
Communication defenses

Bravura Security Fabric sends and receives sensitive data over the network. Its communications include user passwords, administrator credentials, and personal user information.

HTTPS

Require HTTPS-only connections to Bravura Security Fabric (redirect or refuse plain HTTP), and deploy TLS certificates issued by a trusted certificate authority (i.e., not self-signed) on each server.

Firewalls

If Internet access to Bravura Security Fabric is required, protect this access using a firewall:

  • Ensure you purchase all network hardware, including the firewall, directly from the manufacturer or resellers authorized and certified by the equipment manufacturer.

  • Always ensure the latest firmware is running.

  • Shut down unused physical interfaces on the device.

  • Implement access lists that only allow the required protocols, ports, and IP addresses and deny everything else.

  • Never use default usernames and/or passwords.

  • Monitor outbound traffic so that a compromised internal host cannot be used as a bot to attack other systems.

  • Use egress filtering to block all outbound traffic by default, allowing only the protocols that are required, such as email and web traffic.

  • Consider a firewall with three interfaces: one for the internal network, one for the Internet, and a third for the DMZ, so that Internet-facing servers are segregated from the internal network.

  • Use NTP to synchronize the time on the firewall, so that log timestamps are correct and can be correlated with other systems.

  • Configure the Intrusion Detection System on the firewall if available.

Communicating with target systems

Avoid sending sensitive data as plaintext:

  • Where possible ensure that communications are encrypted.

    For example, if you have an Oracle target system, the Oracle client's default configuration negotiates unencrypted communication with the Oracle database. Ensure that you configure encrypted communication on the client.

  • When communications cannot be encrypted, you can:

    • Use a proxy server close to the target system, so that the encrypted channel runs from the primary server to the proxy and only the last hop to the target is unencrypted.

    • Exclude that target system from password synchronization, and rotate its administrative passwords periodically.
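To make the Oracle case concrete, the following sqlnet.ora fragment is an added illustration (not configuration shipped with Bravura Security Fabric) of Oracle native network encryption on the client side. The file location and the algorithm lists are assumptions for this example; the parameter names and their ACCEPTED default are Oracle's.

```ini
; sqlnet.ora on the host running the Bravura connector (path assumed)

; Default behaviour, shown commented out: ACCEPTED on both the client and
; the server negotiates NO encryption, so passwords cross the network in clear.
; SQLNET.ENCRYPTION_CLIENT = ACCEPTED
; SQLNET.CRYPTO_CHECKSUM_CLIENT = ACCEPTED

; Hardened: refuse the connection unless the server agrees to encrypt and
; integrity-protect the session (algorithm lists are assumptions).
SQLNET.ENCRYPTION_CLIENT = REQUIRED
SQLNET.ENCRYPTION_TYPES_CLIENT = (AES256)
SQLNET.CRYPTO_CHECKSUM_CLIENT = REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT = (SHA256)
```

After applying it, a connection from the connector host fails outright if the database server rejects encryption, which is the intended behaviour. To confirm an established session is actually encrypted, query NETWORK_SERVICE_BANNER in V$SESSION_CONNECT_INFO for the session and look for the encryption and crypto-checksum adapter lines.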

HSTS configuration for CDN and reverse proxy deployments

HTTP Strict Transport Security (HSTS) instructs browsers to connect to a site only over HTTPS for the period given by max-age, protecting users against SSL-stripping attacks on untrusted networks. Bravura Security Fabric configures HSTS in IIS automatically since release 12.1. However, when a CDN or reverse proxy terminates SSL in front of the origin server, the IIS HSTS rule may not take effect: the connection between the CDN and the origin can use plain HTTP, and the IIS rule adds the header only to HTTPS responses.

In this scenario, you must enable HSTS at the CDN or reverse proxy layer to ensure the header reaches the end user's browser. This applies to any SSL-terminating intermediary, including Cloudflare, AWS CloudFront, Azure Front Door, and similar services.

Requirements

Before configuring HSTS at the CDN layer, verify the following:

  • Bravura Security Fabric version 12.1 or later is installed. Earlier versions do not include the IIS HSTS rule, so the header must be set entirely at the CDN or reverse proxy layer.

  • All subdomains serving Bravura Security Fabric traffic use HTTPS. If the includeSubDomains directive is enabled while HTTP-only subdomains exist, browsers that have seen the header refuse plain HTTP to those subdomains for the full max-age period, making them inaccessible.

  • The SSL/TLS encryption mode between the CDN and the origin server is set to Full or Full (Strict). Do not use Flexible mode, which connects to the origin over plain HTTP and can cause security headers to be dropped.

Configure HSTS at the CDN layer

The following procedure uses Cloudflare as an example. If your deployment uses a different CDN or reverse proxy, consult its documentation for the equivalent HSTS settings.

  1. Log in to the Cloudflare dashboard.

  2. Navigate to SSL/TLS > Edge Certificates.

  3. Enable HSTS and configure the following settings:

    • Max Age: 31536000 (one year).

    • Include subdomains: Enable if all subdomains use HTTPS.

    • Preload: Consider enabling for maximum protection. The preload directive marks the domain as eligible for browser preload lists, which enforce HTTPS before the first connection; the domain must still be submitted to the list separately, and the list requires includeSubDomains and a max-age of at least one year. Removal from preload lists takes months, so treat this as a one-way decision.

  4. Verify that the SSL/TLS encryption mode is set to Full or Full (Strict).

Verify the HSTS header

After enabling HSTS at the CDN layer, confirm that the header is present from the client's perspective. Test the HTTPS URL that users actually visit: browsers ignore a Strict-Transport-Security header received over plain HTTP.

From the command line:

curl -sI https://<your-domain> | grep -i strict-transport

Expected response:

Strict-Transport-Security: max-age=31536000; includeSubDomains

You can also verify using browser developer tools (F12 > Network tab > select any request > check Response Headers) or an online scanner such as securityheaders.com.
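The curl check only shows whether the header is there. The following Python script is an added example, not part of the Bravura Security Fabric documentation or product: it parses the header the way a browser would (RFC 6797 syntax), checks it against the settings recommended above, and reports the likely cause when it is missing. The sample header sets are constructed for illustration; pass a URL on the command line to check a real deployment.

```python
"""Check a Strict-Transport-Security header as a client sees it.

Added example; the sample responses below are constructed, not captured
from a real deployment.
"""
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Optional

ONE_YEAR = 31536000


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Parse a header value; return None if it lacks a valid max-age,
    which browsers treat as no policy at all."""
    max_age = None
    include_sub = False
    preload = False
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name == "max-age":
            if not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_sub, preload)


def check_hsts(headers: dict, require_subdomains: bool = True,
               min_max_age: int = ONE_YEAR) -> list:
    """Return a list of findings; an empty list means the policy is acceptable."""
    value = None
    for k, v in headers.items():          # header names are case-insensitive
        if k.lower() == "strict-transport-security":
            value = v
            break
    if value is None:
        return ["Strict-Transport-Security header missing: check the CDN "
                "SSL/TLS mode (Flexible drops it) and that HSTS is enabled at the edge"]
    policy = parse_hsts(value)
    if policy is None:
        return [f"malformed HSTS header ignored by browsers: {value!r}"]
    findings = []
    if policy.max_age == 0:
        findings.append("max-age=0 tells browsers to forget the policy")
    elif policy.max_age < min_max_age:
        findings.append(f"max-age={policy.max_age} is below {min_max_age}")
    if require_subdomains and not policy.include_subdomains:
        findings.append("includeSubDomains not set")
    if policy.preload and not (policy.include_subdomains and policy.max_age >= ONE_YEAR):
        findings.append("preload set without includeSubDomains and max-age >= one year; "
                        "preload lists reject it")
    return findings


def fetch_headers(url: str) -> dict:
    """Fetch response headers without following redirects, so the headers of
    a redirect response (not its target) are what gets inspected."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, method="GET")
    try:
        with opener.open(req, timeout=10) as resp:
            return dict(resp.headers)
    except urllib.error.HTTPError as e:   # 3xx/4xx still carry headers
        return dict(e.headers)


# Constructed sample responses (not captured from a real deployment)
SAMPLE_FLEXIBLE = {"Server": "cloudflare", "Content-Type": "text/html"}   # header dropped
SAMPLE_EDGE = {"Server": "cloudflare",
               "Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
SAMPLE_SHORT = {"strict-transport-security": "max-age=3600"}

if __name__ == "__main__":
    headers = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_FLEXIBLE
    findings = check_hsts(headers)
    print("HSTS OK" if not findings else "\n".join(findings))
```

Run it as `python check_hsts.py https://<your-domain>` against the edge, and again against the origin server directly if you can reach it; a header present at the origin but absent at the edge points at the CDN stripping or not forwarding it, which is the case covered under Troubleshooting.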

Troubleshooting

  • Symptom: HSTS header not present after enabling in the CDN.

    Cause and resolution: The SSL/TLS encryption mode may be set to Flexible, which uses HTTP between the CDN and the origin. Change the mode to Full or Full (Strict).

  • Symptom: Header present from the origin server but missing at the client.

    Cause and resolution: The CDN may be stripping or not forwarding the header from the origin. Enable HSTS directly at the CDN layer rather than relying on the origin to pass it through.

  • Symptom: Bravura Security Fabric version is earlier than 12.1.

    Cause and resolution: The IIS HSTS rule does not exist in versions prior to 12.1. Configure HSTS entirely at the CDN layer.

Additional resources