Presentation is loading. Please wait.

Presentation is loading. Please wait.

Sales Kickoff - ARCserve

Published byColin Blankenship Modified over 9 years ago

Similar presentations

Presentation on theme: "Sales Kickoff - ARCserve"— Presentation transcript:

1 Sales Kickoff - ARCserve
4/21/2017 5:15:15 AM CCI through Firewall r11 December r11 presented created

2 Objectives CCI Considerations for NSM r11 deployment in DMZ
Review different deployment options Review potential Risks , primarily Denial of Service (DOS) attacks

3 DoS Any software deployed in DMZ requires protection against malicious access or denial of service attacks. This requires review of security solutions to prevent these attacks which is out of scope of this presentation

4 Agenda CCI Introduction CCI Layers DoS Different Deployment Options

5 The need for CCI Applications, such as Job Management Agent, Event Management, etc., need to communicate with one another across various servers and platforms.

6 The need for CCI Allows applications on various platforms to communicate with applications on any other using the mechanism of CCI.

7 CCI is available on... UNIX NT AS/400 OpenVMS Tandem OS/390

8 What CCI does…. Allows applications to communicate with one another without considering IPC / network programming issues. Presents set of APIs that allow programmers to focus on what an application needs to do and forget about IPC / network programming issues.

9 CCI Layers QUES Layer introduced the ability to connect at send time.
RMT Layer connects at CCI start up time. RMT has auto-connect capability Auto-connect capability can be disabled with configuration setting

10 QUES Layer Eliminates need for configuration files
New hosts may be brought into configuration with less effort Removal of host from configuration does not affect other hosts Connections between hosts are short lived Bi-Directional CCI Initialization

11 Sales Kickoff - ARCserve
4/21/2017 5:15:15 AM QUES Layer Requires 7001 port to be unblocked bi-directional CCI Initialization from DMZ and Private Network Potential risk for Denial of Service Attacks Syn Flooding Etc Port must be unblocked for the designated NSM servers and not for all hosts No predefined source port

12 QUES Layer Transport mechanism Connects with SYN Flag Send Data
Disconnect No persistent connection

13 RMT Layer Persistent Connection
Connection established at start up and remains open for duration of CCI Preferred option in Firewall deployment New hosts may be brought in with Auto Connect Feature

14 RMT Layer Port Usage Source Port can be configured by environment settings Destination port defaults to 1721 but can be configured

15 Syn Three-way Handshaking
DMZ Private SYN/ACK DMZ Private ACK DMZ Private

16 How SYN Flooding Works A TCP connection request (SYN) is sent to the target computer. The source IP address in the packet can be "spoofed," or replaced with an address that is not in use on the Internet, or that belongs to another computer. An attacker may send many of these TCP SYNs to tie up as many resources as possible on the target computer to exhaust the resources Upon receiving the connection request, the target computer allocates resources to handle and track the new connection, then responds with a "SYN-ACK". In this case, the response is sent to the "spoofed" non- existent IP address. No response is received to the SYN-ACK. A default-configured Windows NT 4.0 computer will retransmit the SYN-ACK 5 times, doubling the time-out value after each retransmission. The initial time-out value is three seconds, so retries are attempted at 3, 6, 12, 24, and 48 seconds. After the last retransmission, 96 seconds are allowed to pass before the computer gives up on receiving a response, and deallocates the resources that were set aside earlier for the connection. This can be configured using registry changes BLOCK 7001 port except for designated NSM servers

17 Firewall SYN Flood Review Firewall solution to prevent Syn Flood attacks or DoS Ensure, 7001 is only unblocked for the two NSM servers which requires CCI Connectivity

18 CCI Ports – Windows Transporter Quenetd
TCP destination port 7001 for Windows to Windows communication CCI will attempt TCP connection first If fails, will then attempt, RMT daemon on 1721

19 CCI Transporter Service - QUES Layer TCP 7001
Verify Transport Protocols settings to TCP to avoid attempts to open 7003 or 7004 Transport Protocol defaults to TCP

20 Firewall Setup Secured DMZ

21 Testing Environment

22 Deployment Options

23 Scenario 1 We want to forward Event exception messages from DMZ without installing the Ingres Client in the DMZ environment How can we configure this?

24 Deployment - Scenario 1 Install Event Agent
Set Event Agent Proxy Node to NSM server inside the firewall Open up CCI 7001 port bi-directional.

25 DMZ Event DSB Event Agent Proxy Node
Specify the node name of Central Server Event Manager DSB refreshed from Central Server

26 DMZ Event DSB If proxy node not required, then local dsb can be pushed to DMZ by other means

27 Sales Kickoff - ARCserve
4/21/2017 5:15:15 AM Windows -> Windows MDB Secured Zone DSM wvdbt Common Services EVT TCP 7001 TCP 7001 FIREWALL Common Services DSM EVT DMZ 7001 Unblocked both directions – CCI may be initiated from DMZ

28 Scenario 2 We want to open CCI port for outbound traffic only and prevent CCI initialization from taking place in the DMZ How can we configure this?

29 Scenario 2 RMT daemon provides persistent connection
Customize ccirmtd.rc to start up connection from secured network Add the Windows servers to RMTHOSTNAME entries

30 Windows – Windows Remote RMTHOSTS
Sales Kickoff - ARCserve 4/21/2017 5:15:15 AM Windows – Windows Remote RMTHOSTS Secured Node DMZ Add Windows node to RMTHOSTS settings for DMZ and secured servers

31 Windows – Windows Remote RMTHOSTS
Update RMTHOSTS on both Windows nodes. If only one node is updated, the other Windows node will use the QUES layer. For example: RMTHOSTS entry on DMZ node not updated to use RMT layer for secured zone node Secured server RMTHOSTS entry updated to use RMT layer for DMZ node. All requests from secured to DMZ will use RMT. Events from DMZ to secured will use QUES layer. This port would be blocked. It will then attempt to use RMT port.

