Occasionally our sales and support teams will be asked how we make Nx Witness secure from hacks, so we've created this article to describe our security philosophy and how we ensure Nx Witness is as safe as possible from nefarious intervention.

Our Philosophy Assume the hacker knows the system intimately. 

With the assumption that an attacker is extremely familiar with how Nx Witness works, we take extraordinary steps including code reviews and automated testing to make sure there are no known encryption keys, backdoors, or hidden hacks in our code. 

What that means practically speaking is that even our core development team would be unable to hack a production system.

What data is encrypted in Nx Witness?

The following components are either encrypted by default or can be encrypted by turning it on in the Nx Witness security settings in the System Administration menu:

• Management traffic/data
• All data exchange between Server and cameras
• User login authorization

What encryption technologies are used in Nx Witness?

The following encryption technologies are used in Nx Witness:

• SSL/TLS AES-256
• HTTP Digest-MD5 (disabled by default, we use SCrypt instead)
• HTTP Cookie Sessions
• HTTPS

Nx Witness Security

The default security settings vary depending on the Nx Witness component that is being accessed. (↔ signifies a connection between two components.)

By default, we use Session auth (bearer token). We used to use Digest auth, but since 5.0 we disable it by default. It can be enabled for a specific user upon creating/editing.

Login Credentials

SCrypt (MD5 can be used but is disabled by default) for:

• Nx Server local user account
• Nx Cloud user account

Password Protected Export

• OpenSSL/ AES-256 encrypted

Email

• TLS is the default option for the Email Server

Nx Server ↔ Nx Server

• Data: Always encrypted (HTTPS)
• Video: Not encrypted by default, but optional TLS encryption can be enabled
• Authorization: HTTP Digest-MD5 with the Server auth key instead of password.

Nx WebAdmin ↔ Nx Server

• Data: Not encrypted, but can be forced via option.
• Video:  Not encrypted by default, but optional TLS encryption can be enabled
• Authorization: HTTP Cookie Sessions

Nx Desktop/Nx Mobile ↔ Nx Server

• Data: Always encrypted (HTTPS)
• Video: Not encrypted by default, but optional TLS encryption can be enabled.
• Authorization:
  • Local users - bearer token sessions for local users, 
  • Cloud users - OAuth2

Nx Cloud ↔ Nx Server

• Data: Always encrypted
• Video: Always encrypted
• Authorization: HTTP Digest-MD5 with the Cloud auth key instead of password

Nx Desktop/Nx Mobile ↔ Nx Cloud

• Data: Always encrypted (HTTPS)
• Authorization: OAuth2 + optional 2FA

3rd Party Integrations ↔ Nx Server

• Data: Not encrypted, but optional TLS encryption can be enabled
• Video:  Not encrypted, but optional TLS encryption can be enabled
• Authorization: Bearer Token, HTTP Digest-MD5, HTTP Cookie Sessions or URL-parameter

Optional SSL encryption

By default, both Data and Video Traffic are being encrypted. The encryption can be turned off in the Main Menu → System Administration:

• Data: Allow only secure connections - encrypts all management traffic (HTTPS redirect)
• Video: Encrypt video traffic - encrypts RTSP traffic (video over TLS)

OS Level Security and Advanced Settings

SSL Certificate

A 2048-bit SSL certificate with 256-bit encryption is used when installing Nx Witness. If a user certificate is not installed, we use certificate pinning for extra security.

You can replace the SSL certificate with one provided by a Certification Authority (recommended for any public servers that you may have in the system). Instructions on this topic can be found here.

Service Permissions

Nx Server runs on the server computer as a service and has administrator permissions. In order to protect Nx Server data from being overwritten by other applications on the same server, we highly recommend these other applications do not have administrator privileges and do not have access to Nx Server archive storage.

OpenSSL configuration for network connections

We use the OpenSSL library whenever something needs to be encrypted. Although Nx Server can utilize all the hash algorithms that OpenSSL is capable of, we disable deprecated and insecure protocols that have known security vulnerabilities, such as RC4 and 3DES ciphers). The Transport Layer Security (TLS) protocol aims primarily to provide privacy and data integrity between two communicating computer applications.

The default OpenSSL cipher setting is used "HIGH:!RC4:!3DES", but the cipher can be changed manually to be even more secure. We support TLS 1.3 by default, but other options can be enabled by modifying the parameter allowedSslVersions. Instructions on how to modify Nx Server configuration can be found here.

Advanced Settings

More logs mean more information that can be used to secure your system. The option to increase the audit trail and event log retention period can be found here.