Overview
Generally a GNSS Spider installation does not cause any concern regarding your computer's security. The notes in the following sections are intended to support users installing in a corporate network infrastructure and to explain how GNSS Spider configuration settings and software architecture help to achieve a highly secure installation set-up.
In corporate networks with firewall security, depending on how you install and configure GNSS Spider and the selected components, several IP ports must be opened in a firewall for a certain communication direction. The Section “Distributed installation in a corporate LAN” below should help you discuss the required network settings with your IT administrator or manager. A summary of the IP ports used by GNSS Spider and the Microsoft® SQL Server database was given in Section 5 above.
General Security Aspects
Any computer and software today is exposed to external threats such as viruses, worms or hacking attacks. To counter these, it is recommended to run appropriate software tools such as virus scanners and firewalls on your computer systems. These tools must always be kept up to date; this is the responsibility of your IT network personnel.
Of specific concern related to GNSS Spider is the protection against unauthorized access to GNSS Spider operation and data in terms of:
• Remote user interface access at Spider Administrator level.
• Logged data files (GNSS raw data, event logs, RTK Rover user logs).
• Real-time GNSS data streams.
• RTK rover account information.
Remote GNSS Spider GUI Client access control
GNSS Spider control and configuration is only allowed for users who are members of the Windows™ user group “Spider Administrators”. Any other user connection has viewer rights only. You should therefore carefully manage the membership of the “Spider Administrators” group, since every member can reconfigure the servers. Please refer to the online help to learn more about this user group for GNSS Spider.
If you have security concerns regarding remote client access, it can be fully disabled for a GNSS Spider Server or limited to GNSS Spider Administrators only. Use the settings on the Security tab in the Configuration dialog, accessible via the Tools/Configuration menu.
Remote GNSS Spider GUI access requires the following IP ports to be open on the GNSS Spider Server computer and on any firewall between the remote computer and the GNSS Spider Server:
• GNSS Spider:
IP port = 9877 (Leica GNSS Spider Site Server Data Dispatcher)
IP port = 9879 (Leica GNSS Spider Network Server Data Dispatcher)
• SQL Server:
IP port = 1433
GNSS Spider Server Access Password
For access to a GNSS Spider Site Server or Network Server the remote client must know the GNSS Spider Server password.
This server password is individually set during the installation for each GNSS Spider Site Server and Network Server.
The GNSS Spider Server password is required for connections of the GNSS Spider GUI Client to a GNSS Spider Server as well as for connections between the different GNSS Spider Servers. Therefore a GNSS Spider Cluster Server as well as a GNSS Spider RTK Proxy Server must also know the correct password of the Network Server to which they are assigned.
Modify Server Access Passwords
The GNSS Spider Site Server and Network Server access password can only be modified using the local GNSS Spider Client GUI. It cannot be modified through a remote GNSS Spider GUI.
To modify a local Site Server or Network Server password:
Step Action
1 Start the GNSS Spider GUI Client.
2 Open the Local Site Server or Local Network Server.
3 Select Site Server Password or Network Server Password from the Tools menu.
For all local GNSS Spider Clients the passwords are updated automatically. For example, changing the local Network Server password automatically updates the same password for a locally installed Cluster Server or RTK Proxy Server, as well as for the connection shortcut entry in the GNSS Spider Server Management. Restart the computer so that the password changes take effect.
All remote GNSS Spider Clients that should still connect to the Site Server or Network Server after the password has been changed must be updated separately. This can only be done directly at the computer where they are locally installed.
To update a GNSS Spider GUI Client connection shortcut entry to a remote Site Server or Network Server with a new password:
Step Action
1 Start the GNSS Spider GUI Client.
2 Open the Server Management.
3 Select the remote server connection to be updated.
4 Right click and select Properties from the context menu.
5 Modify the Password as needed.
To update a Cluster Server or RTK Proxy Server client after changing the password of the remote Network Server to which it is assigned, run the GNSS Spider Password Tool:
Step Action
1 Open the Windows™ Start menu
2 Select Programs → Leica GNSS Spider → Password Tool.
SBC default administrator access
When the Spider Business Center is first installed, a default master administrator account is created automatically to allow access to the web GUI using an Internet browser.
The default administrator account logon details are as follows:
User name: Admin
Password: Admin
It is strongly recommended to change the default password for this account after the first logon and to enter a valid email address for it, or to create a completely new master administrator account with a new name and password and then delete the default Admin account. Until this is done, anyone who can reach the SBC web GUI can log on with these published credentials.
Logged data file access
Access to logged GNSS Spider data files such as GNSS raw data, QC files and event log files, or RTK user access log files, is always possible directly on the local computer.
To provide public access to some or all of the GNSS Spider product files, it is recommended to copy these to an FTP server (set up with the required access security). GNSS Spider provides the tools to automatically push files onto FTP servers allowing public access. For security reasons, such an FTP server should either be installed in a company's DMZ or with an external FTP provider, so that public users never connect to the computer holding the GNSS Spider servers and database. See Section “Distributed installation in a corporate LAN” below.
network to individual users via the Internet, we recommend using a web server application such as Leica SpiderWeb (http://spiderweb.leica-geosystems.com).
RTK Proxy – Security for real-time data access
The RTK Proxy server is specifically designed to provide secured access to real-time data streams for conventional RTK or Network RTK. It does not require access to the GNSS Spider SQL database, but only a single IP communication channel to the GNSS Spider Network Server. To comply with a typical corporate Internet security policy, the communication to the RTK Proxy Server is always initiated from the Network Server (on the Intranet, inside the firewall) to the RTK Proxy Server (on the Internet or in the DMZ, outside the primary firewall). Ports in the firewall must only be opened in the outbound direction; a stateful firewall passes the return traffic of that established connection, so no inbound rule from the DMZ into the Intranet is needed and the Intranet is protected from unintended access. Consequently the RTK Proxy Server can easily be installed on a computer in a company's DMZ, whilst the remaining GNSS Spider servers are installed within the secured Intranet, separated by a firewall from the outside Internet.
The following IP communication port must be opened in a firewall to successfully connect from the Network Server to the RTK Proxy Server (in one direction only, from the LAN to the DMZ):
• IP port = 9880 (Leica GNSS Spider RTK Proxy Server Data Dispatcher)
See also Section “Distributed installation in a corporate LAN” below.
Additionally, access to the individual RTK product services that can be provided through the RTK Proxy Server can be secured with various authentication and authorization methods, available through the optional GNSS Spider RTK User Management option. This option also provides the possibility to log individual user accesses, providing the information needed to charge RTK users for services received. Note that no user-related data is stored on the server in the DMZ.
SBC Proxy – Security for user management access
The SBC Proxy server is specifically designed to provide secured access to all Spider Business Center related data and functions. It is used by the SBC web server portal, the GNSS Spider Network Server and Leica SpiderWeb to communicate with the SBC Central Server. For example, the GNSS Spider Network Server and SpiderWeb communicate with the SBC Central Server via the SBC Proxy to validate user login data for authentication, which is stored in the SBC Central Server SQL database.
Consequently the SBC Proxy Server can be easily installed on a computer in a company’s DMZ, whilst the remaining GNSS Spider Servers are installed within the secured Intranet, separated by a firewall from the outside Internet.
The following IP communication port must be opened in a firewall to successfully connect from the Network Server to the SBC Central Server via the SBC Proxy Server (in one direction only, from the LAN to the DMZ):
• IP port = 80
The following IP communication port must be opened in a firewall for the SBC Central Server to connect to the SBC Proxy Server (in one direction only, from the LAN to the DMZ):
• IP port = 8021 (Leica GNSS Spider SBC Proxy Server Data Dispatcher)
See also Section “Distributed installation in a corporate LAN” below.
SQL Database
GNSS Spider uses the Microsoft® SQL Server database. This database contains all GNSS Spider configuration information and should therefore be well protected.
It is therefore important that you enter a strong password for the SQL System Administrator (sa) login during the installation of the SQL database; sa has full control of every database on the instance, so treat its password as a master credential. If no GNSS Spider remote access is required through the firewall, the following port must not be open in your company's firewall (i.e. this port must be closed):
SQL Server: IP port = 1433
Distributed installation in a corporate LAN
This section is primarily of interest for distributed installations in a corporate network infrastructure. It does not apply to single stand-alone computer installations, such as a single reference station installation with the GNSS Spider Site Server only. It should help you when explaining the security aspects of GNSS Spider to your IT network administrator.
A typical corporate network with public Internet access is structured in zones of different security levels.
Un-Secured Zone = World Wide Web / Internet.
De-Militarized Zone (DMZ) = Subset of a corporate network, located between the unsecured Internet and the secure local area network (LAN or Intranet). This subset is the public part of the LAN. Communication between local and external networks is controlled by security devices such as routers and firewalls.
Secured LAN/Intranet = Private network inside a company or
With its individual server components, Leica GNSS Spider is designed to fit into this concept.
The following is sample information about the IP ports that must be opened in distributed installations. In general the GNSS Spider Site Server, Network Server and Cluster Server should be located in the secure LAN area on a single computer (or distributed over multiple computers), whilst for security reasons the RTK Proxy Server should ideally be located in the DMZ.
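The port and direction rules collected in this section and in the remote GUI access, RTK Proxy, SBC Proxy and SQL Database sections above, expressed as an added example: a small Python check that compares a firewall ruleset with the flows this manual documents. It is not part of GNSS Spider or of this manual. Assumptions: zones are reduced to LAN, DMZ and INTERNET; each rule is described by the zone that initiates the TCP connection and the zone that listens, which is what “one direction only, from the LAN to the DMZ” refers to; the zone of a remote GNSS Spider GUI Client is a parameter (None when no remote access is needed, in which case tcp/1433 must stay closed); the RISK finding for SQL Server reachable from the Internet is added hardening advice, not a statement from this manual; the sample ruleset is constructed.

```python
"""Check a firewall ruleset against the GNSS Spider port and direction
requirements described in this document (example code, not part of GNSS Spider).

A Flow is one allowed TCP connection, described by the zone that initiates it
(src) and the zone that listens (dst).  Direction matters: the LAN-to-DMZ links
for the RTK Proxy and SBC Proxy are opened in that direction only.
"""
from dataclasses import dataclass
from typing import Optional

LAN, DMZ, INTERNET = "LAN", "DMZ", "INTERNET"

# IP ports named in this document, keyed by the listening service.
PORTS = {
    "site_server_dispatcher": 9877,     # Leica GNSS Spider Site Server Data Dispatcher
    "network_server_dispatcher": 9879,  # Leica GNSS Spider Network Server Data Dispatcher
    "rtk_proxy_dispatcher": 9880,       # Leica GNSS Spider RTK Proxy Server Data Dispatcher
    "sbc_proxy_http": 80,               # Network Server / SpiderWeb -> SBC Central via SBC Proxy
    "sbc_proxy_dispatcher": 8021,       # Leica GNSS Spider SBC Proxy Server Data Dispatcher
    "sql_server": 1433,                 # Microsoft SQL Server
}
SPIDER_PORTS = set(PORTS.values())


@dataclass(frozen=True, order=True)
class Flow:
    src: str    # zone that opens the TCP connection
    dst: str    # zone that listens
    port: int


def fmt(f: Flow) -> str:
    return f"{f.src} -> {f.dst} tcp/{f.port}"


def required_flows(remote_gui_zone: Optional[str]) -> set[Flow]:
    """Flows this document says must be allowed in a distributed install.

    remote_gui_zone is the zone of a remote GNSS Spider GUI Client, or None
    when no remote GUI access is needed (then tcp/1433 stays closed).
    """
    need = {
        Flow(LAN, DMZ, PORTS["rtk_proxy_dispatcher"]),  # Network Server -> RTK Proxy
        Flow(LAN, DMZ, PORTS["sbc_proxy_http"]),        # Network Server -> SBC Proxy
        Flow(LAN, DMZ, PORTS["sbc_proxy_dispatcher"]),  # SBC Central Server -> SBC Proxy
    }
    if remote_gui_zone is not None:
        for name in ("site_server_dispatcher", "network_server_dispatcher", "sql_server"):
            need.add(Flow(remote_gui_zone, LAN, PORTS[name]))
    return need


def audit(allowed: set[Flow], remote_gui_zone: Optional[str]) -> list[str]:
    """Return findings for a ruleset; an empty list means it matches the document."""
    need = required_flows(remote_gui_zone)
    findings = [f"MISSING: {fmt(f)} is required but not allowed" for f in sorted(need - allowed)]
    for f in sorted(allowed):
        if f.port not in SPIDER_PORTS:
            continue  # not a GNSS Spider port; out of scope for this check
        if f in need:
            # Added hardening check (assumption, beyond the document's text):
            # a GUI client on the Internet would expose SQL Server directly.
            if f.port == PORTS["sql_server"] and f.src == INTERNET:
                findings.append(f"RISK: {fmt(f)} exposes SQL Server to the Internet")
            continue
        if f.port == PORTS["sql_server"] and remote_gui_zone is None:
            findings.append(f"CLOSE: {fmt(f)}; tcp/1433 must stay closed without remote GUI access")
        elif f.dst == LAN and f.src in (DMZ, INTERNET):
            findings.append(f"FORBIDDEN: {fmt(f)} initiates a connection into the secured LAN")
        else:
            findings.append(f"UNEXPECTED: {fmt(f)} is a GNSS Spider port but no documented flow")
    return findings


# Constructed sample ruleset with two common mistakes: the RTK Proxy port was
# opened from the DMZ into the LAN (wrong direction) and tcp/1433 was left
# reachable from the Internet although no remote GUI access is needed.
SAMPLE_RULES = {
    Flow(DMZ, LAN, 9880),
    Flow(LAN, DMZ, 80),
    Flow(LAN, DMZ, 8021),
    Flow(INTERNET, LAN, 1433),
    Flow(LAN, INTERNET, 21),   # FTP push to an external provider; not checked here
}

if __name__ == "__main__":
    for line in audit(SAMPLE_RULES, remote_gui_zone=None):
        print(line)
```

Run against the constructed ruleset the check reports the missing LAN-to-DMZ rule for tcp/9880, the wrongly directed DMZ-to-LAN rule for the same port, and the open tcp/1433; the FTP rule is ignored because it is not a GNSS Spider port. The same zone model applies to the host firewall of the server computer, where a remote GUI client on the LAN appears as a LAN-to-LAN flow.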