Deployment Scenarios



Similar documents
F-Secure Messaging Security Gateway. Deployment Guide

Securing Data on Microsoft SQL Server 2012

Preparing for GO!Enterprise MDM On-Demand Service

Biznet GIO Cloud Connecting VM via Windows Remote Desktop

F-SECURE MESSAGING SECURITY GATEWAY

Architecture and Data Flow Overview. BlackBerry Enterprise Service Version: Quick Reference

How To Industrial Networking

How To - Implement Clientless Single Sign On Authentication in Single Active Directory Domain Controller Environment

Data Collection and Analysis: Get End-to-End Security with Cisco Connected Analytics for Network Deployment

How To Create An Easybelle History Database On A Microsoft Powerbook (Windows)

Installation and Connection Guide to the simulation environment GLOBAL VISION

MS-55096: Securing Data on Microsoft SQL Server 2012

Many network and firewall administrators consider the network firewall at the network edge as their primary defense against all network woes.

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

NovaBACKUP xsp Version 15.0 Upgrade Guide

Deploying Windows Streaming Media Servers NLB Cluster and metasan

MailMarshal SMTP in a Load Balanced Array of Servers Technical White Paper September 29, 2003

Using IKEv2 on Juniper Networks Junos Pulse Secure Access Appliance

How To Set Up A Backupassist For An Raspberry Netbook With A Data Host On A Nsync Server On A Usb 2 (Qnap) On A Netbook (Qnet) On An Usb 2 On A Cdnap (

Dell SonicWALL and SecurEnvoy Integration Guide. Authenticating Users Using SecurAccess Server by SecurEnvoy

EXPLORER. TFT Filter CONFIGURATION

Kaseya Server Instal ation User Guide June 6, 2008

Global VPN Client Getting Started Guide

1. Introduction What is Axis Camera Station? What is Viewer for Axis Camera Station? AXIS Camera Station Service Control 5

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

Device Log Export ENGLISH

A Guide to New Features in Propalms OneGate 4.0

Creating a Gateway to Client VPN between Sidewinder G2 and a Mac OS X Client

How To - Implement Clientless Single Sign On Authentication with Active Directory

Installing Policy Patrol on a separate machine

Configuring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA

IMF Tune Quarantine & Reporting Running SQL behind a Firewall. WinDeveloper Software Ltd.

Secure Web Appliance. Reverse Proxy

Configuring Security Features of Session Recording

Bridgit Conferencing Software: Security, Firewalls, Bandwidth and Scalability

Quick Start Guide. Cerberus FTP is distributed in Canada through C&C Software. Visit us today at

Server Installation ZENworks Mobile Management 2.7.x August 2013

RSA Security Analytics

Web Application Firewall

Deployment Guide: Transparent Mode

AVG Business Secure Sign On Active Directory Quick Start Guide

SSL SSL VPN

My FreeScan Vulnerabilities Report

1 You will need the following items to get started:

Astaro Security Gateway V8. Remote Access via SSL Configuring ASG and Client

WhatsUp Gold v16.3 Installation and Configuration Guide

Xopero Backup Build your private cloud backup environment. Getting started

Setting Up a Unisphere Management Station for the VNX Series P/N Revision A01 January 5, 2010

Introduction to Mobile Access Gateway Installation

Compiled By: Chris Presland v th September. Revision History Phil Underwood v1.1

1Y0-250 Implementing Citrix NetScaler 10 for App and Desktop Solutions Practice Exam

VPN SECURITY POLICIES

Chapter 4 Virtual Private Networking

Global VPN Client Getting Started Guide

Understanding the Cisco VPN Client

TLS and SRTP for Skype Connect. Technical Datasheet

How To - Implement Single Sign On Authentication with Active Directory

2. Are explicit proxy connections also affected by the ARM config?

This policy applies to all instances of LANDesk client software installed on Creighton-owned hardware that are connected to JAYNet.

ShadowControl ShadowStream

BlackBerry Enterprise Service 10. Version: Configuration Guide

Chapter 6 Using Network Monitoring Tools

GlobalSCAPE DMZ Gateway, v1. User Guide

RingStor User Manual. Version 2.1 Last Update on September 17th, RingStor, Inc. 197 Route 18 South, Ste 3000 East Brunswick, NJ

Lab Configure and Test Advanced Protocol Handling on the Cisco PIX Security Appliance

VoIPon Tel: +44 (0) Fax: +44 (0)

Chapter 6 Using Network Monitoring Tools

Centrify Cloud Connector Deployment Guide

Retail Deployment Guide. Microsoft Dynamics AX 2012 Feature Pack

VMware vcenter Log Insight Getting Started Guide

McAfee Firewall Enterprise 8.2.1

Prerequisites Guide for ios

SonicWALL SRA Virtual Appliance Getting Started Guide

Troubleshooting BlackBerry Enterprise Service 10 version Instructor Manual

RBackup Server Installation and Setup Instructions and Worksheet. Read and comply with Installation Prerequisites (In this document)

Application Note: Integrate Juniper IPSec VPN with Gemalto SA Server. October

Configure an IPSec Tunnel between a Firebox Vclass & a Check Point FireWall-1

Getting Started with Clearlogin A Guide for Administrators V1.01

Installing and Configuring vcloud Connector

Scenario: Remote-Access VPN Configuration

ZyWALL 5. Internet Security Appliance. Quick Start Guide Version 3.62 (XD.0) May 2004

Network Detective. Security Assessment Module Using the New Network Detective User Interface Quick Start Guide

Chapter 8 Virtual Private Networking

WHITE PAPER Citrix Secure Gateway Startup Guide

Use Shrew Soft VPN Client to connect with IPSec VPN Server on RV130 and RV130W

White Paper. Intrusion Detection Deploying the Shomiti Century Tap

Configuring the WT-4 for ftp (Ad-hoc Mode)

Global VPN Client Getting Started Guide

Enterprise Security Management CheckPoint SecuRemote VPN v4.0 for pcanywhere

Virtual Appliance Setup Guide

Deploying Virtual Cyberoam Appliance in the Amazon Cloud Version 10

SECUR IN MIRTH CONNECT. Best Practices and Vulnerabilities of Mirth Connect. Author: Jeff Campbell Technical Consultant, Galen Healthcare Solutions

How To Load balance traffic of Mail server hosted in the Internal network and redirect traffic over preferred Interface

WORKING WITH WINDOWS FIREWALL IN WINDOWS 7

Monitoring Remote Access VPN Services

Pre-Installation Checks Installation Creating Users and Quick Setup Usage Examples and Settings Appendix

Case Study for Layer 3 Authentication and Encryption

Salesforce Integration

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

Using Public IP Settings

Transcription:

Deployment Scenarios Sun Cobalt Summary The Sun Cobalt is a network-based appliance for managing a large number of remote servers and for deploying services to these servers. A control station is deployed according to your specific needs. You need to consider both the security and the scalability of the network configuration into which you will deploy a control station. There are numerous ways of deploying a control station in your network and for each network configuration, there is a set of issues to bear in mind. This document provides a set of likely scenarios and the issues that you need to take into consideration for each. IMPORTANT: These scenarios represent a number of possible installations for a Sun Cobalt. Keep in mind that each network is unique and that you must follow your own security guidelines to ensure the security of your network and control-station installation. P/N 816-7575-02 Page 1 of 8

1. Security Scenarios The Sun Cobalt manages the servers through an agent; this agent is either pushed out to and installed on a managed server or it is pre-installed and manually enabled on a managed server. The Software Management module and BlueLinQ operations use a pull operation over an HTTP connection. The uses several TCP/IP ports to control the managed servers. The uses the following ports: Port 27000 used by the to communicate with the agent. This connection is authenticated and encrypted (see Authentication Technical Details later in this document). Port 80 used by the module to send health-status data. Port 80 used to access the acting as a BlueLinQ server from a BlueLinQ-enabled client (if required) Ports 80, 81 and 444 - used by the to install the agent. Once the agent is installed, access is no longer required to ports 81 and 444. 1.1 Configuring the Basic on the Sun Cobalt If you enable the Basic feature on the Sun Cobalt, at a minimum, you must create these five input rules so that the control station functions properly. To add these rules, see the section Adding an input rule in the user manual entitled Administrator Manual. Note: For each rule, enter the information provided for the fields indicated. Leave all other fields blank. As well as these five rules, change the default Policy to Deny. See the section Changing the default policy for a chain in the user manual entitled Administrator Manual. 1. Rule 1 a. Destination Port Number(s). The low value is 1025; the high value is 65535. b. Policy. Accept 2. Rule 2 a. Destination Port Number(s). The low value is 444; the high value is 444. b. Policy. Accept 3. Rule 3 a. Destination Port Number(s). The low value is 80; the high value is 81. b. Policy. Accept 4. Rule 4 a. Source IP Address (Low). 127.0.0.1. b. Source IP Address (High). 127.0.0.1 c. Policy. Accept 5. Rule 5 a. Source IP Address (Low). Enter the IP address of the default gateway for the control station (see System: Internet in Chapter 2 of the Administrator Manual). b. Source IP Address (High). Enter the IP address of the default gateway for the control station c. Network Protocol. ICMP d. Policy. Accept P/N 816-7575-02 Page 2 of 8

