Data Center RUM Documentation


Data Center RUM (DC RUM) is a monitoring system composed of several components communicating with each other. Some of these components are responsible for monitoring network traffic and must be placed within your network infrastructure. These components have default security settings for communicating with each other and for monitoring.

All of the components are designed to run on either MS Windows or Red Hat Enterprise Linux operating systems. For more information on supported operating system versions, see OS and SQL supported versions in DC RUM.

Default security settings

The following network ports are used for communication between various DC RUM components within a particular deployment variant:

[Port diagrams for DC RUM Deployment 1, DC RUM Deployment 2, DC RUM Deployment 3 and DC RUM Deployment 4 (images not reproduced here)]

For the complete list of network ports and protocols used in DC RUM deployments, see Network Ports and Protocols.

MS Windows components

Some components can operate on the same machine, where the security of the operating system on that machine applies to all DC RUM components installed on the machine. For example, the Central Analysis Server (CAS) report server can coexist with the RUM Console and Central Security Server (CSS) on the same Windows machine and use the same physical hardware. In such scenarios, a system-wide security implementation covers multiple DC RUM components (see deployments 3 and 4).

  • Central Analysis Server (CAS Report Server)
  • Advanced Diagnostics Server (ADS Report Server)
  • RUM Console (operates on the server-client model, but both server and client are consolidated into one inseparable RUM Console entity)
  • Central Security Server (CSS)
  • Microsoft SQL Server (Database Server)

All of the Windows-based components use a database to store their configuration,

Red Hat Enterprise Linux components

The Agentless Monitoring Device (AMD) is a passive network probe that analyzes network traffic forwarded to it. The AMD is non-intrusive – it does not alter or affect the monitored network traffic in any way and it is transparent to the servers and clients communicating over the network.

There are two AMD variants: Classic AMD and High Speed AMD. The following are default Classic and High Speed AMD security characteristics:

  • The AMD operating system protocol stack has no access to packets received through the passive sniffing interfaces, and it does not use the sniffing interfaces to send any packets. As a result, no packet forwarding through the sniffing interfaces takes place.
  • The AMD does not open connections to send data out. An explicit connection has to be established to get data out of the AMD.
  • The AMD uses the root account only to load the drivers. The monitoring process uses a standard compuware user account. (Release 12.4.11 and higher)
  • The AMD accepts incoming connections only on the HTTPS port and the SSH port. The HTTPS port is used for transferring measurement data to the report server (CAS and ADS) and the SSH port is used for maintenance tasks (console login). All communication with the outside world occurs over secure channels.
  • A set of default compiler libraries necessary for driver recompilation are loaded to the AMD during installation in order to recompile drivers used by the monitoring NICs should the need arise.
  • System security is not controlled by the AMD setup tools. The tcpwrappers library is not used to limit access to network services; a full firewall implementation is recommended.
    To permit the AMD to operate fully and to communicate with the report server, you must ensure that certain network ports are open in the firewall. Check the Network Ports Opened for DCRUM topic to find out which ports should be open.

    Note that system tools or third-party software must be used to configure this functionality. For most networks, it may not be sufficient to use the Security Level Configuration Tool provided by Red Hat.
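The bullets above say the AMD should expose only HTTPS (measurement data to the report server) and SSH (console maintenance), with NTP possibly open through the OS configuration, and that limiting access is left to the firewall and system tools. The following added example is not DC RUM tooling; it is a small POSIX shell audit that takes a `ss -lntuH` snapshot of the AMD host's listening sockets and reports anything outside that expected set. It assumes the standard port numbers (22 for SSH, 443 for HTTPS, 123/udp for NTP), which the page does not state explicitly, and the snapshot lines below are constructed for an offline run.

```shell
#!/bin/sh
# Added example, not part of DC RUM: audit an AMD host's listening sockets
# against the services the documentation expects it to expose.
# Assumed port numbers (the page names the services, not the numbers):
#   SSH 22/tcp, HTTPS 443/tcp, NTP 123/udp tolerated per the OS security note.
AMD_ALLOWED="tcp:22 tcp:443 udp:123"

# Read `ss -lntuH`-style lines on stdin and print one "proto port" pair per
# socket. Example input line:
#   tcp   LISTEN 0 128   0.0.0.0:22   0.0.0.0:*
parse_listeners() {
    awk '
        $1 == "tcp" || $1 == "udp" {
            # field 5 is Local Address:Port; the port follows the last ":"
            # (works for 0.0.0.0:22, [::]:22 and *:22 alike)
            n = split($5, parts, ":")
            print $1, parts[n]
        }'
}

# Print every listener that is not on the allowlist (one per line).
unexpected_listeners() {
    parse_listeners | sort -u | while read -r proto port; do
        case " $AMD_ALLOWED " in
            *" $proto:$port "*) ;;          # expected service
            *) echo "$proto $port" ;;       # anything else is reported
        esac
    done
}

# Usage: ss -lntuH | audit_amd_listeners
# Returns 1 when unexpected listeners were found, 0 otherwise.
audit_amd_listeners() {
    found=$(unexpected_listeners)
    if [ -n "$found" ]; then
        printf 'Unexpected listening sockets on AMD host:\n%s\n' "$found"
        return 1
    fi
    echo "Only expected listeners (SSH, HTTPS, NTP) found."
    return 0
}

# Constructed sample snapshot (not from a real AMD) so the script runs offline;
# the local SMTP listener on port 25 is the deliberate finding.
SAMPLE_SS='tcp   LISTEN 0 128  0.0.0.0:22    0.0.0.0:*
tcp   LISTEN 0 128  0.0.0.0:443   0.0.0.0:*
tcp   LISTEN 0 128  127.0.0.1:25  0.0.0.0:*
udp   UNCONN 0 0    0.0.0.0:123   0.0.0.0:*'

# Run the audit over the sample when invoked with --demo
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_SS" | audit_amd_listeners
fi
```

On a live AMD, replace the sample with `ss -lntuH | audit_amd_listeners`; a non-zero exit is a cue to check the service against the Network Ports Opened for DCRUM topic and either add it to the allowlist or close it in the firewall.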

Default monitoring security

After it is configured and running, the AMD device operates on a copy of the monitored network traffic obtained through network TAPs or switch port SPANs, and then sends metrics to a report server (or report server farm) for analysis, aggregation, and presentation of the collected metrics.

  • The AMD does not process the monitored traffic; it is not an in-line device.
  • All packets are present in the AMD's RAM, but the typical analysis is limited to the first few request and response packets. The remaining packets are counted and tracked, but their payload is not read. It is possible to analyze the full payload, but to meet security requirements you can configure the AMD to analyze only packet headers. The analysis scope is defined during the analysis configuration phase.
  • By default, the AMD allows all packets to enter the network adapter driver’s buffers. After the analysis is completed, packets remain in memory until the memory is freed up and returned to the available memory pool. The AMD analysis process uses proprietary memory management to achieve best performance.
    Depending on the buffer sizes and traffic intensity, as soon as driver buffers are reloaded with new packets, the old packets are overwritten with no trace left of the old packets.
  • Measured traffic is processed in AMD memory and only the results of the analysis are saved. Results are the metrics and the measurement identification attributes such as server and client IP addresses, ports, application names, and user and transaction names (if so configured).
  • DC RUM does not store full information on client transactions, and it controls user access to the information it does hold through access rights management. By default the information is not stored at all; if DC RUM is configured to store it, it is kept only in a single, irreversibly masked form. As a result, there is no threat of a malicious user escalating access rights to acquire sensitive information stored in the system.


Operating System Security


Since the AMD monitoring software runs on Red Hat Enterprise Linux, the AMD as a system is subject to the default operating system security settings. For example, ports 22 (SSH) and 123 (NTP) may be open and in use as a result of separate operating system security settings.

During a fresh installation of the AMD monitoring software, the installation script turns off the following system services, which could affect AMD performance.

Red Hat Enterprise Linux 6:

apmd, auditd, avahi-daemon, bluetooth, cups, exim, firstboot, gpm, hidd, ip6tables, iptables, irqbalance, isdn, mdmonitor, mdmpd, netdump, netfs, pcmcia, rawdevices, rhnsd, saslauthd, sendmail, smartd, xfs, xinetd, kdump, NetworkManager

Red Hat Enterprise Linux 7:

auditd, avahi-daemon, bluetooth, cups, gpm, irqbalance, nfs, saslauthd, sendmail, sm-client, smartd, xinetd, NetworkManager
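Because the installer disables these services only on a fresh installation, it is worth re-checking an AMD host after patching or manual changes. The added example below is not DC RUM tooling: it is a POSIX shell check that feeds either `chkconfig --list` output (Red Hat Enterprise Linux 6) or `systemctl list-unit-files --type=service --no-legend` output (Red Hat Enterprise Linux 7) through a normalizer and prints which services from the two lists above are still enabled. The service lists are copied from this page; the tool output embedded in the script is constructed for an offline run, and a service counts as enabled on RHEL 6 when it is "on" in any of runlevels 2 through 5 (an assumption made here, matching how chkconfig reports boot-time services).

```shell
#!/bin/sh
# Added example, not part of DC RUM: report which of the services the AMD
# installer disables are still enabled on a host.

# Service lists copied from the documentation
RHEL6_SERVICES="apmd auditd avahi-daemon bluetooth cups exim firstboot gpm hidd ip6tables iptables irqbalance isdn mdmonitor mdmpd netdump netfs pcmcia rawdevices rhnsd saslauthd sendmail smartd xfs xinetd kdump NetworkManager"
RHEL7_SERVICES="auditd avahi-daemon bluetooth cups gpm irqbalance nfs saslauthd sendmail sm-client smartd xinetd NetworkManager"

# Normalize either tool's output (stdin) to "name enabled|disabled" lines.
normalize_services() {
    awk '
        # chkconfig --list line: name followed by runlevel:state pairs.
        # Assumption: enabled if any of runlevels 2-5 is "on".
        NF >= 7 && $2 ~ /^0:/ {
            state = "disabled"
            for (i = 2; i <= NF; i++) if ($i ~ /^[2-5]:on$/) state = "enabled"
            print $1, state
            next
        }
        # systemctl list-unit-files line: "name.service STATE"
        $1 ~ /\.service$/ {
            name = $1
            sub(/\.service$/, "", name)
            print name, ($2 == "enabled" ? "enabled" : "disabled")
        }'
}

# Usage: still_enabled "<service list>" < tool-output
# Prints, one per line, the listed services that are still enabled.
still_enabled() {
    wanted=" $1 "
    normalize_services | while read -r name state; do
        case "$wanted" in
            *" $name "*)
                if [ "$state" = "enabled" ]; then
                    echo "$name"
                fi
                ;;
        esac
    done
}

# Constructed sample outputs (not captured from a real AMD) for an offline run
SAMPLE_SYSTEMCTL='auditd.service          enabled
avahi-daemon.service    disabled
cups.service            enabled
sshd.service            enabled
NetworkManager.service  disabled'

SAMPLE_CHKCONFIG='auditd      0:off 1:off 2:on  3:on  4:on  5:on  6:off
iptables    0:off 1:off 2:off 3:off 4:off 5:off 6:off
sendmail    0:off 1:off 2:on  3:on  4:on  5:on  6:off
sshd        0:off 1:off 2:on  3:on  4:on  5:on  6:off'

if [ "${1:-}" = "--demo" ]; then
    echo "RHEL 7 sample, still enabled:"
    printf '%s\n' "$SAMPLE_SYSTEMCTL" | still_enabled "$RHEL7_SERVICES"
    echo "RHEL 6 sample, still enabled:"
    printf '%s\n' "$SAMPLE_CHKCONFIG" | still_enabled "$RHEL6_SERVICES"
fi
```

On a real host run `chkconfig --list | still_enabled "$RHEL6_SERVICES"` or `systemctl list-unit-files --type=service --no-legend | still_enabled "$RHEL7_SERVICES"`; sshd is deliberately absent from both lists, so the check never flags the SSH service the AMD relies on for maintenance access.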

You can avoid turning off these services by adding a parameter to the upgrade/installation file:

This option leaves the listed services on; however, they will still be listed during the installation process. For example:
