Architecture and Security 1.4

Application Architecture 

* Deployed as a virtual machine or hardware appliance.

* Application built on top of Debian 8 Stable (Wheezy).

* MySQL used for data storage.

* The Nervepoint application server component is written in Java 8 and built on industry-standard 
components including Spring, Jetty 9.4.6.v20170531 and others.

* The web server provides two different services: a web-based UI for browsers, and a JSON-based 
RPC protocol used by the Mobile Application and the Windows "Desktop".

* Nervepoint web user interface uses the Wicket 7.6 framework.

* On initial install, the end user is required to define a unique root password.

* Operating system can only be accessed locally.

* No direct remote access for maintenance. When required, our support staff use the customer-initiated 
"support callback", which is a reverse SSH tunnel.

* For version 1.4, VNC ports should be firewalled (this is done by default through the VMCentre firewall).

* MySQL only allows local connections (from Nervepoint).
    * MySQL access account has a unique randomly generated password. 
    * MySQL root password is set to the same as system root password.

* All user secrets (answers, PINs, passphrases) are stored by default as one-way hashes. 
An optional, less secure two-way mode may be enabled by the administrator, in which secrets are 
instead obfuscated rather than hashed.

* Encryption mode is now configurable. 
    * "Drupal7" (a clone of Drupal's algorithm) is the default for hashing (salted SHA-512).
    * AES-256 is the default for two-way encryption (key obfuscated).
    * FIPS mode (using a software or hardware token).
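
The "Drupal7" hashing mode above is a clone of Drupal 7's password scheme (`password.inc`): a random 8-character salt, a cost parameter and a stretched SHA-512 digest, stored together as a 55-character `$S$...` string. The following is an added illustration of that scheme written for this page, not Nervepoint's own code; it reimplements Drupal 7's algorithm in Python, and the function names (`hash_password`, `verify_password`, `needs_rehash`) are this example's own. It shows why the one-way mode is preferable to the obfuscated two-way mode: verification only ever recomputes the hash, and the stored value cannot be turned back into the secret.

```python
import hashlib
import hmac
import math
import secrets

# Drupal 7 password hashing (password.inc), reimplemented as an illustration of the
# "Drupal7" salted SHA-512 mode described on the page. Not Nervepoint's own code.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
DEFAULT_COUNT_LOG2 = 15   # Drupal 7 default cost: 2**15 SHA-512 iterations
MIN_COUNT_LOG2 = 7
MAX_COUNT_LOG2 = 30
HASH_LENGTH = 55          # stored hashes are truncated to 55 characters


def _b64_encode(data: bytes) -> str:
    """Drupal's phpass-style base64: ITOA64 alphabet, little-endian packing, no padding."""
    out = []
    i, count = 0, len(data)
    while True:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
        if i >= count:
            break
    return "".join(out)


def _crypt(password: str, setting: str):
    """Core of Drupal's _password_crypt('sha512', ...). Returns None on malformed input."""
    if len(password) > 512:          # Drupal refuses oversized passwords (hashing DoS guard)
        return None
    setting = setting[:12]           # "$S$" + cost character + 8-character salt
    if len(setting) != 12 or setting[0] != "$" or setting[2] != "$":
        return None
    count_log2 = ITOA64.find(setting[3])
    if not MIN_COUNT_LOG2 <= count_log2 <= MAX_COUNT_LOG2:
        return None
    salt = setting[4:12]
    pw = password.encode("utf-8")
    digest = hashlib.sha512(salt.encode("ascii") + pw).digest()
    for _ in range(1 << count_log2):  # key stretching: 2**count_log2 further rounds
        digest = hashlib.sha512(digest + pw).digest()
    output = setting + _b64_encode(digest)
    if len(output) != 12 + math.ceil(8 * len(digest) / 6):
        return None
    return output[:HASH_LENGTH]


def hash_password(password: str, count_log2: int = DEFAULT_COUNT_LOG2):
    """Hash with a fresh random salt; the result is '$S$' + cost + salt + digest, 55 chars."""
    setting = "$S$" + ITOA64[count_log2] + _b64_encode(secrets.token_bytes(6))
    return _crypt(password, setting)


def verify_password(password: str, stored: str) -> bool:
    """Recompute using the salt and cost embedded in the stored hash; compare in constant time."""
    if not stored.startswith("$S$"):
        return False
    computed = _crypt(password, stored)
    return computed is not None and hmac.compare_digest(computed, stored)


def needs_rehash(stored: str, count_log2: int = DEFAULT_COUNT_LOG2) -> bool:
    """True when the stored hash is not in '$S$' format or was made with a different cost,
    so an administrator who raises the cost can upgrade hashes at the next successful login."""
    return len(stored) < 4 or not stored.startswith("$S$") or ITOA64.find(stored[3]) != count_log2
```

With the default cost every verification performs 2^15 + 1 SHA-512 rounds, which is what makes offline guessing against a leaked table expensive; the salt ensures two users with the same answer get different stored values.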

* All other non-secret data is stored unencrypted in MySQL's data format.

* All communication with the server is via SSL. The customer must purchase and install a signed 
certificate. This applies to the web interface, mobile access and desktop access.

* Weak SSL ciphers and protocols are disabled by default.

* Connections to directories are secure. SSL must be used for Active Directory (although a 
read-only mode is possible over an unencrypted connection).

* The server may restrict desktop access and browser access to specified IP ranges.

* Password reset, account unlock and login are all rate limited: the number of attempts that 
may be made within a given time window is capped.
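
The attempt limiting described above can be implemented as a sliding window of recent failures per key. The following is an added example written for this page, not Nervepoint's code and not a description of how it implements the limit: the key layout (operation, subject), the per-account plus per-source pairing in `attempt_login`, and the `check_credentials` callback are this example's own assumptions.

```python
import time
from collections import defaultdict, deque


class AttemptLimiter:
    """Sliding-window limiter: at most `max_attempts` failed attempts per key within
    `window_seconds`. Keys are chosen by the caller, e.g. ("reset", "account", "alice"),
    so password reset, account unlock and login each get their own budget."""

    def __init__(self, max_attempts: int, window_seconds: float, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.clock = clock                   # injectable so tests can control time
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures

    def _recent(self, key, now):
        q = self._failures[key]
        while q and now - q[0] >= self.window:  # drop failures outside the window
            q.popleft()
        return q

    def is_blocked(self, key) -> bool:
        return len(self._recent(key, self.clock())) >= self.max_attempts

    def retry_after(self, key) -> float:
        """Seconds until the oldest in-window failure expires; 0 when not blocked."""
        now = self.clock()
        q = self._recent(key, now)
        if len(q) < self.max_attempts:
            return 0.0
        return self.window - (now - q[0])

    def record_failure(self, key) -> None:
        now = self.clock()
        self._recent(key, now).append(now)

    def reset(self, key) -> None:
        """Called on success so a legitimate user is not penalised for stale failures."""
        self._failures.pop(key, None)


def attempt_login(limiter, account, source_ip, check_credentials):
    """Gate a login behind both a per-account and a per-source limit (assumed layout).
    `check_credentials` is a hypothetical callable; returns 'locked', 'denied' or 'ok'."""
    account_key = ("login", "account", account)
    ip_key = ("login", "ip", source_ip)
    if limiter.is_blocked(account_key) or limiter.is_blocked(ip_key):
        return "locked"            # credentials are not even evaluated while locked
    if check_credentials(account):
        limiter.reset(account_key)  # only the account budget resets; the IP is shared
        return "ok"
    limiter.record_failure(account_key)
    limiter.record_failure(ip_key)
    return "denied"
```

Returning "locked" without evaluating credentials means a correct guess during the lock window is not confirmed, and limiting by source as well as by account keeps a single source from spreading attempts across many accounts.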

* Captchas may be used during authentication to further protect against brute-force attacks.

* Multi-factor authentication, including SMS, OTP, passphrase, PIN, captcha and IP-based authentication.
