Presentation is loading. Please wait.

Presentation is loading. Please wait.

Making r11 Agent Technology talk through a Firewall Last Updated 12/19/2005.

Published byBeverly Jones Modified over 9 years ago

Similar presentations

Presentation on theme: "Making r11 Agent Technology talk through a Firewall Last Updated 12/19/2005."— Presentation transcript:

1 Making r11 Agent Technology talk through a Firewall Last Updated 12/19/2005

2 © 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies. 2 Agenda -Introduction -Secured Remote MDB setup -Worldview Discovery -Configuring DIA for firewall -Managing CA Agents using DIA

3 © 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies. 3 Objectives -Requirements of working through a firewall will vary for different sites -The architecture will be highly dependent on -Level of risk accepted -Rules dictated by the firewall administration. -Rules governing blocking and unblocking of ports. -This presentation walks through some common scenarios dictated by different security administrations

4 © 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies. 4 Firewall Requirements -Considerations for Firewall -Reduce the number of ports to be unblocked -Minimize port Contention -Block UDP ports -Minimize the number of hosts that requires ports to be unblocked -Block traffic initiated from outside firewall

5 © 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies. 5 Need for Firewalls -Exponential growth on Cyber Crime -Hackers, cyber criminals, e-terrorists -Problem caused by the denial of service attacks, high-lighted the need for a resilient and secure DMZ environment. -Secure Internet environments requires Firewalls

6 © 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies. 6 Perimeter vs. Host Firewalls -For this presentation we are only considering Perimeter firewalls. -There are several consideration for deploying host firewalls and will introduce complexities for r11 if the host firewalls rules are not consistent

7 © 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies. 7 Testing Environment DMZ Server dawya01v05 Secured Zone MDB Server = I14y204

8 Secured Remote MDB setup

9 © 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies. 9 Scenario #1 -We wish to deploy NSM in DMZ environment but want to use a MDB which resides in the secured zone - What are the considerations?

10 © 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies. 10 Ingres Client 19016 Firewall MDB DMZ NSM Install DMZ Secured Zone Ingres Server

11 © 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies. 11 DMZ NSM Install

12 © 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies. 12 DMZ Install NSM

13 © 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies. 13 Select Secured MDB Connection Fails as Ingres Client port not opened

14 © 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies. 14 Ingres Client Shows port 19016 is blocked.

15 © 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies. 15 Ingres Client -Ingres Client (Netserver) requires access to the MDB database residing on the Ingres Server -This requires Ingres Client port to be opened inbound -The port number will vary depending on Ingres Instance id. -The default Ingres Instance is EI -To translate the Ingres Instance id into the port number, click -Covert Ingres PortCovert Ingres Port -Converted Unix source to Windows. -Mdbport Instance NamePort II21064 EI19016 wv28336

16 © 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies. 16 Ingres Ports Unix Source ported to Windows

17 © 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies. 17 Install Process -Prior to NSM Install in DMZ, get secured MDB Server information including: -MDB server name and Ingres Install id -User ID and Password to connect to the remote MDB -For NSM, this will be nsmAdmin -For DSM, this will be ca-ITRM

18 © 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies. 18 Open Ingres Port Ingres Client communicates with the Ingres Server successfully with port opened

19 © 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies. 19 Ingres Client This shows Ingres port used to connect to the Ingres Server

20 World View Discovery

21 © 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies. 21 WV Discovery -Discovery Considerations -Initiate discovery from inside firewall -Initiate discovery from outside firewall but MDB inside Firewall -Temporary Unblock Ports for Auto Discovery -NAT implication

22 © 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies. 22 WV Discovery Initiated within Firewall dscvrbe –r.. MDB DMZDMZ SECUREDSECURED

23 © 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies. 23 WV Discovery Initiated within Firewall -Ping Sweep -ICMP and SNMP opened

24 © 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies. 24 WV Discovery Ping Sweep -Discovery initiated within Firewall -Pingsweep require ICMP port to be opened

25 © 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies. 25 WV Discovery Classification -SNMP (161) Required for Classification

26 © 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies. 26 WV Discovery Classification -Additional Ports may be required if “Check Additional Ports” selected

27 © 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies. 27 WV Discovery Initiated Outside Firewall Firewall dscvrbe –r.. MDB No UDP through Firewall Ingres 19016

28 © 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies. 28 WV Discovery Limited Unblocked -During the auto-discovery process objects are classified using SNMP therefore the SNMP port should be opened. -Once auto-discovery is complete the port can be closed. -It is also possible to run discovery outside the firewall then move the data via trix inside the firewall – this is NOT best practice and the customization is “more difficult than is apparent”

29 DIA

30 © 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies. 30 Scenario #3 -We wish to configure DIA in a Firewall environment to reduce the number of ports to be unblocked. - What are the considerations?

