Chat now with support
Chat with Support

Foglight 5.9.5 - Security and Compliance Guide

Security overview
Foglight security measures Customer security measures Security features in Foglight Disclaimer
Security features for APM appliances Usage feedback Appendix: FISMA compliance

Daylight savings time extension

Foglight® is not affected by the changes introduced by the Daylight Savings Time (DST) Extension (U.S. Energy Policy Act of 2005). It relies on the operating system for time management and does not implement any special logic regarding DST settings.

QuestClick scripts

QuestClick scripts can potentially store confidential information including IDs, passwords, account numbers, and SSNs. It is therefore important that additional security options are provided to safeguard and protect such confidential information embedded within recorded scripts.

Understanding the Foglight platform's relationship to Java

Foglight® does not run JavaTM code in the browser, and therefore is not vulnerable to Java applet security issues. The recently reported Vulnerability Note VU#625617 is one example of such an issue.

The Foglight platform uses the Java Runtime Engine (JRE) internally to run the Management Server and the Agent Manager(s). These are self-contained software systems that are fully isolated from the Foglight platform’s content delivery system (the Web-based user interface) and as such they are not vulnerable to browser-based attacks. In particular, the Management Server and Agent Managers are not vulnerable to browser-based attacks that rely on the Java plug-in. Even when a Java plug-in is enabled in the browser, it cannot communicate with or influence the JRE instances that run Foglight in a separate process.

The Foglight platform’s Web-based user interface is a pure HTML interface which does not use Java. As such the Web-based user interface cannot be manipulated by Java plug-in–based attacks, and it remains fully operational when the Java plug-in is fully disabled. Customers using the Foglight platform’s Web-based user interface in their browsers may fully disable the Java plug-in without impacting their access to the Foglight platform.

"Clickjacking" vulnerability

Clickjacking is a vulnerability that causes an end user to unintentionally click invisible content on a web page, typically placed on top of the content they think they are clicking. This vulnerability can cause fraudulent or malicious transactions. One way to prevent clickjacking is by setting the X-Frame-Options response HTTP header with the page response. This prevents the page content from being rendered by another site when using iFrame HTML tags.

The Foglight Management Server adds the X-Frame-Options response HTTP header with the page response in the main URL: https://<localhost>:<port>/console/page. For the following two URL addresses, you can specify whether or not the page content is rendered by configuring the Frame Option option:

Remote Portlet URL: https://<localhost>:<port>/console/remote/<Referecen Id>
Network Operations Console URL: https://<localhost>:<port>/console/noc/<Referecen Id>

After specifying the value of Frame Option, the Foglight Management Server overwrites the value of the X-Frame-Options response header with the value of Frame Option. The value of the Frame Option option includes the following:

Related Documents