Skip to content

Security

The appliance is the one credentialed thing on your management network, so its security model is deliberately conservative: credentials stay on-prem, every sensitive action is audited, and only outbound, encrypted traffic ever leaves the building.

On-prem credentials

Device credentials (switch/firewall/AP logins, SNMP communities, PAN-OS API keys) are stored encrypted, in your own backend's vault — never in the collector's source, and never baked into an image.

  • No secrets in source. collector.py is served from your backend to every appliance, so it contains zero credential literals. The collector fetches each device's credential from the vault at poll time, over its authenticated channel.
  • Encrypted at rest. Each secret is a salted, encrypted blob. List/metadata views never return the password.
  • Secrets off the world-readable unit. On the box, TENANT_API_KEY and COLLECTOR_KEY live in /etc/acutis-collector.env (mode 0600, root:root) — not the systemd unit, which any local user could read.
  • Least privilege service. The collector runs as the unprivileged networkops user, not root.
  • PAN-OS keys cached, not re-sent. The appliance mints a PAN-OS API key once and caches it in memory, so the admin password isn't put on the wire every poll cycle.

Zero-knowledge vault & break-the-glass

The vault is built so that even routine operation never exposes plaintext, and the rare time it must be revealed is fully accountable:

  • Reveals are "break-the-glass." Showing a plaintext credential requires a written reason (5+ chars) and, when step-up is enabled for that user, a valid MFA code (X-MFA-Token). The collector itself never needs this path — it retrieves what it needs programmatically; reveals are a human, dashboard action.
  • Role separation. Technicians and admins can add/modify/reveal (all audited). Deletes are gated: admins delete directly; technicians can only request a delete, which an admin must approve (also MFA-gated).
  • Tamper-evident audit trail. Every action (store, modify, reveal, delete-request, approve, reject) is written to a hash-chained log — each row's hash folds in the previous row's hash plus who/what/when/why/from-where. Altering or deleting any entry breaks the chain, and an admin can run a verify that proves the trail is intact or pinpoints the first broken row.

TLS everywhere it matters

  • Backend channel: HTTPS, with optional full certificate pinning via BACKEND_CA_CERT. Using https:// keeps collector↔backend credentials out of cleartext.
  • Device channel: independently controlled via DEVICE_CA_CERT / DEVICE_TLS_VERIFY so you can pin device identity and stop a LAN man-in-the-middle from harvesting a firewall admin password.

See Provisioning for how to set these.

Hardened parsing

Devices on the LAN are treated as untrusted input. PAN-OS XML responses are parsed with a defused XML parser (blocking entity-expansion / "billion laughs" DoS) and a hard 8 MB size cap, so a hostile or malfunctioning device can't crash or exhaust the box.

What leaves the building

Only two things ever leave your network, both outbound and encrypted to your backend:

  1. Telemetry — the device state shown on The Floor (interfaces, sessions, neighbors, health, etc.), plus the appliance's detected gateway/subnet on check-in.
  2. The local AI's short field brief — a summarised situation report, generated on-box.

What does not leave:

  • Device passwords / API keys never leave your backend's vault. The appliance pulls them locally to talk to gear; they're not shipped anywhere else.
  • Your managed devices never talk to the cloud. The appliance is the only component with outbound reach; it pushes data, it never opens a listener, and it needs no inbound port.
  • The local AI model runs on the box — device data isn't sent to a third-party model for it to function.

Inbound exposure

There is none by design. The appliance initiates every connection (telemetry submit, vault fetch, check-in, CLI-job pull, self-update). You never need to open an inbound port to it, which keeps its attack surface minimal even though it holds the keys to your gear.

Back to the Appliance overview.