Splunk® Secure Gateway

Administer Splunk Secure Gateway

Acrobat logo Download manual as PDF


Splunk Secure Gateway is a default enabled application that's included in Splunk Cloud version 8.1.2103 and Splunk Enterprise version 8.1.0 and higher. An admin must agree to the opt-in notice before using Splunk Secure Gateway. See Get started with Splunk Secure Gateway to get started.
Acrobat logo Download topic as PDF

About the Splunk Secure Gateway security process

You can view and interact with data on your mobile device using the Splunk Connected Experiences apps and the Splunk Secure Gateway app. The Connected Experiences apps connect to Splunk Secure Gateway, a required Splunk Platform app that facilitates encrypted message exchanges between mobile devices and a Splunk platform instance. Sophisticated encryption and a secure data exchange process remove the need for ingress firewall rules, port mappings, domain registrations, and device login details.

The Splunk Secure Gateway app connects devices to a Splunk Enterprise or Splunk Cloud instance. The app routes encrypted data through Spacebridge, an intermediary component that's hosted on the Splunk common cloud infrastructure. Spacebridge identifies client devices and establishes an encrypted transfer during transit and at rest.

Spacebridge has been certified to meet SOC2, Type 2 and ISO 27001 standards. Splunk Cloud customers who have specifically purchased a HIPAA or PCI-DSS regulated environment may transmit the applicable regulated data to Spacebridge as it is HIPAA and PCI-DSS compliant. Spacebridge may not be used in environments that require the FIPS 140-2 standard for cryptographic modules. See Splunk Secure Gateway and Spacebridge Compliance Standards to learn more.

Encryption

Spacebridge uses Libsodium and Transport Layer Security (TLS) 1.2 to encrypt data end-to-end at multiple layers of the process. Libsodium, a high-level cryptographic tool, features Integrated Encryption Scheme (IES). IES is a hybrid encryption scheme that provides semantic security functionality. TLS 1.2, which uses secure hash algorithms and advanced cipher suites, provides transport-level encryption. Libsodium encryption and TLS 1.2 protocol provide data protection both at rest and in transit.

Unique private and public key pair generation

For client devices and Splunk platform instances to communicate through the Spacebridge, both sides require a public and private key pair. Both the client and Splunk Secure Gateway app generate a unique private and public key pair with a 256-bit ECC key strength.

The client device key pair is generated when you load a Connected Experiences app on your device. If you unregister a device, a new client device key pair is generated.

The Splunk Secure Gateway app key pair is generated when you install the Splunk Secure Gateway app. Once the Splunk Secure Gateway keys are generated, WebSocket connection opens for data exchange between the client device and the Splunk Secure Gateway app.

Session initiation and data exchange

The Splunk Secure Gateway app requires you to open port 443 outbound to the host prod.spacebridge.spl.mobi, which allows Spacebridge to bidirectionally route the encrypted data between client devices and Splunk platform instances through WebSocket connection. No inbound ports are opened.

The following diagram shows the bidirectional communication between mobile devices and the Splunk Secure Gateway app: This diagram shows the bidirectional communication between mobile devices and the Splunk Secure Gateway app, with Spacebridge in between as an intermediary message router.

Arrows show the direction of connection initiation. Websocket and GRPC connections are bi-directional and always initiated by Splunk Secure Gateway or client devices, and never Spacebridge.

Optionally, you can route the outbound connection through a proxy. See (Optional) Use a proxy server with Splunk Secure Gateway for more information about how to use a proxy with Splunk Secure Gateway.

Your data is not stored in Splunk servers. Splunk servers store only anonymized routing information. Spacebridge cannot read any identifying information and does not persist any user data.

How mobile devices authenticate to a Splunk platform instance

The client device and Splunk Secure Gateway app exchange an authentication code, their public keys, and credentials during device registration. All registration details pass through Spacebridge, which performs encryption using Libsodium and TLS 1.2 protocol.

