The Edge Services update themselves automatically, expose nothing on your local network, and use multiple layers of encryption to secure their connectivity with Delve's cloud.
The Edge Services are configured to update automatically
The Edge Services do not expose anything on the local network
Each ES is configured so that it exposes no service or listening port (not even SSH) on your local network; a port scan of the ES address from another host on the same segment should therefore find nothing open. Because of this, the only local interface through which an ES can report information to you is the regular TTY console of the virtual machine that hosts it.
The connectivity with the Edge Service is protected by multiple layers of modern encryption
Every ES is identified by its own dedicated cryptographic keys, so that those keys can be revoked individually, without affecting any other ES, should your network become compromised and you require a brand-new ES.
In addition, all traffic is encrypted and authenticated using modern cryptography:
- The control channel over which temporary session keys are exchanged is secured with TLS 1.2, restricted to two cipher suites that combine an ephemeral (forward-secret) key exchange, RSA authentication and AES-256-GCM authenticated encryption: TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384 and TLS-DHE-RSA-WITH-AES-256-GCM-SHA384.
- An additional HMAC-SHA512 layer sits on top of the TLS control channel and further mitigates denial-of-service and attacks against the TLS stack itself: neither side accepts a packet on its open port unless the packet carries a valid HMAC computed with the corresponding pre-shared key (cryptographic firewalling). Packets from a host that does not hold the key are dropped before they ever reach the TLS implementation. These keys are unique per Edge Service and set at generation time.
- Data channel packets are encrypted with AES-256-CBC under temporary session keys and authenticated with HMAC-SHA512. The data channel uses encrypt-then-MAC: a packet is encrypted first and the HMAC is then computed over the resulting ciphertext, so the receiver verifies the HMAC before it decrypts or checks padding, which is what defeats padding oracle attacks against CBC. The underlying per-ES keys are unique, set at generation time, and can be revoked.
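The two authentication layers described in the last two items, written out as an added example that is not part of this page or of Delve's own code. It models the per-packet HMAC-SHA512 gate on the control channel and the encrypt-then-MAC data channel (AES-256-CBC with HMAC-SHA512 over IV and ciphertext) using only the Go standard library. The keys, payloads and the packet layout (tag || IV || ciphertext) are constructed assumptions of the example, not Delve's wire format. The point to take away is the order of operations in openData: the MAC is compared in constant time before any decryption or padding check runs, so a forged or altered packet fails identically regardless of what its padding would have decoded to.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha512"
	"errors"
	"fmt"
)

const tagLen = sha512.Size // 64-byte HMAC-SHA512 tag carried by every packet
var errBadTag = errors.New("packet rejected: HMAC-SHA512 check failed")

func tag(key, data []byte) []byte { // HMAC-SHA512(key, data)
	m := hmac.New(sha512.New, key)
	m.Write(data)
	return m.Sum(nil)
}

// Control-channel gate ("cryptographic firewalling"): a packet is tag || payload.
// Without the pre-shared gateKey nobody can mint a valid tag, so foreign packets
// are dropped here, before the TLS stack ever parses a byte of them.
func wrapControl(gateKey, payload []byte) []byte {
	return append(tag(gateKey, payload), payload...)
}

func unwrapControl(gateKey, packet []byte) ([]byte, error) {
	if len(packet) < tagLen {
		return nil, errBadTag
	}
	got, payload := packet[:tagLen], packet[tagLen:]
	if !hmac.Equal(got, tag(gateKey, payload)) { // constant-time comparison
		return nil, errBadTag
	}
	return payload, nil
}

// Data channel: AES-256-CBC, encrypt-then-MAC. Constructed packet layout:
// tag || iv || ciphertext, with tag = HMAC-SHA512(macKey, iv || ciphertext).
// pkcs7Unpad is only ever reached with authenticated, block-aligned input.
func pkcs7Unpad(b []byte) ([]byte, error) {
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

func sealData(encKey, macKey, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(encKey) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	body := make([]byte, aes.BlockSize) // fresh random IV for every packet
	if _, err := rand.Read(body); err != nil {
		return nil, err
	}
	n := aes.BlockSize - len(plaintext)%aes.BlockSize // PKCS#7 padding
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, body).CryptBlocks(ct, padded)
	body = append(body, ct...)
	return append(tag(macKey, body), body...), nil // encrypt first, then MAC
}

func openData(encKey, macKey, packet []byte) ([]byte, error) {
	if len(packet) < tagLen+2*aes.BlockSize || (len(packet)-tagLen)%aes.BlockSize != 0 {
		return nil, errBadTag
	}
	got, body := packet[:tagLen], packet[tagLen:]
	// Authenticate before touching the ciphertext: a forged or modified packet fails
	// here, so an attacker can never reach the padding check (no padding oracle).
	if !hmac.Equal(got, tag(macKey, body)) {
		return nil, errBadTag
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	iv, ct := body[:aes.BlockSize], body[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt)
}

func main() {
	// Constructed demo keys; a real ES receives its own unique keys at generation time.
	gateKey, encKey, macKey := bytes.Repeat([]byte{0x11}, 64), bytes.Repeat([]byte{0x33}, 32), bytes.Repeat([]byte{0x44}, 64)
	ctrl := wrapControl(gateKey, []byte("constructed TLS record"))
	ctrl[len(ctrl)-1] ^= 1 // flip one payload bit: the gate must drop the packet
	_, err := unwrapControl(gateKey, ctrl)
	fmt.Println("tampered control packet:", err)
	pkt, _ := sealData(encKey, macKey, []byte("constructed telemetry record"))
	pkt[len(pkt)-1] ^= 0x80 // corrupt the last ciphertext block
	_, err = openData(encKey, macKey, pkt)
	fmt.Println("tampered data packet:", err) // MAC failure, never a padding error
}
```

Both rejections come out of the same errBadTag path. That is deliberate: if openData reported "bad padding" for some corrupted packets and "bad MAC" for others, the distinction itself would be the oracle the page says encrypt-then-MAC removes. Separate keys are used for the gate, the cipher and the MAC; reusing one key across the three roles would be a mistake even though it would still "work".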