This section outlines recommendations on security related best practices for VSP. These instructions are applicable for the VSP infrastructure components (such as CMS and Remote VRule Engine) in VM-based or cloud-based environments.


The recommended best practices are: 

  1. Security of cloud/infrastructure where Virsec services are running 

    1. Disable API access and secret keys for all the cloud root and default accounts with superuser privileges 

    2. Combine the cloud platform security features with the existing Infrastructure components

    3. Perform regular security assessments on the instances and patch the vulnerabilities regularly

    4. Use Bastion hosts to enforce control and visibility to instances where Virsec services are running

    5. Disable services and protocols to authenticate users in clear text over the network insecurely or otherwise

  2. Security of instances where Virsec services are running

    1. Avoid using shared accounts to provision and access instances where Virsec services are running

    2. Avoid exposing VSP services on public IP. If required, restrict the access to instances from limited IP ranges using firewall rules

    3. Within local VPC/private networks, access to the Virsec services must be limited using the firewall rules

    4. Launch instances from trusted and validated images only

    5. Configure sshd to allow only public key authentication on instances where Virsec services are running

    6. Ensure that .pem/.ppk file on the user machine is password protected

    7. Rotate credentials to instances where Virsec services are running. Enforce complex passwords and a strong rotation policy

    8. Do not execute any other services on instances where VSP CMS and AE services running unless required by VSP

  3. Securing access to CMS

    1. Integrate with authentication services like LDAP or SAML to give users access to CMS

    2. Do not share accounts, instead create a named account on CMS with privileges assigned on a need-to-know basis using the RBAC feature on CMS