2018-06-13 10:35:00 UTC

How do you plan for a security review for infrastructure monitoring software?


Is it required in your company to conduct a security review before purchasing an infrastructure monitoring solution? What are the common materials you use in the review? Do you have any tips or advice for the community? Any pitfalls to watch out for?

Guest
77 Answers
User

I would start by focusing on the accounts used and their privileges; other components aren't that interesting security-wise. But the accounts used are probably over-privileged, as my experience has shown me before.

2018-06-18 14:18:38 UTC
Top 5 Leaderboard, Real User

Although in our company we weren't required to conduct a security review before choosing an infrastructure monitoring solution, we looked particularly at the authentication method, that is, users' accounts, groups and permissions.
One tip we used was to look for a monitoring solution that can interface with an existing enterprise authentication server (LDAP server), so that users could log in directly to the purchased solution with their enterprise accounts.
So we no longer needed to invest in creating a new secure user database and could simply focus on creating user permissions depending on employee category.

2020-03-09 17:13:37 UTC
Real User

The documentation MUST indicate that the standard security configuration is DENY EVERYTHING and that permissions are granted based on multiple conditions (IP, user, schedule, ...).
The DB with which it is compatible must be able to be encrypted.
Compatible with ISO 27000.
The trial must pass several security tests before being included as an option to choose.

2018-06-21 00:48:49 UTC
Real User

My company does not require a security review per se, although we do incorporate security measures to protect our network. For example, if your monitoring system is public facing, you'd want to lock it down so that only the IP ranges and TCP/UDP port ranges necessary for you to monitor what you want to monitor are allowed in. If you are doing only active monitoring, then you don't really need to allow any establishment of connections from outside. If you are using SNMP traps, or an agent that pushes info to the monitoring services, the respective IPs and ports need to be allowed in. You can do this with a firewall like iptables.

Security by obscurity is also still a helpful thing. Default port numbers, etc. are low-hanging fruit for bots and things that scour the internet for easy victims. You can also use something like fail2ban, which creates a blacklist of IPs that repeat failed logins.

It is also helpful to ask the vendor which versions of software they use. It is possible they use an older version, which is not as secure as one that is regularly updated with security patches. For example, do they use MySQL? Which version? What about the OS? Is it a version still supported?

2018-06-19 00:07:52 UTC
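As an added example (not part of the answer above, nor any vendor's own script), here is the iptables lockdown that answer describes: a default-deny INPUT chain on the monitoring server that only accepts SNMP traps and agent pushes from the monitored ranges, plus SSH from a management network. The agent port (10051) and the management network (10.10.0.0/24) are assumptions; substitute your own. The function prints the commands so they can be reviewed before being piped to a root shell.

```shell
# Added example: emit a default-deny iptables INPUT policy for a monitoring server.
# Usage (review first, then apply as root):
#   gen_monitoring_fw "10.0.0.0/24 192.168.1.0/24" 162 10051 10.10.0.0/24 | sh
gen_monitoring_fw() {
    ranges="$1"                    # space-separated CIDR list of monitored hosts/collectors
    trap_port="${2:-162}"          # SNMP trap listener (UDP)
    agent_port="${3:-10051}"       # port agents push to (assumed; check your product)
    mgmt_net="${4:-10.10.0.0/24}"  # admin network allowed to SSH (assumed)

    echo "iptables -F INPUT"
    # Loopback, plus replies to polls we initiate ourselves (active monitoring
    # needs no inbound allow rules beyond this) and the admin's current session.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Only the monitored ranges may deliver traps or push agent data.
    for r in $ranges; do
        echo "iptables -A INPUT -s $r -p udp --dport $trap_port -j ACCEPT"
        echo "iptables -A INPUT -s $r -p tcp --dport $agent_port -j ACCEPT"
    done
    echo "iptables -A INPUT -s $mgmt_net -p tcp --dport 22 -j ACCEPT"
    # Rate-limited log of what gets dropped, so a forgotten range shows up in syslog.
    echo "iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix 'mon-drop: '"
    # Set the default-deny policy LAST, after the allow rules exist, so applying
    # this over SSH does not cut off the session that is applying it.
    echo "iptables -P INPUT DROP"
}
```

Everything not explicitly allowed (the web UI, the database port, the default agent port from the rest of the internet) is dropped, which is the "only the IP ranges and ports necessary" posture the answer describes; expose the UI separately, and only to the networks that need it.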
User

IT security is an ongoing exercise, with some sporadic penetration testing. The SOC should be closely coupled to the NOC, especially in terms of log management, traffic capture and analysis (for heuristics/forensics), connectivity/management, DNS security, WAF, etc.
So it's more than a security review before deploying a NOC; it's rather complete integration with due proper design and planning.

2018-06-18 14:56:47 UTC
User

Security is always important. The first thing you review, if you start using monitoring, is whether you need this on-premise or from the cloud.

With on-premise you follow your own security rules; however, the following questions are important:

- How is the monitoring data stored in the database?
- Is the DB FIPS enabled?
- How are agents sending data; is the data encrypted?
- What kind of data is sent between customer systems and the monitoring server?
- Does the monitoring software use security policies, or for example integrate with LDAP or Active Directory?

Today you have many tools for infra monitoring. We deliver monitoring from the cloud, using a VPN/IPsec tunnel between the customer and the systems in our cloud.

Also, we have customers doing security checks on our servers, and we use pattern recognition to check that our systems have no security leaks. Second, we use local gateways at the customer site to collect the data we need, and only the local gateway has a connection with our servers. Using this technology we have only one connection between the datacenter and the gateway; this connection is monitored all the time as well, and only 2 ports are open in the firewall.

Important is what you are using for infrastructure monitoring and how it is connected: what kind of interface is it, web or client/server, from the client to the monitoring server?

2020-03-11 12:33:16 UTC
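The "how are agents sending data, is the data encrypted?" question in the answer above is something you can verify rather than take from the brochure. As an added example (not part of the answer, and not any monitoring product's own code), the Python probe below connects to an agent/collector port, attempts a TLS handshake, and otherwise reports the first bytes the server sends in the clear; the in-process plaintext server and the host/port are constructed for the offline demo, so point `probe_port` at your own server to run it for real.

```python
"""Added example: classify a monitoring agent/collector port as TLS, plaintext
or closed. The demo server below is a constructed stand-in for an unencrypted
agent listener; the host/port are assumptions."""
import hashlib
import socket
import ssl
import threading


def probe_port(host, port, timeout=3.0):
    """Return ("tls", protocol_version, sha256_of_server_cert_der),
    ("plaintext", first_bytes_the_server_sent) or ("closed", error_text)."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return ("closed", str(exc))

    # Discovery only: the certificate is reported, not trusted. A deployment
    # check would verify it against your CA and pin the fingerprint instead.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True) or b""
            return ("tls", tls.version(), hashlib.sha256(der).hexdigest())
    except OSError:
        # Handshake failed (typically "wrong version number"): the port answered,
        # but not with TLS. wrap_socket closed `raw`, so reconnect and capture
        # whatever the server volunteers unencrypted.
        pass

    try:
        with socket.create_connection((host, port), timeout=timeout) as plain:
            try:
                banner = plain.recv(64)
            except socket.timeout:
                banner = b""  # server expects the client to speak first
    except OSError as exc:
        return ("closed", str(exc))
    return ("plaintext", banner)


def start_plaintext_server(banner, connections=2):
    """Constructed stand-in for an unencrypted agent listener on 127.0.0.1:
    sends `banner` to each client, drains what the client sent, then closes.
    Returns the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        for _ in range(connections):
            conn, _addr = srv.accept()
            with conn:
                conn.sendall(banner)
                conn.settimeout(1.0)
                try:
                    conn.recv(4096)  # read the ClientHello so close() is a clean FIN
                except OSError:
                    pass
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def free_port():
    """Pick a local TCP port with no listener, for the 'closed' case."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    port = start_plaintext_server(b"PLAIN-AGENT 1.0\n")
    print(probe_port("127.0.0.1", port))         # plaintext: agent data is readable on the wire
    print(probe_port("127.0.0.1", free_port()))  # closed
```

A "plaintext" result on the agent port is the answer to the checklist question regardless of what the data sheet says; a "tls" result is only the start, since the next questions are which versions and ciphers are negotiated and whether the agents actually verify the server certificate.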
Top 5 Leaderboard, Consultant

Security reviews for infrastructure monitoring software are limited to:
1. The software layer, for vulnerabilities.
2. User privileges.

2018-06-19 06:52:19 UTC