Deployment security guide

NAM is a monitoring system composed of several components communicating with each other. Some of these components are responsible for monitoring network traffic and must be placed within your network infrastructure. These components have default security settings for communicating with each other and for monitoring.

Important

To avoid confusion, be aware of the following product and component name changes that were introduced with Dynatrace NAM 2018:

DC RUM 2017 May release          | Dynatrace NAM 2018 release
---------------------------------|------------------------------------------------------
RUM Console                      | NAM Console
Central Analysis Server (CAS)    | NAM Server
Advanced Diagnostic Server (ADS) | Advanced Diagnostics on Demand feature of NAM Server
Agentless Monitoring Device (AMD)| NAM Probe

You will see these name changes reflected in the help.

All of the components are designed to run on either MS Windows or Red Hat Enterprise Linux operating systems. For more information on supported operating system versions, see Supported OS and SQL versions.

Default component security settings

The following network ports are used for communication between various NAM components within a particular deployment variant:

[Diagrams: NAM Deployment 1, NAM Deployment 2, NAM Deployment 3, NAM Deployment 4]

For the complete list of network ports and protocols used in NAM deployments, see Network ports and protocols.

Diagnostic information exports

For all NAM components, you can use the Diagnostic information export to export basic diagnostic information such as:

  • NAM Probe boot logs
  • Core dumps
  • Information about the operating system
  • Information about the hardware (memory, CPU, average load, devices, network interfaces)
  • Monitoring configuration (any settings related to software services, licenses and monitoring)

The exported diagnostic information files DO NOT contain any sensitive information such as SSL keys, passwords or account details. For all NAM components you can specify and control any additional information that you wish to export for the particular component such as:

  • Configuration data of that component
  • Data sample used by that component
    You can specify the time range of the sample fragment and apply a RegEx filter to potentially exclude any information that you may deem private.
  • SQL trace logs for the database of that component
  • Installation logs of that component

MS Windows components

Some components can operate on the same machine, where the security of the operating system on that machine applies to all NAM components installed on the machine. For example, the NAM Server (old CAS) report server can coexist with the NAM Console on the same Windows machine and use the same physical hardware. In such scenarios, a system-wide security implementation covers multiple NAM components (see deployments 3 and 4).

  • NAM Server (old CAS)
  • DC RUM 2017 May Advanced Diagnostics Server (ADS Report Server)
  • NAM Console (old RUM Console), including user management
  • Microsoft SQL Server (Database Server)

All of the Windows-based components use a database to store their configuration,

Red Hat Enterprise Linux components

The NAM Probe (old AMD) is a passive network probe that analyzes network traffic forwarded to it. The NAM Probe is non-intrusive – it does not alter or affect the monitored network traffic in any way and it is transparent to the servers and clients communicating over the network.

The following default security characteristics apply to both DC RUM 2017 AMD and NAM Probe (old AMD):

  • The NAM Probe operating system protocol stack has no access to packets received through the passive sniffing interfaces, and it does not use the sniffing interfaces to send any packets. As a result, no packet forwarding through the sniffing interfaces takes place.
  • The NAM Probe does not open connections to send data out. An explicit connection has to be established to get data out of the NAM Probe.
  • The NAM Probe uses the root account only to load the drivers. The monitoring process uses a standard compuware user account. (Release 12.4.11 and higher)
  • The NAM Probe accepts incoming connections via the HTTPS port and the SSH port. The HTTPS port is used for transferring measurement data to the report server, and the SSH port is used for maintenance tasks (console login). All communication with the external world occurs over secure channels.
  • A set of default compiler libraries necessary for driver recompilation is loaded to the NAM Probe during installation in order to recompile drivers used by the monitoring NICs should the need arise.
  • System security is not controlled by NAM Probe setup tools. The tcpwrappers library is not used to limit access to network services; a full firewall implementation is recommended.
    To permit the NAM Probe to operate fully and to communicate with the report server, you must ensure that certain network ports are open in the firewall. Check the Network ports and protocols topic to find out which ports should be open. Note that system tools or third-party software must be used to configure this functionality. For most networks, it may not be sufficient to use the Security Level Configuration Tool provided by Red Hat.
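
A check for the listener and outbound-connection characteristics listed above, as an added example (not Dynatrace code): it parses `ss -tan` output taken on the probe and flags TCP listeners other than SSH and HTTPS, plus connections the probe itself initiated. Ports 22 and 443, the function names and the sample socket table are assumptions constructed for illustration; take the real ports from the Network ports and protocols topic.

```python
import ipaddress

# Assumption: SSH on 22, HTTPS on 443. Confirm against "Network ports and protocols".
ALLOWED_LISTEN_PORTS = {22, 443}

# Constructed sample of `ss -tan` output (documentation address ranges only).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN  0      128    0.0.0.0:22          0.0.0.0:*
LISTEN  0      128    0.0.0.0:443         0.0.0.0:*
LISTEN  0      100    127.0.0.1:25        0.0.0.0:*
LISTEN  0      128    [::]:111            [::]:*
ESTAB   0      0      192.0.2.10:443      192.0.2.20:51514
ESTAB   0      0      192.0.2.10:22       192.0.2.30:40022
ESTAB   0      0      192.0.2.10:38412    198.51.100.7:8080
"""

def split_endpoint(endpoint):
    """Split 'addr:port' (IPv4 or bracketed IPv6) into (address, port string)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port

def is_loopback(host):
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # wildcard such as '*'
        return False

def audit(ss_output, allowed_ports=ALLOWED_LISTEN_PORTS):
    """Return (kind, detail) findings for a TCP socket table from `ss -tan`."""
    rows = [line.split() for line in ss_output.splitlines()[1:] if line.strip()]
    listening, findings = set(), []
    for cols in rows:
        if cols[0] != "LISTEN":
            continue
        host, port = split_endpoint(cols[3])
        listening.add(int(port))
        # Loopback-only listeners are not reachable from the network.
        if int(port) not in allowed_ports and not is_loopback(host):
            findings.append(("unexpected-listener", cols[3]))
    for cols in rows:
        if cols[0] not in ("ESTAB", "SYN-SENT"):
            continue
        host, port = split_endpoint(cols[3])
        # A local port nobody listens on means the probe initiated the connection.
        if not is_loopback(host) and int(port) not in listening:
            findings.append(("outbound-connection", f"{cols[3]} -> {cols[4]}"))
    return findings

if __name__ == "__main__":
    for kind, detail in audit(SAMPLE_SS_OUTPUT):
        print(f"{kind}: {detail}")
```

The check covers TCP only, so UDP services need a separate `ss -uan` pass.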

FAQ

Does NAM hold a PCI DSS compliance certificate?

No. As can be seen from the PCI DSS Control Objectives and PCI DSS Requirements, PCI compliance relates to business management processes and environments, not individual products and tools used in these environments.

Can NAM be configured with a PCI firewall?

Yes. NAM architecture is designed to provide PCI firewall inspection points along the internal data flows.
Because the NAM Probe (network probe) has insight into the customer data, it should be protected in the same manner as the network and server equipment is protected on the customer data processing path. Secure access to the NAM Probe, including restriction and auditing of the management connection to the NAM Probe.

Does NAM hold a SOC compliance certificate?

Dynatrace does, but NAM individually does not.

Is NAM security tested by an independent party?

Yes. We hire an independent party to conduct the NAM security and penetration tests. We don't publish the results of those tests, but can discuss them under a non-disclosure agreement.

Dynatrace NAM customers perform their own security and penetration tests and often share results with the Dynatrace lab, as an input to a continuous security improvement process.

As a part of the Dynatrace NAM development process, the lab uses the Nessus and Qualys scanners in every development cycle of the product.