
Foglight Evolve 9.0 - Security and Compliance Guide


Multiple layers of defense

Appliances include multiple layers of defense to protect against intrusions and hack attempts:

Layer 1: Firewall

Appliances are designed to be installed in network environments that have strong security measures in place, including the use of firewalls and intrusion detection systems. Appliances must be installed behind the firewall. More specifically, the appliance’s control port must be accessible from behind the firewall only, while its monitoring ports may be connected to a network tap outside the firewall. The monitoring ports operate in promiscuous mode, and Web traffic that comes across these ports is copied to the Sniffer, so there is no risk of attack through these ports.

Appliances also include a built-in firewall which provides additional security beyond what is provided by the network environment. This firewall is constructed using the firewall rule-set building utility Bastille-Linux® (for details, see The firewall limits external access to the HTTP or HTTPS port for report viewing and additional ports used for intra-component communications.

If command-line access is needed for Quest Support to run low-level diagnostic procedures, customers may optionally open the SSH port. For more information, see Enable remote access using SSH.

The firewall also includes typical checks for illegal addresses and limits ICMP usage. Opening and closing HTTPS and SSH ports is the responsibility of APM Administrators.

Layer 2: Port scan detection and blocking tool

Many network intruders begin an attack by scanning the target network. Detection of such a scan offers one indication that an attack is about to begin. Appliance software attempts to detect such scans by monitoring access to ports that are not active on the appliance system, but are typically exploited by hackers (for example, FTP, POP3, IMAP). Upon detection, the appliance automatically adds the source IP address of the potential attacker to the firewall rule-set and blocks all future packets that appear to originate from that address. This functionality is implemented using the Port Sentry tool (for details, see

Layer 3: Customized operating system distribution

System tools that are part of an operating system could potentially be exploited by hackers. To reduce this risk, the following measures are taken:

Appliances have a minimal version of the 64-bit SUSE Linux® Enterprise Server (SLES) 11 operating system preinstalled.
Access to potentially exploitable tools (such as ping and traceroute) is severely restricted.
ping — The appliance’s Console Program uses the ping utility to verify network access during the appliance setup process. The Console Program requires a user account distinct from the browser interface user account. For more information, see User authentication on appliances.
traceroute — The traceroute utility is used only as an option in the alerting system; users can specify a traceroute to a particular IP address if an alert is triggered. The traceroute utility cannot be accessed other than through the alerting system.
All standard Linux® user accounts available on the appliance (such as shutdown, halt, and mailnull) have no login shell that allows an attacker to enter shell commands. For more information, see User authentication on appliances.
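
One way to check the last measure on a Linux system, as an added example that is not part of the Foglight documentation or the appliance software: the script flags system accounts whose shell field resolves to an interactive shell. The sample passwd and shells data are constructed, and the UID cutoff of 999 and the exclusion of root are assumptions to adjust for the system being audited.

```python
"""Flag system accounts in passwd-format data that can start an interactive shell."""

# Programs that end the session at once, even where /etc/shells lists them.
NON_INTERACTIVE = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false"}

# Constructed sample data (not taken from an appliance).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
ftp:x:40:49:FTP account:/srv/ftp:/bin/bash
legacy:x:98:98:old service:/var/lib/legacy:
operator1:x:1000:100:Console user:/home/operator1:/bin/bash
"""
SAMPLE_SHELLS = """\
# constructed /etc/shells
/bin/sh
/bin/bash
/sbin/nologin
"""

def parse_shells(text):
    """Return the interactive shells listed in /etc/shells-format text."""
    lines = (line.strip() for line in text.splitlines())
    return {l for l in lines if l and not l.startswith("#")} - NON_INTERACTIVE

def audit_system_accounts(passwd_text, shells_text, max_system_uid=999):
    """Return [(name, shell)] for system accounts whose shell is interactive."""
    interactive = parse_shells(shells_text)
    findings = []
    for raw in passwd_text.splitlines():
        fields = raw.strip().split(":")
        if raw.startswith("#") or len(fields) != 7:
            continue  # skip comments and malformed entries
        name, _pw, uid, _gid, _gecos, _home, shell = fields
        # Assumption: root keeps its shell; accounts above the cutoff are real users.
        if name == "root" or not uid.isdigit() or int(uid) > max_system_uid:
            continue
        effective = shell or "/bin/sh"  # passwd(5): an empty field means /bin/sh
        if effective in interactive:
            findings.append((name, effective))
    return findings

if __name__ == "__main__":
    for name, shell in audit_system_accounts(SAMPLE_PASSWD, SAMPLE_SHELLS):
        print(f"{name}: interactive login shell {shell}")
```

In the sample, shutdown and halt pass because their shell fields name single-purpose programs, while the account with an empty shell field is flagged because it falls back to /bin/sh.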