Making r11 Agent Technology talk through a Firewall Last Updated 12/19/2005.

© 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies.

Slide 2: Agenda
- Introduction
- Secured Remote MDB setup
- Worldview Discovery
- Configuring DIA for firewall
- Managing CA Agents using DIA

Slide 3: Objectives
- Requirements for working through a firewall will vary between sites.
- The architecture will be highly dependent on:
  - The level of risk accepted
  - Rules dictated by the firewall administration
  - Rules governing the blocking and unblocking of ports
- This presentation walks through some common scenarios dictated by different security administrations.

Slide 4: Firewall Requirements
- Considerations for the firewall:
  - Reduce the number of ports to be unblocked
  - Minimize port contention
  - Block UDP ports
  - Minimize the number of hosts that require ports to be unblocked
  - Block traffic initiated from outside the firewall

Slide 5: Need for Firewalls
- Exponential growth in cyber crime: hackers, cyber criminals, e-terrorists
- Problems caused by denial-of-service attacks highlighted the need for a resilient and secure DMZ environment.
- Secure Internet environments require firewalls.

Slide 6: Perimeter vs. Host Firewalls
- For this presentation we are only considering perimeter firewalls.
- There are several considerations for deploying host firewalls, and they introduce complexities for r11 if the host firewall rules are not consistent.

Slide 7: Testing Environment
- DMZ Server: dawya01v05
- Secured Zone MDB Server: I14y204

Secured Remote MDB setup

Slide 9: Scenario #1
- We wish to deploy NSM in the DMZ but want to use an MDB which resides in the secured zone.
- What are the considerations?

Slide 10: (diagram) The Ingres Client of the DMZ NSM install connects through the firewall to the Ingres Server hosting the MDB in the Secured Zone

Slide 11: DMZ NSM Install

Slide 12: DMZ Install NSM

Slide 13: Select Secured MDB
- The connection fails because the Ingres Client port is not opened.

Slide 14: Ingres Client
- Shows that the port is blocked.

Slide 15: Ingres Client
- The Ingres Client (Netserver) requires access to the MDB database residing on the Ingres Server.
- This requires the Ingres Client port to be opened inbound.
- The port number will vary depending on the Ingres Instance id.
- The default Ingres Instance is EI.
- To translate the Ingres Instance id into the port number, click "Convert Ingres Port" (Unix source converted to Windows).
- Mdbport: Instance Name to Port
    Instance Name   Port
    II              21064
    EI              19016
    wv              28336

Slide 16: Ingres Ports (Unix source ported to Windows)
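The instance-id-to-port translation that the deck's "Convert Ingres Port" tool performs, written here as an added Python example (not the deck's or CA's code): the bit layout is my reading of Ingres' symbolic-port scheme, checked against the three values in the table above, and ingres_port / inbound_rule are hypothetical names of my own.

```python
"""Ingres symbolic port id -> TCP port.

Added example, not code from the CA deck. Reproduces what the slide's
"Convert Ingres Port" tool does for the three ids in the slide's table.
The bit layout is my reading of Ingres' symbolic-port scheme (assumption,
verify against your Ingres release):
    port = 0x4000 | (X << 9) | (Y << 3) | n
where X and Y are the two letters of the instance id masked with 0x1F
(A/a -> 1 ... Z/z -> 26, so case does not matter) and n is the optional
trailing sub-port digit 0-7 (the plain id "EI" means "EI0").
"""


def ingres_port(symbolic_id: str) -> int:
    """Return the TCP port for an Ingres symbolic port id ('II', 'EI0', 'wv7')."""
    if len(symbolic_id) not in (2, 3):
        raise ValueError(f"expected XY or XYn, got {symbolic_id!r}")
    first, second = symbolic_id[0], symbolic_id[1]
    # Only the letter/letter form is verified against the slide's table.
    if not (first.isascii() and first.isalpha()
            and second.isascii() and second.isalpha()):
        raise ValueError(f"instance id must be two ASCII letters: {symbolic_id!r}")
    subport = 0
    if len(symbolic_id) == 3:
        if symbolic_id[2] not in "01234567":
            raise ValueError(f"sub-port must be 0-7: {symbolic_id!r}")
        subport = int(symbolic_id[2])
    # Masking with 0x1F maps 'I'/'i' -> 9, 'E'/'e' -> 5, 'W'/'w' -> 23, ...
    return (0x4000
            | ((ord(first) & 0x1F) << 9)
            | ((ord(second) & 0x1F) << 3)
            | subport)


def inbound_rule(instance_id: str, mdb_host: str, dmz_host: str) -> str:
    """One-line description of the single inbound rule slide 15 calls for:
    TCP from the DMZ NSM server to the Ingres port on the secured MDB server."""
    return f"allow tcp {dmz_host} -> {mdb_host}:{ingres_port(instance_id)}"


if __name__ == "__main__":
    # Slide 15's table, plus one sub-port form to show the low three bits.
    for inst in ("II", "EI", "wv", "II7"):
        print(f"{inst:<4} {ingres_port(inst)}")
    # Hostnames are the ones from the deck's test environment (slide 7).
    print(inbound_rule("EI", "I14y204", "dawya01v05"))
```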

Slide 17: Install Process
- Prior to the NSM install in the DMZ, get the secured MDB server information, including:
  - MDB server name and Ingres install id
  - User ID and password to connect to the remote MDB
    - For NSM, this will be nsmAdmin
    - For DSM, this will be ca-ITRM

Slide 18: Open Ingres Port
- The Ingres Client communicates with the Ingres Server successfully once the port is opened.

Slide 19: Ingres Client
- This shows the Ingres port used to connect to the Ingres Server.

World View Discovery

Slide 21: WV Discovery
- Discovery considerations:
  - Initiate discovery from inside the firewall
  - Initiate discovery from outside the firewall, with the MDB inside the firewall
  - Temporarily unblock ports for Auto Discovery
  - NAT implications

Slide 22: WV Discovery Initiated within Firewall (diagram: dscvrbe -r .. run in the Secured zone against the MDB, discovering the DMZ through the firewall)

Slide 23: WV Discovery Initiated within Firewall
- Ping sweep
- ICMP and SNMP opened

Slide 24: WV Discovery Ping Sweep
- Discovery initiated within the firewall
- The ping sweep requires ICMP to be allowed through the firewall

Slide 25: WV Discovery Classification
- SNMP (161) is required for classification

Slide 26: WV Discovery Classification
- Additional ports may be required if "Check Additional Ports" is selected

Slide 27: WV Discovery Initiated Outside Firewall (diagram: dscvrbe -r .. run in the DMZ; no UDP through the firewall; Ingres port 19016 to the MDB)

Slide 28: WV Discovery Limited Unblocked
- During the auto-discovery process objects are classified using SNMP, therefore the SNMP port should be opened.
- Once auto-discovery is complete the port can be closed.
- It is also possible to run discovery outside the firewall and then move the data inside the firewall via trix. This is NOT best practice and the customization is "more difficult than is apparent".

DIA

Slide 30: Scenario #3
- We wish to configure DIA in a firewall environment to reduce the number of ports to be unblocked.
- What are the considerations?

Slide 31: DNA Ports (diagram: the DMZ Server's DNA in the DMZ reports through the firewall to the DIA UKB on the MDB server in the Secured zone; DNA data ports)

Slide 32: Requirements Recap
- From the DMZ, connect to the UKB in the secured zone.
- The DNA in the DMZ will report to the secured-zone UKB.
- This will enable MCC and other GUIs to communicate with DNA cells in the DMZ.
- DIA ports will be blocked inbound with the exception of the data port.
- DIA ports are unblocked for all outbound traffic.

Slide 33: Configuration
- Identify the potential candidate for the UKB proxy in the secured zone.
  - In our case, the most suitable candidate is the MDB server we wish to connect to from the DMZ.
  - For performance reasons, this should NOT be the Master UKB.
- Determine if an SRV record is defined in the DNS of the DMZ environment. In most cases it is not, and it is not required for the DMZ.
  - If SRV is defined then additional DIA inbound ports may need to be opened.

Slide 34: UKB Proxy
- In the secured zone, update ukb.cfg on the server that will be designated as the UKBProxy.
- Once updated, restart the DIA service to pick up the UKBProxy settings.

Slide 35: Secured Zone: Update ukb.cfg
- Set PROXY_UKB to Yes

Slide 36: DMZ Server
- Verify the DMZ server is pingable from the secured zone.
  - This should be the real hostname of the DMZ server.
- DIA ports are opened for outbound traffic. The port numbers are configurable in the ukb.cfg and dna.cfg files.
- Activate the DMZ server using diatools from the secured zone.
- Verify the DMZ DNAs are registered correctly.

Slide 37: Secured: Activate DMZ DNA
1. Launch diatool from the secured-zone server designated as the UKBProxy.
2. Activate the DMZ DNA.

Slide 38: Secured: Activate DMZ DNA
- Enter the DMZ server hostname.

Slide 39: Secured: Activate DMZ DNA
- Activation complete.

Slide 40: DMZ
- Verify the DNA is activated correctly and reporting to the UKBProxy in the secured zone.
- Review the ukb.dat file on the DMZ server.

Slide 41: DMZ - Verification
- This points to the secured-zone UKB, which is correct.

Slide 42: Alternative Activation using Command Line
- If the GUI interface is not desirable, then the DNA can also be activated using the following command:
  C:\Program Files\CA\SharedComponents\CCS\DIA\dia\dna\bin\autoactivatedna.bat

Slide 43: Secured Zone - UKB Proxy

Slide 44: Secured Zone: UKB
- This shows the DNA has been activated for the DMZ server (DMZ DNA and Local DNA are listed).

Slide 45: DNA Registration Port - Outbound Traffic

Slide 46: DMZServer -> UKBProxy
- Inbound traffic responds via the active connection.

Slide 47: DNA RMIPORT - Outbound Traffic

Slide 48: DMZServer -> Secured: Port 11504

Slide 49: DIA Ports

Slide 50: UKB Port
- This port is used by consumers, such as UMP, to communicate with the UKB.

Slide 51: Conclusion
- DIA/DNA is blocked for DMZ inbound traffic with the exception of cgene and the data ports; DIA from the secured zone determines which DMZ ports are blocked and plugs the hole, eliminating the need to unblock the DIA inbound registration ports.

Managing CA Agents using DIA

Slide 53: Scenario #4
- We wish to deploy CA Agents in the DMZ.
- What are the considerations for CA Agents in the DMZ communicating with the DSM in the secured zone?

Slide 54: DNA Ports (diagram: CA Agents with DNA in the DMZ report through the firewall to DIA and aws_dsm on the MDB server in the Secured zone; DNA data ports)

Slide 55: Agent Communication - Configuration
- Configuration file: %AGENTWORKS_DIR%\SERVICES\CONFIG\atservices.ini
- Section [SNMP]
- Parameter 'UseSnmp':
  - '0': DIA only
  - '1': SNMP only
  - '2': DIA to CA Agents (Enterprise OID 791), SNMP otherwise
  - '3': can do both DIA or SNMP depending on the target machine

Slide 56: DSM Communication - Architecture (diagram: on the Manager side, DSM with AWS_ORB and AWS_AGTGATE; on the Managed Node, AWS_ORB, AWS_AGTGATE, AWS_SNMP, AWS_SADMIN and the Agent; paths labelled UseSnmp = 0 (DNA), UseSnmp = 1 (SNMP), UseSnmp = 2 (CA-Agent (791) vs Non-CA-Agent) and UseSnmp = 3 (DIA installed: DIA Active vs DIA Not Active))

Slide 57: USESNMP Settings
- If non-CA agents are to be monitored, then aws_dsm should be installed in the DMZ.
- If only CA agents are to be monitored, reporting to the secured DSM, then set UseSnmp to 0.

Slide 58: Default UseSnmp
- Default setting of UseSNMP. Change it to UseSNMP=0 to force DNA communication.
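An added Python check (not from the deck) that reads UseSnmp from an atservices.ini sample and reports which DMZ nodes would still fall back to SNMP, and so would need inbound UDP 161 through the firewall, under a given setting; the ini content and node list are constructed, and the function names are mine.

```python
"""UseSnmp transport selection and inbound-UDP check for atservices.ini.

Added example, not from the CA deck. Encodes the UseSnmp meanings from
slide 55 and checks whether a setting works for CA Agents in a DMZ where
inbound UDP (SNMP 161) stays blocked, as slides 57 and 62 assume.
The ini text below is constructed; only the [SNMP] section and UseSnmp
key are taken from the slides. Function names are hypothetical.
"""
import configparser

# Constructed sample of %AGENTWORKS_DIR%\SERVICES\CONFIG\atservices.ini;
# a real file has more sections, which this check ignores.
SAMPLE_INI = """\
[SNMP]
UseSnmp=2
"""


def read_usesnmp(ini_text: str) -> int:
    """Parse the [SNMP] UseSnmp value and reject anything outside 0-3."""
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    value = cfg.getint("SNMP", "UseSnmp")  # option names are case-insensitive
    if value not in (0, 1, 2, 3):
        raise ValueError(f"unknown UseSnmp value {value}")
    return value


def transport(usesnmp: int, is_ca_agent: bool, dia_active: bool) -> str:
    """Return 'DIA' or 'SNMP' for one managed node, per slide 55."""
    if usesnmp == 0:
        return "DIA"                              # DIA only
    if usesnmp == 1:
        return "SNMP"                             # SNMP only
    if usesnmp == 2:
        return "DIA" if is_ca_agent else "SNMP"   # CA Agents (OID 791) via DIA
    return "DIA" if dia_active else "SNMP"        # 3: depends on target machine


def needs_snmp(usesnmp: int, nodes) -> list:
    """Names of nodes (name, is_ca_agent, dia_active) that the DSM would
    poll over SNMP, i.e. that need inbound UDP 161 through the firewall.
    An empty list means the setting fits the DMZ scenario of slide 62."""
    return [name for name, ca, dia in nodes
            if transport(usesnmp, ca, dia) == "SNMP"]


if __name__ == "__main__":
    # Constructed DMZ inventory: one CA Agent host with DIA, one router.
    dmz_nodes = [("dmz-agent", True, True), ("dmz-router", False, False)]
    current = read_usesnmp(SAMPLE_INI)
    for setting in (current, 0):
        print(f"UseSnmp={setting}: SNMP needed for {needs_snmp(setting, dmz_nodes)}")
```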

Slide 59: Cgene
- With UseSNMP set to 0, Agent Technology will communicate with the DSM via DIA ports.
- This will result in cgene send and receive requests between the secured-zone DSM and CA Agents running in the DMZ.
- Requires ports and to be opened inbound.

Slide 60: Cgene send and receive test
- To verify Agent Technology can communicate with the DSM via DIA, run cgene tests:
  - Set up a cgene receive request on the secured zone.
  - Send a cgene send to the secured-zone DSM from the managed node.

Slide 61: Cgene Send and Receive Tests

Slide 62: DSM View
- CA Agents are discovered correctly without the need to open UDP ports inbound.

Slide 63: Nodeview from Secured Zone

Slide 64: Traps via DIA
- Trap communication via DIA.

Slide 65: MCC from Secured Zone

Slide 66: Agent Events via MCC

Slide 67: Port
- The DMZ aws_orb binds to 9990 for DIA communications.

Slide 68: Port
- DIA aws_orb communication via aws_dsm, with tools sending requests via port 9990.

Slide 69: SNMP Traps
- If UseSNMP is set to 3, it will generate SNMP traps.

Slide 70: Conclusion
- If configured correctly, DMZ CA Agents can be managed by the secured aws_dsm without unblocking UDP inbound ports.

Slide 71: Questions and Answers
- Any questions?