Chat now with support

Get Live Help
Complete Registration

Sign In

Request Pricing

Contact Sales

Foglight 5.9.1 - Security and Compliance Guide

Table of Contents

Security overview

Foglight security measures Customer security measures Security features in Foglight

Service accounts

Agent credentials

Foglight users and groups Role-based access control Password policies

Setting password complexity levels

Required privileges

Installing Foglight Management Server Running Foglight Management Server Installing agent Components Manual database configuration

Controlling remote system access with credentials Protection of data collection infrastructure

Installation of data collection clients Agents requiring privilege escalation

Protection of stored data

Credentials for Foglight users LDAP credentials Management Server repository database credentials Foglight agent credentials Database repository

Protection of communicated data

Web application security Communication between Management Server and agents Communication between Management Server and clients Communication between Management Server and Java EE technology agents Communication between Management Server and XML over HTTP(S) agents Communication between Management Server and repository database

Enabling FIPS 140-2 mode for HTTPS traffic Network ports

Default port assignments Agent adapter ports Client communication

Configuration parameters Audit log Log files Masking sensitive input data Uninstalling Foglight IPv6 Monitoring patches for the embedded database Daylight savings time extension QuestClick scripts Understanding the Foglight platform's relationship to Java "Clickjacking" vulnerability

Security features for APM appliances

Overview of APM appliances Trust model Multiple layers of defense

Layer 1: Firewall Layer 2: Port scan detection and blocking tool Layer 3: Customized operating system distribution Layer 4: Apache Tomcat server configuration

Restricted access to appliances

No root access User authentication on appliances Secure remote access Restricted network ports for appliances Defense against Denial-of-Service attacks

Logs for appliances Data entry validation for APM dashboards Installation of upgrades and patches Customer data protection on appliances

Restricted access to sensitive captured data Secure data storage in the Archiver database Secure data transfer between software components Secure use of customers' private keys

Usage feedback Appendix: FISMA compliance

NIST 800-53 categories

Secure data storage in the Archiver database

Content, metrics, and other details captured from the monitored Web traffic are stored in a distributed Archiver database. The port through which the database is accessed is not open, and no tools that would allow access to this data are available to non-root appliance users. The only way to access the data is through controlled queries from the APM > Search dashboards.

By default, captured data is stored until an Archiver determines that it needs more space. The Archiver deletes the oldest data in the system to make room for new data. However, customers who require that data be stored for a limited time can configure the Archivers to remove data based on a maximum retention duration setting (for example, 48 hours or one week).

If customers need to decommission an appliance, they have the option to reset its database and verify that data is securely deleted before withdrawing the appliance from active service. For detailed instructions about purging the appliance database, see the Foglight™ APM Administration and Configuration Guide.

Secure data transfer between software components

Some top-level APM dashboards require that metrics and details be sent from the Archiver database to the Foglight database repository at regular intervals. This data is encrypted before being sent. For more information, see Layer 4: Apache Tomcat server configuration.

For the capture subnet, data is sent in the clear from a Sniffer component to an Archiver component through a custom-built TCP protocol over the dedicated port 7623. When these components are located on separate physical appliances, isolate the capture subnet using a crossover cable or a dedicated private switch. For virtual appliances, use a separate virtual capture network to keep this traffic from being generally available to all virtual machines in the customer’s environment.

Secure use of customers' private keys

Secure use of customers’ private keys

In addition to monitoring regular HTTP traffic, appliances can monitor Secure Socket Layer traffic (SSL/TLS). To enable monitoring of SSL traffic, customers upload their private SSL encryption keys to Foglight™ using the browser interface. These keys are naturally of high sensitivity to customers.

The SSL keys are stored centrally on the Management Server in an encrypted file. When a Sniffer needs keys, the keys are transmitted over a two-way authenticated and encrypted SSL connection from the Management Server to the Sniffer. The remote Sniffer never writes the keys to disk, using them from memory only. When a Sniffer restarts, it submits a new request for keys.

Foglight uses the AES-256 data encryption algorithm to encrypt the SSL connection. The encryption key is created upon installation and is unique to each customer. It consists of a combination of random data and certain data specific to the customer, making it difficult to guess or enter using brute force. Each Sniffer has its own client certificate that is used for client side authentication, therefore only Sniffers added by the Administrator are allowed to connect to the Management Server. This prevents external attempts to open an SSL connection to the Management Server to request keys. The Sniffers use the server's certificate for authentication to prevent any man-in-the-middle attacks.

Foglight can also use private keys stored in a SafeNet Hardware Security Modules (HSMs) server to decrypt secure traffic. Foglight accesses and uses SafeNet private keys in a secure manner consistent with the SafeNet HSM model. In particular:

•

SafeNet server certificates and client certificates are used to authenticate Foglight with the HSM server.

•

Foglight communicates with SafeNet HSM servers using the recommended PKCS #11 API.

•

Foglight never stores SafeNet private keys on disk and never exposes them in any interface.

Usage feedback

The Foglight™ Management Server can collect usage data about your environment and send it to Quest Software Inc. to improve support response. This data helps Quest Software Inc. identify potential bottlenecks, and improve the overall Management Server performance and server versions going forward.

The collected usage data contains information about the visited dashboards. It also includes the unique ID of the Management Server and its version information. It does not identify any users or provide additional information about their actions in the user interface.

By default, this feature may be enabled. To turn it off, click Disable on the Communication dashboard. This dashboard is accessible from the navigation panel in the Foglight browser interface, under Administration > Support > Support Notifications > Automatic Communication with Quest.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating

© 2024 Quest Software Inc. ALL RIGHTS RESERVED. Feedback Terms of Use Privacy Cookie Preference Center