Knowledge Base

Topic: Security
Certificates

CONS3RT sites supporting government users (e.g., Arcus) require the use of PKI certificate credentials for authentication. These can include:

- DoD Common Access Card (CAC)
- External Certificate Authority (ECA) (https://public.cyber.mil/eca/)
- DoD External and Federal PKI Interoperability approved organization (https://public.cyber.mil/pki-pke/)
- MITRE corporate credentials

The 6 sections below cover the most common user questions regarding certificates:

- How to Register with a Certificate
- Obtaining an ECA Certificate
- Logging in to CONS3RT with a Certificate
- Adding a New Certificate or CAC to your account
- Managing your Account Certificates
- Troubleshooting Certificate issues

If you can’t answer your question by perusing this KB, please feel free to submit a support ticket to support@cons3rt.
Firewall Default Configuration

The default firewall configuration of a machine in a deployment run is set as follows:

- Linux inbound ports allowed on the cons3rt-net:
  - 22 TCP
  - 5902 TCP
  - ICMP
- Windows inbound ports allowed on the cons3rt-net:
  - 3389 TCP/UDP
  - 5902 TCP
- All other incoming traffic on the cons3rt-net is either blocked or rejected
- All outgoing traffic on the cons3rt-net is not filtered
- Traffic on all other interfaces is not filtered

Using firewalld

The default firewall configuration is handled on Linux using iptables and iptables-service.
IATT-like Connectivity

By default, teams cannot access systems inside of CONS3RT from an external source other than through the CONS3RT portal. This is by design and part of the security accreditation. However, for organizations with short-term test and evaluation needs, there is an Interim Authority to Test (IATT)-like process for granting temporary inbound access from specific sources. Users can request specific, event-based exceptions to temporarily allow inbound traffic into their CONS3RT cloudspace for the purposes of a preplanned, coordinated test event.
Password Complexity Rules

Complexity Rules:

- Password must be more than 14 and fewer than 121 characters in length
- Password cannot be the same as, nor contain, the user name
- Password must contain at least two uppercase letters
- Password must contain at least two lowercase letters
- Password must contain at least two numbers
- Password must contain at least two special characters
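The rules above expressed as a checker that reports which rules a candidate password breaks. This is an added example, not CONS3RT's own code; the function name, the case-insensitive user name comparison, and the ASCII definition of each character class (with `string.punctuation` as the special characters) are assumptions.

```python
import string

# Length bounds are exclusive: "more than 14 and fewer than 121".
MIN_LEN_EXCLUSIVE = 14
MAX_LEN_EXCLUSIVE = 121
MIN_PER_CLASS = 2

# Assumption: character classes are ASCII-only; the page does not define them.
CLASSES = {
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
    "number": set(string.digits),
    "special": set(string.punctuation),
}


def password_violations(password: str, username: str) -> list[str]:
    """Return the names of the rules the password breaks (empty list = compliant)."""
    problems = []

    if not MIN_LEN_EXCLUSIVE < len(password) < MAX_LEN_EXCLUSIVE:
        problems.append("length")

    # "Same as, nor contain": containment also covers equality.
    # Assumption: the comparison ignores case, so "JDoe" matches user "jdoe".
    if username and username.lower() in password.lower():
        problems.append("username")

    for name, members in CLASSES.items():
        if sum(ch in members for ch in password) < MIN_PER_CLASS:
            problems.append(name)

    return problems


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for candidate in ("CorrectHorse#42!x", "Abbbbbbbbbbb11!!", "xxJDoexxAB12!!cd"):
        print(candidate, password_violations(candidate, "jdoe"))
```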
Anti-Virus Whitelist Process

In CONS3RT, you can request whitelist support for uploading files that might otherwise trip typical antivirus protections.

Whitelist Process

1. Submit a ticket
2. Scan your file at http://virusscan.jotti.org/en. If scanners other than ClamAV also report findings, it is your responsibility to remediate. If only ClamAV has a finding, you can request a whitelist
3. Submit the file to site admins (via support@cons3rt.com)
4. Our site admin will scan your file. If it passes, we will add your file name to the whitelist.