* Deployed as a virtual machine or hardware appliance.
* Application built on top of Debian 7.5 Stable (Wheezy).
* MySQL used for data storage.
* The Nervepoint application server component is written in Java 7 using industry-standard
components including Spring, Jetty 9.2.9.v20150224 and others.
* Webmin is provided for virtual machine configuration. This will be phased out in a future
* The web server provides two services: a web-based UI for browsers, and a JSON-based
RPC protocol used by the Mobile Application and the Windows "Desktop".
* Nervepoint web user interface uses the Wicket 7 framework.
* On initial install the end user is required to define a unique root password.
* The operating system can only be accessed locally.
* There is no direct remote access for maintenance. When required, our support staff use the
customer-initiated "support callback", which is a reverse SSH tunnel.
* Customers should firewall Webmin (port 10000).
* For version 1.3, the VNC ports should also be firewalled (this is done by default through the VMCentre firewall).
* MySQL only accepts local connections (from Nervepoint).
* The MySQL access account has a unique, randomly generated password.
* The MySQL root password is set to the same value as the system root password.
* All user secrets (answers, PINs, passphrases) are stored by default as one-way hashes.
An optional, less secure two-way mode may be enabled by the administrator where they are
* The encryption mode is now configurable.
* "Drupal7" (a clone of Drupal 7's password algorithm) is the default for hashing: salted, iterated SHA-512.
* AES-256 is the default for two-way encryption (key obfuscated).
* FIPS mode (using a software or hardware token).
* All other, non-secret data is stored unencrypted in MySQL's data format.
* All communication with the server is over SSL. The customer must purchase and install a signed
certificate. This applies to the web interface, mobile access and desktop access.
* Weak SSL ciphers and protocols are disabled by default.
* Connections to directories are secured. SSL must be used for Active Directory (although a
read-only mode is possible over an unencrypted connection).
* The server may restrict desktop access and browser access to specified IP ranges.
* Password reset, account unlock and login attempts are all limited to a maximum number of
attempts within a given time period.
* Captchas may be used during authentication to further protect against brute-force attacks.
* Multi-factor authentication options include SMS, OTP, passphrase, PIN, captcha and IP authentication.
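As an added worked example (not code from the Nervepoint product), the following Python implements the "Drupal7" hashing scheme listed above, so that an administrator can see exactly what a stored one-way hash looks like and how it is verified. It follows the algorithm in Drupal 7's password.inc: the stored string is "$S$", one character encoding the log2 iteration count, an 8-character salt, then a phpass-style base64 encoding of the SHA-512 result, truncated to 55 characters; the digest is SHA-512 over salt+password, re-applied 2^count_log2 further times over digest+password. The function and constant names and the fixed salt used in the demonstration are this example's own, not the product's.

```python
import hashlib
import hmac
import os
from typing import Optional

# Alphabet used by phpass/Drupal for both the salt and the custom base64 output.
ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
HASH_LENGTH = 55            # DRUPAL_HASH_LENGTH: stored value is truncated to this
DEFAULT_COUNT_LOG2 = 16     # DRUPAL_HASH_COUNT: 2**16 iterations
MIN_COUNT_LOG2, MAX_COUNT_LOG2 = 7, 30


def phpass_base64(data: bytes) -> str:
    """phpass-style base64: 6-bit groups taken little-endian from 24-bit words,
    no padding, using ITOA64 rather than the RFC 4648 alphabet."""
    out = []
    i, n = 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return ''.join(out)


def generate_setting(count_log2: int = DEFAULT_COUNT_LOG2) -> str:
    """'$S$' + cost character + 8-character salt derived from 6 random bytes."""
    if not MIN_COUNT_LOG2 <= count_log2 <= MAX_COUNT_LOG2:
        raise ValueError('count_log2 must be between 7 and 30')
    return '$S$' + ITOA64[count_log2] + phpass_base64(os.urandom(6))


def crypt(password: str, setting: str) -> Optional[str]:
    """Hash `password` under `setting` (either a fresh setting or a stored hash,
    whose first 12 characters carry the cost and salt). Returns the 55-character
    stored form, or None if the setting is malformed or the cost is out of range."""
    setting = setting[:12]
    if not setting.startswith('$S$') or len(setting) != 12:
        return None
    count_log2 = ITOA64.find(setting[3])
    if not MIN_COUNT_LOG2 <= count_log2 <= MAX_COUNT_LOG2:
        return None                       # refuses absurdly cheap or expensive costs
    salt = setting[4:12].encode('utf-8')
    pw = password.encode('utf-8')
    digest = hashlib.sha512(salt + pw).digest()
    for _ in range(1 << count_log2):      # Drupal's do { ... } while (--count)
        digest = hashlib.sha512(digest + pw).digest()
    # The full output would be 12 + 86 characters; Drupal keeps only the first 55.
    return (setting + phpass_base64(digest))[:HASH_LENGTH]


def hash_password(password: str, count_log2: int = DEFAULT_COUNT_LOG2) -> str:
    """Produce a new stored hash with a fresh random salt."""
    result = crypt(password, generate_setting(count_log2))
    assert result is not None
    return result


def check_password(password: str, stored: str) -> bool:
    """Recompute under the stored cost and salt; compare in constant time."""
    computed = crypt(password, stored)
    return computed is not None and hmac.compare_digest(computed, stored)


def stored_cost(stored: str) -> int:
    """log2 iteration count a stored hash was produced with, or -1 if unparseable.
    Handy for auditing a database for hashes made at a lower cost than the default."""
    if not stored.startswith('$S$') or len(stored) < 4:
        return -1
    return ITOA64.find(stored[3])


if __name__ == '__main__':
    h = hash_password('correct horse battery staple')
    print(h, stored_cost(h), check_password('correct horse battery staple', h))
```

check_password() recomputes the hash from the prefix of the stored value, so the cost and salt never need to be stored separately; stored_cost() reads the cost character back, which lets you check a database dump for entries produced at a weaker cost than the current default.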
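The attempt limiting described above (login, password reset and account unlock each capped within a time limit) can be expressed as a sliding-window counter keyed by operation and subject. This is an added illustration, not the product's code: the page gives no numbers, so the policy values below (5 login attempts per 15 minutes, 3 reset or unlock attempts per hour) and the class and method names are assumptions.

```python
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, Tuple

# Assumed policy: operation -> (max attempts, window in seconds).
DEFAULT_POLICY: Dict[str, Tuple[int, int]] = {
    'login': (5, 15 * 60),
    'reset': (3, 60 * 60),
    'unlock': (3, 60 * 60),
}


class AttemptLimiter:
    """Sliding-window attempt counter keyed by (operation, subject).

    The subject is whatever the caller wants to throttle: an account name to
    stop brute force against one account, or a client address to slow attempts
    spread across many accounts. Consult one limiter per key type.
    """

    def __init__(self, policy: Dict[str, Tuple[int, int]] = DEFAULT_POLICY,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.policy = policy
        self.clock = clock          # injectable so tests can control time
        self._log: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)

    def _prune(self, key: Tuple[str, str], now: float) -> Deque[float]:
        """Drop timestamps that have fallen out of this operation's window."""
        _, window = self.policy[key[0]]
        entries = self._log[key]
        while entries and now - entries[0] >= window:
            entries.popleft()
        return entries

    def record(self, operation: str, subject: str) -> bool:
        """Register one attempt and return True if it is still within the limit.

        Call this before verifying the credential so that every attempt, successful
        or not, is counted. Attempts over the limit are still recorded, so a client
        that keeps hammering keeps extending its own lockout.
        """
        limit, _ = self.policy[operation]
        now = self.clock()
        entries = self._prune((operation, subject), now)
        entries.append(now)
        return len(entries) <= limit

    def retry_after(self, operation: str, subject: str) -> float:
        """Seconds until the next attempt would be allowed (0.0 if allowed now)."""
        limit, window = self.policy[operation]
        now = self.clock()
        entries = self._prune((operation, subject), now)
        if len(entries) < limit:
            return 0.0
        # The next attempt is allowed once enough old entries expire that
        # fewer than `limit` remain in the window.
        blocking = entries[len(entries) - limit]
        return max(0.0, window - (now - blocking))

    def clear(self, operation: str, subject: str) -> None:
        """Forget recorded attempts, e.g. after a successful login or reset."""
        self._log.pop((operation, subject), None)


if __name__ == '__main__':
    limiter = AttemptLimiter()
    for attempt in range(7):
        allowed = limiter.record('login', 'alice')
        print(attempt + 1, 'allowed' if allowed else 'blocked',
              round(limiter.retry_after('login', 'alice')), 's')
```

Keeping separate windows per operation matters: a caller locked out of login must not be able to use the reset or unlock flow as an unlimited oracle, and the reset flow's own, tighter limit applies there independently.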