Managing security

The system supports several security-related features that can help protect system data and resources from unauthorized access.

User security and authentication
The system supports both local users and remote users who are authenticated through a remote authentication service. You can create local users who can access the system; these user types are defined by the administrative privileges that they have on the system. Local users must provide a password, a Secure Shell (SSH) key, or both, and are authenticated through the authentication methods that are configured on the system. A local user who needs access to the management GUI requires a password. A user who needs access to the command-line interface (CLI) through SSH requires either a password or a valid SSH key file. Local user passwords are stored securely by using the PBKDF2 hashing algorithm. Every local user must belong to a user group that is defined on the system; a user group defines the role that authorizes the users in that group to perform a specific set of operations on the system.
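To show what "stored securely by using PBKDF2" means in practice, the following is an added example (not code from the system's documentation or product) of how a local user's password can be stored and verified with PBKDF2: a random per-user salt, a stored work factor, a constant-time comparison, and a check that flags records hashed with an older, weaker work factor. The iteration count, salt length and record format are illustrative assumptions, not the system's actual parameters.

```python
"""Added example (not from the original documentation): PBKDF2-based
password storage and verification for a local user account.
The iteration count, salt length and record layout below are
illustrative choices (assumptions), not the product's real settings."""
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000   # PBKDF2 work factor (assumed); raise it as hardware gets faster
SALT_BYTES = 16        # random per-user salt defeats precomputed (rainbow) tables
HASH_NAME = "sha256"   # PRF used inside PBKDF2
DK_LEN = 32            # derived key length in bytes


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2$<hash>$<iterations>$<salt>$<dk>.

    Storing the parameters next to the derived key lets verification keep
    working for old records after the policy's iteration count is raised."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations, DK_LEN)
    return f"pbkdf2${HASH_NAME}${iterations}${_b64(salt)}${_b64(dk)}"


def verify_password(password: str, record: str) -> bool:
    """Recompute PBKDF2 with the stored salt and parameters, compare in constant time."""
    try:
        scheme, hash_name, iters, salt_b64, dk_b64 = record.split("$")
        if scheme != "pbkdf2":
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(dk_b64, validate=True)
        candidate = hashlib.pbkdf2_hmac(
            hash_name, password.encode("utf-8"), salt, int(iters), len(expected)
        )
    except (ValueError, TypeError):
        return False  # malformed record or unknown hash name: fail closed
    # compare_digest does not short-circuit on the first differing byte,
    # so timing does not reveal how much of the derived key matched.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when a stored record uses a weaker work factor than current policy.

    Call this after a successful login and re-hash the password then,
    since the plaintext is available only at that moment."""
    parts = record.split("$")
    if len(parts) != 5 or parts[0] != "pbkdf2":
        return True
    try:
        return int(parts[2]) < iterations
    except ValueError:
        return True


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print(verify_password("correct horse battery staple", stored))  # True
    print(verify_password("wrong password", stored))                # False
```

Two properties are worth noting: hashing the same password twice yields different records because each call draws a fresh salt, and a record that cannot be parsed is rejected rather than treated as a match.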

A remote user is authenticated on a remote LDAP server. A remote user does not need to be added to the list of users on the system, although they can be added to configure optional SSH keys. For remote users, an equivalent user group must be created on the system with the same name and role as the group on the remote LDAP server. Remote users cannot access the system when the remote LDAP server is down; in that case, a local user account must be used until the LDAP service is restored. A remote user's group membership is defined by the remote authentication server.

Encryption
Encryption is a technology that uses cryptography to help ensure confidentiality of sensitive information. Encryption uses keys to encode information so that it cannot be understood by unauthorized parties. Depending on your model, the system supports both encryption of data-at-rest and encryption of data-in-flight.

SSL/TLS security controls
The system supports a choice of security levels (2 to 7) that enforce a minimum level of SSL (Secure Sockets Layer) or TLS (Transport Layer Security) that can be used to access the system. Security levels 5, 6, and 7 support TLS 1.3, which provides more secure cipher suites along with a faster handshake. Only clients that support the minimum SSL or TLS level that is enforced by the system can establish secure connections.