1 Making Unicenter talk through a Firewall Unicenter NSM Revised August 11 2003.


Slide 2 (Unicenter Architecture Class): Agenda
- Introduction
- WorldView Discovery
- Destination Port Customization
- From Port Selection
- DSM Routing
- Scenarios: different architecture reviews
- Enterprise Management: CAM / CAFT, CCI, Event Management
- Unicenter Options
- ITRM is covered separately

Slide 3: Objectives
- Deployment of working through a firewall will vary for different sites
- The architecture will be highly dependent on: the level of risk accepted; the rules dictated by the firewall administration; the rules governing blocking and unblocking of ports
- This presentation walks through different scenarios
- The scenarios selected cover most of the requirements dictated by different security administrations

Slide 4: Firewall Requirements
Considerations for a firewall:
- Reduce the number of ports to be unblocked
- Minimize port contention
- Block UDP ports
- Minimize the number of hosts that require ports to be unblocked
- Block traffic initiated from outside the firewall

Slide 5: Need for Firewalls
- Exponential growth in cyber crime: hackers, cyber criminals, e-terrorists
- Problems caused by recent denial of service attacks have highlighted the need for a resilient and secure DMZ environment
- Secure Internet environments require firewalls

Slide 6: DoS
Any software deployed in the DMZ requires protection against malicious access or denial of service attacks. This requires a review of security solutions to prevent these attacks, which is out of scope of this presentation.

Slide 7: What is a Firewall?
- In general terms a firewall stops a fire from spreading
- An Internet firewall acts more like a moat, preventing dangers from the Internet spreading to your internal network
- It serves multiple purposes: it restricts people to entering at a carefully controlled point; it prevents attackers from getting close to other defenses; it restricts people to leaving at a carefully controlled point
- The firewall typically sees all data flowing into or out of your network and so has the opportunity to ensure the traffic is acceptable

Slide 8: What can't a Firewall do?
- Firewalls are not invulnerable
- It does not protect against people already inside
- It does not protect against connections which do not go through it
- It cannot protect against unknown 'new' threats
- It cannot provide complete protection against viruses
- Even the best defenses may be breached
- It works best if combined with other internal defenses (i.e. TNG Security, SSO etc)
- Considerably expensive (time and effort)
- Can cause considerable annoyance to authorized users

Slide 9: What can a Firewall do?
- A firewall is a focus for security decisions: a single checkpoint for all access allows you to concentrate security measures at this point; this is more efficient than spreading security measures throughout the organization; secure (possibly more expensive) software and hardware at a single point will reduce overall costs
- A firewall can enforce security policy: most services across the Internet are insecure; firewalls can see all access and so can enforce the agreed policies
- A firewall can log Internet activity: internal misuse, attempted unsuccessful accesses, statistics etc
- A firewall limits your exposure: firewalls can be used to reduce the impact of security breaches, and by installing firewalls between departments the security risks can be greatly reduced

Slide 10: How do you configure a firewall?
- Firewalls can be configured in many different ways
- Firewalls can be viewed as the collection of techniques (i.e. packet filtering, proxy services, physical architecture etc) which are used to overcome different problems
- The problems the firewall needs to overcome are dependent on the services which must be supplied, the level of risk which is acceptable and ultimately how much money can be spent
- Firewall architectures: Dual Homed Host Architecture; Screened Host Architecture; Screened Subnet Architecture; Combinations ...

Slide 11: Standard Firewall Configuration (diagram)
Labels: Interior Network (Secure) with NT Server and NT Workstation; Interior Router; Perimeter Network (Not Secure) with Bastion Host (with firewall software) and External Server; Exterior Router; External Network.

Slide 12: Testing Environment (diagram only)

Slide 13: Typical Client Requirements
1. Minimize ports
2. Restrict the hosts for which ports are opened
3. Only allow initial access from within the firewall to outside the firewall
4. Allow port access only after another communication has occurred
   - Can overcome restriction number 3
   - Requires you to know more about how Unicenter works and makes you dependent upon details

Slide 14: Standard TNG Operation
- Unicenter will operate out-of-the-box through a firewall
- Details of the actual ports required are available; most of these can be configured; these ports must be opened through the firewall
- The standard "out-of-the-box" configuration does not aim to minimize the number of ports
- Components can be configured/deployed to minimize the ports used
- Browsers can be directed to use the minimum ports
- Options can be deployed to minimize the ports used
- Use TCP/IP for SQL, not the default of named pipes

Slide 15: Unicenter Component Placement
- Unicenter components can be placed anywhere
- Where is the firewall and what is it protecting? That is a client issue
- The following examples cover: agents only outside the firewall; agents and DSM outside the firewall; monitoring through the firewall (Discovery, EM and DSM)

Slide 16: Component Placement #1 - Agents outside FIREWALL (diagram)
- Inside the firewall: Admin Host (ABROWSER), CORE Host, DSM and WV Gateway; DSM to CORE over TCP 1433 (SQL)
- Through the firewall to Host A (Common Services): UDP 6665; UDP 161 and ICMP Ping; UDP 162 traps back from Host A
- C:\> abrowser -c browser.SysAgtNT -h HostA
- C:\> abrowser -c browser.SysAgtNT -h HostA -@ dsmHost
- 3 ports open, but one is SNMP (UDP 162)

Slide 17: Component Placement #2 - Agents & DSM outside FIREWALL (diagram)
- Inside the firewall: Admin Host (ABROWSER), CORE Host and WV Gateway
- Outside the firewall: DSM and Host A (Common Services); UDP 161, ICMP Ping and UDP 162 traps stay between the DSM and Host A
- Through the firewall: TCP 1433 (SQL) from the DSM to CORE; TCP 7774 from the Admin Host to the DSM
- C:\> abrowser -r -c browser.SysAgtNT -h HostA -@ dsmHost
- 2 ports open ..... one is SQL

Slide 18: Component Placement #3 - Monitoring Through a Firewall - Discovery, EM & DSM (diagram)
Labels: Admin Host (ABROWSER, Enterprise Management, Auto-Discovery); CORE Host; DSM; WV Gateway; FIREWALL; Host A (Common Services, EM Agent); UDP 161, ICMP Ping; TCP 7774; UDP 162 traps; CCI TCP 7001; Auto-Discovery ICMP, UDP, Telnet, FTP; EM Agent SQL 1433.

Slide 19: World View Discovery

Slide 20: WV Discovery - Discovery Considerations
- Initiate discovery from inside the firewall
- Initiate discovery from outside the firewall, but with CORE inside the firewall
- Temporarily unblock ports for AutoDiscovery
- NAT implications

Slide 21: WV Discovery Initiated within Firewall (diagram)
Labels: dscvrbe -r..; CORE.

Slide 22: WV Discovery Initiated within Firewall - Ping Sweep (diagram)

Slide 23: WV Discovery Ping Sweep - Discovery initiated within Firewall (diagram)
Labels: Pingsweep.

Slide 24: WV Discovery Classification
SNMP (161) is required for classification.

Slide 25: WV Discovery Classification
Additional ports may be required if "Check Additional Ports" is selected.

Slide 26: WV Discovery - Unicenter NSM (screenshot)

Slide 27: WV Discovery Initiated Outside Firewall (diagram)
Labels: Firewall; dscvrbe -r..; CORE; no UDP through the firewall; SQL 1433.

Slide 28: WV Discovery - Limited Unblocking
- During the auto-discovery process objects are classified using SNMP, therefore the SNMP port should be opened. Once auto-discovery is complete the port can be closed.
- It is also possible to run discovery outside the firewall and then move the data inside the firewall via trix; this is not best practice and the customization is "more difficult than is apparent".

Slide 29: Destination PORT Customization

Slide 30: aws_orb Port Selection
aws_orb binds to 7774 for 2.4 and above, and to 7770 for release 2.1.

Slide 31: aws_orb 2.1 System
If 7774 is blocked, it retries the connection with 7770 in case the managed host is a 2.1 system.

Slide 32: orb to orb Connectivity
- Update quick.cfg to select the orb port: tng\services\config\aws_orb\quick.cfg (defaults to 7774)
- No customization is available for the FROM port; it selects the first available TCP source port

Slide 33: Orb and Named Pipes
By default orb uses named pipes.

Slide 34: Named pipes
To remove named pipe usage, comment out the line: plugin awm_qikpipe_dll aws_orb22

Slide 35: orb to orb Connectivity
abrowser -@ -r -c browser.SysAgtNT -h DAWYA01 -s admin
Connects to the remote orb.

Slide 36: orb to orb Connectivity
- Orb to orb introduces a heartbeat
- The heartbeat can be disabled if required
- The frequency can be changed if required

Slide 37: aws_sadmin Port Selection (diagram)
Labels: CORE (aws_dsm, aws_snmp); Firewall; managed host (aws_sadmin); 162; 6665.
- Traps from managed hosts default to port 162
- The manager issues SNMP requests to the managed host
- aws_sadmin binds to 6665 by default and can be configured to use a different port

Slide 38: aws_sadmin Port Configuration
- Configure the port that aws_sadmin binds for incoming SNMP requests; it defaults to 6665
- To change the default port, update aws_sadmin.cfg and add the line SNMP_PORT xxxx, where xxxx is the port aws_sadmin binds

Slide 39: aws_sadmin Port Configuration (screenshot)

Slide 40: aws_sadmin.cfg
If aws_sadmin is changed to bind to a different port, ensure pollset reflects the correct port.

Slide 41: pollset
The pollset port must match the aws_sadmin.cfg port.

Slide 42: abrowser
If the aws_sadmin port is changed, Agent View needs to be customized to use the correct port.

Slide 43: From PORT Customization

Slide 44: aws_snmp From Port Selection
- The SNMP gateway sends its request to port 6665 and binds to a random source port; the agent then responds back to that random source port
- If a random source port is not acceptable, customize aws_snmp.cfg: specify the from (source) port for aws_snmp, and consider a range to avoid port contention

Slide 45: aws_snmp From Port Selection
%AgentWorks_Dir%\services\config\aws_snmp\aws_snmp.cfg
aws_snmp defaults to a random source port.

Slide 46: aws_snmp From Port Selection
aws_snmp customized to use ports 8001-8002.

Slide 47: aws_snmp From Port Selection
aws_snmp sends the request over 6665 (UDP); the agent responds back on 8001.

Slide 48: Agentview (abrowser) From Port Selection
- Agentview sends its request to port 6665 and binds to a random source port; the agent then responds back to that random source port
- If a random source port is not acceptable, customize aws_snmp.cfg: specify the from (source) port for abrowser, and consider a range to avoid port contention

Slide 49: abrowser From Port Selection
abrowser customized to use ports 8011-8020.

Slide 50: AgentView (abrowser) From Port Selection
abrowser -c browser.SysAgtNT -h -s admin
abrowser sends the request over UDP port 6665; the agent responds back on 8011.

Slide 51: aws_sadmin From Port Selection
aws_sadmin from port set to port 8000. For aws_sadmin (SNMP Administrator) you specify a single "from" port, which is used when aws_sadmin sends traps to a manager.

Slide 52: DSM Routing

Slide 53: DSM Routing -r
- abrowser sends the request on TCP port 7774 to the remote DSM on the managed system
- The remote DSM talks to the agent on UDP port 6665 (configurable in aws_sadmin.cfg)
- The agent replies back to the remote DSM on UDP port 8001 (configurable in aws_snmp.cfg):
  SNMP_PORTS aws_sadmin 8000
  SNMP_PORTS aws_snmp 8001-8002
  SNMP_PORTS mibbrowse 8003-8010
  SNMP_PORTS abrowser 8011-8020
  SNMP_PORTS utilities 8021-8030
- The remote DSM on the managed system replies back to abrowser via TCP port 7774
- The customer only has to open TCP port 7774 (a Uni 3.0 fix is needed so that port 9990 is not required)
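The from-port ranges above and the aws_sadmin port only work together when the ranges do not collide and pollset addresses the port aws_sadmin actually binds. The following added example (not Unicenter's own code) parses constructed aws_snmp.cfg and aws_sadmin.cfg samples in the line format assumed from these slides, reports those conflicts, and lists the UDP flows a firewall would have to pass for direct, non-DSM-routed access; the pollset port is passed in as a plain value because its file format is not shown here.

```python
"""Consistency check for the Agent Technology "from port" customization
(SNMP_PORTS lines in aws_snmp.cfg, SNMP_PORT in aws_sadmin.cfg).  Added
example, not a CA/Unicenter tool; the syntax 'SNMP_PORTS <component> <port|lo-hi>'
and 'SNMP_PORT <port>' is assumed from the slides."""
import re
from typing import Dict, List, Tuple

PortRange = Tuple[int, int]

# Constructed sample of aws_snmp.cfg, following the DSM Routing slide.
SAMPLE_AWS_SNMP_CFG = """\
# from-port ranges per component (constructed sample)
SNMP_PORTS aws_sadmin 8000
SNMP_PORTS aws_snmp   8001-8002
SNMP_PORTS mibbrowse  8003-8010
SNMP_PORTS abrowser   8011-8020
SNMP_PORTS utilities  8021-8030
"""
# Constructed sample of aws_sadmin.cfg (port aws_sadmin binds for requests).
SAMPLE_AWS_SADMIN_CFG = "SNMP_PORT 6665\n"

_PORTS_RE = re.compile(r"^\s*SNMP_PORTS\s+(\S+)\s+(\d+)(?:-(\d+))?\s*$")
_PORT_RE = re.compile(r"^\s*SNMP_PORT\s+(\d+)\s*$")


def parse_snmp_ports(text: str) -> Dict[str, PortRange]:
    """Return {component: (lo, hi)}; a single port becomes (p, p)."""
    ranges: Dict[str, PortRange] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _PORTS_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised aws_snmp.cfg line: {line!r}")
        comp, lo = m.group(1), int(m.group(2))
        hi = int(m.group(3)) if m.group(3) else lo
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range for {comp}: {lo}-{hi}")
        ranges[comp] = (lo, hi)
    return ranges


def parse_sadmin_port(text: str) -> int:
    """Return SNMP_PORT from aws_sadmin.cfg, or the 6665 default if absent."""
    for line in text.splitlines():
        m = _PORT_RE.match(line)
        if m:
            return int(m.group(1))
    return 6665


def check_from_ports(ranges: Dict[str, PortRange], sadmin_port: int,
                     pollset_port: int) -> List[str]:
    """Return a list of problems; an empty list means the setup is consistent."""
    problems: List[str] = []
    ordered = sorted(ranges, key=lambda c: ranges[c])
    # 1. Port contention: ranges of different components must not overlap.
    for a, b in zip(ordered, ordered[1:]):
        if ranges[a][1] >= ranges[b][0]:
            problems.append(f"{a} {ranges[a]} overlaps {b} {ranges[b]}")
    # 2. A from-port range must not swallow the port agents listen on.
    for comp, (lo, hi) in ranges.items():
        if lo <= sadmin_port <= hi:
            problems.append(f"{comp} range {lo}-{hi} contains aws_sadmin port {sadmin_port}")
    # 3. The poller must address the port aws_sadmin actually binds (slide 41).
    if pollset_port != sadmin_port:
        problems.append(f"pollset port {pollset_port} != aws_sadmin SNMP_PORT {sadmin_port}")
    return problems


def udp_openings(ranges: Dict[str, PortRange], sadmin_port: int,
                 trap_port: int = 162) -> List[Tuple[str, str, str, str]]:
    """UDP flows a firewall must pass for direct (non-DSM-routed) access, as
    (direction, src ports, dst ports, purpose).  aws_sadmin's single from port
    is the source of traps; every other range is a manager-side source port."""
    rules = []
    for comp, (lo, hi) in sorted(ranges.items(), key=lambda kv: kv[1]):
        span = str(lo) if lo == hi else f"{lo}-{hi}"
        if comp == "aws_sadmin":
            rules.append(("agent->manager", span, str(trap_port), "traps"))
        else:
            rules.append(("manager->agent", span, str(sadmin_port), f"{comp} requests"))
            rules.append(("agent->manager", str(sadmin_port), span, f"{comp} replies"))
    return rules


if __name__ == "__main__":
    r = parse_snmp_ports(SAMPLE_AWS_SNMP_CFG)
    p = parse_sadmin_port(SAMPLE_AWS_SADMIN_CFG)
    print(check_from_ports(r, p, pollset_port=6665) or "consistent")
    for rule in udp_openings(r, p):
        print(*rule)
```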

Slide 54: Agentview without DSM Routing (diagram)
Labels: Managed System (DSM, OS, 7774); CORE; Firewall; Worldview, EM, Obrowser, Abrowser (DSM, OS, 7774). abrowser binds to the first available port and sends UDP 6665; the agent responds back on the source port.

Slide 55: AgentView without DSM Routing
UDP call from the abrowser machine to the managed host.

Slide 56: Agentview with DSM Routing (diagram)
Labels: CORE; Managed System (DSM, OS, 7774); Firewall; Worldview, EM, Obrowse, Abrowse (DSM, OS, 7774). Binds to the first available port; UDP 6665; responds back on the source port.

Slide 57: Remote DSM - Nodeview / Agentview syntax for Remote DSM
- abrowser -@ Outside_DSMip -c browser.SysAgtUnix -h agenthost -s public
- abrowser -r -@ Outside_DSMip -c browser.SysAgtUnix -h agenthost -s public (-r for DSM routing)
- e.g. abrowser -r -@ RMTDSM -c browser.SysAgtNT -h ukslsag02 -s admin, where RMTDSM is the remote DSM, ukslsag02 is an agent managed by RMTDSM, and abrowser is issued from dawya01, which is inside the firewall
- nodeview -@ Outside_DSM_host -target agenthost@dsmhost

Slide 58: AgentView Menus
Update the policy to default to -r for DSM routing.

Slide 59: ViewAgent WorldView Menu
Add -r for DSM routing.

Slide 60: Architecture Reviews

Slide 61: Scenario #1
The client has a requirement to deploy agent technology in a DMZ environment but wishes to customize the port numbers that are to be unblocked.

Slide 62: Scenario #1 Solution
Customize ports by updating:
- %agentworks_dir\services\config\aws_snmp\aws_snmp.cfg
- %agentworks_dir\services\config\aws_sadmin\aws_sadmin.cfg
- %agentworks_dir\services\config\aws_orb\aws_orb.cfg

Slide 63: Scenario #2
The client has a requirement to deploy agent technology in a DMZ environment but has concerns about opening UDP ports. How can Agent Technology be deployed in a DMZ environment without the requirement to unblock UDP ports?

Slide 64: Standard Deployment
What are the UDP issues with the standard deployment?
- The DSM discovers agents by sending UDP requests to the SNMP or 6665 port
- Agents send alerts over a UDP port
- Agentview (abrowser) sends its request to port 6665 with the pre-selected TCP source ports; the agent then responds back on the source port

Slide 65: Standard Deployment
Agents send traps over UDP port 162; this requires 162 to be unblocked.

Slide 66: Standard Deployment - SNMP Trap (diagram)

Slide 67: Standard Deployment - AgentView
abrowser -c browser.SysAgtNT -h -s admin
Destination UDP port = 6665; source port = 8011.

Slide 68: Solution
Set up a remote DSM to control the DMZ agents and funnel all of their UDP traffic through the DSM via TCP port 7774.
- Devices in the DMZ are managed by the remote DSM
- Agents send the SNMP traps to the remote DSM
- All UDP traffic stays within the DMZ environment
- aws_dsm and aws_wvgate require access to CORE, thus the SQL port must also be opened
- Benefit: 1 TCP port + the SQL port

Slide 69: Solution #2 (diagram)
Labels: Admin Host (ABROWSER); CORE Host; WV Gateway; FIREWALL; DSM; Host A (Common Services); TCP 1433 (SQL); TCP 7774; UDP 161, ICMP Ping; UDP 162 traps.
- C:\> abrowser -@ dsmHost -r -c browser.SysAgtNT -h HostA
- 2 ports open ..... one is SQL

Slide 70: Remote DSM needs access to CORE (diagram)
Labels: OS; CORE; Worldview, EM, Obrowse & Abrowse; Managed System inside DMZ; DSM; Firewall; Server A; Server B.
Running a remote aws_wvgate does not eliminate the need for the SQL port: the DSM still requires access to CORE.

Slide 71: Scenario #3
The client has a requirement to deploy the agent technology DSM outside the firewall but wants to use a central CORE which resides inside the firewall. The firewall administration has concerns about SQL intrusion and will not open up the SQL port. How can aws_wvgate be configured to use a central CORE without opening a SQL port?

Slide 72: Solution #3
- Install wvdbt where the CORE resides
- The remote aws_dsm accesses CORE via ORB (port 7774)
- aws_wvgate accesses CORE via ORB
- Check the "inform remote" option to optimize the heartbeat
- Benefit: no requirement to open up the SQL port

Slide 73: Solution #3 (diagram)
Labels: Firewall; NT with Common Object Repository, Aws_orb and wvdbt; remote side with aws_store, aws_snmp, aws_dsm, Aws_wvgate and Aws_orb; 7774.
Note: Multiple DSMs can connect to the same remote wvdbt instance running against a single CORE. aws_dsm uses wvplugin, which may take about 8 RCBs on the CORE server. This restricts the maximum to approximately 120 remote DSM connections.

Slide 74: Scenario #4
The client is using DSM routing but does not wish to open port 7774 for all hosts that are required to respond to abrowser requests. How can this be minimized?

Slide 75: Requirements
- Restrict 7774 to be unblocked just for the local DSM
- Placing abrowser directly on the remote DSM requires 7774 to be opened for the host that issues abrowser requests

Slide 76: Agentview RemoteDSM orb (diagram)
Labels: CORE; Managed System (localDSM, OS, 7774); Firewall; Obrowser, Abrowser (remoteDSM, OS, 7774); responds back on source port; binds to first available port; UDP 6665; hosts RGT40, EWB_NTS_03, dawya01s, adminhost.
- abrowser -@ DAWYA01S -r -c browser.SysAgtNT -h RGT40.ca.com -s admin
- 7774 has to be opened for all hosts that issue abrowser

Slide 77: Agentview from adminhost (diagram)

Slide 78: Windows Terminal Server (diagram)
Labels: CORE; Managed System (localDSM, OS, 7774); Firewall; Windows TERMINAL SERVER (obrowser, Abrowser, remteDSM, OS, 7774); UDP 6665; 7774; Terminal Client.
- abrowser -@ EWB_NTS_03 -r -c browser.SysAgtNT -h RGT40.ca.com@DAWYA01S -s admin
- 7774 has to be unblocked only for the local DSM and the WTS
- Streamline requests from the Terminal Server

Slide 79: Scenario #5
How to walk through the firewall for a typical FM site? What are the considerations?

Slide 80: Scenario #5 (diagram)
Labels: Client site (Client Firewall); DMZ site (FM Firewall); Service Center (FM Firewall); CORE; Windows Terminal Server; DSM; NAT; Terminal Client; Bridge; Critical Objects.

Slide 81: Scenario #5
- Windows Terminal Server eliminates the need to open visualizing/browser ports for many hosts
- Nodeview / Agent View / 2D Maps are all accessed via the Terminal Server
- Requires the Terminal Services Client port 3389 to be opened
- Critical objects are bridged from the client site to the DMZ environment

Slide 82: Scenario #5
- Critical events are forwarded from the client site to the FM site; this requires the CCI port to be unblocked
- The Event Console is launched via the Terminal Services Client

Slide 83: Scenario #5
- To avoid NAT issues, run WorldView discovery from the client site; this will have the pre-NATted address and avoids conflicts with gwipflt.dat
- Use the name melding option to distinguish bridged objects

Slide 84: Scenario #6
The firewall administrator insists on single-directional unblocking of ports: all outbound ports are opened but all inbound ports are blocked. All network requests should be initiated from within the firewall zone; no network traffic should be initiated from the DMZ zone. How can this be accomplished?

Slide 85: Single Directional Unblocking (diagram)
Labels: CORE; PRIVATE DSM; DMZ DSM. The SQL port must be bi-directional.

Slide 86: Single Directional Unblocking - Firewall Rules
Unblock SQL bi-directionally.

Slide 87: Obrowser / Abrowser, Private -> DMZ zone
Nodeview / Agentview works fine if initiated from inside the firewall.

Slide 88: Obrowser / Abrowser, DMZ -> Private zone
Nodeview / AgentView requests are denied if initiated from the DMZ zone; 7774 and 7770 are denied.

Slide 89: Single Directional Unblocking
If unblocking the SQL port is not accepted, then review the "Bridge Through Firewall" presentation.
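Component Placement #1 and #2, Solution #3 and the single-directional rule of Scenario #6 all come down to which flows have their two endpoints on opposite sides of the firewall, and which side initiates them. This added example (not a CA tool) encodes the flows named on those slides and computes, for a placement, the openings required and the flows a DMZ component would have to initiate; the zone names "inside"/"dmz", the component labels and ICMP modelled as port 0 are assumptions.

```python
"""Which Unicenter NSM flows cross the firewall for a given component
placement.  Added example, not a CA tool: the flow table is transcribed from
the placement slides (#1, #2), Solution #3 (wvdbt) and Scenario #6; ICMP is
modelled with port 0 and the zone names "inside"/"dmz" are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Flow:
    src: str      # component that initiates the exchange
    dst: str      # component that listens
    proto: str    # "tcp", "udp" or "icmp"
    port: int     # destination port (0 for ICMP)
    purpose: str


# Components as named on the slides: "admin" runs abrowser/nodeview, "core" is
# the CORE repository (SQL), "dsm" manages the agents, "agent" is aws_sadmin.
BASE_FLOWS = [
    Flow("admin", "core", "tcp", 1433, "WV tools to CORE (SQL)"),
    Flow("dsm", "agent", "udp", 6665, "DSM requests to aws_sadmin"),
    Flow("dsm", "agent", "udp", 161, "discovery/classification (SNMP)"),
    Flow("dsm", "agent", "icmp", 0, "discovery ping"),
    Flow("agent", "dsm", "udp", 162, "SNMP traps to the DSM"),
]
DSM_TO_CORE_SQL = Flow("dsm", "core", "tcp", 1433, "aws_dsm/aws_wvgate to CORE (SQL)")
DSM_TO_CORE_ORB = Flow("dsm", "core", "tcp", 7774, "aws_dsm/aws_wvgate to CORE via wvdbt")
ADMIN_TO_AGENT = Flow("admin", "agent", "udp", 6665, "abrowser direct to aws_sadmin")
ADMIN_TO_DSM = Flow("admin", "dsm", "tcp", 7774, "abrowser -r routed via the DSM (orb)")


def flows_for(dsm_routing: bool, wvdbt: bool) -> List[Flow]:
    """The active flow set: DSM routing replaces the direct UDP browse, and
    wvdbt replaces the DSM's SQL access to CORE with an orb connection."""
    flows = list(BASE_FLOWS)
    flows.append(DSM_TO_CORE_ORB if wvdbt else DSM_TO_CORE_SQL)
    flows.append(ADMIN_TO_DSM if dsm_routing else ADMIN_TO_AGENT)
    return flows


def crossing_flows(placement: Dict[str, str], dsm_routing: bool = False,
                   wvdbt: bool = False) -> List[Flow]:
    """Flows whose endpoints sit in different zones, i.e. that the firewall must pass."""
    return [f for f in flows_for(dsm_routing, wvdbt)
            if placement[f.src] != placement[f.dst]]


def ports_to_open(placement: Dict[str, str], dsm_routing: bool = False,
                  wvdbt: bool = False) -> Set[str]:
    """Distinct firewall openings as 'proto/port' strings (ICMP as 'icmp')."""
    return {"icmp" if f.proto == "icmp" else f"{f.proto}/{f.port}"
            for f in crossing_flows(placement, dsm_routing, wvdbt)}


def initiated_from(placement: Dict[str, str], zone: str, dsm_routing: bool = False,
                   wvdbt: bool = False) -> List[Flow]:
    """Crossing flows whose initiator sits in `zone`.  Scenario #6 (nothing
    initiated from the DMZ) holds only when this is empty for zone="dmz"."""
    return [f for f in crossing_flows(placement, dsm_routing, wvdbt)
            if placement[f.src] == zone]


# Placements mirroring the slide diagrams (constructed).
PLACEMENT_1 = {"admin": "inside", "core": "inside", "dsm": "inside", "agent": "dmz"}
PLACEMENT_2 = {"admin": "inside", "core": "inside", "dsm": "dmz", "agent": "dmz"}

if __name__ == "__main__":
    print("Placement #1:", sorted(ports_to_open(PLACEMENT_1)))
    print("Placement #2:", sorted(ports_to_open(PLACEMENT_2, dsm_routing=True)))
    print("Solution #3 :", sorted(ports_to_open(PLACEMENT_2, dsm_routing=True, wvdbt=True)))
    for f in initiated_from(PLACEMENT_2, "dmz", dsm_routing=True):
        print("initiated from DMZ (needs a bi-directional rule):", f.purpose)
```

With DSM routing on, Placement #2 needs only TCP 1433 and TCP 7774; with wvdbt as well, only TCP 7774 remains, but in both cases the DSM in the DMZ initiates the connection to CORE, which is the bi-directional rule Scenario #6 has to accept.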

Slide 90: Scenario #7
Clients wish to minimize the number of ports to be unblocked to 1. How can the VPN tunneling feature be used to accomplish this?

Slide 91: VPN Tunnelling
The main concept is to tunnel all DMZ requests via the tunnel.

Slide 92: Scenario #7 - Working with VPN (diagram)
Labels: DMZ Server (Host A, Common Services); encrypted; Firewall (Port xxx); unencrypted; Unicenter Server. Route DMZ server traffic via the VPN tunnel.

Slide 93: Scenario #8
We wish to deploy Windows Terminal Server outside the firewall and connect via the Terminal Services Client from inside the firewall, to reduce the different ports to be opened for visualization. How can we configure this?

Slide 94: Scenario #8 - wvdbt
- The remote DSM and remote aws_wvgate connect to the central CORE using wvdbt
- Agent Views and NodeViews are issued from the Terminal Services Client
- TS Client traffic is encrypted and requires 3389 to be unblocked for all TS Clients
- WVDBT requires an orb connection and thus port 7774 to be opened for the server where CORE resides

Slide 95: Scenario #8 - wvdbt (diagram)
Labels: Abrowser, NodeView and Event Console issued via WTS; WTS; encrypted; Firewall; Terminal Services Client TCP 3389; Host A (Common Services); Remote DSM; CORE; Central DSM; TCP 7774; 6665/7774.
- 2 ports open; the remote DSM accesses CORE via wvdbt
- Port 7774 has to be opened for the Central DSM only

Slide 96: Encrypted Traffic
TS Client port 3389 carries encrypted traffic.

Slide 97: Scenario #8 - SQL
- The remote DSM and remote aws_wvgate connect to the central CORE using SQL
- Agent View and NodeView are issued from the Terminal Services Client
- TS Client traffic is encrypted and requires 3389 to be unblocked for all TS Clients
- SQL port 1413 needs to be unblocked for the remote DSM server

Slide 98: Scenario #8 - SQL (diagram)
Labels: Windows Terminal Services Client TCP 3389; TCP 1433 (SQL); UDP 161, ICMP Ping; UDP 162 traps; FIREWALL; ABROWSER, NodeView; DSM, WV Gateway, Common Services; Host A (Common Services); CORE; DSM; WTS.
- 2 ports open ..... SQL has to be opened for just the Central DSM
- abrowser and Nodeview issued via WTS

Slide 99: Solution #8 - TS Client Denials
TS Client port 3389 must be unblocked.

Slide 100: Scenario #8 - Local Catalog
The global catalog resides outside the firewall. No CAM port is required unless a namespace inside the firewall is selected.

Slide 101: Solution #8 - Local Catalog (diagram)
Labels: Firewall; TS Clients; WTS; Global Catalog; 3389; DSM, WV Gateway, Common Services; Host A (Common Services); Event Console, Agent View, qbrowser.

Slide 102: Scenario #8 - Global Catalog
- The Global Catalog resides inside the firewall
- When UE is launched from the WTS it syncs the catalog and requires the CAM port to be unblocked
- TNDREPUPLISH pings the Global Catalog server and may require ICMP to be opened
- CAM should be configured to connect via the TCP port

Slide 103: Solution #8 - Global Catalog (diagram)
Labels: Firewall; TS Clients; CORE; WTS; Local Catalog; 3389; DSM, WV Gateway, Common Services; Host A (Common Services); Event Console, Agent View, qbrowser; CORE Global Catalog; cam 4105.

Slide 104: CAM Denial
UDP port; CAM not configured to use TCP.

Slide 105: Solution #8 - cam.cfg
\TND\CA_APPSW\framework\cam.cfg
This forces the specified server to use the TCP port and not the default UDP.

Slide 106: Scenario #8 - Namespace inside Firewall
- Access to nodeview and agentview inside the firewall is required, launched from UE
- Requires the TCP 7774 orb port to be unblocked
- Requires the UDP 6665 port to be unblocked for the host inside the firewall

Slide 107: Solution #8 - NameSpace inside Firewall (diagram)
Labels: Firewall; CORE; WTS; Local Catalog; DSM, WV Gateway, Common Services; Host A (Common Services); Event Console, Agent View, qbrowser; CORE Global Catalog; 4105; 6665; 7774; TS Clients.

Slides 108-109: Node View from UE
Requires orb port 7774.

Slide 110: Unblock Orb 7774

Slide 111: Node View from UE
7774 unblocked.

Slide 112: Agent View from UE

Slide 113: Agent View from UE
The Agent Technology Service Control port is required; no DSM routing.

Slide 114: Agent View from UE
A UDP port has to be opened.

Slide 115: Scenario #8 - 2dMap inside Firewall
- 2dMap launched from UE accesses the CORE inside the firewall
- The WV Plugin requires the CAM port to be unblocked
- No SQL port is required for 2dMap accessed via the WV plugin

Slide 116: Solution #8 - 2dMap inside Firewall (diagram)
Labels: Firewall; CORE; WTS; Local Catalog; CORE Global Catalog; 4105; CORE local Catalog; wvplugin; TS Clients. SQL port not required.

Slide 117: Architecture Reviews Recap
- Customize from ports by updating aws_snmp.cfg
- If UDP traffic is to be blocked, install a remote DSM outside the firewall
- If the SQL port is to be blocked, then review the wvdbt implementation
- If bi-directional blocking is not accepted, then review Scenario #5
- If encryption with a minimal number of ports to be unblocked is required, then review Scenario #7

Slide 118: Scenario #9
Our firewall administrator wishes to change the orb port to 8774 for the DMZ server. The orb port for other hosts will remain the default port 7774. Is this possible?

Slide 119: Multiple Orb Binds
- To support the TNG 2.1 release, it permits binding to multiple ports, 7774 and 7770. If unable to bind the first port, it will then bind to the other ports specified.
- Do not use this option unless there are show-stopper requirements, as the feature was not intended to be exploited in this way, though it works.

Slide 120: Solution #8 - Multiple Orb Ports (diagram)
Labels: CORE Central Server (Aws_orb); CORE (Aws_orb, 8774); ManagedSystem (Aws_orb, 7774); ManagedSystem (Aws_orb); ManagedSystem (Aws_orb); ManagedSystem (Aws_orb, 7774).

Slide 121: Multiple Orb Ports
The first PLUGIN statement must be the one for the widely used port. If it cannot bind the first port specified, it then attempts to bind to the second port.

Slide 122: CAM/CAFT

Slide 123: Cam/caft - Default port assignments (cam.cfg)
- udp_port = number
- tcp_port = number
- cas_port = number
- spx_port = number

Slide 124: Cam/caft
- On startup, it checks etc/services for camudp and camtcp
- If not found, it defaults to 4104 (UDP) and 4105 (TCP)
- It then checks cam.cfg for any override
- cas_port and spx_port are available for certain platforms
- Some APIs do not read the config file, thus etc/services should be changed

Slide 125: CCI

Slide 126: CCI
Review the "CCI through Firewall" presentation for detailed information.

Slide 127: Event Management

Slide 128: Event Agent
- Can be customized to use DSB without the need for a SQL database
- Agent Technology provides a function to send messages to remote Event Management
- This eliminates the need for Event Management running
- Not best practice as it limits a lot of functionality

Slide 129: DSM to Remote Event Management
Update aws_nsm.cfg; DSM messages are sent to the remote via orb.

Slide 130: Options

Slide 131: Anti Virus Option - AVO - Virus Signature Downloads (diagram)
Labels: AVO Signature Download; Ethernet; Workstation / PC with AVO Client (several); FIREWALL; NBSESSION, NBDATAGRAM; Workstation AVO Domain Server; NT Workstation AVO Master Download Server; Encryption; CA Web Site; FTP.

Slide 132: Advanced Storage Option - ASO (diagram)
Labels: Unicenter TNG / ASO Manager; Unicenter TNG / ASO Replicator (NT); Unicenter TNG / ASO Backup Server; Central DB; Mainframe backup; Unicenter TNG / ASO Windows NT Backup Server; ASO Manager; Client Agents NT, Novell, OS/2 (TCP 6050); Client Agents UNIX (TCP 6051).

Slide 133: Summary of Ports by Product
Product | Component | Port Used
Unicenter TNG | WV Tools to CORE | TCP 1433 (SQL)
Unicenter TNG | DSM to CORE | TCP 7774
Unicenter TNG | WV Tools to Agents | UDP 6665
Unicenter TNG | Auto-discovery | ICMP (Ping), UDP (161)
Unicenter TNG | Enterprise Management | TCP 7001
Unicenter TNG | Agent to DSM | UDP 162
Remote Control Option | Manager to Agent | TCP 799
Software Delivery Option | Admin GUI to Enterprise Database | TCP 1433 (SQL)
Software Delivery Option | Admin GUI to Local Server | TCP 1433 (SQL)
Software Delivery Option | Enterprise Database to Local Server | DTO (TCP 4101)
Software Delivery Option | Local Server and Agent | Share: UDP 138 (nbsession), TCP 139 (nbdatagram)
Asset Management Option | Admin GUI to AMO Enterprise Data | TCP 1433 (SQL)
Asset Management Option | Engine to AMO Enterprise Database | TCP 1433 (SQL)
Asset Management Option | Sector to Engine | Share or RPC
Asset Management Option | Agent to Client | Share or RPC

Slide 134: Summary of Ports by Product (continued)
Product | Component | Port Used
Advanced Help Desk | Server and Client | TCP 2100
Performance | Manager to Agent | TCP 4101, Share
Anti-Virus Option | Virus Signature Database Host to CA Virus Signature Web Server | TCP 21 (FTP)
Anti-Virus Option | Agent to Virus Signature Machine | FTP (for periodic signature download)
Anti-Virus Option | Agent Alerts to Alert Manager | NetBEUI (over TCP)
Advanced Storage Option | Admin to Backup Manager | TCP 6050, 6051
Advanced Storage Option | Agent (Client) to Backup Manager, NT, Novell, OS/2 | TCP 6050
Advanced Storage Option | Agent (Client) to Backup Manager, Unix | TCP 6051
Advanced Storage Option | Replicator NT | TCP 6060
Advanced Storage Option | Replicator to Backup Manager NT | TCP 6050
Data Transport Option | Manager and Agent (CAM) | TCP 4104, 4105, 4905