During registration, Spacebridge reads the client device public key and the Splunk Secure Gateway app public key. The public key uniquely identifies the client to the Splunk Secure Gateway app. The Splunk Secure Gateway app then sends its public key and a session token that's encrypted with the client public key to the client device.

The following diagram illustrates the step-by-step client registration process:

This diagram shows the step-by-step device registration process

This is the Splunk Secure Gateway registration process in detail:

  1. When the user registers their device, the Connected Experiences app provides an authentication code. The user enters the authentication code into the Splunk Secure Gateway app. The client device sends its public key and client metadata to Spacebridge.
  2. The authentication code refreshes every 15 minutes.
  3. The client polls registration with the authentication code and client ID.
  4. The Splunk Secure Gateway app sends the authentication code to Spacebridge.
  5. Spacebridge sends device public key and client metadata to the Splunk Secure Gateway app.
  6. The Splunk Secure Gateway app sends the authentication code, client ID, app public key, and encrypted credentials to Spacebridge.
  7. The client receives the encrypted credentials and app public keys and device registration completes.

How mobile devices exchange messages with a Splunk Platform instance

Spacebridge facilitates message flow between the client device and the Splunk Secure Gateway app using a hybrid encryption scheme called Elliptic Curve Integrated Encryption Scheme (ECIES). Routing information is anonymized so that the sender's and receiver's identities are private. During this message exchange, sensitive data is encrypted with the receiver's public key. The client identifies itself to the Spacebridge with a hash of its public key. The entire payload is signed with the sender's private key. Spacebridge verifies the message's signature and verifies that the sender is allowed to send messages to the receiver.

This diagram shows a message request from the client device to the Splunk Secure Gateway app:

This diagram shows a message request from the client device to the Splunk Secure Gateway app.

Here are the steps that occur during a message exchange between the client device and the Splunk Secure Gateway app:

  1. When the user makes a message request, such as loading a list of dashboards, the client encrypts and signs the message.
  2. The client routes the encrypted and signed message to Spacebridge.
  3. Spacebridge validates the message signature.
  4. Spacebridge routes the encrypted and signed message to the Secure Gateway app.
  5. The Secure Gateway app validates the signature and decrypts the message.
  6. The Secure Gateway app processes the message and creates a response.
  7. The Secure Gateway app signs and encrypts the response.
  8. The Secure Gateway app sends the encrypted and signed response to Spacebridge.
  9. Spacebridge validates the response signature.
  10. Spacebridge routes the encrypted and signed response to the client.
  11. The client validates the response signature and decrypts the response.
  12. The client processes the response.

More security features

The Splunk Secure Gateway app secures your data when connecting your Splunk platform instance to mobile devices in the following additional ways:

  • Sandbox security allows you to restrict data to an isolated environment. The sandbox is separate from your Splunk platform instance. You define exactly what data to encrypt and transfer and which devices can receive the data. The rest of your deployment is untouched.
  • Splunk Secure Gateway provides periodic threat modeling and static code analysis that happens at build time.
  • Splunk Secure Gateway uses BLAKE2b, a secure cryptographic hash function.
  • Automated dynamic code analysis monitors system memory, behavior, and overall performance.

Host your own Spacebridge

You can deploy Private Spacebridge within your own Kubernetes cluster so that you can own an end-to-end pipeline for connecting mobile devices to your Splunk platform instance.

To learn more, see the Private Spacebridge Documentation.

Last modified on 07 March, 2023
PREVIOUS
Share data in Splunk Secure Gateway
  NEXT
Splunk Secure Gateway and Spacebridge Compliance Standards

This documentation applies to the following versions of Splunk® Secure Gateway: 2.5.6 Cloud Only, 2.5.7, 2.6.3 Cloud only, 2.7.3 Cloud only, 2.7.4, 2.8.4 Cloud only, 2.9.1 Cloud only, 2.9.3 Cloud only, 2.9.4 Cloud only, 3.0.9, 3.1.2 Cloud only, 3.2.0 Cloud only, 3.3.0 Cloud only, 3.4.251, 3.5.15 Cloud only


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters