HP StorageWorks X5000 Technical Manual page 147

Nas security: technical guide to nsa, c2, e3-fc2, and cc security compliancy

Hide thumbs Also See for StorageWorks X5000:

Release note (39 pages)

Limited warranty (76 pages)

Support manual (17 pages)

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

page of 156

/ 156
Contents
Table of Contents
Bookmarks

Table of Contents

All of the rules listed in the table above should be mirrored when they are implemented. This ensures

that any network traffic coming into the server will also be allowed to return to the originating server.

The table above represents the base ports that should be opened for the server to perform its role-

specific functions. These ports are sufficient if the server has a static IP address. Additional ports may

need to be opened to provide for additional functionality. Opening additional ports will make the IIS

servers on the network easier to administer, however, they may greatly reduce the security of these

servers.

Important: These changes could affect performance and should be tested prior to implementing in

production. The exact number of ports that will be opened will depend on the environment as well as

the use and functionality of the server. If IIS server performance or responsiveness degrades,

additional ports may need to be opened.

Because of the large amount of interaction between a domain member and the domain controller, in

particular RPC and authentication traffic, all communications are permitted between an IIS server and

all domain controllers. Traffic could be further limited, but most environments would require the

creation of dozens of additional filters in order for the filters to effectively protect the server. This

would make it very difficult to implement and manage IPSec policies. Similar rules should be created

for each of the domain controllers an IIS server will interact with. To increase the reliability and

availability of IIS servers, this will often include adding rules for all domain controllers in the

environment.

As seen above, if Microsoft Operations Manager (MOM) is implemented in the environment, all

network traffic must be allowed to travel between the server where the IPSec filters are implemented

and the MOM server. This is necessary because of the large amount of interaction between the MOM

server and the OnePoint client-the client application that reports to the MOM console. Other

management packages may have similar requirements. The filter action for the OnePoint client can be

configured to negotiate IPSec with the MOM server if an even greater level of security is desired. This

IPSec policy will effectively block traffic through random high ports, therefore disallowing remote

procedure call (RPC) traffic. This can make management of the server difficult. Because so many ports

have been effectively closed, Terminal Services has been enabled. This will allow administrators to

perform remote administration.

147

Table of Contents

This manual is also suitable for:

Nsa security compliancy C2 security compliancy E3-fc2 security compliancy Cc security compliancy

HP StorageWorks X5000 Technical Manual page 147

Related Manuals for HP StorageWorks X5000

Related Products for HP StorageWorks X5000

This manual is also suitable for:

Table of Contents