31 © 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies. 31 DNA Ports 11501 11502 11503 Firewall MDB DIA DIA UKB SECUREDSECURED DMZDMZ DMZ Server DNA Data Ports 11502 11504

32 © 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies. 32 Requirements Recap -From DMZ, connect to the UKB in the secured zone -DNA from DMZ will be reporting to the secured zone UKB -This will enable MCC and other GUI to communicate with DNA cells in DMZ -DIA ports will be blocked inbound with the exception of data port -DIA ports unblocked for all outbound traffic

33 © 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies. 33 Configuration -Identify the potential candidate for UKB proxy in the secured zone. -In our case, the most suitable candidate is the MDB server we wish to connect from DMZ -For performance reason, this should NOT be Master UKB -Determine if SRV is defined in the DNS in DMZ environment. In most cases, this should not be the case and it is not required for DMZ -If SRV is defined then additional DIA inbound ports may need to be opened

34 © 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies. 34 UKB Proxy -In the secured zone, update ukb.cfg for the server that will be designated as UKBProxy -Once updated, restart DIA service to pick up the UKBProxy settings

35 © 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies. 35 Secured Zone: Update ukb.cfg Set PROXY_UKB to Yes

36 © 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies. 36 DMZ Server -Verify DMZ Server is pingable from Secured zone -This should be the real hostname of DMZ Server -DIA ports are opened for outbound traffic. The port numbers are configurable in ukb.cfg and dna.cfg files -Activate DMZ Server using diatools from the secured zone -Verify the DMZ DNAs are registered correctly

37 © 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies. 37 Secured: Active DMZ DNA 1.Launch diatool from the secured zone which is designated as UKBProxy 2.Activate DMZ DNA

38 © 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies. 38 Secured: Active DMZ DNA Enter DMZServer Hostname

39 © 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies. 39 Secured: Active DMZ DNA Activation Complete

40 © 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies. 40 DMZ -Verify the DNA is activated correctly and reporting to the UKBProxy in Secured zone -Review ukb.dat file on the DMZServer

41 © 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies. 41 DMZ - Verification This points to Secured Zone UKB, which is correct

42 © 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies. 42 Alternative Activation using Command Line -If GUI interface is not desirable, then DNA can also be activated using the following command -C:\Program Files\CA\SharedComponents\CCS\DIA\dia\dna\bin\autoactivatedna.bat

43 © 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies. 43 Secured Zone – UKB Proxy

44 © 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies. 44 Secured Zone: UKB This shows DNA has been activated for DMZ server DMZ DNA Local DNA

45 © 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies. 45 DNA Registration Port - 11501 Outbound Traffic

46 © 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies. 46 DMZServer  UKBProxy Inbound Traffic responding via the active connection

47 © 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies. 47 DNA RMIPORT - 11502 Outbound Traffic

48 © 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies. 48 DMZServer  Secured : Port 11504

49 © 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies. 49 DIA Ports

50 © 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies. 50 UKB 11503 Port -This port is used by consumers, such as UMP, to communicate with UKB

51 © 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies. 51 Conclusion -DIA / DNA blocked for DMZ inbound traffic with the exception of cgene, data ports 11502 and 11504 -DIA from secured zone determines which DMZ ports are blocked and plugs a hole to eliminate the need to unblock DIA inbound registration ports

52 Managing CA Agents using DIA

53 © 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies. 53 Scenario #4 -We wish to deploy CA Agents in DMZ -What are the considerations for CA Agents in DMZ to communicate to DSM in the secured zone?

54 © 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies. 54 DNA Ports 11501 11502 11503 9990 Firewall MDB DIA Aws_dsm SECUREDSECURED DMZDMZ CA Agents DNA Data Ports 11502 11504

55 © 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies. 55 Agent Communication - Configuration -Configuration file -%AGENTWORKS_DIR\SERVICES\CONFIG\ atservices.ini -Section [SNMP] -Parameter ‚UseSnmp‘ -‚0‘ – DIA only -‚1‘ – SNMP only -‚2‘ – DIA to CA-Agents (Enterprise OID 791), SNMP otherwise -‚3‘ – can do both DIA or SNMP depending on target machine

56 © 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies. 56 Agent SNMP DNA UseSnmp = 1UseSnmp = 0UseSnmp = 2 AWS_SADMIN DSM Communication - Architecture Managed Node AWS_ORB AWS_AGTGATE AWS_SNMP DSM AWS_ORB AWS_AGTGATE Manager DIA installed UseSnmp = 3 DIA ActiveDIA Not Active CA-Agent (791) Non-CA-Agent CA-Agent (791) Non-CA-AgentAgent

57 © 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies. 57 USESNMP Settings -If non CA Agents are to be monitored then aws_dsm should be installed in the DMZ. -If only CA agents are to be monitored reporting to the secured DSM, then set usesnmp to 0.

