1 / 60

CCI through Firewall

TNG 2.4. CCI through Firewall. Updated April 16, 2002. Objectives. CCI Considerations for deployment in DMZ or Internet environment Review different deployment options Review potential Risks , primarily Denial of Service (DOS) attacks. DoS.

marcie
Download Presentation

CCI through Firewall

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. TNG 2.4 CCI through Firewall Updated April 16, 2002

  2. Objectives • CCI Considerations for deployment in DMZ or Internet environment • Review different deployment options • Review potential Risks , primarily Denial of Service (DOS) attacks

  3. DoS • Any software deployed in DMZ requires protection against malicious access or denial of service attacks. This requires review of security solutions to prevent these attacks which is out of scope of this presentation

  4. Agenda • CCI Introduction • CCI Layers • DoS • Different Deployment Options

  5. The need for CCI • Applications such as Workload, Tape, Security need to communicate with one another across various servers and platforms.

  6. The need for CCI • Inter-Process Communications (IPC) unique to each platform. • Network programming issues centralized. • Need for a standard method to allow applications to communicate with one another.

  7. The need for CCI • Allows applications on various platforms to communicate with applications on any other using the mechanism of CCI.

  8. CCI is available on... • UNIX • NT • AS/400 • OpenVMS • Tandem • OS/390

  9. What CCI does…. • Allows applications to communicate with one another without considering IPC / network programming issues. • Presents set of APIs that allow programmers to focus on what an application needs to do and forget about IPC / network programming issues.

  10. And what CCI does not do…. • Replace TCP/IP • Retrieve information from application databases • Replace FTP for file transfer • Perform security validation at login time • Manipulate the data

  11. CCI Layers • QUES Layer introduced the ability to connect at send time. • RMT Layer connects at CCI start up time. • RMT has auto-connect capability • Auto-connect capability can be disabled with configuration setting

  12. QUES Layer • Eliminates need for configuration files • New hosts may be brought into configuration with less effort • Removal of host from configuration does not affect other hosts • Connections between hosts are short lived • Bi-Directional CCI Initialization

  13. QUES Layer • Requires 7001 port to be unblocked bi-directional • CCI Initialization from DMZ and Private Network • Potential risk for Denial of Service Attacks • Syn Flooding • Etc • Port must be unblocked for the designated TNG servers and not for all hosts • No predefined source port

  14. QUES Layer • Transport mechanism • Connects with SYN Flag • Send Data • Disconnect • No persistent connection

  15. RMT Layer • Persistent Connection • Connection established at start up and remains open for duration of CCI • Preferred option in Firewall deployment • Configuration Issues • Alias – defaults to first 8 characters of hostname • New hosts may be brought in with Auto Connect Feature if no alias conflict

  16. RMT Layer • RMT connectivity • NT – Unix • Unix – Unix • NT – OS/390 • Unix – OS/390 RMT supported for Event and Workload discipline in NT –NT Environment. This support is only for Firewall Deployments and may come with some performance penalties

  17. RMT Layer • Port Usage • Source Port can be configured by environment settings • Destination port defaults to 1721 but can be configured

  18. DMZ DMZ Private Private DMZ Private Syn Three-way Handshaking SYN SYN/ACK ACK

  19. How SYN Flooding Works • A TCP connection request (SYN) is sent to the target computer. The source IP address in the packet can be "spoofed," or replaced with an address that is not in use on the Internet, or that belongs to another computer. An attacker may send many of these TCP SYNs to tie up as many resources as possible on the target computer to exhaust the resources • Upon receiving the connection request, the target computer allocates resources to handle and track the new connection, then responds with a "SYN-ACK". In this case, the response is sent to the "spoofed" non- existent IP address. • No response is received to the SYN-ACK. A default-configured Windows NT 4.0 computer will retransmit the SYN-ACK 5 times, doubling the time-out value after each retransmission. The initial time-out value is three seconds, so retries are attempted at 3, 6, 12, 24, and 48 seconds. After the last retransmission, 96 seconds are allowed to pass before the computer gives up on receiving a response, and deallocates the resources that were set aside earlier for the connection. This can be configured using registry changes BLOCK 7001 port except for designated TNG servers

  20. Firewall SYN Flood • Review Firewall solution to prevent Syn Flood attacks or DoS • Ensure, 7001 is only unblocked for the two TNG servers which requires CCI Connectivity • Review O/S Hot Fixes for DoS attacks

  21. CCI Ports – NT • Transporter • Quenetd • TCP destination port 7001 for NT to NT communication • CCI will attempt TCP connection first • If fails, will attempt RPC connection • If RPC fails, will then attempt, RMT daemon on 1721

  22. CCI • Transporter Service - QUES Layer • TCP 7001 • Change Transport Protocols settings to TCP to avoid attempts to open 7003 or 7004 • Transport Protocol defaults to ALL

  23. CCI Connection Attempts Transport Protocols set to ALL – 7001 ---> 7003 ---> 1721

  24. Testing Environment

  25. Testing Environment • CA Etrust Firewall • TNG 2.4 • No additional TNG fixes

  26. Deployment Options

  27. Deployment - Scenario 1 Client would like to forward Event exception Messages from DMZ but not willing to install SQL server in DMZ environment?