Based on the ports used by the, there are several deployment scenarios. Several such scenarios are described below, along with the associated security risks and benefits. It is recommended that you make the as secure as possible for the particular deployment scenario. 1.2 Scenario #1 - Remote Management (for example, Sun Coalt Qube appliances) In this scenario, the is placed behind a firewall and then accesses the servers or is accessed by the servers across the Internet or an extranet. Internet or Extranet Qube Qube Qube Qube In this configuration, the is used to manage the Sun Cobalt Qube appliances deployed throughout the Internet. An administrator can use the to install updates, patches and new software onto the Sun Cobalt Qube appliances. In general, BlueLinQ-enabled products (the Sun Cobalt Qube 3 appliance, Sun Cobalt XTR server appliance, Sun Cobalt 550 server appliance and future products) can use the as their BlueLinQ server and pull package files rather than having the push package files to them. This allows for patches and updates to be qualified at a central site before making them available to remote Sun Cobalt Qube appliances. The Sun Cobalt Qube appliances that pull package files through the BlueLinQ interface do not have to be managed by the. However, communication for BlueLinQ requests takes place on TCP port 80 so the firewall should allow HTTP requests through port 80. In the Remote Management scenario, the needs to be accessible via the Internet. The firewall is used to protect the and should be configured to allow only inbound connections to the on TCP port 80 (HTTP). The BlueLinQ server and the Health Monitor event collector both run on port 80 of the. The requires outbound connectivity to TCP ports 80, 81, 444 and 27000. Ports 80, 81 and 444 are used by the to install the agent. Once the agent is installed, access to these ports is no longer required. Port 27000 is used by the to communicate with the agent. Note: Access into the managed servers is both authenticated and encrypted. The applications on the Sun Cobalt DO NOT send user names or passwords across the network. P/N 816-7575-02 Page 3 of 8

1.3 Scenario #2 - Data Center Management (for example, Sun Cobalt server appliances in a data center) In the data center, the can be located behind a firewall close to the systems it manages. In this scenario, the can use the secondary NIC as the management interface while using the primary NIC to access the Internet. The can also be placed on the primary NIC as none of the module data travels past the firewall. This scenario is as shown below: Internet or Extranet NIC Primary NIC With the, you can provide health monitoring, inventory, performance and software management for the Sun Cobalt server appliances. The can be used to push updates and patches to the server appliances. For the Sun Cobalt XTR server appliance, the Sun Cobalt 550 server appliance and newer systems with a BlueLinQ client, the can be configured to act as a BlueLinQ server. The should not be accessible from the Internet. TCP port 80 on the should be accessible on the management network for the BlueLinQ server and the module to function properly. The must be able to connect to TCP ports 80, 81, 444 and 27000 on the s. Ports 80, 81 and 444 are used for installing the agent. Once the agent is installed, access to these ports is no longer required. Port 27000 is used by the to communicate with the agent. This port must be accessible on the management network only; access to port 27000 from the Internet should be filtered by the firewall. P/N 816-7575-02 Page 4 of 8

1.4 Scenario #3 - Remote Distributed Data Center In this scenario, multiple s are used to support different remote data centers or sites. The scenario is shown below. Software Management Local machines for uploading S/W and Apps Servers Primary Servers Polls Sun Cobalt for New or Update Software packages and patches Internet or Extranet Sun Cobalt updates.cobalt.com Remote Systems In this configuration, a primary deployed at a central site is used for software distribution via BlueLinQ. The primary does not manage any Sun Cobalt server appliances or Sun Cobalt Qube appliances directly; the appliances are managed by the secondary s located in the remote data centers. The secondary s have managed and installed the agent on the servers they cover. The secondary s located in the remote data centers are configured to use the primary as their BlueLinQ server from which to obtain software patches and updates. The primary is configured to use the updates.cobalt.com BlueLinQ server to get its updates and patches. The must therefore allow inbound and outbound HTTP connections on TCP port 80. When an update or patch is available on the updates.cobalt.com server, it can be downloaded to the primary and approved to be installed in the remote sites. When the update or patch is approved, it just has to be published, making it available to the secondary s. A secondary can now see the update or patch, and publish it for other BlueLinQ-enabled servers or install it on the servers it manages. Note: The secondary s can be configured to query the updates.cobalt.com BlueLinQ server directly; this scenario, however, is intended to highlight how one primary can be used to control the distribution of software to the managed servers through one or more secondary s. P/N 816-7575-02 Page 5 of 8

