Auvik Networks System Security White Paper

www.auvik.com

CONTENTS

You can’t take chances with an IT network
What is Auvik?
What is the virtual appliance and what does it do?
What communication protocols does Auvik use?
What information does Auvik collect and how is it handled?
How does Auvik use network information?
How is network information kept safe on Auvik servers?
How is the data center secured?
What are the benefits of Auvik’s cloud-based system?
What is Auvik’s data retention policy?
Can I try Auvik without putting it on my network?

YOU CAN’T TAKE CHANCES WITH AN IT NETWORK.

Security is a big part of network operations today. Are the infrastructure and data you manage safe? As a network administrator, you carry a lot of responsibility. We know that.

It’s why we built our network operations system from the ground up with safeguards in mind. Our goal is always to make your life easier. Less stressful. More effective.

This white paper will give you an overview of how Auvik collects and transfers data, and the security protocols we follow to keep the networks you manage safe.

Read on to learn more.

WHAT IS AUVIK?

Auvik is a cloud-based system that provides unprecedented insight into networks and automates complex and time-consuming tasks. Auvik keeps network maps and documentation up to date in real-time, captures and manages device configurations, monitors network performance, alerts you to potential network issues, and more.

Data security was built into Auvik from the beginning. We’ve followed industry best practices to ensure Auvik is as safe and secure as the most well-known and respected cloud-based offerings.

WHAT IS THE VIRTUAL APPLIANCE AND WHAT DOES IT DO?

Using Auvik begins with installing the Auvik virtual appliance on a network.

The virtual appliance is a piece of code that uses a number of protocols to gather information about the network, such as topology details, configurations, and network statistics. The appliance summarizes and sends that information to the Auvik servers over an encrypted connection.

When you download the Auvik virtual appliance to a network, the appliance is uniquely configured to be associated only with the account that created it. There’s no way another Auvik customer account can communicate with an appliance you’re using, either accidentally or purposefully.

The appliance only establishes outbound connections; our cloud servers cannot establish an inbound connection.

WHAT COMMUNICATION PROTOCOLS DOES AUVIK USE?

To see and communicate with a network, the Auvik virtual appliance uses these communications protocols:

• ICMP (Internet Control Message Protocol)
• MDNS (multicast Domain Name System)
• RDP (Remote Desktop Protocol)
• SMB (Server Message Block)
• SNMP (Simple Network Management Protocol)
• SSH (Secure Shell)
• Telnet*
• TFTP (Trivial File Transfer Protocol)
• UPnP (Universal Plug and Play)
• VNC (Virtual Network Computing)

* Telnet is used only when SSH is not available.

The virtual appliance sends information to the Auvik servers through an SSL-encrypted web socket, following industry standards for secure data transmission on the Internet. The appliance uses certificate authentication to ensure it’s communicating with the Auvik servers.

ICMP

ICMP is one of the main protocols of the Internet Protocol Suite. It’s most often used by network devices, like routers, to send error messages. It can also be used to relay query messages. Auvik uses ICMP to ping devices on a network.

MDNS

MDNS resolves host names to IP addresses. It works by sending an IP multicast query message that asks the host having that name to identify itself.

RDP

RDP is a proprietary Windows system for sharing desktops over a network. Auvik uses it to allow remote login and management of Windows devices.

SMB

SMB is an application-layer network protocol that Auvik uses to discover printers, serial ports, and miscellaneous communications between network nodes.

SNMP

SNMP is an Internet-standard protocol for collecting and organizing information about devices on an IP network.

SSH

Secure Shell (SSH) is a cryptographic network protocol for secure data communication, remote command-line login, remote command execution, and other secure network services between two networked computers.

TELNET

Telnet is a client-server protocol historically used to send clear text across a network. Today, most administrators prefer SSH, which provides much of the same functionality as Telnet but with the addition of encryption and public key authentication. Auvik will only use Telnet to communicate with your network if SSH is not available.
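
An added example, not part of the Auvik white paper or Auvik's own code: a small audit that finds the devices on which an SSH-first, Telnet-fallback collector would end up sending login credentials in clear text. It assumes the default TCP ports 22 and 23 and treats "SSH is not available" as "port 22 does not accept a connection"; the page specifies neither, and the device table is constructed sample data.

```python
import socket

SSH_PORT, TELNET_PORT = 22, 23  # assumed default ports; the page names no ports


def tcp_open(host, port, timeout=1.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def management_path(host, probe=tcp_open):
    """Classify which login protocol an SSH-first, Telnet-fallback
    collector would end up using for this host."""
    if probe(host, SSH_PORT):
        return "ssh"
    if probe(host, TELNET_PORT):
        return "telnet-fallback"  # credentials would cross the LAN in clear text
    return "no-cli"


def audit(hosts, probe=tcp_open):
    """Map each host to its path and list the hosts that need SSH enabled."""
    paths = {h: management_path(h, probe) for h in hosts}
    cleartext = sorted(h for h, p in paths.items() if p == "telnet-fallback")
    return paths, cleartext


# Constructed sample: open ports per device (RFC 5737 documentation addresses).
SAMPLE_OPEN_PORTS = {
    "192.0.2.1": {22, 23},  # both enabled: SSH is used, Telnet could be disabled
    "192.0.2.2": {23},      # legacy switch: Telnet only
    "192.0.2.3": {22},
    "192.0.2.4": set(),     # no CLI reachable at all
}


def sample_probe(host, port):
    """Offline stand-in for tcp_open that reads the constructed table."""
    return port in SAMPLE_OPEN_PORTS.get(host, set())


if __name__ == "__main__":
    paths, cleartext = audit(SAMPLE_OPEN_PORTS, sample_probe)
    for host, path in paths.items():
        print(f"{host:12} {path}")
    print("enable SSH on:", ", ".join(cleartext))
```

Calling audit() with the default probe runs the same check against real management addresses on a network you administer.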

TFTP

TFTP is a simple file transfer protocol that Auvik uses to send a configuration file to the network when you request a configuration restore. Since a config restore is the only time Auvik uses TFTP, the protocol doesn’t get much use.

UPNP

UPnP is a set of networking protocols that allows devices to discover each other’s presence on a network.

VNC

VNC is a platform-independent system for sharing desktops over a network. Auvik uses it to allow remote login and management of Mac and Linux devices, among others.

(Source: Wikipedia)

WHAT INFORMATION DOES AUVIK COLLECT AND HOW IS IT HANDLED?

1) Auvik collects the authentication credentials of network devices.

Auvik needs credential information to see devices and how they’re connected to one another. All the credentials shared with Auvik are sent to the cloud and stored there using AES-128 encryption. They’re decrypted and made available to the system only as needed for delivering product features.

2) Auvik logs the configuration data of network devices.

Auvik requires configuration data to better understand a network. Auvik analyzes how configuration changes affect performance, allowing you to optimize network performance over time. Like credentials, all configuration data is encrypted using AES-128.

3) Auvik collects anonymized network metadata.

Auvik usually keeps some high-level anonymized metadata from every account. For example, we might log the connection speeds between devices, the number of bytes sent, and usage statistics. We aggregate this metadata with metadata from other accounts. It’s used solely for the purpose of analyzing and optimizing our system performance. The data isn’t encrypted but is stored in a secure database. Since the data is anonymized, no one could ever acquire information about a specific network with it.

Auvik doesn’t see any traffic content sent through a network.

If someone sends an email on your network, for example, Auvik would know how many bytes were transmitted. But there’s no way for our system to read the content of the transmitted packets.

AES-128

The Advanced Encryption Standard or AES is a symmetric block cipher used by the U.S. government to protect classified information. Symmetric or secret-key ciphers use the same key for encrypting and decrypting, so both the sender and the receiver must know and use the same secret key. AES-128 encrypts and decrypts data in blocks of 128 bits using cryptographic keys of 128 bits. (Source: TechTarget)

HOW DOES AUVIK USE NETWORK INFORMATION?

Auvik uses the information gathered by the virtual appliance to drive product features. For example, the information is used to draw a network map, create device profiles for inventory, and log device configurations.

Auvik analyzes, distills, and visually renders network information, then shows it to your approved users through a secure login from a web browser.

BEST PRACTICE TIP

Don’t share your Auvik login details with your co-workers.

Anyone who needs access to your Auvik instance should be set up with their own login and secure password. To add users to your account, click Manage Users in Auvik’s side navigation bar.

HOW IS NETWORK INFORMATION KEPT SAFE ON AUVIK SERVERS?

Like many SaaS offerings, Auvik stores data in a cloud-hosted, multi-account environment. We follow industry best practices in every aspect of secure data collection and storage. Auvik servers use an industry standard four-tier architecture, with security protocols at every layer. Even if someone gained unauthorized access to our system, the risk of them being able to compromise all four layers to see or make use of customer data is extremely low.

As soon as information from a network reaches the Auvik system, it’s partitioned in such a way that it’s impossible for data to cross from one account to another.

At Auvik, we make it impossible for non-approved employees to access customer information. In order to access customer-specific servers, a special SSH key is needed. The key is accessible by a bare minimum of necessary Auvik personnel. For additional security and to ensure access privileges are kept up to date, the SSH key is rotated every month or anytime someone leaves or joins the access group.

Network security requirements in certain industries, such as public utilities or financial services, can be very stringent. You may be required by law to keep all of your company information entirely on premise. If that’s the case, Auvik is not the right solution for you.

HOW IS THE DATA CENTER SECURED?

Auvik servers are kept in secure, state-of-the-art Amazon data centers. These data centers have the following security attributes:

• Electronic surveillance of servers
• Multi-factor access control systems
• Staffed 24-7 by trained security guards
• Achieved ISO 28001 certification
• Achieved ISO 9001 certification
• Undergo regular SOC 1 audits

WHAT ARE THE BENEFITS OF AUVIK’S CLOUD-BASED SYSTEM?

Cloud-based services, from SaaS to IaaS (infrastructure as a service) and everything in between, have been exploding in popularity in recent years. In fact, 87% of businesses are using some form of public cloud and more are moving there every day.

It’s easy to see why. Companies cite reduced IT management time, improved security and availability, and fewer outages as major benefits of cloud services. (source: RackSpace, Oct 2014)

Here are a few of the ways Auvik’s cloud-based system benefits companies and IT teams:

Less expensive than an on-premise solution. One of the major benefits of cloud-based solutions is that they tend to cost far less than installed on-premise solutions. You benefit from a subscription with one affordable monthly payment. No multi-year contracts, no installation fees, no complicated licensing.

Less time-consuming than an on-premise solution. If Auvik were a completely on-premise solution, you’d have to install it, configure it, and continually manage patches and upgrades. That translates into a lot of time and effort, both upfront and ongoing. Being cloud-based means all of these complex tasks are taken care of for you by Auvik.

Simpler and less resource-intensive. Don’t spend another painstaking minute building a topology by hand or compiling a device inventory. With Auvik, everything is automatically logged and maintained for you in real-time. Unlimited server space is included in your Auvik plan.

Always up to date. Because Auvik regularly performs maintenance and upgrades, you’re guaranteed to be running the best and most current version of our software at all times. Plus, all network information is maintained in real-time, ensuring maps and the other information you use to operate a network are never out of date.

Easy data recovery. If disaster strikes and you lose on-premises network data, there’s no problem. Your network map, configurations, inventory, and performance stats are safe on secure Auvik servers. Simply log in and restore the settings.

WHAT IS AUVIK’S DATA RETENTION POLICY?

If you ever decide to cancel your Auvik subscription—which you may do at any time—the network data in your account is completely recoverable within 30 days of cancellation. After 30 days, most information is deleted for housekeeping purposes.

But as mentioned, Auvik usually keeps some anonymized metadata from your account for the purpose of analyzing and optimizing our system performance.

If you prefer that network data from your account not be included in our aggregated metadata set, let our support team know when you make your cancellation request. In that case, we’ll manually delete all information about your account from our system. The deletion will be permanent and the information will not be restorable.

CAN I TRY AUVIK WITHOUT PUTTING IT ON MY NETWORK?

Yes! Head over to the Auvik website where you can play with a live, interactive demo featuring a sample network. There’s no installation required.

A second option is to bring the Auvik virtual appliance into any test network you have running on GNS3. Auvik integrates easily with this popular network simulator. For more information, download the Auvik-GNS3 integration guide.

METADATA

Metadata are records derived from or generated by network information. They include items such as network size, the connection speed between two devices, and Auvik’s performance within a particular environment.

MORE QUESTIONS?

Have a question about Auvik or our system security that’s not answered here? Give us a call. Or send an email. We’re happy to talk to you.

ABOUT AUVIK

Auvik is a cloud-based system that delivers unprecedented insight into network infrastructure, and automates complex and time-consuming network tasks.

• Minutes to install
• Virtually no configuration required
• Simple, intuitive design
• Integration with leading workflow tools
• Works with 7000+ devices from 230+ vendors
• Free support

Skype: AuvikSales

519-804-4700 x110

03-201509