It is assumed that the usual standards of corporate security are followed when integrating SSH Tectia Manager into an existing environment.
Pay attention to the following security issues:
The Management Server host root accounts must be limited to authorized superusers, only.
The Management Server does not contain passwords or other access data for opening terminals to the monitored hosts, only for controlling the Management Agents.
The Management Server (dbsrv8) accepts connections from the network by default (port 2638). It is important to change the default password.
There should be no unnecessary open ports on the managed hosts.
The administrator group roles can be segregated according to the allowed host groups and management actions.
The Management Agent and administration interface connections are TLS-secured. The weak TLS ciphers (56-bit keys) are NOT supported by the web administration interface.
All administrator actions, including logins and logouts, are stored in the administrator audit log.
The Management Agent runs with root or admin privileges (system service or daemon).
The web-server administrator access is allowed via an encrypted tunnel only.
Critical database contents are 3DES-encrypted (host PSKs, admin passwords).
In case you identify any further issues compromising system security, please inform Tectia, see instructions at http://www.tectia.com/support/.
Please note that this Administrator Manual does NOT detail general security precautions that are required when incorporating a system such as SSH Tectia Manager into a production environment. These issues include:
Hardening the SSH Tectia Manager host on the operating system level
The physical security of the SSH Tectia Manager and its Management Server
The security on administrator workstations connecting to the Management Server through the administration interface (for example, turning off browser password caching).