Hardening Guidelines

This section explains the recommended steps to secure your Flowmon deployment and reduce the potential attack surface. Flowmon is delivered as an appliance, including an operating system that is configured in a secure way respecting and reflecting a relevant subset of the CIS methodology. Each Flowmon release is tested for vulnerabilities. Following the recommendations outlined in this document will ensure that your Flowmon appliance is well secured.

Hardening guidelines

Measure	Description	Where to configure
WebGUI default password	Change the password for the admin user.	Configuration Center > System > User Settings
SSH console default password	Change the password for the flowmon user.	Log in to Flowmon using SSH (for example, using PuTTy) and run the sysconfig command to launch the interactive configuration utility
iDRAC default password	If your hardware-based Flowmon appliance is equipped with an iDRAC management interface, change the default user credentials.	Log in to the iDRAC management interface and change the login credentials.
Admin permissions	Do not create users with admin permissions unless it is necessary. Do not provide regular users access to the Configuration Center.	Configuration Center > System > User Settings
SNMP community string	The Flowmon appliance comes with preconfigured SNMPv2 with the community string "public". Change the community string. You can also switch to SNMPv3.	Configuration Center > System > System Settings > SNMP
Identity management	You can connect Flowmon to LDAP to avoid standalone user accounts and provide central authentication.	Configuration Center > System > System Settings > LDAP
SSL certificate	Flowmon comes with a self-signed certificate for secure access to the WebGUI. Replace the certificate for a trusted one that you generate using your certification authority.	Configuration Center > System > System Settings > Maintenance
Limit remote access	You can configure “Access restriction settings” to limit access to the management interface for predefined subnets to IP addresses.	Configuration Center > Remote Access
Web security headers	You can control additional security headers for the web-based user interface.	Configuration Center > System > System Settings > Maintenance
Regular updates	Enable regular update package downloads from services.flowmon.com. Enable notifications to inform administrators that a new package is available for installation. Keep your Flowmon up-to-date.	Configuration Center > Versions
Management VLANs	You can connect the Flowmon management interface to a dedicated management VLAN with restricted access.	Configured outside of the Flowmon system, depending on your environment.

Root access

The root access to Flowmon appliances is not provided to the customer and is kept only as a service account for Progress Software to provide technical support and maintenance. Any unauthorized modifications of the Flowmon appliance may negatively affect the functionality of the appliance and prevent future software updates. Only authorized support personnel may work with the appliance with root permissions. The root account itself is password protected and remote access is restricted. Therefore, the customer has full control over who has access to the root account. The following options are available for logging into the root account:

• the local console (requires physical access to the Flowmon appliance or access to the hypervisor hosting the Flowmon appliance),
• the iDRAC server management console (requires access to the iDRAC management console that is under full customer control),
• a privilege escalation (requires the use of sudo from the Command Line Interface (CLI) when the flowmon user is properly authenticated, access to the flowmon user is under full customer control).