Foglight 6.0.0 - Security and Compliance Guide

QuestClick scripts

QuestClick scripts can potentially store confidential information including IDs, passwords, account numbers, and SSNs. It is therefore important that additional security options are provided to safeguard and protect such confidential information embedded within recorded scripts.

Understanding the Foglight platform's relationship to Java

Foglight® does not run JavaTM code in the browser, and therefore is not vulnerable to Java applet security issues. The recently reported Vulnerability Note VU#625617 is one example of such an issue.

The Foglight platform uses the Java Runtime Engine (JRE) internally to run the Management Server and the Agent Manager(s). These are self-contained software systems that are fully isolated from the Foglight platform’s content delivery system (the Web-based user interface) and as such they are not vulnerable to browser-based attacks. In particular, the Management Server and Agent Managers are not vulnerable to browser-based attacks that rely on the Java plug-in. Even when a Java plug-in is enabled in the browser, it cannot communicate with or influence the JRE instances that run Foglight in a separate process.

The Foglight platform’s Web-based user interface is a pure HTML interface which does not use Java. As such the Web-based user interface cannot be manipulated by Java plug-in–based attacks, and it remains fully operational when the Java plug-in is fully disabled. Customers using the Foglight platform’s Web-based user interface in their browsers may fully disable the Java plug-in without impacting their access to the Foglight platform.

"Clickjacking" vulnerability

Clickjacking is a vulnerability that causes an end user to unintentionally click invisible content on a web page, typically placed on top of the content they think they are clicking. This vulnerability can cause fraudulent or malicious transactions. One way to prevent clickjacking is by setting the X-Frame-Options response HTTP header with the page response. This prevents the page content from being rendered by another site when using iFrame HTML tags.

The Foglight Management Server adds the X-Frame-Options response HTTP header with the page response in the main URL: https://<localhost>:<port>/console/page. For the following two URL addresses, you can specify whether or not the page content is rendered by configuring the Frame Option option:

After specifying the value of Frame Option, the Foglight Management Server overwrites the value of the X-Frame-Options response header with the value of Frame Option. The value of the Frame Option option includes the following:

NOTE: Only the value configured in the top-level view takes effects.

FIPS-compliant mode

FIPS (Federal Information Processing Standard) 140-2 is a U.S. government security standard for hardware and software cryptography modules. Modules validated against the standard assure government and other users that the cryptography in the system meets the standard. For more information about the NIST FIPS 140-2 program, see Cryptographic Module Validation Program (CMVP) validation.