This gives an overview of gateway security measures, most of which relate to a clustered gateway.

Hardened hosts

The gateway appliance is packaged as a VMware Open Virtual Appliance (OVA). The appliance runs a hardened version of Ubuntu 20.04.

The latest version of the gateway runs containerized services. Containers run on MicroK8s, which is a secure Kubernetes distribution from Canonical.

The operating system and Kubernetes are hardened to meet several industry standard security requirements, including:

Secure container images

All container images are hosted securely in Google Artifact Registry. A set of rigorous vulnerability scans are applied to container images, including:

Classic gateway antivirus

ClamAV, which is pre-packaged with the classic gateway, is an open-source antivirus engine that detects trojans, viruses, malware, and other malicious threats.

Key gateway antivirus features include:

  • If a vendor update is available, the antivirus software version is updated with each gateway release.
  • ClamAV performs an antivirus scan every day at 2:15 AM.
  • ClamAV updates antivirus definitions once daily and requires outbound access to database.clamav.net on port 443. You must whitelist the associated IP address to get the latest antivirus definitions from the database.clamav.net download server.

Get the gateway antivirus version

  1. Log in to the gateway with the ruser account
  2. Enter dpkg -l | grep clamav.

Disable ClamAV antivirus

By default, ClamAV antivirus is enabled. If you want to disable ClamAV antivirus or do not want gateway outbound communication with the ClamAV DL server:

  1. Log in to the gateway as an admin user.
  2. Go to the Antivirus section.
  3. Disable the service.
  4. Save the change.

Next steps

See the Security Reference for more information.