Foglight 7.1.0 - Security and Compliance Guide

Protection of communicated data

The Management Server's Web application server supports the use of TLS, in order to protect Foglight® users' login credentials. Foglight provides its own self-signed TLS certificate on the Web application server, and enables customers to provide a replacement TLS certificate of their choice. TLS certificates are managed through the JavaTM keystore on the Management Server.

Basic HTTP (non-TLS) access can be disabled by disabling the HTTP port on the server. This disables both HTTP access to the Management Server browser interface and HTTP communication for agents that use the XML-over-HTTP protocol, forcing the use of HTTPS connections.

Web application security

The Management Server's Web application server supports the use of TLS, in order to protect Foglight® users' login credentials. Foglight provides its own self-signed TLS certificate on the Web application server, and enables customers to provide a replacement TLS certificate of their choice. TLS certificates are managed through the JavaTM keystore on the Management Server.

Basic HTTP (non-TLS) access can be disabled by disabling the HTTP port on the server. This disables both HTTP access to the Management Server browser interface and HTTP communication for agents that use the XML-over-HTTP protocol, forcing the use of HTTPS connections.

Communication between Management Server and agents

Most Foglight® agents communicate with the Management Server through the included client application, the Agent Manager.The exceptions are agents that use the low level XML over HTTP(S) data submission option. When activating an agent it is necessary to communicate its properties, which may include login credentials for accounts on the monitored host.

Communication between Management Server and clients

Foglight® Agent Manager (FglAM) implements a communication layer with XML messages sent to the Management Server over HTTP(S). These messages are sent to the same ports that the Management Server uses for all HTTP-based traffic, including the Web applications.

The Agent Manager allows the user to configure HTTP or HTTPS URLs for the Management Server, or a combination of both. When HTTPS is used, the Agent Manager rejects invalid certificates by default -- either self-signed, signed by an unrecognized certificate authority, or a certificate that declares a Common Name that does not match the Management Server host name (thus providing protection against man-in-the-middle attacks). Certificates can be added to the Agent Manager keystore. Like a Web browser, Agent Manager supports configuration options to relax these certificate verification controls, but these options will reduce the security provided by the TLS mechanism. If the Management Server is configured to only allow HTTPS access, the Agent Manager must be configured with an HTTPS URL to connect to the Management Server. By default, the Management Server uses the recommended cipher suites from the Open Web Application Security Project (OWASP). All default cipher suites are FIPS 140-2 compliant ciphers for its communication with the Agent Manager.

The Agent Manager supports concentrators. A concentrator is an Agent Manager instance that works similarly to an HTTP proxy. It is configured to accept connections from other Agent Manager instances (called downstream instances) and forward these connections to an upstream target, either the Management Server or another Agent Manager concentrator. These concentrators support HTTP or HTTPS communication with the upstream Management Server.

A concentrator’s upstream connection is independent of the downstream connections. For example, several Agent Manager instances on a local subnet can communicate to a concentrator using HTTP while the concentrator forwards requests over a non-secure network to the Management Server using HTTPS (or vice-versa).