\pagebreak \tableofcontents \pagebreak
Configuration
The out-of-the-box configuration for deaddrop is created to focus on security where parameters are selected to be as secure as possible. The setup also allows administrators to configure some of the system and application parameter values so the system can be compliant with internal policies.
Static configuration
The following configuration is static but it may enhance over time, depending on new releases of the platform where new web setup options are available in the base system components, e.g. apache.
HTTPS communication
The deaddrop service and the graphical administration interface uses the HTTPS, i.e. HTTP with the TLS protocol, to protect the communication.
As per the default setup, the following cipher suites is allowed in the TLS connection to the deaddrop server:
- ECDHE-RSA-AES256-GCM-SHA384
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-RSA-AES256-CBC-SHA384
This list is a small subset of the full set of protocol cipher suites that TLS allows. The list is trimmed to just allow the more secure variants, but also at the same time versions that are compatible with the latest versions of the web browsers.
The following variants of the TLS protocol are allowed:
- TLS version 1.2
Older versions of the protocol, called TLS 1, TLS 1.1, and SSL, are not allowed in the default setup.
Deaddrop use HSTS1 to enforce encrypted communications once a secure connection has been made
Deaddrop can be configured to be protected behind a proxy
Deaddrop can be configured to use HKPK (i.e. certificate pinning)
Local firewall
The system is configured with a local firewall which only allows inbound access to the webservice on the following ports
- 22
- 80
- 443
- 8443
External firewall
It’s strongly recommended to block access, besides for the internal administrators access, to the following TCP/IP ports
- 22
- 8443
For all firewall rules that may be needed, see the network diagram for deaddrop.
Customer configuration
The following configuration is or should be configured
Network communication
The private key for TLS must be generated on the appliance and the key must be trusted by the supported web browsers. This key is normally created at customer site during onsite installation
deaddrop service configuration
All configuration can be configured on the administrator web interface
© Copyright sysctl Aktiebolag 2013-2021. All rights reserved
-
https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security ↩