Chat now with support
Chat with Support

Please note, you may experience access issues between 6am - 7am Eastern time on Saturday, May 28 2022 due to planned maintenance

Foglight 6.0.0 - Security and Compliance Guide

Security overview
Foglight security measures Customer security measures Security features in Foglight FIPS-compliant mode Disclaimer
Security features for APM appliances Usage feedback Appendix: FISMA compliance

Secure use of customers' private keys

In addition to monitoring regular HTTP traffic, appliances can monitor Secure Socket Layer traffic (SSL/TLS). To enable monitoring of SSL traffic, customers upload their private SSL encryption keys to Foglight® using the browser interface. These keys are naturally of high sensitivity to customers.

The SSL keys are stored centrally on the Management Server in an encrypted file. When a Sniffer needs keys, the keys are transmitted over a two-way authenticated and encrypted SSL connection from the Management Server to the Sniffer. The remote Sniffer never writes the keys to disk, using them from memory only. When a Sniffer restarts, it submits a new request for keys.

Foglight uses the AES-256 data encryption algorithm to encrypt the SSL connection. The encryption key is created upon installation and is unique to each customer. It consists of a combination of random data and certain data specific to the customer, making it difficult to guess or enter using brute force. Each Sniffer has its own client certificate that is used for client side authentication, therefore only Sniffers added by the Administrator are allowed to connect to the Management Server. This prevents external attempts to open an SSL connection to the Management Server to request keys. The Sniffers use the server's certificate for authentication to prevent any man-in-the-middle attacks.

Foglight can also use private keys stored in a SafeNet Hardware Security Modules (HSMs) server to decrypt secure traffic. Foglight accesses and uses SafeNet private keys in a secure manner consistent with the SafeNet HSM model. In particular:

 

Usage feedback

The Foglight® Management Server can collect usage data about your environment and send it to Quest Software Inc. to improve support response. This data helps Quest Software Inc. identify potential bottlenecks, and improve the overall Management Server performance and server versions going forward.

The collected usage data contains information about the visited dashboards. It also includes the unique ID of the Management Server and its version information. It does not identify any users or provide additional information about their actions in the user interface.

By default, this feature may be enabled. To turn it off, click Disable on the Communication dashboard. This dashboard is accessible from the navigation panel in the Foglight browser interface, under Administration > Support > Support Notifications > Automatic Communication with Quest.

 

Appendix: FISMA compliance

The Federal Information Security Management Act (FISMA) was passed by the U.S. Congress and signed by the president as part of the Electronic Government Act of 2002. It requires “each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information system that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source”.

A major component of FISMA implementation is the publication by the National Institute of Standards and Technology (NIST), entitled “Recommended Security Controls for Federal Information Systems”, listed as NIST Special Publication 800-53 (for additional information about this document, see http://csrc.nist.gov/publications/PubsSPs.html#800-53). This document presents 17 general security categories that can be used to evaluate an information security to measure its level of compliance with FISMA. For this reason, this appendix offers the 17 categories listed in 800-53 and describes how Foglight® addresses them.

NIST 800-53 categories

This section presents the 17 categories listed in the NIST Special Publication 800-53 and describes how Foglight addresses those that apply.

The secure employment of Foglight® forms only one part of an information security program. A statement in this appendix that a particular security category is “applicable” to Foglight means only that Foglight contains security features that are or may be relevant to some or all aspects of the security category in question. It does not necessarily mean that Foglight fully meets all of the requirements described in that security category, or that the use of Foglight by itself guarantees compliance with any particular information security standards or control programs. The selection, specification, and implementation of security controls in accordance with a customer-specific security program is ultimately dependent upon the manner in which the customer deploys, operates, and maintains all of its network and physical infrastructure, including Foglight.

Access Control (AC)

Yes

Foglight 5 has an internal security service through which all requests must pass regardless of whether they originate from the user interface, the command-line or external APIs. The security service is user and role based and can be linked to LDAP or Active Directory®, enabling the storage and management of the user accounts, roles, and passwords, through those directories.

For appliances, access to an appliance is controlled through a separate user authorization mechanism. The appliance’s root password is not distributed to customers.

Awareness and Training (AT)

No

This category does not apply to Foglight, since it is the responsibility of the Foglight customers to develop and review their own security awareness and training policy.

N/A

Audit and Accountability (AU)

Yes

Foglight can display security and change audit logs for select time periods, including information about login history as well as any administrative and configuration changes made. Audit log entries contain identifying information such as a timestamp, user name, service name, and operation name.

A separate log file records troubleshooting data, debut information, lifecycle information, and agent information. No user names or passwords are included in the log file.

