Chat now with support

Get Live Help
Complete Registration

Sign In

Request Pricing

Contact Sales

Foglight 5.9.1 - Security and Compliance Guide

Table of Contents

Security overview

Foglight security measures Customer security measures Security features in Foglight

Service accounts

Agent credentials

Foglight users and groups Role-based access control Password policies

Setting password complexity levels

Required privileges

Installing Foglight Management Server Running Foglight Management Server Installing agent Components Manual database configuration

Controlling remote system access with credentials Protection of data collection infrastructure

Installation of data collection clients Agents requiring privilege escalation

Protection of stored data

Credentials for Foglight users LDAP credentials Management Server repository database credentials Foglight agent credentials Database repository

Protection of communicated data

Web application security Communication between Management Server and agents Communication between Management Server and clients Communication between Management Server and Java EE technology agents Communication between Management Server and XML over HTTP(S) agents Communication between Management Server and repository database

Enabling FIPS 140-2 mode for HTTPS traffic Network ports

Default port assignments Agent adapter ports Client communication

Configuration parameters Audit log Log files Masking sensitive input data Uninstalling Foglight IPv6 Monitoring patches for the embedded database Daylight savings time extension QuestClick scripts Understanding the Foglight platform's relationship to Java "Clickjacking" vulnerability

Security features for APM appliances

Overview of APM appliances Trust model Multiple layers of defense

Layer 1: Firewall Layer 2: Port scan detection and blocking tool Layer 3: Customized operating system distribution Layer 4: Apache Tomcat server configuration

Restricted access to appliances

No root access User authentication on appliances Secure remote access Restricted network ports for appliances Defense against Denial-of-Service attacks

Logs for appliances Data entry validation for APM dashboards Installation of upgrades and patches Customer data protection on appliances

Restricted access to sensitive captured data Secure data storage in the Archiver database Secure data transfer between software components Secure use of customers' private keys

Usage feedback Appendix: FISMA compliance

NIST 800-53 categories

Multiple layers of defense

Appliances include multiple layers of defense to protect against intrusions and hack attempts:

•

Layer 1: Firewall

•

Layer 2: Port scan detection and blocking tool

•

Layer 3: Customized operating system distribution

•

Layer 4: Apache Tomcat server configuration

Layer 1: Firewall

Appliances are designed to be installed in network environments that have strong security measures in place, including the use of firewalls and intrusion detection systems. Appliances must be installed behind the firewall. More specifically, the appliance’s control port must be accessible from behind the firewall only, while its monitoring ports may be connected to a network tap outside the firewall. The monitoring ports operate in promiscuous mode, and Web traffic that comes across these ports is copied to the Sniffer, so there is no risk of attack through these ports.

Appliances also include a built-in firewall which provides additional security beyond what is provided by the network environment. This firewall is constructed using the firewall rule-set building utility Bastille-Linux® (for details, see http://bastille-linux.sourceforge.net/). The firewall limits external access to the HTTP or HTTPS port for report viewing and additional ports used for intra-component communications.

If command-line access is needed for Quest Support to run low-level diagnostic procedures, customers may optionally open the SSH port. For more information, see Enable remote access using SSH.

The firewall also includes typical checks for illegal addresses and limits ICMP usage. Opening and closing HTTPS and SSH ports is the responsibility of APM Administrators.

Layer 2: Port scan detection and blocking tool

Many network intruders begin an attack by scanning the target network. Detection of such a scan offers one indication that an attack is about to begin. Appliance software attempts to detect such scans by monitoring access to ports that are not active on the appliance system, but are typically exploited by hackers (for example, FTP, POP3, IMAP). Upon detection, the appliance automatically adds the source IP address of the potential attacker to the firewall rule-set and blocks all future packets that appear to originate from that address. This functionality is implemented using the Port Sentry tool (for details, see http://sourceforge.net/projects/sentrytools).

Layer 3: Customized operating system distribution

System tools that are part of an operating system could potentially be exploited by hackers. To reduce this risk, the following measures are taken:

•

Appliances have a minimal version of the 64-bit SUSE Linux® Enterprise Server (SLES) 11 operating system preinstalled.

•

The latest operating system security patches and upgrades are applied with every release of the appliance software.

•

Many tools and packages that represent common vulnerabilities are stripped out of the distribution. For example, server instances of Telnet, FTP server, rlogin, NFS, Samba, and lpr are not installed on the appliance.

•

Access to potentially exploitable tools (such as ping and traceroute) is severely restricted.

•

ping — The appliance’s Console Program uses the ping utility to verify network access during the appliance setup process. The Console Program requires a user account distinct from the browser interface user account. For more information, see User authentication on appliances .

•

traceroute — The traceroute utility is used only as an option in the alerting system; users can specify to traceroute to a particular IP address if an alert is triggered. There is no other access to the traceroute utility other than through the alerting system.

•

Appliances implement shadow passwords to make brute force password attacks harder to execute.

•

All standard Linux® user accounts available on the appliance (such as, shutdown, halt, and mailnull) have no login shell that allows an attacker to enter shell commands. For more information, see User authentication on appliances .

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating

© 2024 Quest Software Inc. ALL RIGHTS RESERVED. Feedback Terms of Use Privacy Cookie Preference Center