
Tivoli and Firewall



Presentation Transcript


  1. Tivoli and Firewall Mike Hau, GRT EMEA haum@uk.ibm.com

  2. Tivoli and Firewall Notes • TFST • multiple firewalls • low system requirements • not transparent to TME

  3. Tivoli Firewall Security Toolbox (TFST)
  • TFST (also known as Firewall Proxies) enables Tivoli endpoints to communicate with Tivoli gateways in a firewall-friendly manner:
    • Port consolidation
    • Multi-segmented DMZ support
    • Bi-directional and uni-directional connections
    • Non-TME TEC adapter support
  • TFST provides four components:
    • Endpoint Proxy (EPP) and Gateway Proxy (GWP)
    • Relay Agent
    • Event Sink

  4. Firewall Proxies
  • Motivation
    • The Endpoint Communication Protocol (ECP) is a Tivoli-proprietary protocol and requires specific ports to be enabled
    • Customers require the use of a single port, transparent to the underlying applications
    • Some customers require control over which connections are being formed
  • Solution
    • Proxies are put between the Gateway and its Endpoints
    • The Gateway Proxy acts like a Gateway to its Endpoints
    • The Endpoint Proxy acts like an Endpoint to its Gateway
    • Full communication control between the two Proxies

  5. Default ECP behavior (diagram): Gateway (port 9494) and Endpoint with its Upcaller (port 9495). Downcall: the Gateway connects to the Endpoint on 9495. Upcall: the Endpoint's Upcaller connects from an ephemeral port (*) to the Gateway on 9494.

  6. ECP behavior with Proxies (diagram): Gateway (9494) on the Secure side, Endpoint with Upcaller (9495) on the Less Secure side, with the EP Proxy and GW Proxy in between; the proxy hops are shown with ports 7070, 7171 and 9065. Downcalls flow Gateway → EP Proxy → GW Proxy → Endpoint; upcalls flow Endpoint → GW Proxy → EP Proxy → Gateway.

  7. Base concepts
  • TME Gateway: believes that the TMAs it sees are real; they are in fact impersonated by the EPP.
  • Endpoint Proxy (EPP): intercepts all logging-in TMAs and replicates their behaviour towards the TME Gateway. The EPP is a stateful component: it stores all TMA information in its database (EPP DB).
  • Firewall: the proxies embed the ECP packets in a proprietary protocol that tunnels through the firewall.
  • Gateway Proxy (GWP): accepts connections from TMAs, validates the packet type (ECP) and forwards it up the chain. It also forwards packets received from the EPP to the target TMA.
  • Endpoint (TMA with Upcaller): believes that the Gateway Proxy is its actual TME Gateway.

  8. Endpoint emulation by the EPP
  • The EPP intercepts all logging-in TMAs and stores their key information in the EPP database. Each TMA attached to the chain is emulated by the EPP towards the TME Gateway.
  • The Endpoint Manager sees the TMA with the IP address of the EPP plus a port established by the EPP when the TMA logs in. The TMA label remains unchanged.
  • Each TMF operation (downcalls, TMF-based applications) that uses the TMA label to identify the TMA is not affected by the presence of the proxies.
  • Operations that require the TMA IP address and port (e.g. TMA web pages) must use the address and port generated by the EPP.
  (Diagram: TME Gateway sees TMA1, TMA2, TMA3 via the Endpoint Proxy and its EPP DB; behind the Firewall, the Gateway Proxy serves the real TMA1, TMA2, TMA3.)

  9. Proxy Security
  • Communication security
    • Proxies allow connections from known peers only; any other peer connection is refused.
    • ECP packets are validated; non-ECP packets are rejected.
    • Proxy behaviour on validation failure: drop the connection and generate a log message.
    • TCP/IP timeout prevents DoS connect attacks.
    • Max session option prevents DoS overload attacks.
  • General security
    • Processes run as an unprivileged user.
    • The proxy does not spawn any child processes.
  • NT/W2K
    • Must be Administrator to install the proxy services.
    • File/directory permissions control access.
    • The proxy runs as a Windows service.
  • Unix
    • File/directory permissions control access.
    • Processes are launched via init.
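The admission rules on slide 9 (known peers only, ECP-only first packet, drop-and-log on failure, session cap, idle timeout) as an added example in Python. This is not TFST code: the slide does not describe the real ECP framing, so the packet-type check uses a hypothetical 4-byte marker `b"ECP1"`, and the peer addresses and packets in `demo()` are constructed for illustration.

```python
"""Connection admission policy modelled on the TFST 'Proxy Security' slide.

Added example, not TFST code. The ECP packet-type check uses a hypothetical
4-byte marker b"ECP1" because the slide does not describe the real ECP framing.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

ECP_MARKER = b"ECP1"  # hypothetical stand-in for whatever identifies an ECP packet


@dataclass
class ProxyAdmission:
    known_peers: Set[str]      # peers the proxy is configured to accept (its EPP, or its TMAs)
    max_sessions: int          # "Max session option prevents DoS overload attacks"
    idle_timeout_s: float      # "TCP/IP timeout prevents DoS connect attacks"
    sessions: Dict[int, str] = field(default_factory=dict)  # session id -> peer address
    log: List[str] = field(default_factory=list)
    next_id: int = 0

    def refuse(self, peer: str, reason: str) -> None:
        self.log.append(f"REFUSED {peer}: {reason}")

    def accept(self, peer: str) -> Optional[int]:
        """Stage 1: only known peers get a session, and only up to max_sessions."""
        if peer not in self.known_peers:
            self.refuse(peer, "unknown peer")
            return None
        if len(self.sessions) >= self.max_sessions:
            self.refuse(peer, "max sessions reached")
            return None
        sid = self.next_id
        self.next_id += 1
        self.sessions[sid] = peer
        return sid

    def first_packet(self, sid: int, data: bytes) -> bool:
        """Stage 2: the first packet must be ECP; otherwise drop the connection and log."""
        peer = self.sessions[sid]
        if not data.startswith(ECP_MARKER):
            del self.sessions[sid]
            self.log.append(f"DROPPED {peer}: non-ECP packet {data[:4]!r}")
            return False
        return True

    def reap_idle(self, idle_seconds: Dict[int, float]) -> List[int]:
        """Close sessions that have been idle longer than the timeout."""
        closed = [sid for sid, idle in idle_seconds.items()
                  if sid in self.sessions and idle > self.idle_timeout_s]
        for sid in closed:
            self.log.append(f"TIMEOUT {self.sessions.pop(sid)}: idle session closed")
        return closed


def demo():
    """Constructed scenario: a GWP that trusts one TMA address and allows two sessions."""
    gwp = ProxyAdmission(known_peers={"10.0.1.5"}, max_sessions=2, idle_timeout_s=30.0)
    results = {}
    results["unknown_peer"] = gwp.accept("192.0.2.99")                  # None, refused
    s1 = gwp.accept("10.0.1.5")
    results["ecp_ok"] = gwp.first_packet(s1, b"ECP1\x00\x10login")      # True
    s2 = gwp.accept("10.0.1.5")
    results["http_dropped"] = gwp.first_packet(s2, b"GET / HTTP/1.1")   # False, session closed
    s3 = gwp.accept("10.0.1.5")
    results["overload"] = gwp.accept("10.0.1.5")                        # None, two sessions open
    results["reaped"] = gwp.reap_idle({s1: 45.0, s3: 2.0})              # [s1]
    return results, gwp.log


if __name__ == "__main__":
    res, log = demo()
    print(res)
    print("\n".join(log))
```

The point of splitting the check into two stages is the one the slide makes: an unknown peer never gets a session at all, and a known peer that speaks anything other than ECP loses its session on the first packet, so neither a port scan nor a stray HTTP client can hold a proxy slot.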

  10. The Relay add-on • Allows traversal of multi-segmented DMZs by creating hops between GWP and EPP • The connection direction can be defined (e.g. inbound connections only) (Diagram: EP Proxy | Firewall | GW Relay Proxy | Firewall | GW Relay Proxy | Firewall | GW Proxy)

  11. TMA Proxy & Relay Topology
  • The proxy components can be interconnected like a tree where the root component is the Endpoint Proxy (EPP), the leaves are the Gateway Proxies (GWP) and the intermediate nodes are the relays (R).
  • Each node in the tree can have more than one child node, e.g. an EPP can be attached to one or more GWPs/relays.
  • Each node in the tree can have just one parent, e.g. a GWP or relay can be attached to just one EPP.
  • The EPP can be attached to just one Tivoli gateway.
  • Several TMAs can be attached to one GWP.
  (Diagram: Endpoint Gateway → EPP → Firewall → GWP, R → R → Firewall → GWP, R → GWP → Firewall → GWP, GWP, GWP.)
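The topology rules of slide 11 (EPP at the root attached to one gateway, relays as intermediate hops, GWPs as leaves, every node with exactly one parent, several TMAs per GWP) turned into a checker, as an added example rather than anything shipped with TFST. The node names, the kind labels `GW`/`EPP`/`R`/`GWP`/`TMA` and the edge lists are constructed for the example; the real components take their topology from their own configuration files.

```python
"""Topology check for a TFST proxy/relay tree, following the rules on slide 11.

Added example, not part of TFST. Node kinds and edges are constructed here;
the real components take their topology from their own configuration files.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# child kind -> kinds it may attach to (each child has exactly one parent)
ALLOWED_PARENT = {
    "EPP": {"GW"},         # the EPP attaches to exactly one Tivoli gateway
    "R":   {"EPP", "R"},   # relays create hops between EPP and GWP
    "GWP": {"EPP", "R"},   # GWPs are the leaves of the proxy tree
    "TMA": {"GWP"},        # endpoints attach to a GWP (several per GWP is fine)
}


def validate(nodes: Dict[str, str], edges: List[Tuple[str, str]]) -> List[str]:
    """nodes: name -> kind ("GW", "EPP", "R", "GWP", "TMA"); edges: (child, parent).

    Returns a list of rule violations; an empty list means the topology is legal.
    """
    parents = defaultdict(list)
    for child, parent in edges:
        parents[child].append(parent)

    problems = []
    for name, kind in nodes.items():
        if kind == "GW":
            continue  # the TME gateway is outside the proxy tree
        ps = parents.get(name, [])
        if len(ps) != 1:
            problems.append(f"{name} ({kind}) has {len(ps)} parents, needs exactly 1")
        for p in ps:
            pk = nodes.get(p, "unknown")
            if pk not in ALLOWED_PARENT[kind]:
                problems.append(f"{name} ({kind}) may not attach to {p} ({pk})")
    return problems


def example_topologies():
    """Constructed: a tree like the slide's, then the same tree with two illegal edges."""
    nodes = {"gw": "GW", "epp": "EPP", "r1": "R", "r2": "R",
             "gwp1": "GWP", "gwp2": "GWP", "gwp3": "GWP",
             "tma1": "TMA", "tma2": "TMA"}
    good = [("epp", "gw"), ("r1", "epp"), ("gwp1", "epp"), ("r2", "r1"),
            ("gwp3", "r1"), ("gwp2", "r2"), ("tma1", "gwp2"), ("tma2", "gwp2")]
    bad = good + [("gwp2", "r1"),   # gwp2 would now have two parents
                  ("tma2", "epp")]  # a TMA attached directly to the EPP
    return validate(nodes, good), validate(nodes, bad)


if __name__ == "__main__":
    ok, broken = example_topologies()
    print("legal tree:", ok or "no problems")
    print("illegal tree:", *broken, sep="\n  ")
```

Because the check is driven by `ALLOWED_PARENT`, adding a rule such as "a relay may not be a leaf" is a one-line change; the slide does not state that rule, so it is not enforced here.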

  12. Resilience - Gateway-Proxy Failover • Two places of resilience: Up-stream (Endpoint) and Down-stream (Endpoint Proxy) • Up-stream / Endpoint • Similar to Gateway failover (-g option or wep set interfaces, but not the select_gateway_policy) • Down-stream / Endpoint Proxy • Instead of a single GWP, a group of GWPs can be configured (using the file proxy.grp)

  13. Gateway Proxy Fail-over • Several Gateway Proxies can be put in fail-over mode. This means that when a TMA is unreachable because its GWP is down, an alternative GWP can be used to reach that TMA. • GWP fail-over must be configured in the proxy.grp file • The proxy.grp file contains the groups of Gateway Proxies to which fail-over must be applied. (Diagram: TME Gateway → Endpoint Proxy with EPP DB → Firewall → two Gateway Proxies → TMA)

  14. Multi-homed configuration • A machine that has more than one network interface and address is known as a multihomed host. Multihomed hosts might need to connect to one component in one subnet and another component in another subnet. For example, an endpoint proxy machine might connect to a Tivoli gateway in one subnet and to relays or gateway proxies in another subnet. (Diagram: Subnet A with the Tivoli Gateway; Endpoint Proxy with one NIC in Subnet A and one NIC in Subnet B; Firewall; Gateway Proxy in Subnet B)

  15. Multi-home communication • Multi-homed systems supported • More secure because admin net traffic can be separated from other net traffic • Proxy can act as a router/firewall between networks • Endpoint Proxy can listen on one interface for Gateway Proxy traffic and another for Gateway traffic • Relay can listen on one interface for children traffic and another for parent traffic • Gateway Proxy can listen on one interface for Endpoint Proxy traffic and another for TMA traffic

  16. Tivoli and Firewall Notes - NAT • If only few MNs or gateways are behind a NAT firewall • Do you want to configure the whole TME environment for NAT? • What impact will this have on your DNS servers? • Is name resolution good/robust throughout the whole environment? • Endpoints are not always included in DNS.

  17. NAT - One or two MNs/gateways … • Alternative solution is NOT using “allow_NAT TRUE” • Only viable if static NAT is being used • Update odlist with the NAT’d address of the MN behind the firewall • Restart this MN with “oserv -h <TMR server name>” • This updates the MN's odb.adj with the NAT’d address of the TMR server • “odadmin set_iom_by_name TRUE” is still necessary • DNS not needed for endpoint communications • Gateway will be using the real IP address to contact endpoints • SGP (select_gateway_policy) script should pass the hostname, not the IP address, of endpoints

  18. NAT and Endpoints • TME to Endpoint • Endpoint can only be located via hostname held by Epmgr • CLI “odadmin set_allow_NAT TRUE” • Gateway converts NAT’d IP address of endpoint to hostname • Gateway passes the endpoint hostname to the Epmgr • Epmgr stores the endpoint hostname* • Endpoint IP address is resolved at gateway during a downcall • CLI “wepmgr ep_hostname_resolution 0|1” • Epmgr may be in a different DNS zone from gateway • added to stop hostname resolution at Epmgr in log files and method execution • “1” is the default – enables hostname resolution

  19. Dynamic NAT with endpoints • Connections only allowed from within/behind the firewall • That usually means from the gateway to the endpoint • Availability products cannot work in this environment • Must use TFST to use availability products • Configure TFST for uni-directional communications • Connection established from gateway to endpoint • TFST Event Sink necessary for collection and forwarding of events

  20. Tivoli and Firewall Notes • SPBDT and a Gateway • strong authentication and encryption (up to 3DES) • additional Managed Nodes in DMZ • Care must be taken to ensure required processes not shutdown • Tec_ui_server on a gateway that is not the TEC server

  21. Tivoli and Firewall Notes Allow_proxy_upcall • easy to deploy – just set option on the Endpoint • not all applications support this feature • Current defect as described in APAR IY63010 • Endpoint patch due November 2004
