Securing your terminal operating system (TOS) is essential to avoid the worst-case scenario of a cyber-attacker taking over your entire system without your knowledge. Although it is possible for attackers to compromise even the most secure systems, you must still take every step you can to deter and discourage unauthorized users from accessing your system.
Navis recommends that you take action in the following areas to reduce the vulnerability of your terminal operating system:
Password/Users Management
Change the default passwords for all pre-configured users in N4. For details on the users and how to change the passwords, see Change default passwords in N4 and N4 Billing in the Navis N4: Installation Guide for Windows or the Navis N4: Upgrade Guide for Windows and for Linux.
Implement strong password requirements and retry rules. N4 administrators should review and apply the appropriate N4 security settings under Administration Settings.
Use LDAP for password storage, if available. See Set up LDAP support for User Authentication for instructions on setting up external user authentication with LDAP.
Disable any guest users for all Windows server or server room clients. Follow security standards for securing your operating systems.
Do not allow multiple users to share a login account. Each user should have a unique login account.
If you are running N4 on Windows, configure the N4 service to log on with a non-administrator user account, such as:
the Network Service account (a password is not required for this account)
a domain user account
a managed service account
Make sure this account has full access to the local N4 folders and read/write permission on the shared network folder.
Internet Access Restrictions
Use Transport Layer Security or Secure Sockets Layer (TLS/SSL) for all web components. Limit internet access through the load balancer, such as the Apache HTTP Server, and configure it for SSL.
Keep all web services behind the firewall.
Hide the N4 Mobile URLs from the internet. Any N4 URLs that are not explicitly needed for clients to access N4 should be hidden.
Consider using VPN or Citrix to access internet-facing URLs such as N4 CAP. Placing the URLs behind VPN access reduces the risk that comes with exposing N4 directly on the internet, because users must authenticate to the VPN before they can reach N4.
Use third-party Denial of Service mitigation. If Denial of Service attacks are of concern, invest in a service or tool specializing in mitigating this type of attack.
Firewall Policies
Limit access to the XPS telnet port. If the XPS telnet port is not being used for integration purposes, the telnet port should be disabled.
Restrict external access by using an IP address whitelist on your load balancer. Use either the N4 IP Address Whitelist feature or a third-party configuration to limit access between components within your network.
Keep JMX (MBeans) behind the firewall. Firewalls and load balancers should be configured to block access to the JMX port. If you are using a third-party monitoring tool, whitelist only that tool's servers for access to the JMX port.
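A load balancer configuration that applies the Internet Access Restrictions above (TLS for all web components, N4 Mobile URLs hidden from the internet) together with the IP address whitelist from Firewall Policies, written here as an added example for the Apache HTTP Server; it is not Navis configuration, and the hostname, certificate paths, URL paths, backend address and IP ranges are placeholders to replace with your own values.

```apache
# Added example for Apache HTTP Server (needs mod_ssl, mod_headers,
# mod_proxy and mod_proxy_http). Not Navis/N4 configuration: hostname,
# certificate paths, URL paths, backend address and IP ranges are placeholders.

# Plain HTTP serves nothing; every request is redirected to HTTPS.
<VirtualHost *:80>
    ServerName n4.example.com
    Redirect permanent "/" "https://n4.example.com/"
</VirtualHost>

<VirtualHost *:443>
    ServerName n4.example.com

    # TLS only: SSLv3 and TLS 1.0/1.1 are refused.
    SSLEngine on
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    SSLCertificateFile    "/etc/ssl/certs/n4.example.com.crt"
    SSLCertificateKeyFile "/etc/ssl/private/n4.example.com.key"
    Header always set Strict-Transport-Security "max-age=31536000"

    # Default: nothing is reachable. Only the paths opened below are served,
    # so any N4 URL not listed here stays hidden.
    <Location "/">
        Require all denied
    </Location>

    # Client-facing URL (placeholder path), allowed only from the listed
    # ranges: the terminal's own network and the VPN client pool.
    <Location "/N4-CLIENT-PATH-PLACEHOLDER">
        Require ip 10.0.0.0/8 192.0.2.0/24
        ProxyPass        "http://N4-APP-SERVER-PLACEHOLDER:8080/N4-CLIENT-PATH-PLACEHOLDER"
        ProxyPassReverse "http://N4-APP-SERVER-PLACEHOLDER:8080/N4-CLIENT-PATH-PLACEHOLDER"
    </Location>

    # Mobile URL (placeholder path): internal network only, never reachable
    # from the internet.
    <Location "/N4-MOBILE-PATH-PLACEHOLDER">
        Require ip 10.0.0.0/8
        ProxyPass        "http://N4-APP-SERVER-PLACEHOLDER:8080/N4-MOBILE-PATH-PLACEHOLDER"
        ProxyPassReverse "http://N4-APP-SERVER-PLACEHOLDER:8080/N4-MOBILE-PATH-PLACEHOLDER"
    </Location>
</VirtualHost>
```

The JMX port is not an HTTP service and cannot be restricted this way; block it at the firewall and whitelist only the monitoring servers, as described above.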