ipMonitor 8.5 Administrator's Guide
ipMonitor's Security Model

Many setup and configuration choices you make while using ipMonitor also affect the security of your ipMonitor installation. The purpose of this page is to provide a top-down view of ipMonitor's various security features so you can determine which ones need to be implemented for your organization.

The need for secure network monitoring is clear:

  • ipMonitor tests key resources such as operating systems, SQL databases, file servers, mail systems, commerce solutions and infrastructure equipment around the clock.
  • The tests ipMonitor performs can include logging in to resources and generating synthetic transactions to measure quality of service.
  • If unauthorized persons from within or outside of your organization were to gain access to your network monitoring solution, many negative scenarios could unfold.
  • Without the ability to send Alerts, it might take some time before the security breach would be discovered.

ipMonitor's Security Model is designed to:

  • Provide security to the ipMonitor application itself and the critical data it stores internally.
  • Provide a safe network monitoring environment through secure network monitoring techniques and standard practices.

ipMonitor's Security Model encompasses authentication, authorization, encryption and protection against intrusion. Options include:


Secure Socket Layer

ipMonitor functions as a standalone HTTP/HTTPS server. It requires an SSL certificate to be installed before HTTPS communication can be enabled. SSL is used to:

  • Provide secure login and communication over non-secure channels such as the Internet.
  • Monitor resources that require SSL communication, such as the HTTPS Monitor and the ipMonitor Monitor.
  • Enable Credentials that may be used over SSL.
  • Perform SOAP transactions over SSL.

Although using SSL is optional, if a certificate has not been selected during the initial installation, ipMonitor will prompt to automatically generate a "self-signed" certificate and configure a secure web interface. The "self-signed" certificate will remain in use unless the assigned certificate is changed at a future date.

Refer to the About SSL Certificates section for more information regarding supported methods for acquiring SSL certificates.


Credentials

Credentials are at the heart of ipMonitor's security model. Credentials were implemented to solve a security weakness present in many network monitoring and management solutions.

Typically, network monitoring solutions execute all code, perform all monitoring, alerting and recovery actions, and perform any management capabilities using the account context the process or Service is installed under. In other words, network monitoring solutions support one account, which must be a network Administrator-level account in order to access resources throughout the network. This model is contrary to good security practices as it potentially exposes all the resources the Administrator account has access to.

ipMonitor solves this problem using its Credentials Manager. The Credentials Manager permits the ipMonitor Service to execute under the context of an account with least privileges, and then to impersonate accounts with elevated permissions when required by Monitors, Alerts and features accessing Windows file system objects or Services via the network.

The Credentials Manager also provides the following additional benefits:

  • Credentials can be tailored to the exact authentication requirements of the target resource.
  • A Credential can be reused to access any number of target resources. The ipMonitor Credentials Wizard automatically categorizes Credentials for reusability.
  • Use of a Credential can be limited to the Administrator who created the Credential or other Administrators can be permitted to use it.

Usage Restrictions can be applied to individual Credentials. A Credential can be:

  • Used over SSL
  • Used with Digest Authentication Schemes
  • Used with NTLM Authentication Schemes (Windows NT LAN Manager)
  • Used with Windows Impersonation for use with RPC
  • Used with Windows Impersonation to start an external process
  • Used with ADO (ActiveX Data Objects)
  • Used to encrypt data
  • Transmitted in clear text

If SSL is not used to log in to ipMonitor, the Credentials Manager:

  • Will permit only limited viewing of Credentials.
  • Will not allow configuration or management to take place.
  • Will not make account based information visible or accessible.

Note: ipMonitor maintains an internal data hive which it uses to store all sensitive data. RSA 512/1024 bit encryption is applied to the hive. Usage restrictions and display categories can be changed over HTTP; however, the Account, Password and Secret (for Radius) fields cannot be modified over HTTP.

Refer to the About Credentials section for more information.


Authentication Methods

Authentication is the act of validating a person's or client's identity. Typically, clients must present Credentials (a username/password pair) to identify themselves for authentication.

Although many of ipMonitor's Monitors are IP-based and don't require any Credentials (or Credentials are optional), many of ipMonitor's more advanced monitoring features require authentication to access network resources.

The Credentials Manager permits authentication method(s) to be defined for individual Credentials, which are in turn applied to Monitors, Alerts and features that require access to network resources:

  • May be used over SSL
    ipMonitor will perform authentication if the Secure Sockets Layer (SSL) encryption method is being used.
  • May be used with Digest Authentication Schemes
    Digest authentication is a challenge/response mechanism that is based on the principle of a shared secret (data) known to both the client and server. When challenged, the client (ipMonitor) creates a digest (hash) containing its secret key and password, which it sends to the server. If the server's independently created digest matches, the server authenticates the client.

    Note: Although Digest Authentication does not send passwords in clear text, unless SSL is used Digest Authentication is only a moderate improvement over Basic Authentication, as there is nothing to prevent recording of communications between the client and server.

  • May be used with Windows Authentication Schemes
    In a Windows networking environment, authentication methods consist of two protocols: NTLM or Kerberos v5 (depending on the Windows Operating Systems involved). Both NTLM and Kerberos v5 are encrypted authentication protocols. Kerberos v5 is the default authentication mechanism for the Windows 2000, XP and 2003 platforms.
  • May be used with Windows Impersonation for use with RPC
    RPC (Remote Procedure Call) is a programming interface that allows one program to use the services of another program on a remote machine. This Usage Restriction option allows the ipMonitor Service to impersonate the security context of a separate Account before carrying out the RPC call.
  • May be used with Windows Impersonation to start an external process
    This Usage Restriction option allows the ipMonitor Service to impersonate the security context of a separate Account before launching an external application or script.
  • May be used with ADO (ActiveX Data Objects)
    ADO is a programming interface from Microsoft that provides a standardized interface to many different databases and data sources. OLE DB Providers written by Microsoft and other vendors are used to connect to different types of data sources through one standardized interface.
  • May be used to encrypt data
    This Usage Restriction option allows ipMonitor to encrypt and export the Credentials Database when used to archive configuration data within the Internal Maintenance feature.

  • May be transmitted in clear text
    Using Basic Authentication, the username and password information is sent over the network encoded using Base64 encoding. Unless used over SSL, Basic Authentication is inherently insecure because Base64 can be easily decoded. Basic Authentication essentially sends the username and password as plain text.

Refer to the Credentials Manager section for information regarding how to create Credentials.
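The difference between the "transmitted in clear text" (Basic) and Digest options above is easiest to see on the wire. The following is an added example, not code from ipMonitor or the Administrator's Guide: it builds and parses both kinds of Authorization header for a constructed sample account (the username, password, realm, nonce and URI are made up), shows that a recorded Basic header yields the password with one Base64 decode, and implements the simple RFC 2617 Digest computation (MD5, no qop) on both the client and the server side so the verification step is visible.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample credential: not from the guide or any real installation.
SAMPLE_USER, SAMPLE_PASSWORD = "monitor", "S3cret!"


def make_basic_header(username: str, password: str) -> str:
    """Client side of Basic Authentication: 'user:password' merely Base64-encoded."""
    blob = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {blob}"


def parse_basic(header: str) -> tuple:
    """Recover the username/password pair from a Basic Authorization header.

    Base64 is an encoding, not encryption: anyone who records the request
    (and no SSL is in use) gets the pair back with a single decode call."""
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(blob).decode("utf-8").partition(":")
    return user, password


def _md5(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce) -> str:
    """RFC 2617 'response' for the simple case (algorithm MD5, no qop):
    MD5( MD5(user:realm:password) : nonce : MD5(method:uri) ).
    The password itself never leaves the client; only this hash is sent."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def make_digest_header(username, realm, password, method, uri, nonce) -> str:
    """Client side: the Authorization header sent after the server's 401 challenge."""
    resp = digest_response(username, realm, password, method, uri, nonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}"')


# key="quoted value" or key=token; quoted values may contain commas.
_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_digest(header: str) -> dict:
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest Authorization header")
    return {key: (quoted if quoted else token) for key, quoted, token in _PARAM.findall(params)}


def verify_digest(header: str, method: str, stored_password: str) -> bool:
    """Server side: recompute the response from the stored password and the
    fields the client echoed back, then compare in constant time."""
    p = parse_digest(header)
    expected = digest_response(p["username"], p["realm"], stored_password,
                               method, p["uri"], p["nonce"])
    return hmac.compare_digest(expected, p["response"])


def classify(header: str) -> str:
    """Triage a captured Authorization header: what does a recording reveal?"""
    scheme = header.split(" ", 1)[0].lower()
    if scheme == "basic":
        user, _ = parse_basic(header)
        return f"Basic: password for '{user}' is recoverable from the capture"
    if scheme == "digest":
        return "Digest: password is not in the capture, but without SSL the exchange can still be recorded"
    return f"{scheme}: unknown scheme"


if __name__ == "__main__":
    print(classify(make_basic_header(SAMPLE_USER, SAMPLE_PASSWORD)))
    hdr = make_digest_header(SAMPLE_USER, "ipMonitor", SAMPLE_PASSWORD, "GET", "/status", "n0nce")
    print(classify(hdr), verify_digest(hdr, "GET", SAMPLE_PASSWORD))
```

`verify_digest` fails when the method, URI or nonce differ from what the client hashed, which is why the server must track the nonces it issued; the constant-time compare avoids leaking how many leading hex digits matched. Production servers use the qop="auth" form, which additionally mixes a client nonce and request counter into the hash.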


IP Access Filters

For added security, access to the ipMonitor web interface can be restricted to specific IP addresses or ranges of IP addresses.

Using IP address ranges allows you to explicitly grant or deny access to a specific organization or entity:

  • If access is denied, ipMonitor will deny access to any users coming from those IP addresses.
  • If access is granted, ipMonitor will communicate only with those IP addresses and ranges of IP addresses in this IP Access Filters list.

Note: IP Access restrictions cannot be configured for individual portions of the ipMonitor application.

Refer to the Communications: Lockout section for information regarding how to grant or deny access to IP addresses.
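The grant/deny behaviour described above, as an added example that is not part of ipMonitor or the Administrator's Guide. It models the two list types (denied addresses are refused; when a granted list exists, only those addresses are served) and accepts single addresses, CIDR blocks and "first-last" ranges. The guide does not say what happens when an address appears in both lists, so this code assumes an explicit deny wins; all addresses used are constructed documentation ranges.

```python
import ipaddress
from dataclasses import dataclass, field


def _to_networks(entry: str):
    """Accept one address, a CIDR block, or a 'first-last' range and return the
    networks that cover it. Mixed IPv4/IPv6 comparisons simply never match."""
    if "-" in entry:
        first, last = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(entry.strip(), strict=False)]


@dataclass
class IPAccessFilter:
    denied: list = field(default_factory=list)    # "access is denied" entries
    granted: list = field(default_factory=list)   # "access is granted" entries

    @staticmethod
    def _matches(entries, client_ip) -> bool:
        return any(client_ip in net for entry in entries for net in _to_networks(entry))

    def allows(self, addr: str) -> bool:
        """Whole-interface decision; the guide notes filters cannot be applied
        per feature. Assumption: an explicit deny wins over a grant."""
        client_ip = ipaddress.ip_address(addr)
        if self._matches(self.denied, client_ip):
            return False
        if self.granted:
            return self._matches(self.granted, client_ip)
        return True  # no grant list configured: anything not denied may connect


def audit(access_filter: IPAccessFilter, source_ips) -> dict:
    """Map each source address (e.g. pulled from a web-server log) to whether it
    would reach the interface under the given filter."""
    return {ip: access_filter.allows(ip) for ip in source_ips}


if __name__ == "__main__":
    # Constructed sample: an admin subnet granted, one documentation range denied.
    f = IPAccessFilter(denied=["203.0.113.0/24"],
                       granted=["10.0.0.1-10.0.0.50", "192.168.1.10"])
    for ip, ok in audit(f, ["10.0.0.25", "10.0.0.51", "203.0.113.7"]).items():
        print(f"{ip:>15}  {'allowed' if ok else 'denied'}")
```

Because the filter gates the whole web interface rather than individual pages, a grant list that is too narrow locks out legitimate administrators just as surely as a missing deny entry admits outsiders; running `audit` over a day of access-log source addresses before enabling a new list is a cheap way to catch both.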


User Accounts

ipMonitor maintains a detailed User Account system to control which features users can access. Three classes of accounts exist within ipMonitor: Administrator, User and Guest accounts.

Administrator accounts:

  • Have full access to all ipMonitor features.
  • Can create, edit and delete User accounts.
  • Are the only account type that has permission to access and administrate Credentials.
  • Cannot be deleted until they are demoted to a general User Account.

Each User Account has its own List, Read, Write, Create, Delete and Attributes settings, which Administrators can apply to:

  • Real-time Statistics
  • Recent Activity
  • Historic Reports
  • Monitors
  • Monitor Filters
  • Groups
  • Notifications
  • Logs
  • Tools
  • Maintenance
  • Report Generators
  • Server Settings

Strong Passwords can be enabled system-wide to help ensure system security. When Strong Passwords are enforced, a password must contain:

  • One or more lowercase characters
  • One or more uppercase characters
  • One or more numeric characters
  • One or more non-alphanumeric characters
  • 6 or more characters in total

Note: ipMonitor Accounts are proprietary; they are not Windows accounts.

Note: ipMonitor maintains an internal data hive which it uses to store all sensitive data. RSA 512/1024 bit encryption is applied to the hive.

Refer to the Accounts section for information regarding how to create and configure Accounts.
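The account classes, per-feature permission settings and Strong Password rules described in this section, worked through as one added example (not ipMonitor's own code). It encodes the rules the guide states: Administrators have full access, only Administrators may administer Credentials or create accounts, an Administrator must be demoted before deletion, and each User account carries its own List/Read/Write/Create/Delete/Attributes flags per feature. The guide does not define what a Guest account may do, so Guests here simply have whatever flags they are granted; the account names and passwords are constructed.

```python
import re
from enum import IntFlag, auto

ROLES = ("Administrator", "User", "Guest")


class Perm(IntFlag):
    """The per-feature settings an Administrator can apply to a User Account."""
    LIST = auto()
    READ = auto()
    WRITE = auto()
    CREATE = auto()
    DELETE = auto()
    ATTRIBUTES = auto()


FEATURES = frozenset({
    "Real-time Statistics", "Recent Activity", "Historic Reports", "Monitors",
    "Monitor Filters", "Groups", "Notifications", "Logs", "Tools", "Maintenance",
    "Report Generators", "Server Settings",
})
ADMIN_ONLY = frozenset({"Credentials"})  # only Administrators administer Credentials

PASSWORD_RULES = (
    ("one or more lowercase characters", re.compile(r"[a-z]")),
    ("one or more uppercase characters", re.compile(r"[A-Z]")),
    ("one or more numeric characters", re.compile(r"[0-9]")),
    ("one or more non-alphanumeric characters", re.compile(r"[^A-Za-z0-9]")),
)
MIN_PASSWORD_LEN = 6


def password_violations(candidate: str) -> list:
    """Return the Strong Password rules the candidate breaks (empty list = accepted)."""
    problems = [text for text, pattern in PASSWORD_RULES if not pattern.search(candidate)]
    if len(candidate) < MIN_PASSWORD_LEN:
        problems.append(f"{MIN_PASSWORD_LEN} or more characters in total")
    return problems


class Account:
    def __init__(self, name: str, role: str, grants=None):
        if role not in ROLES:
            raise ValueError(f"unknown role {role!r}")
        self.name, self.role = name, role
        self.grants = dict(grants or {})  # feature -> Perm flags (default: nothing)

    def can(self, feature: str, perm: Perm) -> bool:
        if self.role == "Administrator":
            return True                   # full access to all ipMonitor features
        if feature in ADMIN_ONLY:
            return False                  # Credentials are Administrator-only
        if feature not in FEATURES:
            raise KeyError(f"unknown feature {feature!r}")
        return perm in self.grants.get(feature, Perm(0))


class AccountStore:
    def __init__(self, strong_passwords: bool = True):
        self.strong_passwords = strong_passwords
        self.accounts = {}

    def _require_admin(self, actor: Account) -> None:
        if actor.role != "Administrator":
            raise PermissionError("only Administrators manage accounts")

    def create(self, actor: Account, name: str, role: str, password: str, grants=None) -> Account:
        self._require_admin(actor)
        problems = password_violations(password) if self.strong_passwords else []
        if problems:
            raise ValueError("weak password: " + "; ".join(problems))
        self.accounts[name] = Account(name, role, grants)
        return self.accounts[name]

    def demote(self, actor: Account, name: str) -> None:
        self._require_admin(actor)
        self.accounts[name].role = "User"

    def delete(self, actor: Account, name: str) -> None:
        self._require_admin(actor)
        if self.accounts[name].role == "Administrator":
            raise PermissionError("demote the Administrator to a User before deleting")
        del self.accounts[name]
```

The two PermissionError paths are the ones worth testing in any access-control model of this shape: a non-Administrator must be refused regardless of the flags it holds, and an Administrator must not be removable in one step, since the demote-then-delete sequence is what leaves an audit trail of who lost the elevated role.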


Additional Resources

For information on other features and concepts related to those discussed in this article, refer to the following ipMonitor resources:


Last Updated: March 30, 2007



© 2003-2008 SolarWinds.net, Inc. All Rights Reserved. SolarWinds®, the SolarWinds logo, ipMonitor®, LANsurveyor®, and Orion® are among the trademarks or registered trademarks of the company in the United States and/or other countries. All other trademarks are property of their respective owners.