Chat now with support
Chat with Support

Foglight Experience Monitor 5.8.1 - Security and Compliance Field Guide

Restricted access to the appliance

This section contains the following topics:
FxM access ports
Secure network communication
Data encryption
Configuration parameters and files
Defense against denial-of-service attacks
Defense against web console exploits
Auditing
IPv6
508 compliance

FxM access ports

The configuration of FxM, coupled with its firewall, severely restricts the ports through which it can be accessed. The following table summarizes the ports that are open by default, the ports that may be opened by FxM administrators through the FxM web console, and the ports that may be open when configuring FxM in a multiple-appliance cluster. These ports are accessible through FxM’s control port.

 
* 
NOTE: In this table, “Portal” refers to the appliance that serves as the master database for an installed cluster of FxM appliances. Portals are used to generate reports and to maintain a repository that contains all metrics collected by all monitoring appliances in the cluster. Monitoring appliances are referred to as “Probes”. Probes are also equipped with a full database and reporting user interface, but the metrics displayed are only those captured by that probe.
 
Table 2. FxM access ports
Port
Service
Protocol
Open
Type
Direction

80

HTTP

TCP

By default

Unidirectional

Inbound

443

HTTPS

TCP

Optional: SSL support

Unidirectional

Inbound

22

SSH

TCP

Optional: SSH support is activated

Unidirectional

Inbound

25

SMTP

TCP

Optional: Simple Mail Transport

Unidirectional

Outbound

21

FTP

TCP

Optional: FxM outbound FTP for backup

Unidirectional

Outbound

123

NTP

UDP

Optional: Network Time Protocol

Unidirectional

Outbound

162

SNMPTRAP

UDP

Optional: Simple Network Management Protocol

Unidirectional

Outbound

3306

MSQL

TCP

Optional: Foglight interface and remote database access

Unidirectional

Inbound

5000

-

Custom Protocol1

Multi-Appliance: default data port (configurable; between Probe and Portal only)

Unidirectional

Probe to Portal

3306

MSQL

TCP

Multi-Appliance: default control port (configurable; between Probe and Portal only)

Unidirectional

Probe to Portal

8080

HTTP

TCP

Optional: for authenticating Foglight users with FMS (port is configurable in FMS and FxM)

Unidirectional

Outbound

80

HTTP

TCP

Optional: for communication with FxV (port is configurable in FxV and FxM)

Unidirectional

Outbound

1

This is a proprietary protocol used for communication between FxM appliances.


In a stand-alone appliance setup, the Apache™ Web Server on the appliance uses port 80 (the only port open by default). Customers can configure the web server for SSL mode, if necessary. In that case, port 443 is opened and port 80 is closed.

If a remote troubleshooting session is required, customers can enable SSH access to the appliance for one or more users, in which case port 22 is opened. It it recommended to disable the SSH access immediately after troubleshooting the issue.

If time synchronization with a time server via NTP is enabled, then UDP port 123 is opened.

In addition, the FxM’s port scanner listens to inactive ports that are typically assigned to popular services, such as FTP, Telnet, POP3, etc. The following TCP ports are left open in order to detect port-scanning programs: 1, 11, 110, and 143. If the scanner detects that a machine is probing these ports, it automatically enters the machine’s IP address into its firewall filter and denies future access to FxM from that IP address.

Secure network communication

The FxM web server supports the use of the SSL protocol. This allows users to connect to FxM securely via the Internet and through the customer’s Intranet. In addition, FxM supports the use of SSH (Secure Shell) when command-line access is needed for Quest technical support to run low-level diagnostic procedures.

FxM supports multi-appliance use, whereby one appliance is defined to be the “portal” while the others are “probes”. The appliances communicate via a custom built TCP protocol over custom ports. The default data port is 5000 and the default control port is 3306. Probe appliances periodically send their collected analysis data to the portal appliance, which in turn acts as a central repository for all monitored data. The appliances can be configured to inter-communicate via SSL, whereby data sent over port 5000 gets encrypted with AES-256. When the optional use of SSL is not chosen, data is passed in the clear between the distributed monitors and the portal appliance. There is currently no mutual authentication between the appliances.

Data encryption

FxM uses the AES-256 data encryption algorithm to encrypt the customer’s private SSL keys. AES-256 is a symmetric key stream cipher that is widely used throughout industry. FxM’s encryption key is created upon installation and is unique to each customer. It consists of a combination of random data and certain data specific to the customer, making it difficult to guess or enter using brute force.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating