Our sales and support teams are occasionally asked how we secure Nx Witness against hacks, so we've put together a quick article about our security philosophy and how we ensure Nx Witness is as safe as possible from nefarious intervention.
Our Philosophy: Assume the hacker knows the system intimately.
Assuming that an attacker is extremely familiar with how Nx Witness works, we take extraordinary steps, including code reviews and automated testing, to make sure there are no known encryption keys, backdoors, or hidden hacks in our code.
Practically speaking, that means even our core development team would be unable to hack a production system.
What We Secure
- Access to the system (either local or remote)
- Any data (other than the video stream itself) transferred between system components (e.g. client ↔ server, server ↔ server, server ↔ cloud, client ↔ cloud)
Technologies We Use
OpenSSL for network connections
Whenever something needs to be encrypted, we use the OpenSSL library with the default settings "HIGH:!RC4:!3DES". Although Nx Server can utilize all the hash algorithms that OpenSSL is capable of, we disable deprecated and insecure protocols and use only TLS v1+.
As a result, RC4 and 3DES ciphers cannot be used in Nx Server, because of their security vulnerabilities. The Transport Layer Security protocol aims primarily to provide privacy and data integrity between two communicating computer applications.
- Server -> Client (Mobile, Desktop, Web) Communications: HTTPS
HTTPS is used by default for all connections.
- Email: TLS / SSL
TLS is the default option for the Email Server.
HTTP Digest Authentication
- Nx Witness is fully conformant with the authentication defined in RFC 2617. Desktop and Mobile Client Applications and web browsers use this technology for authentication by default.
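The server-side check that RFC 2617 describes for `qop=auth` can be sketched as follows. This is an added example, not Nx Witness code: the function names and the in-memory `ha1_by_user` and `nonce_counts` dictionaries are assumptions made for illustration, and the sample header uses the values from the worked example in RFC 2617 section 3.5.

```python
import hashlib
import hmac
import re

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def parse_digest_header(value):
    """Split 'Digest k="v", k2=v2' into a dict; accepts quoted and bare values."""
    scheme, _, params = value.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest Authorization header")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params)
    return {key.lower(): quoted or bare for key, quoted, bare in pairs}

def expected_response(ha1, method, p):
    """RFC 2617 section 3.2.2.1 request-digest for qop=auth."""
    ha2 = md5_hex(f"{method}:{p['uri']}")
    return md5_hex(f"{ha1}:{p['nonce']}:{p['nc']}:{p['cnonce']}:{p['qop']}:{ha2}")

def verify(header, method, ha1_by_user, nonce_counts):
    """True only for a correct response on a server-issued nonce with a new nc."""
    p = parse_digest_header(header)
    needed = ("username", "realm", "nonce", "uri", "qop", "nc", "cnonce", "response")
    if any(k not in p for k in needed) or p["qop"] != "auth":
        return False
    ha1 = ha1_by_user.get((p["username"], p["realm"]))
    last_nc = nonce_counts.get(p["nonce"])      # None: nonce was never issued
    if ha1 is None or last_nc is None or not re.fullmatch(r"[0-9a-fA-F]{8}", p["nc"]):
        return False
    if int(p["nc"], 16) <= last_nc:             # replayed or reordered request
        return False
    good = expected_response(ha1, method, p).encode()
    if not hmac.compare_digest(good, p["response"].lower().encode()):
        return False                            # compared in constant time
    nonce_counts[p["nonce"]] = int(p["nc"], 16)
    return True

# Values from the worked example in RFC 2617 section 3.5.
RFC_NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
RFC_HA1 = md5_hex("Mufasa:testrealm@host.com:Circle Of Life")
RFC_HEADER = ('Digest username="Mufasa", realm="testrealm@host.com", '
              f'nonce="{RFC_NONCE}", uri="/dir/index.html", qop=auth, '
              'nc=00000001, cnonce="0a4f113b", '
              'response="6629fae49393a05397450978507c4ef1"')

if __name__ == "__main__":
    users = {("Mufasa", "testrealm@host.com"): RFC_HA1}   # hypothetical user store
    counts = {RFC_NONCE: 0}                               # nonces the server issued
    print(verify(RFC_HEADER, "GET", users, counts))       # first use of nc=00000001
    print(verify(RFC_HEADER, "GET", users, counts))       # same header replayed
```

The verifier needs only HA1 = MD5(username:realm:password), never the cleartext password, and the nonce-count check is what rejects a captured header that is sent a second time.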
Salted/Hashed Passwords Storage
- Local Credentials (e.g. local user accounts) are protected using a salted MD5 hash
- Cloud Credentials (e.g. Nx Cloud user account) use a complex multi-level hash
Enabling Additional Encryption
- Open the Main Menu and click System Administration.
- a) To encrypt all management traffic and apply SHA-256 hashes, enable the Allow only secure connections option.
  b) To encrypt RTSP traffic, enable the Encrypt video traffic option.
Security Installation Certificate
A 2048-bit SSL certificate with 256-bit encryption is used when installing Nx Witness.