Securing the Aspera Faspex Server Application

Best Practices for the Enterprise | 2010

December 23, 2010

SSH

  • high port (>32000)

  • no root login

  • disable password authentication (allow public key authentication)

  • disable port forwarding, x11 forwarding, tun (can allow for some users if necessary)

  • faspex user - authorized_keys entry to include the options:

      no-agent-forwarding,no-port-forwarding,no-pty,no-X11-forwarding

  • keep logs forever (auth.log, secure.log)

  • examine sshd logs periodically

  • OpenSSH version 5.2 or higher (current version 5.6)

  • consider dedicated SSH to only allow faspex user
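The sshd items above can be checked mechanically rather than by eye. The following is an added example, not part of the original article and not Aspera's tooling: it parses the global section of an sshd_config, compares it against the list (high port, no root login, no password authentication, no forwarding or tunnels, an AllowUsers restriction), and checks that an authorized_keys entry carries the four restriction options. It assumes OpenSSH 5.x directive names and built-in defaults, and the two sample configs and the three key lines are constructed (the key blobs are placeholders).

```python
"""Audit an sshd_config and an authorized_keys entry against the SSH list above.

Added example, not Aspera's tooling. Assumes OpenSSH 5.x directive names and
built-in defaults; the sample configs and key lines below are constructed.
"""
import re

# Directive -> value the checklist asks for (keys lower-cased, as sshd compares them).
EXPECTED = {
    "permitrootlogin": "no", "passwordauthentication": "no",
    "pubkeyauthentication": "yes", "allowtcpforwarding": "no",
    "x11forwarding": "no", "permittunnel": "no",
}
# Assumed OpenSSH 5.x built-in defaults, used when a directive is absent, so an
# omitted PasswordAuthentication still counts as "yes".
DEFAULTS = {
    "port": "22", "permitrootlogin": "yes", "passwordauthentication": "yes",
    "pubkeyauthentication": "yes", "allowtcpforwarding": "yes",
    "x11forwarding": "no", "permittunnel": "no",
}
MIN_PORT = 32000
# Options the checklist requires on the faspex user's authorized_keys entry.
REQUIRED_KEY_OPTIONS = ("no-agent-forwarding", "no-port-forwarding",
                        "no-pty", "no-X11-forwarding")

# Constructed samples: a near-default sshd_config and a hardened one.
WEAK_SSHD_CONFIG = """
Port 22
PermitRootLogin yes
#PasswordAuthentication no
X11Forwarding yes
"""
HARDENED_SSHD_CONFIG = """
Port 33001
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowTcpForwarding no
X11Forwarding no
PermitTunnel no
AllowUsers faspex
"""
# Constructed authorized_keys lines; the key blob is a placeholder, not real key material.
RESTRICTED_KEY = ("no-agent-forwarding,no-port-forwarding,no-pty,no-X11-forwarding "
                  "ssh-rsa AAAAB3NzaC1placeholder faspex@faspex-server")
BARE_KEY = "ssh-rsa AAAAB3NzaC1placeholder faspex@faspex-server"
PARTIAL_KEY = 'command="/bin/false",no-pty ssh-rsa AAAAB3NzaC1placeholder faspex@faspex-server'

KEY_LINE = re.compile(r"^(?P<opts>.*?)\s*(?P<type>ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-\S+)\s+\S+")


def parse_sshd_config(text):
    """Return {directive: value} for the global section of an sshd_config.

    Stops at the first Match block (its directives apply only to matched
    connections) and keeps the first occurrence of a repeated directive,
    which is how sshd itself resolves duplicates.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        conf.setdefault(key, value)
    return conf


def audit_sshd_config(text):
    """Return a list of findings; an empty list means every item above is met."""
    conf = parse_sshd_config(text)
    findings = []
    port = conf.get("port", DEFAULTS["port"])
    if not port.isdigit() or int(port) <= MIN_PORT:
        findings.append("Port %s: checklist asks for a high port (>%d)" % (port, MIN_PORT))
    for key, want in EXPECTED.items():
        have = conf.get(key, DEFAULTS[key])
        if have.lower() != want:
            findings.append("%s is %s (expected %s)" % (key, have, want))
    # "dedicated SSH to only allow faspex user": at least restrict by user or group.
    if "allowusers" not in conf and "allowgroups" not in conf:
        findings.append("no AllowUsers/AllowGroups: any system account may log in")
    return findings


def missing_key_options(authorized_keys_line):
    """Return the required restriction options absent from one authorized_keys line."""
    m = KEY_LINE.match(authorized_keys_line.strip())
    if not m:
        raise ValueError("not an authorized_keys entry")
    present = set()
    if m.group("opts"):
        # Split on commas outside double quotes so command="a,b" stays one option.
        for opt in re.split(r',(?=(?:[^"]*"[^"]*")*[^"]*$)', m.group("opts")):
            present.add(opt.strip().lower())
    return [o for o in REQUIRED_KEY_OPTIONS if o.lower() not in present]
```

Run it against a copy of /etc/ssh/sshd_config and the faspex user's ~/.ssh/authorized_keys; an absent directive is reported when its OpenSSH default is the weak value, which is the case that a visual review of the file tends to miss.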

Faspex application

  • strong password

  • quick lock-out

  • admin - filter by IP address (admin is too powerful if broken into)

  • post-processing - available to admin; can be disabled in faspex.yml (set DisablePostProcessing)

  • consider encryption at rest (passphrase-based content encryption)

aspera.conf

  • global authorization deny

  • faspex user

  • docroot - dir_allowed false

  • authorization: token

  • strong encryption key (keep secret)

Enterprise Server

  • no aspera-prepost (or safe coding)

  • aspshell r34503 or higher

Operating System

  • security updates

  • local iptables to prevent unwanted incoming and outgoing access

Current Security Updates

  • aspshell (apply to ES 2.5 and 2.6): http://download.asperasoft.com/download/patches/entsrv/2.6/aspera-aspshell-security-patch-4.tgz

  • faspex (apply to release 2.0.1): http://download.asperasoft.com/download/patches/faspex/faspex_2.0_security_patch_4.zip

  • ascp and astokengen (apply to ES 2.5 and 2.6):

      • http://download.asperasoft.com/download/patches/ascp/2.7/AsperaASCP-2.7.0.34752-windows-32-patch-2.zip

      • http://download.asperasoft.com/download/patches/ascp/2.7/AsperaASCP-2.7.0.34752-linux-32-patch-2.zip

      • http://download.asperasoft.com/download/patches/ascp/2.7/AsperaASCP-2.7.0.34752-linux-64-patch-2.zip

Bitvise WinSSHD

Setup

  • Edit Advanced Settings

  • Set a high port (recommend > 32000)

  • Access control

  • windows groups - remove "Everyone"

  • windows groups - add a restrictive group such as "Administrators"

  • windows users - add the faspex user (or individual users or groups for ES and CS)

  • set the proper shell and restrict tunnels, etc.

Notes on the below

  • Permit remote administration should be unchecked

  • for the faspex user, "password authentication" should be disabled



General Areas of Security Considerations for Aspera solutions

  1. Authentication and access control

     • SSH user authentication

         • passwords vs keys

         • sshd_config restrictions

     • File system access control

         • Aspera restricted shell

         • document rooting

         • file system permissions

  2. FASP Transfer Authorization

     • Default deny all; allow specific users only

     • Upload vs download - enable/disable as needed

     • read and write allow/deny - enable/disable as needed

     • token key requirement - enable if appropriate (web apps only)

     • external web services authorization - enable if appropriate (web apps only)

  3. Content protection

     • Encryption in transit

     • Encryption at rest

  4. Other considerations

     • Database logging

     • Reporting file movements

     • Advanced file handling

     • Firewall considerations

     • SE Linux

     • Pre and post transfer processing

  5. Network, Physical, Application, Transport
