Configuring Firewalls for SiteProtector Traffic

Transcription

1 IBM Proventia Management SiteProtector System Configuring Firewalls for SiteProtector Traffic Version 2.0, Service Pack 7, July 29, 2008 Overview SiteProtector cannot function properly if firewalls prevent components from communicating. This guide provides procedures for configuring network devices and SiteProtector components so that they can communicate through firewalls. Assumptions This document assumes that you are familiar with the following: procedures for configuring firewalls routers, or any other devices that you use to block traffic on your network procedures for modifying system files such as Windows registries and properties files Firewalls In this document, firewalls include devices that filter traffic, including packet filtering firewalls, routers, and VPNs. These firewalls may also use network address translation (NAT). Note: If your firewalls are not configured to block traffic, the procedures in this chapter might not apply to them. Task overview Table 1 provides a checklist to help you complete the tasks: Task Description 1 Configure your firewall so that the required ports are open. See Port Information for SiteProtector Traffic on page 4. Table 1: Task overview IBM Internet Security Systems 1

2 Configuring Firewalls for SiteProtector Traffic Task Description 2 If a firewall is between the Third Party Module and a Cisco or Checkpoint firewall or another SiteProtector component, then configure your firewall for Third Party Module traffic. See Port Information for Third Party Module Traffic on page 8. 3 If you are retrieving SiteProtector updates through the Internet, then configure your firewall rules for Internet access. See Port Information for Internet Access on page If a NAT firewall is between the Console and the Application Server, then configure the Application Server properties. See Configuring the Application Server for Communication with NAT Firewalls on page If a NAT firewall is between Proventia Desktop agents and the Agent Manager, then configure the Agent Manager properties. See Configuring the Agent Manager for Communication through NAT Firewalls on page 14. Table 1: Task overview (Continued) In this document This document contains the following sections: Section Page Firewall Port Information 3 Configuring Components for NAT Firewalls 11 2

3 SECTION A: Firewall Port Information If SiteProtector components or modules are located behind firewalls, you may need to reconfigure the firewall so that the components or modules can communicate. This section includes background information and procedures for configuring firewall ports for different types of traffic. TCP/IP ports Firewalls commonly filter traffic by IP address and by TCP or UDP ports. Firewalls typically block these addresses and ports unless they are explicitly allowed. Where firewalls are typically located Firewalls can be placed anywhere on a network but are most commonly located between the following: Console and the Application Server Application Server and the agents Agent Manager and Proventia Desktop agents Event Collector and agents Application Server and the Internet Application Server and a Third Party Module In this section This section contains the following topics: Topic Page Port Information for SiteProtector Traffic 4 Port Information for Third Party Module Traffic 8 Port Information for Active Directory Integration 9 Port Information for Internet Access 10 3

4 Configuring Firewalls for SiteProtector Traffic Port Information for SiteProtector Traffic This topic provides information that can help you configure firewall rules that allow traffic between all SiteProtector components, except the Third Party Module. Requirement If a firewall is located between the source and destination component, create a firewall rule that allows incoming traffic to the destination ports that are specified. Reference: Refer to your firewall documentation for specific instructions about creating and configuring a firewall rule. Destination ports that must be open Destination ports use the TCP protocol unless otherwise indicated. Table 2 lists the destination ports that must be open to allow communication between each pair of SiteProtector components. Source Component Destination Component Wire Protocol SiteProtector Console SP Server HTTP/SP Server/RMI/ JRMP/JMS Encryption Destination Ports Yes 3988, 3989, 3994, 3996, 3997, 3998, 3999, 8093 Event Viewer N/A Yes 3993 ADS Appliance HTTP Yes 443 IBM ISS Web Site HTTP None 80 Table 2: Firewall ports that allow traffic between SiteProtector agents 4

5 Port Information for SiteProtector Traffic Source Component Destination Component Wire Protocol Encryption SP Server Databridges L/S a Yes 2998 Destination Ports Active Directory Server LDAP None 389, 3268 b Event Collector HTTP/L/S Yes 2998, 8996 SecurityFusion module L/S Yes 2998 Agent Manager L/S/HTTP Yes 2998, 3995 Deployment Manager X-Press Update Server L/S Yes 2998 HTTP Yes 3994 Desktop Agents (7.0 and earlier) Event Archiver HTTP Yes 8998 Site DB Proventia Network MFS External Ticketing Server JDBC/TDS/ Named Pipe, or RPS Yes 1433, 445, 135, 1434 (UDP port not encrypted) HTTP Yes 443 Vendor Yes 1058, 1069 d Proprietary c SNMP Server SNMP None 162 SMTP Server SMTP None 25 Internet Scanner L/S Yes 2998 Network Sensor L/S Yes 2998 Server Sensor L/S Yes 2998 Proventia Nework IDS Third Party Module Remote Host L/S Yes 2998 e L/S Yes 2998 Windows RPC None 135 IBM MSS Web site HTTP Yes 443 Agent Manager HTTP Yes 8082 Agent Manager Desktop Agent N/A None ICMP SP Server HTTP Yes 3994 Site DB OLE DB/ RPC/ Named Pipe Configurable 1433, 135, 445, 1434 SNMP Server SNMP None 162 Table 2: Firewall ports that allow traffic between SiteProtector agents (Continued) 5

