Data security
To establish data security and protect sensitive information, the system provides the following features:
- Data storage
- Data confidentiality
- Data export security
- Cross-domain policies
- Custom fields
- SSL encryption
- Network monitoring
- Default protocols and port configuration
Data storage
By encrypting traffic, the system protects both traffic data and end-users’ private data. To provide additional security, you can create data storage rules to specify what pages and objects the system should store, and how long they are retained.
By default, the system applies the data confidentiality policies on the traffic and then stores all traffic data until the maximum capacity (configurable value) is filled.
Data confidentiality
The system hides or deletes private data according to traffic confidentiality policies.
By default, the system deletes all key/value pairs received from cookies, URI query, POST, and PATH parameters, except the following:
- jsessionid
- aspsessi*
- asp.net_sessionid
- sid
- uid
- *tltuid*
- phpsessid
- crd_*
- udm_*
Confidentiality policies page
Users with Security-level access can configure confidentiality rules in accordance with your organization's privacy policies, so that the system does not retain private information derived from monitored traffic (such as credit-card numbers or dates of birth).
For more information, see the Securing-sensitive-data section.
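The following is an added example, not the product's own code, that implements the default parameter policy described above (drop every key/value pair from cookies, the URI query, POST bodies and path parameters except the listed session identifiers) and shows how a custom confidentiality rule layers on top of it. Two assumptions are mine and not stated on the page: key matching is case-insensitive glob matching, and the custom rule (a card-number mask applied to the values that survive the default list) is a hypothetical illustration of the kind of rule the Securing-sensitive-data section covers.

```python
"""Default parameter-confidentiality policy plus one custom masking rule.

Added example, not the product's code. Assumes case-insensitive glob
matching of parameter names against the documented keep-list.
"""
import fnmatch
import re
from urllib.parse import parse_qsl, urlencode

# Keys the default policy retains (glob patterns from the list above).
DEFAULT_KEEP = ("jsessionid", "aspsessi*", "asp.net_sessionid", "sid", "uid",
                "*tltuid*", "phpsessid", "crd_*", "udm_*")

# Hypothetical custom rule: mask anything that looks like a 13-19 digit card
# number (digits optionally separated by spaces or dashes) in retained values.
PAN_RE = re.compile(r"(?<!\d)(\d[ -]?){12,18}\d(?!\d)")


def is_kept(key, keep=DEFAULT_KEEP):
    """True when the parameter name matches one of the keep-list patterns."""
    k = key.lower()
    return any(fnmatch.fnmatchcase(k, pat) for pat in keep)


def mask_pan(value):
    """Replace every card-number-shaped run with the same number of X's."""
    return PAN_RE.sub(lambda m: "X" * len(m.group(0)), value)


def filter_pairs(pairs, keep=DEFAULT_KEEP, custom=(mask_pan,)):
    """Drop pairs whose key is not kept; run custom rules on the remaining values."""
    out = []
    for key, value in pairs:
        if not is_kept(key, keep):
            continue  # default policy: the pair is deleted entirely
        for rule in custom:
            value = rule(value)
        out.append((key, value))
    return out


def filter_query(query):
    """Apply the policy to a URI query string (also usable on a POST body)."""
    return urlencode(filter_pairs(parse_qsl(query, keep_blank_values=True)))


def filter_cookie_header(header):
    """Apply the policy to a Cookie request header."""
    pairs = []
    for part in header.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            pairs.append((name, val))
    return "; ".join(f"{k}={v}" for k, v in filter_pairs(pairs))


def filter_path_params(path):
    """Apply the policy to ';key=value' path parameters in each segment."""
    segments = []
    for seg in path.split("/"):
        base, *params = seg.split(";")
        pairs = [p.partition("=")[::2] for p in params]
        kept = filter_pairs(pairs)
        segments.append(";".join([base] + [f"{k}={v}" for k, v in kept]))
    return "/".join(segments)


if __name__ == "__main__":
    # Constructed sample inputs for the demonstration.
    print(filter_query("sid=42&password=hunter2&UDM_ref=x"))
    print(filter_cookie_header("JSESSIONID=abc123; theme=dark; ASP.NET_SessionId=xyz"))
    print(filter_path_params("/app;jsessionid=abc;user=bob/page"))
    print(filter_pairs([("crd_number", "4111 1111 1111 1111")]))
```

Note that the `crd_*` wildcard in the default keep-list is exactly why a custom value-level rule matters: a whitelisted name can still carry a sensitive value, and the mask runs only on what the name-based policy retains.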
Data export security
BMC recommends that you restrict access to the data-export APIs (Bulk data export, Watchpoint Summary export, Watchpoint streaming export, and so forth) to the system services that need them, such as data export, Watchpoint streaming, and non-secure data transfer.
Use the data export security options to permit or refuse the API access (see the Data export section on the Analyzer's Administration > Security settings > Services page).
Cross-domain policies
For security reasons, some applications (notably Adobe Flash Player) prevent cross-domain loading of data by default.
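As an added example (not a file shipped with the product), the following shows the two ends of a Flash cross-domain policy file, `crossdomain.xml`, served from the web root of the host whose data the widgets load. The first form is the permissive wildcard that defeats the cross-domain restriction entirely; the second restricts loading to one named origin over TLS and tells Flash Player to ignore any other policy files on the host. The host name `analyzer.example.com` is a placeholder.

```xml
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">

<!-- Weak: any domain may load data from this host via Flash. Avoid. -->
<!--
<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>
-->

<!-- Restricted: only the named UI origin, only over HTTPS, and only this
     master policy file is honoured (no per-directory policy files). -->
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="analyzer.example.com" secure="true"/>
</cross-domain-policy>
```

When checking a deployment, fetch `/crossdomain.xml` from the data host and confirm that no `allow-access-from` entry uses `domain="*"` and that `secure` is not set to `false` on an HTTPS host.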
Because the system has Flash widgets embedded in the UI, you must manage cross-domain data loading to secure the system. Use a cross-domain policy file to tell Flash Player which domains are permitted or denied access to content.
Custom fields
Custom fields let users extract arbitrary values from the traffic, including sensitive or confidential information. Users with Security-level access must therefore be careful about enabling the use of custom fields.
For more information, see the Custom-fields section.
SSL encryption
Only users with Security-level access can upload and delete stored decryption (SSL) keys. Uploaded keys cannot be viewed or downloaded.
BMC recommends that you review the confidentiality policy whenever you add new keys: decrypting a new service exposes traffic that was not visible when the policy was written, so the policy might not yet cover the data that service carries.
For more information, see the Handling-encrypted-traffic section.
Network monitoring
The system's capture ports must be connected to either a network tap or a mirror/SPAN port on a network switch. The capture ports operate in promiscuous mode only; they have no IP networking capabilities and cannot inject traffic into monitored networks.
Because taps and mirror/SPAN ports are receive-only from the system's side, traffic injection into monitored networks is prevented. The system can therefore be connected to external/DMZ networks securely, with assurance that monitored networks are not affected by the presence of this type of traffic-capture device.
Default protocols and port configuration
The table below lists the default protocol and port configuration for each service.
Service | Port | Protocol | Flow | Function | Default state | Notes |
---|---|---|---|---|---|---|
HTTPS | 443 | TCP | Inbound | Management UI | Enabled | Hardened Apache/Tomcat |
HTTP | 80 | TCP | Inbound | Redirect to 443 for UI | Enabled | Hardened Apache/Tomcat |
SSH (CLI) | 22 | TCP | Inbound | Initial configuration | Disabled | Only SSHv2 supported |
SNMP | 161 | UDP | Inbound | SNMP polling | Disabled | v1/v2/v3 supported; port can be changed |
SMTP | 25 | TCP | Outbound | Email alerts/reports | Disabled | Port can be changed |
Syslog | 514 | UDP | Outbound | System events | Disabled | |
NTP | 123 | TCP/UDP | Outbound | Time sync | Disabled | |
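The inbound rows of the table are a baseline that a hardening check can verify. The script below is an added example, not part of the product or the page: it encodes those rows, parses the output of `ss -Hlntu` on a Linux host (assumed to be available; when it is not, it falls back to a constructed sample), ignores loopback-only sockets, and reports listeners that are not in the baseline, baseline services that are disabled by default but found open, and default-enabled services that are not listening. The sample output is constructed to show an unexpected listener on tcp/8080 and SSH left enabled after initial configuration.

```python
"""Compare a host's listening sockets with the default inbound port baseline.

Added example, not vendor tooling. Baseline taken from the inbound rows of
the table above; `ss` invocation assumed, sample output constructed.
"""
import re
import subprocess

# (proto, port) -> (service, enabled by default)
BASELINE = {
    ("tcp", 443): ("HTTPS management UI", True),
    ("tcp", 80): ("HTTP redirect to 443", True),
    ("tcp", 22): ("SSH CLI", False),
    ("udp", 161): ("SNMP polling", False),
}

# Constructed `ss -Hlntu` output (headerless) for the demonstration.
SAMPLE_SS_OUTPUT = """\
udp   UNCONN 0      0            0.0.0.0:161        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:80         0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:443        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:8080       0.0.0.0:*
tcp   LISTEN 0      128          127.0.0.1:8005     0.0.0.0:*
"""

# proto, state, recv-q, send-q, local addr:port ...
_SS_LINE = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s+")


def parse_ss(output):
    """Return a set of (proto, local_addr, port) for each listening socket."""
    listeners = set()
    for line in output.splitlines():
        m = _SS_LINE.match(line)
        if m:
            listeners.add((m.group(1), m.group(2), int(m.group(3))))
    return listeners


def audit(listeners, baseline=BASELINE, allow_disabled=frozenset()):
    """Classify listeners against the baseline.

    allow_disabled: ports of default-disabled services that are intentionally
    on (for example SSH during initial configuration). Loopback-only sockets
    are ignored because they are not reachable from the network.
    """
    reachable = {(proto, port) for proto, addr, port in listeners
                 if not addr.startswith(("127.", "[::1]"))}
    result = {"unexpected": [], "should_be_off": [], "missing": []}
    for proto, port in sorted(reachable):
        if (proto, port) not in baseline:
            result["unexpected"].append((proto, port))
        elif not baseline[(proto, port)][1] and port not in allow_disabled:
            result["should_be_off"].append((proto, port))
    for (proto, port), (_, enabled) in sorted(baseline.items()):
        if enabled and (proto, port) not in reachable:
            result["missing"].append((proto, port))
    return result


def main():
    try:
        output = subprocess.run(["ss", "-Hlntu"], capture_output=True,
                                text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        output = SAMPLE_SS_OUTPUT  # no ss available: use the constructed sample
    findings = audit(parse_ss(output))
    for kind, items in findings.items():
        for proto, port in items:
            name = BASELINE.get((proto, port), ("not in baseline",))[0]
            print(f"{kind}: {proto}/{port} ({name})")


if __name__ == "__main__":
    main()
```

Run it after initial configuration and again after any change to the Services page; once SSH has been switched off, an empty report is the expected result. Outbound services (SMTP, Syslog, NTP) do not listen and are not covered by this check.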