For appliances, changes made using the Console Program are logged. Separate logs are kept for Sniffers, Relayers, Archivers, and upgrades to appliance software.

Certification, Accreditation and Assessments (CA)

No

This category does not apply to Foglight, since it is the responsibility of the Foglight customers to develop and review their own security assessment, accreditation, and certification policy.

N/A

Configuration Management (CM)

Yes

The audit and log files contain information about any configuration changes made to Foglight. Role-based access control is enforced to limit users' ability to make changes. Foglight's configuration parameters are stored in local files and are read and cached internally upon startup.

The Foglight communication ports are restricted and configurable by administrators only.

Appliances are configured to provide only the services necessary for their operation, and makes unnecessary ones unavailable. A separate configuration change log records incremental changes to traffic capture and traffic analysis settings.

Contingency Planning (CP)

No

This category does not apply to Foglight, since it is the responsibility of the Foglight customers to design and implement their own contingency plans. As defined by NIST (publication 800-34), disruptive events to IT systems include power-outages, fire and equipment damage, and can be caused by natural disasters or terrorist actions.

N/A

Identification and Authentication (IA)

Yes

Foglight enforces identification, authentication, and password policies, providing well-defined rules for controlling how user names and passwords are created, as well as ensuring that only authorized users are able to log into the system.

The customer can also choose to authenticate users against an LDAP or AD supported directory.

 

For appliances, a user authorization mechanism (built on the Linux® Pluggable Authentication Modules) controls access to an appliance.

Incident Response (IR)

No

This category does not apply to Foglight, since it is the responsibility of the Foglight customers to develop and review their own incident response policy and procedures.

N/A

Maintenance (MA)

Yes

Quest Software Inc. monitors the embedded PostgreSQL® database included in Foglight developments for security developments and flaws and provides product updates and patches to customers when necessary.

 

For appliances, Quest Software Inc. monitors the systems on which the appliance is based (such as SLES and Apache), and provides security patches to customers when necessary. Remote appliance maintenance using SSH is available in agreement with the customer.

Media Protection (MP)

No

This category does not apply to Foglight, since it is the responsibility of the Foglight customers to develop and review their own media protection policies.

N/A

Physical and Environmental Protection (PE)

No

This category does not apply to Foglight, since it is the responsibility of the Foglight customers to develop and review their own physical and environmental policies.

N/A

Planning (PL)

No

This category does not apply to Foglight, since it is the responsibility of the Foglight customers to develop and review their own security planning policies.

N/A

Personnel Security (PS)

No

This category does not apply to Foglight, since it is the responsibility of the Foglight customers to enforce their own personnel security policies, including personnel screening and employment termination.

N/A

Risk Assessment (RA)

No

This category does not apply to Foglight, since it is the responsibility of the Foglight customers to develop and review their own risk assessment policies.

N/A

System and Services Acquisition (SA)

Yes

Quest Software Inc. has performed an internal security and compliance assessment of Foglight, including a risk analysis. A security checklist was completed with the help of the development team. This document is the result of the assessment.

N/A

System and Communications Protection (SC)

Yes

The Management Server's Web application server supports the use of SSL to protect user communication. A self-signed SSL certificate is used by default, and the customers have the ability to upload their own SSL certificate. Agent Manager communication between agents and the Management Server can also be protected with SSL. Communication between Java agents (non-Agent Manager-based) and the Management Server is unencrypted. No security is enforced to protect communication between the Management Server and an external database. The network ports over which Foglight components and protocols communicate are configurable.

For appliances, communication is encrypted between the Management Server and other components. Between Sniffers and Archivers, data is sent in the clear. Appliances are monitored for denial-of-service attacks and other potential attacks using a port scanner. To support secure communication with an appliance, SSH can be enabled.

System and Information Integrity (SI)

Yes

The Management Server and Cartridges/Agents use the JavaTM Cryptographic Extension library for cryptographic operations. The Triple DES (Data Encryption Standard) algorithm in chain block cipher mode is used for encrypting the service account's passwords (for example, the LDAP account). User passwords are hashed with the MD5 algorithm and stored in the Foglight database. Agent properties marked as sensitive are masked during display and encrypted during storage.

For appliances, user access is restricted, and a firewall and port scanner are used as intrusion detection tools. Appliances are build on a customized SLES operating system on which only necessary services are installed. Ports used for network connections are restricted. Hit details and content can be marked as sensitive and access restricted to authorized users. The collected data is stored in a database that is not accessible through the network. Changes to the traffic capture and traffic analysis configuration are tracked, allowing for the system to be rolled back to a stable state in case it gets corrupted. All upgrades, patches, and hotfix packages are digitally signed.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating