New SSL / TLS Security Limitations in Nx Cloud
As part of our ongoing evaluation of the cyber security technologies used in our cloud service, Nx has decided, effective July 28, 2020, to discontinue support for devices connecting to the cloud service that use SSL/TLS versions 1.1 and lower.
TLS 1.0 and 1.1 are out-of-date protocols that do not support modern cryptographic algorithms and, as such, contain security vulnerabilities that may be exploited by attackers. The Internet Engineering Task Force is also planning to officially deprecate both protocols. In addition, the vast majority of encrypted Internet traffic is now over TLS 1.2, which was introduced over a decade ago.
Disabling TLS & SSL 1.1 will make it impossible to connect to Nx Cloud if your system has the following combination of devices and software versions:
- Nx1 - all versions
- Any ARM-based device running Nx Witness VMS v3.1 or earlier, including:
  - Raspberry Pi
  - DW Edge
  - Any other compatible ARM-based device
For the devices other than the Nx1 listed above, please work with the appropriate manufacturer to upgrade firmware / OS to a version that supports the latest possible implementation of TLS / SSL (above v1.1).
What to do if you have an Nx1 connected to Nx Cloud?
There are two options for customers who have systems with Nx1 devices connected to Nx Cloud.
Option 1: Disconnect from Nx Cloud and use the Local System approach
For customers wishing to continue using their Nx1 devices, you will need to disconnect your System from Nx Cloud and log in over a local area network (LAN) or remotely via WAN or Dynamic DNS. Follow the steps below if you wish to pursue this option:
- Create a Local User for all existing users connected via Nx Cloud that you would like to have access to the system. Make sure to grant them proper rights using roles and permissions.
- Determine mode of connection - via LAN / WAN / Dynamic DNS
- Share connection path (IP Address, or dynamically forwarded URL)
- Confirm everyone has no issues connecting to the System
- Disconnect the System from Nx Cloud and use it as a Local System.
  - Reminder! All Nx Cloud users will be deleted from the System once disconnected!
Option 2: Add another Server to act as a Gateway
Install the Nx Server application on an existing or new computer and disable Internet connectivity on Nx1 devices. This approach allows users to continue utilizing the Nx1 with Nx Cloud but cuts off the ability of the Nx1 to communicate directly with Nx Cloud, maintaining a secure connection via a more modern OS. Customers choosing this approach should take the following steps:
- Install Nx Server on a Windows, Ubuntu Linux, or ARM device running TLS / SSL higher than v1.1.
  - Generally speaking, this can be any device that meets the minimum server hardware spec, even a shared computer.
  - This PC will always need to be on and always needs to be running the Nx Server application with an active Internet connection.
  - Make sure to install the same version (e.g. v3.2, v4.0) or upgrade all System components (including the new Nx Server) to the latest version.
- Merge the Nx Server with your existing System.
- Disable Internet on Nx1 Devices
  - Log in to your Nx1 using an SSH client (e.g. PuTTY).
  - When logging in, you'll need this information:
    - IP address of your Nx1 (e.g. 192.168.50.101)
    - SSH Port: 22
    - Login: root
    - System Owner password (from the user: admin)
  - Once you have successfully logged in, run the following script to disable Internet access:
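        # Find the current default gateway (the route whose destination is 0.0.0.0)
        GW="$(route -n | awk '$1=="0.0.0.0" {print $2; exit}')"
        # Save it for a later restore and remove the default route; skipped when no
        # default route exists, so a second run cannot overwrite the saved gateway
        [ -n "$GW" ] && echo "$GW" >~/nx1_gateway && route del default gw "$GW"
  - Note: If you need to restore the Internet access for some reason, run the following script:
        # Re-add the default route using the gateway saved by the script above
        route add default gw "$(cat ~/nx1_gateway)"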
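A post-change check for the Option 2 procedure above, added here as an example and not part of Nx's own instructions: it reports whether the Nx1 still has a default route and whether the gateway saved in ~/nx1_gateway is a usable IPv4 address for a later restore. The function names, state strings and sample routing table are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Nx's script. On the Nx1, run:  route -n | nx1_state
# GW_FILE defaults to the file the page's disable script writes.
GW_FILE="${GW_FILE:-$HOME/nx1_gateway}"

# Print the default gateway found in `route -n` output on stdin, or nothing.
# Uses the same filter as the page's script (destination 0.0.0.0).
default_gw() {
    awk '$1 == "0.0.0.0" { print $2; exit }'
}

# Succeed only for a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    echo "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Read `route -n` output on stdin and report one of three states.
nx1_state() {
    gw="$(default_gw)"
    if [ -n "$gw" ]; then
        # A default route still exists: the device can reach the Internet.
        echo "online via $gw"
    elif [ -r "$GW_FILE" ] && is_ipv4 "$(cat "$GW_FILE")"; then
        # No default route, and the saved gateway can be used to restore it.
        echo "isolated, restorable via $(cat "$GW_FILE")"
    else
        # No default route, but the saved file is missing, empty or malformed.
        echo "isolated, no valid saved gateway"
    fi
}

# Constructed sample of `route -n` output before the default route is removed.
SAMPLE_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.50.1    0.0.0.0         UG    0      0        0 eth0
192.168.50.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0'

# Demonstration on the constructed sample; prints "online via 192.168.50.1".
printf '%s\n' "$SAMPLE_ROUTES" | nx1_state
```

If the result is "isolated, no valid saved gateway", look up the gateway address from your network settings before attempting the restore command.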
Questions
If you have any questions related to this topic or you want to share your experience with other community members or our team, please visit and engage in our support community or reach out to your local reseller.