Security FAQs
MSP FAQs
General FAQs
Integration FAQs
Support FAQs
Lavawall® was built from the ground up with the Minimum Viable Secure Product requirements in mind.
Some of the controls we implemented include:
Some of the controls we implemented include:
- PassKeys as the preferred primary authentication at no additional cost
- Single Sign-on using modern, maintained, and industry-standard protocols for all customers at no additional cost
- Multi-Factor Authentication as a non-negotiable default
- Encrypting communications the same way as TLS again within the TLS tunnel, so we can allow TLS inspection without breaking like Huntress or disclosing security vulnerabilities to eavesdroppers.
- Encouraging external vulnerability reports and customer testing
- Passwords checked against popular disclosed passwords, hashed before they leave your computer, and then stored using Argon2id
- Not requiring the use of passwords at all. We consider them a temporary backup authentication in case you can't use passkeys or SSO.
Lavawall® scanning computers are on dedicated servers in Calgary, Alberta, Canada.
Lavawall® databases and front-end systems are hosted with AWS in Montréal, Québec, Canada.
We send emails through AWS in Ireland and dedicated servers in Calgary, Alberta, Canada.
We send text messages for additional identity verification through Twilio in the United States.
We store executables and pass requests through Cloudflare at your nearest edge location.
We use Cloudflare for risk management, turnstile, and web application firewall services.
We use LeadPages for landing pages.
We use Google and Facebook for analytics on our public-facing pages, but they do not have access to the console.
We integrate with third-party tools, such as Microsoft, Google, Huntress, Screen Connect, Axcient, and Datto in their respective locations. However, you must initiate these integrations through single sign-on or by enabling them in your Lavawall® console.
Lavawall® databases and front-end systems are hosted with AWS in Montréal, Québec, Canada.
We send emails through AWS in Ireland and dedicated servers in Calgary, Alberta, Canada.
We send text messages for additional identity verification through Twilio in the United States.
We store executables and pass requests through Cloudflare at your nearest edge location.
We use Cloudflare for risk management, turnstile, and web application firewall services.
We use LeadPages for landing pages.
We use Google and Facebook for analytics on our public-facing pages, but they do not have access to the console.
We integrate with third-party tools, such as Microsoft, Google, Huntress, Screen Connect, Axcient, and Datto in their respective locations. However, you must initiate these integrations through single sign-on or by enabling them in your Lavawall® console.
Please report bugs through our contact form.
For urgent security issues, lease call us at 1-403-538-5053 and select 1 or say support.
Please note that your IP address will be banned for doing generic vulnerability scans and high-volume scans/denial of service attacks.
Given that we are in the initial launch, our compensation structure is very dynamic. In all cases, however, we will publicly acknowledge your contribution in our Change Log and welcome any suggestions.
For urgent security issues, lease call us at 1-403-538-5053 and select 1 or say support.
Please note that your IP address will be banned for doing generic vulnerability scans and high-volume scans/denial of service attacks.
Given that we are in the initial launch, our compensation structure is very dynamic. In all cases, however, we will publicly acknowledge your contribution in our Change Log and welcome any suggestions.
We encourage primary authentication for Lavawall® through Passkeys or Single Sign On (SSO).
However, we do allow passwords and use passwords as part of the zero-knowledge encryption for your clients' sensitive data, such as Bitlocker keys and Personally-Identifiable Information (PII).
These passwords use Argon2id slow hashes with individual salts and peppers. They go through a few hash rounds on your computer before being sent to our servers for further hashing.
However, we do allow passwords and use passwords as part of the zero-knowledge encryption for your clients' sensitive data, such as Bitlocker keys and Personally-Identifiable Information (PII).
These passwords use Argon2id slow hashes with individual salts and peppers. They go through a few hash rounds on your computer before being sent to our servers for further hashing.
Yes! Lavawall communicates with its endpoints through TLS. However, given that many of our clients want to be as secure as possible and have
TLS inspection enabled, we allow for "insecure" connections with invalid certificates, which result from such configurations.
We have added an additional secure tunnel that mimics the TLS process within the public TLS tunnel. This extra tunnel provides authentication and privacy for the workstations and the Lavawall® servers to prevent attacks such as the one that took down Solar Winds.
We have added an additional secure tunnel that mimics the TLS process within the public TLS tunnel. This extra tunnel provides authentication and privacy for the workstations and the Lavawall® servers to prevent attacks such as the one that took down Solar Winds.
We do not enable remote access tools like ScreenConnect unless you authorize them
and are logged in. Lavawall® was not vulnerable to the ScreenConnect vulnerability
because we install and uninstall it right before it's used. In addition, we give the option of linking to Access.
Remote access is not enabled for read-only and audit situations.
Remote access is not enabled for read-only and audit situations.
Lavawall®'s designer holds a CISSP and CISA. In addition, we have external and internal security reviews.
