Chat now with support

Get Live Help
Complete Registration

Sign In

Request Pricing

Contact Sales

FREE TRIALS

Foglight 5.9.8 - Security and Compliance Guide

Table of Contents

Security overview

Foglight security measures Customer security measures Security features in Foglight

Service accounts

Agent credentials

Foglight users and groups Role-based access control Password policies

Setting password complexity levels

Required privileges

Installing Foglight Management Server Running Foglight Management Server Installing agent Components Manual database configuration

Controlling remote system access with credentials Protection of data collection infrastructure

Installation of data collection clients Agents requiring privilege escalation

Protection of stored data

Credentials for Foglight users LDAP credentials Management Server repository database credentials Foglight agent credentials Database repository

Protection of communicated data

Web application security Communication between Management Server and agents Communication between Management Server and clients Communication between Management Server and Java EE technology agents Communication between Management Server and XML over HTTP(S) agents Communication between Management Server and repository database

Default port assignments Agent adapter ports Client communication

Configuration parameters Audit log Log files Masking sensitive input data Uninstalling Foglight IPv6 Monitoring patches for the embedded database Daylight savings time extension QuestClick scripts Understanding the Foglight platform's relationship to Java "Clickjacking" vulnerability

FIPS-compliant mode

FIPS-compliant mode for Foglight Management Server FIPS-compliant mode for Foglight Agent Manager

Security features for APM appliances

Overview of APM appliances Trust model Multiple layers of defense

Layer 1: Firewall Layer 2: Port scan detection and blocking tool Layer 3: Customized operating system distribution Layer 4: Apache Tomcat server configuration

Restricted access to appliances

No root access User authentication on appliances Secure remote access Restricted network ports for appliances Defense against Denial-of-Service attacks

Logs for appliances Data entry validation for APM dashboards Installation of upgrades and patches Customer data protection on appliances

Restricted access to sensitive captured data Secure data storage in the Archiver database Secure data transfer between software components Secure use of customers' private keys

Usage feedback Appendix: FISMA compliance

NIST 800-53 categories

Overview of APM appliances

Appliances can host one or more of the following software components: Management Server, Sniffer, and Archiver. Appliances with a Sniffer component are attached to the customer’s network where they passively monitor Web traffic. Sniffers capture, decrypt, and analyze the Web traffic, and transmit content and metrics to one or more Archivers within the same capture group as the Sniffer. Archivers receive the data from Sniffers, analyze the data, and maintain databases used for searching, reporting, and replay. Archivers send snapshots of collected data to the Management Server for display in top-level APM dashboards.

The following table describes the type of appliances that implement the security features discussed in the rest of this section. Appliances come with a predefined set of software components installed on the appliance. Appliances can be physical appliances (PowerEdge series hardware) or virtual appliances (VMware® vSphere®). Both physical and virtual appliances can exist in the same installation, with some restrictions.

Table 1. Appliance types

Software Components

Available as a Physical Appliance

Available as a Virtual Appliance

All-in-One Appliance

•

Management Server

•

•

•

Management Server

•

Yes, on separate virtual disks

Management Server Appliance

•

Management Server

Archiver Appliance

•

Sniffer Appliance

•

Trust model

The following assumptions are made about the installed environment:

•

When more than one physical appliance is in use, the capture subnet ports are connected by a private cable (one Sniffer to one Archiver) or through a private network (when there is more than one Sniffer or Archiver).

•

An appliance’s control port is connected to the customer’s network. The IP addresses assigned within this network should preferably be private, that is, not directly accessible through the public Internet.

•

Only trusted, authorized personnel have physical access to the PowerEdge servers hosting physical appliances.

•

Only trusted, authorized personnel have user accounts on the appliances.

•

The password for the default setup account on each appliance is changed during the initial setup.

•

The password for the default foglight user in Foglight® is changed during the initial setup.

Multiple layers of defense

Appliances include multiple layers of defense to protect against intrusions and hack attempts:

•

Layer 1: Firewall

•

Layer 2: Port scan detection and blocking tool

•

Layer 3: Customized operating system distribution

•

Layer 4: Apache Tomcat server configuration

Layer 1: Firewall

Appliances are designed to be installed in network environments that have strong security measures in place, including the use of firewalls and intrusion detection systems. Appliances must be installed behind the firewall. More specifically, the appliance’s control port must be accessible from behind the firewall only, while its monitoring ports may be connected to a network tap outside the firewall. The monitoring ports operate in promiscuous mode, and Web traffic that comes across these ports is copied to the Sniffer, so there is no risk of attack through these ports.

Appliances also include a built-in firewall which provides additional security beyond what is provided by the network environment. This firewall is constructed using the firewall rule-set building utility Bastille-Linux® (for details, see http://bastille-linux.sourceforge.net/). The firewall limits external access to the HTTP or HTTPS port for report viewing and additional ports used for intra-component communications.

If command-line access is needed for Quest Support to run low-level diagnostic procedures, customers may optionally open the SSH port. For more information, see Enable remote access using SSH.

The firewall also includes typical checks for illegal addresses and limits ICMP usage. Opening and closing HTTPS and SSH ports is the responsibility of APM Administrators.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating