Security is a top priority for organizations leveraging CTERA Edge Filers for file services. Out-of-the box the CTERA Edge Filer operating system is hardened (and users must not modify the underlying operating system):
- Unnecessary services are disabled.
- Default firewall rules are strict.
- The system is kept minimal.
In addition to antivirus and ransomware protection built-in to CTERA products, the following best practices will help to prevent compromise of a CTERA Edge Filer.
Firewall and Network Configuration
- Why: Protect the edge filer from unauthorized access and cyber threats from the Internet.
- How: Only expose required ports and restrict incoming connections to only what is necessary. If used in cloud or DMZ setups, double-check that only required ports are open. Follow the port table for your version. For more details, see CTERA Edge Filer Ports Diagram.Note
Usually only CTERA Portal and local SMB/NFS client connections are necessary.
- Impact: Blocks malicious or unwanted connections while allowing legitimate traffic to pass through. This helps prevent data breaches, malware infections, and other security incidents.
Authentication
- Join the edge filer to your Microsoft Active Directory domain.Note
A warning notification is issued if the edge filer is not joined to a Microsoft Active Directory domain.
- Review share permissions to ensure only authorized users have access to shares
Portal Connectivity
- Disable any unneeded services.Note
FTP and Telnet are disabled by default.
Certificate Policy
- Only use valid HTTPS certificates (from a trusted CA). Certificates are managed in System > Certificates in the edge filer user interface.
- Rotate certificates as needed.
Cyber-security
- Enable Antivirus.
- Enable CTERA Ransom Protect.
- Keep audit logging enabled and monitored. Forward audit logs to remote immutable storage, such as CTERA Insight.
Administrative Practices
- Disable unused administrator accounts.