The collector is designed to allow secure and reliable data transmission between the EventSentry agents and the collector. Most of the security settings described below only apply when TLS communication is enabled.
Certificates for TLS communication are created automatically by the collector when the service starts for the first time. Certificates are created with a bit length of 2048 bits (1024 bits on Windows Server 2003) using SHA256 as the signature algorithm.
The agent(s) and collector negotiate the most secure cipher available on both hosts. The cipher actually used depends on the operating system as well as on the Schannel configuration of Windows, on both the client (agent) and the server (collector).
It is recommended to run the collector on a newer version of Windows (Server 2012 or higher) if possible, to ensure that the most secure ciphers are available.
Default Security Features
The following security features are always enabled, regardless of the security level selected below.
When an EventSentry agent connects to a collector for the first time, it generates a unique id as well as a shared secret (password), which it sends to the collector over an encrypted TLS channel. The collector then stores the shared secret locally and associates it with the remote host's unique id. Once the shared secret is associated with the remote host, only connection attempts which match the locally stored shared secret will be accepted. This ensures that a remote host cannot be impersonated.
Certificate Validation (Agents)
When an agent connects to a collector for the first time, it downloads the remote host's certificate and caches it locally. Any future connection attempts to the same collector compare the certificate presented by the collector with the locally cached certificate. The connection is aborted by the agent if the certificates do not match.
Security Levels
The collector supports 3 different security levels as well as IP-level access lists to ensure that only authorized hosts are able to connect to the collector. The security levels are cumulative: the medium security level requires that the checks from the basic security level pass, and the high security level requires that the checks from both the basic and medium security levels pass.
Network-based authorizations (authorized and blocked networks) are always evaluated before the checks of the selected security level are performed.
Basic
Lets any EventSentry agent with a valid shared secret connect.
Medium
The remote host name (which is sent by the agent in an authorization packet, based on the agent's host name) must be in an EventSentry group in order to connect.
High
A reverse IP lookup of the connecting host must resolve to a host in a group. For example, if a host with IP address 192.168.1.50 connects, then the collector will attempt to perform a reverse lookup and will then attempt to find the resulting host name in an EventSentry group.
Reset Certificate
Resetting the collector certificate is only necessary under the following circumstances:
• The certificate has been compromised and needs to be replaced
• The certificate needs to be replaced with a different certificate
• The remote hosts have a different certificate for the collector host cached and are rejecting the collector
When resetting the certificate, the following actions are performed:
1. The existing certificate is renamed (to preserve the certificate)
2. A new certificate will be created when the EventSentry Collector is restarted
3. Remote agents will be authorized to accept a new certificate for up to 1 week
After clicking the "Reset Certificate" button, the following actions need to be performed:
1. The configuration needs to be pushed to all remote hosts
2. The EventSentry Collector service needs to be restarted
Reset Shared Secrets
Resetting shared secrets is only necessary if a remote EventSentry agent is re-installed without first being removed from the configuration. Clicking the "Reset Shared Secrets" button will erase the entire local shared secret database and accept new shared secrets from all remote hosts, as if they were connecting for the first time.
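The trust-on-first-use behaviour described above for shared secrets and for agent-side certificate caching, together with the one-week window opened by "Reset Certificate" and the effect of "Reset Shared Secrets", modelled as an added Python example that is not EventSentry's own code. The certificate bytes, the use of a SHA-256 fingerprint as the cached value, the hashing of stored secrets, and the way the reset window is represented (a timestamp the agent compares against) are constructed assumptions for the illustration.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

# Constructed stand-ins for the collector's DER certificate bytes (not real certificates).
COLLECTOR_CERT_V1 = b"CONSTRUCTED-COLLECTOR-CERT-v1"
COLLECTOR_CERT_V2 = b"CONSTRUCTED-COLLECTOR-CERT-v2"


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of the certificate bytes; used here as the cached value (assumption)."""
    return hashlib.sha256(cert_der).hexdigest()


class AgentTrustStore:
    """Agent side: caches the collector certificate on first contact and rejects any change,
    unless a certificate reset has opened a limited window for accepting a new one."""

    def __init__(self) -> None:
        self.pinned: dict[str, str] = {}                 # collector -> cached fingerprint
        self.accept_new_until: dict[str, datetime] = {}  # collector -> end of reset window

    def authorize_new_certificate(self, collector: str, now: datetime, days: int = 7) -> None:
        """Models the pushed configuration after 'Reset Certificate': accept a new cert for up to a week."""
        self.accept_new_until[collector] = now + timedelta(days=days)

    def check_collector(self, collector: str, cert_der: bytes, now: datetime) -> bool:
        presented = cert_fingerprint(cert_der)
        cached = self.pinned.get(collector)
        if cached is None:                       # first connection: cache what was presented
            self.pinned[collector] = presented
            return True
        if hmac.compare_digest(cached, presented):
            return True
        window_end = self.accept_new_until.get(collector)
        if window_end is not None and now <= window_end:
            self.pinned[collector] = presented   # rotation inside the reset window
            del self.accept_new_until[collector]
            return True
        return False                             # mismatch: the agent aborts the connection


class CollectorSecretStore:
    """Collector side: the first shared secret seen for a unique id is stored; later
    connections must present the same secret. Storing a hash is this example's choice."""

    def __init__(self) -> None:
        self.secrets: dict[str, str] = {}        # agent unique id -> sha256(shared secret)

    def authenticate(self, agent_id: str, shared_secret: str) -> bool:
        digest = hashlib.sha256(shared_secret.encode()).hexdigest()
        stored = self.secrets.get(agent_id)
        if stored is None:
            self.secrets[agent_id] = digest      # first contact: associate the secret with the id
            return True
        return hmac.compare_digest(stored, digest)

    def reset_shared_secrets(self) -> None:
        """Models 'Reset Shared Secrets': forget every secret; all agents re-register on next connect."""
        self.secrets.clear()


def new_agent_identity() -> tuple[str, str]:
    """What an agent generates on first start: a unique id and a random shared secret."""
    return secrets.token_hex(16), secrets.token_urlsafe(32)


if __name__ == "__main__":
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    agent = AgentTrustStore()
    print(agent.check_collector("collector01", COLLECTOR_CERT_V1, now))  # True: cached
    print(agent.check_collector("collector01", COLLECTOR_CERT_V2, now))  # False: mismatch
    agent.authorize_new_certificate("collector01", now)
    print(agent.check_collector("collector01", COLLECTOR_CERT_V2, now + timedelta(days=2)))  # True
    collector = CollectorSecretStore()
    agent_id, secret = new_agent_identity()
    print(collector.authenticate(agent_id, secret), collector.authenticate(agent_id, "wrong"))
```

The agent-side store shows why the "Reset Certificate" procedure needs the configuration pushed first: without a reset window, a collector presenting a different certificate is simply rejected, which is exactly the third circumstance listed above.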
Authorized and blocked networks can be specified to either:
• allow only certain hosts or subnets access
• block certain hosts or subnets
Authorized Networks
Specifies all authorized networks. All subnets/hosts are authorized when this list is empty. Blocked networks take precedence over authorized networks.
Blocked Networks
Specifies all subnets/hosts which are not allowed to connect. Blocked hosts always take precedence over authorized hosts.
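The evaluation order described for the security levels and for the authorized and blocked network lists (network lists first, blocked winning over authorized, an empty authorized list allowing all, and cumulative basic/medium/high checks), as an added Python example that is not EventSentry's own code. The group membership set, the reverse-DNS table, the reason strings and the exact-match rule for host names are constructed assumptions for the illustration.

```python
import ipaddress
from enum import IntEnum
from typing import Callable, Iterable, Optional


class SecurityLevel(IntEnum):
    BASIC = 1    # valid shared secret only
    MEDIUM = 2   # + host name reported by the agent must be in a group
    HIGH = 3     # + reverse lookup of the connecting IP must resolve to a host in a group


# Constructed sample data standing in for EventSentry groups and for DNS PTR records.
GROUP_MEMBERS = {"web01", "db01"}
REVERSE_DNS = {"192.168.1.50": "web01", "192.168.1.51": "db01", "10.0.0.9": "laptop-guest"}


def in_any_network(ip: str, networks: Iterable[str]) -> bool:
    """True if ip falls inside any of the given hosts/subnets (CIDR or single address)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in networks)


def network_permits(ip: str, authorized: Iterable[str], blocked: Iterable[str]) -> bool:
    """Blocked networks win over authorized ones; an empty authorized list allows all."""
    if in_any_network(ip, blocked):
        return False
    authorized = list(authorized)
    return not authorized or in_any_network(ip, authorized)


def authorize_connection(
    ip: str,
    reported_hostname: str,
    shared_secret_ok: bool,
    level: SecurityLevel,
    authorized: Iterable[str] = (),
    blocked: Iterable[str] = (),
    group: set = GROUP_MEMBERS,
    reverse_lookup: Callable[[str], Optional[str]] = REVERSE_DNS.get,
) -> tuple[bool, str]:
    """Returns (accepted, reason). Network lists are evaluated before any level check,
    and the levels are cumulative: HIGH also runs the BASIC and MEDIUM checks."""
    if not network_permits(ip, authorized, blocked):
        return False, "rejected by network list"
    if not shared_secret_ok:                                           # BASIC
        return False, "shared secret mismatch"
    if level >= SecurityLevel.MEDIUM and reported_hostname not in group:  # MEDIUM
        return False, "reported host name not in any group"
    if level >= SecurityLevel.HIGH:                                    # HIGH
        ptr = reverse_lookup(ip)
        if ptr is None or ptr not in group:
            return False, "reverse lookup did not resolve to a group member"
    return True, "accepted"


if __name__ == "__main__":
    # A host whose agent claims a valid group name but whose PTR record does not match
    # passes MEDIUM and fails HIGH, which is the difference between the two levels.
    print(authorize_connection("10.0.0.9", "web01", True, SecurityLevel.MEDIUM))
    print(authorize_connection("10.0.0.9", "web01", True, SecurityLevel.HIGH))
    print(authorize_connection("192.168.1.50", "web01", True, SecurityLevel.HIGH,
                               authorized=["192.168.1.0/24"], blocked=["192.168.1.50"]))
```

Note that the high level only adds value when the reverse zone for the agent subnets is maintained: an agent whose address has no PTR record, or a stale one, is refused even with a correct shared secret and group membership.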