=============================
Architecture and Security 1.2
=============================

Application Architecture
========================

* Deployed as a virtual machine or hardware appliance.

* Application built on top of Debian 7.5 Stable (Wheezy).

* MySQL used for data storage.

* The Nervepoint application server component is written in Java using industry-standard
  components including Spring, Jetty and others.

* Webmin is provided for virtual machine configuration. This will be phased out in a future
revision.

* The web server provides two different services: a web-based UI for browsers, and a JSON-based
  RPC protocol used by the Mobile Application and the Windows "Desktop".

* Nervepoint web user interface uses the Wicket 6 framework.

Security
========

* On initial install the end user is required to define a unique root password.

* The operating system can only be accessed locally.

* There is no direct remote access for maintenance. Our support staff use the customer-initiated
  "support callback" (a reverse SSH tunnel) when required.

* Customers should firewall Webmin (port 10000).

* MySQL only allows local connections (from Nervepoint).

* All user secrets (answers, PINs, passphrases) are stored by default as one-way hashes.
  An optional, less secure two-way mode may be enabled by the administrator, in which the
  secrets are instead obfuscated (and therefore recoverable).

* All other non-secret data is stored unencrypted in MySQL's data format.

* All communication with the server is over SSL. The customer must purchase and install a signed
  certificate. This applies to the web interface, mobile access and desktop access.

* Weak SSL ciphers and protocols are disabled by default.

* Connections to directories are secured. SSL must be used for Active Directory (although a
  read-only mode is possible over an unencrypted connection).

* The server may specify IP ranges and restrictions for desktop access and browser access.

* Password reset, account unlock and login attempts are all limited to a fixed number of
  attempts within a given time window.

* Captchas may be used for authentication to further protect against brute force attacks.

* Multi-factor authentication, including SMS, OTP, Passphrase, PIN, Captcha and IP authentication.
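Two of the points above, the one-way versus two-way storage of user secrets and the limit on
reset/unlock/login attempts within a time window, are easier to reason about with a worked
example. The block below is an added illustration written for this page; it is not Nervepoint
code (the product itself is Java) and it does not describe how the product implements either
feature. The function names, the PBKDF2 work factor, the XOR "obfuscation", the
"3 failures per 15 minutes" policy and the enrolled answer are all assumptions made for the
example.

```python
"""Added example, not Nervepoint's code: contrasts the default one-way (hashed)
storage of user secrets with the optional two-way (obfuscated) mode, and shows a
per-account attempt limit of the kind the page describes.  All names, parameters
and policy values are assumptions chosen for illustration."""
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Tuple

PBKDF2_ROUNDS = 100_000          # assumed work factor; tune for the deployment hardware
OBFUSCATION_KEY = b"demo-key"    # constructed; stands in for a product-wide reversible key


def normalize(answer: str) -> str:
    """Compare security answers case- and whitespace-insensitively (assumption)."""
    return " ".join(answer.lower().split())


# --- One-way mode: salted PBKDF2.  The stored digest cannot be turned back into the answer.
def hash_secret(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_hashed(answer: str, salt: bytes, digest: bytes) -> bool:
    # compare_digest avoids leaking how many leading bytes matched via timing
    return hmac.compare_digest(hash_secret(answer, salt)[1], digest)


# --- Two-way mode: reversible XOR obfuscation.  Whoever holds the key and a copy of the
# database recovers every stored answer, which is why the page calls this mode less secure.
def _xor(data: bytes) -> bytes:
    return bytes(b ^ OBFUSCATION_KEY[i % len(OBFUSCATION_KEY)] for i, b in enumerate(data))


def obfuscate(answer: str) -> bytes:
    return _xor(normalize(answer).encode())


def deobfuscate(blob: bytes) -> str:
    return _xor(blob).decode()          # XOR is its own inverse


# --- Attempt limiting: at most max_attempts failures per account inside a sliding window.
class AttemptLimiter:
    def __init__(self, max_attempts: int = 5, window_seconds: int = 900):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)

    def _live(self, account: str, now: float) -> Deque[float]:
        q = self._failures[account]
        while q and now - q[0] >= self.window:   # forget failures older than the window
            q.popleft()
        return q

    def is_locked(self, account: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        return len(self._live(account, now)) >= self.max_attempts

    def record_failure(self, account: str, now: Optional[float] = None) -> None:
        now = time.time() if now is None else now
        self._live(account, now).append(now)

    def clear(self, account: str) -> None:
        self._failures.pop(account, None)


def answer_reset_question(store: dict, limiter: AttemptLimiter, account: str,
                          answer: str, now: float) -> str:
    """One password-reset step.  Returns 'locked', 'ok' or 'wrong'."""
    if limiter.is_locked(account, now):
        return "locked"                 # refuse before touching the stored secret at all
    salt, digest = store[account]
    if verify_hashed(answer, salt, digest):
        limiter.clear(account)          # a successful answer resets the failure count
        return "ok"
    limiter.record_failure(account, now)
    return "wrong"


def demo() -> List[str]:
    store = {"alice": hash_secret("Blue Whale")}          # constructed enrolment record
    limiter = AttemptLimiter(max_attempts=3, window_seconds=900)
    attempts = [(0, "red"), (1, "green"), (2, "yellow"),
                (3, "blue whale")]                         # correct, but the account is locked
    results = [answer_reset_question(store, limiter, "alice", g, t) for t, g in attempts]
    # 901 s later two of the three failures have aged out, so the correct answer succeeds
    results.append(answer_reset_question(store, limiter, "alice", "blue whale", 901))
    return results


if __name__ == "__main__":
    print(demo())   # ['wrong', 'wrong', 'wrong', 'locked', 'ok']
```

The two storage modes differ in exactly one property: `verify_hashed` can confirm an answer
but nothing in the system can produce it, whereas `deobfuscate` hands back the plaintext to
anyone with the key and the database. The limiter checks the lock before the secret is even
consulted, so a locked account gives an attacker no signal about whether the guess was right.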