You can also create customized software packages and upload them to the primary from a local machine. In this configuration, TCP port 80 on the primary should be accessible from the Internet. The secondary systems require an outbound Internet connection on TCP port 80 to contact the primary via the BlueLinQ protocol. 1.5 Other Security Notes There are two other issues concerning security on the Sun Cobalt. These particular issues also pertain to all Sun Cobalt server appliances. Though the risk is minimal, they should be noted. 1. Setup Wizard. When the Setup Wizard is launched, the system prompts the user for a user name and password. When entered, this information is transferred in clear text to the server. Anyone sniffing the network could obtain the password for the user admin. It is recommended that you set up the initially on a secure network, preferably one not connected to the Internet. 2. Initial Login. When accessing the Sun Cobalt or any other Sun Cobalt product, initially for that session, the system prompts the user for the user name and password for the user admin. Again, this information is transferred in clear text to the server. Even if the Security check box is selected, the initial transfer of the user name and password occurs in clear text. After the initial login, all other traffic is encrypted. Again, anyone sniffing the network could obtain the password for the user admin. 1.6 Encryption and Authentication Technical Details The uses an encrypted and authenticated channel to communicated with managed servers. A connection from the to a managed server is authenticated using a scheme based on Diffie-Hellman Key Exchange (DH) and Fortified Key Negotiation (FKN). Cryptographically strong primes, between 1024 and 2048 bits, are used for DH key exchange. Keys, once generated, are stored for one hour. Key validation and authentication is performed using FKN. SHA1 is used as the underlying hash function for FKN. Every time a new key is generated, authentication using FKN is performed. During the initial connection, the uses the admin or root password provided by the administrator as the password parameter to FKN. Subsequent connections use a randomly generated 160-bit password that is unique to each managed server pair. This password is only used by the and cannot be used to log in to the server. Once a connection has been authenticated, fresh encryption and message-authentication session keys are derived using AKEP2. Connections are then encrypted using ARC4. Messages are authenticated using HMAC. SHA1 is used as the underlying hash function for HMAC. P/N 816-7575-02 Page 6 of 8

Diffie-Hellman Key Exchange, Fortified Key Negotitation, AKEP2, ARC4 HMAC and SHA1 are in the public domain. The implementations of DH, FKN, ARC4 and SHA1 used by the are derived from examples given in [1]. The implementation of AKEP2 is derived from [2]. The implementation of HMAC is derived from [3]. [1] Applied Cryptography, B. Schneier, John Wiley & Sons, 1996. [2] Entity Authentication and Key Distribution, Mihir Bellare and Phillip Rogaway, CRYPTO 93, Lecture Notes in Computer Science Vol. 773, D. Stinson, Ed. Springer Verlag 1994. [3] HMAC: Keyed-Hashing for Message Authentication, H. Krawczyk, M. Bellare, R. Canetti, RFC 2104, February 1997. 2. Scalability Scenarios 2.1 Scenario 1: Multiple s control a single server The scalability of the is not defined in hardware but is more based on the deployment scenario chosen. The agent is designed to allow multiple s to manage a single server. With this capability, several s can be deployed to manage a large set of servers for different reasons. The scenario below illustrates the multiple deployment. Internet or Extranet Servers SVR #1 SVR #2 SVR #3 #2 SVR #4 #1 SVR #197 SVR #198 SVR #199 #3 SVR #200 In this scenario, #1 performs only the Software Management function. It has an external connection to the Sun Cobalt BlueLinQ server and acts as a staging area for updates and patches. #1 manages all of the servers and can have its own server groups. For example, on #1, you can create groups for the different types of managed server, such as all Sun Cobalt Qube 3 appliances or all Sun Cobalt 4 server appliances. You may also want to group the server according to their physical locations, such as Building 21, Building 22 and so on. P/N 816-7575-02 Page 7 of 8

As another option, you may want to dedicate a control station specifically to the function. In this scenario, #2 monitors the managed servers 1 through 100, while #3 monitors servers 101 through 200. Note: A server can be managed by more than one control station; in this case, only one agent is installed on the managed server. The agent keeps track of the IP addresses of the control stations that are managing the server. This also allows you to have a backup control station in place, should the primary control station fail. 2.2 Scenario 2: A accesses different repositories for different types of package files In your network, you may have specific BlueLinQ servers on which reside certain types of packages or files. For example, the Sustaining department might have their own server for software patches, the Professional Services department might have their own server for customized software, and so on. A dedicated to the Software Management function would poll each of these different BlueLinQ servers for new or updated package files. In the following example, one performs only the Software Management function. It polls the s for the Sustaining, Development and Media Team BlueLinQ servers respectively for any software patches, new modules or applications, or content files. Sustaining Development Media Team Patches New Apps or Modules Streaming Content Files Aggregates software packages from all control stations for distribution Remote Servers Remote Servers P/N 816-7575-02 Page 8 of 8

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information