Issue:
NetBotz v3 Appliance Security Information
Product Line:
NetBotz v3 (355, 450, 455, 550, & 570)
Environment:
NetBotz (all firmware versions)
Resolution:
Network Protocols and Ports
| Protocol | Transfer Protocol | Port(s) | Disposition | Network | Credentials/Access | Encryption | Comments |
| --- | --- | --- | --- | --- | --- | --- | --- |
| FTP | TCP | 21 | Outbound - Not configured by default | FTP traffic from the NetBotz depends on alarm policy configuration and number of alarms. | As specified in the FTP remote server settings | Not supported by FTP | |
| Telnet | TCP | 23 | Disabled by default | Network requirements are low based on user input. | | Not supported by telnet. | Should only be open temporarily for support reasons. |
| SMTP | TCP | 25 | Outbound - Not configured by default | Network requirements are low. Email traffic from the NetBotz depends on alarm policy configuration and number of alarms occurring. | As specified in email settings. | Requires STARTTLS extension | Communication with email server |
| DNS | UDP | 53 | Outbound - Not configured by default | Very limited traffic and bandwidth requirement | As specified in external system configuration | Not supported | DNS server communication |
| DHCP Client | UDP | 68 | Outbound - Enabled only when DHCP IP address acquisition is enabled | Very limited traffic and bandwidth requirement | No credentials available | Not supported by DHCP | |
| HTTP | TCP (SSL) | 80 (443) | Inbound (default) | Network speed of minimum 100Mbps is recommended. Bandwidth usage between client and server heavily depends on number of discovered devices, alarm configuration and operations carried out in the client, e.g. report generation. | Manually created user and password (default apc/apc). Authentication server integration support. There is no option to reset client user password. Password policy is not implemented in NetBotz. The password consists of ASCII characters. | Server and client negotiate SSL cipher type and key length | Communication from NetBotz Appliances / DCE Console / Web API and 3rd party integrations. |
| NFS | TCP/UDP | 111 | Depending on system integration | | As specified in external system configuration | Not supported by protocol | NFS mounted external drive |
| NTP | TCP | 123 | | Very limited traffic and bandwidth requirement | As specified in time settings | Depending on system integration | NTP server communication |
| SMB | TCP/UDP | 139 | Depending on system integration | | As specified in system storage settings | Depending on system integration | SMB communication to NAS/SAN |
| SNMP | UDP | 161 | Inbound / Outbound - Enabled by default | The bandwidth needed heavily depends on number of discovered devices, polling interval configured and alarm activity in the system. | Specified in device SNMP configuration. Default community string: public | SNMPv3 offers encryption as configured | Change the default community strings and avoid SNMPv1 when possible |
| SNMP (Trap) | UDP | 162 | | The bandwidth needed heavily depends on number of discovered devices, polling interval configured, and alarm activity in the system. | Specified in device SNMP configuration | SNMPv3 offers encryption as configured | SNMP communication between discovered devices and DCE |
| CIFS | TCP | 445 | Depending on system integration | | As specified in external system configuration | Depending on system integration | CIFS communication to NAS/SAN |
| ModbusTCP | TCP | 502 | | The bandwidth needed heavily depends on number of discovered devices, polling interval configured, and alarm activity in the system. | Not supported by ModbusTCP | Not supported by ModbusTCP | ModbusTCP communication from Modbus Device/Gateway |
| Rsyslog | UDP | 514 | Disabled by default | Depends on configuration | Not supported by rsyslog | Not supported by rsyslog | |
| Socks | | 1080 | Disabled by default | Depends on traffic over HTTP and HTTPS ports | As specified by the Socks proxy server | | |
| NFS | TCP/UDP | 2049 | Depending on system integration | | As specified in external system configuration | Not supported by protocol | NFS communication to NAS/SAN |
Firewall Configuration
- NetBotz includes an IP Filtering feature. Configure IP Filtering in Advanced View.
Cybersecurity Considerations
- Where possible, disable all unnecessary services (SNMP, HTTP, etc.).
- Use strong encryption (AES for SNMPv3, HTTPS, etc.).
- Change the default password and use passwords that are considered strong.
- If SNMP is required, consider changing the V1 community strings, and do not use SNMPv1 thereafter. Use SNMPv3 instead, configured with SHA and AES-128.
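
One way to check appliances against the port table and considerations above is to audit scan results for inbound listeners the page says to disable or restrict. This is an added example, not Schneider Electric code: it assumes the scan was saved in nmap's grepable (`-oG`) format, and the `192.0.2.x` hosts and sample lines are constructed.

```python
import re

# Listeners the page treats as acceptable once hardened (HTTPS).
EXPECTED = {(443, "tcp")}

# Findings paraphrase the page's table and "Cybersecurity Considerations".
GUIDANCE = {
    (23, "tcp"): "Telnet is disabled by default; open only temporarily for support",
    (80, "tcp"): "Plain HTTP is reachable; disable it and use HTTPS",
    (161, "udp"): "SNMP is reachable; disable it, or change the community "
                  "strings and use SNMPv3 with SHA and AES-128",
}
UNLISTED = "Not an inbound service in the port table; review and restrict with IP Filtering"

# Only ports nmap reports as definitely open are counted.
PORT_RE = re.compile(r"\b(\d+)/open/(tcp|udp)/")


def audit(grepable: str) -> dict:
    """Return {host: sorted [(port, transport, finding), ...]} for open ports."""
    report = {}
    for line in grepable.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # skip comments and "Status:" lines
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        findings = []
        for port, proto in PORT_RE.findall(ports_field):
            key = (int(port), proto)
            if key not in EXPECTED:
                findings.append((key[0], proto, GUIDANCE.get(key, UNLISTED)))
        report[host] = sorted(findings)
    return report


# Constructed sample input (documentation-range addresses).
SAMPLE = (
    "Host: 192.0.2.10 ()\tStatus: Up\n"
    "Host: 192.0.2.10 ()\tPorts: 23/open/tcp//telnet///, 80/open/tcp//http///, "
    "443/open/tcp//https///, 161/open/udp//snmp///\tIgnored State: closed (996)\n"
    "Host: 192.0.2.11 ()\tPorts: 443/open/tcp//https///, 161/closed/udp//snmp///\n"
    "Host: 192.0.2.12 ()\tPorts: 21/open/tcp//ftp///, 443/open/tcp//https///\n"
)

if __name__ == "__main__":
    for host, findings in audit(SAMPLE).items():
        for port, proto, msg in findings:
            print(f"{host} {port}/{proto}: {msg}")
```

An open UDP 161 listener does not show which SNMP version is accepted, so a finding on that port still needs the SNMP settings on the appliance checked.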