# Security

VirtualMetric uses *Microsoft IIS Server* as its web server, so *VirtualMetric Dashboard* and the *VirtualMetric API* can be kept up to date and secure through *Microsoft Update*. VirtualMetric also uses *Microsoft SQL Server* as its database server, where it stores user, inventory, and monitoring data. As a result, you can use **Microsoft** authentication and encryption methods to secure *Microsoft SQL Server* as well.

We have put a lot of effort into making VirtualMetric suitable for enterprises and into meeting the requirements of their network and security policies. For example, VirtualMetric does not require an agent to connect to servers. This is a great advantage for enterprises because VirtualMetric does not touch any system files, does not require any registry changes, and does not load any DLLs or drivers onto the monitored servers. This can help keep security scans simple, as there are no system changes on your servers. Similarly, VirtualMetric connects to **Windows**, **VMware**, and **Linux** servers remotely to collect monitoring and inventory data, so we focus on making this remote connection as secure as possible.

Further details can be found in the relevant sections below.

***

## Authentication

VirtualMetric allows you to use two different authentication methods to connect to servers: **Basic** and **Active Directory**.

* If you set up VirtualMetric on an Active Directory member server, you can start *VirtualMetric Collector* with a privileged account on Active Directory. By doing so, you can avoid the need to type any usernames/passwords to connect to servers in the same Active Directory.
* If you want to use Basic Authentication to connect to servers, VirtualMetric uses the **Advanced Encryption Standard** (**AES**) with a **128-bit** key to encrypt your passwords. AES is one of the most secure encryption methods, is used in most modern encryption technologies, and is considered to be logically unbreakable.

|                                 | Password in Database? | Password Security |
| ------------------------------- | --------------------- | ----------------- |
| Active Directory Authentication | No                    | No                |
| Basic Authentication            | Yes                   | AES 128-bit       |

{% hint style="info" %}
We suggest using Active Directory Authentication wherever your environment allows it.
{% endhint %}

When you create a user to connect to the *VirtualMetric API* or the *Dashboard*, we also hash the user's password with **MD5**. VirtualMetric databases only contain **MD5** hashes of your passwords. When a user tries to log in to VirtualMetric, we only send an **MD5** hash over the network.

***

## Encryption

Communication between VirtualMetric and the monitored servers is encrypted at the protocol layer. When VirtualMetric connects to your servers, it uses the **SSL** protocol to protect your sensitive data from prying eyes.

| Platform | Secure Authentication | Encrypted Data Transfer | SSL Supported? |
| -------- | --------------------- | ----------------------- | -------------- |
| Windows  | ✓                     | ✓                       | ✓              |
| VMware   | ✓                     | ✓                       | ✓              |
| Linux    | ✓                     | ✓                       | ✓              |

***

## Connection Protocols

If you use Active Directory authentication for your Windows Servers, VirtualMetric uses *PowerShell Remoting* to connect to them. PowerShell Remoting is a solution to some of the security and consistency issues that IT professionals currently have to work around. It is built on Microsoft's implementation of the **Web Services for Management** (WSMan) protocol, and it uses the **Windows Remote Management** (WinRM) service to manage communication and authentication. This framework was designed to be a secure and reliable method for managing computers, and it is built on well-known standards like *Simple Object Access Protocol* (SOAP) and *Hypertext Transfer Protocol* (HTTP). The communication between VirtualMetric and the monitored server is encrypted at the protocol layer except when basic access authentication is used, which is intended for Hypertext Transfer Protocol Secure (HTTPS) sessions. Since we use WinRM, you can always configure WinRM security, change the encryption type, and set an SSL certificate to make communication even more secure.
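
The WinRM settings mentioned above can be checked on a monitored Windows server with a short audit. This is an added example, not VirtualMetric code: the function name `Get-WinRMTransportAudit` is hypothetical, the listener certificate is assumed to be in the `LocalMachine\My` store, and the session must be elevated.

```powershell
# Added example (not VirtualMetric code). Run elevated on the monitored server.
function Get-WinRMTransportAudit {
    # Service settings are exposed as strings ('true'/'false') on the WSMan: drive.
    $unencrypted = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value -eq 'true'
    $basic       = (Get-Item WSMan:\localhost\Service\Auth\Basic).Value -eq 'true'

    # Each listener reports its Transport (HTTP/HTTPS), Port and CertificateThumbprint.
    $listeners = @(Get-WSManInstance -ResourceURI winrm/config/Listener -Enumerate)
    $https     = @($listeners | Where-Object { $_.Transport -eq 'HTTPS' })

    # Every HTTPS listener must point at a certificate that exists and has not expired.
    # Assumption: the certificate lives in the LocalMachine\My store.
    $certOk = $https.Count -gt 0
    foreach ($l in $https) {
        $thumb = $l.CertificateThumbprint -replace '\s', ''
        $cert  = if ($thumb) { Get-Item "Cert:\LocalMachine\My\$thumb" -ErrorAction SilentlyContinue }
        if (-not $cert -or $cert.NotAfter -lt (Get-Date)) { $certOk = $false }
    }

    [pscustomobject]@{
        Check = 'Unencrypted traffic refused (AllowUnencrypted = false)'
        Pass  = -not $unencrypted
    }
    [pscustomobject]@{
        Check = 'HTTPS listener present with a valid certificate'
        Pass  = $certOk
    }
    [pscustomobject]@{
        # Basic authentication is intended for HTTPS sessions only.
        Check = 'Basic authentication disabled, or usable only over HTTPS'
        Pass  = (-not $basic) -or ((-not $unencrypted) -and $https.Count -gt 0)
    }
}

Get-WinRMTransportAudit | Format-Table -AutoSize

# Remediation for failed checks ('<THUMBPRINT>' is a placeholder):
#   Set-Item WSMan:\localhost\Service\AllowUnencrypted $false
#   New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * -CertificateThumbPrint '<THUMBPRINT>'
```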

For VMware Servers, VirtualMetric uses *VMware vSphere Web Services* to connect to the hosts. By default, VirtualMetric uses the **SSL** protocol to connect to VMware hosts, but you can always change this communication protocol as well.

For Linux Servers, VirtualMetric uses **SSH** to connect to the servers. You can use basic authentication or key-based authentication. VirtualMetric supports **RSA** and **DSA** private keys. You can also protect your keys with a passphrase.

| Platform | Connection Protocol | Firewall Friendly? | Supported Protocols |
| -------- | ------------------- | ------------------ | ------------------- |
| Windows  | WS-Man              | ✓                  | HTTP / HTTPS        |
| VMware   | SOAP                | ✓                  | HTTP / HTTPS        |
| Linux    | SSH / SCP           | ✓                  | SSH / SCP           |

***

## Required Firewall Ports

VirtualMetric was designed to be a *firewall-friendly* monitoring solution. Many monitoring solutions on the market require RPC/DCOM/SNMP protocols to monitor servers. Because these protocols use dynamic ports, they usually require complex firewall configurations. VirtualMetric only uses the HTTP/HTTPS protocols to connect to Windows and VMware servers. For Linux servers, VirtualMetric uses the *Secure Shell* (SSH) protocol, so you can easily configure access through the firewall.

**Client Access to VirtualMetric Dashboard**

<div align="center"><figure><img src="https://3741708824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FbhbshAPk7P4wdrLxisUn%2Fuploads%2FQq8tnzR0ILKP3VlbonVK%2Fimage.png?alt=media&#x26;token=ee10ddff-646d-4c61-8363-b085ea8a4729" alt=""><figcaption></figcaption></figure></div>

| Source | Destination             | Protocol | Ports  | Action |
| ------ | ----------------------- | -------- | ------ | ------ |
| Client | VirtualMetric Dashboard | TCP      | 80/443 | ALLOW  |
| Client | VirtualMetric API       | TCP      | 8080   | ALLOW  |

**Server Monitoring**

<div align="center"><figure><img src="https://3741708824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FbhbshAPk7P4wdrLxisUn%2Fuploads%2FpMDwxc1XzKsQk3OdIK5n%2Fimage.png?alt=media&#x26;token=6a42fefa-bd37-4f75-8bdc-734d6a116129" alt=""><figcaption></figcaption></figure></div>

| Source                          | Destination           | Protocol | Ports     | Action |
| ------------------------------- | --------------------- | -------- | --------- | ------ |
| VirtualMetric Trigger           | VirtualMetric API     | TCP      | 8080      | ALLOW  |
| VirtualMetric Trigger           | Windows Server        | TCP      | 5985/5986 | ALLOW  |
| VirtualMetric Trigger           | VMware Server         | TCP      | 80/443    | ALLOW  |
| VirtualMetric Trigger           | Linux Server          | TCP      | 22        | ALLOW  |
| VirtualMetric Trigger           | Network Device        | UDP      | 161       | ALLOW  |
| Windows / VMware / Linux Server | VirtualMetric API     | TCP      | 8080      | ALLOW  |
| sFlow Endpoint                  | VirtualMetric Trigger | UDP      | 6343      | ALLOW  |
| NetFlow Endpoint                | VirtualMetric Trigger | UDP      | 2055      | ALLOW  |
| IPFIX Endpoint                  | VirtualMetric Trigger | UDP      | 4739      | ALLOW  |
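
After the firewall rules are in place, the TCP rows of the Server Monitoring table can be verified from the Trigger host. This is an added example, not VirtualMetric code: the function names and the `*.example.internal` host names are placeholders, and the UDP rows (161, 6343, 2055, 4739) are not covered because UDP has no connection handshake to test.

```powershell
# Added example (not VirtualMetric code). Run on the VirtualMetric Trigger host.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Wait() returns $false on timeout and throws if the connection is refused.
        return $client.ConnectAsync($ComputerName, $Port).Wait($TimeoutMs) -and $client.Connected
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# TCP rows of the Server Monitoring table. Host names are placeholders.
# TlsPort marks the HTTPS member of a paired entry (5985/5986, 80/443).
$targets = @(
    [pscustomobject]@{ Role = 'VirtualMetric API'; Name = 'vm-api.example.internal'; Ports = @(8080);       TlsPort = $null }
    [pscustomobject]@{ Role = 'Windows Server';    Name = 'win01.example.internal';  Ports = @(5985, 5986); TlsPort = 5986 }
    [pscustomobject]@{ Role = 'VMware Server';     Name = 'esx01.example.internal';  Ports = @(80, 443);    TlsPort = 443 }
    [pscustomobject]@{ Role = 'Linux Server';      Name = 'lnx01.example.internal';  Ports = @(22);         TlsPort = $null }
)

function Test-MonitoringPaths {
    param([object[]]$Targets)
    foreach ($t in $Targets) {
        $open = @($t.Ports | Where-Object { Test-TcpPort $t.Name $_ })
        $note = if ($open.Count -eq 0) {
            'blocked: no listed port reachable'
        } elseif ($t.TlsPort -and $open -notcontains $t.TlsPort) {
            "only the HTTP port is reachable; allow $($t.TlsPort) to use HTTPS"
        } else {
            'ok'
        }
        [pscustomobject]@{
            Role      = $t.Role
            Host      = $t.Name
            OpenPorts = $open -join ','
            Note      = $note
        }
    }
}

Test-MonitoringPaths -Targets $targets | Format-Table -AutoSize
```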
