CCI through Firewall r11
DESCRIPTION
CCI through Firewall r11. Objectives: CCI considerations for NSM r11 deployment in a DMZ; review different deployment options; review potential risks, primarily Denial of Service (DoS) attacks.
TRANSCRIPT
CCI through Firewall r11
2 © 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies.
Objectives
- CCI considerations for NSM r11 deployment in a DMZ
- Review different deployment options
- Review potential risks, primarily Denial of Service (DoS) attacks
DoS
- Any software deployed in a DMZ requires protection against malicious access and denial of service attacks. Choosing the security solutions that prevent those attacks is out of scope for this presentation.
Agenda
- CCI Introduction
- CCI Layers
- DoS
- Different Deployment Options
The need for CCI
- Applications, such as Job Management Agent, Event Management, etc., need to communicate with one another across various servers and platforms.
The need for CCI
- Allows applications on various platforms to communicate with applications on any other platform using the CCI mechanism.
CCI is available on...
- UNIX
- NT
- AS/400
- OpenVMS
- Tandem
- OS/390
What CCI does...
- Allows applications to communicate with one another without having to deal with IPC / network programming issues.
- Presents a set of APIs that let programmers focus on what the application needs to do and ignore IPC / network programming issues.
CCI Layers
- QUES Layer introduced the ability to connect at send time.
- RMT Layer connects at CCI start-up time.
- RMT has auto-connect capability
- Auto-connect capability can be disabled with a configuration setting
QUES Layer
- Eliminates need for configuration files
- New hosts may be brought into configuration with less effort
- Removal of host from configuration does not affect other hosts
- Connections between hosts are short lived
- Bi-Directional CCI Initialization
QUES Layer
- Requires port 7001 to be unblocked in both directions
- CCI initialization from both the DMZ and the Private Network
- Potential risk of Denial of Service attacks
  - SYN flooding
  - Etc.
- Port must be unblocked for the designated NSM servers only, not for all hosts
- No predefined source port
QUES Layer
- Transport mechanism
  - Connects with SYN flag
  - Sends data
  - Disconnects
- No persistent connection
RMT Layer
- Persistent Connection
- Connection established at start up and remains open for duration of CCI
- Preferred option in Firewall deployment
- New hosts may be brought in with Auto Connect Feature
RMT Layer
- Port usage
  - Source port can be configured by environment settings
  - Destination port defaults to 1721 but can be configured
SYN Three-way Handshaking
Diagram: TCP three-way handshake between the DMZ and Private hosts: SYN, SYN/ACK, ACK.
How SYN Flooding Works
- A TCP connection request (SYN) is sent to the target computer. The source IP address in the packet can be "spoofed," i.e. replaced with an address that is not in use on the Internet or that belongs to another computer. An attacker may send many of these TCP SYNs to tie up as many resources as possible on the target computer.
- Upon receiving the connection request, the target computer allocates resources to handle and track the new connection, then responds with a "SYN-ACK". In this case, the response is sent to the "spoofed" non-existent IP address.
- No response is received to the SYN-ACK. A default-configured Windows NT 4.0 computer will retransmit the SYN-ACK 5 times, doubling the time-out value after each retransmission. The initial time-out value is three seconds, so retries are attempted at 3, 6, 12, 24, and 48 seconds. After the last retransmission, 96 seconds are allowed to pass before the computer gives up on receiving a response and deallocates the resources that were set aside earlier for the connection. These values can be changed through the registry.
BLOCK 7001 port except for designated NSM servers
Firewall SYN Flood
- Review the firewall solution for protection against SYN flood and other DoS attacks
- Ensure port 7001 is unblocked only for the two NSM servers that require CCI connectivity
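To put numbers on the two slides above (how long one spoofed SYN pins a backlog slot, and why 7001 should admit only the designated NSM servers), here is an added example that is not part of the presentation. It assumes the NT 4.0 retransmission schedule quoted on the slide; the connection-table snapshot and the DESIGNATED_NSM address set are constructed for the example.

```python
"""Half-open (SYN_RECEIVED) exposure of a CCI listener on TCP 7001.
Added example, not CA code.  The retransmission schedule is the NT 4.0
default quoted in the slides (3 s initial timeout, 5 SYN-ACK retries,
doubling each time, then a final wait); connection-table lines, addresses
and the DESIGNATED_NSM set are constructed for the example."""
from math import ceil

def half_open_hold_seconds(initial=3, retries=5):
    """Seconds one unanswered SYN pins a backlog slot.  With the defaults:
    retries at 3, 6, 12, 24, 48 s plus the final 96 s wait = 189 s, i.e.
    initial * (2**(retries+1) - 1)."""
    return sum(initial * 2 ** i for i in range(retries + 1))

def steady_state_half_open(syn_per_second, initial=3, retries=5):
    """Little's law: arrival rate * hold time = slots pinned in steady state.
    Shows what the registry change the slide mentions buys: fewer retries,
    shorter hold, fewer backlog slots occupied for the same SYN rate."""
    return ceil(syn_per_second * half_open_hold_seconds(initial, retries))

# Constructed netstat-style snapshot taken on the secured NSM server (10.1.1.10).
CONN_TABLE = """\
TCP  10.1.1.10:7001  10.0.0.5:49152    SYN_RECEIVED
TCP  10.1.1.10:7001  203.0.113.7:1024  SYN_RECEIVED
TCP  10.1.1.10:7001  203.0.113.8:1025  SYN_RECEIVED
TCP  10.1.1.10:7001  10.0.0.5:49153    ESTABLISHED
TCP  10.1.1.10:1721  10.0.0.5:49200    ESTABLISHED
"""
DESIGNATED_NSM = {"10.0.0.5"}   # the DMZ NSM server the firewall admits on 7001

def unsolicited_half_open(table, port=7001, allowed=DESIGNATED_NSM):
    """Peers in SYN_RECEIVED on `port` that are not designated NSM hosts.
    Any hit means a SYN reached the host that the slide's rule ('block 7001
    except for designated NSM servers') should have dropped at the firewall."""
    offenders = []
    for line in table.splitlines():
        _proto, local, remote, state = line.split()
        if state != "SYN_RECEIVED" or int(local.rsplit(":", 1)[1]) != port:
            continue
        peer = remote.rsplit(":", 1)[0]
        if peer not in allowed:
            offenders.append(peer)
    return offenders

if __name__ == "__main__":
    print(half_open_hold_seconds(), steady_state_half_open(10),
          steady_state_half_open(10, retries=2), unsolicited_half_open(CONN_TABLE))
```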
CCI Ports – Windows
- Transporter
- Quenetd
- TCP destination port 7001 for Windows to Windows communication
- CCI will attempt the TCP connection first
- If that fails, it will then attempt the RMT daemon on port 1721
CCI
- Transporter Service (QUES Layer): TCP 7001
- Verify that the Transport Protocol setting is TCP, to avoid attempts to open 7003 or 7004
- Transport Protocol defaults to TCP
Firewall Setup
Diagram: DMZ and Secured zones separated by the firewall.
Testing Environment
Deployment Options
Scenario 1
- We want to forward Event exception messages from the DMZ without installing the Ingres Client in the DMZ environment
- How can we configure this?
Deployment - Scenario 1
- Install Event Agent
- Set Event Agent Proxy Node to NSM server inside the firewall
- Open CCI port 7001 in both directions.
DMZ Event DSB
- Event Agent Proxy Node
  - Specify the node name of the Central Server Event Manager
  - DSB refreshed from the Central Server
DMZ Event DSB
- If the proxy node is not required, the local DSB can be pushed to the DMZ by other means
Common Services
Diagram (Scenario 1, Windows -> Windows over TCP 7001): DMZ zone with Common Services, DSM and EVT; FIREWALL; Secured Zone with Common Services, DSM wvdbt, EVT and MDB. Port 7001 unblocked both directions – CCI may be initiated from the DMZ.
Scenario 2
- We want to open the CCI port for outbound traffic only and prevent CCI initialization from taking place in the DMZ
- How can we configure this?
Scenario 2
- RMT daemon provides persistent connection
- Customize ccirmtd.rc to start the connection from the secured network
- Add the Windows servers to RMTHOSTNAME entries
Windows – Windows Remote: RMTHOSTS
Add the Windows node to the RMTHOSTS settings on both the DMZ and secured servers
Diagram: RMTHOSTS settings on the Secured Node and on the DMZ node.
Windows – Windows Remote: RMTHOSTS
- Update RMTHOSTS on both Windows nodes.
- If only one node is updated, the other Windows node will use the QUES layer. For example:
  - RMTHOSTS entry on the DMZ node not updated to use the RMT layer for the secured zone node
  - Secured server RMTHOSTS entry updated to use the RMT layer for the DMZ node
  - All requests from secured to DMZ will use RMT.
  - Events from DMZ to secured will use the QUES layer. This port would be blocked. It will then attempt to use the RMT port.
ccirmtd.rc location
- ccirmtd.rc must reside in the ca_appsw directory, NOT in the caiuser directory (as in previous releases)
Windows – Windows Remote: Secured ccirmtd.rc
Add the Windows node to ccirmtd.rc to prevent a potential failure of the first autoConnect attempt. The ccirmtd.rc in the secured network must be updated to start the RMT connection.
Windows – Windows Remote: DMZ ccirmtd.rc
- The ccirmtd.rc file on the DMZ must have an entry with nostart and retry=0 (no retry).
- This prevents CCI initialization from the DMZ environment
Windows – Windows Remote: Source Port
- To pre-define the source port for the RMT connection, add the environment variable CAI_CCI_PORT1
Source Port
Inbound CAM port Blocked
CAM Inbound
CAM inbound traffic is denied if the CAM connection was not initiated from the secured zone
Common Services
Diagram (Scenario 2, Windows -> Windows Remote over TCP 1721): DMZ zone with Common Services, DSM and EVT; FIREWALL; Secured Network with Common Services, DSM wvdbt, EVT and MDB. Port 7001 blocked – persistent connection and traffic initiated from the Private network.
DMZ -> Secured
Deployment - Scenario 3
- Client would like to use the QUES layer but wishes to block port 7001 from the DMZ to the private network.
- What are the implications?
DMZ -> Secured
- Execute cawto in the DMZ environment to send a message to the Private network
- Cawto [<secured>] Sending message from DMZ to Private
- The message will be denied by the firewall
- Exception messages cannot be forwarded from the DMZ to the secured network
DMZ -> Private with 7001 Blocked
Summary
- For Windows – Windows, use the QUES layer with 7001 unblocked for the selected NSM servers only. CCI initialization from both the DMZ and the Secured environment
- For Windows – Windows, configure the RMT layer to avoid bi-directional unblocking of ports
- For Windows -> Unix or UNIX -> Windows (including Linux), the RMT layer provides a persistent connection
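As an added example (not CA's code or configuration), the following models the three deployment scenarios summarised above as stateful firewall policies and traces one DMZ-to-Secured event through CCI's layer selection. The host names, the Rule structure and the simplified try-QUES-then-RMT logic are assumptions drawn from the slide text.

```python
"""CCI event delivery under the slides' three firewall scenarios.  Added example,
not CA code: host names, the Rule shape and the simplified layer selection
(QUES on TCP 7001 first, RMT daemon on TCP 1721 as fallback, RMT session opened
from the secured side) are assumptions built from the slide text."""
from dataclasses import dataclass, field

QUES_PORT, RMT_PORT = 7001, 1721     # ports named in the slides

@dataclass(frozen=True)
class Rule:
    src_zone: str        # "DMZ" or "Secured"
    dst_zone: str
    dst_port: int
    hosts: frozenset     # permitted (src_host, dst_host) pairs; empty = any

@dataclass
class Firewall:
    rules: list
    established: set = field(default_factory=set)   # (src, dst, port) sessions

    def connect(self, src_zone, src, dst_zone, dst, port):
        """Stateful firewall: a new SYN needs a matching rule; an admitted
        session is recorded so later data in either direction passes."""
        ok = any(r.src_zone == src_zone and r.dst_zone == dst_zone
                 and r.dst_port == port and (not r.hosts or (src, dst) in r.hosts)
                 for r in self.rules)
        if ok:
            self.established.add((src, dst, port))
        return ok

def send_event(fw, src_zone, src, dst_zone, dst, rmt_configured=False):
    """Per the CCI Ports and RMTHOSTS slides: QUES (short-lived connection to
    7001) is tried first; if blocked, CCI tries the RMT port.  An RMT session
    already opened from the other side carries the event as established traffic."""
    if fw.connect(src_zone, src, dst_zone, dst, QUES_PORT):
        return "QUES"
    if not rmt_configured:
        return "DENIED"                   # no RMT layer configured (scenario 3)
    if (dst, src, RMT_PORT) in fw.established:
        return "RMT-established"
    return "RMT" if fw.connect(src_zone, src, dst_zone, dst, RMT_PORT) else "DENIED"

DMZ_NSM, SEC_NSM, OTHER_DMZ = "dmz-nsm", "sec-nsm", "dmz-other"   # constructed names
PAIR = frozenset({(DMZ_NSM, SEC_NSM), (SEC_NSM, DMZ_NSM)})

def scenario1():
    """7001 open both ways, but only between the two designated NSM servers."""
    fw = Firewall([Rule("DMZ", "Secured", QUES_PORT, PAIR),
                   Rule("Secured", "DMZ", QUES_PORT, PAIR)])
    return (send_event(fw, "DMZ", DMZ_NSM, "Secured", SEC_NSM),
            send_event(fw, "DMZ", OTHER_DMZ, "Secured", SEC_NSM))

def scenario2():
    """7001 blocked; 1721 open Secured -> DMZ only.  The secured side starts the
    persistent RMT session (ccirmtd.rc); the DMZ side has nostart and retry=0."""
    fw = Firewall([Rule("Secured", "DMZ", RMT_PORT, PAIR)])
    started = fw.connect("Secured", SEC_NSM, "DMZ", DMZ_NSM, RMT_PORT)
    return started, send_event(fw, "DMZ", DMZ_NSM, "Secured", SEC_NSM, rmt_configured=True)

def scenario3():
    """QUES only, 7001 blocked DMZ -> Secured: a cawto from the DMZ is denied."""
    fw = Firewall([Rule("Secured", "DMZ", QUES_PORT, PAIR)])
    return send_event(fw, "DMZ", DMZ_NSM, "Secured", SEC_NSM)

if __name__ == "__main__":
    print(scenario1(), scenario2(), scenario3())
```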
Questions and Answers
Any questions?