cnMaestro On-Premises Best Practices

To ensure your on-premises deployment stays secure and reliable, we recommend integrating these best practices into your installation. Please check back regularly as the threat landscape evolves.

Confidentiality

Make use of cnMaestro RBAC (Role-Based Access Control)

Not everyone on the team needs to be a Super Administrator. Assign each person the least-privileged predefined role that covers their job; this limits the damage from both a compromised account and an honest mistake.

Segment networks

Keep device management interfaces on separate LANs and allow access to them only from cnMaestro and from authorized infrastructure-management networks.

Do not allow management access from the internet

Restrict the management interface to trusted networks only. While Cambium strives to deliver secure code, vulnerabilities can be found anywhere; taking away an attacker's ability to even reach the interface adds another layer of defense. Where possible, place the cnMaestro appliance behind a dedicated security system such as a firewall.

Keep SSH disabled

SSH is not enabled by default. It can be enabled from the virtual console, but it is intended only for use with Cambium support assistance. Leaving the SSH service running increases the attack surface, so disable it again once the support session is over.

Separate management and device traffic

Give devices a dedicated network that does not allow direct access from user networks. This prevents unauthorized access to the devices themselves and ensures all changes are made centrally through cnMaestro.

Update TLS certificate

Replace the default HTTPS certificate on your on-premises instance with one signed by your own CA (or a public one). Administrators' browsers can then validate the server's identity, so certificate warnings stop being routine and management traffic cannot be intercepted by an impostor presenting its own certificate.
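As an added worked example (not from the original post and not Cambium's code), the following script issues a certificate for the cnMaestro management hostname from an internal CA and verifies it before upload. The hostname cnmaestro.example.internal, the CA name, the validity periods and the temporary working directory are assumptions; point CA_KEY/CA_CRT at your own CA if you already run one. It needs OpenSSL 1.1.1 or later for -addext.

```shell
#!/bin/sh
# Added example, not Cambium's code: issue and verify a cnMaestro HTTPS
# certificate from an internal CA. Hostname, CA name and paths are assumptions.
set -eu

HOST="${HOST:-cnmaestro.example.internal}"   # the name administrators type into the browser
WORK="${WORK:-$(mktemp -d)}"                  # working directory for keys and certs

# 1. Internal CA (skip if you already operate one and use its files instead).
make_ca() {
  openssl req -x509 -newkey rsa:3072 -nodes -sha256 -days 3650 \
    -subj "/CN=Example Internal CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt"
}

# 2. Key and CSR for the appliance. The SAN is what modern browsers validate;
#    a CN-only certificate is rejected even when the CN matches.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$HOST" -addext "subjectAltName=DNS:$HOST" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr"
}

# 3. Sign with the CA. "openssl x509 -req" does not copy extensions from the
#    CSR by default, so the SAN and server EKU are supplied again via -extfile.
sign_cert() {
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$HOST" > "$WORK/ext.cnf"
  openssl x509 -req -sha256 -days 397 -in "$WORK/server.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/ext.cnf" -out "$WORK/server.crt"
}

# 4. Verify before uploading: succeeds only if the certificate chains to the CA
#    AND its SAN matches the management hostname.
verify_cert() {
  openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$HOST" \
    "$WORK/server.crt" >/dev/null 2>&1
}

# 5. After uploading through the cnMaestro UI, confirm what the appliance really
#    serves. Needs network access to the appliance, so it is not run by default.
check_live() {
  openssl s_client -connect "$HOST:443" -servername "$HOST" \
    -CAfile "$WORK/ca.crt" -verify_return_error </dev/null >/dev/null 2>&1
}

# Produce server.crt and server.key in $WORK and verify them.
issue_all() { make_ca && make_csr && sign_cert && verify_cert; }
```

Run issue_all to produce server.crt and server.key in $WORK, upload them through the cnMaestro UI (the user guide gives the exact page), then run check_live from an administrator workstation to confirm the appliance presents the new certificate and that it chains to your CA. If your CA uses intermediates, upload the chain along with the server certificate. The SAN matters: a certificate issued only for the IP address will still warn when administrators use the DNS name, and vice versa.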

Encrypt disk

Encrypt the storage backing your on-premises instance (the datastore or volume on the virtualization host). An attacker who gains access to that storage, or to a copy of the virtual disk, then cannot extract your network inventory and stored secrets.

Change passwords

Most Cambium products enforce a password change on first login, but you should also rotate passwords yourself on a schedule and change them whenever someone with access leaves.

Use your existing IAM (Identity and Access Management)

Connecting cnMaestro to your existing authentication source means accounts are disabled centrally when people leave, so no orphaned local accounts are left behind. cnMaestro supports TACACS+, RADIUS, LDAP, Active Directory, OpenID Connect (OIDC), and SAML.

Integrity

Back up regularly, automatically

Configure your cnMaestro instance to back up automatically on a schedule that suits your system. If you regularly change configuration, set the backup frequency to match the amount of change you can afford to lose: if you can recover from losing only today's changes, back up daily; if losing a week of changes is acceptable, weekly is enough. A full disk backup of the VM is also useful; the details depend on your virtualization backend and are covered in the user guide.
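The "changes you can afford to lose" above is a recovery point objective, and a schedule only helps if backups actually arrive and are intact. The following added example (not from the original post and not Cambium's code) checks both on the host where cnMaestro backups are stored. It assumes the backups land as .tar.gz files in one directory and that a .sha256 manifest is written next to each file when it is taken; adapt the glob and the checksum step to your real backup naming.

```shell
#!/bin/sh
# Added example, not Cambium's code: verify that the newest cnMaestro backup in a
# directory is younger than the tolerated loss window (RPO, in hours) and that its
# checksum still matches the manifest recorded when it was taken.
# The *.tar.gz layout and the FILE.sha256 manifest convention are assumptions.
set -eu

# sum256 FILE -> hex SHA-256 of FILE (GNU coreutils or BSD/macOS shasum)
sum256() {
  { sha256sum "$1" 2>/dev/null || shasum -a 256 "$1"; } | awk '{print $1}'
}

# newest_backup DIR -> prints the path of the newest *.tar.gz; fails if none
newest_backup() {
  ls -t "$1"/*.tar.gz 2>/dev/null | head -n 1 | grep .
}

# backup_age_hours FILE -> whole hours since FILE was last modified
backup_age_hours() {
  now=$(date +%s)
  mtime=$(stat -c %Y "$1" 2>/dev/null || stat -f %m "$1")   # GNU stat, else BSD stat
  echo $(( (now - mtime) / 3600 ))
}

# record_checksum FILE -> writes FILE.sha256; call this when the backup is taken
record_checksum() {
  sum256 "$1" > "$1.sha256"
}

# check_backup DIR RPO_HOURS -> 0 if a fresh, intact backup exists, else 1
check_backup() {
  dir=$1; rpo=$2
  f=$(newest_backup "$dir") || { echo "no backup found in $dir" >&2; return 1; }
  age=$(backup_age_hours "$f")
  if [ "$age" -ge "$rpo" ]; then
    echo "newest backup $f is ${age}h old, exceeds RPO of ${rpo}h" >&2
    return 1
  fi
  [ -f "$f.sha256" ] || { echo "no checksum manifest for $f" >&2; return 1; }
  want=$(cat "$f.sha256")
  got=$(sum256 "$f")
  if [ "$want" != "$got" ]; then
    echo "checksum mismatch for $f (backup corrupted or tampered with)" >&2
    return 1
  fi
  echo "OK: $f (${age}h old, checksum verified)"
}
```

Run check_backup /srv/cnmaestro-backups 24 (or whatever your RPO is) from cron on the backup host and treat a non-zero exit as an alert. The age check is the cheapest way to discover that a schedule change did not take effect, and verifying the checksum at restore-test time as well catches silent corruption on the backup medium.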

Send logs to a centralized collector and monitor them

cnMaestro can forward its logs via syslog to a centralized server. Doing so keeps a copy that an attacker who compromises the appliance cannot quietly alter or delete, and gives you a record for investigations and auditing. Logs nobody reads do not help, so alert on events such as repeated failed logins and unexpected configuration changes.
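Forwarding is only half the job; the logs need to be watched. As an added example (not from the original post and not Cambium's code), the script below scans syslog received from cnMaestro for repeated failed logins from a single source address, the most common sign of credential guessing against an exposed management interface. The sample lines, the program tag and the src=<ip> field are constructed for this example; check the exact wording cnMaestro uses in your collector's files and adjust the patterns before relying on it.

```shell
#!/bin/sh
# Added example, not Cambium's code: flag source addresses with repeated failed
# logins in syslog received from cnMaestro. The message wording and the "src=<ip>"
# field below are constructed assumptions; match them against your real log lines.
set -eu

# sample_log -> constructed syslog lines standing in for the collector's file
sample_log() {
  cat <<'EOF'
Jan 12 10:01:02 cnmaestro app[1201]: login failed user=admin src=203.0.113.7
Jan 12 10:01:05 cnmaestro app[1201]: login failed user=admin src=203.0.113.7
Jan 12 10:01:09 cnmaestro app[1201]: login failed user=root src=203.0.113.7
Jan 12 10:01:15 cnmaestro app[1201]: login failed user=operator src=203.0.113.7
Jan 12 10:01:20 cnmaestro app[1201]: Authentication failure user=admin src=203.0.113.7
Jan 12 10:02:00 cnmaestro app[1201]: login failed user=jdoe src=10.20.0.14
Jan 12 10:02:30 cnmaestro app[1201]: login ok user=jdoe src=10.20.0.14
Jan 12 10:03:00 cnmaestro app[1202]: config changed by user=jdoe src=10.20.0.14
EOF
}

# failed_logins_by_src LOGFILE -> "count ip" lines, highest count first.
# Matches "login failed" / "authentication failure" case-insensitively and
# takes the address from the src= field.
failed_logins_by_src() {
  awk '
    tolower($0) ~ /(login|authentication) fail/ {
      for (i = 1; i <= NF; i++)
        if ($i ~ /^src=/) { sub(/^src=/, "", $i); n[$i]++ }
    }
    END { for (ip in n) print n[ip], ip }
  ' "$1" | sort -rn
}

# offenders LOGFILE THRESHOLD -> IPs with at least THRESHOLD failures
offenders() {
  failed_logins_by_src "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# alert_on_bruteforce LOGFILE THRESHOLD -> exit 1 and report if any offender
alert_on_bruteforce() {
  hits=$(offenders "$1" "$2")
  if [ -z "$hits" ]; then
    return 0
  fi
  echo "ALERT: repeated failed cnMaestro logins from: $(echo "$hits" | tr '\n' ' ')" >&2
  return 1
}
```

Run it periodically against the part of the collector's file covering the last few minutes (a rotated file or an export from your syslog daemon) and feed the non-zero exit into your alerting. The same structure extends to other events worth watching, such as configuration changes from addresses outside the management network or the SSH service being enabled.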

Upgrade software as security updates become available

Cambium Networks regularly publishes maintenance releases of cnMaestro, and it may also publish security updates when needed. Make sure these are installed as soon as possible to maintain security.

Availability

Set up HA (High Availability)

Configure an HA cluster so that service continues through unplanned outages.

Test backups

Regularly test restoration of backups and include cnMaestro as part of your incident response plan. It is recommended to restore backups to an isolated clone instance for restore tests.

Snapshot before upgrades

Take a VM snapshot before each upgrade; it makes recovery straightforward if anything goes wrong. Delete the snapshot once the upgrade has been verified, since in some setups running from a snapshot long-term degrades performance.

Validate hardware

As your network grows, the hardware you originally allocated to cnMaestro may no longer be enough. Review the CPU, memory and disk assigned to the VM whenever you add devices or make significant network changes.