6 Configuring Firewalls for SiteProtector Traffic Source Component Event Collector Databridge L/S Yes Agent Manager L/S Yes 914 Event Archiver HTTP Yes 8997 Event Collector L/S Yes 912 SP Server HTTP Yes 3994 Internet Scanner L/S Yes Network Sensor L/S Yes Proventia Network IDS L/S Yes f SNMP Server SNMP None 162 RealSecure Sensor Agent SecurityFusion module Site DB IBM MSS Event Server L/S Yes L/S Yes ODBC/ RPC/ Named Pipe Configurable 1433, 135, 445, 1434 HTTP Yes 8443 Event Archiver SP Server HTTP Yes 3994 Agent Manager HTTP Yes 3995 Web Console SP Server HTTP Yes 3994 Web Browser Proventia Network IDS, Proventia Network IPS, Proventia Network MFS, and Proventia Server Destination Component Deployment Manager HTTP Yes 3994 Agent Manager HTTP Yes 8085 Agent Manager g HTTP Yes 3995 SecurityFusion module Event Collector L/S Yes 950 Site DB Wire Protocol ODBC/ RPC/ Named Pipe Encryption Configurable 1433, 135, 445, 1434 Proventia Server IPS Agent Manager HTTP Yes 3995 Proventia Desktop Agent Manager HTTP Yes 3995 Destination Ports Event Viewer Service SP Server RMI/JRMP Yes 3989, 3988 Table 2: Firewall ports that allow traffic between SiteProtector agents (Continued) 6

7 Port Information for SiteProtector Traffic Source Component Destination Component Wire Protocol Encryption Update Server Agent Manager HTTP Yes 3995 IBM ISS Website HTTP Yes 443 Destination Ports Table 2: Firewall ports that allow traffic between SiteProtector agents (Continued) a. The Wire Protocol abbreviation L/S refers to Leap / Score. b. Port 3268 is referenced from the Global Catalog. c. Vendor Proprietary means this is only specific to the vendor. d. Port 1069 is based upon the Remedy Web Site. e. Proventia Network IPS FW 1.0 and higher uses destination port 443. f. Destination ports are only used for Proventia Network IDS prior to FW 1.0. g. All Proventia Agents and Desktop Agent 7 and earlier communicating with the Agent Manager contains the Command & Control. 7

8 Configuring Firewalls for SiteProtector Traffic Port Information for Third Party Module Traffic You may be required to configure the firewall to allow traffic if a firewall is located between the Third Party Module (TPM) and either of the following: a CheckPoint or Cisco firewall another SiteProtector component Requirement If a firewall is located between the source and destination component, create a firewall rule that allows incoming traffic to the destination ports that are specified. Reference: See the SiteProtector Third Party Module Guide available on the IBM ISS Web site. Destination ports that must be open Table 3 lists the destination ports that must be open to allow communication between SiteProtector components and the TPM: Source Component Destination Component Destination Ports Cisco Secure PIX Sensor Controller 2998/tcp Event Collector /tcp Third Party Module 514/udp Event Archiver SP Server 3994 Sensor Controller Third Party Module 2998/tcp Event Collector Third Party Module /tcp Table 3: Firewall ports that allow traffic between Third Party Module and other components 8

9 Port Information for Active Directory Integration Port Information for Active Directory Integration To integrate Active Directory with SiteProtector, the Sensor Controller must be able to communicate with Active Directory over certain ports. Destination ports that must be open Table 4 lists the destination ports that must be open to allow communication between SiteProtector components and Active Directory: Protocol TCP Port Kerberos Secure Authentication 88 Lightweight Directory Access Protocol (LDAP) 389 Kerberos Passwords 464 LDAP over SSL 636 Microsoft Global Catalog 3268 Microsoft Global Catalog with LDAP/SSL 3269 Table 4: Ports that allow communication between SiteProtector Sensor Controller and Active Directory 9

