Luminate Connector - Communications and Security Measures Description

Products

Symantec ZTNA

Issue/Introduction

Resolution

For information about the Luminate Security platform, its basic architecture and how to get started with it, please read the Getting Start article.

This article explains the technical details of the communications between the Luminate Connector components (deployed in physical or virtual datacenters hosting applications that are being accessed via Luminate) and the Luminate Cloud Service.

The following diagram depicts the communication scheme:

The communications between Luminate Connectors and Luminate Cloud Service Connectivity PoDs are carried out over TCP Port 443 and are initiated by the Connectors. The customer's data center firewall is required to allow outbound communication on this port to Luminate Cloud destinations.

The outbound connections are carried out with a proprietary binary protocol, similar to HTTP/2 and GRPC in its principle, but optimized for security and performance of delivering simultaneous requests. The connections are long-term/persistent, but if they are terminated, the Connector attempts at recreating them as quickly as possible.

The connections are secured using TLS with both sides authenticating each other (including certificate pinning) in the following way:

Luminate Cloud Service - each PoD (in fact, each component that terminates TLS inside each PoD) has ephemeral Certificates that are allocated by a dynamic PKI. Luminate Connector is capable of checking the validity of these certificates to make sure that it is communicating directly with the cloud service.
Luminate Connector - when initiated, each Connector receives an ephemeral OTP, allowing it to establish initial communications with the Cloud Service and pull a TLS Certificate. From this point, every communication between the Connector and the Cloud Service is done with the certificate, including pulling new certificates. The cloud service performs a strong pinning of each new certificate for each connector.

The above scheme ensures that the connectivity between the Luminate Connector and the Luminate Cloud Service is carried out with the highest level of security, using the most up-to-date cipher suites and without any inspection in the middle.

Note:

For the connector's deployment, the machine running the connector needs to have access to:
- https://registry-1.docker.io/v2/
- https://production.cloudflare.docker.com
For the Connector's operation, the following URLs needs to be accessible:
- luminate-ws.<tenant>.luminatesec.com – endpoint for core-server connection, metrics collection, connector-orchestrator connection.
- internal.<tenant>.luminatesec.com – endpoint to CMS (registration, policy, last-seen status, traces)
- sentry.io – Sentry endpoint for health monitoring.