The EcoStruxure IT Gateway is intended to be accessed from within a secure network, and not over the internet. Therefore, do not make the web UI accessible via the internet.
Regularly apply available operating system patches and security updates to the Gateway server.
Follow the recommended hardening guidelines for the operating system. Refer to Gateway default ports when configuring the firewall.
Do not allow local operating system login access to the Gateway server, except for IT administrators.
Use SNMPv3 instead of SNMPv1 and enable encryption and authentication whenever possible. Use HTTPS instead of HTTP for NetBotz devices. Use SCP instead of FTP for firmware updates and device configuration. Even when these devices are on a private network, using a secure protocol as part of a defense-in-depth strategy is recommended.
By default, the only external port enabled by the Gateway web application is 443, both inbound for the Gateway web UI, and outbound to communicate with the EcoStruxure IT web application. None of the protocols for communicating with the end devices are active. They are enabled by adding new device credentials.
The EcoStruxure IT Gateway password policy now requires:
- At least 10 characters in length
- At least 3 of the following 4 types of characters:
  - Lower case letters (a-z)
  - Upper case letters (A-Z)
  - Numbers (0-9)
  - Special characters (Example: !@#$%^&*)
- No more than 2 identical characters in a row (Example: aaa is not allowed)
Strong passwords are enforced when you first create your password and when you change your password. You are not required to change your existing password after updating your Gateway.
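The following checker is an added example, not code from the Schneider Electric documentation or the Gateway itself; it implements the three rules above (minimum length, 3 of 4 character types, no run of more than 2 identical characters) so that administrators can pre-validate passwords before entering them in the Gateway UI. Treating any printable non-alphanumeric ASCII character as a "special character" is an assumption, since the guide only lists examples.

```python
import re

# Policy from the Gateway hardening guide: minimum 10 characters, at least
# 3 of 4 character types, and no run of more than 2 identical characters.
MIN_LENGTH = 10
MIN_CLASSES = 3
MAX_REPEAT = 2

# The guide gives "!@#$%^&*" only as examples of special characters; this
# checker (an assumption) accepts any printable non-alphanumeric ASCII.
CHARACTER_CLASSES = {
    "lower": re.compile(r"[a-z]"),
    "upper": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[!-/:-@\[-`{-~]"),
}


def check_password(password: str) -> list[str]:
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    present = [name for name, pattern in CHARACTER_CLASSES.items()
               if pattern.search(password)]
    if len(present) < MIN_CLASSES:
        problems.append(f"only {len(present)} of 4 character types (need {MIN_CLASSES})")

    # A character followed by MAX_REPEAT more copies of itself is a run of
    # MAX_REPEAT + 1, which the policy forbids (e.g. "aaa").
    run = re.search(r"(.)\1{%d,}" % MAX_REPEAT, password)
    if run:
        problems.append(f"more than {MAX_REPEAT} identical characters in a row ({run.group(0)!r})")
    return problems


def is_acceptable(password: str) -> bool:
    return not check_password(password)


if __name__ == "__main__":
    # Constructed sample inputs: one compliant, one violating the run rule.
    for candidate in ("Gateway-2024", "aaaBBB1234"):
        print(candidate, check_password(candidate) or "OK")
```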
- There is only one permission level on the Gateway. The Gateway UI is intended for application administrators only. This user has the ability to:
  - Create, delete, and change passwords for users, but cannot change usernames
  - Configure device discoveries
  - View sensor and alarm information from discovered devices
- Starting in Gateway version 1.9, strict password enforcement is in place. It is recommended to update your password after upgrading and to update your password periodically, since passwords do not automatically expire.
A local administrator account on the operating system of the Gateway server is required in order to install the software, perform the other security hardening activities, and to retrieve log files if necessary.
The installer creates a local service account under which the application runs. This service account also performs database backups.
Software updates can be performed in three ways:
- Auto update: When this option is selected in the EcoStruxure IT web application, software updates are automatically pushed to the Gateway. No additional user accounts or interaction is required.
- Cloud initiated: Software updates are initiated by a user logged into the EcoStruxure IT application. No additional user accounts or interaction is required.
- Local, manual: A local operating system administrator may also download the software update to the Gateway server and manually run the installer.
To decommission a Gateway server, it is recommended that you re-image the machine. This will erase all data and set all operating system settings back to their defaults.
If re-imaging is not possible, first run the uninstaller, then make sure the data is removed from the install location using a secure erase utility. This will remove the application, data, and certificate.
Log in to the organization's EcoStruxure IT account and remove the association with the Gateway from the account.
A vulnerability exists in Apache Tomcat that is only exploitable when a reverse proxy placed in front of the Gateway server mishandles an invalid Transfer-Encoding header in a particular way. This configuration is considered unlikely.
See CVE-2020-1935 for more details and this message from Apache to determine if you are at risk.