You can customize the Netify agent's configuration to anonymize any data that you would prefer not to send to the Netify cloud. All changes can be made from the command line, using an editor of your choice, in the Netify configuration file:
etc/netifyd.conf. If there isn't one already, create a new section for privacy settings as follows:
Mask WAN IP Addresses
To prevent your WAN IP address(es) from being stored, set the private_external_addresses attribute to true.
[privacy_filter]
private_external_addresses = true
Obfuscate LAN IP
If you would like to obfuscate one or more LAN IP addresses, use the host attribute:
[privacy_filter]
host = 192.168.1.1
host = 192.168.1.2
...
host[n] = 192.168.1.n
With this directive set, any of the listed IP addresses will be converted to 184.108.40.206 if it appears in the local field, and to 220.127.116.11 if it occurs in the other field.
Obfuscate MAC Address
Similar to the host example above, if you would like to obfuscate one or more MAC addresses, use the mac attribute:
[privacy_filter]
mac = a3:c7:43:00:00:00
mac = a3:c7:43:00:00:01
...
mac[n] = a3:c7:43:00:00:nn
Any matching MAC address will be converted to 01:02:03:04:05:06 if it is found in the local MAC field or 0a:0b:0c:0d:0e:0f if it occurs in the other MAC field.
Netify's Pattern Match and Replace engine is a powerful regular expression engine that applies bulk regex statements as a post-processing step before the meta-data is sent to the cloud.
Search strings are case-insensitive. It is recommended you try to keep the format of the data intact. As an example, an IPv4 address of 192.168.1.1 should be replaced with 0.0.0.0, rather than Johnson's Desktop.
[privacy_filter]
regex_search = Acme
regex_replace = A___
The preceding configuration would find every occurrence of Acme extracted into the meta-data and replace it with A___ to protect the identity of the "Acme" organization/brand. Examples include:
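The following Python sketch is an added illustration, not Netify's code: it previews what the host, mac and regex directives above would do to one flow record before it leaves the network. The flow field names (local_ip, other_ip, local_mac, other_mac, host_server_name, ssl_organization), the sample data and the pairing of regex_search with regex_replace by position are assumptions; private_external_addresses is not modelled.

```python
import re

# Masks are the values this page quotes; field names and samples are constructed.
MASKS = {
    "host": {"local_ip": "184.108.40.206", "other_ip": "220.127.116.11"},
    "mac": {"local_mac": "01:02:03:04:05:06", "other_mac": "0a:0b:0c:0d:0e:0f"},
}

def parse_privacy_filter(text):
    """Collect [privacy_filter] directives; host/mac may repeat, so keep lists."""
    cfg, in_section = {}, False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):
            in_section = line == "[privacy_filter]"
        elif in_section and "=" in line and not line.startswith(("#", ";")):
            key, value = (part.strip() for part in line.split("=", 1))
            cfg.setdefault(key, []).append(value)
    return cfg

def apply_privacy_filter(record, cfg):
    """Preview a flow record after filtering; regex pairs match by position (assumed)."""
    out = dict(record)
    for key, fields in MASKS.items():
        listed = {v.lower() for v in cfg.get(key, [])}
        for field, mask in fields.items():
            if str(out.get(field, "")).lower() in listed:
                out[field] = mask
    for search, repl in zip(cfg.get("regex_search", []), cfg.get("regex_replace", [])):
        pattern = re.compile(search, re.IGNORECASE)  # page: searches ignore case
        for field, value in out.items():
            if isinstance(value, str):
                out[field] = pattern.sub(repl, value)
    return out

SAMPLE_CONF = """
[privacy_filter]
host = 192.168.1.2
mac = a3:c7:43:00:00:01
regex_search = Acme
regex_replace = A___
"""
SAMPLE_FLOW = {  # constructed record
    "local_ip": "192.168.1.2", "other_ip": "203.0.113.10",
    "local_mac": "A3:C7:43:00:00:01", "other_mac": "00:00:5e:00:53:01",
    "host_server_name": "portal.acme.example", "ssl_organization": "ACME Widgets",
}

if __name__ == "__main__":
    print(apply_privacy_filter(SAMPLE_FLOW, parse_privacy_filter(SAMPLE_CONF)))
```

Because the search is case-insensitive, the same rule rewrites both "ACME Widgets" and the hostname portal.acme.example, so a dry run like this helps confirm that a pattern masks everything intended while keeping the data format intact.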
Once meta-data is sent to the cloud, users may want to annotate and supplement the raw data to make the analysis easier to understand. Fortunately, Netify makes privacy of user-provided data a snap with our no-knowledge encryption and data silos.
You may recall during the agent provisioning process a step along the way where Netify asked you for a passphrase, similar to the screen capture on the right. If you weren't paying close attention, you may have thought this passphrase when creating an organization was just another security credential - it is that, but much more.
As an example, let's say you wanted to map a device that is showing up in Netify under the MAC address 00-14-22-01-23-45. That's not a particularly easy-to-remember reference, so you create a user who owns the device and assign it to them. In doing so, you've gone from having a fairly anonymous data source (a MAC address) to an association that requires privacy. This is where the organization's encryption passphrase comes in. Whatever user information (e.g. first and last name) is entered in the form is encrypted in your browser, using the key only you have, and then sent to the Netify servers.
Data Silos and Mapping
Netify uses the concept of anonymous data silos to store information. There are four main data stores:
- Netify Meta-data
- Netify Archives
- Client Information
- Global data store
Let's deal with the last one first... the global data store contains no personal or network intelligence information at all. It is used across the Netify platform for things like Protocol and Application definitions, MAC vendor information, device hardware types etc.
The Netify Meta-data and Archives contain data that we use to present information to the client in the portal or accessed via the Netify API.
In this data silo, any information you choose to add to augment the dataset is encrypted with the passphrase you assigned to the organization on creation. This key is never sent to us, and resides only in the browser you use to access the client portal.
Any additional users who access your organization because you 'shared' it with them also require this passphrase. It is for this reason we encourage you to use a unique passphrase just for this purpose - one that you don't mind sharing with a colleague who needs access to your organization's Netify data.
Finally, we have the Client Information silo. This data is typical of any cloud-based service, containing your contact information, billing, settings and preferences. It does contain data linking to your Netify Meta-data and Archives; however, the relationship - a unique UUID - is encrypted on this end using the very same key used for the purposes of no-knowledge. This has very important implications - linking (or mapping) client identifying information to the meta-data and analysis pulled from your network can only be re-established through the use of the private key that only you have and that is never sent over the network to our servers.