Toll Free: (866) 407-5279 Direct: (651) 407-5279
This article describes the extensive security measures employed in UpdateEXPERT. Each section below answers a commonly asked question, and the linked knowledgebase articles go into more detail.
Security measures exist for:
Console to Master-Agent Communications
This communication is always encrypted; the volume of traffic between the Master-Agent and the Console is relatively low, so encrypting all of it carries little cost.
Master-Agent to Target-Machine Communications
Communications and file transfers between the Master-Agent and "Agentless or RPC" targets are unencrypted, with some exceptions.
However, between Master-Agent(s) and Leaf-Agent(s) ALL communications and file transfers are FULLY encrypted. This is a major reason for deploying Leaf-Agents in a secure environment.
Credentials used to query and deploy patches to target machines are stored on the Master-Agent. They are stored encrypted using a unique encryption key. The encryption key is generated uniquely for each Master-Agent and is securely stored as well.
"Resumable-task" information is kept in a secured location and encrypted with a 64-bit Blowfish key that is unique to the task and private (not used for any other encryption).
Targets behind a firewall/router are typically managed by allowing the Master and Leaf(s) to communicate over the default port, 9968, or the user-configured port number. If the Master and Leaf(s) use different port numbers (possibly required with a low-end NAT firewall/router), more ports must be allowed, or port forwarding configured, on the firewall/router.
Managing "Agentless or RPC" targets across a firewall/router requires that ports 135, 139, and 445 be allowed. This is usually not done for an internet-connected DMZ, but may be allowable on an organization's internal network.
The recommended order is: configure the firewall first; then telnet to the Master-Agent to test basic connectivity through the firewall; then run the Agent-Installer directly (a local install) on the DMZ machines; and refer to the Master and Leaf machines by IP address, so that subsequent Master/Leaf communications, such as querying, do not depend on name services (NetBIOS or DNS).
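As an added example (not part of this article or of UpdateEXPERT itself), the following Python script automates the connectivity test described above: it works out which ports the firewall must allow for a given Master/Leaf layout and probes each machine by IP address, as a scripted stand-in for the manual telnet check. Port 9968 and the RPC ports 135/139/445 come from the article; the sample IP addresses are constructed placeholders.

```python
import socket
from typing import Dict, Iterable, Set, Tuple

# Defaults taken from the article: 9968 is the default Master/Leaf port,
# 135/139/445 are needed only for "Agentless or RPC" targets.
DEFAULT_AGENT_PORT = 9968
RPC_PORTS = (135, 139, 445)


def probe(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP connection to host:port completes, i.e. what a
    manual 'telnet <ip> <port>' would show as a connected session."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable: all mean "blocked"
        return False


def required_ports(master_port: int, leaf_ports: Iterable[int],
                   rpc_targets: bool) -> Set[int]:
    """Ports the firewall must allow: every distinct Master/Leaf port (a Leaf
    on a different port needs its own rule) plus the RPC trio when Agentless
    targets sit on the far side of the firewall."""
    ports = {master_port, *leaf_ports}
    if rpc_targets:
        ports.update(RPC_PORTS)
    return ports


def check_connectivity(targets: Iterable[Tuple[str, str, int]],
                       timeout: float = 3.0) -> Dict[Tuple[str, int], bool]:
    """Probe each (label, ip, port) entry and map (ip, port) -> reachable.
    Targets are given as IP addresses so the check never relies on
    NetBIOS or DNS, matching the article's advice."""
    return {(ip, port): probe(ip, port, timeout) for _label, ip, port in targets}


if __name__ == "__main__":
    # Constructed sample layout: one Master, one DMZ Leaf on a non-default port.
    plan = [("master", "10.0.0.5", DEFAULT_AGENT_PORT),
            ("leaf-dmz", "192.0.2.10", 9969)]
    print("firewall must allow:", sorted(required_ports(
        DEFAULT_AGENT_PORT, [9969], rpc_targets=False)))
    for (ip, port), ok in check_connectivity(plan, timeout=1.0).items():
        print(f"{ip}:{port} {'reachable' if ok else 'BLOCKED'}")
```

Run it from the DMZ side after the firewall rules are in place; any port reported as BLOCKED is one the firewall (or an intermediate NAT) is still dropping.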
Isolated Network Support (non-internet connected networks)