Configuring Firewalls for SiteProtector Traffic


IBM Proventia Management SiteProtector System
Configuring Firewalls for SiteProtector Traffic
Version 2.0, Service Pack 7, July 29, 2008
IBM Internet Security Systems

Overview

SiteProtector cannot function properly if firewalls prevent its components from communicating with each other. This guide provides procedures for configuring network devices and SiteProtector components so that they can communicate through firewalls.

Assumptions

This document assumes that you are familiar with the following:
- procedures for configuring firewalls, routers, or any other devices that you use to block traffic on your network
- procedures for modifying system files such as Windows registry keys and properties files

Firewalls

In this document, "firewall" means any device that filters traffic, including packet-filtering firewalls, routers, and VPN gateways. These devices may also perform network address translation (NAT).

Note: If a device is not configured to block traffic, the procedures in this chapter might not apply to it.

Task overview

Table 1 provides a checklist to help you complete the tasks:

Task | Description
1 | Configure your firewall so that the required ports are open. See Port Information for SiteProtector Traffic.
2 | If a firewall is between the Third Party Module and a Cisco or Check Point firewall or another SiteProtector component, configure your firewall for Third Party Module traffic. See Port Information for Third Party Module Traffic.
3 | If you retrieve SiteProtector updates through the Internet, configure your firewall rules for Internet access. See Port Information for Internet Access.
4 | If a NAT firewall is between the Console and the Application Server, configure the Application Server properties. See Configuring the Application Server for Communication with NAT Firewalls.
5 | If a NAT firewall is between Proventia Desktop agents and the Agent Manager, configure the Agent Manager properties. See Configuring the Agent Manager for Communication through NAT Firewalls.

Table 1: Task overview

In this document

This document contains the following sections:
- Section A: Firewall Port Information
- Section B: Configuring Components for NAT Firewalls

SECTION A: Firewall Port Information

If SiteProtector components or modules are located behind firewalls, you may need to reconfigure the firewall so that the components or modules can communicate. This section includes background information and procedures for configuring firewall ports for different types of traffic.

TCP/IP ports

Firewalls commonly filter traffic by IP address and by TCP or UDP port. A firewall typically blocks an address or port unless it is explicitly allowed, so every flow listed in the tables that follow needs a rule that permits it. Write each rule for the specific source host and destination host involved rather than opening the port to any source.

Where firewalls are typically located

Firewalls can be placed anywhere on a network but are most commonly located between the following:
- Console and the Application Server
- Application Server and the agents
- Agent Manager and Proventia Desktop agents
- Event Collector and agents
- Application Server and the Internet
- Application Server and a Third Party Module

In this section

This section contains the following topics:
- Port Information for SiteProtector Traffic
- Port Information for Third Party Module Traffic
- Port Information for Active Directory Integration
- Port Information for Internet Access

Port Information for SiteProtector Traffic

This topic provides information that can help you configure firewall rules that allow traffic between all SiteProtector components, except the Third Party Module.

Requirement

If a firewall is located between the source and destination component, create a firewall rule that allows incoming traffic to the destination ports that are specified. Scope each rule to the hosts involved; in particular, the Site DB ports (1433, 135, 445, and 1434/udp) should be reachable only from the SiteProtector components listed below, never from the network at large.

Reference: Refer to your firewall documentation for specific instructions about creating and configuring a firewall rule.

Destination ports that must be open

Destination ports use the TCP protocol unless otherwise indicated. Table 2 lists the destination ports that must be open to allow communication between each pair of SiteProtector components.

Source Component | Destination Component | Wire Protocol | Encryption | Destination Ports
SiteProtector Console | SP Server | HTTP/SP Server/RMI/JRMP/JMS | Yes | 3988, 3989, 3994, 3996, 3997, 3998, 3999, 8093
SiteProtector Console | Event Viewer | N/A | Yes | 3993
SiteProtector Console | ADS Appliance | HTTP | Yes | 443
SiteProtector Console | IBM ISS Web Site | HTTP | None | 80
SP Server | Databridges | L/S (a) | Yes | 2998
SP Server | Active Directory Server | LDAP | None | 389, 3268 (b)
SP Server | Event Collector | HTTP/L/S | Yes | 2998, 8996
SP Server | SecurityFusion module | L/S | Yes | 2998
SP Server | Agent Manager | L/S/HTTP | Yes | 2998, 3995
SP Server | Deployment Manager / X-Press Update Server; Desktop Agents (7.0 and earlier) | L/S; HTTP | Yes | 2998; 3994
SP Server | Event Archiver | HTTP | Yes | 8998
SP Server | Site DB | JDBC/TDS/Named Pipe, or RPC | Yes | 1433, 445, 135, 1434 (UDP, not encrypted)
SP Server | Proventia Network MFS | HTTP | Yes | 443
SP Server | External Ticketing Server | Vendor Proprietary (c) | Yes | 1058, 1069 (d)
SP Server | SNMP Server | SNMP | None | 162
SP Server | SMTP Server | SMTP | None | 25
SP Server | Internet Scanner | L/S | Yes | 2998
SP Server | Network Sensor | L/S | Yes | 2998
SP Server | Server Sensor | L/S | Yes | 2998
SP Server | Proventia Network IDS | L/S | Yes | 2998 (e)
SP Server | Third Party Module | L/S | Yes | 2998
SP Server | Remote Host | Windows RPC | None | 135
SP Server | IBM MSS Web site | HTTP | Yes | 443
SP Server | Agent Manager | HTTP | Yes | 8082
Agent Manager | Desktop Agent | N/A | None | ICMP
Agent Manager | SP Server | HTTP | Yes | 3994
Agent Manager | Site DB | OLE DB/RPC/Named Pipe | Configurable | 1433, 135, 445, 1434
Agent Manager | SNMP Server | SNMP | None | 162
Event Collector | Databridge | L/S | Yes | 901-930
Event Collector | Agent Manager | L/S | Yes | 914
Event Collector | Event Archiver | HTTP | Yes | 8997
Event Collector | Event Collector | L/S | Yes | 912
Event Collector | SP Server | HTTP | Yes | 3994
Event Collector | Internet Scanner | L/S | Yes | 901-930
Event Collector | Network Sensor | L/S | Yes | 901-930
Event Collector | Proventia Network IDS | L/S | Yes | 901-930 (f)
Event Collector | SNMP Server | SNMP | None | 162
Event Collector | RealSecure Sensor Agent | L/S | Yes | 901-930
Event Collector | SecurityFusion module | L/S | Yes | 901-930
Event Collector | Site DB | ODBC/RPC/Named Pipe | Configurable | 1433, 135, 445, 1434
Event Collector | IBM MSS Event Server | HTTP | Yes | 8443
Event Archiver | SP Server | HTTP | Yes | 3994
Event Archiver | Agent Manager | HTTP | Yes | 3995
Web Console | SP Server | HTTP | Yes | 3994
Web Browser | Deployment Manager | HTTP | Yes | 3994
Web Browser | Agent Manager | HTTP | Yes | 8085
Proventia Network IDS, Proventia Network IPS, Proventia Network MFS, and Proventia Server | Agent Manager (g) | HTTP | Yes | 3995
SecurityFusion module | Event Collector | L/S | Yes | 950
SecurityFusion module | Site DB | ODBC/RPC/Named Pipe | Configurable | 1433, 135, 445, 1434
Proventia Server IPS | Agent Manager | HTTP | Yes | 3995
Proventia Desktop | Agent Manager | HTTP | Yes | 3995
Event Viewer Service | SP Server | RMI/JRMP | Yes | 3989, 3988
Update Server | Agent Manager | HTTP | Yes | 3995
Update Server | IBM ISS Website | HTTP | Yes | 443

Table 2: Firewall ports that allow traffic between SiteProtector agents

a. The Wire Protocol abbreviation L/S refers to Leap / Score.
b. Port 3268 is the Global Catalog port.
c. Vendor Proprietary means the protocol is specific to the ticketing vendor.
d. Port 1069 is based upon the Remedy Web Site.
e. Proventia Network IPS FW 1.0 and higher uses destination port 443.
f. Destination ports 901-903 are only used for Proventia Network IDS prior to FW 1.0.
g. All Proventia agents, and Desktop Agent 7 and earlier, that communicate with the Agent Manager carry their command and control traffic on this port.

Where the Encryption column says "Configurable" (the Site DB connections), encryption is off unless you enable it on the SQL Server side; on an untrusted segment, enable it or the database credentials and event data cross the firewall in clear text.
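Before the Console or a sensor is blamed for a communication failure, it is worth proving from the source host that the Table 2 destination ports are actually reachable through the firewall. The following PowerShell script is an added example and is not part of the IBM guide or of SiteProtector; the hostnames in $Rules, the pairs chosen from Table 2, and the function name Test-SiteProtectorPort are assumptions for illustration. Run it on the source host for the pair you are checking (for example, on the Console for the Console -> SP Server rows).

```powershell
# Added example (not IBM tooling): TCP reachability check for Table 2 flows.
# Each entry is one source -> destination pair from Table 2; the Host values
# are assumptions, replace them with your own component hostnames.
$Rules = @(
    @{ Source = 'SiteProtector Console'; Destination = 'SP Server';
       Host = 'spserver.example.local'; Ports = 3988, 3989, 3994, 3996, 3997, 3998, 3999, 8093 },
    @{ Source = 'SiteProtector Console'; Destination = 'Event Viewer';
       Host = 'spserver.example.local'; Ports = 3993 },
    @{ Source = 'SP Server';             Destination = 'Agent Manager';
       Host = 'agentmgr.example.local';  Ports = 2998, 3995 },
    @{ Source = 'Proventia Desktop';     Destination = 'Agent Manager';
       Host = 'agentmgr.example.local';  Ports = 3995 },
    @{ Source = 'Event Collector';       Destination = 'Network Sensor';
       Host = 'sensor01.example.local';  Ports = 901..930 }
)

function Test-SiteProtectorPort {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][int]$Port,
        [int]$TimeoutMs = 2000
    )
    # A plain TCP connect with a timeout. Test-NetConnection also works but is
    # slow when ICMP is filtered, which Table 2 says only the Agent Manager needs.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return 'timeout'        # no answer at all: the usual sign of a DROP rule
        }
        $client.EndConnect($async)  # throws on RST: REJECT rule, or nothing listening
        return 'open'
    } catch [System.Net.Sockets.SocketException] {
        return "error: $($_.Exception.SocketErrorCode)"   # ConnectionRefused, HostNotFound, ...
    } finally {
        $client.Close()
    }
}

foreach ($rule in $Rules) {
    foreach ($port in $rule.Ports) {
        $state = Test-SiteProtectorPort -ComputerName $rule.Host -Port $port
        '{0,-22} -> {1,-16} {2}:{3,-5} {4}' -f $rule.Source, $rule.Destination, $rule.Host, $port, $state
    }
}
```

A "timeout" result normally means a firewall is silently dropping the flow; "error: ConnectionRefused" means the packet arrived but nothing is listening (the component is stopped, or a REJECT rule answered). The check covers TCP only; the UDP entries in Table 2 (1434 for the SQL Server browser) and Table 3 (514/udp syslog) cannot be verified this way and need a packet capture on the destination instead.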

Port Information for Third Party Module Traffic

You may be required to configure the firewall to allow traffic if a firewall is located between the Third Party Module (TPM) and either of the following:
- a Check Point or Cisco firewall
- another SiteProtector component

Requirement

If a firewall is located between the source and destination component, create a firewall rule that allows incoming traffic to the destination ports that are specified. The 514/udp syslog feed from the PIX to the TPM is unauthenticated and unencrypted, so restrict that rule to the PIX source address; otherwise any host that can reach the TPM can inject events.

Reference: See the SiteProtector Third Party Module Guide available on the IBM ISS Web site.

Destination ports that must be open

Table 3 lists the destination ports that must be open to allow communication between SiteProtector components and the TPM:

Source Component | Destination Component | Destination Ports
Cisco Secure PIX | Sensor Controller | 2998/tcp
Cisco Secure PIX | Event Collector | 901-931/tcp
Cisco Secure PIX | Third Party Module | 514/udp
Event Archiver | SP Server | 3994
Sensor Controller | Third Party Module | 2998/tcp
Event Collector | Third Party Module | 901-931/tcp

Table 3: Firewall ports that allow traffic between Third Party Module and other components

Port Information for Active Directory Integration

To integrate Active Directory with SiteProtector, the Sensor Controller must be able to communicate with Active Directory over certain ports.

Destination ports that must be open

Table 4 lists the destination ports that must be open to allow communication between SiteProtector components and Active Directory:

Protocol | TCP Port
Kerberos Secure Authentication | 88
Lightweight Directory Access Protocol (LDAP) | 389
Kerberos Passwords | 464
LDAP over SSL | 636
Microsoft Global Catalog | 3268
Microsoft Global Catalog with LDAP/SSL | 3269

Table 4: Ports that allow communication between SiteProtector Sensor Controller and Active Directory

Ports 389 and 3268 carry plain LDAP, which is unencrypted unless signing or StartTLS is negotiated; where the Sensor Controller is configured for LDAP over SSL, open only 636 and 3269 and leave the plaintext ports closed.

Port Information for Internet Access

If you download SiteProtector updates from the Internet, then you may need to reconfigure your firewall rules to allow this communication. This topic gives a procedure for configuring firewall rules for Internet access.

Reference: Refer to your firewall documentation for specific instructions.

Requirement

If a firewall is located between the source and destination component, create a firewall rule that allows outgoing traffic from the Application Server (or Deployment Manager) to the destination addresses and ports that are specified.

Destination ports that must be open

Table 5 lists the destination addresses and ports that must be open to allow communication between SiteProtector components and the IBM ISS Download Center.

Protocol | Destination Address | Destination Port
SSL or HTTPS | xpu.iss.net | 443
SSL or HTTPS | www.iss.net | 443
SSL or HTTPS | download.iss.net | 443
HTTP | iss.net | 80

Table 5: Ports allowing traffic between Application Server and the Internet

Important: IBM ISS recommends that you use secure protocols (SSL or HTTPS) to download updates from the Deployment Manager. The port 80 entry is plain HTTP, so anything fetched over it can be read or altered in transit; only open it if a download actually requires it.

SECTION B: Configuring Components for NAT Firewalls

Overview

If your SiteProtector components are located behind firewalls that use NAT or other types of address translation, you may be required to perform additional configuration tasks so that SiteProtector components can communicate.

Problems with using NAT with SiteProtector

By default, some SiteProtector components advertise their own private IP address to their peers: the Application Server embeds it in the RMI references it returns to the Console, and the Agent Manager writes it into the agent builds it generates. A peer on the far side of a NAT firewall receives that private address, which is not routable from its side, so its follow-up connections fail even though the firewall rule for the port is correct.

How to enable NAT communication

To correct this, configure the affected components to advertise either the public (translated) IP address or a fully qualified domain name that resolves, from the peer's side of the firewall, to the public address.

Common NAT firewall locations

NAT is typically enabled on external firewalls and not on firewalls that are located on the intranet. You may experience communication problems if NAT firewalls are located between the following:
- remote Consoles and the Application Server
- remote Proventia Desktop agents and the Agent Manager

In this section

This section contains the following topics:
- Configuring the Application Server for Communication with NAT Firewalls
- Restarting the Sensor Controller and Application Server Services
- Configuring the Agent Manager for Communication through NAT Firewalls

Configuring the Application Server for Communication with NAT Firewalls

This topic explains how to configure the Application Server to communicate through NAT firewalls.

Important: Perform the procedure in this topic only if a NAT firewall is between the Application Server and the Console.

Reference: For more information on stopping and restarting the application services, see Restarting the Sensor Controller and Application Server Services.

Procedure

To configure the Application Server for NAT:

1. Stop the Application Server service.
2. Click Start on the taskbar, and then select Run.
3. In the Open field, type regedit. The Registry Editor appears.
4. Navigate to the following path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\
5. Use the following table to configure the registry values:

Folder | Entry | Change the...
issspappservice\parameters | JVM Option Number 6 | value data from the IP address to the DNS name
issspsenctlservice\parameters | IPBind | value data from the IP address to the DNS name

Example: -Djava.rmi.server.hostname=public_IP_or_FQDN

The DNS name you enter must resolve, from the Console's side of the firewall, to the Application Server's public (translated) address; it is this value that the Console will connect back to.

6. Restart the Sensor Controller and Application Server services.
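The same change can be made without Registry Editor, which also lets you back up the keys and confirm that the name resolves before anything is restarted. The following PowerShell script is an added example, not IBM's own tooling; it assumes that the Windows service names are the same as the registry key names (issspappservice and issspsenctlservice), that the value "JVM Option Number 6" holds the -Djava.rmi.server.hostname= option as the guide's example shows, and that $PublicName is your own public FQDN. Run it in an elevated session on the Application Server.

```powershell
# Added example (not IBM tooling): applies the NAT registry changes from the
# procedure above, with a backup and a resolution check first.
$AppParams  = 'HKLM:\SYSTEM\CurrentControlSet\Services\issspappservice\parameters'
$CtlParams  = 'HKLM:\SYSTEM\CurrentControlSet\Services\issspsenctlservice\parameters'
$PublicName = 'spserver.example.com'   # assumed: public FQDN (or public IP) the Console can reach

function Test-NameResolves {
    param([string]$Name)
    try { [System.Net.Dns]::GetHostAddresses($Name).Count -gt 0 } catch { $false }
}

# 1. A name that does not resolve would leave the Console with an RMI stub pointing nowhere.
if (-not (Test-NameResolves $PublicName)) {
    throw "$PublicName does not resolve; fix DNS (or use the public IP) before changing the registry"
}

# 2. Read and sanity-check the current RMI option before touching anything.
$old = (Get-ItemProperty -Path $AppParams -Name 'JVM Option Number 6').'JVM Option Number 6'
if ($old -notmatch '^-?Djava\.rmi\.server\.hostname=') {
    throw "Unexpected value in 'JVM Option Number 6': '$old'; check the key name and stop here"
}
# Keep the option name, replace only the address after '='.
$new = $old -replace '(?<=hostname=).*$', $PublicName

# 3. Export both parameter keys so the change can be reverted.
$stamp = Get-Date -Format yyyyMMddHHmmss
reg export 'HKLM\SYSTEM\CurrentControlSet\Services\issspappservice\parameters'   "$env:TEMP\issspappservice-$stamp.reg"   | Out-Null
reg export 'HKLM\SYSTEM\CurrentControlSet\Services\issspsenctlservice\parameters' "$env:TEMP\issspsenctlservice-$stamp.reg" | Out-Null

# 4. Stop the Application Server (step 1 of the procedure), then write both values.
Stop-Service -Name issspappservice -Force
Set-ItemProperty -Path $AppParams -Name 'JVM Option Number 6' -Value $new
Set-ItemProperty -Path $CtlParams -Name 'IPBind'              -Value $PublicName

# 5. Restart the Sensor Controller and Application Server (step 6) and show the outcome.
Restart-Service -Name issspsenctlservice -Force
Start-Service   -Name issspappservice
Get-Service -Name issspappservice, issspsenctlservice | Format-Table Name, Status -AutoSize
"JVM Option Number 6: '$old' -> '$new'"
"IPBind: '$PublicName'"
```

After the services come back, verify from a Console on the far side of the NAT that it can reach the new name on the SP Server ports in Table 2 (3988, 3989, 3994, 3996-3999, 8093); if the Console still tries the private address, the old stub is cached and the Console must be restarted.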

Restarting the Sensor Controller and Application Server Services

After you have configured the Application Server to communicate through NAT, you must restart the Sensor Controller and Application Server services to put the changes into effect.

Procedure

To stop or restart the Sensor Controller and the Application Server services:

1. Click Start on the taskbar of the computer where the Application Server and Sensor Controller are installed, and then select Settings > Control Panel.
2. Open the Administrative Tools folder, and then double-click Services. The Services window appears.
3. In the right pane, scroll until you find SiteProtector Sensor Controller Service, and then select it.
4. Do one of the following:
   - To stop the Sensor Controller service, click Stop Service (the Stop option) on the toolbar.
   - To start the Sensor Controller service, click Start Service (the Play option) on the toolbar.
5. Repeat steps 3 and 4 for the Application Server service.

Configuring the Agent Manager for Communication through NAT Firewalls

Perform the procedure in this topic only if a NAT firewall is between the Agent Manager and Proventia Desktop agents. This procedure configures the Agent Manager so that agents on the far side of a NAT firewall can reach it.

Important prerequisite

You must perform this procedure before you generate agent builds. The address in rsspdc.ini is written into each agent build; otherwise, agents cannot communicate with the Agent Manager, and you will be forced to regenerate agent builds.

Procedure

To configure the Agent Manager for NAT:

1. On the computer where the Agent Manager is installed, locate the Agent Manager initialization file at the following path: \Program Files\ISS\SiteProtector\AgentManager\rsspdc.ini
2. Open the file in a text editor.
3. Change the dcname value to one of the following:
   - DNS name (the recommended option)
   - public IP address

   Note: If you select the DNS name option, ensure that it resolves, from the agents' side of the firewall, to the Agent Manager's public address.
4. Save the file.
5. On the Console, right-click the Agent Manager icon, and then select Stop.
6. Right-click the Agent Manager icon, and then select Start.
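Because the dcname value ends up inside every agent build, it pays to make this edit in a way that checks the name first and keeps the original file. The following PowerShell script is an added example and is not IBM's own tooling; it assumes the default installation path shown in step 1, that the entry is written as dcname=<address> on its own line, and that $PublicName is your own public FQDN. Run it in an elevated session on the Agent Manager host before generating agent builds, then stop and start the Agent Manager from the Console as in steps 5 and 6.

```powershell
# Added example (not IBM tooling): rewrite dcname in rsspdc.ini for NAT.
$IniPath    = 'C:\Program Files\ISS\SiteProtector\AgentManager\rsspdc.ini'   # default path from step 1
$PublicName = 'agentmgr.example.com'   # assumed: must resolve from the agents' side of the NAT

function Test-NameResolves {
    param([string]$Name)
    try { [System.Net.Dns]::GetHostAddresses($Name).Count -gt 0 } catch { $false }
}

if (-not (Test-NameResolves $PublicName)) {
    throw "$PublicName does not resolve; fix DNS or use the public IP address instead"
}
if (-not (Test-Path -Path $IniPath)) {
    throw "rsspdc.ini not found at $IniPath"
}

# Keep the file as it was; agent builds made before this change still refer to the old address.
Copy-Item -Path $IniPath -Destination "$IniPath.bak" -Force

$found   = $false
$updated = foreach ($line in Get-Content -Path $IniPath) {
    if ($line -match '^\s*dcname\s*=') {
        $found = $true
        "dcname=$PublicName"       # replace the private address with the public name
    } else {
        $line                      # every other line is passed through unchanged
    }
}
if (-not $found) {
    throw "No dcname entry found in $IniPath; nothing was changed"
}

Set-Content -Path $IniPath -Value $updated -Encoding Ascii

# Show the resulting entry, then restart the Agent Manager from the Console (steps 5 and 6).
Select-String -Path $IniPath -Pattern '^\s*dcname\s*='
```

Any agent build generated before this change still carries the old private address and must be regenerated, exactly as the prerequisite above warns; the .bak copy tells you which address those older builds were given.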