What levels of encryption does Nimsoft support for the hub/robot?
UIM 8.5.x or later
Robot to Hub Encryption:
The robot communicates with the hub via a proprietary protocol over a TCP connection, to which varying degrees of encryption can be applied. This encryption is implemented via the well-known OpenSSL library using an SSL/TLS encryption stream. This is similar to, but not the same as, the encryption used for HTTPS communications. The robot/hub TCP listener will not communicate with web servers or browsers and does not use HTTP as the underlying protocol.
The robot/hub listener uses an SSL/TLS cipher suite that is configurable by the user. The cipher suites use selectable encryption algorithms and key lengths, which provide increasing degrees of cryptographic strength. Encryption strength ranges from none (for debugging and installation purposes) to strong. Please read the documentation for robot encryption (docs.nimsoft.com) to select the strength that meets your operational needs.
If you have a security scanner that is identifying an OpenSSL listener using a weak encryption cipher suite, please bear in mind that these scanners are looking for web servers with weak ciphers enabled, which is definitely a vulnerability for web servers, especially those exposed to the open Internet. This does not apply to internal applications using proprietary protocols.
For further reference, the following steps configure the hub-to-robot SSL encryption mode:
1. In the hub GUI Advanced setting pane, click on Settings.
2. This will pop up the Hub Advanced Settings window. In this window, select the SSL tab.
3. Instead of Normal mode, choose SSL only.
4. In the Cipher Type field, select the desired encryption strength. The value you enter in this text field is passed to the OpenSSL library as its cipherlist value.
5. For example, to select only the strongest encryption strengths, enter "HIGH:@STRENGTH" (without the quotes), which will give you only 128-bit and higher encryption, sorted by the strongest first.
6. Please note: Arbitrary selection of cipher strength may require detailed configuration by local systems administrators to implement the requirements of the selected protocols.
7. For more information on cipher suites and strengths please see the OpenSSL ciphers web page which explains the cipher string types, how they are constructed and lists examples:
Note: Elliptic Curve cipher suites are NOT supported.
Turning on SSL within the Hub Settings definitely slows performance. You would have to test it to assess the impact.
We use 128-bit key strength by default but you can configure and use a higher strength. Use of 128-bit cipher strength is by design. Robots must support weaker ciphers because hubs can support weaker ciphers, but it doesn't mean you have to use a weak cipher for tunneling or for robot communication as mentioned above.
Here are the encryption algorithms we use for the different settings in the hub.
SSL using cipher: NULL-MD5 SSLv3 Kx=RSA Au=RSA Enc=None Mac=MD5
SSL using cipher: RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
SSL using cipher: DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
SSL using cipher: DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
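The cipher descriptions listed above use the same layout that `openssl ciphers -v` prints for a cipher string. As an added example (not CA/Nimsoft code), the Python below parses such lines and flags the properties a scanner typically reports; the rules in `findings` are this example's own assumptions, and the sample input is built from the four lines above.

```python
import re

# Sample input constructed from the four cipher lines listed in the article.
HUB_CIPHER_LINES = """\
SSL using cipher: NULL-MD5 SSLv3 Kx=RSA Au=RSA Enc=None Mac=MD5
SSL using cipher: RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
SSL using cipher: DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
SSL using cipher: DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
"""

LINE_RE = re.compile(r"^(?:SSL using cipher:\s*)?(?P<name>\S+)\s+(?P<proto>\S+)\s+(?P<attrs>.*)$")
ENC_RE = re.compile(r"^(?P<alg>[^()]+?)(?:\((?P<bits>\d+)\))?$")

def parse_cipher_line(line):
    """Split one description line into name, protocol and Kx/Au/Enc/Mac fields."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised cipher line: {line!r}")
    attrs = dict(tok.split("=", 1) for tok in m["attrs"].split() if "=" in tok)
    enc = ENC_RE.match(attrs.get("Enc", ""))
    if not enc:  # a missing or garbled Enc= field must not pass as "encrypted"
        raise ValueError(f"no Enc= field in: {line!r}")
    return {"name": m["name"], "proto": m["proto"], "kx": attrs.get("Kx", ""),
            "au": attrs.get("Au", ""), "enc": enc["alg"],
            "bits": int(enc["bits"] or 0), "mac": attrs.get("Mac", "")}

def findings(c):
    """Reasons a suite is weak or unusable (rules are assumptions of this example)."""
    out = []
    if c["enc"] == "None":
        out.append("no encryption")
    elif c["enc"] in ("RC4", "DES", "3DES", "RC2") or c["bits"] < 128:
        out.append("weak encryption")
    if c["mac"] == "MD5":
        out.append("MD5 MAC")
    if c["kx"] == "RSA":
        out.append("no forward secrecy")
    if c["kx"].startswith("EC") or c["au"].startswith("EC"):
        out.append("elliptic curve suite")  # the article says these are not supported
    return out

def audit(text):
    """Map cipher name -> list of findings for every non-blank line."""
    return {c["name"]: findings(c)
            for c in map(parse_cipher_line, filter(str.strip, text.splitlines()))}

if __name__ == "__main__":
    for name, issues in audit(HUB_CIPHER_LINES).items():
        print(f"{name:22} {', '.join(issues) or 'ok'}")
```

The output of `openssl ciphers -v` for a candidate Cipher Type value can be passed to `audit` unchanged to see which suites that string would admit before it is entered in the hub.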