Views:

Customized Kernel Environment

Service Gateway uses customized Linux kernel and removes unnecessary tools/software/command to secure the environment.


Keeping Security Patches Updated

According to Trend Micro's security policy, when the Service Gateway receives a CVE or ZDI vulnerability report, Service Gateway will perform CVSS evaluation. If the vulnerability has impacted service gateway, it will release a Critical Patch or resolve it in next release. Normally, a build is released in two weeks.


Vulnerability on Service Gateway Appliance scanned

For the CVEs scanned by vulnerability product on service gateway appliance, some CVEs such as OS patch, OS package patch and Squid patch issue will be fixed in Service Gateway version 3.0 (released before 2023.12). For Service Gateway 2.0, it will not fix these CVEs since the Service Gateway deployed on the internal network with low effect.

Service Gateway version has upgraded OS image to Rocky Linux 9.2 and updated kernel, openSSL, squid to official latest version.


SSH support cipher(SG Version 3)

  • 3des-cbc
  • aes128-cbc
  • aes192-cbc
  • aes256-cbc
  • aes128-ctr
  • aes192-ctr
  • aes256-ctr
  • aes128-gcm@openssh.com
  • aes256-gcm@openssh.com
  • chacha20-poly1305@openssh.com


TCP Traffic Port support cipher on port 443 (SG Version 3)

  • ssl-enum-ciphers:
    • TLSv1.2:
      • ciphers:
        • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
        • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
        • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A
        • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
        • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519) - A
        • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
        • TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
        • TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
        • TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
        • TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
        • TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
        • TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
      • compressors:
        • NULL
      • cipher preference: server
    • TLSv1.3:
      • ciphers:
        • TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
        • TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
        • TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
      • cipher preference: server
    • _ least strength: A


    TCP Traffic Port support cipher on port 5275 for WRS query (SG Version 3)

    • sl-enum-ciphers:
      • TLSv1.0:
        • ciphers:
          • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
          • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
          • TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
          • TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
          • TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
          • TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
        • compressors:
          • NULL
        • cipher preference: client
      • TLSv1.1:
        • ciphers:
          • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
          • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
          • TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
          • TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
          • TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
          • TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
        • compressors:
          • NULL
        • cipher preference: client
      • TLSv1.2:
        • ciphers:
          • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
          • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
          • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
          • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
          • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
          • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
          • TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 (secp256r1) - A
          • TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 (secp256r1) - A
          • TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (secp256r1) - A
          • TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 (secp256r1) - A
          • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
          • TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
          • TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
          • TLS_RSA_WITH_AES_128_CCM (rsa 2048) - A
          • TLS_RSA_WITH_AES_128_CCM_8 (rsa 2048) - A
          • TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
          • TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
          • TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
          • TLS_RSA_WITH_AES_256_CCM (rsa 2048) - A
          • TLS_RSA_WITH_AES_256_CCM_8 (rsa 2048) - A
          • TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
          • TLS_RSA_WITH_ARIA_128_GCM_SHA256 (rsa 2048) - A
          • TLS_RSA_WITH_ARIA_256_GCM_SHA384 (rsa 2048) - A
          • TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
          • TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 (rsa 2048) - A
          • TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
          • TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 (rsa 2048) - A
        • compressors:
          • NULL
        • cipher preference: client
      • TLSv1.3:
      • ciphers:
        • TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
        • TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
        • TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
      • cipher preference: client
  • _ least strength: A
  • _http-server-header: Trend Micro


Management Console Account Passwords

Service Gateway only supports default Admin user to log in to Clish console, and the default admin user will be forced to change password when logging in the first time.

Service Gateway only accepts passwords that contain the following:

  • 8 to 32 characters
  • At least one upper case letter: A to Z
  • At least one lower case letteR: a to z
  • At least one number: 0 to 9
  • At least one special character: ~!`@#$%^&*()/_+=[] {}-\|<>',.?:;"

Observe the following guidelines for creating a strong password:

  • Avoid words found in the dictionary.
  • Intentionally misspell words.
  • Use phrases or combine words.
  • Use both uppercase and lowercase letters.

The Service Gateway also supports changing the password manually with Clish command.


Service Addresses and Ports

Service Gateway provides HTTP and HTTPS port for other on-premise products to integrate with it. For detailed information refer to the Online Help Center article, Ports and URLs Used by the Service Gateway Virtual Appliance .

Service Gateway also provides the disabling and enabling of ports opened for services using the following clish command:

configure port list – showing the opened ports on service gateway.
configure port disable  – disable the pointed port service needed on service gateway except port 22(SSH service)
configure port enable  – enable the pointed port service needed on service gateway.


Hardware Appliance Availability

Service Gateway supports installation on virtual machines of different platform.

Now Service Gateway can support on-premise installation such as VMware ESXi , Microsoft Hyper-V. For more details, refer to this Online Help Center article, Deploying a Service Gateway Virtual Appliance .

Service Gateway also supports cloud virtual machine installation such as AWS EC2 and Azure Virtual Machine. For details, refer to the KB article, Launch Service Gateway Virtual Appliance from Amazon Web Services (AWS) - Amazon Machine Images (AMI), or Launch Service Gateway Virtual Appliance from Azure Virtual Machine (VM) image.


SSH support cipher(SG Version 2)

  • ssh-ed25519
  • ssh-ed25519-cert-v01@openssh.com
  • sk-ssh-ed25519@openssh.com
  • sk-ssh-ed25519-cert-v01@openssh.com
  • ssh-rsa
  • ssh-dss
  • ecdsa-sha2-nistp256
  • ecdsa-sha2-nistp384
  • ecdsa-sha2-nistp521
  • sk-ecdsa-sha2-nistp256@openssh.com
  • ssh-rsa-cert-v01@openssh.com
  • ssh-dss-cert-v01@openssh.com
  • ecdsa-sha2-nistp256-cert-v01@openssh.com
  • ecdsa-sha2-nistp384-cert-v01@openssh.com
  • ecdsa-sha2-nistp521-cert-v01@openssh.com
  • sk-ecdsa-sha2-nistp256-cert-v01@openssh.com


TCP Traffic Port support cipher(SG Version 2)

  • ECDHE-ECDSA-AES128-GCM-SHA256:
  • ECDHE-ECDSA-AES256-GCM-SHA384:
  • ECDHE-ECDSA-CHACHA20-POLY1305:
  • DHE-RSA-AES128-GCM-SHA256:
  • DHE-RSA-AES256-GCM-SHA384:
  • DHE-RSA-CHACHA20-POLY1305:
  • ECDHE-ECDSA-AES128-SHA256:
  • ECDHE-RSA-AES128-SHA256:
  • ECDHE-ECDSA-AES128-SHA:
  • ECDHE-RSA-AES128-SHA:
  • ECDHE-ECDSA-AES256-SHA384:
  • ECDHE-RSA-AES256-SHA384:
  • ECDHE-ECDSA-AES256-SHA:
  • ECDHE-RSA-AES256-SHA:
  • DHE-RSA-AES128-SHA256:
  • DHE-RSA-AES256-SHA256:
  • AES128-GCM-SHA256:
  • AES256-GCM-SHA384:
  • AES128-SHA256:
  • AES256-SHA256:
  • AES128-SHA:
  • AES256-SHA:
  • DES-CBC3-SHA
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES128-GCM-SHA256