What security features does PRTG include?


I would like to know more about the high security standards of PRTG. Is there a list of PRTG security features?

encryption features prtg security security-features ssl

Created on Aug 7, 2014 9:42:52 AM by Gerald Schoch [Paessler Support]



1 Reply

Accepted Answer


This article applies to PRTG Network Monitor 17.3.34 or later

PRTG Network Monitor Security Features

We at Paessler take the responsibility for your network safety seriously and put a lot of effort into providing you with the most secure network monitoring solution possible. A strong focus is especially on the secure connections to and from the PRTG web server, but PRTG also includes many other security mechanisms to protect against potential attacks.

The list below shows you sample security features of PRTG Network Monitor:

  • The PRTG web server supports SSL encryption (HTTPS, TLS, Elliptic Curve Cryptography, Forward Secrecy) with OpenSSL libraries of the 1.0.2 branch.
  • PRTG only accepts the most secure ciphers for SSL connections. These ciphers have to allow Perfect Forward Secrecy and TLS 1.2. See below for used ciphers.
  • All communication between PRTG probe(s), PRTG core(s), and clients is secured by SSL encryption. The same applies to cluster probe connections. See this article for recent SSL changes.
  • PRTG uses an RSA certificate with 2048 bits as default certificate.
  • PRTG uses unique pre-defined Diffie-Hellman (DH) parameters with a 1024-bit key by default. Note: You can also change the key length manually. Please see this article for details.
  • You can filter probe connections to the core server. This means that you are able to allow connections from specific IP addresses only or deny connections from certain IPs (or even from all). A Remote Probe or Mini Probe must also have a special access key to connect.
  • The PRTG web server cleans and sanitizes all GET and POST parameters that could potentially be used for XSS attacks.
  • The PRTG System Administrator can give individual access rights to each user account and to each user group. By default, users do not have permissions to see or change anything in the PRTG web interface without the explicit rights provided by the admin.
  • The PRTG web server does not deliver files from folders that are not configured by PRTG. This feature helps avoid directory traversal attacks.
  • The internal data management of PRTG is not based on an SQL server, so SQL injection attacks are impossible.
  • You cannot edit script files for custom sensors, SQL sensors, and custom notifications within the PRTG web interface, so anyone who wants to edit these scripts must have access to the file system. This prevents users that have access to the PRTG web interface from injecting and running malicious scripts on the PRTG system. See also this article for more information about this security feature.
  • Every user account requires a password.
  • A password that you enter into any webpage of the PRTG web interface (for example, login credentials for a sensor) will never be sent back to the browser.
  • PRTG always stores internal passwords encrypted and never writes them into log files. If you send a support bundle to our tech support, passwords are removed from the config file in advance.
  • PRTG logs out users that were inactive for a defined time span.
  • PRTG system administrators have to re-authenticate with their credentials every 15 minutes while working on administration pages. Both the logout and the re-authentication mechanism help prevent unauthorized access to PRTG and secure the web interface against potential phishing attacks.
  • Other optional security settings include the ability to disable browser auto-complete in the login form and to deny loading of PRTG web pages in frame elements. This is an additional protection mechanism against clickjacking attacks.

Elliptic Curve and Ciphers

PRTG uses the secp384r1 elliptic curve and the following ciphers:

High Security Mode (default):

Cipher string:
'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256!ADH!aNULL!eNULL!LOW!3DES!MD5!EXP!PSK!SRP!DSS!RC4'

Suites reported by https://www.ssllabs.com/ssltest:
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

Weak Security Mode:

Cipher string:
'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS'

Suites reported by https://www.ssllabs.com/ssltest:
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

SSH Sensors: Ciphers, MAC, Key Exchange (KEX), Key Types

The default SSH engine of SSH sensors uses the following ciphers, MAC, KEX, and key types:

Ciphers: aes256-ctr, aes192-ctr, aes128-ctr, aes256-cbc, aes192-cbc, aes128-cbc

MAC: hmac-sha1, none or hmac-sha2-512, hmac-sha2-256, hmac-sha1, none

KEX: curve25519-sha256@libssh.org, ecdh-sha2-nistp256, diffie-hellman-group1-sha1, diffie-hellman-group14-sha1

Key types: ssh-dss, ssh-rsa or ssh-ed25519, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521, ssh-dss, ssh-rsa

Created on Aug 7, 2014 9:46:02 AM by Gerald Schoch [Paessler Support]

Last change on Nov 13, 2017 6:15:26 PM by Gerald Schoch [Paessler Support]
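The answer above lists two OpenSSL cipher strings, the suites SSL Labs observed for each mode, and the SSH algorithm defaults. An administrator reviewing a monitoring server's configuration usually wants to know which of those entries a current hardening policy would still accept. The script below is an added example, not Paessler's code or part of PRTG: it copies the cipher strings and suite names from the answer, parses the OpenSSL rule syntax (tolerating the missing ':' before the '!' rules in the first string), and flags suites and SSH algorithms against a policy that is this example's own assumption (forward secrecy required, no 3DES, no CBC, no SHA-1 MACs, no DSA host keys, no 1024-bit DH group). The flagged/unflagged split it produces is what you would compare against an actual server after running an external TLS or SSH scan.

```python
"""Offline audit of the TLS cipher lists and SSH defaults quoted in the answer.

Added example, not PRTG/Paessler code. Cipher strings, suite names and SSH
algorithm names are copied from the page; the weakness rules are assumptions
of this example, not a policy stated by the page.
"""
import re

# OpenSSL-style cipher strings as quoted on the page (copied verbatim).
HIGH_SECURITY_STRING = ("ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256"
                        "!ADH!aNULL!eNULL!LOW!3DES!MD5!EXP!PSK!SRP!DSS!RC4")
WEAK_SECURITY_STRING = ("ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:"
                        "ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS")

# Suites SSL Labs reported for each mode (copied from the page).
HIGH_SECURITY_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
]
WEAK_SECURITY_SUITES = [
    "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
]

# SSH defaults from the page; the MAC and key-type lines quote two alternative
# lists, merged here with duplicates removed.
SSH_DEFAULTS = {
    "ciphers": ["aes256-ctr", "aes192-ctr", "aes128-ctr",
                "aes256-cbc", "aes192-cbc", "aes128-cbc"],
    "mac": ["hmac-sha1", "none", "hmac-sha2-512", "hmac-sha2-256"],
    "kex": ["curve25519-sha256@libssh.org", "ecdh-sha2-nistp256",
            "diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1"],
    "key_types": ["ssh-dss", "ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
                  "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"],
}


def parse_cipher_string(spec):
    """Split an OpenSSL cipher string into (allowed rules, excluded rules).

    Rules are normally ':'-separated; '!'-prefixed rules permanently remove
    ciphers. A '!' rule glued to the previous one (as in the page's first
    string) is still recognised because the split keys on the '!' itself.
    """
    terms = re.findall(r"!?[^:!\s']+", spec)
    allowed = [t for t in terms if not t.startswith("!")]
    excluded = [t[1:] for t in terms if t.startswith("!")]
    return allowed, excluded


def tls_suite_issues(suite):
    """Reasons (assumed policy) why an IANA-named TLS 1.2 suite is weak; [] if none."""
    issues = []
    if not (suite.startswith("TLS_ECDHE_") or suite.startswith("TLS_DHE_")):
        issues.append("static RSA key exchange, no forward secrecy")
    if "3DES" in suite:
        issues.append("3DES, 64-bit block cipher")
    if "_CBC_" in suite:
        issues.append("CBC mode, prefer an AEAD suite (GCM)")
    if suite.endswith("_SHA"):
        issues.append("SHA-1 HMAC")
    return issues


def audit_tls(suites):
    """Map each suite to its issue list; an empty list means it passes the policy."""
    return {s: tls_suite_issues(s) for s in suites}


def clean_tls_suites(suites):
    """Suites with no findings, in the order given."""
    return [s for s, issues in audit_tls(suites).items() if not issues]


# Assumed SSH policy: algorithms a hardened client should not offer or accept.
SSH_WEAK = {
    "ciphers": {"aes256-cbc": "CBC mode", "aes192-cbc": "CBC mode", "aes128-cbc": "CBC mode"},
    "mac": {"hmac-sha1": "SHA-1 HMAC", "none": "no integrity protection"},
    "kex": {"diffie-hellman-group1-sha1": "1024-bit group and SHA-1",
            "diffie-hellman-group14-sha1": "SHA-1 in key exchange"},
    "key_types": {"ssh-dss": "DSA host keys, 1024-bit only"},
}


def audit_ssh(config):
    """Return {category: [(algorithm, reason), ...]} for weak entries in config."""
    findings = {}
    for category, algorithms in config.items():
        rules = SSH_WEAK.get(category, {})
        weak = [(a, rules[a]) for a in algorithms if a in rules]
        if weak:
            findings[category] = weak
    return findings


if __name__ == "__main__":
    for label, spec, suites in (("high", HIGH_SECURITY_STRING, HIGH_SECURITY_SUITES),
                                ("weak", WEAK_SECURITY_STRING, WEAK_SECURITY_SUITES)):
        allowed, excluded = parse_cipher_string(spec)
        print(f"{label}: {len(allowed)} allow rules, {len(excluded)} exclude rules")
        for suite, issues in audit_tls(suites).items():
            print(f"  {'OK  ' if not issues else 'WEAK'} {suite}  {'; '.join(issues)}")
    for category, weak in audit_ssh(SSH_DEFAULTS).items():
        print(f"ssh {category}: " + ", ".join(f"{a} ({why})" for a, why in weak))
```

Run as-is it prints that even the default high-security mode still negotiates two CBC suites, one of them with a SHA-1 HMAC, and that the SSH defaults offer CBC ciphers, hmac-sha1, a 'none' MAC, SHA-1 key exchange and DSA host keys; whether that matters in your environment depends on which side (client or server) ends up choosing, which is why the result should be paired with an actual scan of the server rather than read from the list alone.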
