Making r11 Agent Technology talk through a Firewall
Last Updated 12/19/2005

Agenda
  • Introduction
  • Secured Remote MDB setup
  • Worldview Discovery
  • Configuring DIA for firewall
  • Managing CA Agents using DIA
Objectives
  • Requirements of working through a firewall will vary for different sites
  • The architecture will be highly dependent on
    • Level of risk accepted
    • Rules dictated by the firewall administration.
    • Rules governing blocking and unblocking of ports.
  • This presentation walks through some common scenarios dictated by different security administrations
Firewall Requirements
  • Considerations for the Firewall
    • Reduce the number of ports to be unblocked
    • Minimize port contention
    • Block UDP ports
    • Minimize the number of hosts that require ports to be unblocked
    • Block traffic initiated from outside the firewall
Need for Firewalls
  • Exponential growth in cyber crime
    • Hackers, cyber criminals, e-terrorists
  • Problems caused by denial-of-service attacks highlighted the need for a resilient and secure DMZ environment.
  • Secure Internet environments require firewalls
Perimeter vs. Host Firewalls
  • For this presentation we are only considering perimeter firewalls.
  • There are several considerations for deploying host firewalls, and they will introduce complexities for r11 if the host firewall rules are not consistent
Testing Environment
  • DMZ Server: dawya01v05
  • Secured Zone: MDB Server = I14y204

Scenario #1
  • We wish to deploy NSM in a DMZ environment but want to use an MDB which resides in the secured zone
  • What are the considerations?

[Diagram: DMZ NSM Install (Ingres Client) in the DMZ, connecting through the Firewall to the MDB (Ingres Server) in the Secured Zone on port 19016]

Select Secured MDB

Connection Fails as Ingres Client port not opened

Ingres Client

Shows port 19016 is blocked.

Ingres Client
  • The Ingres Client (Netserver) requires access to the MDB database residing on the Ingres Server
  • This requires the Ingres Client port to be opened inbound
  • The port number will vary depending on the Ingres Instance id
  • The default Ingres Instance is EI
  • To translate the Ingres Instance id into the port number, click
    • Convert Ingres Port
  • Converted Unix source to Windows:
    • Mdbport <instanceid>
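The instance-id-to-port translation the slide refers to, as an added Python example (not from the presentation and not CA's Mdbport tool), so the firewall administrator can work out which Ingres port to open before the DMZ install. The bit layout is an assumption verified against EI -> 19016 from the slide and the Ingres default II -> 21064; the example goes beyond the slide by also listing the eight subport ports and decoding a port number back to its instance id.

```python
# Added example, not from the presentation or CA's Mdbport tool: derive the
# Ingres Net listen port from a two-character installation (instance) id.
# Assumed bit layout (not on the slide): bit 14 set; first letter A=1..Z=26
# in bits 9-13; second character in bits 3-8 (A=1..Z=26, digits 0-9 assumed
# to map to 27-36); subport 0-7 in bits 0-2.
# Checked against EI -> 19016 (on the slide) and the Ingres default II -> 21064.

def _field(ch: str, allow_digit: bool) -> int:
    """Map one installation-id character to its field value."""
    ch = ch.upper()
    if "A" <= ch <= "Z":
        return ord(ch) - ord("A") + 1
    if allow_digit and "0" <= ch <= "9":
        return 27 + ord(ch) - ord("0")  # assumed digit encoding
    raise ValueError(f"invalid installation id character {ch!r}")


def ingres_port(instance_id: str, subport: int = 0) -> int:
    """TCP port the Ingres instance listens on for the given subport."""
    if len(instance_id) != 2:
        raise ValueError("installation id must be two characters")
    if not 0 <= subport <= 7:
        raise ValueError("subport must be 0-7")
    first = _field(instance_id[0], allow_digit=False)
    second = _field(instance_id[1], allow_digit=True)
    return (1 << 14) | (first << 9) | (second << 3) | subport


def ingres_port_range(instance_id: str) -> list:
    """The eight subport ports that share the instance code (subport 0 is
    the default); useful when sizing the firewall exception."""
    return [ingres_port(instance_id, s) for s in range(8)]


def decode_port(port: int) -> tuple:
    """Inverse: recover (installation id, subport) from a port number,
    e.g. to tell which instance a blocked port such as 19016 belongs to."""
    first, second, subport = (port >> 9) & 0x1F, (port >> 3) & 0x3F, port & 0x7
    if port >> 14 != 1 or not 1 <= first <= 26 or not 1 <= second <= 36:
        raise ValueError(f"{port} is not an Ingres-style port")
    c1 = chr(ord("A") + first - 1)
    c2 = chr(ord("A") + second - 1) if second <= 26 else chr(ord("0") + second - 27)
    return c1 + c2, subport


if __name__ == "__main__":
    for iid in ("EI", "II"):
        print(iid, ingres_port(iid), ingres_port_range(iid))
    print(decode_port(19016))
```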
Ingres Ports

Unix Source ported to Windows

Install Process
  • Prior to the NSM install in the DMZ, get the secured MDB Server information including:
    • MDB server name and Ingres Install id
    • User ID and Password to connect to the remote MDB
        • For NSM, this will be nsmAdmin
        • For DSM, this will be ca-ITRM
Open Ingres Port

Ingres Client communicates with the Ingres Server successfully with port opened

Ingres Client

This shows Ingres port used to connect to the Ingres Server

WV Discovery
  • Discovery Considerations
    • Initiate discovery from inside firewall
    • Initiate discovery from outside firewall but MDB inside Firewall
    • Temporary Unblock Ports for Auto Discovery
    • NAT implication
WV Discovery: Initiated within Firewall

[Diagram: dscvrbe –r .. run in the SECURED zone against the DMZ, with the MDB in the secured zone]

WV Discovery: Initiated within Firewall
  • Ping Sweep
  • ICMP and SNMP opened
WV Discovery: Ping Sweep
  • Discovery initiated within the Firewall
    • Ping sweep requires ICMP to be allowed through the firewall
WV Discovery: Classification
  • SNMP (161) Required for Classification
WV Discovery: Classification
  • Additional Ports may be required if “Check Additional Ports” selected
WV Discovery: Initiated Outside Firewall

[Diagram: dscvrbe –r .. run in the DMZ, through the Firewall to the MDB (Ingres, port 19016); no UDP through the firewall]

WV Discovery Limited Unblocked
  • During the auto-discovery process objects are classified using SNMP, therefore the SNMP port should be opened.
  • Once auto-discovery is complete the port can be closed.
  • It is also possible to run discovery outside the firewall and then move the data inside the firewall via trix – this is NOT best practice and the customization is “more difficult than is apparent”
Scenario #3
  • We wish to configure DIA in a Firewall environment to reduce the number of ports to be unblocked.
  • What are the considerations?
[Diagram: SECURED zone with the MDB server running DIA (UKB); DMZ Server running DNA; separated by the Firewall. DNA ports 11501, 11502, 11503; Data ports 11502, 11504]

Requirements Recap
  • From the DMZ, connect to the UKB in the secured zone
    • DNA in the DMZ will report to the secured zone UKB
  • This will enable MCC and other GUIs to communicate with DNA cells in the DMZ
  • DIA ports will be blocked inbound with the exception of the data port
  • DIA ports unblocked for all outbound traffic
Configuration
  • Identify the potential candidate for UKB proxy in the secured zone.
    • In our case, the most suitable candidate is the MDB server we wish to connect to from the DMZ
    • For performance reasons, this should NOT be the Master UKB
  • Determine if an SRV record is defined in DNS for the DMZ environment. In most cases this will not be the case, and it is not required for the DMZ
    • If SRV is defined then additional DIA inbound ports may need to be opened
UKB Proxy
  • In the secured zone, update ukb.cfg for the server that will be designated as UKBProxy
  • Once updated, restart DIA service to pick up the UKBProxy settings
Secured Zone: Update ukb.cfg

Set PROXY_UKB to Yes

DMZ Server
  • Verify DMZ Server is pingable from Secured zone
    • This should be the real hostname of DMZ Server
  • DIA ports are opened for outbound traffic. The port numbers are configurable in ukb.cfg and dna.cfg files
  • Activate DMZ Server using diatools from the secured zone
  • Verify the DMZ DNAs are registered correctly
Secured: Active DMZ DNA
  • Launch diatool from the secured zone which is designated as UKBProxy
  • Activate DMZ DNA
Secured: Active DMZ DNA

Enter DMZServer Hostname

Activation Complete

DMZ
  • Verify the DNA is activated correctly and reporting to the UKBProxy in Secured zone
  • Review ukb.dat file on the DMZServer
DMZ - Verification

This points to Secured Zone UKB, which is correct

Alternative Activation using Command Line
  • If a GUI is not desirable, then the DNA can also be activated using the following command
    • C:\Program Files\CA\SharedComponents\CCS\DIA\dia\dna\bin\autoactivatedna.bat
Secured Zone: UKB

[Screenshot: the UKB lists the DMZ DNA and the Local DNA; this shows the DNA has been activated for the DMZ server]

DMZServer to UKBProxy

Inbound Traffic responding via the active connection

DNA RMIPORT - 11502

Outbound Traffic

UKB 11503 Port
  • This port is used by consumers, such as UMP, to communicate with UKB
Conclusion
  • DIA / DNA inbound traffic to the DMZ is blocked, with the exception of the cgene data ports 11502 and 11504
  • DIA from the secured zone determines which DMZ ports are blocked and plugs the hole, eliminating the need to unblock DIA inbound registration ports
Scenario #4
  • We wish to deploy CA Agents in DMZ
  • What are the considerations for CA Agents in DMZ to communicate to DSM in the secured zone?
[Diagram: DIA and the MDB in the SECURED zone, CA Agents and DNA in the DMZ, separated by the Firewall; DNA ports 11501, 11502, 11503 and 9990 (Aws_dsm); Data ports 11502, 11504]

Agent Communication - Configuration
  • Configuration file
    • %AGENTWORKS_DIR%\SERVICES\CONFIG\atservices.ini
  • Section [SNMP]
  • Parameter 'UseSnmp'
    • '0' – DIA only
    • '1' – SNMP only
    • '2' – DIA to CA-Agents (Enterprise OID 791), SNMP otherwise
    • '3' – can do both DIA or SNMP depending on the target machine
DSM Communication - Architecture

[Diagram: Manager side (DSM with DIA installed): DNA, AWS_AGTGATE, AWS_ORB, AWS_SNMP. Managed Node side: DIA Active (AWS_AGTGATE, AWS_ORB, AWS_SADMIN) and DIA Not Active (SNMP), each hosting CA-Agent (791) and Non-CA-Agent agents. Links are labelled UseSnmp = 0, 1, 2 and 3]

UseSnmp Settings
  • If non-CA agents are to be monitored then aws_dsm should be installed in the DMZ.
  • If only CA agents are to be monitored, reporting to the secured DSM, then set UseSnmp to 0.
Default UseSnmp

Default Setting of UseSNMP. Change it to UseSNMP=0 to force DNA communication

Cgene
  • With useSNMP set to 0, Agent Technology will communicate with the DSM via DIA ports.
  • This will result in cgene send and receive requests between secured zone DSM and CA Agents running in DMZ.
  • Requires ports 11502 and 11504 to be opened inbound
Cgene send and receive test
  • To verify Agent Technology can communicate with the DSM via DIA, run cgene tests
  • Set up a cgene receive request on the secured zone
  • Run cgene send to the secured zone DSM from the managed node.
DSM View
  • CA Agents Discovered correctly without the need to open UDP ports inbound
Traps via DIA
  • Traps communication via DIA
Port 9990
  • DMZ aws_orb binds to 9990 for DIA communications
Port 9990
  • DIA aws_orb communication via 9990
  • aws_dsm and tools sending requests via port 9990
SNMP Traps
  • If UseSNMP is set to 3, it will generate SNMP traps
Conclusion
  • If configured correctly, then DMZ CA Agents can be managed by the secured aws_dsm without unblocking UDP inbound ports
Questions and Answers

Any questions?