Firewall port(s) and required software disclosure

  • Updated

LucidLink Filespaces Security Model: https://www.lucidlink.com/wp-content/uploads/LucidLink-Security_Model.pdf 

Firewall configuration:

Encrypted LucidLink client filesystem data is communicated securely with our service via Transmission Control Protocol/Internet Protocol (TCP/IP) port 443 and the Object Store (S3 compatible Bucket or Azure Container) using the Object Storage credentials provided. 

All Object Storage transfers are performed with Advanced Encryption Standard (AES-256) end-to-end, client-side authenticated encryption through the LucidLink Windows, macOS or Linux client and Filespace user access controlled filesystem credentials.

LucidLink client communicates with AES-256 encryption via TCP/IP port 443 with our Discovery Service for the purpose of Namespace verification and Metadata coordination.

In order for the LucidLink client to work behind a firewall, the following outbound connections on port 443 must be enabled:

  • The filespace ID, as the fully qualified domain name (FQDN) <filespaceID>.fs.lucidlink.com. Use the lucid status command to obtain the Filespace id.
    As an example, the FQDN should look like the following:
    0a00a00a-bb11-22cc-333d-4e44e44e4444.fs.lucidlink.com
  • LucidLink discovery service - DNS Record discovery-service.lucidlink.com.
    Whitelisting by the FQDN is recommended, as the IP address of this service can change.
  • Object storage endpoint(s) TCP/IP typically port 443 standard HTTPS traffic or as per the Filespace endpoint specified during initialization.
  • LucidLink web service - api.lucidlink.com.

Additionally, we use certificates signed by our internal certificate authority (CA).

Some firewalls do Secure Sockets Layer (SSL) decryption (aka Deep Packet Inspection (DPI) or SSL Certificate Inspection). This is interpreted as a man-in-the-middle attack, by injecting their own CA in the trusted store and using it to impersonate the accessed service.

In case of local object storage the inbound traffic on port the filespace was initialized must also be enabled. All data and proprietary metadata of the Filespace are client-side encrypted. They never go in decrypted form even in LucidLink internal traffic. LucidLink services have a zero-knowledge policy. Even if a firewall wants to analyze the traffic it will still be encrypted.

Software:

FUSE https://en.wikipedia.org/wiki/Filesystem_in_Userspace will be installed as a dependency on Linux.

LucidFS is a required driver within a Windows and macOS environment and is included within our installation.

Most object storage providers require Transport Layer Security (TLS) 1.1 or greater SSL connections

Was this article helpful?

0 out of 0 found this helpful