Configuring Firewalls for SiteProtector Traffic Version 2.0, Service Pack 8.1
Copyright Statement Copyright IBM Corporation 1994, 2010. IBM Global Services Route 100 Somers, NY 10589 U.S.A. Produced in the United States of America. All Rights Reserved.
Contents

About this publication
Chapter 1. Firewall Port Information
    Port information for SiteProtector traffic
    Port information for Third Party Module traffic
    Port information for Active Directory integration
    Port information for Internet access
Chapter 2. Configuring Components for NAT Firewalls
    Configuring the Application Server for communication with NAT firewalls
    Restarting the Sensor Controller and Application Server services
    Configuring the Agent Manager for communication through NAT firewalls
Notices
    Trademarks
About this publication

Intended audience

This document assumes that you are familiar with the following:
- Procedures for configuring firewalls
- Routers, or any other devices that you use to block traffic on your network
- Procedures for modifying system files such as the Windows registry and properties files
Topics

- Chapter 1, Firewall Port Information
- Chapter 2, Configuring Components for NAT Firewalls
Chapter 1. Firewall Port Information

TCP/IP ports

Firewalls commonly filter traffic by IP address and by TCP or UDP port. A firewall typically blocks traffic to an address or port unless a rule explicitly allows it, so every SiteProtector connection that crosses a firewall needs a rule for its destination port.
Topics

- Port information for SiteProtector traffic
- Port information for Third Party Module traffic
- Port information for Active Directory integration
- Port information for Internet access
Port information for SiteProtector traffic

Requirement

If a firewall is located between the source and destination component, create a firewall rule that allows incoming traffic to the destination ports that are specified.

Reference: Refer to your firewall documentation for specific instructions about creating and configuring a firewall rule.
The port table for SiteProtector traffic has the columns Source, Destination, Wire Protocol, Encryption and Destination Ports. The rows of the table did not survive extraction; the column contents are reproduced below, grouped as they were recovered, so that the component names, protocols and port numbers remain available. Which port belongs to which source/destination pair must be read from the original table.

Components named as sources or destinations: Agent Manager; Event Viewer; ADS Appliance; IBM ISS Web Site; SP Server; Databridges; Active Directory Server; Event Collector; SecurityFusion module; Deployment Manager; X-Press Update Server; Event Archiver; Site DB; Proventia Network IDS prior to firmware release 1.0; Proventia Network IDS and Proventia Network IPS with firmware release 1.0 or later; Proventia Network Enterprise Scanner; External Ticketing Server; SNMP Server; SMTP Server; Internet Scanner; Network Sensor; Server Sensor; Third Party Module; Remote Host; IBM MSS Web site; Desktop Agents (7.0 and earlier); Databridge; RealSecure Sensor Agent; IBM MSS Event Server; Proventia Network MFS; Proventia Server.

Source cells recovered with their destination lists:
- Agent Manager: Deployment Manager, X-Press Update Server, Event Archiver, Site DB
- Event Collector: Databridge, Agent Manager, Event Archiver, Event Collector, SP Server, Internet Scanner, Network Sensor, Proventia Network IDS, SNMP Server, RealSecure Sensor Agent, SecurityFusion module, Site DB, IBM MSS Event Server
- Event Archiver: Proventia Network Enterprise Scanner; Proventia Network IDS, Proventia Network IPS, Proventia Network MFS, and Proventia Server; SecurityFusion module

Wire Protocol cells, in the order recovered:
L/S | HTTPS | HTTPS | JDBC/TDS/Named Pipe, or RPS | HTTPS
HTTPS | HTTPS | Vendor Proprietary (note 3) | SNMP | SMTP | L/S | L/S | L/S | L/S | Windows RPC | HTTPS | HTTPS
N/A | HTTPS | OLE DB/RPC/Named Pipe | SNMP | L/S | L/S | HTTPS | L/S | HTTPS | L/S | L/S | L/S | SNMP | L/S | L/S | ODBC/RPC/Named Pipe | HTTPS | HTTPS | HTTPS | HTTPS | HTTPS

Encryption cells (values are Yes, None or Configurable), in the order recovered:
Yes | Yes | None | Yes | None | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Yes | Yes
Yes | Yes | Yes | None | None | Yes | Yes | Yes | Yes | None | Yes | Yes
None | Yes | Configurable | None | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | None | Yes | Yes | Configurable | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes

Destination Ports cells, in the order recovered:
3988, 3989, 3994, 3996, 3997, 3998, 3999, 8093 | 3993 | 443 | 80 | 2998 | 389, 3268 (note 2) | 2998, 8996 | 2998 | 2998, 3995 | 2998 | 3994 | 8998 | 1433, 445, 135, 1434 (UDP port not encrypted) | 443 | 2998
443 | 443 | 1058, 1069 (note 4) | 162 | 25 | 2998 | 2998 | 2998 | 2998 | 135 | 443 | 8082
ICMP | 3994, 8093, 8443 | 1433, 135, 445, 1434 | 162 | 901-930 | 914 | 8997 | 912 | 3994 | 901-930 | 901-930 | 901-930 (note 5) | 162 | 901-930 | 901-930 | 1433, 135, 445, 1434 | 8443 | 3994 | 3995 | 3995 | 3994 | 3994 | 8085 | 3995 | 3995
Notes:
1. The Wire Protocol abbreviation L/S refers to Leap / Score.
2. Port 3268 is the Global Catalog port on the Active Directory server.
3. Vendor Proprietary means the protocol is specific to that vendor.
4. Port 1069 is taken from the Remedy Web site.
5. Proventia Network IDS firmware releases earlier than 1.0 use destination ports 901 through 903.
6. All Proventia Agents and Desktop Agent release 7 or earlier communicating with the Agent Manager have the Command & Control option.
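The Requirement above says to allow incoming traffic to the listed destination ports for each source/destination pair. The script below is an added example, not part of the IBM document or the product: it parses port cells written the way the table writes them, emits one source-pinned allow rule per port range in a vendor-neutral notation (translate it to your firewall's own syntax), annotates rows whose Encryption cell is not Yes, and checks a rule from the source side with a TCP connect. SAMPLE_FLOWS and SAMPLE_ADDRESSES are constructed for illustration; the port numbers occur in the table, but pairing them with these components and addresses is an assumption, so replace them with rows from your copy of the table.

```python
"""Turn rows of the SiteProtector port table into firewall allow rules and
check them with a TCP connect from the source side.

Added example; not IBM code. Rule syntax is a vendor-neutral placeholder:
translate it to the syntax of the firewall that sits between the two
components.
"""
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

PortRange = Tuple[int, int]


@dataclass(frozen=True)
class Flow:
    source: str        # component that opens the connection
    destination: str   # component that listens
    protocol: str      # "tcp" or "udp"
    ports: str         # Destination Ports cell as written, e.g. "1433, 445, 135" or "901-930"
    encryption: str    # Encryption cell: "Yes", "None" or "Configurable"


# CONSTRUCTED sample rows. The port numbers occur in the document's table,
# but pairing them with these sources/destinations is an assumption made
# for the example; take real rows from your copy of the table.
SAMPLE_FLOWS = [
    Flow("Event Collector", "Site DB", "tcp", "1433, 135, 445", "Configurable"),
    Flow("Event Collector", "Site DB", "udp", "1434", "None"),          # table: UDP port not encrypted
    Flow("Agent Manager", "Internet Scanner", "tcp", "2998", "Yes"),    # L/S
    Flow("Event Collector", "Proventia Network IDS", "tcp", "901-930", "Yes"),
    Flow("SP Server", "SNMP Server", "udp", "162", "None"),
]

# Assumed addresses (RFC 5737 documentation ranges), one per component.
SAMPLE_ADDRESSES = {
    "Event Collector": "192.0.2.20",
    "Site DB": "192.0.2.10",
    "Agent Manager": "192.0.2.30",
    "Internet Scanner": "198.51.100.5",
    "Proventia Network IDS": "198.51.100.6",
    "SP Server": "192.0.2.40",
    "SNMP Server": "203.0.113.9",
}


def parse_ports(cell: str) -> List[PortRange]:
    """Parse a Destination Ports cell into (low, high) ranges.

    A footnote digit fused to a port by extraction (e.g. "32682" for port
    3268 with note 2) is still a valid port number, so strip footnote
    markers before calling; this parser cannot detect them.
    """
    ranges: List[PortRange] = []
    for part in cell.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo_s, hi_s = part.split("-", 1)
            lo, hi = int(lo_s), int(hi_s)
        else:
            lo = hi = int(part)
        if not 0 < lo <= hi <= 65535:
            raise ValueError(f"bad port specification: {part!r}")
        ranges.append((lo, hi))
    return ranges


def build_rules(flows: List[Flow], addresses: Dict[str, str]) -> List[str]:
    """One allow rule per flow and port range, pinned to the source address.

    Rows whose Encryption cell is not "Yes" are annotated: on those links the
    firewall's source restriction is the only control on the path.
    """
    rules: List[str] = []
    for flow in flows:
        src, dst = addresses[flow.source], addresses[flow.destination]
        for lo, hi in parse_ports(flow.ports):
            span = str(lo) if lo == hi else f"{lo}-{hi}"
            note = f"{flow.source} -> {flow.destination}, encryption={flow.encryption}"
            if flow.encryption == "None":
                note += "; cleartext on the wire, keep the source pinned"
            elif flow.encryption == "Configurable":
                note += "; enable encryption on this link or treat it as cleartext"
            rules.append(f"allow {flow.protocol} from {src} to {dst} dport {span}  # {note}")
    return rules


def check_reachable(host: str, ranges: List[PortRange],
                    connect: Callable = socket.create_connection,
                    timeout: float = 2.0) -> List[int]:
    """Return the TCP ports in `ranges` that cannot be connected to.

    Run it on the source component's side of the firewall; a UDP rule
    (1434, 162) cannot be verified this way. `connect` is injectable so the
    logic can be exercised without a network.
    """
    blocked: List[int] = []
    for lo, hi in ranges:
        for port in range(lo, hi + 1):
            try:
                sock = connect((host, port), timeout=timeout)
            except OSError:
                blocked.append(port)
            else:
                if sock is not None:
                    sock.close()
    return blocked


def simulated_connect(open_ports: set) -> Callable:
    """Build a stand-in for socket.create_connection for offline dry runs."""
    def connect(address, timeout=None):
        if address[1] not in open_ports:
            raise ConnectionRefusedError(f"simulated: port {address[1]} closed")
        return None
    return connect


if __name__ == "__main__":
    for rule in build_rules(SAMPLE_FLOWS, SAMPLE_ADDRESSES):
        print(rule)
    # Dry run: pretend only 1433 is open on the Site DB host.
    dry = simulated_connect({1433})
    print("blocked:", check_reachable("192.0.2.10", parse_ports("1433, 135, 445"), connect=dry))
```

Rules are pinned to the source component's address rather than opened to any host because the rows marked None or Configurable carry no transport encryption of their own; for the database ports (1433, 135, 445, 1434) the Configurable row should be turned into an encrypted connection rather than relying on the firewall alone. Run the reachability check from the source side after the rules are in place, and remember that the ICMP and UDP rows need a separate check.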
Port information for Third Party Module traffic

Requirement

If a firewall is located between the source and destination component, create a firewall rule that allows incoming traffic to the destination ports that are specified.

Reference: See the SiteProtector Third Party Module Guide available on the IBM ISS Web site.
Port information for Active Directory integration

Protocol column of the Active Directory integration table (the port column is not present in this copy):
- Kerberos Secure Authentication
- Lightweight Directory Access Protocol (LDAP)
- Kerberos Passwords
- LDAP over SSL
- Microsoft Global Catalog
- Microsoft Global Catalog with LDAP/SSL
Port information for Internet access

Requirement

If a firewall is located between the source and destination component, create a firewall rule that allows incoming traffic to the destination ports that are specified.

Important: IBM ISS recommends that you use secure protocols (SSL or HTTPS) to download updates from the Deployment Manager.
Chapter 2. Configuring Components for NAT Firewalls

Topics

- Configuring the Application Server for communication with NAT firewalls
- Restarting the Sensor Controller and Application Server services
- Configuring the Agent Manager for communication through NAT firewalls
Configuring the Application Server for communication with NAT firewalls

Procedure

1. Stop the Application Server service.
2. Click Start on the taskbar, and then select Run.
3. In the Open field, type regedit. The Registry Editor appears.
4. Navigate to the following path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\
5. Use the following table to configure the registry keys:

   Folder                          Entry                  Change the...
   issSPAppService\Parameters      JVM Option Number 6    value data from the IP address to the DNS name
   issSPSenCtlService\Parameters   IPBind                 value data from the IP address to the DNS name

   Example: -Djava.rmi.server.hostname=public_IP_or_FQDN

   The name you set here is the host name the Application Server hands to its RMI clients, so clients on the far side of the NAT firewall must be able to resolve it to the address that the firewall translates to the server.
6. Restart the Sensor Controller and Application Server services.
Restarting the Sensor Controller and Application Server services

Procedure

1. Click Start on the taskbar of the computer where the Application Server and Sensor Controller are installed, and then select Settings > Control Panel.
2. Open the Administrative Tools folder, and then double-click Services. The Services window appears.
3. In the right pane, scroll until you find SiteProtector Sensor Controller Service, and then select it.
4. Do one of the following:
   - To stop the Sensor Controller service, click Stop Service (the Stop option) on the toolbar.
   - To start the Sensor Controller service, click Start Service (the Play option) on the toolbar.
5. Repeat Steps 1 through 4 for the Application Server.
Configuring the Agent Manager for communication through NAT firewalls

Procedure

1. On the computer where the Agent Manager is installed, locate the Agent Manager initialization file at the following path: \Program Files\ISS\SiteProtector\AgentManager\rsspdc.ini
2. Open the file in a text editor.
3. Change the dcName to one of the following:
   - DNS name (the recommended option)
   - public IP address
   Note: If you select the DNS name option, ensure that it resolves to an IP address from the agents' side of the firewall, since that is where the agents look it up.
4. Save the file.
5. On the Console, right-click the Agent Manager icon, and then select Stop.
6. Right-click the Agent Manager icon, and then select Start.
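Both NAT procedures in this chapter come down to replacing an IP address with a DNS name in two registry values (JVM Option Number 6 under issSPAppService\Parameters and IPBind under issSPSenCtlService\Parameters) and in dcName in rsspdc.ini, with the instruction to make sure the name resolves. The script below is an added example, not IBM code: it validates the intended name (rejecting an IP literal, since the DNS name is the recommended option, and checking that it resolves), produces a .reg file for the two registry values, and rewrites dcName in a copy of the ini text, so the change can be reviewed before the services are stopped and it is applied. Registry paths, value names, the -Djava.rmi.server.hostname= form and the dcName key come from the document; REG_SZ as the value type, the stub resolver and the sample ini text are assumptions.

```python
"""Prepare the NAT-facing host name change for the SiteProtector
Application Server, Sensor Controller and Agent Manager.

Added example; not IBM code. It does not edit the live registry or ini
file: it validates the name, builds a .reg file for the two registry
values named in the procedure, and rewrites dcName in ini text. REG_SZ
as the value type is an assumption.
"""
import ipaddress
import re
import socket
from typing import Callable

APP_SERVER_KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\issSPAppService\Parameters"
SENSOR_CTL_KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\issSPSenCtlService\Parameters"
JVM_OPTION_NAME = "JVM Option Number 6"
IPBIND_NAME = "IPBind"

_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
_HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")
_RMI_RE = re.compile(r"(-?Djava\.rmi\.server\.hostname=)(\S+)")
_DCNAME_RE = re.compile(r"^([ \t]*dcName[ \t]*=[ \t]*)[^\r\n]*", re.M | re.I)


def is_ip_literal(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def validate_public_name(name: str,
                         resolve: Callable[[str], str] = socket.gethostbyname) -> str:
    """Return the address `name` resolves to, or raise ValueError.

    The document recommends a DNS name over a public IP and says to make
    sure the name resolves; both checks are made here from the machine this
    runs on. Run it on the far side of the NAT as well, since that is where
    Consoles and agents will resolve it. `resolve` is injectable.
    """
    if is_ip_literal(name):
        raise ValueError(f"{name!r} is an IP literal; use the DNS name")
    if len(name) > 253 or not _HOSTNAME_RE.match(name):
        raise ValueError(f"{name!r} is not a valid host name")
    try:
        return resolve(name)
    except OSError as exc:
        raise ValueError(f"{name!r} does not resolve: {exc}") from exc


def rewrite_rmi_option(current: str, new_host: str) -> str:
    """Swap the host in -Djava.rmi.server.hostname=<old>, keeping the rest."""
    if not _RMI_RE.search(current):
        raise ValueError("value does not contain -Djava.rmi.server.hostname=")
    return _RMI_RE.sub(lambda m: m.group(1) + new_host, current, count=1)


def reg_file(new_host: str, current_jvm_option: str) -> str:
    """Build a .reg file that sets both registry values to the new name."""
    def esc(s: str) -> str:
        return s.replace("\\", "\\\\").replace('"', '\\"')
    new_option = rewrite_rmi_option(current_jvm_option, new_host)
    lines = [
        "Windows Registry Editor Version 5.00",
        "",
        f"[{APP_SERVER_KEY}]",
        f'"{JVM_OPTION_NAME}"="{esc(new_option)}"',
        "",
        f"[{SENSOR_CTL_KEY}]",
        f'"{IPBIND_NAME}"="{esc(new_host)}"',
        "",
    ]
    return "\r\n".join(lines)


def rewrite_dcname(ini_text: str, new_host: str) -> str:
    """Replace the dcName value in rsspdc.ini text, leaving other lines and
    line endings untouched; refuses to guess if the key is missing."""
    if not _DCNAME_RE.search(ini_text):
        raise ValueError("dcName not found in rsspdc.ini text")
    return _DCNAME_RE.sub(lambda m: m.group(1) + new_host, ini_text, count=1)


if __name__ == "__main__":
    # Offline demonstration with an assumed name and a stub resolver.
    public_name = "siteprotector.example.com"
    print("resolves to", validate_public_name(public_name, resolve=lambda n: "192.0.2.40"))
    print(reg_file(public_name, "-Djava.rmi.server.hostname=10.1.1.5"))
    # CONSTRUCTED sample, not a real rsspdc.ini.
    sample_ini = "; constructed sample, not a real rsspdc.ini\r\ndcName=10.1.1.6\r\n"
    print(rewrite_dcname(sample_ini, public_name))
```

Apply the generated .reg file only after stopping the Application Server service (step 1 of the procedure) and restart the Sensor Controller and Application Server services afterwards; write the rewritten ini text back to rsspdc.ini and then stop and start the Agent Manager from the Console as the procedure describes. Keep the original registry values and ini file so the change can be reverted if agents stop reporting.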
Notices
This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service. IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not grant you any license to these patents. You can send license inquiries, in writing, to: IBM Director of Licensing IBM Corporation North Castle Drive Armonk, NY 10504-1785 U.S.A. For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to: Intellectual Property Licensing Legal and Intellectual Property Law IBM Japan Ltd. 1623-14, Shimotsuruma, Yamato-shi Kanagawa 242-8502 Japan The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you. This information could include technical inaccuracies or typographical errors. 
Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice. Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk. IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact: IBM Corporation SiteProtector Project Management C55A/74KB 6303 Barfield Rd., Atlanta, GA 30328 U.S.A Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee. The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us. All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.
Trademarks
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at Copyright and trademark information at www.ibm.com/legal/copytrade.shtml. Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both. UNIX is a registered trademark of The Open Group in the United States and other countries. Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both. Other company, product, or service names may be trademarks or service marks of others.