Firewall Considerations for CCI

CCI through Firewall
r11
Objectives
- CCI considerations for NSM r11 deployment in the DMZ
- Review different deployment options
- Review potential risks, primarily Denial of Service (DoS) attacks
© 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies.
DoS
- Any software deployed in the DMZ requires protection against malicious access or denial of service attacks. This requires a review of security solutions to prevent these attacks, which is out of scope for this presentation.
Agenda
- CCI Introduction
- CCI Layers
- DoS
- Different Deployment Options
The need for CCI
- Applications, such as Job Management Agent, Event Management, etc., need to communicate with one another across various servers and platforms.
The need for CCI
- Allows applications on various platforms to communicate with applications on any other platform using the CCI mechanism.
CCI is available on...
- UNIX
- NT
- AS/400
- OpenVMS
- Tandem
- OS/390
What CCI does...
- Allows applications to communicate with one another without considering IPC / network programming issues.
- Presents a set of APIs that allow programmers to focus on what an application needs to do and forget about IPC / network programming issues.
CCI Layers
- QUES Layer introduced the ability to connect at send time.
- RMT Layer connects at CCI start-up time.
  - RMT has auto-connect capability
  - Auto-connect capability can be disabled with a configuration setting
QUES Layer
- Eliminates the need for configuration files
- New hosts may be brought into the configuration with less effort
- Removal of a host from the configuration does not affect other hosts
- Connections between hosts are short lived
- Bi-directional CCI initialization
QUES Layer
- Requires TCP port 7001 to be unblocked bi-directionally
- CCI initialization from both the DMZ and the Private Network
- Potential risk of Denial of Service attacks
  - SYN flooding
  - etc.
- The port must be unblocked only for the designated NSM servers, not for all hosts
- No predefined source port
QUES Layer
- Transport mechanism
  - Connects with SYN flag
  - Sends data
  - Disconnects
  - No persistent connection
RMT Layer
- Persistent connection
  - Connection established at start-up and remains open for the duration of CCI
  - Preferred option in a firewall deployment
  - New hosts may be brought in with the Auto Connect feature
RMT Layer
- Port usage
  - Source port can be configured by environment settings
  - Destination port defaults to 1721 but can be configured
SYN Three-way Handshaking
[Diagram: the SYN, SYN/ACK, ACK exchange between a DMZ host and a Private host]
How SYN Flooding Works
- A TCP connection request (SYN) is sent to the target computer. The source IP address in the packet can be "spoofed", i.e. replaced with an address that is not in use on the Internet or that belongs to another computer. An attacker may send many of these TCP SYNs to tie up as many resources as possible on the target computer.
- Upon receiving the connection request, the target computer allocates resources to handle and track the new connection, then responds with a "SYN-ACK". In this case, the response is sent to the "spoofed" non-existent IP address.
- No response is received to the SYN-ACK. A default-configured Windows NT 4.0 computer will retransmit the SYN-ACK 5 times, doubling the time-out value after each retransmission. The initial time-out value is three seconds, so retries are attempted at 3, 6, 12, 24, and 48 seconds. After the last retransmission, 96 seconds are allowed to pass before the computer gives up on receiving a response and deallocates the resources that were set aside earlier for the connection. This can be configured using registry changes.
- BLOCK port 7001 except for the designated NSM servers
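As an added illustration (not part of the original deck), the following Python computes the half-open connection hold time from the NT 4.0 retransmission schedule quoted above, and the spoofed-SYN rate needed to fill a half-open table of a given size. The table size used at the end is a constructed figure.

```python
# Added example (not from the CA deck): model how long a half-open TCP
# connection holds resources under the SYN-ACK retransmission schedule
# described on the slide, and what a spoofed-source SYN flood does to
# the half-open connection table. The table limit below is constructed.

def synack_retry_waits(initial_timeout=3, retries=5):
    """Wait (seconds) before each SYN-ACK retransmission when the timeout
    doubles after every attempt. NT 4.0 defaults per the slide: 3 s initial,
    5 retransmissions -> [3, 6, 12, 24, 48]."""
    return [initial_timeout * 2 ** i for i in range(retries)]

def half_open_hold_time(initial_timeout=3, retries=5):
    """Seconds a half-open entry is held: every retry wait, plus the final
    wait (twice the last retry) before the stack gives up and frees it.
    With the defaults this is 3+6+12+24+48+96 = 189 s."""
    waits = synack_retry_waits(initial_timeout, retries)
    return sum(waits) + 2 * waits[-1]

def steady_state_half_open(syn_per_second, hold_time):
    """Half-open entries held at steady state when no SYN is ever completed
    (spoofed, unreachable sources): arrival rate times hold time."""
    return syn_per_second * hold_time

def flood_rate_to_fill(table_limit, hold_time):
    """Spoofed SYN/s needed to keep a table of table_limit half-open
    entries permanently full: entries expire after hold_time seconds."""
    return table_limit / hold_time

def compare_settings(table_limit, retry_options=(5, 2)):
    """Effect of lowering the retransmission count (the registry change the
    slide refers to): {retries: (hold_time_s, syn_per_s_to_fill_table)}."""
    out = {}
    for retries in retry_options:
        hold = half_open_hold_time(3, retries)
        out[retries] = (hold, flood_rate_to_fill(table_limit, hold))
    return out

if __name__ == "__main__":
    # Constructed figure: a half-open table of 1000 entries on a host whose
    # port 7001 is reachable from an unfiltered source.
    for retries, (hold, rate) in compare_settings(1000).items():
        print(f"retries={retries}: hold {hold}s, {rate:.1f} SYN/s fills the table")
```

Reducing the retry count shrinks the hold time from 189 s to 21 s, so the same table needs roughly nine times the SYN rate to stay full; scoping port 7001 to the designated NSM servers removes the unfiltered source altogether.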
Firewall SYN Flood
- Review the firewall solution to prevent SYN flood attacks or DoS
- Ensure port 7001 is only unblocked for the two NSM servers which require CCI connectivity
CCI Ports – Windows
- Transporter
  - Quenetd
  - TCP destination port 7001 for Windows to Windows communication
  - CCI will attempt the TCP connection first
  - If that fails, it will then attempt the RMT daemon on port 1721
CCI
- Transporter Service - QUES Layer
  - TCP 7001
  - Verify the Transport Protocol setting is TCP to avoid attempts to open 7003 or 7004
  - Transport Protocol defaults to TCP
Firewall Setup
[Diagram: firewall between the Secured network and the DMZ]
Testing Environment
Deployment Options
Scenario 1
- We want to forward Event exception messages from the DMZ without installing the Ingres Client in the DMZ environment
- How can we configure this?
Deployment - Scenario 1
- Install the Event Agent
- Set the Event Agent Proxy Node to the NSM server inside the firewall
- Open up CCI port 7001 bi-directionally.
DMZ Event DSB
- Event Agent Proxy Node
  - Specify the node name of the Central Server Event Manager
  - DSB refreshed from the Central Server
DMZ Event DSB
- If the proxy node is not required, then the local DSB can be pushed to the DMZ by other means
Windows -> Windows
[Diagram: Secured Zone (MDB, DSM, wvdbt, EVT, Common Services) connected through the FIREWALL over TCP 7001 to the DMZ (DSM, EVT, Common Services)]
Scenario 2
- We want to open the CCI port for outbound traffic only and prevent CCI initialization from taking place in the DMZ
- How can we configure this?
Scenario 2
- The RMT daemon provides a persistent connection
- Customize ccirmtd.rc to start up the connection from the secured network
- Add the Windows servers to the RMTHOSTNAME entries
Windows – Windows Remote RMTHOSTS
[Diagram: Secured node and DMZ node; callout: Add the Windows node to the RMTHOSTS settings for the DMZ and secured servers]
Windows – Windows Remote RMTHOSTS
- Update RMTHOSTS on both Windows nodes.
- If only one node is updated, the other Windows node will use the QUES layer. For example:
  - RMTHOSTS entry on the DMZ node not updated to use the RMT layer for the secured zone node
  - Secured server RMTHOSTS entry updated to use the RMT layer for the DMZ node
  - All requests from secured to DMZ will use RMT.
  - Events from DMZ to secured will first use the QUES layer. Since this port is blocked, it will then attempt to use the RMT port.
ccirmtd.rc location
- ccirmtd.rc must reside in the ca_appsw directory, NOT the caiuser directory (as in previous releases)
Windows – Windows Remote Secured ccirmtd.rc
- Add the Windows node to ccirmtd.rc to prevent a potential first autoConnect attempt failure. The ccirmtd.rc in the secured network must be updated to start up the RMT connection.
Windows – Windows Remote DMZ ccirmtd.rc
- The ccirmtd.rc file on the DMZ must have an entry with nostart and retry=0 (no retry).
- This prevents CCI initialization from the DMZ environment.
Windows – Windows Remote Source Port
- To pre-define the source port for the RMT connection, add the environment variable CAI_CCI_PORT1
Source Port
Inbound CAM port Blocked
CAM Inbound
[Diagram callout: CAM inbound traffic is denied if CAM is not initiated from the secured zone]
Windows -> Windows Remote
[Diagram: Secured Network (MDB, DSM, wvdbt, EVT, Common Services) connected through the FIREWALL over TCP 1721 to the DMZ (DSM, EVT, Common Services)]
DMZ -> Secured
Deployment - Scenario 3
- The client would like to use the QUES Layer but wishes to block port 7001 from the DMZ to the private network.
- What are the implications?
DMZ -> Secured
- Execute cawto in the DMZ environment to send a message to the Private network
  - cawto [<secured>] Sending message from DMZ to Private
  - Message will be denied by the firewall
- Exception messages cannot be forwarded from the DMZ to the secured network
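An added example, not CA's code and not part of the original deck: a small first-match firewall evaluator and a simplified model of CCI transport selection (peers listed in RMTHOSTS use RMT; otherwise QUES on 7001 with fallback to the RMT daemon on 1721), walked through Scenarios 1 to 3 and the one-sided RMTHOSTS case above. Host names, rule sets, and the assumption that an established RMT connection carries traffic both ways are constructed for this example.

```python
# Added example (not CA's code): first-match firewall evaluator plus a
# simplified model of how a CCI node picks its transport, used to walk
# through the deck's scenarios. Host names and rule sets are constructed.
QUES_PORT, RMT_PORT = 7001, 1721   # Transporter (QUES) / ccirmtd (RMT)

def allowed(rules, src, dst, port):
    """Rules are (src, dst, port, action); src/dst are host sets or 'any'.
    First match wins; anything unmatched is denied."""
    hit = lambda r, h: r == "any" or h in r
    for rsrc, rdst, rport, action in rules:
        if rport == port and hit(rsrc, src) and hit(rdst, dst):
            return action == "allow"
    return False

def rmt_session(rules, a, b, rmt_starts):
    """RMT is persistent and usable both ways once up. Assumption: a side
    starts it only if its ccirmtd.rc lists the peer without 'nostart'
    and the firewall lets it reach the peer's port 1721."""
    return any(y in rmt_starts.get(x, ()) and allowed(rules, x, y, RMT_PORT)
               for x, y in ((a, b), (b, a)))

def cci_transport(rules, sender, peer, rmthosts, rmt_starts):
    """Order from the 'CCI Ports - Windows' slide: a node whose RMTHOSTS
    lists the peer uses RMT directly; otherwise it tries QUES on 7001 and
    falls back to the RMT daemon. Returns the layer used, or None."""
    if peer not in rmthosts.get(sender, ()) and allowed(rules, sender, peer, QUES_PORT):
        return "QUES"
    return "RMT" if rmt_session(rules, sender, peer, rmt_starts) else None

SEC, DMZ, OTHER = "nsm-secured", "nsm-dmz", "dmz-webhost"   # constructed names

def ques_scenario(block_dmz_to_private=False):
    """Scenario 1: 7001 open both ways for the two NSM servers only.
    Scenario 3 (flag True): 7001 also blocked DMZ->private, so a cawto
    from the DMZ has no path and exception messages cannot be forwarded."""
    rules = [({SEC}, {DMZ}, QUES_PORT, "allow"), ("any", "any", QUES_PORT, "deny")]
    if not block_dmz_to_private:
        rules.insert(0, ({DMZ}, {SEC}, QUES_PORT, "allow"))
    return {k: cci_transport(rules, s, p, {}, {}) for k, s, p in
            (("dmz->sec", DMZ, SEC), ("sec->dmz", SEC, DMZ), ("other->sec", OTHER, SEC))}

def rmt_scenario(dmz_rmthosts_updated=True):
    """Scenario 2: only secured->DMZ 1721 is open and the DMZ ccirmtd.rc has
    nostart/retry=0, so it never initiates. Flag False = only the secured
    node's RMTHOSTS was updated (the mismatch case on the RMTHOSTS slide)."""
    rules = [({SEC}, {DMZ}, RMT_PORT, "allow")]
    rmthosts = {SEC: {DMZ}, DMZ: {SEC} if dmz_rmthosts_updated else set()}
    starts = {SEC: {DMZ}}   # DMZ side never starts a connection
    return {"dmz->sec": cci_transport(rules, DMZ, SEC, rmthosts, starts),
            "sec->dmz": cci_transport(rules, SEC, DMZ, rmthosts, starts)}
```

In the mismatch case the DMZ node still reaches the secured node over RMT, but only after its QUES attempt on 7001 is denied, which is the extra blocked attempt the RMTHOSTS slide warns about.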
DMZ -> Private with 7001 Blocked
Summary
- For Windows – Windows, use the QUES Layer with 7001 unblocked for the selected NSM servers only. CCI initialization takes place from both the DMZ and the Secured environment.
- For Windows – Windows, configure the RMT layer to avoid bi-directional unblocking of ports.
- For Windows -> UNIX or UNIX -> Windows (including Linux), the RMT layer provides a persistent connection.
Questions and Answers
Any questions?