IBM Proventia® Management SiteProtector™
Configuring Firewalls for SiteProtector Traffic
Version 2.0, Service Pack 8.0
Copyright Statement

© Copyright IBM Corporation 1994, 2009. IBM Global Services, Route 100, Somers, NY 10589 U.S.A. Produced in the United States of America. All Rights Reserved.

Trademarks and disclaimer

IBM and the IBM logo are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. ADDME, Ahead of the threat, BlackICE, Internet Scanner, Proventia, RealSecure, SecurePartner, SecurityFusion, SiteProtector, System Scanner, Virtual Patch, X-Force and X-Press Update are trademarks or registered trademarks of Internet Security Systems, Inc. in the United States, other countries, or both. Internet Security Systems, Inc. is a wholly-owned subsidiary of International Business Machines Corporation. Microsoft, Windows, and Windows NT are trademarks of Microsoft Corporation in the United States, other countries, or both. Other company, product and service names may be trademarks or service marks of others.

References in this publication to IBM products or services do not imply that IBM intends to make them available in all countries in which IBM operates.

Disclaimer: The information contained in this document may change without notice, and may have been altered or changed if you have received it from a source other than IBM Internet Security Systems (IBM ISS). Use of this information constitutes acceptance for use in an “AS IS” condition, without warranties of any kind, and any use of this information is at the user’s own risk. IBM Internet Security Systems disclaims all warranties, either expressed or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall IBM ISS be liable for any damages whatsoever, including direct, indirect, incidental, consequential or special damages, arising from the use or dissemination hereof, even if IBM Internet Security Systems has been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.

Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by IBM Internet Security Systems. The views and opinions of authors expressed herein do not necessarily state or reflect those of IBM Internet Security Systems, and shall not be used for advertising or product endorsement purposes. Links and addresses to Internet resources are inspected thoroughly prior to release, but the ever-changing nature of the Internet prevents IBM Internet Security Systems, Inc. from guaranteeing the content or existence of the resource. When possible, the reference contains alternate sites or keywords that could be used to acquire the information by other methods. If you find a broken or inappropriate link, please send an e-mail with the topic name, link, and its behavior to mailto://support@iss.net.
Contents

Trademarks and disclaimer . . . . . . . . . . . . . . . . . . . . . . . . iii
About this publication . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Firewall Port Information . . . . . . . . . . . . . . . . . . . . . . . . . 1
  Port information for SiteProtector traffic . . . . . . . . . . . . . . . 2
  Port information for Third Party Module traffic . . . . . . . . . . . . 5
  Port information for Active Directory integration . . . . . . . . . . . 5
  Port information for Internet access . . . . . . . . . . . . . . . . . . 6
Configuring Components for NAT Firewalls . . . . . . . . . . . . . . . . . 6
  Configuring the Application Server for communication with NAT firewalls . 8
  Restarting the Sensor Controller and Application Server services . . . . 8
  Configuring the Agent Manager for communication through NAT firewalls . . 9
About this publication

SiteProtector™ cannot function properly if firewalls prevent components from communicating. This guide provides procedures for configuring network devices and SiteProtector components so that they can communicate through firewalls.

Intended audience

This document assumes that you are familiar with the following:
- Procedures for configuring firewalls
- Routers, or any other devices that you use to block traffic on your network
- Procedures for modifying system files such as Windows® registries and properties files

How to send your comments

Your feedback is important in helping to provide the most accurate and highest quality information. Send your comments by e-mail to document@iss.net. Be sure to include the name of the book, the part number of the book, the version of SiteProtector, and, if applicable, the specific location of the text that you are commenting on (for example, a page number or table number).

Topics
- “Firewall Port Information”
- “Configuring Components for NAT Firewalls” on page 6

Firewall Port Information

If SiteProtector components or modules are located behind firewalls, you may need to reconfigure the firewall so that the components or modules can communicate. This section includes background information and procedures for configuring firewall ports for different types of traffic.

TCP/IP ports

Firewalls commonly filter traffic by IP address and by TCP or UDP port. Firewalls typically block these addresses and ports unless they are explicitly allowed.

Where firewalls are typically located

Firewalls can be placed anywhere on a network but are most commonly located between the following:
- Console and the Application Server
- Application Server and the agents
- Agent Manager and Proventia® Desktop agents
- Event Collector and agents
- Application Server and the Internet
- Application Server and a Third Party Module
Topics
- “Port information for SiteProtector traffic”
- “Port information for Third Party Module traffic” on page 5
- “Port information for Active Directory integration” on page 5
- “Port information for Internet access” on page 6

Port information for SiteProtector traffic

This topic provides information that can help you configure firewall rules that allow traffic between all SiteProtector components, except the Third Party Module.

Requirement

If a firewall is located between the source and destination component, create a firewall rule that allows incoming traffic to the destination ports that are specified.

Reference: Refer to your firewall documentation for specific instructions about creating and configuring a firewall rule.

Destination ports that must be open

Destination ports use the TCP protocol unless otherwise indicated. The following table lists the destination ports that must be open to allow communication between each pair of SiteProtector components. Numbers in parentheses refer to the notes that follow the table.

| Source Component | Destination Component | Wire Protocol (1) | Encryption | Destination Ports |
|---|---|---|---|---|
| SiteProtector Console | SP Server | HTTP/SP Server/RMI/JRMP/JMS | Yes | 3988, 3989, 3994, 3996, 3997, 3998, 3999, 8093 |
| SiteProtector Console | Event Viewer | N/A | Yes | 3993 |
| SiteProtector Console | ADS Appliance | HTTP | Yes | 443 |
| SiteProtector Console | IBM® ISS Web Site | HTTP | None | 80 |
| SP Server | Databridges | L/S | Yes | 2998 |
| SP Server | Active Directory Server | LDAP | None | 389, 3268 (2) |
| SP Server | Event Collector | HTTP/L/S | Yes | 2998, 8996 |
| SP Server | SecurityFusion™ module | L/S | Yes | 2998 |
| SP Server | Agent Manager | L/S/HTTP | Yes | 2998, 3995 |
| SP Server | Deployment Manager | L/S | Yes | 2998 |
| SP Server | X-Press Update Server | HTTP | Yes | 3994 |
| SP Server | Event Archiver | HTTP | Yes | 8998 |
| SP Server | Site DB | JDBC/TDS/Named Pipe, or RPS | Yes | 1433, 445, 135, 1434 (UDP port not encrypted) |
| SP Server | Proventia Network MFS | HTTP | Yes | 443 |
| SP Server | External Ticketing Server | Vendor Proprietary (3) | Yes | 1058, 1069 (4) |
| SP Server | SNMP Server | SNMP | None | 162 |
| SP Server | SMTP Server | SMTP | None | 25 |
| SP Server | Internet Scanner® | L/S | Yes | 2998 |
| SP Server | Network Sensor | L/S | Yes | 2998 |
| SP Server | Server Sensor | L/S | Yes | 2998 |
| SP Server | Proventia Network IDS | L/S | Yes | 2998 (5) |
| SP Server | Third Party Module | L/S | Yes | 2998 |
| SP Server | Remote Host | Windows RPC | None | 135 |
| SP Server | IBM MSS Web site | HTTP | Yes | 443 |
| Desktop Agents (7.0 and earlier) | Agent Manager | HTTP | Yes | 8082 |
| Agent Manager | Desktop Agent | N/A | None | ICMP |
| Agent Manager | SP Server | HTTP | Yes | 3994, 8093, 8443 |
| Agent Manager | Site DB | OLE DB/RPC/Named Pipe | Configurable | 1433, 135, 445, 1434 |
| Agent Manager | SNMP Server | SNMP | None | 162 |
| Event Collector | Databridge | L/S | Yes | 901-930 |
| Event Collector | Agent Manager | L/S | Yes | 914 |
| Event Collector | Event Archiver | HTTP | Yes | 8997 |
| Event Collector | Event Collector | L/S | Yes | 912 |
| Event Collector | SP Server | HTTP | Yes | 3994 |
| Event Collector | Internet Scanner | L/S | Yes | 901-930 |
| Event Collector | Network Sensor | L/S | Yes | 901-930 |
| Event Collector | Proventia Network IDS | L/S | Yes | 901-930 (6) |
| Event Collector | SNMP Server | SNMP | None | 162 |
| Event Collector | RealSecure® Sensor Agent | L/S | Yes | 901-930 |
| Event Collector | SecurityFusion module | L/S | Yes | 901-930 |
| Event Collector | Site DB | ODBC/RPC/Named Pipe | Configurable | 1433, 135, 445, 1434 |
| Event Collector | IBM MSS Event Server | HTTP | Yes | 8443 |
| Event Archiver | SP Server | HTTP | Yes | 3994 |
| Event Archiver | Agent Manager | HTTP | Yes | 3995 |
| Event Archiver Importer | Agent Manager | HTTP | Yes | 3995 |
| Web Console | SP Server | HTTP | Yes | 3994 |
| Web Browser | Deployment Manager | HTTP | Yes | 3994 |
| Web Browser | Agent Manager | HTTP | Yes | 8085 |
| Proventia Network IDS, Proventia Network IPS, Proventia Network MFS, and Proventia Server (7) | Agent Manager | HTTP | Yes | 3995 |
| SecurityFusion module | Event Collector | L/S | Yes | 950 |
| SecurityFusion module | Site DB | ODBC/RPC/Named Pipe | Configurable | 1433, 135, 445, 1434 |
| Proventia Server IPS | Agent Manager | HTTP | Yes | 3995 |
| Proventia Desktop | Agent Manager | HTTP | Yes | 3995 |
| Event Viewer | SP Server | RMI/JRMP | Yes | 3989, 3988 |
| Service Update Server | Agent Manager | HTTP | Yes | 3995 |
| Service Update Server | IBM ISS Website | HTTP | Yes | 443 |
Notes:
1. The Wire Protocol abbreviation L/S refers to Leap / Score.
2. Port 3268 is referenced from the Global Catalog.
3. Vendor Proprietary means this is only specific to the vendor.
4. Port 1069 is based upon the Remedy Web Site.
5. Proventia Network IPS FW 1.0 and higher uses destination port 443.
6. Destination ports 901-903 are only used for Proventia Network IDS prior to FW 1.0.
7. All Proventia Agents and Desktop Agent 7 and earlier communicating with the Agent Manager contain the Command & Control.

Port information for Third Party Module traffic

You may be required to configure the firewall to allow traffic if a firewall is located between the Third Party Module (TPM) and either of the following:
- a CheckPoint or Cisco firewall
- another SiteProtector component

Requirement

If a firewall is located between the source and destination component, create a firewall rule that allows incoming traffic to the destination ports that are specified.

Reference: See the SiteProtector Third Party Module Guide available on the IBM ISS Web site.

Destination ports that must be open

The following table lists the destination ports that must be open to allow communication between SiteProtector components and the TPM:

| Source Component | Destination Component | Destination Ports |
|---|---|---|
| Cisco Secure PIX™ | Sensor Controller | 2998/tcp |
| Cisco Secure PIX™ | Event Collector | 901-931/tcp |
| Cisco Secure PIX™ | Third Party Module | 514/udp |
| Event Archiver | SP Server | 3994 |
| Sensor Controller | Third Party Module | 2998/tcp |
| Event Collector | Third Party Module | 901-931/tcp |

Port information for Active Directory integration

To integrate Active Directory with SiteProtector, the Sensor Controller must be able to communicate with Active Directory over certain ports.

Destination ports that must be open

The following table lists the destination ports that must be open to allow communication between SiteProtector components and Active Directory:

| Protocol | TCP Port |
|---|---|
| Kerberos Secure Authentication | 88 |
| Lightweight Directory Access Protocol (LDAP) | 389 |
| Kerberos Passwords | 464 |
| LDAP over SSL | 636 |
| Microsoft® Global Catalog | 3268 |
| Microsoft Global Catalog with LDAP/SSL | 3269 |

Port information for Internet access

If you download SiteProtector updates from the Internet, then you may need to reconfigure your firewall rules to allow this communication. This topic gives a procedure for configuring firewall rules for Internet access.

Reference: Refer to your firewall documentation for specific instructions.

Requirement

If a firewall is located between the source and destination component, create a firewall rule that allows incoming traffic to the destination ports that are specified.

Destination ports that must be open

The following table lists the destination ports that must be open to allow communication between SiteProtector components and the IBM ISS Download Center.

| Protocol | Destination Address | Destination Port |
|---|---|---|
| SSL or HTTPS | xpu.iss.net | 443 |
| SSL or HTTPS | www.iss.net | 443 |
| SSL or HTTPS | download.iss.net | 443 |
| HTTP | iss.net | 80 |

Important: IBM ISS recommends that you use secure protocols (SSL or HTTPS) to download updates from the Deployment Manager.

Configuring Components for NAT Firewalls

If your SiteProtector components are located behind firewalls that use NAT or other types of address translation, you may be required to perform additional configuration tasks so that SiteProtector components can communicate.

Problems with using NAT with SiteProtector

By default, some SiteProtector components are configured to use private IP addresses to communicate with other components. NAT firewalls typically block components that use private IP addresses.
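The port tables in the Firewall Port Information section above are easy to transcribe into a firewall with one port missing. As an added example that is not part of the IBM guide, the following Python script encodes a handful of those flows in a constructed, vendor-neutral rule format and reports which required destination ports a rule set does not cover; the component names, the rule format and the sample rule set are assumptions.

```python
"""Audit a firewall rule set against required SiteProtector flows.

Added example, not from the IBM guide. Rules and flows share one constructed
format: (source component, destination component, protocol, port range).
"""
from dataclasses import dataclass


def ports(spec):
    """'2998' -> range(2998, 2999); '901-930' -> range(901, 931) (inclusive)."""
    lo, _, hi = spec.partition("-")
    return range(int(lo), int(hi or lo) + 1)


@dataclass(frozen=True)
class Flow:
    """One source -> destination allowance; used both for the flows the guide
    requires and for the firewall's allow rules."""
    src: str
    dst: str
    proto: str    # "tcp" or "udp"
    ports: range  # destination ports

    def covers(self, other):
        # A rule covers a flow when endpoints and protocol match and the
        # flow's whole destination port range lies inside the rule's range.
        return (self.src == other.src and self.dst == other.dst
                and self.proto == other.proto
                and self.ports.start <= other.ports.start
                and other.ports[-1] <= self.ports[-1])


# Required flows, a subset of the guide's table (TCP unless noted).
REQUIRED = [Flow("Console", "SP Server", "tcp", ports(p))
            for p in ("3988", "3989", "3994", "3996", "3997", "3998", "3999", "8093")]
REQUIRED += [
    Flow("Event Collector", "Network Sensor", "tcp", ports("901-930")),
    Flow("Agent Manager", "SP Server", "tcp", ports("3994")),
    Flow("Agent Manager", "SP Server", "tcp", ports("8093")),
    Flow("Agent Manager", "SP Server", "tcp", ports("8443")),
    Flow("SP Server", "Site DB", "tcp", ports("1433")),
    Flow("SP Server", "Site DB", "udp", ports("1434")),  # UDP, not encrypted
]


def missing_flows(rules, required=REQUIRED):
    """Return the required flows that no rule in `rules` covers."""
    return [f for f in required if not any(r.covers(f) for r in rules)]


# Constructed rule set: Agent Manager -> 8443 and the UDP 1434 rule are absent.
SAMPLE_RULES = [
    Flow("Console", "SP Server", "tcp", ports("3988-3999")),
    Flow("Console", "SP Server", "tcp", ports("8093")),
    Flow("Event Collector", "Network Sensor", "tcp", ports("901-930")),
    Flow("Agent Manager", "SP Server", "tcp", ports("3994")),
    Flow("Agent Manager", "SP Server", "tcp", ports("8093")),
    Flow("SP Server", "Site DB", "tcp", ports("1433")),
]

if __name__ == "__main__":
    for f in missing_flows(SAMPLE_RULES):
        print(f"missing: {f.src} -> {f.dst} {f.proto}/{f.ports.start}-{f.ports[-1]}")
```

Extend REQUIRED with the remaining rows of the table for the components you actually deploy; a UDP row is never satisfied by a TCP rule, which is the mistake this catches for port 1434.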
How to enable NAT communication

To correct NAT communication problems, you must configure SiteProtector components to use either a public IP address or a fully qualified domain name.

Common NAT firewall locations

NAT is typically enabled on external firewalls and not on firewalls that are located on the intranet. You may experience communication problems if firewalls are located between the following:
- Remote consoles and the Application Server
- Remote Proventia Desktop agents and the Agent Manager

Topics
- “Configuring the Application Server for communication with NAT firewalls” on page 8
- “Restarting the Sensor Controller and Application Server services” on page 8
- “Configuring the Agent Manager for communication through NAT firewalls” on page 9
Configuring the Application Server for communication with NAT firewalls

This topic explains how to configure the Application Server to communicate with NAT firewalls.

About this task

Important: Perform the procedure in this topic only if a NAT firewall is between the Application Server and the Console.

Reference: For more information on stopping and restarting the application services, see “Restarting the Sensor Controller and Application Server services.”

Procedure
1. Stop the Application Server service.
2. Click Start on the taskbar, and then select Run.
3. In the Open field, type regedit. The Registry Editor appears.
4. Navigate to the following path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
5. Use the following table to configure the registry keys:

| Folder | Entry | Change the... |
|---|---|---|
| issSPAppService\Parameters | JVM Option Number 6 | value data from the IP address to the DNS name |
| issSPSenCtlService\Parameters | IPBind | value data from the IP address to the DNS name |

   Example: -Djava.rmi.server.hostname=public_IP_or_FQDN
6. Restart the Sensor Controller and Application Server services.

Restarting the Sensor Controller and Application Server services

This topic explains how to stop or restart the Sensor Controller and the Application Server services.

About this task

After you have configured the Application Server to communicate with NAT, you must restart the Sensor Controller and Application Server services to put the changes into effect.

Procedure
1. Click Start on the taskbar of the computer where the Application Server and Sensor Controller are installed, and then select Settings → Control Panel.
2. Open the Administrative Tools folder, and then double-click Services. The Services window appears.
3. In the right pane, scroll until you find SiteProtector Sensor Controller Service, and then select it.
4. Do one of the following:
   - To stop the Sensor Controller service, click Stop Service (the Stop option) on the toolbar.
   - To start the Sensor Controller service, click Start Service (the Play option) on the toolbar.
5. Repeat Steps 1 through 4 for the Application Server.

Configuring the Agent Manager for communication through NAT firewalls

Perform the procedure in this topic only if a NAT firewall is between the Agent Manager and Proventia Desktop agents. This procedure configures the Agent Manager so that it can communicate with NAT firewalls.

Before you begin

You must perform this procedure before you generate agent builds. Otherwise, agents cannot communicate with the Agent Manager, and you will be forced to regenerate agent builds.

Procedure
1. On the computer where the Agent Manager is installed, locate the Agent Manager initialization files at the following path: Program Files\ISS\SiteProtector\AgentManager\rsspdc.ini
2. Open the file in a text editor.
3. Change the dcName to one of the following:
   - DNS name (the recommended option)
   - public IP address
   Note: If you select the DNS name option, ensure that it resolves to an IP address.
4. Save the file.
5. On the Console, right-click the Agent Manager icon, and then select Stop.
6. Right-click the Agent Manager icon, and then select Start.
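Both NAT procedures above (the Application Server registry value and the Agent Manager dcName) depend on the same thing: the value written must be a public address, or a name that resolves to one, or the remote Console or Desktop agents cannot reach the component. As an added example that is not from the IBM guide, the following Python code validates the value before it is applied, rewrites the dcName line and builds the -Djava.rmi.server.hostname string; it assumes rsspdc.ini is a plain key=value file, and the sample file content, the placeholder address and the resolver stub are constructed.

```python
"""Validate the public endpoint used in the SiteProtector NAT procedures.

Added example, not from the IBM guide. The resolver is injectable so the
checks can run offline; the default is the system resolver.
"""
import ipaddress
import socket


def check_endpoint(value, resolve=socket.gethostbyname):
    """Return value if it is usable from outside the NAT firewall, else raise.

    A private IP address is rejected (the guide notes that NAT firewalls
    typically block components that use private addresses); a DNS name must
    resolve (the guide's note on the dcName option) and not to a private one.
    """
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        try:
            ip = ipaddress.ip_address(resolve(value))
        except (OSError, LookupError, ValueError) as exc:
            raise ValueError(f"{value!r} does not resolve") from exc
    if ip.is_private:
        raise ValueError(f"{value!r} maps to the private address {ip}")
    return value


def rmi_hostname_option(value, resolve=socket.gethostbyname):
    """Value data for JVM Option Number 6 under issSPAppService\\Parameters."""
    return f"-Djava.rmi.server.hostname={check_endpoint(value, resolve)}"


def set_dc_name(ini_text, value, resolve=socket.gethostbyname):
    """Rewrite the dcName line of rsspdc.ini, leaving every other line intact."""
    check_endpoint(value, resolve)
    out, found = [], False
    for line in ini_text.splitlines():
        key, sep, _ = line.partition("=")
        if sep and key.strip().lower() == "dcname":
            line, found = f"{key}={value}", True
        out.append(line)
    if not found:
        raise ValueError("no dcName entry in rsspdc.ini")
    return "\n".join(out) + "\n"


# Constructed sample content; the real file has more entries.
SAMPLE_INI = "[AgentManager]\n; constructed sample\ndcName=10.0.0.5\n"

if __name__ == "__main__":
    # Offline resolver stub; 198.100.50.25 is a constructed placeholder.
    resolve = {"am.example.com": "198.100.50.25"}.__getitem__
    print(set_dc_name(SAMPLE_INI, "am.example.com", resolve), end="")
    print(rmi_hostname_option("am.example.com", resolve))
```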
    • Printed in USA