CCI through Firewall r11 - PowerPoint PPT Presentation

Provided by: supportco9
1
CCI through Firewall r11

2
Objectives
  • CCI Considerations for NSM r11 deployment in DMZ
  • Review different deployment options
  • Review potential risks, primarily Denial of
    Service (DoS) attacks

3
DoS
  • Any software deployed in a DMZ requires protection
    against malicious access or denial of service
    attacks. This requires a review of security
    solutions to prevent these attacks, which is out
    of scope of this presentation

4
Agenda
  • CCI Introduction
  • CCI Layers
  • DoS
  • Different Deployment Options

5
The need for CCI
  • Applications, such as Job Management Agent, Event
    Management, etc., need to communicate with one
    another across various servers and platforms.

6
The need for CCI
  • Allows applications on various platforms to
    communicate with applications on any other using
    the mechanism of CCI.

7
CCI is available on...
  • UNIX
  • NT
  • AS/400
  • OpenVMS
  • Tandem
  • OS/390

8
What CCI does.
  • Allows applications to communicate with one
    another without considering IPC / network
    programming issues.
  • Presents set of APIs that allow programmers to
    focus on what an application needs to do and
    forget about IPC / network programming issues.

9
CCI Layers
  • QUES Layer introduced the ability to connect at
    send time.
  • RMT Layer connects at CCI start up time.
  • RMT has auto-connect capability
  • Auto-connect capability can be disabled with
    configuration setting

10
QUES Layer
  • Eliminates need for configuration files
  • New hosts may be brought into configuration with
    less effort
  • Removal of host from configuration does not
    affect other hosts
  • Connections between hosts are short lived
  • Bi-Directional CCI Initialization

11
QUES Layer
  • Requires port 7001 to be unblocked bi-directionally
  • CCI Initialization from DMZ and Private Network
  • Potential risk for Denial of Service Attacks
      • SYN Flooding
      • Etc.
  • Port must be unblocked for the designated NSM
    servers and not for all hosts
  • No predefined source port

12
QUES Layer
  • Transport mechanism
  • Connects with SYN Flag
  • Send Data
  • Disconnect
  • No persistent connection

13
RMT Layer
  • Persistent Connection
  • Connection established at start up and remains
    open for duration of CCI
  • Preferred option in Firewall deployment
  • New hosts may be brought in with Auto Connect
    Feature

14
RMT Layer
  • Port Usage
  • Source Port can be configured by environment
    settings
  • Destination port defaults to 1721 but can be
    configured

15
SYN Three-way Handshaking
  • SYN
  • SYN/ACK
  • ACK

16
How SYN Flooding Works
  • A TCP connection request (SYN) is sent to the
    target computer. The source IP address in the
    packet can be "spoofed," or replaced with an
    address that is not in use on the Internet, or
    that belongs to another computer. An attacker may
    send many of these TCP SYNs to tie up as many
    resources as possible on the target computer and
    exhaust them.
  • Upon receiving the connection request, the target
    computer allocates resources to handle and track
    the new connection, then responds with a
    "SYN-ACK". In this case, the response is sent to
    the "spoofed" non-existent IP address.
  • No response is received to the SYN-ACK. A
    default-configured Windows NT 4.0 computer will
    retransmit the SYN-ACK 5 times, doubling the
    time-out value after each retransmission. The
    initial time-out value is three seconds, so
    retries are attempted at 3, 6, 12, 24, and 48
    seconds. After the last retransmission, 96
    seconds are allowed to pass before the computer
    gives up on receiving a response, and deallocates
    the resources that were set aside earlier for the
    connection. This can be configured using registry
    changes.

Block port 7001 except for designated NSM servers

17
Firewall SYN Flood
  • Review the firewall solution to prevent SYN flood
    attacks or DoS
  • Ensure 7001 is unblocked only for the two NSM
    servers that require CCI connectivity

18
CCI Ports Windows
  • Transporter
  • Quenetd
  • TCP destination port 7001 for Windows to Windows
    communication
  • CCI will attempt TCP connection first
  • If that fails, it will then attempt the RMT daemon on 1721

19
CCI
  • Transporter Service - QUES Layer
  • TCP 7001
  • Verify that the Transport Protocol setting is TCP to
    avoid attempts to open 7003 or 7004
  • Transport Protocol defaults to TCP

20
Firewall Setup
[Diagram labels: Secured, DMZ]

21
Testing Environment

22
Deployment Options

23

Scenario 1
  • We want to forward Event exception messages from
    DMZ without installing the Ingres Client in the
    DMZ environment
  • How can we configure this?



24
Deployment - Scenario 1
  • Install Event Agent
  • Set Event Agent Proxy Node to NSM server inside
    the firewall
  • Open up CCI 7001 port bi-directional.

25
DMZ Event DSB
  • Event Agent Proxy Node
  • Specify the node name of Central Server Event
    Manager
  • DSB refreshed from Central Server

26
DMZ Event DSB
  • If proxy node not required, then local dsb can be
    pushed to DMZ by other means

27
Windows -> Windows
[Diagram labels: Secured Zone, TCP 7001, FIREWALL, TCP 7001, DMZ]
7001 unblocked in both directions; CCI may be initiated from DMZ

28

Scenario 2
  • We want to open CCI port for outbound traffic
    only and prevent CCI initialization from taking
    place in the DMZ
  • How can we configure this?



29
Scenario 2
  • RMT daemon provides persistent connection
  • Customize ccirmtd.rc to start up connection from
    secured network
  • Add the Windows servers to RMTHOSTNAME entries

30
Windows Windows Remote RMTHOSTS
[Diagram labels: Secured Node, DMZ]
Add Windows node to RMTHOSTS settings for DMZ and secured servers

31
Windows Windows Remote RMTHOSTS
  • Update RMTHOSTS on both Windows nodes.
  • If only one node is updated, the other Windows
    node will use the QUES layer. For example:
      • RMTHOSTS entry on DMZ node not updated to use RMT
        layer for secured zone node
      • Secured server RMTHOSTS entry updated to use RMT
        layer for DMZ node.
      • All requests from secured to DMZ will use RMT.
      • Events from DMZ to secured will use QUES layer.
        This port would be blocked. It will then attempt
        to use RMT port.

32
ccirmtd.rc location
  • ccirmtd.rc must reside in ca_appsw directory -
    NOT caiuser directory (as in previous releases)

33
Windows Windows Remote Secured ccirmtd.rc
  • Add Windows node to ccirmtd.rc to prevent a
    potential failure of the first autoConnect attempt.
  • The ccirmtd.rc in the secured network must be
    updated to start up the RMT connection.

34
Windows Windows Remote DMZ ccirmtd.rc
  • CCIRMTD.rc file on the DMZ must have entry with
    nostart and retry0 (no retry).
  • This prevents CCI initialization from DMZ
    environment

35
Windows Windows Remote Source Port
  • To pre-define source port for RMT connection, add
    environment variable CAI_CCI_PORT1

36
Source Port

37
Inbound CAM port Blocked

38
CAM Inbound
  • CAM inbound traffic denied if CAM not initiated
    from secured zone

39
Windows -> Windows Remote
[Diagram labels: Secured Network, MDB, FIREWALL, TCP 1721, DMZ]
7001 blocked; persistent connection and traffic initiated from Private network

40
DMZ -> Secured

41

Deployment - Scenario 3
  • Client would like to use the QUES Layer but wishes to
    block port 7001 from DMZ to private network.
  • What are the implications?



42
DMZ -> Secured
  • Execute cawto in DMZ environment to send message
    to Private network
  • cawto <secured> Sending message from DMZ to
    Private
  • Message will be denied by Firewall
  • Exception messages cannot be forwarded from DMZ
    to secured network

43
DMZ -> Private with 7001 Blocked

44
Summary
  • For Windows Windows, use QUES Layer with 7001
    unblocked for the selected NSM servers only. CCI
    Initialization from DMZ and Secured environment
  • For Windows Windows, configure RMT layer to
    avoid bi-directional unblocking of ports
  • For Windows -> UNIX or UNIX -> Windows (including
    Linux), RMT layer provides persistent connection
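
The two options in the summary, as an added example that is not part of the original presentation: a Python check of a firewall rule list against the QUES option (7001 open only between the designated NSM servers) and the RMT option (7001 blocked, 1721 initiated only from the secured zone). The server addresses, the rule layout and its field names are constructed assumptions; the ports are the defaults given in the slides.

```python
import ipaddress

# Constructed sample data: the addresses, the rule layout and its field names
# are assumptions for illustration, not any firewall product's export format.
SECURED_NSM = "10.1.1.10"   # NSM server in the secured zone (hypothetical)
DMZ_NSM = "192.0.2.10"      # NSM server in the DMZ (hypothetical)
RULES = [
    {"id": 1, "action": "allow", "src": "10.1.1.10/32", "dst": "192.0.2.10/32", "dport": 7001},
    {"id": 2, "action": "allow", "src": "192.0.2.10/32", "dst": "10.1.1.10/32", "dport": 7001},
    {"id": 3, "action": "allow", "src": "192.0.2.0/24", "dst": "10.1.1.10/32", "dport": 7001},
    {"id": 4, "action": "allow", "src": "0.0.0.0/0", "dst": "192.0.2.10/32", "dport": 7001},
    {"id": 5, "action": "allow", "src": "10.1.1.10/32", "dst": "192.0.2.10/32", "dport": 1721},
    {"id": 6, "action": "allow", "src": "192.0.2.10/32", "dst": "10.1.1.10/32", "dport": 1721},
]

def is_host(cidr, hosts):
    """True only if cidr is a single address that is one of the given hosts."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.num_addresses == 1 and str(net.network_address) in hosts

def audit(rules, mode, ques_port=7001, rmt_port=1721):
    """Return (rule id, reason) for every allow rule that breaks the chosen option.

    mode "ques": QUES port open both ways, but only between the two NSM servers.
    mode "rmt":  QUES port closed; RMT port allowed only from secured NSM to DMZ NSM.
    Each allow rule is judged on its own; rule ordering is not modelled.
    """
    nsm = {SECURED_NSM, DMZ_NSM}
    findings = []
    for r in (r for r in rules if r["action"] == "allow"):
        if r["dport"] == ques_port:
            if mode == "rmt":
                findings.append((r["id"], "QUES port must stay blocked with RMT"))
            elif not (is_host(r["src"], nsm) and is_host(r["dst"], nsm)):
                findings.append((r["id"], "QUES port open beyond designated NSM servers"))
        elif r["dport"] == rmt_port and mode == "rmt":
            if not (is_host(r["src"], {SECURED_NSM}) and is_host(r["dst"], {DMZ_NSM})):
                findings.append((r["id"], "RMT connection not initiated from secured NSM"))
    return findings

if __name__ == "__main__":
    for mode in ("ques", "rmt"):
        print(mode, audit(RULES, mode))
```
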

45
Questions and Answers
Any questions?