32 ccirmtd.rc location ccirmtd.rc must reside in ca_appsw directory - NOT caiuser directory (as in previous releases)

33 Windows – Windows Remote Secured ccirmtd.rc
Sales Kickoff - ARCserve 4/21/2017 5:15:15 AM Windows – Windows Remote Secured ccirmtd.rc Add Windows node to ccirmtd.rc to prevent potential first autoConnect attempt failure. The CCIRMTD.rc in the secured network must be updated to startup RMT connection

34 Windows – Windows Remote DMZ ccirmtd.rc
CCIRMTD.rc file on the DMZ must have entry with nostart and retry=0 (no retry). This prevents CCI initialization from DMZ environment

35 Windows – Windows Remote Source Port
To pre-define source port for RMT connection, add environment variable CAI_CCI_PORT1

36 Source Port

37 Inbound CAM port Blocked

38 CAM Inbound CAM inbound traffic denied if CAM not initiated from secured zone

39 Sales Kickoff - ARCserve
4/21/2017 5:15:15 AM Windows -> Windows Remote Secured Network MDB DSM wvdbt Common Services EVT FIREWALL TCP 1721 Common Services DSM EVT 7001 Blocked - Persistent Connection and traffic initiated from Private network DMZ Note that –r cannot go at the end of the line – it must be at begin of parameters

40 DMZ -> Secured

41 Deployment - Scenario 3 Client would like to use QUES Layer but wish to block 7001 port from DMZ to private network. What are the implications?

42 DMZ -> Secured Execute cawto in DMZ environment to send message to Private network Cawto [<secured>] Sending message from DMZ to Private Message will be denied by Firewall Exception messages cannot be forwarded from DMZ to secured network

43 DMZ -> Private with 7001 Blocked

44 Summary For Windows – Windows, use Ques Layer with 7001 unblocked for the selected NSM servers only. CCI Initialization from DMZ and Secured environment For Windows – Windows , configure RMT layer to avoid by-directional unblocking of ports For Windows –> Unix or UNIX -> Windows (including Linux) , RMT layer provides persistent connection

45 Sales Kickoff - ARCserve
4/21/2017 5:15:15 AM Questions and Answers Any questions?

Download ppt "Sales Kickoff - ARCserve"

Similar presentations

The CA MDB Revised May 16 2006. © 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced.

The CA MDB Revised May © 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced.
1 Topic 2 – Lesson 4 Packet Filtering Part I. 2 Basic Questions What is packet filtering? What is packet filtering? What elements are inside an IP header?

1 Topic 2 – Lesson 4 Packet Filtering Part I. 2 Basic Questions What is packet filtering? What is packet filtering? What elements are inside an IP header?
CCNA – Network Fundamentals

CCNA – Network Fundamentals
CISCO NETWORKING ACADEMY PROGRAM (CNAP)

CISCO NETWORKING ACADEMY PROGRAM (CNAP)
Security (Continued) V.T. Raja, Ph.D., Oregon State University.

Security (Continued) V.T. Raja, Ph.D., Oregon State University.
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.

Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
Unicenter Desktop and Server Management Architectural Options -Latest Revision 10/27/05.

Unicenter Desktop and Server Management Architectural Options -Latest Revision 10/27/05.
Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.

Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.
DFence: Transparent Network-based Denial of Service Mitigation CSC7221 Advanced Topics in Internet Technology Presented by To Siu Sang Eric (07016080)

DFence: Transparent Network-based Denial of Service Mitigation CSC7221 Advanced Topics in Internet Technology Presented by To Siu Sang Eric ( )
SYN Flooding: A Denial of Service Attack Shivani Hashia CS265.

SYN Flooding: A Denial of Service Attack Shivani Hashia CS265.
1 CCNA 2 v3.1 Module 10. 2 Intermediate TCP/IP CCNA 2 Module 10.

1 CCNA 2 v3.1 Module Intermediate TCP/IP CCNA 2 Module 10.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Lesson 19: Configuring Windows Firewall

Lesson 19: Configuring Windows Firewall
WXES2106 Network Technology Semester 1 2004/2005 Chapter 8 Intermediate TCP CCNA2: Module 10.

WXES2106 Network Technology Semester /2005 Chapter 8 Intermediate TCP CCNA2: Module 10.
Unicenter NSM r11 Windows -SNMP Polling Analysis.

Unicenter NSM r11 Windows -SNMP Polling Analysis.
1 Enabling Secure Internet Access with ISA Server.

1 Enabling Secure Internet Access with ISA Server.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
Unicenter Desktop & Server Management Network Challenges -Latest Revision 11/28/2005.

Unicenter Desktop & Server Management Network Challenges -Latest Revision 11/28/2005.
Chapter 6 Configuring, Monitoring & Troubleshooting IPsec

Chapter 6 Configuring, Monitoring & Troubleshooting IPsec
Highly Available Unicenter Solutions -A High Level Summary Draft – Last Revised June 9, 2006.

Highly Available Unicenter Solutions -A High Level Summary Draft – Last Revised June 9, 2006.

Similar presentations

Ads by Google