  28. Deployment - Scenario 1 • Install Event Agent • Set Event Agent Proxy Node to TNG server inside the firewall • Open up 7001 port in both directions • Set Transport Protocol configuration setting to TCP

  29. DMZ Event DSB • Event Agent Proxy Node • Specify the node name of Central Server Event Manager • DSB refreshed from Central Server

  30. DMZ Event DSB • If proxy node not required, then local dsb can be pushed to DMZ by other means

  31. CORE DSM wvdbt EVT OPRDB Common Services DSM EVT Common Services NT -> NT Private Network CORE TRANSPORT PROTOCOLS = TCP TCP 7001 TCP 7001 FIREWALL DMZ 7001 Unblocked both directions – CCI may be initiated from DMZ TRANSPORT PROTOCOLS = TCP

  32. Deployment - Scenario 2 Client would like Event Messages from DMZ but not willing to unblock CCI 7001 for Inbound traffic . Thus stop CCI Initialization to take place from DMZ.

  33. Deployment - Scenario 2 • Install Event Management in DMZ • Block 7001 for inbound and outbound traffic • Unblock Agent Technology port 7774 • For exception messages to be forwarded to TNG server inside the firewall, generate a trap and forward it local DSM

  34. Deployment - Scenario 2 • Update local DSM policy to listen for user generated Event Traps • From the local dsm policy write trap messages to remote host • Update %AGENTWORKS_DIR%\services\config\aws_nsm\aws_nsm.cfg • Set wtotargethost and wtotargetaddress

  35. DSM Remote Host

  36. Deployment Scenario 2 NT -> NT CORE DSM wvdbt EVT OPRDB Common Services DSM EVT Common Services Private Network CORE TCP 7774 FIREWALL CCI Connectivity not required through firewall DMZ CATRAP

  37. Deployment - Scenario 3 Client would prefer persistent connection and wish to open CCI port just for outbound traffic ? Thus prevents CCI Initialization to take place from DMZ

  38. Deployment - Scenario 3 • RMT daemon provides persistent connection • Customize ccirmtd.rc and ccirmtd.prf to start up connection from private network • Add the NT servers to RMTHOSTNAME entries

  39. NT – NT RemoteRMTHOSTS Add NT node to RMTHOSTS settings

  40. NT – NT RemoteRMTHOSTS • Update RMTHOSTS on both NT nodes. • If only one updated, the other NT node will still use QUES layer. For example • RMTHOSTS entry on WLA node not updated to use RMT layer for WLM • WLM RMTHOSTS entry updated to use RMT layer for WLA. • All requests from WLM to WLA will use RMT. • Jobterm from WLM will use QUES layer

  41. NT – NT RemotePrivate ccirmtd.rc Add NT node to ccirmtd.rc to prevent potential first autoConnect attempt failure. The CCIRMTD.rc in the private network must be updated to startup RMT connection

  42. NT – NT RemoteDMZ ccirmtd.rc • CCIRMTD.rc file on the DMZ must have entry with nostart and retry=0 (no retry). • This is to prevent CCI initialization from DMZ environment

  43. NT – NT RemoteSource Port • To pre-define source port for RMT connection, add environment variable CAI_CCI_PORT1 • Set this on both NT nodes

  44. CORE DSM wvdbt EVT OPRDB Common Services DSM EVT Common Services NT -> NT Remote Private Network CORE FIREWALL TCP 1721 NT DMZ 7001 Blocked - Persistent Connection and traffic initiated from Private network

  45. Deployment - Scenario 4 Client would like to use QUES Layer but wish to block 7001 port from DMZ to private network. What are the implications?

  46. DMZ -> Private • Execute cawto in DMZ environment to send message to Private network • Cawto [<private>] Sending message from DMZ to Private • Message will be denied by Firewall • Exception messages cannot be forwarded from DMZ to Private Network

  47. DMZ -> Private with 7001 Blocked

  48. Deployment - Scenario 5 Client would like to introduce user encryption for CCI traffic and also wish to implement host authentication.

  49. Deployment - Scenario 5 • Implement CCI Encryption exit • cauemcc2.dll • Can validate remote hosts and reject cci buffer • User encryption not valid for heterogeneous environment

  50. Deployment Scenario – 5Host Authentication

More Related