Making Unicenter talk through a Firewall Unicenter NSM Revised August 11 2003
Agenda • Introduction • WorldView Discovery • Destination Port Customization • From Port Selection • DSM Routing • Scenarios • Different Architecture Reviews • Enterprise Management • CAM / CAFT , CCI , Event Management • Unicenter Options • ITRM covered separately
Objectives • How Unicenter is deployed through a firewall will vary from site to site • The architecture is highly dependent on • The level of risk accepted • The rules dictated by the firewall administration • The rules governing blocking and unblocking of ports • This presentation walks through different scenarios • The scenarios selected cover most of the requirements dictated by different security administrations
Firewall Requirements • Considerations for the firewall • Reduce the number of ports to be unblocked • Minimize port contention • Block UDP ports • Minimize the number of hosts that require ports to be unblocked • Block traffic initiated from outside the firewall
Need for Firewalls • Exponential growth in cyber crime • Hackers, cyber criminals, e-terrorists • The problems caused by recent denial of service attacks highlighted the need for a resilient and secure DMZ environment • Secure Internet environments require firewalls
DoS • Any software deployed in a DMZ requires protection against malicious access and denial of service attacks. That calls for a review of security solutions to prevent these attacks, which is out of scope for this presentation
What is a Firewall? • In general terms a firewall stops a fire from spreading • An Internet firewall acts more like a moat, preventing dangers from the Internet spreading to your internal network • It serves multiple purposes: • It restricts people to entering at a carefully controlled point • It prevents attackers from getting close to other defenses • It restricts people to leaving at a carefully controlled point • The firewall typically sees all data flowing into or out of your network and so has the opportunity to ensure the traffic is acceptable
What can’t a Firewall do? • Firewalls are not invulnerable • It does not protect against people already inside • It does not protect against connections which do not go through it • It cannot protect against unknown ‘new’ threats • It cannot provide complete protection against viruses • Even the best defenses may be breached • It works best if combined with other internal defenses (e.g. TNG Security, SSO) • Considerable expense (time and effort) • Can cause considerable annoyance to authorized users
What can a Firewall do? • A firewall is a focus for security decisions • a single checkpoint for all access, which lets you concentrate security measures at this point • more efficient than spreading security measures throughout the organization • secure (possibly more expensive) software and hardware at a single point will reduce overall costs • A firewall can enforce security policy • Most services across the Internet are insecure; a firewall sees all access and so can enforce the agreed policies • A firewall can log Internet activity • internal misuse, unsuccessful access attempts, statistics etc. • A firewall limits your exposure • Firewalls can be used to reduce the impact of security breaches, and by installing firewalls between departments the security risks can be greatly reduced
How do you configure a firewall? • Firewalls can be configured in many different ways • A firewall can be viewed as the collection of techniques (e.g. packet filtering, proxy services, physical architecture) used to overcome different problems • The problems the firewall needs to overcome depend on the services which must be supplied, the level of risk which is acceptable and ultimately how much money can be spent • Firewall Architectures • Dual Homed Host Architecture • Screened Host Architecture • Screened Subnet Architecture • Combinations …
Standard Firewall Configuration (diagram) • External network, with an external server • Exterior router • Perimeter network (not secure), holding the bastion host with the firewall software • Interior router • Interior network (secure): NT workstations, workstation, NT servers
Typical Client Requirements • 1. Minimize ports • 2. Restrict the hosts for which ports are opened • 3. Only allow initial access from within the firewall to outside the firewall • 4. Allow port access only after another communication has occurred • Requirement 4 can be used to overcome restriction 3 • It requires you to know more about how Unicenter works and makes you dependent on those details
Standard TNG Operation • Unicenter will operate out-of-the-box through a firewall • Details of the actual ports required are available; most of these can be configured, and these ports must be opened through the firewall • The standard “out-of-the-box” configuration does not aim to minimize the number of ports • Components can be configured/deployed to minimize the ports used • Browsers can be directed to use the minimum ports • Options can be deployed to minimize the ports used • Use TCP/IP for SQL rather than the default of named pipes
Unicenter Component Placement • Unicenter components can be placed anywhere • Where the firewall is and what it protects is a client decision • Following examples • Agents only outside the firewall • Agents and DSM outside the firewall • Monitoring through the firewall: Discovery, EM and DSM
Component Placement #1 - Agents outside FIREWALL (diagram) • Admin Host (inside): ABROWSER, run as C:\> abrowser -c browser.SysAgtNT -h HostA -@ dsmHost or C:\> abrowser -c browser.SysAgtNT -h HostA • CORE Host (inside): WV Gateway, DSM, Common Services; TCP 1433 (SQL) from the Admin Host • Host A (outside): Common Services • Through the firewall: UDP 161 and ICMP ping (manager to agent), UDP 6665 (manager to aws_sadmin), UDP 162 traps (agent to manager) • 3 ports open, but one is SNMP (UDP 162)
Component Placement #2 - Agents & DSM outside FIREWALL (diagram) • Admin Host (inside): ABROWSER, run as C:\> abrowser -r -c browser.SysAgtNT -h HostA -@ dsmHost • CORE Host (inside): TCP 1433 (SQL) • Outside: WV Gateway, DSM and Common Services; Host A with Common Services • Between DSM and Host A (both outside): UDP 161, ICMP ping, UDP 162 traps • Through the firewall: TCP 7774 (orb to orb), TCP 1433 (SQL) • 2 ports open, one is SQL
Component Placement #3 - Monitoring Through a Firewall - Discovery, EM & DSM (diagram) • Admin Host (inside): ABROWSER • CORE Host (inside): Auto-Discovery, Enterprise Management, CCI, Common Services, SQL 1433 • Outside: DSM, WV Gateway, Enterprise Management, CCI, Common Services; Host A with CCI, Common Services, EM Agent • Between DSM and Host A (both outside): UDP 161, ICMP ping, UDP 162 traps • Through the firewall: ICMP, UDP, Telnet, FTP (discovery), TCP 7774 (orb to orb), TCP 7001 (CCI), SQL 1433
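The three placement slides each state a "ports open" count, but the count follows from where the components sit and which flows are in use. The script below is an added example (not from the presentation or from CA) that encodes the flows drawn on the slides as data and computes which of them cross the firewall for each placement, then scores the result against the firewall requirements slide (few ports, no UDP, nothing initiated from outside). Port numbers are the ones the slides give; the component names (admin, core, dsm, agent), the feature tags, and the direction of the CCI flow are this example's own assumptions.

```python
"""Derive the firewall rule set implied by a Unicenter NSM component placement.

Added example, not part of the presentation or of Unicenter. Port numbers are the
ones stated on the placement slides; component names, feature tags and the
direction of the CCI flow are assumptions made here for illustration.
"""
from dataclasses import dataclass
from typing import Optional

INSIDE, OUTSIDE = "inside", "outside"


@dataclass(frozen=True)
class Flow:
    feature: str          # Unicenter function that needs the flow
    src: str              # component that initiates (opens the TCP connection or sends the datagram)
    dst: str              # component that listens
    proto: str            # "tcp", "udp" or "icmp"
    port: Optional[int]   # destination port; None for ICMP
    purpose: str


FLOWS = (
    Flow("repo", "admin", "core", "tcp", 1433, "abrowser/WorldView reads the repository (SQL over TCP/IP)"),
    Flow("repo", "dsm", "core", "tcp", 1433, "WV Gateway on the DSM host writes the repository"),
    Flow("orb", "admin", "dsm", "tcp", 7774, "abrowser -@ dsmHost, orb to orb"),
    Flow("dsm", "dsm", "agent", "udp", 6665, "aws_snmp poll to aws_sadmin"),
    Flow("dsm", "dsm", "agent", "udp", 161, "SNMP poll"),
    Flow("dsm", "dsm", "agent", "icmp", None, "ping"),
    Flow("dsm", "agent", "dsm", "udp", 162, "SNMP traps"),
    Flow("em", "core", "agent", "tcp", 7001, "CCI, Event Management to EM agent (direction assumed)"),
    Flow("discovery", "core", "agent", "icmp", None, "discovery ping sweep"),
    Flow("discovery", "core", "agent", "udp", 161, "discovery SNMP classification"),
    Flow("discovery", "core", "agent", "tcp", 23, "discovery 'Check Additional Ports': telnet"),
    Flow("discovery", "core", "agent", "tcp", 21, "discovery 'Check Additional Ports': ftp"),
)

# (placement, features in use) for the three placement slides.
PLACEMENTS = {
    "#1 agents outside": (
        {"admin": INSIDE, "core": INSIDE, "dsm": INSIDE, "agent": OUTSIDE},
        {"repo", "dsm"}),
    "#2 agents and DSM outside": (
        {"admin": INSIDE, "core": INSIDE, "dsm": OUTSIDE, "agent": OUTSIDE},
        {"repo", "dsm", "orb"}),
    "#3 discovery, EM and DSM through the firewall": (
        {"admin": INSIDE, "core": INSIDE, "dsm": OUTSIDE, "agent": OUTSIDE},
        {"repo", "dsm", "orb", "em", "discovery"}),
}


def firewall_rules(placement, features):
    """Flows that cross the firewall, as (direction, proto, port, purpose) tuples."""
    rules = []
    for f in FLOWS:
        if f.feature not in features or placement[f.src] == placement[f.dst]:
            continue                      # feature not in use, or both ends on the same side
        direction = "in->out" if placement[f.src] == INSIDE else "out->in"
        rules.append((direction, f.proto, f.port, f.purpose))
    return sorted(rules, key=lambda r: (r[0], r[1], r[2] or 0))


def review(rules):
    """Measure a rule set against the deck's firewall requirements."""
    ports = {(proto, port) for _, proto, port, _ in rules if proto != "icmp"}
    return {
        "ports_to_unblock": len(ports),
        "udp_ports": sorted(port for proto, port in ports if proto == "udp"),
        "outside_initiated": [(proto, port) for d, proto, port, _ in rules if d == "out->in"],
        "icmp": any(proto == "icmp" for _, proto, _, _ in rules),
    }


def report():
    """Summary per placement, keyed by the placement name."""
    return {name: review(firewall_rules(p, feats)) for name, (p, feats) in PLACEMENTS.items()}


if __name__ == "__main__":
    for name, (placement, features) in PLACEMENTS.items():
        print(name)
        for direction, proto, port, why in firewall_rules(placement, features):
            print(f"  {direction:8} {proto:4} {str(port or '-'):>5}  {why}")
        print("  summary:", review(firewall_rules(placement, features)))
```

Running it reproduces the slide counts (3 ports, all UDP, for #1; 2 TCP ports for #2) and makes one point explicit that the diagrams leave implicit: in #2 and #3 the SQL connection on 1433 is opened by the WV Gateway on the outside DSM host towards the inside repository, which conflicts with the requirement to block traffic initiated from outside the firewall.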
WV Discovery • Discovery considerations • Initiate discovery from inside the firewall • Initiate discovery from outside the firewall with the CORE inside the firewall • Temporarily unblock ports for AutoDiscovery • NAT implications
WV Discovery Initiated within Firewall (diagram) • dscvrbe -r .. run on the CORE, inside the firewall • Ping sweep from the CORE to the hosts outside the firewall
WV Discovery Classification • SNMP (161) is required for classification • Additional ports may be required if “Check Additional Ports” is selected
WV Discovery Initiated Outside Firewall (diagram) • dscvrbe -r .. run on a host outside the firewall • CORE inside the firewall • Through the firewall: SQL 1433 only • No UDP through the firewall
WV Discovery Limited Unblocking • During the auto-discovery process objects are classified using SNMP, so the SNMP port should be opened • Once auto-discovery is complete the port can be closed again • It is also possible to run discovery outside the firewall and then move the data inside the firewall via trix; this is not best practice and the customization is “more difficult than is apparent”
aws_orb Port Selection • aws_orb binds to 7774 for 2.4 and above, 7770 for release 2.1
aws_orb 2.1 System • If 7774 is blocked, the connection is retried on 7770 in case the managed host is a 2.1 system
orb to orb Connectivity • Update quick.cfg to select the orb port • tng\services\config\aws_orb\quick.cfg • defaults to 7774 • No customization available for the FROM port • The first available TCP source port is used, so the firewall rule for 7774 must accept any source port
Orb and Named Pipes • By default orb uses named pipes
Named pipes • Remove named pipe usage • comment out the plugin awm_qikpipe_dll aws_orb22 line
orb to orb Connectivity • abrowser -@ <remotedsm> -r -c browser.SysAgtNT -h DAWYA01 -s admin connects to the remote orb
orb to orb Connectivity • Orb to orb introduces a heartbeat • The heartbeat can be disabled if required • Its frequency can be changed if required
aws_sadmin Port Selection (diagram) • Manager (aws_dsm, aws_snmp) inside the firewall, managed host (aws_sadmin) outside • The manager issues SNMP requests to the managed host on 6665 • aws_sadmin binds to 6665 by default and can be configured to use a different port • Traps from managed hosts default to port 162
aws_sadmin Port Configuration • Configure the port that aws_sadmin binds to for incoming SNMP requests • Defaults to 6665 • To change the default port, update aws_sadmin.cfg and add the line SNMP_PORT xxxx, where xxxx is the port aws_sadmin binds to
aws_sadmin.cfg • If aws_sadmin is changed to bind to a different port, ensure the pollset reflects the correct port
pollset • The pollset port must match the aws_sadmin.cfg port
abrowser • If the aws_sadmin port is changed, Agent View needs to be customized to use the correct port
aws_snmp From Port Selection • The SNMP gateway sends its request to port 6665 and binds a random source port • The agent then responds to that random source port • If a random source port is not acceptable, customize aws_snmp.cfg • Specify the source port for aws_snmp • Consider a range to avoid port contention
aws_snmp From Port Selection • %AgentWorks_Dir%\services\config\aws_snmp\aws_snmp.cfg • aws_snmp defaults to a random source port
aws_snmp From Port Selection • aws_snmp customized to use ports 8001-8002
aws_snmp From Port Selection • aws_snmp sends the request to 6665 (UDP) • Agent responds to 8001
Agentview (abrowser) From Port Selection • Agent View sends its request to port 6665 and binds a random source port • The agent then responds to that random source port • If a random source port is not acceptable, customize aws_snmp.cfg • Specify the source port for abrowser • Consider a range to avoid port contention
abrowser From Port Selection • abrowser customized to use ports 8011-8020
AgentView (abrowser) From Port Selection • abrowser -c browser.SysAgtNT -h <agenthost> -s admin • abrowser sends the request over UDP port 6665 • Agent responds to 8011
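Two things on the aws_sadmin and source-port slides are easy to get wrong in practice: the bind port in aws_sadmin.cfg drifting away from what the pollset and Agent View send to, and fixed source-port ranges that overlap each other, are too small for the number of concurrent polls, or fall inside the host's own dynamic port range. The script below is an added example (not from the presentation or from CA) that checks both and emits the reply rules the firewall needs for each range. It assumes that aws_sadmin.cfg carries a SNMP_PORT line as the slide states, that the pollset and Agent View ports are handed in as integers because their file formats are not shown on the slides, that source-port ranges are given as (low, high) pairs, and that the manager host's dynamic range is 1024-5000 (the Windows NT/2000 default; verify on the actual host). The config fragment inside is constructed for the example.

```python
"""Port-agreement and source-port-range checks for aws_sadmin, aws_snmp and abrowser.

Added example, not part of the presentation or of Unicenter. Assumptions:
  - aws_sadmin.cfg holds a line "SNMP_PORT <n>"; without it aws_sadmin uses 6665.
  - The pollset port and the Agent View port are supplied as integers (their
    configuration formats are not shown on the slides, so they are not parsed).
  - Fixed source-port ranges are (low, high) pairs per component.
  - The manager's dynamic source-port range is 1024-5000 (assumed NT/2000 default).
"""
import re
from typing import Dict, List, Tuple

DEFAULT_SADMIN_PORT = 6665      # aws_sadmin default, from the slides
EPHEMERAL_RANGE = (1024, 5000)  # assumed dynamic range of the manager host

Range = Tuple[int, int]


def sadmin_port(cfg_text: str) -> int:
    """Port aws_sadmin binds, read from the SNMP_PORT line of aws_sadmin.cfg text."""
    for line in cfg_text.splitlines():
        m = re.match(r"\s*SNMP_PORT\s+(\d+)\s*$", line)
        if m:
            return int(m.group(1))
    return DEFAULT_SADMIN_PORT


def port_mismatches(cfg_text: str, pollset_port: int, agentview_port: int) -> List[str]:
    """Consumers whose destination port disagrees with the port aws_sadmin binds."""
    bound = sadmin_port(cfg_text)
    consumers = (("pollset", pollset_port), ("abrowser/AgentView", agentview_port))
    return [name for name, port in consumers if port != bound]


def source_range_findings(ranges: Dict[str, Range]) -> List[str]:
    """Flag invalid, single-port, ephemeral-colliding and mutually overlapping ranges."""
    findings = []
    items = sorted(ranges.items(), key=lambda kv: kv[1])
    for i, (name, (lo, hi)) in enumerate(items):
        if not (1 <= lo <= hi <= 65535):
            findings.append(f"{name}: invalid range {lo}-{hi}")
            continue
        if lo <= EPHEMERAL_RANGE[1] and hi >= EPHEMERAL_RANGE[0]:
            findings.append(f"{name}: {lo}-{hi} overlaps the host's dynamic range "
                            f"{EPHEMERAL_RANGE[0]}-{EPHEMERAL_RANGE[1]}; other programs may take these ports")
        if hi == lo:
            findings.append(f"{name}: single source port {lo}; every request is serialised on it")
        for other, (olo, ohi) in items[i + 1:]:
            if lo <= ohi and olo <= hi:     # closed intervals intersect
                findings.append(f"{name} and {other} overlap on {max(lo, olo)}-{min(hi, ohi)}; "
                                "concurrent requests will contend for the same ports")
    return findings


def concurrency(ranges: Dict[str, Range]) -> Dict[str, int]:
    """Outstanding requests each component can have at once: one per source port."""
    return {name: hi - lo + 1 for name, (lo, hi) in ranges.items()}


def reply_rules(manager: str, agent: str, ranges: Dict[str, Range], sadmin: int) -> List[str]:
    """One firewall rule per component letting the agent's UDP replies back to the manager."""
    return [f"allow udp {agent}:{sadmin} -> {manager}:{lo}-{hi}  # {name} replies"
            for name, (lo, hi) in sorted(ranges.items())]


# Constructed sample data for the example (not a shipped configuration).
SAMPLE_SADMIN_CFG = """\
# constructed aws_sadmin.cfg fragment
SNMP_PORT 6670
"""
SAMPLE_RANGES = {"aws_snmp": (8001, 8002), "abrowser": (8011, 8020)}  # the ranges used on the slides

if __name__ == "__main__":
    bound = sadmin_port(SAMPLE_SADMIN_CFG)
    print("aws_sadmin binds", bound)
    print("mismatched consumers:", port_mismatches(SAMPLE_SADMIN_CFG, pollset_port=6670, agentview_port=6665))
    print("findings:", source_range_findings(SAMPLE_RANGES) or ["none"])
    print("concurrency:", concurrency(SAMPLE_RANGES))
    for rule in reply_rules("manager", "agent", SAMPLE_RANGES, bound):
        print(rule)
```

With the slides' ranges the checker reports no contention but shows that aws_snmp can have at most two polls in flight at once, which is the figure to weigh against the number of agents polled. The sample config deliberately moves aws_sadmin to 6670 while leaving Agent View on 6665, which the mismatch check catches.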