Can I have confidence that my data is safe on an appliance?

Field Effect appliances are physical devices installed on a client network that, owing to their privileged location within the client environment, can establish specific connections inside and outside of a client network. These connections are necessary for the proper operation and management of the appliance and to provide value-added security and defense in-depth. 


The following points summarize the security considerations for the appliance:


Remote Access: Most of the “day-to-day” operation of the appliance is entirely autonomous and does not require human interaction or intervention. Once the OpenVPN connection is established between a client site and Field Effect’s operational network, telemetry such as logs and metrics pass through an SSH tunnel within the VPN and are used for monitoring and alerting. Appliance configuration is performed using automated taskings which run through the established tunnel. In rare cases, a member of the Field Effect operational team may require remote access to an appliance. If an operator does need to connect to an appliance, there is an audit trail indicating which individual logged into which appliance at what time.


Appliance Security: At the operating system level, Field Effect leverages iptables for fine-tuned network control and AppArmor for application security. AppArmor is designed to confine programs to a specific set of resources and is used on appliances to enhance the security of programs such as mysql, named, rsyslog, tcpdump, and others. System-level services that are not required and that do not directly contribute to the function of Field Effect are disabled by default. By default, all data at rest on the appliance and all data in transit to and from the appliance is encrypted.


Agent Tasking: The Field Effect appliance exposes an API that allows specific, privileged members of Field Effect to issue commands through the Field Effect agent running on endpoint machines. This requires specific role-based access that is limited to select users holding signed keys, who can then issue signed commands. In such cases there is, again, an audit trail indicating which user issued which command and when.


Exploit Vectors: A threat actor could theoretically gain access to an appliance to establish a foothold in a client environment. As highlighted throughout, Field Effect has put various processes and protections in place to significantly reduce the likelihood that an actor could gain such a foothold. For example, a threat actor would need to compromise private SSH keys on the operational network and then connect in through the VPN to gain access to an appliance. Assuming an actor does gain access to an appliance, the following holds true:

  1. An attacker cannot communicate with or task an endpoint agent on the client network. 
  2. An appliance requires SSH out to the client-specific relay, nowhere else. SSH “fact of” connections are logged and stored in the same manner as audit logs. 
  3. An attacker with access to an appliance could run tcpdump on an interface to view client traffic being captured by the appliance. 
  4. Lateral movement within a client network from a Field Effect appliance would not be possible with the limited tools available on the system. This type of activity would also be highly anomalous, and likely to be detected by Field Effect monitoring.
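Point 2 above says an appliance only ever initiates SSH to the client-specific relay and that the "fact of" each connection is logged. As an added example (not Field Effect's code; the log format, hostnames and usernames are constructed, not the vendor's real audit format), here is the kind of check a monitoring pipeline can run over those records to flag any outbound SSH that does not match the expected relay and port:

```python
"""Flag outbound SSH connections from an appliance that go anywhere other than
the expected client-specific relay. The log format below is constructed for
this example and is not Field Effect's real audit format."""
import re
from dataclasses import dataclass

# Constructed sample log: hypothetical rsyslog-style "ssh-egress" records plus
# one unrelated inbound sshd line that the parser must ignore.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z appliance01 ssh-egress: user=svc_telemetry dst=relay.client-a.example port=22 result=ok
2024-03-01T10:05:12Z appliance01 ssh-egress: user=svc_telemetry dst=relay.client-a.example port=22 result=ok
2024-03-01T10:07:40Z appliance01 ssh-egress: user=root dst=10.20.30.40 port=22 result=ok
2024-03-01T10:09:03Z appliance01 ssh-egress: user=root dst=relay.client-a.example port=2222 result=fail
2024-03-01T10:11:00Z appliance01 sshd[1234]: Accepted publickey for operator1 from 10.8.0.2 port 51234 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) ssh-egress: user=(?P<user>\S+) dst=(?P<dst>\S+) "
    r"port=(?P<port>\d+) result=(?P<result>\S+)$"
)

@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    dst: str
    port: int
    reason: str

def parse_egress(log_text):
    """Yield parsed ssh-egress records; lines that are not egress records are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield {**m.groupdict(), "port": int(m.group("port"))}

def find_violations(log_text, allowed_relay, allowed_port=22):
    """Return one Finding per outbound SSH event whose destination or port is not
    the expected relay. Failed attempts count too: the attempt itself is the anomaly."""
    findings = []
    for rec in parse_egress(log_text):
        if rec["dst"] != allowed_relay:
            reason = "unexpected destination"
        elif rec["port"] != allowed_port:
            reason = "unexpected port"
        else:
            continue
        findings.append(Finding(rec["ts"], rec["user"], rec["dst"], rec["port"], reason))
    return findings

if __name__ == "__main__":
    for finding in find_violations(SAMPLE_LOG, "relay.client-a.example"):
        print(finding)
```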
