Network Security profiles - TLS versions and ciphers supported

Sometimes you have to work with older operating systems that use older security protocols. Security profiles in N-able N-central let you choose between modern and legacy security protocols. The Modern security profile is enabled by default and provides the most secure set of protocols and ciphers. If required in your environment, you can switch the N-central security profile between the Modern, Compatibility, and Legacy security profiles. To change security profiles, at the System level, click Administration -> Mail and Network Settings -> Network Security.

Because the Modern security profile is enabled by default, you need to ensure that Agents and Probes are at version 12.1 SP1 or higher. Versions 12.1 SP1 and newer use TLS 1.2 to communicate with N-central 12.2 and newer. This also applies to Report Manager; you need to upgrade it to version 5.0 SP5 or newer.

N-able strongly recommends remaining on the default Modern security profile unless you have a strong business need to choose a less secure configuration.

Modern security profile

  • Configures N-central's Web UI, Administration UI, Agent/API, and XMPP services to support TLS versions 1.2 and 1.3.

  • For all web interfaces, enables AED Key Exchange (AKE) GCM, and ChaCha20 Poly1305 based TLS 1.3 ciphers, using either x25519 or secp256r1 EC curves.

  • Enables only Perfect Forward Secrecy (PFS), GCM-based TLS 1.2 ciphers, using either x25519 or secp256r1 EC curves.

  • Disables weak SSH Ciphers, MACs, and KEX Algorithms.

  • Will work with Modern Operating Systems (Windows 10, Windows Server 2016, OS X 10.11 (El Capitan), iOS 9, Android 4.4.2, and newer).

  • Meets PCI DSS 3.2.1 Requirements 2.3 and 4.1.

The Modern security profile supports the following ciphers:

  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

Compatibility security profile

The Compatibility security profile sits between the Modern and Legacy security profiles. It allows you to support operating systems in their Extended Lifecycle, such as Windows Server 2012 R2, without needing to allow TLS 1.1 or 1.0.

  • Configures N-central's Web UI, Administration UI, Agent/API, and XMPP services to support TLS versions 1.2 and 1.3.

  • For all web interfaces, enables AED Key Exchange (AKE) GCM, and ChaCha20 Poly1305 based TLS 1.3 ciphers, using either x25519 or secp256r1 EC curves.

  • For the Administration UI and XMPP services, enables only Perfect Forward Secrecy (PFS), GCM-based TLS 1.2 ciphers, using either x25519 or secp256r1 EC curves.

  • For the Web UI and Agent/API services, enables GCM-based RSA ciphers in addition to the ECDHE GCM-based TLS 1.2 ciphers from the “Modern” profile.

  • Disables weak SSH Ciphers, MACs, and KEX Algorithms.

  • Will work with Extended Lifecycle, and Modern Operating Systems (Windows 7/IE11, Windows Server 2008 R2/IE11, OS X 10.11 (El Capitan), iOS 9, Android 4.4.2, and newer).

  • Meets PCI DSS 3.2.1 Requirements 2.3 and 4.1.

The Compatibility security profile supports the following ciphers:

  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

  • TLS_RSA_WITH_AES_256_GCM_SHA384

  • TLS_RSA_WITH_AES_128_GCM_SHA256

When choosing which of the weaker ciphers to make available in the Compatibility security profile, we looked at the security levels and the theoretical and proven attacks on both non-PFS and CBC-based ciphers. At this time, the theoretical capability to decrypt CBC-based ciphers without the private key is easier for an attacker to exploit than an attack against non-PFS, GCM-based ciphers without access to the N-central server’s private key.

PFS - Perfect Forward Secrecy: After negotiating the TLS connection, a new, ephemeral public/private key pair is generated for the connection, and the devices use this for encrypting the traffic. Non-PFS ciphers continue using the public/private key pair the connection was initiated with.

Legacy security profile

N-able plans to deprecate the Legacy security profile in a future release of N-central. As a result, we strongly recommend that you upgrade your legacy devices that may be preventing you from using a more secure security profile.

  • Configures N-central's Web UI and Agent/API services to support TLS versions 1.0 through 1.3.

  • Configures N-central's Administration UI and XMPP services to support TLS versions 1.2 and 1.3.

  • For all web interfaces, enables AED Key Exchange (AKE) GCM, and ChaCha20 Poly1305 based TLS 1.3 ciphers, using either x25519 or secp256r1 EC curves.

  • For the Administration UI and XMPP services, enables only Perfect Forward Secrecy (PFS), GCM-based TLS 1.2 ciphers, using either x25519 or secp256r1 EC curves.

  • For the Web UI and Agent/API services, enables the same GCM-based RSA and ECDHE GCM-based ciphers as the “Compatibility” profile. Additionally, it enables the TLS 1.0/1.1 CBC-based RSA and ECDHE ciphers with SHA1, and the legacy CBC-based RSA cipher with 3DES, as opposed to AES in all other ciphers.

  • Fails PCI DSS, HIPAA, and NIST compliance requirements.

  • Works with Legacy, Extended Lifecycle, and Modern Operating Systems (Windows Vista, Windows Server 2008, macOS 10.11 (El Capitan), iOS 9, Android 4.4.2, and newer).

The Legacy security profile supports the following list of ciphers:

TLS 1.2

  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

  • TLS_RSA_WITH_AES_256_GCM_SHA384

  • TLS_RSA_WITH_AES_128_GCM_SHA256

  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

  • TLS_RSA_WITH_AES_256_CBC_SHA

  • TLS_RSA_WITH_AES_128_CBC_SHA

  • TLS_RSA_WITH_3DES_EDE_CBC_SHA
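
The following is an added example, not N-able code: it takes the cipher lists above (Web UI and Agent/API services, TLS 1.2 and older) and works out, for an inventory of clients, the strictest profile each one can connect under and therefore the least secure profile the server would have to run. The host names and offered suites in INVENTORY are constructed, and treating the list order as server preference is an assumption; TLS 1.3 suites are left out because the page does not name them.

```python
import re

# Cipher lists transcribed from the page, in the order the page gives them.
MODERN = [
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]
COMPATIBILITY = MODERN + ["TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_GCM_SHA256"]
LEGACY = COMPATIBILITY + [
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]
PROFILES = [("Modern", MODERN), ("Compatibility", COMPATIBILITY), ("Legacy", LEGACY)]
SUITE_RE = re.compile(r"^TLS_(?:(ECDHE)_)?(ECDSA|RSA)_WITH_(AES_\d+|3DES_EDE)_(GCM|CBC)_SHA\d*$")

def describe(suite):
    """Split an IANA suite name into the properties the profiles are built on."""
    m = SUITE_RE.match(suite)
    if m is None:
        raise ValueError(f"unrecognised suite name: {suite}")
    kx, auth, cipher, mode = m.groups()
    return {"pfs": kx == "ECDHE", "gcm": mode == "GCM", "auth": auth, "cipher": cipher}

def assess(client_suites):
    """Strictest profile sharing a suite with the client, that suite, and its PFS status."""
    for name, allowed in PROFILES:  # strictest profile first
        shared = [s for s in allowed if s in client_suites]
        if shared:  # list order used as server preference: an assumption
            return name, shared[0], describe(shared[0])["pfs"]
    return None, None, None

def required_profile(inventory):
    """Least strict profile any client needs, plus clients that no profile can serve."""
    order = [name for name, _ in PROFILES]
    needed = {host: assess(suites)[0] for host, suites in inventory.items()}
    served = [order.index(p) for p in needed.values() if p]
    return (order[max(served)] if served else None,
            sorted(h for h, p in needed.items() if p is None))

# Constructed inventory: hypothetical hosts and the suites each one offers.
INVENTORY = {
    "agent-a": ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_GCM_SHA256"],
    "agent-b": ["TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_CBC_SHA"],
    "agent-c": ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"],
    "agent-d": ["TLS_RSA_WITH_RC4_128_SHA"],
}
```

Running required_profile over a real inventory shows which hosts are the ones holding the server on a weaker profile, which is the list to upgrade first.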