Chat now with support
Tchattez avec un ingénieur du support

Foglight Experience Monitor 5.8.1 - Security and Compliance Field Guide

Layer 2: Port scan detection and blocking tool

Many network intruders begin an attack by scanning the target network. Detection of such a scan offers one indication that an attack is about to begin. FxM attempts to detect such scans by watching for access to ports that are not active on the appliance system, but are typically exploited by hackers (for example, FTP, POP3, IMAP). Upon detection, the FxM system automatically adds the source IP address of the potential attacker to the firewall rule-set and blocks all future packets that appear to originate from that address. This functionality is implemented using the Port Sentry tool (for details, see http://sourceforge.net/projects/sentrytools).

Layer 3: Customized operating system distribution

System tools that are part of an operating system could potentially be exploited by hackers. To reduce this risk, the following measures have been taken:

FxM bundles the 64-bit SUSE Linux® Enterprise Server 11 SP4 operating system.
Many tools and packages that represent common vulnerabilities are stripped out of the distribution. For example, Telnet, FTP server, rlogin, NFS, Samba, and lpr are not installed on the appliance.
Access to potentially exploitable tools needed by FxM to operate (such as ping and traceroute) has been severely restricted.
Foglight Experience Monitor requires the ping utility to verify network access during the appliance setup process. This is only available through the console program, whose access requires a different account, other than that used to access the web console.
The traceroute utility is only used as an option in the alerting system; users can specify to traceroute to a particular IP address if an alert is triggered. There is no other access to the traceroute utility other than through the alerting system.
All standard Linux® user accounts available on the appliance (that is, shutdown, halt, mailnull, etc.) have no login shell that would allow an attacker to enter shell commands. Only user accounts with “Terminal access enabled” have a login shell. The shell can only be accessed through the terminal or SSH. The password for a user account is specified by the FxM user, and must be a strong password in order to enable SSH access.

Layer 4: Apache Server configuration

The Apache™ Server that is included in FxM represents the single greatest point of vulnerability, since port 80 (or 443) is the only port that is normally open on the system. Therefore, the configuration of the Apache Server included in the appliance has been “locked-down” so that it is less vulnerable than the standard Apache installation.

Many Apache exploits typically attack vulnerabilities that are exposed due to the improper configuration of the Apache Server itself. Many of the Apache capabilities that are commonly exploited are disabled in the configuration of the FxM Apache Server. For example, CGI scripts are a notorious source of vulnerabilities in Apache. FxM does not employ CGI scripts and the handler for CGI scripts is removed from the Apache configuration file, so they cannot be executed.

The Apache processes on the FxM appliance run in a user account that has limited rights. This account has no login shell and can only access a restricted set of directories. If a buffer overflow exploit were to be successful against the FxM’s Apache Server, the hacker would not easily be able to modify or read system files, since the user account in which Apache runs has no rights to access those areas of the system.

User authentication and access control

FxM enforces identification, authentication, and password policies, providing well defined rules for controlling how user names and passwords are created, as well as ensuring that only authorized users are able to log into the system.

This section presents the mechanisms used to authenticate FxM users (see FxM user authentication) and Foglight Experience Monitor users drilling down in to the FxM appliance (see Foglight user authentication). It also presents the privileges associated with different types of user accounts (see User authorization and privileges), and provides information about strong passwords (see Strong passwords).

Documents connexes