Secure communication within Paessler PRTG
In the rapidly evolving cybersecurity landscape, security is crucial. At Paessler, we understand the importance of security and have committed ourselves to providing a robust and secure network monitoring solution. In this blog post, we explore how Paessler PRTG ensures the confidentiality and integrity of the transmitted data. Specifically, we discuss how secure communication is established, and what options you have at your disposal to further harden your setup.
Encrypted communication
By default, PRTG encrypts the communication between its components, which means that the communication between the PRTG web server and the probes is secured out of the box using the SSL/TLS protocol. Specifically, PRTG can be configured to use only HTTPS combined with secure ciphers. TLS 1.3, for example, is supported (and recommended if your setup allows it) and by default allows only state-of-the-art secure ciphers. TLS 1.2 is also perfectly fine, but be aware that it enables some weak ciphers by default as well (e.g. ECDHE-RSA-AES256-SHA384 and ECDHE-RSA-AES256-SHA). You can specify exactly which ciphers are allowed according to your needs by editing registry keys. Since this is an error-prone action and a mistake can make PRTG unusable, we encourage you to open a ticket describing your exact needs so that you receive a suitable configuration that meets them.
An example of instructing the PRTG web server to allow only TLS 1.3 can be seen below:
1. Open regedit.exe
2. Go to path HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Paessler\PRTG Network Monitor\Server\Webserver
3. Create a new DWORD (32-bit) with:
a) Name: OverrideSSLVersionV2
b) Value: 128 (as decimal)
4. Restart the PRTG core server service using the PRTG Administration Tool
Another example is to restrict the PRTG web server to use only TLS 1.2 and disable CBC ciphers that are enabled by default:
1. Open regedit.exe
2. Go to path HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Paessler\PRTG Network Monitor\Server\Webserver
3. Create a new DWORD (32-bit) with:
a) Name: OverrideSSLVersionV2
b) Value: 64 (as decimal)
4. Create a new string with:
a) Name: OverrideSSLCipherV2
b) Value: ECDH+AESGCM
5. Restart the PRTG core server service using the PRTG Administration Tool
This will make the PRTG web server only accept TLS 1.2 with the following ciphers:
- ECDHE-RSA-AES256-GCM-SHA384
- ECDHE-RSA-AES128-GCM-SHA256
Note that to make the above work, both OverrideSSLVersionV2 and OverrideSSLCipherV2 should be present in the registry.
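After applying either of the two registry profiles above, you will want to confirm from a client what the PRTG web server now negotiates, and to see which suites the OverrideSSLCipherV2 string actually selects. The following Python script is an added example, not part of the original post or of PRTG itself. It assumes that PRTG hands the OverrideSSLCipherV2 value to OpenSSL unchanged, so OpenSSL cipher-list syntax applies, and that the server holds an RSA certificate (PRTG's default self-signed certificate), which is why the ECDSA variants of the matching suites are filtered out. The host name is a placeholder; pass your own server as the first argument.

```python
"""Check which TLS versions and cipher suites a PRTG web server accepts after
the OverrideSSLVersionV2 / OverrideSSLCipherV2 registry change, and show what
the OpenSSL cipher string in the registry expands to."""
from __future__ import annotations

import socket
import ssl
import sys

# Value of OverrideSSLCipherV2 from the TLS 1.2 example. PRTG builds on OpenSSL,
# so OpenSSL cipher-list syntax is assumed to apply to that string.
PRTG_TLS12_GCM_SPEC = "ECDH+AESGCM"
# The two CBC suites named in the post as weak TLS 1.2 defaults.
WEAK_CBC_SUITES = ("ECDHE-RSA-AES256-SHA384", "ECDHE-RSA-AES256-SHA")


def expand_cipher_spec(spec: str, rsa_cert_only: bool = True) -> list[str]:
    """Return the TLS 1.2 cipher names that an OpenSSL cipher string enables.

    With rsa_cert_only the ECDSA suites are dropped: a server holding an RSA
    certificate (PRTG's default) can never negotiate them, so what remains is
    what clients can really use.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)
    names = []
    for c in ctx.get_ciphers():
        if c["protocol"] != "TLSv1.2":
            continue  # TLS 1.3 suites are fixed and not governed by this string
        if rsa_cert_only and "ECDSA" in c["name"]:
            continue
        names.append(c["name"])
    return names


def probe_tls(host: str, port: int, version: ssl.TLSVersion,
              ciphers: str | None = None, timeout: float = 5.0) -> dict:
    """Handshake with host pinned to one TLS version (and optionally one cipher
    list) and report whether the server accepted it.

    Certificate validation is switched off on purpose: PRTG ships a self-signed
    certificate by default and only the negotiation matters here. Do not reuse
    this context for real traffic.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = version
    ctx.maximum_version = version
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    if ciphers:
        ctx.set_ciphers(ciphers)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return {"offered": version.name, "accepted": True,
                        "negotiated": tls.version(), "cipher": tls.cipher()[0]}
    except (ssl.SSLError, OSError) as exc:
        # A server that rejects the offered version or ciphers answers with a
        # handshake alert (SSLError); plain connection failures also land here.
        return {"offered": version.name, "accepted": False,
                "negotiated": None, "cipher": None, "error": str(exc)}


def audit_prtg(host: str, port: int = 443) -> dict[str, dict]:
    """Run the checks that matter for the two registry profiles in the post:
    TLS 1.3 only, TLS 1.2 with the GCM suites, and TLS 1.2 with the weak CBC
    suites (which a correctly configured server must refuse)."""
    return {
        "tls13": probe_tls(host, port, ssl.TLSVersion.TLSv1_3),
        "tls12_gcm": probe_tls(host, port, ssl.TLSVersion.TLSv1_2, PRTG_TLS12_GCM_SPEC),
        "tls12_cbc": probe_tls(host, port, ssl.TLSVersion.TLSv1_2, ":".join(WEAK_CBC_SUITES)),
    }


if __name__ == "__main__":
    # Placeholder host name; replace with the PRTG web server you are checking.
    target = sys.argv[1] if len(sys.argv) > 1 else "prtg.example.internal"
    print("OverrideSSLCipherV2 =", PRTG_TLS12_GCM_SPEC,
          "enables:", expand_cipher_spec(PRTG_TLS12_GCM_SPEC))
    for name, result in audit_prtg(target).items():
        print(f"{name:10s} accepted={result['accepted']} "
              f"negotiated={result['negotiated']} cipher={result['cipher']}")
```

With the TLS 1.3-only profile (OverrideSSLVersionV2 = 128) you expect only the tls13 probe to be accepted; with the TLS 1.2 profile (64 plus ECDH+AESGCM) you expect tls12_gcm accepted, tls12_cbc refused and tls13 refused. The cipher-string expansion shows why the post lists exactly two suites: ECDH+AESGCM matches four suites in OpenSSL, but the two ECDSA ones are unusable with an RSA certificate.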
The role of OpenSSL
Input sanitization
In addition to the SSL/TLS implementation, PRTG protects users from various web security threats as well. We achieve this by enforcing input sanitization within our code, reducing the risk of successful attacks such as cross-site scripting (XSS) or path traversal. However, since we are aware that there is no such thing as 100% security, on top of our input sanitization we constantly run automated security tests against our web server to further improve the defenses of PRTG.
HTTP (custom) headers