which is pre-packaged with the classic gateway, is an open-source antivirus engine that detects trojans, viruses, malware, and other malicious threats.
Key gateway antivirus features include:
- If a vendor update is available, the antivirus software version is updated with each gateway release.
- ClamAV performs an antivirus scan every day at 2:15 AM.
- ClamAV updates antivirus definitions once daily and requires outbound access to database.clamav.net on port 443. You must whitelist the associated IP address to get the latest antivirus definitions from the database.clamav.net download server.
Get the gateway antivirus version
- Log in to the gateway with the `ruser` account.
- Enter `dpkg -l | grep clamav`.
Disable ClamAV antivirus
By default, ClamAV antivirus is enabled. To disable ClamAV antivirus, or to stop gateway outbound communication with the ClamAV download server:
- Log in to the gateway as an admin user.
- Go to the Antivirus section.
- Disable the service.
- Save the change.
Virus definition out-of-date alert
If the virus definitions in the gateway are out of date, the gateway generates a Critical alert. This alert is generated only if the gateway's Antivirus service is enabled.
If the virus definitions in the gateway are up to date, the gateway generates a Heal alert.
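The `dpkg` version check and the out-of-date condition described above can be verified from the gateway shell with one script. This is an added example, not OpsRamp code: it assumes `clamscan` is on the gateway's PATH, and the three-day staleness threshold, the function names and the sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not OpsRamp code. Assumes clamscan is on the gateway's PATH.
MAX_AGE_DAYS=${MAX_AGE_DAYS:-3}  # assumed staleness threshold; the page states none

# Read `dpkg -l` output on stdin; print "name version" for installed ClamAV packages.
clamav_packages() {
    awk '$1 == "ii" && $2 ~ /clamav/ { print $2, $3 }'
}

# Read "YYYY M D" on stdin; print the day count since 1970-01-01.
day_number() {
    awk '{ y = $1; m = $2; d = $3
           if (m <= 2) { y--; m += 12 }
           era = int(y / 400); yoe = y - era * 400
           doy = int((153 * (m - 3) + 2) / 5) + d - 1
           print era * 146097 + yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy - 719468 }'
}

# Parse a `clamscan --version` banner, "ClamAV <engine>/<db version>/<db build date>",
# and print the build date as "YYYY M D". Prints nothing if no database is loaded.
defs_date() {
    printf '%s\n' "$1" | awk -F/ 'NF == 3 {
        n = split($3, t, " ")
        m = index("JanFebMarAprMayJunJulAugSepOctNovDec", t[2])
        if (n == 5 && m % 3 == 1) print t[5], (m + 2) / 3, t[3] }'
}

# Print OK, STALE or UNKNOWN for a banner, given today's date as "YYYY M D".
defs_status() {
    built=$(defs_date "$1")
    [ -n "$built" ] || { echo UNKNOWN; return 2; }
    age=$(( $(echo "$2" | day_number) - $(echo "$built" | day_number) ))
    if [ "$age" -gt "$MAX_AGE_DAYS" ]; then echo "STALE age_days=$age"; return 1; fi
    echo "OK age_days=$age"
}

# On the gateway:  dpkg -l | clamav_packages
#                  defs_status "$(clamscan --version)" "$(date -u '+%Y %m %d')"
# Constructed sample input, not captured from a real gateway:
SAMPLE_DPKG='ii  clamav            0.103.8-sample  amd64  anti-virus utility
ii  clamav-freshclam  0.103.8-sample  amd64  anti-virus utility
rc  clamav-daemon     0.103.6-sample  amd64  anti-virus utility'
SAMPLE_BANNER='ClamAV 0.103.8/26900/Mon May  1 08:21:52 2023'

printf '%s\n' "$SAMPLE_DPKG" | clamav_packages
defs_status "$SAMPLE_BANNER" "2023 05 11" || true
```

A `STALE` result while the Antivirus service is enabled usually points to blocked outbound access to database.clamav.net on port 443; `UNKNOWN` means the banner carried no definition database details.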
Next steps
See the Security Reference for more information.