IBM Security SiteProtector System
Configuring Firewalls for SiteProtector Traffic
Version 3.0
Note: Before using this information and the product it supports, read the information in Notices.

This edition applies to Version 3.0 of the IBM Security SiteProtector System and to all subsequent releases and modifications until otherwise indicated in new editions.

Copyright IBM Corporation 1994, 2013. US Government Users Restricted Rights: use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Contents

About this publication
  Contacting IBM Support
Chapter 1. Firewall Port Information
  Port information for SiteProtector traffic
  Port information for Active Directory integration
  Port information for Internet access
  Local-only ports
Chapter 2. Configuring Components for NAT Firewalls
  Configuring the Application Server for communication with NAT firewalls
  Restarting the Sensor Controller and Application Server services
  Configuring the Agent Manager for communication through NAT firewalls
Notices
  Trademarks
  Privacy policy considerations
  Statement of good security practices
About this publication

The IBM Security SiteProtector System cannot function properly if firewalls prevent components from communicating. This guide provides procedures for configuring network devices and SiteProtector components so that they can communicate through firewalls.

Intended audience

This document assumes that you are familiar with the following:
- Procedures for configuring firewalls
- Routers, or any other devices that you use to block traffic on your network
- Procedures for modifying system files such as Windows registries and properties files

Topics
- Chapter 1, Firewall Port Information
- Chapter 2, Configuring Components for NAT Firewalls

Contacting IBM Support

IBM Support provides assistance with product defects, answers FAQs, and helps users resolve problems with the product.

Before you begin

Before you contact IBM Support, search for an answer or a solution by using other options first:
- See the Support portfolio topic in the Software Support Handbook for information about the types of available support.
- Check IBM Technotes, accessible through the IBM Support Portal.

If you are unable to find an answer or a solution in the Support portfolio or in the IBM Technotes, check to be sure your company or organization has an active IBM maintenance contract, and that you are authorized to submit a problem to IBM, before you contact IBM Support.

Procedure

To contact IBM Support:
1. Define the problem, gather background information, and determine the severity of the problem. For more information, see the Getting IBM support topic in the Software Support Handbook.
2. Gather diagnostic information.
3. Submit the problem to IBM Support in one of the following ways:
   - By using IBM Support Assistant (ISA), if the Service Request tool is enabled on your product. Any data that has been collected can be attached to the service request. Using ISA in this way can expedite the analysis and reduce the time to resolution.
   - Online through the IBM Support Portal: you can open, update, and view all of your service requests from the Service Request portlet on the Service Request page.
   - By telephone for critical, system down, or severity 1 issues. For the telephone number to call in your region, see the Directory of worldwide contacts web page.

Results

If the problem that you submit is for a software defect or is about missing or inaccurate documentation, IBM Support creates an Authorized Program Analysis Report (APAR). The APAR describes the problem in detail. Whenever possible, IBM Support provides a workaround that you can implement until the APAR is resolved and a solution is delivered to you. IBM publishes resolved APARs on the IBM Support website daily, so that other users who experience the same problem can benefit from the same resolution.
Chapter 1. Firewall Port Information

If SiteProtector components or modules are located behind firewalls, you may need to reconfigure the firewalls so that the components or modules can communicate with each other. This chapter provides background information and procedures for configuring firewall ports for the different types of traffic.

TCP/IP ports

Firewalls commonly filter traffic by IP address and by TCP or UDP port, and typically block an address or port unless it is explicitly allowed.

Where firewalls are typically located

Firewalls can be placed anywhere on a network but are most commonly located between the following:
- Console and the Application Server
- Application Server and the agents
- Agent Manager and IBM Proventia Desktop Endpoint Security agents
- Event Collector and agents
- Application Server and the Internet
- X-Press Update Server and the Internet (IBM Security Download Center)

Topics
- Port information for SiteProtector traffic
- Port information for Active Directory integration
- Port information for Internet access

Port information for SiteProtector traffic

This topic provides information that can help you configure firewall rules that allow traffic between all SiteProtector System components.

Requirement: If a firewall is located between the source and destination component, create a firewall rule that allows incoming traffic to the destination ports that are specified. Where the firewall supports it, restrict the rule to the address of the source component rather than allowing the port from any host: the table names the component that initiates each connection, and that is all the rule needs to permit.

Reference: Refer to your firewall documentation for specific instructions about creating and configuring a firewall rule.

Destination ports that must be open

Destination ports use the TCP protocol unless otherwise indicated. The following table lists the destination ports that must be open to allow communication between each pair of SiteProtector components. Numbers in parentheses refer to the notes after the table.
Source component | Destination component | Wire protocol | Encryption | Destination ports
SiteProtector Console | SP Server; Desktop Agents (7.0 and earlier) | HTTP / HTTPS / RMI / JRMP / JMS | Yes | 3988, 3989, 3994, 3996, 3997, 3998, 3999, 8093
SiteProtector Console | Event Viewer | N/A | Yes | 3993
SiteProtector Console | ADS Appliance | HTTPS | Yes | 443
SiteProtector Console | IBM Security web site (http://www.ibm.com/security/) | HTTP | None | 80
SiteProtector Console | Active Directory Server | LDAP | None | 389, 3268 (1)
SiteProtector Console | Event Collector | HTTPS / L/S (2) | Yes | 2998, 8996
SiteProtector Console | SecurityFusion module | L/S | Yes | 2998
SiteProtector Console | Agent Manager | L/S / HTTPS | Yes | 2998, 3995
SiteProtector Console | X-Press Update Server | HTTPS | Yes | 3994
SiteProtector Console | Event Archiver | HTTPS | Yes | 8998
SiteProtector Console | Site DB | JDBC / TDS / RPC / Named Pipe | Yes | 1433, 445, 135, 1434 (UDP; not encrypted)
SiteProtector Console | IBM Proventia Network Multi-Function Security (MFS) Appliance | HTTPS | Yes | 443, 8001
SiteProtector Console | IBM Security Network Intrusion Prevention System (IPS) with firmware release 1.0 or later | HTTPS | Yes | 443
SiteProtector Console | IBM Proventia Network Enterprise Scanner | HTTPS | Yes | 443
SiteProtector Console | External Ticketing Server | Vendor Proprietary (3) | Yes | 1058, 1069 (4)
SiteProtector Console | SNMP Server | SNMP | Yes or None | 162
SiteProtector Console | SMTP Server | SMTP | Yes or None | 25
SiteProtector Console | IBM Internet Scanner | L/S | Yes | 2998
SiteProtector Console | IBM Security Server Protection | L/S | Yes | 2998
SiteProtector Console | Remote Host | Windows RPC | None | 135
SiteProtector Console | Agent Manager | HTTPS | Yes | 8082
Agent Manager | Desktop Agent | N/A | None | ICMP
Agent Manager | SP Server | HTTPS | Yes | 3994, 8093, 8443
Agent Manager | Site DB | OLE DB / RPC / Named Pipe | Configurable | 1433, 135, 445, 1434
Agent Manager | IBM Security Server Protection for Windows; Proventia Server for Linux | N/A | None | ICMP
Agent Manager | Event Archiver; IBM Security Network IPS appliances (G, GX, and GV) | HTTPS | Yes | 443
Agent Manager | IBM Security Virtual Server Protection; IBM Proventia Network Enterprise Scanner; IBM Proventia Network Multi-Function Security (MFS) | HTTPS | Yes | 443, 8001
Agent Manager | SNMP Server | SNMP | Yes or None | 162
Agent Manager | SMTP Server | SMTP | Yes or None | 25
Agent Manager | X-Press Update Server | HTTPS | Yes | 3994
Event Collector | Agent Manager | L/S | Yes | 914
Event Collector | Event Archiver | HTTPS | Yes | 8997
Event Collector | Event Collector | L/S | Yes | 912
Event Collector | SP Server | HTTPS | Yes | 3994
Event Collector | IBM Internet Scanner | L/S | Yes | 60155
Event Collector | SNMP Server | SNMP | Yes or None | 162
Event Collector | SMTP Server | SMTP | Yes or None | 25
Event Collector | RealSecure Server Sensor (IBM Security Server Protection) | L/S | Yes | 902
Event Collector | SecurityFusion module | L/S | Yes | 901
Event Collector | Site DB | ODBC / RPC / Named Pipe | Configurable | 1433, 135, 445, 1434
Event Archiver | SP Server | HTTPS | Yes | 3994
Event Archiver | Agent Manager | HTTPS | Yes | 3995
Event Archiver Importer | Agent Manager | HTTPS | Yes | 3995
Web Console | SP Server | HTTPS | Yes | 3994
Web Browser | Agent Manager | HTTP | Yes | 8085
IBM Proventia Network Enterprise Scanner | Agent Manager | HTTPS | Yes | 3995
IBM Security Network Intrusion Prevention System (IPS); IBM Proventia Network Multi-Function Security (MFS); IBM Security Server Protection for Windows | Agent Manager (5) | HTTPS | Yes | 3995
IBM Security Network IPS appliances (G, GX, and GV); IBM Proventia Network Multi-Function Security (MFS); IBM Security Virtual Server Protection; IBM Proventia Network Enterprise Scanner; IBM Security Server Protection for Windows; Proventia Server for Linux; IBM Proventia Desktop Endpoint Security | X-Press Update Server (6) | HTTPS | Yes | 3994
SecurityFusion module | Event Collector | L/S | Yes | 950
SecurityFusion module | Site DB | ODBC / RPC / Named Pipe | Configurable | 1433, 135, 445, 1434
IBM Security Server Protection | Agent Manager | HTTPS | Yes | 3995
IBM Proventia Desktop Endpoint Security | Agent Manager | HTTPS | Yes | 3995
Event Viewer Service | SP Server | RMI / JRMP | Yes | 3989, 3988
X-Press Update Server | Agent Manager | HTTPS | Yes | 3995
X-Press Update Server | IBM Security web site (http://www.ibm.com/security/) | HTTP | Yes | 80, 443
X-Press Update Server | X-Press Update Server | HTTPS | Yes | 3994
X-Press Update Server | IBM Security License Key and Download Center hosts (see the "Destination ports that must be open" table in Port information for Internet access) | HTTPS | Yes | 443

Notes:
1. Port 3268 is the Global Catalog port.
2. The wire protocol abbreviation L/S refers to Leap/Score.
3. Vendor Proprietary means the protocol is specific to the ticketing vendor.
4. Port 1069 is based upon the Remedy web site.
5. All Proventia agents and Desktop Agents of release 7 or earlier that communicate with the Agent Manager have the Command & Control option.
6. Use these settings if you want all agents to download updates directly from the X-Press Update Server.

Port information for Active Directory integration

To integrate Active Directory with SiteProtector, the Sensor Controller must be able to communicate with Active Directory over the ports listed below.

Destination ports that must be open

The following table lists the destination ports that must be open to allow communication between SiteProtector components and Active Directory:

Protocol | TCP port
Kerberos Secure Authentication | 88
Lightweight Directory Access Protocol (LDAP) | 389
Kerberos Passwords | 464
LDAP over SSL | 636
Microsoft Global Catalog | 3268
Microsoft Global Catalog with LDAP/SSL | 3269

Note that LDAP on ports 389 and 3268 is unencrypted (the SiteProtector traffic table marks it "None"); where the directory supports it, prefer the SSL ports 636 and 3269 so that binds do not cross the firewall in the clear.

Port information for Internet access

If you download SiteProtector System updates from the Internet, then you may need to reconfigure your firewall rules to allow this communication. This topic gives a procedure for configuring firewall rules for Internet access.

Reference: Refer to your firewall documentation for specific instructions.
Requirement: If a firewall is located between the source component and the Internet, create a firewall rule that allows the component to reach the following destination addresses on the specified destination port. On a perimeter firewall this is an outbound rule from the component; the IBM hosts never initiate a connection to your network.

Destination ports that must be open

The following table lists the destination ports that must be open to allow communication between SiteProtector components and the IBM Security License Key and Download Center.

Protocol | Destination address | Destination port
SSL or HTTPS | esdhttp.flexnetoperations.com | 443
SSL or HTTPS | ibmxpu.flexnetoperations.com | 443
SSL or HTTPS | ibms-issxpu.flexnetoperations.com | 443
SSL or HTTPS | ibms-issupdate.flexnetoperations.com | 443
SSL or HTTPS | ibmdownload.flexnetoperations.com | 443
SSL or HTTPS | ibms-ibmxpu.flexnetoperations.com | 443
SSL or HTTPS | xpu.iss.net | 443
SSL or HTTPS | update.iss.net | 443
SSL or HTTPS | update.xforce-security.com | 443

Important: IBM Security suggests that you use secure protocols (SSL or HTTPS) to download updates. See TechNote article #1437057 at http://www.ibm.com/support/docview.wss?uid=swg21437057 for up-to-date firewall rules and port information.

Local-only ports

Certain local-only ports must be open to allow communication between the Application Server and other SiteProtector components on the same machine. Local-only ports are bound to the system's loopback adapter (127.0.0.1) and cannot be reached from other hosts, so they need no rule on a network firewall. They appear in a listening state because they receive communications from components on the same system; they are not used for connections to or from other machines. If a port inventory shows one of these ports bound to 0.0.0.0 or to a routable address instead of 127.0.0.1, it is reachable from the network and should be investigated.

Reference: Refer to your firewall documentation for specific instructions.

Static ports

The following static local-only ports are used by the Application Server:
- 1527
- 2001
- 4201
- 6882
- 8009
- 8080
- 9999
- 61050
- 61613
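The following Python script is an added example, not code from the IBM publication, that checks the static list above against a listening-socket inventory. It parses `netstat -ano` output from the Application Server host (the sample output below is constructed and the PIDs are arbitrary) and reports each static local-only port as bound to loopback, exposed on a wildcard or routable address, or not listening at all.

```python
"""Audit that SiteProtector's static local-only ports are bound to loopback only.

Added example; not part of the IBM publication. It parses the output of
`netstat -ano` (Windows) and flags any local-only port that listens on a
non-loopback address. The sample output below is constructed.
"""
import ipaddress
from typing import Dict, List, Tuple

# Static local-only ports of the Application Server, as listed on the page.
LOCAL_ONLY_PORTS = {1527, 2001, 4201, 6882, 8009, 8080, 9999, 61050, 61613}

# Constructed sample in `netstat -ano` layout; addresses and PIDs are made up.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:1527         0.0.0.0:0              LISTENING       1204
  TCP    127.0.0.1:8009         0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:3994           0.0.0.0:0              LISTENING       1204
  TCP    10.0.5.20:61613        0.0.0.0:0              LISTENING       1204
  TCP    [::1]:61050            [::]:0                 LISTENING       1204
  TCP    10.0.5.20:49731        10.0.5.7:1433          ESTABLISHED     1204
"""

Listener = Tuple[str, int, int]  # (bound address, port, pid)


def split_endpoint(endpoint: str) -> Tuple[str, int]:
    """Split 'addr:port' or '[v6addr]:port' into (addr, port)."""
    addr, _, port = endpoint.rpartition(":")
    return addr.strip("[]"), int(port)


def parse_listeners(netstat_output: str) -> List[Listener]:
    """Return (address, port, pid) for every TCP socket in LISTENING state."""
    listeners = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[0] == "TCP" and fields[3] == "LISTENING":
            addr, port = split_endpoint(fields[1])
            listeners.append((addr, port, int(fields[4])))
    return listeners


def is_loopback(addr: str) -> bool:
    """True for 127.0.0.0/8 and ::1 only; the wildcards 0.0.0.0 and :: are
    not loopback, a socket bound there answers on every interface."""
    return ipaddress.ip_address(addr).is_loopback


def audit_local_only(listeners: List[Listener],
                     local_only_ports=LOCAL_ONLY_PORTS) -> Dict[str, List[int]]:
    """Classify each local-only port: bound to loopback as documented,
    exposed on a wildcard or routable address, or not listening at all."""
    result: Dict[str, List[int]] = {"loopback": [], "exposed": [], "not_listening": []}
    seen = set()
    for addr, port, _pid in listeners:
        if port not in local_only_ports:
            continue  # e.g. 3994 is a documented network port, not local-only
        seen.add(port)
        (result["loopback"] if is_loopback(addr) else result["exposed"]).append(port)
    result["not_listening"] = sorted(local_only_ports - seen)
    for key in ("loopback", "exposed"):
        result[key] = sorted(set(result[key]))
    return result


if __name__ == "__main__":
    report = audit_local_only(parse_listeners(SAMPLE_NETSTAT))
    for port in report["exposed"]:
        print(f"WARNING: local-only port {port} is reachable from the network")
    print(report)
```

On a real host, feed the script the output of `netstat -ano` instead of the sample; ports reported as "exposed" are the ones to investigate, while "not_listening" usually just means the corresponding service is stopped.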
Dynamic ports

Local-only ports are also assigned dynamically, depending on which ports are available on that system. Dynamic local-only ports cannot be listed here because the assignment depends on the ports that happen to be free when the services start.
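The following Python script is an added example, not part of the IBM publication, that turns the destination-port table earlier in this chapter into a pre-flight check. REQUIRED_PORTS holds a subset of the table (TCP only); probe_tcp() is run on the source component's host against the destination host, and whether a port is refused or times out tells you whether a firewall is in the path. The netsh command it builds uses the standard Windows Firewall inbound-rule syntax; scoping the rule to the source address is the editor's least-privilege suggestion, not a requirement stated in the table. Host addresses in the usage are placeholders.

```python
"""Pre-flight check for the SiteProtector destination ports.

Added example, not part of the IBM publication. REQUIRED_PORTS is a subset
of the chapter's table; run check_path() on the source component's host.
"""
import socket
from typing import Dict, List, Tuple

# (source, destination) -> TCP destination ports, copied from the table.
# UDP 1434 (Site DB) is left out: a TCP connect says nothing about UDP.
REQUIRED_PORTS: Dict[Tuple[str, str], List[int]] = {
    ("SiteProtector Console", "SP Server"): [3988, 3989, 3994, 3996, 3997, 3998, 3999, 8093],
    ("SiteProtector Console", "Event Collector"): [2998, 8996],
    ("SiteProtector Console", "Agent Manager"): [2998, 3995],
    ("SiteProtector Console", "Site DB"): [1433, 445, 135],
    ("Agent Manager", "SP Server"): [3994, 8093, 8443],
    ("Event Collector", "SP Server"): [3994],
    ("IBM Proventia Desktop Endpoint Security", "Agent Manager"): [3995],
    ("Web Console", "SP Server"): [3994],
}


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify one destination port as seen from the source host:
    'open'       the handshake completed, nothing to fix;
    'refused'    the host answered with RST: reachable, so not a firewall
                 problem, but the component is not listening there;
    'filtered'   no answer before the timeout (or host unreachable), the
                 usual sign of a firewall dropping the SYN;
    'unresolved' the destination name did not resolve."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.gaierror:
        return "unresolved"
    except OSError:          # includes socket.timeout
        return "filtered"


def check_path(source: str, destination: str, dest_host: str,
               timeout: float = 2.0) -> Dict[int, str]:
    """Probe every documented port for one source -> destination pair."""
    return {port: probe_tcp(dest_host, port, timeout)
            for port in REQUIRED_PORTS[(source, destination)]}


def not_open(results: Dict[int, str]) -> List[int]:
    """Ports that still need a firewall rule (or a listening component)."""
    return sorted(port for port, status in results.items() if status != "open")


def netsh_allow_rule(rule_name: str, ports: List[int], remote_ip: str = "any") -> str:
    """Inbound allow rule for the Windows Firewall on the destination host.
    Pass the source component's address or subnet as remote_ip rather than
    'any': the table only needs the named source to reach these ports."""
    port_list = ",".join(str(p) for p in sorted(ports))
    return (f'netsh advfirewall firewall add rule name="{rule_name}" dir=in '
            f'action=allow protocol=TCP localport={port_list} remoteip={remote_ip}')


# Offline helpers so the probe can be exercised without a SiteProtector host.
def start_local_listener() -> Tuple[socket.socket, int]:
    """Listen on a loopback ephemeral port; stands in for an open destination."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def reserve_closed_port() -> int:
    """Pick a loopback port that is currently not listening."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    srv, open_port = start_local_listener()
    print(probe_tcp("127.0.0.1", open_port), probe_tcp("127.0.0.1", reserve_closed_port()))
    srv.close()
    # Real use: results = check_path("Agent Manager", "SP Server", "spserver.example.com")
    missing = not_open({3994: "open", 8093: "filtered", 8443: "refused"})
    print(netsh_allow_rule("SiteProtector SP Server from Agent Manager", missing, "10.0.5.0/24"))
```

A "refused" result for a port the table requires means the packets reach the destination host but nothing is listening; check that the component is installed and started before changing any firewall. A "filtered" result for every port, including ones the host is known to serve, points at the firewall.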
Chapter 2. Configuring Components for NAT Firewalls

If your SiteProtector components are located behind firewalls that use NAT or other types of address translation, you may be required to perform additional configuration tasks so that SiteProtector components can communicate.

Problems with using NAT with SiteProtector

By default, some SiteProtector components are configured with the private IP address of their host and hand that address to the components they talk to (for example, the Application Server embeds it in the RMI references it gives the Console). A component on the other side of a NAT firewall cannot route to a private address, so the connection fails even when the required ports are open.

How to enable NAT communication

To correct NAT communication problems, you must configure SiteProtector components to use either a public IP address or a fully qualified domain name that resolves correctly from the remote side.

Common NAT firewall locations

NAT is typically enabled on external firewalls and not on firewalls that are located on the intranet. You may experience communication problems if NAT firewalls are located between the following:
- Remote consoles and the Application Server
- Remote IBM Proventia Desktop Endpoint Security agents and the Agent Manager

Topics
- Configuring the Application Server for communication with NAT firewalls
- Restarting the Sensor Controller and Application Server services
- Configuring the Agent Manager for communication through NAT firewalls
Configuring the Application Server for communication with NAT firewalls

This topic explains how to configure the Application Server so that the Console can reach it through a NAT firewall.

About this task

Important: Perform the procedure in this topic only if a NAT firewall is between the Application Server and the Console.

Reference: For more information on stopping and restarting the application services, see Restarting the Sensor Controller and Application Server services.

Procedure
1. Stop the Application Server service.
2. Click Start on the taskbar, and then select Run.
3. In the Open field, type regedit. The Registry Editor appears.
4. Navigate to the following path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\
5. Use the following table to configure the registry values:

   Folder | Entry | Change the...
   issspappservice\parameters | JVM Option Number 7 | value data from the IP address to the DNS name
   issspsenctlservice\parameters | IPBind | value data from the IP address to the DNS name

   Example: -Djava.rmi.server.hostname=public_IP_or_FQDN

   The java.rmi.server.hostname value is the address that the Application Server tells RMI clients to connect back to, so it must be a name or address that the Console can resolve and reach from its side of the NAT firewall, not the server's private address.
6. Restart the Sensor Controller and Application Server services.

Restarting the Sensor Controller and Application Server services

This topic explains how to stop or restart the Sensor Controller and the Application Server services.

About this task

After you have configured the Application Server to communicate through NAT, you must restart the Sensor Controller and Application Server services to put the changes into effect.

Procedure
1. Click Start on the taskbar of the computer where the Application Server and Sensor Controller are installed, and then select Settings > Control Panel.
2. Open the Administrative Tools folder, and then double-click Services. The Services window appears.
3. In the right pane, scroll until you find SiteProtector Sensor Controller Service, and then select it.
4. Do one of the following:
   - To stop the Sensor Controller service, click Stop Service (the Stop option) on the toolbar.
   - To start the Sensor Controller service, click Start Service (the Play option) on the toolbar.
5. Repeat Steps 1 through 4 for the Application Server.
Configuring the Agent Manager for communication through NAT firewalls

Perform the procedure in this topic only if a NAT firewall is between the Agent Manager and IBM Proventia Desktop Endpoint Security agents. This procedure configures the Agent Manager so that agents can reach it through the NAT firewall.

Before you begin

You must perform this procedure before you generate agent builds. Otherwise, agents cannot communicate with the Agent Manager, and you will be forced to regenerate agent builds.

Procedure
1. On the computer where the Agent Manager is installed, locate the Agent Manager initialization file at the following path: \Program Files\ISS\SiteProtector\AgentManager\rsspdc.ini
2. Open the file in a text editor.
3. Change the dcname to one of the following:
   - DNS name (the recommended option)
   - public IP address

   Note: If you select the DNS name option, ensure that the name resolves to an IP address, and that it resolves from the agents' network to an address that reaches the Agent Manager through the NAT firewall.
4. Save the file.
5. On the Console, right-click the Agent Manager icon, and then select Stop.
6. Right-click the Agent Manager icon, and then select Start.
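The following Python script is an added example that serves both procedures in this chapter (the Application Server registry values and the Agent Manager rsspdc.ini change); it is not an IBM tool and not code from the publication. It validates the public address or FQDN the procedures ask for, rewrites the -Djava.rmi.server.hostname option (the "JVM Option Number 7" value), produces the new IPBind value, and rewrites the dcname line. The exact layout of rsspdc.ini is an assumption (a `dcname=<value>` line) and the sample file text, server address and DNS entries are constructed; writing the registry and the file is left to the administrator so that the logic can be checked offline.

```python
"""Apply the two NAT settings from this chapter to configuration text.

Added example; not an IBM tool and not code from the publication. The
rsspdc.ini layout ('dcname=<value>' line) is an assumption; the sample
values below are constructed.
"""
import ipaddress
import re
import socket
from typing import Callable, Dict

Resolver = Callable[[str], str]   # name -> address text; raises OSError when unresolvable

# Address space that a peer on the far side of a NAT firewall cannot route to.
NOT_NAT_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10")]


def validate_public_address(value: str, resolve: Resolver = socket.gethostbyname) -> str:
    """A literal address must not be private, loopback or link-local (that is
    exactly what fails through NAT); a DNS name must resolve (the page's note
    on the dcname step). Returns the address the value maps to; raises
    ValueError or OSError otherwise. A name that resolves to a private
    address is accepted here, because split-horizon DNS may answer differently
    on the remote side; verify resolution from there as well."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return str(ipaddress.ip_address(resolve(value)))   # OSError if unresolvable
    if any(ip in net for net in NOT_NAT_ROUTABLE):
        raise ValueError(f"{value} is not routable from the far side of a NAT firewall")
    return str(ip)


def is_nat_usable(value: str, resolve: Resolver = socket.gethostbyname) -> bool:
    """Boolean form of validate_public_address()."""
    try:
        validate_public_address(value, resolve)
        return True
    except (ValueError, OSError):
        return False


RMI_HOSTNAME_RE = re.compile(r"^-Djava\.rmi\.server\.hostname=.*$")


def set_rmi_hostname(jvm_option: str, public_name: str) -> str:
    """New value data for 'JVM Option Number 7'. Refuses to rewrite a value
    that is not the RMI hostname option, so editing the wrong entry is caught."""
    if not RMI_HOSTNAME_RE.match(jvm_option):
        raise ValueError(f"not the RMI hostname option: {jvm_option!r}")
    return f"-Djava.rmi.server.hostname={public_name}"


DCNAME_RE = re.compile(r"^([ \t]*dcname[ \t]*=[ \t]*)([^\r\n]*)$",
                       re.IGNORECASE | re.MULTILINE)


def set_dcname(ini_text: str, public_name: str) -> str:
    """Rewrite the dcname line of rsspdc.ini, keeping everything else as is."""
    new_text, count = DCNAME_RE.subn(lambda m: m.group(1) + public_name, ini_text)
    if count != 1:
        raise ValueError(f"expected exactly one dcname line, found {count}")
    return new_text


def configure_for_nat(jvm_option: str, ini_text: str, public_name: str,
                      resolve: Resolver = socket.gethostbyname) -> Dict[str, str]:
    """Validate the name once and produce all three replacement values."""
    validate_public_address(public_name, resolve)
    return {
        "JVM Option Number 7": set_rmi_hostname(jvm_option, public_name),
        "IPBind": public_name,
        "rsspdc.ini": set_dcname(ini_text, public_name),
    }


def table_resolver(table: Dict[str, str]) -> Resolver:
    """Dict-backed stand-in for DNS, for offline checks."""
    def resolve(name: str) -> str:
        if name not in table:
            raise OSError(f"cannot resolve {name}")   # socket.gaierror is an OSError
        return table[name]
    return resolve


# Constructed sample data: a private server address, the assumed ini layout,
# and a fake DNS table using a documentation-range public address.
SAMPLE_JVM_OPTION = "-Djava.rmi.server.hostname=10.0.5.20"
SAMPLE_RSSPDC_INI = "; Agent Manager settings (constructed sample)\ndcname=10.0.5.20\n"
FAKE_DNS = table_resolver({"siteprotector.example.com": "203.0.113.10"})

if __name__ == "__main__":
    print(configure_for_nat(SAMPLE_JVM_OPTION, SAMPLE_RSSPDC_INI,
                            "siteprotector.example.com", FAKE_DNS))
```

With the default resolver the script uses the host's real DNS; run it on the Application Server or Agent Manager host, then put the returned values into the registry and rsspdc.ini by hand and restart the services as the procedures describe.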
Notices

This information was developed for products and services offered in the U.S.A.

IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not grant you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan Ltd.
19-21, Nihonbashi-Hakozakicho, Chuo-ku
Tokyo 103-8510, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

IBM Corporation
Project Management C55A/74KB
6303 Barfield Rd., Atlanta, GA 30328
U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

Trademarks

IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.

Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both.

Privacy policy considerations

IBM Software products, including software as a service solutions, ("Software Offerings") may use cookies or other technologies to collect product usage information, to help improve the end user experience, to tailor interactions with the end user or for other purposes. In many cases no personally identifiable information is collected by the Software Offerings. Some of our Software Offerings can help enable you to collect personally identifiable information. If this Software Offering uses cookies to collect personally identifiable information, specific information about this offering's use of cookies is set forth below.

This Software Offering does not use cookies or other technologies to collect personally identifiable information.

If the configurations deployed for this Software Offering provide you as customer the ability to collect personally identifiable information from end users via cookies and other technologies, you should seek your own legal advice about any laws applicable to such data collection, including any requirements for notice and consent.

For more information about the use of various technologies, including cookies, for these purposes, see IBM's Privacy Policy at http://www.ibm.com/privacy and IBM's Online Privacy Statement at http://www.ibm.com/privacy/details/us/en, sections entitled "Cookies, Web Beacons and Other Technologies" and "Software Products and Software-as-a-Service".

Statement of good security practices

IT system security involves protecting systems and information through prevention, detection, and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused, or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
Printed in USA