10 Configuring Firewalls for SiteProtector Traffic Port Information for Internet Access If you download SiteProtector updates from the Internet, then you may need to reconfigure your firewall rules to allow this communication. This topic gives a procedure for configuring firewall rules for Internet access. Reference: Refer to your firewall documentation for specific instructions. Requirement If a firewall is located between the source and destination component, create a firewall rule that allows incoming traffic to the destination ports that are specified. Destination ports that must be open Table lists the destination ports that must be open to allow communication between SiteProtector components and the IBM ISS Download Center. Protocol Destination Address Destination Port SSL or HTTPS xpu.iss.net 443 SSL or HTTPS SSL or HTTPS download.iss.net 443 HTTP iss.net 80 Table 5: Ports allowing traffic between Application Server and the Internet Important: IBM ISS recommends that you use secure protocols (SSL or HTTPS) to download updates from the Deployment Manager. 10

11 SECTION B: Configuring Components for NAT Firewalls Overview If your SiteProtector components are located behind firewalls that use NAT or other types of address translation, you may be required to perform additional configuration tasks so that SiteProtector components can communicate. Problems with using NAT with SiteProtector By default, some SiteProtector components are configured to use private IP addresses to communicate with other components. NAT firewalls typically block components that use private IP addresses. How to enable NAT communication To correct NAT communication problems, you must configure SiteProtector components to use either a public IP address or a fully qualified domain name. Common NAT firewall locations NAT is typically enabled on external firewalls and not on firewalls that are located on the intranet. You may experience communication problems if firewalls are located between the following: remote consoles and the Application Server remote Proventia Desktop agents and the Agent Manager In this section This section contains the following topics: Topic Page Configuring the Application Server for Communication with NAT Firewalls 12 Restarting the Sensor Controller and Application Server Services 13 Configuring the Agent Manager for Communication through NAT Firewalls 14 11

12 Configuring Firewalls for SiteProtector Traffic Configuring the Application Server for Communication with NAT Firewalls This topic explains how to configure the Application Server to communicate with NAT firewalls. Important: Perform the procedure in this topic only if a NAT firewall is between the Application Server and the Console. Reference: For more information on stopping and restarting the application services, see Restarting the Sensor Controller and Application Server Services on page 13. Procedure To configure the Application Server for NAT: 1. Stop the Application Server service. 2. Click Start on the taskbar, and then select Run. 3. In the Open field, type regedit. The Registry Editor appears. 4. Navigate to the following path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ 5. Use the following table to configure the registry keys: Folder Entry Change the... issspappservice\parameters JVM Option Number 6 value data from the IP address to the DNS name issspsenctlservice\parameters IPBind value data from the IP address to the DNS name Example Djava.rmi.server.hostname=public_IP_or_FQDN 6. Restart the Sensor Controller and Application Server services. 12

13 Restarting the Sensor Controller and Application Server Services Restarting the Sensor Controller and Application Server Services After you have configured the Application Server to communicate with NAT, you must restart the Sensor Controller and Application Server services to put the changes into effect. Procedure To stop or restart the Sensor Controller and the Application Server services: 1. Click Start on the taskbar of the computer where the Application Server and Sensor Controller are installed, and then select Settings Control Panel. 2. Open the Administrative Tools folder, and then double-click Services. The Services window appears. 3. In the right pane, scroll until you find SiteProtector Sensor Controller Service, and then select it. 4. Do one of the following: To stop the Sensor Controller service, click Stop Service (the Stop option) on the toolbar. To start the Sensor Controller service, click Start Service (the Play option) on the toolbar. 5. Repeat Steps 1 through 4 for the Application Server. 13

14 Configuring Firewalls for SiteProtector Traffic Configuring the Agent Manager for Communication through NAT Firewalls Perform the procedure in this topic only if a NAT firewall is between the Agent Manager and Proventia Desktop agents. This procedure configures the Agent Manager so that it can communicate with NAT firewalls. Important prerequisite You must perform this procedure before you generate agent builds. Otherwise, agents cannot communicate with the Agent Manager, and you will be forced to regenerate agent builds. Procedure To configure the Agent Manager for NAT: 1. On the computer where the Agent Manager is installed, locate the Agent Manager initialization files at the following path: \Program Files\ISS\SiteProtector\AgentManager\rsspdc.ini 2. Open the file in a text editor. 3. Change the dcname to one of the following: DNS name (the recommended option) public IP address Note: If you select the DNS name option, ensure that it resolves to an IP address. 4. Save the file. 5. On the Console, right-click the Agent Manager icon, and then select Stop. 6. Right-click the Agent Manager icon, and then select Start. 14