This article addresses questions from users about how secure Nx Cloud is from hacks and the level of access Network Optix has to users’ systems.
Does Nx Have Access to Users' Private Data?
It is reasonable for users of a product to wonder how secure their data (e.g., authentication, archive, or databases) is from others, even from the company that made the product. Users can use Nx Witness confidently, knowing that we do not have access to their private data due to the following security practices:
- Network Optix does not store or have access to unencrypted passwords.
- The Nx Cloud database stores user passwords as a complex multi-level salted hash.
- Nx Witness does not create or store any API keys for accessing a particular VMS installation.
To learn more about how we use encryption to protect your data, see our “How secure is Nx Witness?” support article.
Can Nx Developers Somehow Gain Access to Users' Private Data?
No. Network Optix designed Nx Witness around the principle that “the enemy knows the system,” so our developers and outside entities CANNOT gain access to users' Systems without their unencrypted passwords.
There are no universal passwords, no backdoors, and no stored passwords that Network Optix developers can use to gain access to users’ systems, even taking into account bad faith actors.
Can Traffic Be Intercepted on the Relay Server or Other Cloud Components?
User traffic between Nx Desktop/Nx Mobile and Nx Server is exchanged directly between the two. Nx Desktop/Nx Mobile and Nx Server use the cloud mediator service to establish a TLS-over-UDP connection (UDP hole punch). User traffic and credentials are NOT sent to the cloud mediator.
If the UDP hole punch cannot be established, Nx Witness uses relay servers to proxy TLS-encrypted traffic between Nx Desktop/Nx Mobile and Nx Server. Encryption keys are known only to Nx Desktop/Nx Mobile and Nx Server. Nx Witness relay servers do not receive the encryption keys, so there is no way this traffic can be decrypted and analyzed on a relay server.
The user traffic between Nx Cloud Portal and Nx Server is TLS-encrypted and proxied through an Nx Witness relay server. Afterward, the TLS connection is terminated by the relay server. Similar to how any other website operates, user traffic to a website can only be viewed if an intruder has physical access to the web server.
In all cases, authentication requests are handled in exactly the same way: by the Nx Server at the user's site and never by the relay or mediator. The Nx Server does not distinguish between requests that were received through a public TCP port or a relay. For more information, see our “Cloud Connect” support article.
Does Nx Witness Software Change Firewall Rules?
No, it is impossible for Nx Witness to change users’ firewall rules. For information about outgoing connections related to Nx Witness, see our “Firewall Pass List” support article.
Has Nx Witness Software Undergone an Independent Cybersecurity Audit?
Yes, Nx Witness is designed to be secure from the ground up and has completed comprehensive white-box penetration testing. For more information on our approach to security, see our “Cybersecurity and Nx Witness” support article. Please get in touch with Nx support to obtain more information about the penetration testing that Nx Witness undergoes.