Securing Messaging Gateway Best Practices

Article ID: 235571


Products

Messaging Gateway

Issue/Introduction

Security policy requires that Messaging Gateway (SMG) be secured from unauthorized access beyond its default configuration.

Environment

Versions: All

Resolution

Vulnerability Scans

Messaging Gateway (SMG) is a secure and hardened appliance / virtual machine solution which is scanned for known vulnerabilities as part of the standard software development process. Where possible, vulnerabilities are addressed either through replacement of the affected component, configuration, or software patch of the vulnerable component as part of the normal software update and patch release process.

When conducting vulnerability scans of the Messaging Gateway system, the SMG should first be updated to the latest release and all available patches applied.

The underlying SMG operating system requires no additional "hardening" from its default installation provided that the software version is up to date and all available patches have been applied.

There are a number of SMG services which can be further secured via IP access control lists (ACL) or increased protocol security.

  • Administrator Account Security
  • Securing the Control Center Web Application
  • Securing the SMTP Service
  • Securing the Directory Data Service
  • Securing the Command Line Interface

Administrator Account Security

Messaging Gateway administrator policy groups can be populated with both local administrator accounts and Active Directory / LDAP users or groups if Directory Integration has been configured. For Active Directory / LDAP based administrator accounts, it is expected that password complexity and expiration policies will be set at the AD level. For local administrator accounts, please ensure that the following options are set in Administration > Administrators:

  • Require strong passwords is checked
  • Password expiration is set to a time limit which aligns with your security policy
  • Control Center Administrator accounts other than the default 'admin' account are assigned to an administration policy group which provides the minimum system rights needed to perform their job functions i.e. in accordance with the principle of least privilege

Note that the default admin account cannot be deleted, but if another account has Full Administration rights, the default admin account can have its access level reduced.

Securing the Control Center Web Application

The SMG Control Center web application may be further secured by setting a network access control list to limit which IPs can connect to the web application. Additionally, the minimum TLS protocol level for the web application can be set from the admin command line (CLI).

  • Updating the Control Center web interface TLS certificate
  • Configuring the Control Center web application network access control list
  • Setting the Control Center web application minimum TLS level

Updating the Control Center web interface TLS certificate

The Messaging Gateway Control Center ships with a demonstration TLS certificate which ensures that connections to the Control Center web interface and REST API are encrypted. The demo certificate is not signed by a trusted third party, however, so connecting web browsers will warn that the identity of the server cannot be confirmed. To address this, install an updated TLS certificate signed by a trusted third party:

  1. Requesting a Certificate Authority signed certificate
  2. Importing a Certificate Authority signed certificate
  3. Designating a Control Center certificate

Configuring the Control Center web application network access control list

    1. Log into the SMG Control Center as an administrator with Manage Settings rights (the default admin account and administrators with Full Admin Rights have this right)
    2. Go to Administration > Control Center > Access
    3. Select "Only the following hosts"
    4. Enter the IP addresses or networks you wish to allow to connect to the SMG Control Center either for administration, quarantine access, or API access.
    5. Click Save

In the event that an error was made in setting the Control Center web application network access control list, the ACL can be reset from the admin CLI via the following command:

delete bbchostacl

Setting the Control Center web application minimum TLS level

In its default configuration, the Messaging Gateway Control Center web interface will allow TLS 1.0 secured connections for backwards compatibility with some older web browsers. This may be flagged as a security concern by vulnerability scanners. The process to set the minimum TLS version for HTTPS sessions is as follows:

    1. Log into the admin CLI via ssh / putty
    2. Run the following command to set the minimum TLS level for the Control Center web application (this will restart the Control Center GUI):
      cc-config set-min-tls-level --tls12

The minimum TLS level can be set to TLS 1.0, TLS 1.1, or TLS 1.2.

Note: Due to an issue with the upgrade to SMG 10.7.5, the minimum TLS level is reset to TLS 1.0 following the upgrade and cannot be changed, although SMG will report that it is limited to later protocol versions. Please see "TLS 1.0 allowed for Control Center connection regardless of cc-config set-min-tls-level in Messaging Gateway version 10.7.5" to address this.
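Because the configured minimum and the behaviour on the wire can differ, as in the 10.7.5 note above, it is worth confirming the setting from a client. The following is an added example, not part of the original article or the product; the host name and port 443 are placeholders.

```python
import socket
import ssl

# Protocol versions the article says the Control Center can be limited to.
VERSIONS = {
    "TLS 1.0": ssl.TLSVersion.TLSv1,
    "TLS 1.1": ssl.TLSVersion.TLSv1_1,
    "TLS 1.2": ssl.TLSVersion.TLSv1_2,
}
ORDER = ["TLS 1.0", "TLS 1.1", "TLS 1.2"]


def handshake_ok(host, port, name, timeout=5.0):
    """True if the server completes a handshake pinned to exactly one version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # protocol probe only: the demo
    ctx.verify_mode = ssl.CERT_NONE  # certificate would fail validation
    ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # let the client offer legacy TLS
    ctx.minimum_version = VERSIONS[name]
    ctx.maximum_version = VERSIONS[name]
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except (ssl.SSLError, ConnectionResetError):
        return False  # handshake refused; other network errors propagate


def below_minimum(host, port, minimum, probe=handshake_ok):
    """Return the versions older than `minimum` that the server still accepts."""
    older = ORDER[:ORDER.index(minimum)]
    return [name for name in older if probe(host, port, name)]


if __name__ == "__main__":
    # smg.example.com:443 is a placeholder, not a value from the article.
    leaked = below_minimum("smg.example.com", 443, "TLS 1.2")
    print("accepted below minimum:", leaked or "none")
```

A client whose OpenSSL build or system policy disables TLS 1.0 or 1.1 cannot offer those versions, so an empty result from such a client does not prove the server rejects them.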

Securing the SMTP Service

In its default configuration the Messaging Gateway mail server will allow encryption to be negotiated using SSLv3, TLS 1.0, TLS 1.1, and TLS 1.2. Encryption protocols below TLS 1.2 are currently viewed as insecure and potentially vulnerable to exploitation. To bring the SMTP TLS communication into alignment with current encryption standards, the minimum TLS version should be increased to TLS 1.2 and the key exchange cipher list should be restricted to disallow insecure Diffie-Hellman key exchange.

  • Setting the minimum TLS level for SMTP communication
  • Restricting TLS ciphers used by the SMTP service

Setting the minimum TLS level for SMTP communication

    1. Log into the SMG Control Center as an administrator with Manage Settings rights (the default admin account and administrators with Full Admin Rights have this right)
    2. Go to Protocols > Setting > SSL Restrictions
    3. Check the "Disable support for... " checkbox and set the TLS protocol level to disallow. All lower protocol versions are also disallowed.
    4. Click Save

Restricting TLS ciphers used by the SMTP service

Please see "Messaging Gateway and Diffie-Hellman key length" for details on restricting ciphersuites and key exchange algorithms.

Securing the Directory Data Service

  • Using LDAPS for directory server connections
  • Requirements for LDAP server TLS certificate validation

Using LDAPS for directory server connections

    1. Log into the Control Center as an admin with administrator rights
    2. Go to Administration > Directory Integration
    3. Under LDAP server configuration select "Enable SSL"
    4. Ensure that the LDAP server port used is either port 636 or the TCP port used for LDAPS by your directory server
    5. Click Save

Requirements for LDAP server TLS certificate validation

The TLS certificate presented by the AD/LDAP server needs to have either the hostname or IP used in the Messaging Gateway LDAP server configuration configured as a Subject Alternative Name (SAN) in the certificate. Certificate validation may work if the hostname is listed in the certificate's Subject distinguished name as the common name, but use of the SAN extension is preferred.
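The SAN requirement above can be checked before enabling SSL in Directory Integration. This added example (not from the original article, and not SMG's own validator) classifies a certificate against the configured LDAP host; the certificate dictionaries use the layout of Python's ssl.SSLSocket.getpeercert() and the sample values are constructed.

```python
import ipaddress

# Constructed samples in the dict layout of ssl.SSLSocket.getpeercert().
SAMPLE_SAN = {
    "subject": ((("commonName", "dc01.corp.example"),),),
    "subjectAltName": (("DNS", "dc01.corp.example"),
                       ("IP Address", "192.0.2.10")),
}
SAMPLE_CN_ONLY = {"subject": ((("commonName", "dc02.corp.example"),),)}


def _dns_match(pattern, host):
    """Case-insensitive match; '*' may stand in for the left-most label only."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        return "." in h and h.split(".", 1)[1] == p[2:]
    return p == h


def classify(cert, configured_host):
    """Return 'san', 'cn-only' or 'mismatch' for the configured LDAP host.

    'san' is the preferred case; 'cn-only' means the name appears only as
    the Subject common name, which the article says may work.
    """
    try:
        want_ip = ipaddress.ip_address(configured_host)
    except ValueError:
        want_ip = None  # configured value is a hostname, not an IP
    for kind, value in cert.get("subjectAltName", ()):
        if want_ip is not None and kind == "IP Address":
            if ipaddress.ip_address(value) == want_ip:
                return "san"
        elif want_ip is None and kind == "DNS":
            if _dns_match(value, configured_host):
                return "san"
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and _dns_match(value, configured_host):
                return "cn-only"
    return "mismatch"
```

A 'cn-only' result is the cue to reissue the directory server certificate with the hostname or IP in the SAN extension.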

Securing the Command Line Interface

  • Setting the SSH network access control list
  • Limiting SSH ciphers and hash algorithms

Setting the network access control list for the SMG ssh interface

    1. Log into the SMG admin command line
    2. Allow access for networks or hosts that can connect to the admin command line via ssh
      sshd-config --add allow 192.168.1.0/24
    3. Deny access to all other networks / hosts
      sshd-config --add deny ALL

Note: You MUST set the allowed networks and hosts before denying access to all other connections otherwise you risk being unable to connect to the SMG command line.

Limiting SSH ciphers and hash algorithms

Some vulnerability scanners will raise alerts regarding the SMG SSH service accepting some CBC ciphers, MAC algorithms, or key exchange algorithms. To further secure and limit the ciphers used by the SMG command line SSH service please see