Default monitoring security
After it is configured and running, the NAM Probe device operates on a copy of the monitored network traffic obtained through network TAPs or switch port SPANs, and then sends metrics to a report server (or report server farm) for analysis, aggregation, and presentation of the collected metrics.
- The NAM Probe does not process the monitored traffic; it is not an in-line device.
- All packets are present in the NAM Probe’s RAM, but the typical analysis is limited to first few request and response packets. The remaining packets are counted and tracked, but the payload is not read. It is possible to analyze the full payload, but to meet security requirements you can configure it to analyze only packet headers. The analysis scope is defined during the analysis configuration phase.
- By default, the NAM Probe allows all packets to enter the network adapter driver’s buffers. After the analysis is completed, packets remain in memory until the memory is freed up and returned to the available memory pool. The NAM Probe analysis process uses proprietary memory management to achieve best performance.
Depending on the buffer sizes and traffic intensity, as soon as driver buffers are reloaded with new packets, the old packets are overwritten with no trace left of the old packets.
- Measured traffic is processed in NAM Probe memory and only the results of the analysis are saved. Results are the metrics and the measurement identification attributes such as server and client IP addresses, ports, application names, and user and transaction names (if so configured).
How is the personal information protected?
The security of the deployment is controlled on three levels: network access control, software access control, and physical access control.
- Network Access Control
The NAM Probe is fitted with two kinds of interfaces: monitoring and management. The monitoring interfaces have no IP addresses and are not addressable. They are connected to a SPAN port on a switch that is a transmit-only interface.
The management interface is the only one through which communication with the NAM Probe can be accomplished. The management interface has to be connected to the protected portion of the network.
- Software Access Control
The NAM Probe does not originate any traffic. The NAM Probe accepts incoming connections on the HTTPS port used for measurement data transfer to the report server and on the SSH port used for maintenance (console login). All communication of the NAM Probe with the external world occurs over secure channels. The maintenance port (SSH) can be disabled, so that the NAM Probe could only be accessed with physical KVM console access.
The NAM Probe requires the user to authenticate prior to accessing the system. This is governed by standard Linux OS procedures. This includes the ability of the NAM Probe to generate the access log (device access), both in the local disk storage and using remote messaging (syslog).
- Physical Access Control
Cavium and nCipher nShield cards offer the capability of storing private keys in hardware. This guarantees that the private keys are not present on the hard drive. Cavium and nCipher nShield HSMs provide FIPS-validated key management for all respective vendor cards in the servers you manage. The NAM Probe with an FIPS-compliant SSL accelerator becomes such a server installed on site.
The security policies applied within the enterprise to protect the WWW servers running SSL protocol have to be also applied to the NAM Probe that has the SSL keys on it. SSL key management procedures for your Web servers apply equally to the NAM Probe with SSL accelerator installed. This involves restricting physical access to the device to authorized personnel only and controlling how and when SSL keys are loaded to the NAM Probe.
Since the NAM Probe monitoring software operates on Red Hat Enterprise Linux, the NAM Probe as a system is susceptible to the default operating system security settings. For example, ports 22 (SSH) and 123 (NTP) may be open and used as a result of separate operating system security settings.