
Security

Introduction

VergeLink provides products and solutions that are developed to the latest security standards. It is nevertheless necessary to implement, and continuously maintain, a holistic, state-of-the-art industrial security concept; VergeLink, whether deployed as software or as a hardware device, is only one element of such a concept. Customers are responsible for preventing unauthorized access to their plants, systems, machines and networks. Such systems, machines and components should only be connected to an enterprise network or the internet if and to the extent that such a connection is necessary, and only when appropriate security measures (e.g. firewalls and/or network segmentation) are in place. Sensitive network segments (in the VergeLink context often called the "Machine Network") should always be separated from company networks and the internet, either by physical separation of the networks or by a suitable firewall.

  • Certificates & public-key cryptography: VergeLink uses asymmetric cryptography to generate device identities automatically and to authenticate each device to the VergeLink Configuration Portal. For the cloud and north-bound connectors, VergeLink offers certificate-based and user/password authentication.

  • Encrypted communication: VergeLink supports encrypted communication for all endpoints on the internet or in company networks via HTTPS/TLS 1.3 with strong cipher suites. The communication between the VergeLink runtime (running on the device) and the VergeLink Portal is encrypted by default; unencrypted communication is not supported. The connection to user-defined north-bound endpoints such as MQTT brokers or HTTPS web servers can be encrypted or unencrypted. The user is responsible for configuring encrypted connections whenever they are needed (e.g. when the communication crosses non-isolated or untrusted networks).

  • Access control and roles:

  • Data protection: VergeLink lets customers transmit data out of VergeLink devices and infrastructure into their own cloud or on-premises infrastructure. Customers are responsible for the confidentiality, integrity and availability (CIA) of the data stored there and for preventing unauthorized access to it.

  • Domains & ports: For flawless operation of VergeLink, customers must allow outgoing connections from the VergeLink Runtime (device) to the following domains. The services behind these domains use a dynamic set of IP addresses that may change at any time, so resolving the domain names and allowlisting the resulting IP addresses in a proxy or firewall is not recommended; allow the domain names instead.

    • edge-api.vergelink.io
    • hosted.mender.io
    • s3.amazonaws.com
  • Setup guidelines and recommendations: All components of the VergeLink system follow the security-by-default paradigm. In addition, operating the components requires attention to the following aspects:

    • Passwords: Use only strong passwords; the system assists you in choosing them.
    • Admins: During the initial setup of VergeLink devices, the default password of the local configuration web server should be changed to a device-specific, strong password. Access to the VergeLink Portal requires an individual password, which is set by default and can be changed by the user. New users should be created with the least-privilege principle in mind.
    • Device setup: Each device needs to be set up with a properly working internet connection (connection to the VergeLink Portal), DNS server and NTP server. By default, public DNS and NTP servers are used; if this is not desired, working alternatives must be configured. The local diagnostic web server includes a status check to verify the correct operation of all required functionality.
  • Operating system (VergeLink OS): The VergeLink OS includes security hardening and automatic over-the-air (OTA) updates. Security hardening includes: no root user login, no shell/terminal access, disabled USB ports, a firewall, and digital signatures for software integrity.
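The two operator-side checks that the "Encrypted communication" and "Domains & Ports" items above leave to the customer are (a) refusing plaintext north-bound endpoints unless someone has consciously allowed them, and (b) verifying egress to the required domains by name rather than by pinned IP. The following script is an added example, not VergeLink's own tooling or the runtime's code. It uses only the Python standard library, assumes the listed domains are reached over HTTPS on port 443 (the page names the domains but not the ports), and treats the optional client certificate as the certificate-based authentication the page mentions for north-bound connectors; the endpoint URLs in the `__main__` block are constructed samples.

```python
"""Egress and TLS checks for a VergeLink-style edge device.

Added example, not VergeLink's own tooling. Assumes the required domains are
reached over HTTPS on port 443 and uses only the Python standard library.
"""
import socket
import ssl
from urllib.parse import urlparse

# Domains the page lists as required for outbound access (port 443 is an assumption).
REQUIRED_EGRESS = ("edge-api.vergelink.io", "hosted.mender.io", "s3.amazonaws.com")

# Plaintext schemes mapped to their TLS counterpart, and the schemes that carry TLS.
PLAINTEXT_SCHEMES = {"http": "https", "mqtt": "mqtts", "ws": "wss"}
ENCRYPTED_SCHEMES = {"https", "mqtts", "ssl", "wss"}


def build_tls_context(client_cert=None, client_key=None):
    """Strict client context: TLS 1.3 only, chain and hostname verification on.

    create_default_context() already verifies the server chain against the
    system trust store; on top of that we refuse anything below TLS 1.3 and,
    when a client certificate is given, present it for certificate-based
    authentication at the north-bound endpoint.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if client_cert:
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def classify_endpoint(url):
    """Return 'encrypted', 'plaintext' or 'unknown' for a north-bound endpoint URL."""
    scheme = urlparse(url).scheme.lower()
    if scheme in ENCRYPTED_SCHEMES:
        return "encrypted"
    if scheme in PLAINTEXT_SCHEMES:
        return "plaintext"
    return "unknown"


def check_northbound_endpoints(urls, allow_plaintext=False):
    """Reject plaintext endpoints unless the operator explicitly allowed them.

    Returns a list of (url, verdict) tuples; raises ValueError on the first
    plaintext endpoint when allow_plaintext is False, naming the TLS scheme
    the operator should switch to.
    """
    results = []
    for url in urls:
        verdict = classify_endpoint(url)
        if verdict == "plaintext" and not allow_plaintext:
            secure = PLAINTEXT_SCHEMES[urlparse(url).scheme.lower()]
            raise ValueError(f"{url}: plaintext endpoint; use {secure}:// "
                             "or pass allow_plaintext=True for isolated networks")
        results.append((url, verdict))
    return results


def check_egress(domains=REQUIRED_EGRESS, port=443, timeout=5.0):
    """Resolve each domain and complete a verified TLS 1.3 handshake to it.

    Returns {domain: (ok, detail)}. The domain name is used for SNI and for
    hostname verification, which is why the check (and the firewall rule)
    should be keyed on the name, not on whatever IPs it resolves to today.
    """
    ctx = build_tls_context()
    report = {}
    for domain in domains:
        try:
            with socket.create_connection((domain, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=domain) as tls:
                    report[domain] = (True, f"{tls.version()} {tls.cipher()[0]}")
        except (OSError, ssl.SSLError) as exc:
            report[domain] = (False, f"{type(exc).__name__}: {exc}")
    return report


if __name__ == "__main__":
    # Constructed sample of operator-configured north-bound endpoints.
    sample = ["https://ingest.example.com/telemetry", "mqtts://broker.example.com:8883"]
    for url, verdict in check_northbound_endpoints(sample):
        print(f"{verdict:9} {url}")
    for domain, (ok, detail) in check_egress().items():
        print(f"{'OK  ' if ok else 'FAIL'} {domain}: {detail}")
```

Run it from the machine network segment the device sits in: a `FAIL` with a `timeout` or `ConnectionRefusedError` points at the firewall or proxy, a `FAIL` with `SSLCertVerificationError` points at a TLS-intercepting proxy, and a `gaierror` means DNS is not reachable, which is the same DNS dependency the "Device setup" item calls out.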