IBM Proventia Management SiteProtector Configuring Firewalls for SiteProtector Traffic Version 2.0, Service Pack 8.1
Copyright Statement Copyright IBM Corporation 1994, 2010. IBM Global Services Route 100 Somers, NY 10589 U.S.A. Produced in the United States of America. All Rights Reserved.
Contents

About this publication ........ v
Chapter 1. Firewall Port Information ... 1
  Port information for SiteProtector traffic ..... 1
  Port information for Third Party Module traffic ... 4
  Port information for Active Directory integration .. 4
  Port information for Internet access ....... 5
Chapter 2. Configuring Components for NAT Firewalls ............ 7
  Configuring the Application Server for communication with NAT firewalls ....... 8
  Restarting the Sensor Controller and Application Server services .............. 8
  Configuring the Agent Manager for communication through NAT firewalls ........... 9
Notices .............. 11
  Trademarks .............. 12

Copyright IBM Corp. 1994, 2010 iii
iv SiteProtector System: Configuring Firewalls for SiteProtector Traffic
About this publication

SiteProtector cannot function properly if firewalls prevent components from communicating. This guide provides procedures for configuring network devices and SiteProtector components so that they can communicate through firewalls.

Intended audience

This document assumes that you are familiar with the following:
- Procedures for configuring firewalls
- Routers, or any other devices that you use to block traffic on your network
- Procedures for modifying system files such as Windows registries and properties files

How to send your comments

Your feedback is important in helping to provide the most accurate and highest quality information. Send your comments by e-mail to document@iss.net. Be sure to include the name of the book, the part number of the book, the version of SiteProtector, and, if applicable, the specific location of the text that you are commenting on (for example, a page number or table number).

Topics

Chapter 1, Firewall Port Information, on page 1
Chapter 2, Configuring Components for NAT Firewalls, on page 7
Chapter 1. Firewall Port Information

If SiteProtector components or modules are located behind firewalls, you may need to reconfigure the firewalls so that the components or modules can communicate with each other. This section includes background information and procedures for configuring firewall ports for different types of traffic.

TCP/IP ports

Firewalls commonly filter traffic by IP address and by TCP or UDP port. Firewalls typically block these addresses and ports unless they are explicitly allowed.

Where firewalls are typically located

Firewalls can be placed anywhere on a network but are most commonly located between the following:
- Console and the Application Server
- Application Server and the agents
- Agent Manager and Proventia Desktop agents
- Event Collector and agents
- Application Server and the Internet
- Application Server and a Third Party Module

Topics

Port information for SiteProtector traffic
Port information for Third Party Module traffic on page 4
Port information for Active Directory integration on page 4
Port information for Internet access on page 5

Port information for SiteProtector traffic

This topic provides information that can help you configure firewall rules that allow traffic between all SiteProtector components, except the Third Party Module.

Requirement

If a firewall is located between the source and destination component, create a firewall rule that allows incoming traffic to the destination ports that are specified.

Reference: Refer to your firewall documentation for specific instructions about creating and configuring a firewall rule.

Destination ports that must be open

Destination ports use the TCP protocol unless otherwise indicated. The following table lists the destination ports that must be open to allow communication between each pair of SiteProtector components.
Source Component | Destination Component | Wire Protocol | Encryption | Destination Ports
SiteProtector Console | SP Server | HTTP/SP Server/RMI/JRMP/JMS | Yes | 3988, 3989, 3994, 3996, 3997, 3998, 3999, 8093
SiteProtector Console | Event Viewer | N/A | Yes | 3993
SiteProtector Console | ADS Appliance | HTTPS | Yes | 443
SiteProtector Console | IBM ISS Web Site | HTTPS | None | 80
SP Server | Databridges | L/S (1) | Yes | 2998
SP Server | Active Directory Server | LDAP | None | 389, 3268 (2)
SP Server | Event Collector | HTTPS/L/S | Yes | 2998, 8996
SP Server | SecurityFusion module | L/S | Yes | 2998
SP Server | Agent Manager | L/S/HTTPS | Yes | 2998, 3995
SP Server | Deployment Manager | L/S | Yes | 2998
SP Server | X-Press Update Server | HTTPS | Yes | 3994
SP Server | Event Archiver | HTTPS | Yes | 8998
SP Server | Site DB | JDBC/TDS/Named Pipe, or RPS | Yes | 1433, 445, 135, 1434 (UDP port not encrypted)
SP Server | Proventia Network MFS Appliance | HTTPS | Yes | 443
SP Server | Proventia Network IDS prior to firmware release 1.0; Desktop Agents (7.0 and earlier) | L/S | Yes | 2998
SP Server | Proventia Network IDS and Proventia Network IPS with firmware release 1.0 or later | HTTPS | Yes | 443
SP Server | Proventia Network Enterprise Scanner | HTTPS | Yes | 443
SP Server | External Ticketing Server | Vendor Proprietary (3) | Yes | 1058, 1069 (4)
SP Server | SNMP Server | SNMP | None | 162
SP Server | SMTP Server | SMTP | None | 25
SP Server | Internet Scanner | L/S | Yes | 2998
SP Server | Network Sensor | L/S | Yes | 2998
SP Server | Server Sensor | L/S | Yes | 2998
SP Server | Third Party Module | L/S | Yes | 2998
SP Server | Remote Host | Windows RPC | None | 135
SP Server | IBM MSS Web site | HTTPS | Yes | 443
SP Server | Agent Manager | HTTPS | Yes | 8082
Agent Manager | Desktop Agent | N/A | None | ICMP
Agent Manager | SP Server | HTTPS | Yes | 3994, 8093, 8443
Agent Manager | Site DB | OLE DB/RPC/Named Pipe | Configurable | 1433, 135, 445, 1434
Agent Manager | SNMP Server | SNMP | None | 162
Event Collector | Databridge | L/S | Yes | 901-930
Event Collector | Agent Manager | L/S | Yes | 914
Event Collector | Event Archiver | HTTPS | Yes | 8997
Event Collector | Event Collector | L/S | Yes | 912
Event Collector | SP Server | HTTPS | Yes | 3994
Event Collector | Internet Scanner | L/S | Yes | 901-930
Event Collector | Network Sensor | L/S | Yes | 901-930
Event Collector | Proventia Network IDS | L/S | Yes | 901-930 (5)
Event Collector | SNMP Server | SNMP | None | 162
Event Collector | RealSecure Sensor Agent | L/S | Yes | 901-930
Event Collector | SecurityFusion module | L/S | Yes | 901-930
Event Collector | Site DB | ODBC/RPC/Named Pipe | Configurable | 1433, 135, 445, 1434
Event Collector | IBM MSS Event Server | HTTPS | Yes | 8443
Event Archiver | SP Server | HTTPS | Yes | 3994
Event Archiver | Agent Manager | HTTPS | Yes | 3995
Event Archiver Importer | Agent Manager | HTTPS | Yes | 3995
Web Console | SP Server | HTTPS | Yes | 3994
Web Browser | Deployment Manager | HTTPS | Yes | 3994
Web Browser | Agent Manager | HTTPS | Yes | 8085
Proventia Network Enterprise Scanner | Agent Manager | HTTPS | Yes | 3995
Proventia Network IDS, Proventia Network IPS, Proventia Network MFS, and Proventia Server | Agent Manager (6) | HTTPS | Yes | 3995
SecurityFusion module | Event Collector | L/S | Yes | 950
SecurityFusion module | Site DB | ODBC/RPC/Named Pipe | Configurable | 1433, 135, 445, 1434
Proventia Server IPS | Agent Manager | HTTPS | Yes | 3995
Proventia Desktop | Agent Manager | HTTPS | Yes | 3995
Event Viewer Service | SP Server | RMI/JRMP | Yes | 3989, 3988
Update Server | Agent Manager | HTTPS | Yes | 3995
Update Server | IBM ISS Website | HTTPS | Yes | 443

Notes:
1. The Wire Protocol abbreviation L/S refers to Leap / Score.
2. Port 3268 is referenced from the Global Catalog.
3. Vendor Proprietary means this is only specific to the vendor.
4. Port 1069 is based upon the Remedy Web Site.
5. Proventia Network IDS firmware releases earlier than 1.0 use destination ports 901 through 903.
6. All Proventia Agents and Desktop Agent release 7 or earlier communicating with the Agent Manager have the Command & Control option.

Port information for Third Party Module traffic

You may be required to configure the firewall to allow traffic if a firewall is located between the Third Party Module (TPM) and either of the following:
- a CheckPoint or Cisco firewall
- another SiteProtector component

Requirement

If a firewall is located between the source and destination component, create a firewall rule that allows incoming traffic to the destination ports that are specified.

Reference: See the SiteProtector Third Party Module Guide available on the IBM ISS Web site.

Destination ports that must be open

The following table lists the destination ports that must be open to allow communication between SiteProtector components and the TPM:

Source Component | Destination Component | Destination Ports
Cisco Secure PIX | Sensor Controller | 2998/tcp
Cisco Secure PIX | Event Collector | 901-931/tcp
Cisco Secure PIX | Third Party Module | 514/udp
Event Archiver | SP Server | 3994
Sensor Controller | Third Party Module | 2998/tcp
Event Collector | Third Party Module | 901-931/tcp

Port information for Active Directory integration

To integrate Active Directory with SiteProtector, the Sensor Controller must be able to communicate with Active Directory over certain ports.
Destination ports that must be open

The following table lists the destination ports that must be open to allow communication between SiteProtector components and Active Directory:

Protocol | TCP Port
Kerberos Secure Authentication | 88
Lightweight Directory Access Protocol (LDAP) | 389
Kerberos Passwords | 464
LDAP over SSL | 636
Microsoft Global Catalog | 3268
Microsoft Global Catalog with LDAP/SSL | 3269

Port information for Internet access

If you download SiteProtector updates from the Internet, then you may need to reconfigure your firewall rules to allow this communication. This topic gives a procedure for configuring firewall rules for Internet access.

Reference: Refer to your firewall documentation for specific instructions.

Requirement

If a firewall is located between the source and destination component, create a firewall rule that allows incoming traffic to the destination ports that are specified.

Destination ports that must be open

The following table lists the destination ports that must be open to allow communication between SiteProtector components and the IBM ISS Download Center.

Protocol | Destination Address | Destination Port
SSL or HTTPS | xpu.iss.net | 443
SSL or HTTPS | www.iss.net | 443
SSL or HTTPS | download.iss.net | 443
HTTP | iss.net | 80

Important: IBM ISS recommends that you use secure protocols (SSL or HTTPS) to download updates from the Deployment Manager.
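The port tables in this chapter are, in effect, the allow-list for traffic between SiteProtector components: any other flow between those hosts is either a missing rule or something to investigate. The following script is an added example (not from this guide or from IBM) that checks constructed firewall-log lines against a subset of the first table; ALLOWED, HOST_ROLES, the key=value log layout and LOG_LINES are all assumptions made for the example.

```python
"""Audit observed flows between SiteProtector hosts against the port matrix above.

Added example, not part of IBM's documentation. ALLOWED transcribes a subset of
the table (TCP unless noted; 1434 is the Site DB port the table marks as the
unencrypted UDP port). HOST_ROLES and LOG_LINES are constructed sample data in a
made-up "key=value" log layout, not any real firewall's format.
"""
import re

ALLOWED = {  # (source, destination) -> allowed (protocol, port) pairs
    ("SiteProtector Console", "SP Server"): {("tcp", p) for p in (3988, 3989, 3994, 3996, 3997, 3998, 3999, 8093)},
    ("SiteProtector Console", "Event Viewer"): {("tcp", 3993)},
    ("SP Server", "Agent Manager"): {("tcp", 2998), ("tcp", 3995), ("tcp", 8082)},
    ("SP Server", "Site DB"): {("tcp", 1433), ("tcp", 445), ("tcp", 135), ("udp", 1434)},
    ("Event Collector", "Network Sensor"): {("tcp", p) for p in range(901, 931)},
    ("Proventia Desktop", "Agent Manager"): {("tcp", 3995)},
}
CLEARTEXT = {("SP Server", "Site DB", "udp", 1434)}  # documented, but the table says not encrypted

HOST_ROLES = {  # constructed inventory: which host plays which component
    "10.0.1.10": "SiteProtector Console", "10.0.2.20": "SP Server",
    "10.0.2.21": "Agent Manager", "10.0.2.30": "Site DB",
    "10.0.3.5": "Event Collector", "10.0.4.40": "Network Sensor",
    "10.0.9.9": "Proventia Desktop",
}
LINE_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(tcp|udp|icmp) dport=(\d+)")

def classify(line, roles=HOST_ROLES, allowed=ALLOWED):
    """Verdict for one line: allowed, allowed-cleartext, undocumented, unknown-host or unparsed."""
    m = LINE_RE.search(line)
    if not m:
        return "unparsed"
    src, dst, proto, port = m.group(1), m.group(2), m.group(3), int(m.group(4))
    pair = (roles.get(src), roles.get(dst))
    if None in pair:
        return "unknown-host"       # a host outside the inventory reaching a SiteProtector component
    if (proto, port) not in allowed.get(pair, set()):
        return "undocumented"       # not in the matrix: tighten the rule or investigate the flow
    if pair + (proto, port) in CLEARTEXT:
        return "allowed-cleartext"  # documented, but worth knowing it crosses the firewall in the clear
    return "allowed"

def audit(lines, roles=HOST_ROLES, allowed=ALLOWED):
    """Return (verdict, line) for every line that is not a plain documented, encrypted flow."""
    return [(v, l) for l in lines if (v := classify(l, roles, allowed)) != "allowed"]

LOG_LINES = [  # constructed
    "src=10.0.1.10 dst=10.0.2.20 proto=tcp dport=3994",   # Console -> SP Server, documented
    "src=10.0.9.9 dst=10.0.2.21 proto=tcp dport=3995",    # Desktop agent -> Agent Manager, documented
    "src=10.0.3.5 dst=10.0.4.40 proto=tcp dport=915",     # Event Collector -> Network Sensor, in 901-930
    "src=10.0.2.20 dst=10.0.2.30 proto=udp dport=1434",   # SP Server -> Site DB, the unencrypted UDP port
    "src=10.0.9.9 dst=10.0.2.20 proto=tcp dport=3995",    # Desktop agent -> SP Server: no such row
    "src=10.0.1.10 dst=10.0.2.20 proto=tcp dport=3993",   # 3993 is the Event Viewer port, not SP Server's
    "src=172.16.0.7 dst=10.0.2.21 proto=tcp dport=3995",  # source host not in the inventory
]

if __name__ == "__main__":
    for verdict, line in audit(LOG_LINES):
        print(f"{verdict:18} {line}")
```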
Chapter 2. Configuring Components for NAT Firewalls

If your SiteProtector components are located behind firewalls that use NAT or other types of address translation, you may be required to perform additional configuration tasks so that SiteProtector components can communicate.

Problems with using NAT with SiteProtector

By default, some SiteProtector components are configured to use private IP addresses to communicate with other components. NAT firewalls typically block components that use private IP addresses.

How to enable NAT communication

To correct NAT communication problems, you must configure SiteProtector components to use either a public IP address or a fully qualified domain name.

Common NAT firewall locations

NAT is typically enabled on external firewalls and not on firewalls that are located on the intranet. You may experience communication problems if firewalls are located between the following:
- Remote consoles and the Application Server
- Remote Proventia Desktop agents and the Agent Manager

Topics

Configuring the Application Server for communication with NAT firewalls on page 8
Restarting the Sensor Controller and Application Server services on page 8
Configuring the Agent Manager for communication through NAT firewalls on page 9
Configuring the Application Server for communication with NAT firewalls

This topic explains how to configure the Application Server to communicate with NAT firewalls.

About this task

Important: Perform the procedure in this topic only if a NAT firewall is between the Application Server and the Console.

Reference: For more information on stopping and restarting the application services, see Restarting the Sensor Controller and Application Server services.

Procedure

1. Stop the Application Server service.
2. Click Start on the taskbar, and then select Run.
3. In the Open field, type regedit. The Registry Editor appears.
4. Navigate to the following path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\
5. Use the following table to configure the registry keys:

   Folder | Entry | Change the...
   issspappservice\parameters | JVM Option Number 6 | value data from the IP address to the DNS name
   issspsenctlservice\parameters | IPBind | value data from the IP address to the DNS name

   Example: -Djava.rmi.server.hostname=public_IP_or_FQDN

6. Restart the Sensor Controller and Application Server services.

Restarting the Sensor Controller and Application Server services

This topic explains how to stop or restart the Sensor Controller and the Application Server services.

About this task

After you have configured the Application Server to communicate with NAT, you must restart the Sensor Controller and Application Server services to put the changes into effect.

Procedure

1. Click Start on the taskbar of the computer where the Application Server and Sensor Controller are installed, and then select Settings > Control Panel.
2. Open the Administrative Tools folder, and then double-click Services. The Services window appears.
3. In the right pane, scroll until you find SiteProtector Sensor Controller Service, and then select it.
4. Do one of the following:
   - To stop the Sensor Controller service, click Stop Service (the Stop option) on the toolbar.
   - To start the Sensor Controller service, click Start Service (the Play option) on the toolbar.
5. Repeat Steps 1 through 4 for the Application Server.
Configuring the Agent Manager for communication through NAT firewalls

Perform the procedure in this topic only if a NAT firewall is between the Agent Manager and Proventia Desktop agents. This procedure configures the Agent Manager so that it can communicate with NAT firewalls.

Before you begin

You must perform this procedure before you generate agent builds. Otherwise, agents cannot communicate with the Agent Manager, and you will be forced to regenerate agent builds.

Procedure

1. On the computer where the Agent Manager is installed, locate the Agent Manager initialization file at the following path: \Program Files\ISS\SiteProtector\AgentManager\rsspdc.ini
2. Open the file in a text editor.
3. Change the dcname to one of the following:
   - DNS name (the recommended option)
   - public IP address
   Note: If you select the DNS name option, ensure that it resolves to an IP address.
4. Save the file.
5. On the Console, right-click the Agent Manager icon, and then select Stop.
6. Right-click the Agent Manager icon, and then select Start.
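Both procedures in this chapter come down to the same change: replace a private IP address with a public address or a DNS name that resolves, for the Application Server registry value (JVM Option Number 6) and for dcname in rsspdc.ini. The script below is an added example (not IBM's code) that validates such a value before writing it; it assumes rsspdc.ini is a plain key=value text file holding the dcname key (the guide does not show the file's layout), takes the -Djava.rmi.server.hostname= form from the example above, and uses a constructed FAKE_DNS resolver so it runs offline.

```python
"""Validate and apply the NAT-facing address for the Application Server and Agent Manager.

Added example, not IBM's code. Assumptions: rsspdc.ini is a key=value text file
with a dcname key (layout not shown in the guide); the registry value data has
the form the guide shows, -Djava.rmi.server.hostname=<address>; FAKE_DNS is a
constructed resolver for offline use (pass socket.gethostbyname for real lookups).
"""
import ipaddress
import re
import socket

RMI_KEY = "-Djava.rmi.server.hostname="
DCNAME_RE = re.compile(r"^(\s*dcname\s*=\s*)(\S*)", re.IGNORECASE | re.MULTILINE)
# RFC 1918 ranges: the private addresses a NAT firewall will not route back to
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def check_nat_address(value, resolver=socket.gethostbyname):
    """Accept a public IP or an FQDN that resolves to one; return the IP as text."""
    try:
        addr = ipaddress.ip_address(value)            # literal IP address
    except ValueError:
        try:                                          # FQDN: the Note requires it to resolve
            addr = ipaddress.ip_address(resolver(value))
        except (OSError, ValueError) as exc:
            raise ValueError(f"{value!r} does not resolve to an IP address: {exc}") from None
    if addr.is_loopback or any(addr in net for net in PRIVATE):
        raise ValueError(f"{value!r} maps to {addr}, a private address that NAT will block")
    return str(addr)

def current_dcname(ini_text):
    """The dcname value currently in rsspdc.ini, or None if the key is absent."""
    m = DCNAME_RE.search(ini_text)
    return m.group(2) if m else None

def set_dcname(ini_text, new_value, resolver=socket.gethostbyname):
    """Return rsspdc.ini text with dcname replaced by a validated public address or FQDN."""
    check_nat_address(new_value, resolver)
    if current_dcname(ini_text) is None:
        raise ValueError("rsspdc.ini has no dcname entry")
    return DCNAME_RE.sub(lambda m: m.group(1) + new_value, ini_text, count=1)

def rmi_hostname_option(new_value, resolver=socket.gethostbyname):
    """Value data to put in JVM Option Number 6 under issspappservice\\parameters."""
    check_nat_address(new_value, resolver)
    return RMI_KEY + new_value

FAKE_DNS = {"sp-am.example.com": "203.0.113.10",        # constructed: public address
            "intranet-am.example.com": "10.20.30.40"}   # constructed: private address

def fake_resolver(host):
    """Offline stand-in for socket.gethostbyname; fails the way a real lookup does."""
    if host not in FAKE_DNS:
        raise OSError(f"no such host: {host}")
    return FAKE_DNS[host]

SAMPLE_INI = "[AgentManager]\ndcname=10.20.30.40\nport=3995\n"   # constructed

if __name__ == "__main__":
    print("current dcname:", current_dcname(SAMPLE_INI))
    print(set_dcname(SAMPLE_INI, "sp-am.example.com", fake_resolver))
    print(rmi_hostname_option("203.0.113.10", fake_resolver))
```

Run it before generating agent builds, since the guide warns that builds made against a dcname the agents cannot reach have to be regenerated.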
Notices

This information was developed for products and services offered in the U.S.A.

IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not grant you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan Ltd.
1623-14, Shimotsuruma, Yamato-shi
Kanagawa 242-8502 Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

IBM Corporation
SiteProtector Project Management
C55A/74KB
6303 Barfield Rd., Atlanta, GA 30328
U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

Trademarks

IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.

Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both.

Other company, product, or service names may be trademarks or service marks of others.