The “Add a Computer” page includes simple Powershell, Linux Bash, and Mac scripts to install the agent with any RMM.
We have specific instructions to set up variables with Datto RMM and are adding additional RMMs. Call our support team and we’ll set up an integration for your RMM.
We have specific instructions to set up variables with Datto RMM and are adding additional RMMs. Call our support team and we’ll set up an integration for your RMM.
Lavawall® indicates which computers have any of the following servies installed:
Huntress
Axcient
Datto RMM
Sophos
Panorama9
Lavawall also has API integrations with:Axcient*
Cloudflare*
Connectwise Screen Connect*
Datto RMM*
FreshDesk*
Huntress*
Microsoft 365*
Panorama9*
ZenDesk*
*In limited release/development
Lavawall also has API integrations with:
Lavawall® indicates which computers have any of the following servies installed:
Lavawall® breaks vulnerabilities into the following groups:
- Domain risks
- Operating System (OS) patches
- Application patches
- Network vulnerabilities
- Cloud vulnerabilities
- OS configurations
Yes!
You can use your own logo for the console and notifications. You can also use a CNAME to automatically brand your console.
Note: you cannot currently re-proxy the CNAME to Lavawall® through Cloudflare, but we are already behind Cloudflare.
You can use your own logo for the console and notifications. You can also use a CNAME to automatically brand your console.
Note: you cannot currently re-proxy the CNAME to Lavawall® through Cloudflare, but we are already behind Cloudflare.
Yes!
Lavawall® supports the following operating systems:All versions of Windows 10 and 11.
Debian, Ubuntu, Mint, and RedHat-based Linux distributions
MacOS
Lavawall® does not currently support non systemd distributions, such as Devuan, Artix Linux, PCLinuxOS, OpenWRT, and DD-WRT. However, we will support them by the end of 2025.
In June 2024, we combined the Windows and Linux systems for a consistent experience. This added support for RedHat and MacOS.
Lavawall® supports the following operating systems:
Lavawall® does not currently support non systemd distributions, such as Devuan, Artix Linux, PCLinuxOS, OpenWRT, and DD-WRT. However, we will support them by the end of 2025.
In June 2024, we combined the Windows and Linux systems for a consistent experience. This added support for RedHat and MacOS.
Lavawall® support is entirely in Canada from 8:00AM Eastern (Toronto) to 5:00PM Pacific (Vancouver).
For those in Mountain (Calgary) time, that is 6:00AM to 7:00PM.
Chat support is primarily supported from Alberta and BC. We have limited chat support before 8:00AM Mountain time.
For those in Mountain (Calgary) time, that is 6:00AM to 7:00PM.
Chat support is primarily supported from Alberta and BC. We have limited chat support before 8:00AM Mountain time.
The scanner’s default settings are non-intrusive and low impact. Unless you select the option to do so, it won’t scan ports for administrative services like SSH, databases, or Remote Desktop. Those ports tend to trigger alerts in some systems and we don’t want to receive abuse complaints. If you do select that option, the scanner only makes a short connection to the related ports. It doesn’t try to do any brute force or DDOS attacks. It doesn’t crawl the website or do rapid page requests. As such, in most situations, it isn’t only non-intrusive, but most systems won’t even notice it.
We hear you! As a managed IT provider, we feel your pain. The good news is your users can easily install it themselves or you can deploy it with your existing RMM or MDM without requiring an MDM or any security & privacy settings.
Seriously.
We were amazed that it worked too, but it is the easiest Mac security tool we’ve ever used.
Seriously.
We were amazed that it worked too, but it is the easiest Mac security tool we’ve ever used.
Maybe.
We’re building more automated fix-it tools into Lavawall®, so it’s possible that if you ask us to help you, we might be able to give you early access to fix the problem yourself with one click.
If you’re working with one of our Managed IT Service Provider (MSP) partners, then we’ll direct you to them.
If you’re an MSP, we’ll happily help you directly or support your clients with our white label service.
If you aren't working with one of our partners, then we’ll gladly support you and quickly fix any issues that Lavawall® identifies.
We understand that this is a bit complicated. However, Lavawall® grew out of our MSP practice, where we endured vendors going around us to serve our clients directly so they could make a couple bucks and we don’t ever want to do that to our partners.
We’re building more automated fix-it tools into Lavawall®, so it’s possible that if you ask us to help you, we might be able to give you early access to fix the problem yourself with one click.
If you’re working with one of our Managed IT Service Provider (MSP) partners, then we’ll direct you to them.
If you’re an MSP, we’ll happily help you directly or support your clients with our white label service.
If you aren't working with one of our partners, then we’ll gladly support you and quickly fix any issues that Lavawall® identifies.
We understand that this is a bit complicated. However, Lavawall® grew out of our MSP practice, where we endured vendors going around us to serve our clients directly so they could make a couple bucks and we don’t ever want to do that to our partners.