In this part of the Mixeway tutorial we will cover the topic of global platform configuration.
The administration panel, from which you can access the global settings, is reached via the “Admin Zone” menu entry, which leads to the ‘/pages/admin’ URL.
This zone is available only to users with Admin permissions. The admin zone consists of three parts: User management, Scanner management, and other settings.
The current version of Mixeway supports only two types of authentication: password-based (passwords stored in the local DB) or smart card (based on an X.509 certificate).
To add a user, use the “Add user” button.
The possible roles that can be assigned to a user are:
- Admin – administrator, who can perform operations such as project browsing, accessing the admin zone or running scans,
- Editor – this permission allows creating a project, adding assets to a project or running a scan within the scope of a particular project,
- User – this permission gives access to specific projects. User accounts cannot add assets to a project or run a scan (read-only access),
- API – account type for API access.
Operations such as password change and user blocking are available from the user table shown in the picture above, through the buttons with a pencil (permission edit and password change) or a minus (blocking an account; a blocked account cannot log into Mixeway).
This area is used to manage scanner integrations. The table shown in the image above lists the scanner type, the API address, the routing domain (covered below) that is reachable from a particular scanner, and operations such as scanner deletion or remote firewall integration configuration.
A new scanner configuration can be added by clicking the “Add Scanner” button. This form will not be described in this part: adding a new scanner integration is strongly scanner-dependent and will be covered in the next parts of the tutorial, which deal with the particular integration plugins.
The last tab of the admin zone leads to other settings.
Security Quality Gateway Setting
This part configures the quality gateway, an API that checks whether a particular application meets the criteria to be deployed in the CI/CD process. The configuration can be based on the severity metric obtained from the vulnerability scanner, or on the grade obtained from Mixeway Vulnerability Auditor (https://mixeway.io/2020/07/13/mixeway-vuln-auditor/). If you choose the severity-based gateway, you have to enter a threshold number for Critical, High and Medium severity of detected vulnerabilities. If the number of vulnerabilities of a given severity exceeds the configured limit, the gateway responds with “NO”. For the grade-based gateway, the only setting is the number of vulnerabilities to be checked (the grade is binary, 1 or 0).
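To make the two gateway modes concrete, here is an added Python model of the decision (example code, not Mixeway's own implementation). It assumes that "exceed" means strictly greater than the configured limit, that the positive answer is "YES", and that the grade-based limit applies to the count of grade-1 findings.

```python
from dataclasses import dataclass
from typing import Dict, Iterable

# Constructed model of the gateway decision; not Mixeway's own code.
SEVERITIES = ("Critical", "High", "Medium")


@dataclass(frozen=True)
class Vulnerability:
    severity: str  # scanner severity, e.g. "Critical", "High", "Medium", "Low"
    grade: int     # Vuln Auditor grade: 1 = confirmed, 0 = not relevant (assumed encoding)


def count_by_severity(vulns: Iterable[Vulnerability]) -> Dict[str, int]:
    """Count Critical/High/Medium findings; other severities are ignored."""
    counts = {sev: 0 for sev in SEVERITIES}
    for v in vulns:
        if v.severity in counts:
            counts[v.severity] += 1
    return counts


def severity_gateway(vulns: Iterable[Vulnerability], limits: Dict[str, int]) -> str:
    """Severity-based gateway: "NO" as soon as any configured limit is exceeded.

    'limits' maps "Critical"/"High"/"Medium" to the thresholds entered in the
    admin form. "Exceed" is read as strictly greater than the limit (assumption).
    """
    counts = count_by_severity(vulns)
    for sev in SEVERITIES:
        if counts[sev] > limits[sev]:
            return "NO"
    return "YES"  # positive answer is assumed; the page only names "NO"


def grade_gateway(vulns: Iterable[Vulnerability], max_confirmed: int) -> str:
    """Grade-based gateway: the number of grade-1 findings is compared against
    the single configured limit (assumed reading of the page)."""
    confirmed = sum(1 for v in vulns if v.grade == 1)
    return "NO" if confirmed > max_confirmed else "YES"


# Constructed sample scan result: 1 Critical, 2 High, 3 Medium, 1 Low; 4 graded 1.
SAMPLE = [
    Vulnerability("Critical", 1),
    Vulnerability("High", 1), Vulnerability("High", 0),
    Vulnerability("Medium", 0), Vulnerability("Medium", 0), Vulnerability("Medium", 1),
    Vulnerability("Low", 1),
]

if __name__ == "__main__":
    print(severity_gateway(SAMPLE, {"Critical": 0, "High": 5, "Medium": 5}))  # NO
    print(severity_gateway(SAMPLE, {"Critical": 1, "High": 2, "Medium": 3}))  # YES
    print(grade_gateway(SAMPLE, 3))  # NO (4 confirmed findings > 3)
```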
As mentioned above, the current version of Mixeway supports two types of authentication:
- Password-based – if this option is checked, the login screen shows fields for username and password. Adding a user requires both a username and a password.
- X509 Certificate-based – this option is considered more secure but requires additional configuration. If user certificates are signed by a Root CA that is not globally trusted, the root CA has to be added to the Mixeway trust store (trust.jks; see https://mixeway.io/2020/07/13/tutorial-part-1-installation/).
Mailing is not yet used very often within Mixeway. At the moment the only functionality that sends e-mails is the weekly trend of detected vulnerabilities for particular projects. To enable sending reports, you have to configure the form below properly. The ‘domain’ field is required and has to be set to the domain from which mail will be sent.
Global API Key
The global API key can be used with any API configured within Mixeway (unlike an API key generated for a specific project). Only one API key can be active at a time; generating a new API key deactivates the previous one.
Not yet implemented
Routing domains are used when multiple scanners are configured. It is possible to create integrations with many scanners of the same type; in that case the routing domain decides which scanner is used to scan a particular asset.
This is often used in organizations whose network is divided into many segments that have no access to each other. In this scenario you can create Scanner 1 with RoutingDomain1, which will scan assets located in RoutingDomain1, and Scanner 2 with RoutingDomain2, which will scan assets located in RoutingDomain2. The configuration is done once and requires little effort afterwards.
Routing Domains can be added at any time.
Proxies for Mixeway can be set on multiple levels. You can specify a proxy for the JVM via JVM options, which will be configured accordingly, or you can define multiple proxies to be used by particular projects or scanners.
Mixeway Vuln Auditor Integration
Mixeway Vuln Auditor is an optional component of Mixeway that uses machine learning and neural networks to classify detected vulnerabilities as “Confirmed and required to fix” or “Detected but not relevant in a given context”. To enable the Vuln Auditor integration, the Vuln Auditor service has to be running (https://github.com/Mixeway/MixewayVulnAuditor).
Automatic Scan Scheduling
Each scan in Mixeway can be triggered either by the scheduler or on demand by an API call. Scan scheduling is configured globally and is defined as a cron expression.
IT Security Expert, DevSecOps enthusiast, Java developer in spare time, Mixeway lead architect and PhD candidate at the Warsaw University of Technology in the field of machine learning techniques in cybersecurity.