58 © 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies. 58 Default UseSnmp Default Setting of UseSNMP. Change it to UseSNMP=0 to force DNA communication

59 © 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies. 59 Cgene -With useSNMP set to 0, Agent Technology will communicate with the DSM via DIA ports. -This will result in cgene send and receive requests between secured zone DSM and CA Agents running in DMZ. -Requires ports 11502 and 11504 to be opened inbound

60 © 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies. 60 Cgene send and receive test -To verify Agent Technolgy can communicate with DSM via DIA, run cgene tests -Setup cgene receive request on the secured zone -Send cgene send to the secured zone DSM from the managed node.

61 © 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies. 61 Cgene Send and Receive Tests

62 © 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies. 62 DSM View -CA Agents Discovered correctly without the need to open UDP ports inbound

63 © 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies. 63 Nodeview from Secured Zone

64 © 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies. 64 Traps via DIA -Traps communication via DIA

65 © 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies. 65 MCC from Secured Zone

66 © 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies. 66 Agents Events via MCC

67 © 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies. 67 Port 9990 -DMZ aws_orb binds to 9990 for DIA communications

68 © 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies. 68 Port 9990 -DIA aws_orb communication via 9990 -aws_dsm and tools sending requests via port 9990

69 © 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies. 69 SNMP Traps -If UseSNMP is set to 3, it will generate SNMP traps

70 © 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies. 70 Conclusion -If configured correctly, then DMZ CA Agents can be managed by the secured aws_dsm without unblocking UDP inbound ports

71 © 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies. 71 Questions and Answers Any questions?

Download ppt "Making r11 Agent Technology talk through a Firewall Last Updated 12/19/2005."

Similar presentations

The following 10 questions test your knowledge of Internet-based client management in Configuration Manager 2007. Configuration Manager 2007 Internet-Based.

The following 10 questions test your knowledge of Internet-based client management in Configuration Manager Configuration Manager 2007 Internet-Based.
The CA MDB Revised May 16 2006. © 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced.

The CA MDB Revised May © 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced.
Client Connectivity Pertemuan 5 Matakuliah: T0413 Tahun: 2009.

Client Connectivity Pertemuan 5 Matakuliah: T0413 Tahun: 2009.
Understanding wvdbt RCBs - Unicenter NSM Release 3.1 Latest Revision - September 10, 2006.

Understanding wvdbt RCBs - Unicenter NSM Release 3.1 Latest Revision - September 10, 2006.
Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.

Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.
Cosc 4765 Network Security: Routers, Firewall, filtering, NAT, and VPN.

Cosc 4765 Network Security: Routers, Firewall, filtering, NAT, and VPN.
11 TROUBLESHOOTING Chapter 12. Chapter 12: TROUBLESHOOTING2 OVERVIEW  Determine whether a network communications problem is related to TCP/IP.  Understand.

11 TROUBLESHOOTING Chapter 12. Chapter 12: TROUBLESHOOTING2 OVERVIEW  Determine whether a network communications problem is related to TCP/IP.  Understand.
CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.

CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.
Unicenter Desktop and Server Management Architectural Options -Latest Revision 10/27/05.

Unicenter Desktop and Server Management Architectural Options -Latest Revision 10/27/05.
Information Security 1 Information Security: Demo of Some Security Tools Jeffy Mwakalinga.

Information Security 1 Information Security: Demo of Some Security Tools Jeffy Mwakalinga.
Lesson 18-Internet Architecture. Overview Internet services. Develop a communications architecture. Design a demilitarized zone. Understand network address.

Lesson 18-Internet Architecture. Overview Internet services. Develop a communications architecture. Design a demilitarized zone. Understand network address.
Unicenter Desktop & Server Management Scaling Options - SQL -Latest Revision June 29 2006 -Read the notes pages.

Unicenter Desktop & Server Management Scaling Options - SQL -Latest Revision June Read the notes pages.
Topics 1.Security options and settings 2.Layer 2 vs. Layer 3 connection types 3.Advanced network and routing options 4.Local connections 5.Offline mode.

Topics 1.Security options and settings 2.Layer 2 vs. Layer 3 connection types 3.Advanced network and routing options 4.Local connections 5.Offline mode.
Lesson 19: Configuring Windows Firewall

Lesson 19: Configuring Windows Firewall
1 Making Unicenter talk through a Firewall Unicenter NSM Revised August 11 2003.

1 Making Unicenter talk through a Firewall Unicenter NSM Revised August
Unicenter NSM r11 Windows -SNMP Polling Analysis.

Unicenter NSM r11 Windows -SNMP Polling Analysis.
MDB Install Overview for Federated and Shared MDBs Revised June 19, 2006.

MDB Install Overview for Federated and Shared MDBs Revised June 19, 2006.
1 Enabling Secure Internet Access with ISA Server.

1 Enabling Secure Internet Access with ISA Server.
Firewalls Marin Stamov. Introduction Technological barrier designed to prevent unauthorized or unwanted communications between computer networks or hosts.

Firewalls Marin Stamov. Introduction Technological barrier designed to prevent unauthorized or unwanted communications between computer networks or hosts.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

Similar presentations

Ads by Google