
Making Unicenter talk through a Firewall



Presentation Transcript


  1. Making Unicenter talk through a Firewall (Unicenter NSM), revised August 11 2003

  2. Agenda
     • Introduction
     • WorldView Discovery
     • Destination Port Customization
     • From Port Selection
     • DSM Routing
     • Scenarios
     • Different Architecture Reviews
     • Enterprise Management
     • CAM / CAFT, CCI, Event Management
     • Unicenter Options
     • ITRM covered separately

  3. Objectives
     • Deployment for working through a firewall will vary between sites.
     • The architecture will be highly dependent on:
        • the level of risk accepted
        • rules dictated by the firewall administration
        • rules governing blocking and unblocking of ports
     • This presentation walks through different scenarios.
     • The scenarios selected cover most of the requirements dictated by different security administrations.

  4. Firewall Requirements
     • Considerations for the firewall:
        • Reduce the number of ports to be unblocked
        • Minimize port contention
        • Block UDP ports
        • Minimize the number of hosts that require ports to be unblocked
        • Block traffic initiated from outside the firewall

  5. Need for Firewalls
     • Exponential growth in cyber crime
        • Hackers, cyber criminals, e-terrorists
     • Problems caused by recent denial of service attacks highlighted the need for a resilient and secure DMZ environment.
     • Secure Internet environments require firewalls.

  6. DoS
     • Any software deployed in a DMZ requires protection against malicious access or denial of service attacks. This requires a review of security solutions to prevent these attacks, which is out of scope for this presentation.

  7. What is a Firewall?
     • In general terms a firewall stops a fire from spreading.
     • An Internet firewall acts more like a moat, preventing dangers from the Internet spreading to your internal network.
     • It serves multiple purposes:
        • It restricts people to entering at a carefully controlled point
        • It prevents attackers from getting close to other defenses
        • It restricts people to leaving at a carefully controlled point
     • The firewall typically sees all data flowing into or out of your network and so has the opportunity to ensure the traffic is acceptable.

  8. What can't a Firewall do?
     • Firewalls are not invulnerable
        • It does not protect against people already inside
        • It does not protect against connections which do not go through it
        • It cannot protect against unknown "new" threats
        • It cannot provide complete protection against viruses
        • Even the best defenses may be breached
     • It works best if combined with other internal defenses (e.g. TNG Security, SSO etc.)
     • Considerable expense (time and effort)
     • Can cause considerable annoyance to authorized users

  9. What can a Firewall do?
     • A firewall is a focus for security decisions
        • a single checkpoint for all access; allows you to concentrate security measures at this point
        • more efficient than spreading security measures throughout the organization
        • secure (possibly more expensive) software and hardware at a single point will reduce overall costs
     • A firewall can enforce security policy
        • most services across the Internet are insecure; firewalls can see all access and so can enforce the agreed policies
     • A firewall can log Internet activity
        • internal misuse, attempted unsuccessful accesses, statistics etc.
     • A firewall limits your exposure
        • firewalls can be used to reduce the impact of security breaches, and by installing firewalls between departments the security risks can be greatly reduced

  10. How do you configure a firewall?
     • Firewalls can be configured in many different ways.
     • Firewalls can be viewed as the collection of techniques (i.e. packet filtering, proxy services, physical architecture etc.) which are used to overcome different problems.
     • The problems the firewall needs to overcome depend on the services which must be supplied, the level of risk which is acceptable and ultimately how much money can be spent.
     • Firewall architectures:
        • Dual Homed Host Architecture
        • Screened Host Architecture
        • Screened Subnet Architecture
        • Combinations ….

  11. Standard Firewall Configuration [diagram: External Server on the External Network; Exterior Router; Perimeter Network (Not Secure) with a Bastion Host (with Firewall software); Interior Router; Interior Network (Secure) containing NT Workstations, a Workstation and NT Servers]

  12. Testing Environment

  13. Typical Client Requirements
     • Minimize ports
     • Restrict hosts for which ports are opened
     • Only allow initial access from within the firewall to outside the firewall
     • Allow port access only after another communication has occurred
        • Can overcome restriction number 3
        • Requires you to know more about how Unicenter works and makes you dependent upon details

  14. Standard TNG Operation
     • Unicenter will operate out-of-the-box through a firewall.
     • Details of the actual ports required are available; most of these can be configured, and these ports must be opened through the firewall.
     • The standard "out-of-the-box" configuration does not aim to minimize the number of ports.
     • Components can be configured/deployed to minimize the ports used:
        • Browsers can be directed to use minimum ports
        • Options can be deployed to minimize ports used
        • Use TCP/IP for SQL, not the default of named pipes

  15. Unicenter Component Placement
     • Unicenter components can be placed anywhere.
     • Where is the firewall and what is it protecting? A client issue.
     • Following examples:
        • Agents only outside the firewall
        • Agents and DSM outside the firewall
        • Monitoring through the firewall: Discovery, EM and DSM

  16. Component Placement #1 - Agents outside FIREWALL [diagram: Admin Host (ABROWSER) and CORE Host (WV Gateway, DSM, Common Services) inside the firewall, with TCP 1433 (SQL) between Admin Host and CORE; Host A (Common Services) outside. Through the firewall: UDP 161 and ICMP Ping, UDP 162 Traps, UDP 6665. "3 Ports Open but one is SNMP (UDP 162)". Commands shown: C:\> abrowser -c browser.SysAgtNT -h HostA -@ dsmHost  and  C:\> abrowser -c browser.SysAgtNT -h HostA]

  17. Component Placement #2 - Agents & DSM outside FIREWALL [diagram: Admin Host (ABROWSER) and CORE Host (WV Gateway, Common Services) inside the firewall; DSM and Host A (Common Services) outside, with UDP 162 Traps and UDP 161 / ICMP Ping staying outside. Through the firewall: TCP 1433 (SQL) and TCP 7774. "2 Ports Open ….. one is SQL". Command shown: C:\> abrowser -r -c browser.SysAgtNT -h HostA -@ dsmHost]

  18. Component Placement #3 - Monitoring Through a Firewall - Discovery, EM & DSM [diagram: Admin Host (ABROWSER, Auto-Discovery, Enterprise Management) and CORE Host (CCI, Common Services, Enterprise Management, DSM, WV Gateway) inside the firewall; Host A (CCI, Common Services, EM Agent) outside. Traffic labels: SQL 1433; ICMP, UDP, Telnet, FTP; TCP 7774; TCP 7001; UDP 162 Traps; UDP 161, ICMP Ping]

  19. World View Discovery

  20. WV Discovery
     • Discovery considerations:
        • Initiate discovery from inside the firewall
        • Initiate discovery from outside the firewall but with CORE inside the firewall
        • Temporarily unblock ports for AutoDiscovery
        • NAT implication

  21. WV Discovery - Initiated within Firewall [diagram: dscvrbe –r .. run against the CORE inside the firewall]

  22. WV Discovery - Initiated within Firewall
     • Ping Sweep

  23. WV Discovery - Ping Sweep
     • Discovery initiated within the firewall
     • Ping sweep

  24. WV Discovery - Classification
     • SNMP (161) required for classification

  25. WV Discovery - Classification
     • Additional ports may be required if "Check Additional Ports" is selected

  26. WV Discovery - Unicenter NSM

  27. WV Discovery - Initiated Outside Firewall [diagram: dscvrbe –r .. run outside the firewall, reaching the CORE over SQL 1433; "No UDP through Firewall"]

  28. WV Discovery - Limited Unblocking
     • During the auto-discovery process objects are classified using SNMP, therefore the SNMP port should be opened.
     • Once auto-discovery is complete the port can be closed.
     • It is also possible to run discovery outside the firewall and then move the data inside the firewall via trix; this is not best practice and the customization is "more difficult than is apparent".

  29. Destination PORT Customization

  30. aws_orb Port Selection
     • aws_orb binds to 7774 for 2.4 and above, 7770 for release 2.1

  31. aws_orb - 2.1 System
     • If 7774 is blocked, retries the connection with 7770 in case the managed host is a 2.1 system

  32. orb to orb Connectivity
     • Update quick.cfg to select the orb port
        • tng\services\config\aws_orb\quick.cfg
        • defaults to 7774
     • No customization available for the FROM port
        • Selects the first available TCP source port

  33. Orb and Named Pipes
     • By default orb uses named pipes

  34. Named pipes
     • Remove named-pipe usage by commenting out the plugin line:
        plugin awm_qikpipe_dll aws_orb22

  35. orb to orb Connectivity
     • abrowser -@ <remotedsm> -r -c browser.SysAgtNT -h DAWYA01 -s admin
        • Connects to the remote orb

  36. orb to orb Connectivity
     • Orb to orb introduces a heartbeat
        • Can disable the heartbeat if required
        • Can change the frequency if required

  37. aws_sadmin Port Selection [diagram: CORE (aws_dsm, aws_snmp) on the manager side of the firewall; aws_sadmin on the managed host; 6665 for SNMP requests to the managed host, 162 for traps back]
     • Manager issues SNMP requests to the managed host.
     • aws_sadmin binds to 6665 by default. Can be configured to use a different port.
     • Traps from managed hosts default to port 162.

  38. aws_sadmin Port Configuration
     • Configure the port that aws_sadmin binds for incoming SNMP requests
        • Defaults to 6665
     • To change the default port, update aws_sadmin.cfg and add the line SNMP_PORT xxxx, where xxxx is the port aws_sadmin binds to.

  39. aws_sadmin Port Configuration

  40. aws_sadmin.cfg
     • If aws_sadmin is changed to bind to a different port, ensure pollset reflects the correct port

  41. pollset
     • The pollset port must match the aws_sadmin.cfg port

  42. abrowser
     • If the aws_sadmin port is changed, Agent View needs to be customized to use the correct port

  43. From PORT Customization

  44. aws_snmp From Port Selection
     • The SNMP gateway sends its request to port 6665 and binds to a random source port.
     • The agent then responds back to that random source port.
     • If a random source port is not acceptable, customize aws_snmp.cfg:
        • Specify the from (source) port for aws_snmp
        • Consider a range to avoid port contention

  45. aws_snmp From Port Selection
     • %AgentWorks_Dir%\services\config\aws_snmp\aws_snmp.cfg
     • aws_snmp defaults to a random source port

  46. aws_snmp From Port Selection
     • aws_snmp customized to use ports 8001-8002

  47. aws_snmp From Port Selection
     • aws_snmp sends the request over 6665 (UDP)
     • Agent responds back on 8001

  48. Agentview (abrowser) From Port Selection
     • Agentview sends its request to port 6665 and binds to a random source port.
     • The agent then responds back to that random source port.
     • If a random source port is not acceptable, customize aws_snmp.cfg:
        • Specify the from (source) port for abrowser
        • Consider a range to avoid port contention

  49. Abrowser From Port Selection
     • abrowser customized to use ports 8011-8020

  50. AgentView (abrowser) From Port Selection
     • abrowser -c browser.SysAgtNT -h <agenthost> -s admin
     • abrowser sends the request over UDP port 6665
     • Agent responds back on 8011
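Added illustration of slides 44 to 50 (example code, not from the presentation or from Unicenter): the manager side binds its UDP request to a fixed source-port range, the way a customized aws_snmp.cfg or abrowser does instead of taking a random port; the agent answers to that same source port, so only the range needs to be open inbound; and when a port in the range is already taken the code falls through to the next one, which is the contention the slides say a wider range avoids. The agent is a constructed local stand-in on an ephemeral port, not the real aws_sadmin on 6665.

```python
import socket
import threading

LOCALHOST = "127.0.0.1"

class PortRangeExhausted(OSError):
    """Every source port in the configured range is already in use."""

def bind_source_port(sock, first, last):
    """Bind a manager-side UDP socket to the first free port in [first, last],
    modelling a fixed from-port range (e.g. 8001-8002 in aws_snmp.cfg)."""
    for port in range(first, last + 1):
        try:
            sock.bind((LOCALHOST, port))
            return port
        except OSError:
            continue  # already taken (port contention): try the next one
    raise PortRangeExhausted(f"no free source port in {first}-{last}")

def start_demo_agent(replies=1):
    """Constructed stand-in for the agent: listens on an ephemeral port (not
    the real 6665) and answers each request to the sender's own source port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((LOCALHOST, 0))
    sock.settimeout(5)
    addr = sock.getsockname()
    def serve():
        with sock:
            for _ in range(replies):
                data, peer = sock.recvfrom(1024)
                sock.sendto(b"reply to source port %d: " % peer[1] + data, peer)

    threading.Thread(target=serve, daemon=True).start()
    return addr

def snmp_round_trip(agent_addr, first, last, request=b"GET sysUpTime"):
    """Send one request from a source port in [first, last]; return (source_port,
    reply). The reply targets that port, so only first-last must be open inbound."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as mgr:
        src = bind_source_port(mgr, first, last)
        mgr.settimeout(5)
        mgr.sendto(request, agent_addr)
        reply, _ = mgr.recvfrom(1024)
        return src, reply

def hold_port(port):
    """Occupy a UDP port, like another process that already owns it (contention)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((LOCALHOST, port))
    return sock
```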
